def Run(self, args): project_ref = resources.REGISTRY.Parse( properties.VALUES.core.project.Get(required=True), collection='cloudresourcemanager.projects', ) normalized_artifact_url = binauthz_command_util.NormalizeArtifactUrl( args.artifact_url) signature = console_io.ReadFromFileOrStdin(args.signature_file, binary=True) if args.payload_file: payload = files.ReadBinaryFileContents(args.payload_file) else: payload = binauthz_command_util.MakeSignaturePayload( normalized_artifact_url) attestor_ref = args.CONCEPTS.attestor.Parse() api_version = apis.GetApiVersion(self.ReleaseTrack()) attestor = attestors.Client(api_version).Get(attestor_ref) # TODO(b/79709480): Add other types of attestors if/when supported. note_ref = resources.REGISTRY.ParseResourceId( 'containeranalysis.projects.notes', attestor.userOwnedDrydockNote.noteReference, {}) validation_enabled = 'validate' in args and args.validate validation_callback = functools.partial( validation.validate_attestation, attestor_ref=attestor_ref, api_version=api_version) ca_api_version = ca_apis.GetApiVersion(self.ReleaseTrack()) # TODO(b/138859339): Remove when remainder of surface migrated to V1 API. if ca_api_version == ca_apis.V1: return containeranalysis.Client( ca_api_version).CreateAttestationOccurrence( project_ref=project_ref, note_ref=note_ref, artifact_url=normalized_artifact_url, public_key_id=args.public_key_id, signature=signature, plaintext=payload, validation_callback=(validation_callback if validation_enabled else None), ) else: return containeranalysis.Client( ca_api_version).CreateGenericAttestationOccurrence( project_ref=project_ref, note_ref=note_ref, artifact_url=normalized_artifact_url, public_key_id=args.public_key_id, signature=signature, plaintext=payload, )
def Run(self, args): project_ref = resources.REGISTRY.Parse( properties.VALUES.core.project.Get(required=True), collection='cloudresourcemanager.projects', ) normalized_artifact_url = binauthz_command_util.NormalizeArtifactUrl( args.artifact_url) signature = console_io.ReadFromFileOrStdin(args.signature_file, binary=True) if args.payload_file: payload = files.ReadBinaryFileContents(args.payload_file) else: payload = binauthz_command_util.MakeSignaturePayload( normalized_artifact_url) attestor_ref = args.CONCEPTS.attestor.Parse() api_version = apis.GetApiVersion(self.ReleaseTrack()) attestor = attestors.Client(api_version).Get(attestor_ref) # TODO(b/79709480): Add other types of attestors if/when supported. note_ref = resources.REGISTRY.ParseResourceId( 'containeranalysis.projects.notes', attestor.userOwnedDrydockNote.noteReference, {}) return containeranalysis.Client().CreateGenericAttestationOccurrence( project_ref=project_ref, note_ref=note_ref, artifact_url=normalized_artifact_url, public_key_id=args.public_key_id, signature=signature, plaintext=payload, )
def SetUp(self): self.ca_client = containeranalysis.Client() self.project_ref = resources.REGISTRY.Parse( self.Project(), collection='cloudresourcemanager.projects', ) self.artifact_url = self.GenerateArtifactUrl() self.pgp_key_fingerprint = 'AAAABBBB' self.signature = b'fake-signature' self.payload = b'fake-payload' self.note_id = 'my-aa-note' self.note_project = 'other-' + self.Project() self.note_relative_name = binauthz_test_base.GetNoteRelativeName( project_id=self.note_project, note_id=self.note_id, ) self.note_ref = resources.REGISTRY.ParseRelativeName( relative_name=self.note_relative_name, collection='containeranalysis.projects.notes', ) self.request_occurrence = self.CreateRequestAttestationOccurrence( note_ref=self.note_ref, plaintext=self.payload, signatures=[(self.pgp_key_fingerprint, self.signature)], artifact_url=self.artifact_url, project_ref=self.project_ref, ) self.response_occurrence = self.CreateResponseOccurrence( project_ref=self.project_ref, request_occurrence=self.request_occurrence, )
