def setUpClass(self):
# Create layout with one inspection
self.layout = Layout.read({
"_type":
"layout",
"inspect": [],
"steps": [{
"name": "run-command",
"expected_command": ["{EDITOR}"],
}]
})
# Backup original cwd
self.working_dir = os.getcwd()
# Find demo files
demo_files = os.path.join(os.path.dirname(os.path.realpath(__file__)),
"demo_files")
# Create and change into temporary directory
self.test_dir = os.path.realpath(tempfile.mkdtemp())
os.chdir(self.test_dir)
# Copy demo files to temp dir
for file in os.listdir(demo_files):
shutil.copy(os.path.join(demo_files, file), self.test_dir)
# load alice's key
self.alice = import_rsa_key_from_file("alice")
self.alice_pub_dict = import_public_keys_from_files_as_dict(
["alice.pub"])
def setUp(self):
self.layout = Layout.read({
"_type": "layout",
"inspect": [{
"name": "do-the-thing",
"expected_materials": [
["MATCH", "{SOURCE_THING}", "WITH", "MATERIALS", "FROM",
"{SOURCE_STEP}"]
],
"expected_products": [
["CREATE", "{NEW_THING}"]
]
}],
"steps": [{
"name": "artifacts",
"expected_command": [],
"expected_materials": [
["MATCH", "{SOURCE_THING}", "WITH", "MATERIALS", "FROM",
"{SOURCE_STEP}"]
],
"expected_products": [
["CREATE", "{NEW_THING}"]
]
}]
})
def load(path):
"""Loads the JSON string representation of in-toto metadata from disk.
Arguments:
path: The path to read the file from.
Raises:
IOError: The file cannot be written.
securesystemslib.exceptions.FormatError: Metadata format is invalid.
Returns:
A Metablock object whose signable attribute is either a Link or a Layout
object.
"""
with open(path, "r") as fp:
data = json.load(fp)
signatures = data.get("signatures", [])
signed_data = data.get("signed", {})
signed_type = signed_data.get("_type")
if signed_type == "link":
signed = Link.read(signed_data)
elif signed_type == "layout":
signed = Layout.read(signed_data)
else:
raise securesystemslib.exceptions.FormatError(
"Invalid Metadata format")
return Metablock(signatures=signatures, signed=signed)
def main():
key_owner = interface.import_rsa_privatekey_from_file("./keys/owner")
key_clone = interface.import_rsa_publickey_from_file("./keys/clone.pub")
key_build = interface.import_rsa_publickey_from_file("./keys/build.pub")
key_build_image = interface.import_rsa_publickey_from_file(
"./keys/build-image.pub")
layout = Layout.read({
"_type":
"layout",
"keys": {
key_clone["keyid"]: key_clone,
key_build["keyid"]: key_build,
key_build_image["keyid"]: key_build_image,
},
"steps": [{
"name":
"clone",
"expected_materials": [["DISALLOW", "*"]],
"expected_products": [["CREATE", "*"]],
"pubkeys": [key_clone["keyid"]],
"expected_command": [
"git", "clone",
"https://gitlab.com/boxboat/demos/intoto-spire/go-hello-world"
],
"threshold":
1,
}, {
"name":
"build",
"expected_materials":
[["MATCH", "*", "WITH", "PRODUCTS", "FROM", "clone"],
["DISALLOW", "*"]],
"expected_products": [["CREATE", "go-hello-world"],
["DISALLOW", "*"]],
"pubkeys": [key_build["keyid"]],
"expected_command": ["go", "build", "./..."],
"threshold":
1,
}, {
"name":
"build-image",
"expected_materials":
[["MATCH", "*", "WITH", "PRODUCTS", "FROM", "clone"],
["DISALLOW", "*"]],
"expected_products": [["CREATE", "image-id"],
["CREATE", "go-hello-world.tar"],
["DISALLOW", "*"]],
"pubkeys": [key_build_image["keyid"]],
"threshold":
1,
}],
"inspect": []
})
metadata = Metablock(signed=layout)
