Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] Add User Defined Trusted Subjects #520

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 27 additions & 18 deletions cmd/run.go
Original file line number Diff line number Diff line change
@@ -1,17 +1,3 @@
// Copyright 2021 The Witness Contributors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cmd

import (
Expand All @@ -19,15 +5,15 @@
"encoding/json"
"fmt"

witness "github.com/in-toto/go-witness"

Check failure on line 8 in cmd/run.go

View workflow job for this annotation

GitHub Actions / unit-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 8 in cmd/run.go

View workflow job for this annotation

GitHub Actions / sast / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 8 in cmd/run.go

View workflow job for this annotation

GitHub Actions / e2e-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 8 in cmd/run.go

View workflow job for this annotation

GitHub Actions / Analyze (go)

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist
"github.com/in-toto/go-witness/archivista"

Check failure on line 9 in cmd/run.go

View workflow job for this annotation

GitHub Actions / Verify Docgen

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 9 in cmd/run.go

View workflow job for this annotation

GitHub Actions / unit-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 9 in cmd/run.go

View workflow job for this annotation

GitHub Actions / sast / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 9 in cmd/run.go

View workflow job for this annotation

GitHub Actions / e2e-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 9 in cmd/run.go

View workflow job for this annotation

GitHub Actions / Analyze (go)

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist
"github.com/in-toto/go-witness/attestation"
"github.com/in-toto/go-witness/attestation/commandrun"

Check failure on line 11 in cmd/run.go

View workflow job for this annotation

GitHub Actions / Verify Docgen

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 11 in cmd/run.go

View workflow job for this annotation

GitHub Actions / unit-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 11 in cmd/run.go

View workflow job for this annotation

GitHub Actions / sast / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 11 in cmd/run.go

View workflow job for this annotation

GitHub Actions / e2e-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 11 in cmd/run.go

View workflow job for this annotation

GitHub Actions / Analyze (go)

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist
"github.com/in-toto/go-witness/attestation/material"

Check failure on line 12 in cmd/run.go

View workflow job for this annotation

GitHub Actions / Verify Docgen

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 12 in cmd/run.go

View workflow job for this annotation

GitHub Actions / unit-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 12 in cmd/run.go

View workflow job for this annotation

GitHub Actions / sast / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 12 in cmd/run.go

View workflow job for this annotation

GitHub Actions / e2e-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 12 in cmd/run.go

View workflow job for this annotation

GitHub Actions / Analyze (go)

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist
"github.com/in-toto/go-witness/attestation/product"

Check failure on line 13 in cmd/run.go

View workflow job for this annotation

GitHub Actions / Verify Docgen

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 13 in cmd/run.go

View workflow job for this annotation

GitHub Actions / unit-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 13 in cmd/run.go

View workflow job for this annotation

GitHub Actions / sast / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 13 in cmd/run.go

View workflow job for this annotation

GitHub Actions / e2e-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 13 in cmd/run.go

View workflow job for this annotation

GitHub Actions / Analyze (go)

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist
"github.com/in-toto/go-witness/cryptoutil"
"github.com/in-toto/go-witness/log"
"github.com/in-toto/go-witness/registry"

Check failure on line 16 in cmd/run.go

View workflow job for this annotation

GitHub Actions / Verify Docgen

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 16 in cmd/run.go

View workflow job for this annotation

GitHub Actions / unit-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 16 in cmd/run.go

View workflow job for this annotation

GitHub Actions / sast / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 16 in cmd/run.go

View workflow job for this annotation

GitHub Actions / e2e-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 16 in cmd/run.go

View workflow job for this annotation

GitHub Actions / Analyze (go)

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist
"github.com/in-toto/go-witness/timestamp"
"github.com/in-toto/witness/options"
"github.com/spf13/cobra"
Expand Down Expand Up @@ -127,13 +113,36 @@
roHashes = append(roHashes, cryptoutil.DigestValue{Hash: hash, GitOID: false})
}

results, err := witness.RunWithExports(
ro.StepName,
// Add the `RunWithUserDefinedSubject` option if user-defined subjects are provided
runOptions := []witness.RunOption{
witness.RunWithSigners(signers...),
witness.RunWithAttestors(attestors),
witness.RunWithAttestationOpts(attestation.WithWorkingDir(ro.WorkingDir), attestation.WithHashes(roHashes)),
witness.RunWithAttestationOpts(attestation.WithWorkingDir(ro.WorkingDir),
attestation.WithHashes(roHashes)),
witness.RunWithTimestampers(timestampers...),
)
}

// Aggregate all user-defined subjects into a single map
allSubjects := make(map[string]cryptoutil.DigestSet)

// Iterate over user-defined subjects and add them to the aggregated map
for _, userDefinedSubject := range ro.UserDefinedSubjects {
fmt.Printf("User-defined subject: %v\n", userDefinedSubject)
ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(userDefinedSubject), roHashes)
if err != nil {
log.Debugf("(witness) failed to record user-defined subject %v: %v", userDefinedSubject, err)
continue
}
// Add the user-defined subject to the aggregated map
allSubjects["https://witness.dev/internal/user:"+userDefinedSubject] = ds
}

// Add the aggregated subjects to the run options
if len(allSubjects) > 0 {
runOptions = append(runOptions, witness.RunWithUserDefinedSubject(allSubjects))
}

results, err := witness.RunWithExports(ro.StepName, runOptions...)
if err != nil {
return err
}
Expand Down
26 changes: 25 additions & 1 deletion cmd/sign.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,14 @@

import (
"context"
"crypto"
"fmt"
"os"

witness "github.com/in-toto/go-witness"
"github.com/in-toto/go-witness/cryptoutil"
"github.com/in-toto/go-witness/dsse"