def Run(self, args): project_ref = resources.REGISTRY.Parse( properties.VALUES.core.project.Get(required=True), collection='cloudresourcemanager.projects', ) normalized_artifact_url = binauthz_command_util.NormalizeArtifactUrl( args.artifact_url) attestor_ref = args.CONCEPTS.attestor.Parse() key_ref = args.CONCEPTS.keyversion.Parse() # NOTE: This will hit the alpha Binauthz API until we promote this command # to the beta surface or hardcode it e.g. to Beta. api_version = apis.GetApiVersion(self.ReleaseTrack()) attestor = attestors.Client(api_version).Get(attestor_ref) # TODO(b/79709480): Add other types of attestors if/when supported. note_ref = resources.REGISTRY.ParseResourceId( 'containeranalysis.projects.notes', attestor.userOwnedDrydockNote.noteReference, {}) key_id = args.public_key_id_override or kms.GetKeyUri(key_ref) # TODO(b/138719072): Remove when validation is on by default validation_enabled = 'validate' in args and args.validate if not validation_enabled: if key_id not in set( pubkey.id for pubkey in attestor.userOwnedDrydockNote.publicKeys): log.warning('No public key with ID [%s] found on attestor [%s]', key_id, attestor.name) console_io.PromptContinue( prompt_string='Create and upload Attestation anyway?', cancel_on_no=True) payload = binauthz_command_util.MakeSignaturePayload(args.artifact_url) kms_client = kms.Client() pubkey_response = kms_client.GetPublicKey(key_ref.RelativeName()) sign_response = kms_client.AsymmetricSign( key_ref.RelativeName(), kms.GetAlgorithmDigestType(pubkey_response.algorithm), payload) validation_callback = functools.partial( validation.validate_attestation, attestor_ref=attestor_ref, api_version=api_version) client = containeranalysis.Client( ca_apis.GetApiVersion(self.ReleaseTrack())) return client.CreateAttestationOccurrence( project_ref=project_ref, note_ref=note_ref, artifact_url=normalized_artifact_url, public_key_id=key_id, signature=sign_response.signature, plaintext=payload, validation_callback=(validation_callback if validation_enabled else None), )
def Run(self, args): normalized_artifact_url = None if args.artifact_url: normalized_artifact_url = binauthz_command_util.NormalizeArtifactUrl( args.artifact_url) attestor_ref = args.CONCEPTS.attestor.Parse() api_version = apis.GetApiVersion(self.ReleaseTrack()) attestor = attestors.Client(api_version).Get(attestor_ref) # TODO(b/79709480): Add other types of attestors if/when supported. note_ref = resources.REGISTRY.ParseResourceId( 'containeranalysis.projects.notes', attestor.userOwnedDrydockNote.noteReference, {}) client = containeranalysis.Client() return client.YieldAttestations( note_ref=note_ref, artifact_url=normalized_artifact_url, )
def SetUp(self): # We don't get our track from the base binauthz test because `CliTestBase` # clobbers it in its SetUp. self.track = calliope_base.ReleaseTrack.GA # CliTestBase sets this to True in its SetUp, but we only need to consume # the result of calling self.Run in their structured format. properties.VALUES.core.user_output_enabled.Set(False) self.ca_client = apis.GetClientInstance( containeranalysis.API_NAME, containeranalysis.DEFAULT_VERSION) self.ca_messages = self.ca_client.MESSAGES_MODULE self.note_id_generator = e2e_utils.GetResourceNameGenerator( prefix='test-aa-note') self.client = containeranalysis.Client() self.artifact_url = self.GenerateArtifactUrl() self.project_ref = resources.REGISTRY.Parse( self.Project(), collection='cloudresourcemanager.projects') self.note_id = next(self.note_id_generator) self.note_relative_name = 'projects/{}/notes/{}'.format( self.Project(), self.note_id) self.attestor_id = self.note_id self.attestor_relative_name = 'projects/{}/attestors/{}'.format( self.Project(), self.attestor_id)