# Sign and dump layout to "root.layout"
metadata.sign(key_owner)
metadata.dump("root.layout")
def setUpClass(self):
# Create layout with one inspection
self.layout = Layout.read({
"_type":
"layout",
"inspect": [],
"steps": [{
"name": "run-command",
"expected_command": ["{EDITOR}"],
}]
})
super(Test_SubstituteOnVerify, self).setUpClass()
# Find demo files
demo_files = os.path.join(os.path.dirname(os.path.realpath(__file__)),
"demo_files")
# Copy demo files to temp dir
for file in os.listdir(demo_files):
shutil.copy(os.path.join(demo_files, file), self.test_dir)
# load alice's key
self.alice = import_rsa_key_from_file("alice")
self.alice_pub_dict = import_public_keys_from_files_as_dict(
["alice.pub"])
def setUp(self):
# Create layout with one inspection
self.layout = Layout.read({
"_type": "layout",
"inspect": [],
"steps": [{
"name": "run-command",
"expected_command": ["{EDITOR}"],
}]})
def test_inspection_fail_with_non_zero_retval(self):
"""Test fail run inspections with non-zero return value. """
layout = Layout.read({
"_type":
"layout",
"steps": [],
"inspect": [{
"name": "non-zero-inspection",
"run": "expr 1 / 0",
}]
})
with self.assertRaises(BadReturnValueError):
run_all_inspections(layout)
def setUp(self):
"""
Create layout with dummy inspection
"""
# Create layout with one inspection
self.layout = Layout.read({
"_type": "layout",
"steps": [],
"inspect": [{
"name": "run-command",
"run": ["{COMMAND}"],
}]
})
def main():
key_owner = import_rsa_key_from_file("dependency_owner")
key_developer = import_rsa_key_from_file("../developer/developer.pub")
key_reviewer = import_rsa_key_from_file("../reviewer/reviewer.pub")
layout = Layout.read({
"_type": "layout",
"keys": {
key_developer["keyid"]: key_developer,
key_reviewer["keyid"]: key_reviewer,
},
"steps": [{
"name": "dependency-develop",
"expected_materials": [],
"expected_products": [
["CREATE", "../dependency/demo.py"],
["DISALLOW", "*"]
],
"pubkeys": [key_developer["keyid"]],
"expected_command": [],
"threshold": 1,
},{
"name": "dependency-code-review",
"expected_materials": [
["MATCH", "../dependency/demo.py", "WITH", "PRODUCTS", "FROM",
"dependency-develop"],
["DISALLOW", "*"]
],
"expected_products": [
["ALLOW", "../dependency/demo.py"],
["DISALLOW", "*"]
],
"pubkeys": [key_reviewer["keyid"]],
"expected_command": [],
"threshold": 1,
},
],
"inspect": [],
})
metadata = Metablock(signed=layout)
# Sign and dump layout to "root.layout"
metadata.sign(key_owner)
metadata.dump("../metadata_dependency/root.layout")
def setUpClass(self):
"""
Create layout with dummy inpsection.
Create and change into temp test directory with dummy artifact."""
# Create layout with one inspection
self.layout = Layout.read({
"_type":
"layout",
"steps": [],
"inspect": [{
"name": "touch-bar",
"run": "touch bar",
}]
})
# Create directory where the verification will take place
self.working_dir = os.getcwd()
self.test_dir = os.path.realpath(tempfile.mkdtemp())
os.chdir(self.test_dir)
open("foo", "w").write("foo")
def load(path):
"""
<Purpose>
Loads the JSON string representation of signed metadata from disk
and creates a Metablock object.
The `signed` attribute of the Metablock object is assigned a Link
or Layout object, depending on the `_type` field in the loaded
metadata file.
<Arguments>
path:
The path to write the file to.
<Side Effects>
Reading metadata file from disk
<Returns>
None.