Check failure on line 25 in cmd/sign.go

View workflow job for this annotation

GitHub Actions / Verify Docgen

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 25 in cmd/sign.go

View workflow job for this annotation

GitHub Actions / unit-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 25 in cmd/sign.go

View workflow job for this annotation

GitHub Actions / sast / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 25 in cmd/sign.go

View workflow job for this annotation

GitHub Actions / e2e-test / witness

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist

Check failure on line 25 in cmd/sign.go

View workflow job for this annotation

GitHub Actions / Analyze (go)

github.com/in-toto/[email protected]: replacement directory ../go-witness does not exist
"github.com/in-toto/go-witness/log"
"github.com/in-toto/go-witness/timestamp"
"github.com/in-toto/witness/options"
"github.com/spf13/cobra"
Expand Down Expand Up @@ -81,5 +83,27 @@
}

defer outFile.Close()
return witness.Sign(inFile, so.DataType, outFile, dsse.SignWithSigners(signers[0]), dsse.SignWithTimestampers(timestampers...))

// Aggregate all user-defined subjects into a single map
allSubjects := make(map[string]cryptoutil.DigestSet)

// Iterate over user-defined subjects and add them to the aggregated map
for _, userDefinedSubject := range so.UserDefinedSubjects {
fmt.Printf("User-defined subject: %v\n", userDefinedSubject)
ds, err := cryptoutil.CalculateDigestSetFromBytes([]byte(userDefinedSubject),
[]cryptoutil.DigestValue{{
Hash: crypto.SHA256,
GitOID: false,
}})

if err != nil {
log.Debugf("(witness) failed to record user-defined subject %v: %v", userDefinedSubject, err)
continue
}
// Add the user-defined subject to the aggregated map
allSubjects["https://witness.dev/internal/user:"+userDefinedSubject] = ds
}

return witness.Sign(inFile, so.DataType, outFile, dsse.SignWithSigners(signers[0]),
dsse.SignWithTimestampers(timestampers...), dsse.SignWithUserDefinedSubject(allSubjects))
}
45 changes: 24 additions & 21 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -35,28 +35,28 @@ require (
cloud.google.com/go/kms v1.20.0 // indirect
cloud.google.com/go/longrunning v0.6.1 // indirect
dario.cat/mergo v1.0.1 // indirect
github.com/CycloneDX/cyclonedx-go v0.9.0 // indirect
github.com/CycloneDX/cyclonedx-go v0.9.1 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/ProtonMail/go-crypto v1.0.0 // indirect
github.com/agnivade/levenshtein v1.1.1 // indirect
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/aws/aws-sdk-go v1.55.5 // indirect
github.com/aws/aws-sdk-go-v2 v1.31.0 // indirect
github.com/aws/aws-sdk-go-v2/config v1.27.37 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.35 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.14 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.18 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.18 // indirect
github.com/aws/aws-sdk-go-v2 v1.32.2 // indirect
github.com/aws/aws-sdk-go-v2/config v1.27.43 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.41 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.17 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.21 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.21 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.5 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.20 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.2 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.35.7 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.23.1 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.27.1 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.31.1 // indirect
github.com/aws/smithy-go v1.21.0 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.24.2 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.2 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.32.2 // indirect
github.com/aws/smithy-go v1.22.0 // indirect
github.com/bahlo/generic-list-go v0.2.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/buger/jsonparser v1.1.1 // indirect
Expand All @@ -73,7 +73,7 @@ require (
github.com/fkautz/omnitrail-go v0.0.0-20230808061951-37d34c23539d // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/gabriel-vasile/mimetype v1.4.4 // indirect
github.com/gabriel-vasile/mimetype v1.4.6 // indirect
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
github.com/go-git/go-billy/v5 v5.5.0 // indirect
github.com/go-git/go-git/v5 v5.11.0 // indirect
Expand All @@ -94,7 +94,7 @@ require (
github.com/gorilla/mux v1.8.1 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect
github.com/hashicorp/hcl v1.0.1-vault-3 // indirect
github.com/in-toto/archivista v0.5.1 // indirect
github.com/in-toto/archivista v0.5.4 // indirect
github.com/in-toto/attestation v1.0.2 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
Expand Down Expand Up @@ -133,7 +133,7 @@ require (
github.com/sigstore/sigstore v1.8.9 // indirect
github.com/skeema/knownhosts v1.2.1 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/spdx/tools-golang v0.5.4 // indirect
github.com/spdx/tools-golang v0.5.5 // indirect
github.com/spf13/afero v1.11.0 // indirect
github.com/spf13/cast v1.7.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
Expand All @@ -155,13 +155,14 @@ require (
go.opentelemetry.io/otel/sdk v1.29.0 // indirect
go.opentelemetry.io/otel/trace v1.30.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/crypto v0.27.0 // indirect
golang.org/x/crypto v0.28.0 // indirect
golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
golang.org/x/net v0.29.0 // indirect
golang.org/x/mod v0.21.0 // indirect
golang.org/x/net v0.30.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.25.0 // indirect
golang.org/x/term v0.24.0 // indirect
golang.org/x/text v0.18.0 // indirect
golang.org/x/sys v0.26.0 // indirect
golang.org/x/term v0.25.0 // indirect
golang.org/x/text v0.19.0 // indirect
golang.org/x/time v0.6.0 // indirect
google.golang.org/api v0.199.0 // indirect
google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 // indirect
Expand All @@ -187,3 +188,5 @@ replace github.com/sigstore/rekor => github.com/testifysec/rekor v0.4.0-dsse-int
replace github.com/gin-gonic/gin v1.5.0 => github.com/gin-gonic/gin v1.7.7

replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1

replace github.com/in-toto/go-witness => ../go-witness
Loading
Loading