"""
with open(path, "r") as fp:
data = json.load(fp)
signatures = data.get("signatures", [])
signed_data = data.get("signed", {})
signed_type = signed_data.get("_type")
if signed_type == "link":
signed = Link.read(signed_data)
elif signed_type == "layout":
signed = Layout.read(signed_data)
else:
raise securesystemslib.exceptions.FormatError(
"Invalid Metadata format")
return Metablock(signatures=signatures, signed=signed)
def main():
# Load Jerry's private key to later sign the layout
key_jerry = interface.import_rsa_privatekey_from_file("jerry")
# Fetch and load Bob's and Alice's public keys
# to specify that they are authorized to perform certain step in the layout
key_alice = interface.import_rsa_publickey_from_file(
"../functionary_alice/alice.pub")
key_bob = interface.import_rsa_publickey_from_file(
"../functionary_bob/bob.pub")
layout = Layout.read({
"_type":
"layout",
"keys": {
key_bob["keyid"]: key_bob,
key_alice["keyid"]: key_alice,
},
"steps": [{
"name":
"clone",
"expected_materials": [],
"expected_products":
[["CREATE", "inclavare-containers/rbi/kata-agent/Dockerfile"],
[
"CREATE",
"inclavare-containers/rbi/kata-agent/kata-build-docker.sh"
],
[
"CREATE",
"inclavare-containers/rbi/kata-agent/kata-source-code.sh"
], ["CREATE", "inclavare-containers/rbi/kata-agent/kata-test.sh"],
[
"CREATE",
"inclavare-containers/rbi/kata-agent/patch/Cargo.lock"
],
["CREATE", "inclavare-containers/rbi/kata-agent/patch/Makefile"],
["CREATE", "inclavare-containers/rbi/kata-agent/patch/protocols"],
[
"CREATE",
"inclavare-containers/rbi/kata-agent/patch/protocols/Cargo.toml"
], ["CREATE", "inclavare-containers/rbi/kata-agent/readme.md"],
["CREATE", "inclavare-containers/rbi/kata-agent/readme_cn.md"],
[
"CREATE",
"inclavare-containers/rbi/kata-agent/scripts/start.sh"
], ["CREATE",
"inclavare-containers/rbi/misc/check-integrity.sh"]],
"pubkeys": [key_alice["keyid"]],
"expected_command": [
"git", "clone",
"https://github.com/alibaba/inclavare-containers.git"
],
"threshold":
1,
}, {
"name":
"build",
"expected_materials": [
[
"MATCH", "inclavare-containers/rbi/kata-agent/Dockerfile",
"WITH", "PRODUCTS", "FROM", "clone"
],
[
"MATCH",
"inclavare-containers/rbi/kata-agent/kata-build-docker.sh",
"WITH", "PRODUCTS", "FROM", "clone"
],
[
"MATCH",
"inclavare-containers/rbi/kata-agent/kata-source-code.sh",
"WITH", "PRODUCTS", "FROM", "clone"
],
[
"MATCH",
"inclavare-containers/rbi/kata-agent/kata-test.sh", "WITH",
"PRODUCTS", "FROM", "clone"
],
[
"MATCH",
"inclavare-containers/rbi/kata-agent/patch/Cargo.lock",
"WITH", "PRODUCTS", "FROM", "clone"
],
[
"MATCH",
"inclavare-containers/rbi/kata-agent/patch/Makefile",
"WITH", "PRODUCTS", "FROM", "clone"
],
[
"MATCH",
"inclavare-containers/rbi/kata-agent/patch/protocols",
"WITH", "PRODUCTS", "FROM", "clone"
],
[
"MATCH",
"inclavare-containers/rbi/kata-agent/patch/protocols/Cargo.toml",
"WITH", "PRODUCTS", "FROM", "clone"
],
[
"MATCH", "inclavare-containers/rbi/kata-agent/readme.md",
"WITH", "PRODUCTS", "FROM", "clone"
],
[
"MATCH",
"inclavare-containers/rbi/kata-agent/readme_cn.md", "WITH",
"PRODUCTS", "FROM", "clone"
],
[
"MATCH",
"inclavare-containers/rbi/kata-agent/scripts/start.sh",
"WITH", "PRODUCTS", "FROM", "clone"
]
],
"expected_products": [
[
"CREATE",
"inclavare-containers/rbi/result/kata-agent/kata-agent"
],
],
"pubkeys": [key_bob["keyid"]],
"expected_command": [
"bash",
"inclavare-containers/rbi/rbi.sh",
"agent",
],
"threshold":
1,
}],
"inspect": [{
"name":
"integrity",
"expected_materials": [
[
"MATCH",
"inclavare-containers/rbi/result/kata-agent/kata-agent",
"WITH", "PRODUCTS", "FROM", "build"
],
[
"MATCH",
"inclavare-containers/rbi/misc/check-integrity.sh", "WITH",
"PRODUCTS", "FROM", "clone"
],
# FIXME: If the routine running inspections would gather the
# materials/products to record from the rules we wouldn't have to
# ALLOW other files that we aren't interested in.
["ALLOW", "jerry.pub"],
["ALLOW", "root.layout"],
["ALLOW", ".keep"]
],
"expected_products": [
[
"CREATE",
"inclavare-containers/rbi/result/kata-agent/.check_done"
],
# FIXME: See expected_materials above
["ALLOW", "jerry.pub"],
["ALLOW", "root.layout"],
["ALLOW", ".keep"]
],
"run": [
"bash", "inclavare-containers/rbi/misc/check-integrity.sh",
"inclavare-containers/rbi/result/kata-agent/kata-agent",
SHA256_VALUE
]
}],
})
metadata = Metablock(signed=layout)
# Sign and dump layout to "root.layout"
metadata.sign(key_jerry)
metadata.dump("root.layout")
def main():
# Load Alice's private key to later sign the layout
key_alice = interface.import_rsa_privatekey_from_file("alice")
# Fetch and load Bob's and Carl's public keys
# to specify that they are authorized to perform certain step in the layout
key_bob = interface.import_rsa_publickey_from_file(
"../functionary_bob/bob.pub")
key_carl = interface.import_rsa_publickey_from_file(
"../functionary_carl/carl.pub")
layout = Layout.read({
"_type":
"layout",
"keys": {
key_bob["keyid"]: key_bob,
key_carl["keyid"]: key_carl,
},
"steps": [{
"name":
"clone",
"expected_materials": [],
"expected_products": [["CREATE", "demo-project/foo.py"],
["DISALLOW", "*"]],
"pubkeys": [key_bob["keyid"]],
"expected_command":
["git", "clone", "https://github.com/in-toto/demo-project.git"],
"threshold":
1,
}, {
"name":
"update-version",
"expected_materials":
[["MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM", "clone"],
["DISALLOW", "*"]],
"expected_products": [["ALLOW", "demo-project/foo.py"],
["DISALLOW", "*"]],
"pubkeys": [key_bob["keyid"]],
"expected_command": [],
"threshold":
1,
}, {
"name":
"package",
"expected_materials": [
[
"MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM",
"update-version"
],
["DISALLOW", "*"],
],
"expected_products": [
["CREATE", "demo-project.tar.gz"],
["DISALLOW", "*"],
],
"pubkeys": [key_carl["keyid"]],
"expected_command": [
"tar",
"--exclude",
".git",
"-zcvf",
"demo-project.tar.gz",
"demo-project",
],
"threshold":
1,
}],
"inspect": [{
"name":
"untar",
"expected_materials": [
[
"MATCH", "demo-project.tar.gz", "WITH", "PRODUCTS", "FROM",
"package"
],
# FIXME: If the routine running inspections would gather the
# materials/products to record from the rules we wouldn't have to
# ALLOW other files that we aren't interested in.
["ALLOW", ".keep"],
["ALLOW", "alice.pub"],
["ALLOW", "root.layout"],
["DISALLOW", "*"]
],
"expected_products": [
[
"MATCH", "demo-project/foo.py", "WITH", "PRODUCTS", "FROM",
"update-version"
],
# FIXME: See expected_materials above
["ALLOW", "demo-project/.git/*"],
["ALLOW", "demo-project.tar.gz"],
["ALLOW", ".keep"],
["ALLOW", "alice.pub"],
["ALLOW", "root.layout"],
["DISALLOW", "*"]
],
"run": [
"tar",
"xzf",
"demo-project.tar.gz",
]
}],
})
metadata = DbomMetablock(signed=layout)
# Sign and dump layout to "root.layout"
metadata.sign(key_alice)
metadata.save_owner_key(key_alice, assetID)
metadata.dump("root.layout")
metadata.save_layout("root.layout", assetID)
def main():
# Load Alice's private key to later sign the layout
key_alice = import_rsa_key_from_file("alice")
# Fetch and load Bob's and Carl's public keys
# to specify that they are authorized to perform certain step in the layout
key_bob = import_rsa_key_from_file("../functionary_bob/bob.pub")
key_carl = import_rsa_key_from_file("../functionary_carl/carl.pub")
layout = Layout.read({
"signed": {
"_type":
"layout",
"keys": {
key_bob["keyid"]: key_bob,
key_carl["keyid"]: key_carl,
},
"steps": [{
"name":
"setup-project",
"expected_materials": [],
"expected_products": [["CREATE", "project.meta"],
["CREATE", "package.meta"]],
"pubkeys": [key_bob["keyid"]],
"expected_command":
"",
"threshold":
1,
}, {
"name":
"clone",
"expected_materials": [],
"expected_products":
[["CREATE", "connman/_service"],
["CREATE", "connman/connman-1.30.tar.gz"],
["CREATE", "connman/connman-1.30.tar.sign"],
["CREATE", "connman/connman-rpmlintrc"],
["CREATE", "connman/connman.changes"],
["CREATE", "connman/connman.keyring"],
["CREATE", "connman/connman.spec"]],
"pubkeys": [key_bob["keyid"]],
"expected_command":
"",
"threshold":
1,
}, {
"name":
"update-changelog",
"expected_materials": [[
"MATCH", "connman/connman.changes", "WITH", "PRODUCTS",
"FROM", "clone"
]],
"expected_products": [["ALLOW", "connman/connman.changes"]],
"pubkeys": [key_bob["keyid"]],
"expected_command":
"",
"threshold":
1,
}, {
"name": "test",
"expected_materials": [],
"expected_products": [],
"pubkeys": [key_carl["keyid"]],
"expected_command":
"osc build openSUSE_Factory x86_64 connman/connman.spec",
"threshold": 1,
}, {
"name":
"package",
"expected_materials": [
[
"MATCH", "connman/_service", "WITH", "PRODUCTS",
"FROM", "clone"
],
[
"MATCH", "connman/connman-1.30.tar.gz", "WITH",
"PRODUCTS", "FROM", "clone"
],
[
"MATCH", "connman/connman-1.30.tar.sign", "WITH",
"PRODUCTS", "FROM", "clone"
],
[
"MATCH", "connman/connman-rpmlintrc", "WITH",
"PRODUCTS", "FROM", "clone"
],
[
"MATCH", "connman/connman.changes", "WITH", "PRODUCTS",
"FROM", "update-changelog"
],
[
"MATCH", "connman/connman.keyring", "WITH", "PRODUCTS",
"FROM", "clone"
],
[
"MATCH", "connman/connman.spec", "WITH", "PRODUCTS",
"FROM", "clone"
],
],
"expected_products": [
["CREATE", "connman-1.30-1.1.src.rpm"],
],
"pubkeys": [key_carl["keyid"]],
"expected_command":
"",
"threshold":
1,
}],
"inspect": [
{
"name":
"unpack",
"expected_materials": [
[
"MATCH", "connman-1.30-1.1.src.rpm", "WITH",
"PRODUCTS", "FROM", "package"
],
# FIXME: If the routine running inspections would gather the
# materials/products to record from the rules we wouldn't have to
# ALLOW other files that we aren't interested in.
["ALLOW", ".keep"],
["ALLOW", "alice.pub"],
["ALLOW", "verify-signature.sh"],
["ALLOW", "root.layout"],
],
"expected_products": [
[
"MATCH", "connman-1.30-1.1.src.rpm", "WITH",
"PRODUCTS", "FROM", "package"
],
[
"MATCH", "connman-1.30.tar.gz", "WITH", "PRODUCTS",
"IN", "connman", "FROM", "clone"
],
[
"MATCH", "_service", "WITH", "PRODUCTS", "IN",
"connman", "FROM", "clone"
],
[
"MATCH", "connman-1.30.tar.sign", "WITH",
"PRODUCTS", "IN", "connman", "FROM", "clone"
],
[
"MATCH", "connman-rpmlintrc", "WITH", "PRODUCTS",
"IN", "connman", "FROM", "clone"
],
[
"MATCH", "connman.changes", "WITH", "PRODUCTS",
"IN", "connman", "FROM", "update-changelog"
],
[
"MATCH", "connman.keyring", "WITH", "PRODUCTS",
"IN", "connman", "FROM", "clone"
],
# FIXME: hash doesn't match for this file because connman.spec in
# rpm has changelog appended to it and release number incremented.
["ALLOW", "connman.spec"],
["ALLOW", ".keep"],
["ALLOW", "alice.pub"],
["ALLOW", "verify-signature.sh"],
["ALLOW", "root.layout"],
],
"run":
"unrpm connman-1.30-1.1.src.rpm",
},
{
"name": "verify-signature",
"expected_materials": [["ALLOW", "*"]],
"expected_products": [["ALLOW", "*"]],
"run": "./verify-signature.sh",
}
],
},
"signatures": []
})
# Sign and dump layout to "layout.root"
layout.sign(key_alice)
layout.dump()
def main():
# Load Alice's private key to later sign the layout
key_alice = import_rsa_key_from_file("alice")
# Fetch and load Bob's and Carl's public keys
# to specify that they are authorized to perform certain step in the layout
key_bob = import_rsa_key_from_file("../functionary_bob/bob.pub")
key_carl = import_rsa_key_from_file("../functionary_carl/carl.pub")
layout = Layout.read({
"_type":
"layout",
"keys": {
key_bob["keyid"]: key_bob,
key_carl["keyid"]: key_carl,
},
"steps": [
{
"name": "clone",
"material_matchrules": [],
"product_matchrules": [["CREATE", "demo-project/foo.py"]],
"pubkeys": [key_bob["keyid"]],
"expected_command":
"git clone https://github.com/in-toto/demo-project.git",
"threshold": 1,
},
{
"name":
"update-version",
"material_matchrules": [[
"MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM",
"clone"
]],
# FIXME: CREATE is more like an allow here, is fixed in next version
"product_matchrules": [["ALLOW", "demo-project/foo.py"]],
"pubkeys": [key_bob["keyid"]],
"expected_command":
"",
"threshold":
1,
},
{
"name":
"package",
"material_matchrules": [
[
"MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM",
"update-version"
],
],
"product_matchrules": [
["CREATE", "demo-project.tar.gz"],
],
"pubkeys": [key_carl["keyid"]],
"expected_command":
"tar --exclude '.git' -zcvf demo-project.tar.gz demo-project",
"threshold":
1,
}
],
"inspect": [{
"name":
"untar",
"material_matchrules": [
[
"MATCH", "demo-project.tar.gz", "WITH", "PRODUCTS", "FROM",
"package"
],
# FIXME: If the routine running inspections would gather the
# materials/products to record from the rules we wouldn't have to
# ALLOW other files that we aren't interested in.
["ALLOW", ".keep"],
["ALLOW", "alice.pub"],
["ALLOW", "root.layout"],
],
"product_matchrules": [
[
"MATCH", "demo-project/foo.py", "WITH", "PRODUCTS", "FROM",
"update-version"
],
# FIXME: See material_matchrules above
["ALLOW", "demo-project/.git/*"],
["ALLOW", "demo-project.tar.gz"],
["ALLOW", ".keep"],
["ALLOW", "alice.pub"],
["ALLOW", "root.layout"],
],
"run":
"tar xzf demo-project.tar.gz",
}],
"signatures": []
})
# Sign and dump layout to "layout.root"
layout.sign(key_alice)
layout.dump()
#!/usr/bin/env python
from in_toto.models.layout import Layout, Step, Inspection
import in_toto.util
import json
import datetime
if __name__:
# Get keys
santiago_key = in_toto.util.import_rsa_key_from_file("santiago.pub")
justin_key = in_toto.util.import_rsa_key_from_file("justin")
with open("root.layout") as fp:
info = json.load(fp)
l = Layout.read(info)
l.sign(justin_key)
l.dump()
def main():
# Load Niels's private key to later sign the layout
key_niels = import_rsa_key_from_file("niels")
# Fetch and load aimee's and noud's public keys
# to specify that they are authorized to perform certain step in the layout
key_aimee = import_rsa_key_from_file("../functionary_aimee/aimee.pub")
key_noud = import_rsa_key_from_file("../functionary_noud/noud.pub")
layout = Layout.read({
"_type": "layout",
"keys": {
key_aimee["keyid"]: key_aimee,
key_noud["keyid"]: key_noud,
},
"steps": [{
"name": "create",
"expected_materials": [],
"expected_products": [["CREATE", "app/Program.cs"], ["DISALLOW", "*"]],
"pubkeys": [key_aimee["keyid"]],
"expected_command": [
"dotnet",
"new",
"console",
"-n",
"app"
],
"threshold": 1,
},{
"name": "publish",
"expected_materials": [
["MATCH", "app/Program.cs", "WITH", "PRODUCTS", "FROM",
"create"], ["DISALLOW", "*"],
],
"expected_products": [["CREATE", "published/app"], ["CREATE", "published/app.*"], ["DISALLOW", "*"]],
"pubkeys": [key_noud["keyid"]],
"expected_command": [
"dotnet",
"publish",
"-o",
"published",
"app"
],
"threshold": 1,
},{
"name": "package",
"expected_materials": [
["MATCH", "published/*", "WITH", "PRODUCTS", "FROM",
"publish"], ["DISALLOW", "*"],
],
"expected_products": [
["CREATE", "published.tar.gz"], ["DISALLOW", "*"],
],
"pubkeys": [key_noud["keyid"]],
"expected_command": [
"tar",
"-zcvf",
"published.tar.gz",
"published",
],
"threshold": 1,
}],
"inspect": [{
"name": "untar",
"expected_materials": [
["MATCH", "published.tar.gz", "WITH", "PRODUCTS", "FROM", "package"],
# FIXME: If the routine running inspections would gather the
# materials/products to record from the rules we wouldn't have to
# ALLOW other files that we aren't interested in.
["ALLOW", ".keep"],
["ALLOW", "niels.pub"],
["ALLOW", "root.layout"],
["DISALLOW", "*"]
],
"expected_products": [
["MATCH", "published/*", "WITH", "PRODUCTS", "FROM", "publish"],
# FIXME: See expected_materials above
["ALLOW", "published/app.*"],
["ALLOW", "published.tar.gz"],
["ALLOW", ".keep"],
["ALLOW", "niels.pub"],
["ALLOW", "root.layout"],
["DISALLOW", "*"]
],
"run": [
"tar",
"xzf",
"published.tar.gz",
]
}],
})
metadata = Metablock(signed=layout)
# Sign and dump layout to "root.layout"
metadata.sign(key_niels)
metadata.dump("root.layout")
def main():
key_owner = import_rsa_key_from_file("target_owner")
key_dependency_owner = import_rsa_key_from_file("dependency_owner.pub")
key_developer = import_rsa_key_from_file("../developer/developer.pub")
key_reviewer = import_rsa_key_from_file("../reviewer/reviewer.pub")
key_xray = import_rsa_key_from_file("../xray/xray.pub")
layout = Layout.read({
"_type":
"layout",
"keys": {
key_developer["keyid"]: key_developer,
key_reviewer["keyid"]: key_reviewer,
key_xray["keyid"]: key_xray,
key_dependency_owner["keyid"]: key_dependency_owner,
},
"steps": [
{
"name":
"target-develop",
"expected_materials": [],
"expected_products": [["CREATE", "../target/demo.py"],
["DISALLOW", "*"]],
"pubkeys": [key_developer["keyid"]],
"expected_command": [],
"threshold":
1,
},
{
"name":
"target-code-review",
"expected_materials": [[
"MATCH", "../target/demo.py", "WITH", "PRODUCTS", "FROM",
"target-develop"
], ["DISALLOW", "*"]],
"expected_products": [["ALLOW", "../target/demo.py"],
["DISALLOW", "*"]],
"pubkeys": [key_reviewer["keyid"]],
"expected_command": [],
"threshold":
1,
},
{
"name":
"target-get-dependency",
"expected_materials": [],
"expected_products": [
["ALLOW", "../dependency/demo.py"],
["DISALLOW", "*"],
],
"pubkeys": [key_dependency_owner["keyid"]],
"expected_command": [],
"threshold":
1,
},
{
"name":
"target-jfrog-xray",
"expected_materials": [
[
"MATCH", "../target/demo.py", "WITH", "PRODUCTS",
"FROM", "target-develop"
],
["DISALLOW", "*"],
],
"expected_products": [
["CREATE", "../reports/jfrog-xray-report.json"],
["DISALLOW", "*"],
],
"pubkeys": [key_xray["keyid"]],
"expected_command": ["python", "generate_report.py"],
"threshold":
1,
},
],
"inspect": [{
"name":
"target-check-vulnerability-report",
"expected_materials": [
[
"MATCH", "../reports/jfrog-xray-report.json", "WITH",
"PRODUCTS", "FROM", "target-jfrog-xray"
],
],
"expected_products": [],
"run": ["python", "scripts/validate_jfrog_xray_report.py"],
}],
})
metadata = Metablock(signed=layout)
# Sign and dump layout to "root.layout"
metadata.sign(key_owner)
metadata.dump("../metadata_target/root.layout")
def main():
# Load Jerry's private key to later sign the layout
key_jerry = interface.import_rsa_privatekey_from_file("jerry")
# Fetch and load Bob's and Alice's public keys
# to specify that they are authorized to perform certain step in the layout
key_alice = interface.import_rsa_publickey_from_file(
"../functionary_alice/alice.pub")
key_bob = interface.import_rsa_publickey_from_file(
"../functionary_bob/bob.pub")
layout = Layout.read({
"_type":
"layout",
"keys": {
key_bob["keyid"]: key_bob,
key_alice["keyid"]: key_alice,
},
"steps": [{
"name":
"clone",
"expected_materials": [],
"expected_products":
[["CREATE", "inclavare-containers/rbi/kernel/Dockerfile"],
[
"CREATE",
"inclavare-containers/rbi/kernel/build-docker-image.sh"
], ["CREATE", "inclavare-containers/rbi/kernel/build-kernel.sh"],
["CREATE", "inclavare-containers/rbi/kernel/check-integrity.sh"],
[
"CREATE",
"inclavare-containers/rbi/kernel/patch/build-kernel.sh"
], ["CREATE", "inclavare-containers/rbi/kernel/scripts/start.sh"],
["CREATE", "inclavare-containers/rbi/misc/check-integrity.sh"]],
"pubkeys": [key_alice["keyid"]],
"expected_command": [
"git", "clone",
"https://github.com/alibaba/inclavare-containers.git"
],
"threshold":
1,
}, {
"name":
"build",
"expected_materials":
[[
"MATCH", "inclavare-containers/rbi/kernel/Dockerfile", "WITH",
"PRODUCTS", "FROM", "clone"
],
[
"MATCH",
"inclavare-containers/rbi/kernel/build-docker-image.sh",
"WITH", "PRODUCTS", "FROM", "clone"
],
[
"MATCH", "inclavare-containers/rbi/kernel/build-kernel.sh",
"WITH", "PRODUCTS", "FROM", "clone"
],
[
"MATCH", "inclavare-containers/rbi/kernel/check-integrity.sh",
"WITH", "PRODUCTS", "FROM", "clone"
],
[
"MATCH",
"inclavare-containers/rbi/kernel/patch/build-kernel.sh",
"WITH", "PRODUCTS", "FROM", "clone"
],
[
"MATCH", "inclavare-containers/rbi/kernel/readme.md", "WITH",
"PRODUCTS", "FROM", "clone"
],
[
"MATCH", "inclavare-containers/rbi/kernel/scripts/start.sh",
"WITH", "PRODUCTS", "FROM", "clone"
]],
"expected_products": [
["CREATE", "inclavare-containers/rbi/result/kernel/vmlinux"],
],
"pubkeys": [key_bob["keyid"]],
"expected_command": [
"bash",
"inclavare-containers/rbi/rbi.sh",
"kernel",
],
"threshold":
1,
}],
"inspect": [{
"name":
"integrity",
"expected_materials": [
[
"MATCH", "inclavare-containers/rbi/result/kernel/vmlinux",
"WITH", "PRODUCTS", "FROM", "build"
],
[
"MATCH",
"inclavare-containers/rbi/misc/check-integrity.sh", "WITH",
"PRODUCTS", "FROM", "clone"
], ["ALLOW", "jerry.pub"], ["ALLOW", "root.layout"],
["ALLOW", ".keep"]
],
"expected_products": [
[
"CREATE",
"inclavare-containers/rbi/result/kernel/.check_done"
],
# FIXME: See expected_materials above
["ALLOW", "jerry.pub"],
["ALLOW", "root.layout"],
["ALLOW", ".keep"]
],
"run": [
"bash", "inclavare-containers/rbi/misc/check-integrity.sh",
"inclavare-containers/rbi/result/kernel/vmlinux", SHA256_VALUE
]
}],
})
metadata = Metablock(signed=layout)
# Sign and dump layout to "root.layout"
metadata.sign(key_jerry)
metadata.dump("root.layout")
def setUp(self):
"""Imports keys, generates layout and layout_key_dict for the clone,
update-version, and package step."""
self.key_alice = interface.import_rsa_privatekey_from_file(
"keys/alice")
# Fetch and load Bob's and Carl's public keys
# to specify that they are authorized to perform certain step in the layout
self.key_bob = interface.import_rsa_publickey_from_file("keys/bob.pub")
self.key_carl = interface.import_rsa_publickey_from_file(
"keys/carl.pub")
# Create layout
self.layout = Layout.read({
"_type":
"layout",
"keys": {
self.key_bob["keyid"]: self.key_bob,
self.key_carl["keyid"]: self.key_carl,
},
"steps": [{
"name":
"clone",
"expected_materials": [],
"expected_products": [["CREATE", "demo-project/foo.py"],
["DISALLOW", "*"]],
"pubkeys": [self.key_bob["keyid"]],
"expected_command": [
"git", "clone",
"https://github.com/in-toto/demo-project.git"
],
"threshold":
1,
}, {
"name":
"update-version",
"expected_materials": [[
"MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM",
"clone"
], ["DISALLOW", "*"]],
"expected_products": [["ALLOW", "demo-project/foo.py"],
["DISALLOW", "*"]],
"pubkeys": [self.key_bob["keyid"]],
"expected_command": [],
"threshold":
1,
}, {
"name":
"package",
"expected_materials": [
[
"MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM",
"update-version"
],
["DISALLOW", "*"],
],
"expected_products": [
["CREATE", "demo-project.tar.gz"],
["DISALLOW", "*"],
],
"pubkeys": [self.key_carl["keyid"]],
"expected_command": [
"tar",
"--exclude",
".git",
"-zcvf",
"demo-project.tar.gz",
"demo-project",
],
"threshold":
1,
}],
"inspect": [],
})
self.metadata = Metablock(signed=self.layout)
self.metadata.sign(self.key_alice)
# Create the public key dict
self.layout_key_dict = {}
self.layout_key_dict.update(
interface.import_publickeys_from_file(["keys/alice.pub"]))
