def in_toto_verify(layout_path, layout_key_paths):
"""Loads layout file and layout keys from disk and performs all in-toto
verifications."""
try:
log.doing("load layout...")
layout = Layout.read_from_file(layout_path)
except Exception, e:
_die("in load layout - %s" % e)
def in_toto_verify(layout_path, layout_key_paths):
"""Loads layout file and layout keys from disk and performs all in-toto
verifications."""
try:
log.doing("load layout...")
layout = Layout.read_from_file(layout_path)
except Exception, e:
_die("in load layout - %s" % e)
def toto_verify(layout_path, layout_key):
global retval
# Load layout (validates format)
try:
log.doing("'%s' - load layout" % layout_path)
layout = toto.models.layout.Layout.read_from_file(layout_path)
except Exception, e:
log.error("in load layout - %s" % e)
return 1 # TODO: re-raise?
def in_toto_run(step_name, key_path, material_list, product_list,
link_cmd_args, record_byproducts=False):
"""Load link signing private keys from disk and runs passed command, storing
its materials, by-products and return value, and products into link metadata
file. The link metadata file is signed and stored to disk. """
try:
log.doing("load link signing key...")
key = toto.util.prompt_import_rsa_key_from_file(key_path)
except Exception, e:
_die("in load key - %s" % e)
def in_toto_run(step_name,
key_path,
material_list,
product_list,
link_cmd_args,
record_byproducts=False):
"""Load link signing private keys from disk and runs passed command, storing
its materials, by-products and return value, and products into link metadata
file. The link metadata file is signed and stored to disk. """
try:
log.doing("load link signing key...")
key = toto.util.prompt_import_rsa_key_from_file(key_path)
except Exception, e:
_die("in load key - %s" % e)
def in_toto_run(step_name,
key_path,
material_list,
product_list,
link_cmd_args,
record_byproducts=False):
"""Load link signing private keys from disk and runs passed command, storing
its materials, by-products and return value, and products into link metadata
file. The link metadata file is signed and stored to disk. """
if tpm.readFromTPM(23) == str(0):
tpm.set_register_23()
log.doing("TPM: First time running - creating entry for register 23.")
elif tpm.check_register_23():
log.doing("TPM: Check passed.")
else:
log.doing("TPM: Check failed. Exiting.")
sys.exit()
"""
if tpm.initialize_register_23():
log.doing("TPM check passed.")
else:
log.doing("TPM check failed, exiting.")
sys.exit()
"""
try:
log.doing("load link signing key...")
key = toto.util.prompt_import_rsa_key_from_file(key_path)
except Exception, e:
_die("in load key - %s" % e)
def _verify_rules(rules, source_type, item_name, item_link, step_links):
""" Iterates over list of rules and calls verify on them. """
global retval
for rule_data in rules:
try:
rule = toto.models.matchrule.Matchrule.read(rule_data)
rule.source_type = source_type
log.doing("'%s' - '%s' - verify %s matchrule - %s" \
% (layout_path, item_name, source_type, rule_data))
rule.verify_rule(item_link, step_links)
except toto.models.matchrule.RuleVerficationFailed, e:
log.failing("'%s' - '%s' - verify %s matchrule - %s" \
% (layout_path, item_name, source_type, e))
retval = 1
except Exception, e:
log.error("in verify matchrule - %s" % e)
def in_toto_verify(layout_path, layout_key_paths):
try:
log.doing("load layout...")
layout = Layout.read_from_file(layout_path)
except Exception, e:
_die("in load layout - %s" % e)
def _die(msg, exitcode=1):
log.failing(msg)
log.doing("Stopping installation process.")
sys.exit(exitcode)
self.successfully_installed = to_install
def _die(msg, exitcode=1):
log.failing(msg)
log.doing("Stopping installation process.")
sys.exit(exitcode)
def in_toto_verify(layout_path, layout_key_paths):
try:
log.doing("load layout...")
layout = Layout.read_from_file(layout_path)
except Exception, e:
_die("in load layout - %s" % e)
try:
log.doing("verify layout expiration")
toto.verifylib.verify_layout_expiration(layout)
except Exception, e:
_die("in verify layout expiration - %s" % e)
try:
log.doing("load layout keys...")
layout_key_dict = toto.util.import_rsa_public_keys_from_files_as_dict(
layout_key_paths)
except Exception, e:
_die("in load layout keys - %s" % e)
try:
log.doing("verify layout signatures...")
toto.verifylib.verify_layout_signatures(layout, layout_key_dict)
except Exception, e:
key_path,
material_list,
product_list,
link_cmd_args,
record_byproducts=False):
"""Load link signing private keys from disk and runs passed command, storing
its materials, by-products and return value, and products into link metadata
file. The link metadata file is signed and stored to disk. """
try:
log.doing("load link signing key...")
key = toto.util.prompt_import_rsa_key_from_file(key_path)
except Exception, e:
_die("in load key - %s" % e)
try:
log.doing("record materials...")
materials_dict = toto.runlib.record_artifacts_as_dict(material_list)
except Exception, e:
_die("in record materials - %s" % e)
try:
log.doing("run command...")
byproducts, return_value = toto.runlib.execute_link(
link_cmd_args, record_byproducts)
except Exception, e:
_die("in run command - %s" % e)
try:
log.doing("record products...")
products_dict = toto.runlib.record_artifacts_as_dict(product_list)
except Exception, e:
retval = 0
def toto_verify(layout_path, layout_key):
global retval
# Load layout (validates format)
try:
log.doing("'%s' - load layout" % layout_path)
layout = toto.models.layout.Layout.read_from_file(layout_path)
except Exception, e:
log.error("in load layout - %s" % e)
return 1 # TODO: re-raise?
try:
log.doing("'%s' - load key '%s'" % (layout_path, layout_key))
# FIXME: Change key load
layout_key_dict = toto.util.create_and_persist_or_load_key(layout_key)
except Exception, e:
log.error("in load key - %s" % e)
# Verify signature
try:
log.doing("'%s' - verify signature - key '%s'" \
% (layout_path, layout_key))
msg = "'%s' - verify signature" % layout_path
if layout.verify_signature(layout_key):
log.passing(msg)
def main():
print """
#############################################################################
# Define the supply chain
#############################################################################
"""
# Create keys
print "Generate keypair for Alice..."
toto.util.generate_and_write_rsa_keypair("alice")
print "Generate keypair for Bob..."
toto.util.generate_and_write_rsa_keypair("bob")
alice_public = toto.util.import_rsa_key_from_file("alice.pub")
bob_public = toto.util.import_rsa_key_from_file("bob.pub")
# Create Layout
layout = m.Layout.read({
"_type":
"layout",
"expires":
"EXPIRES",
"keys": {
alice_public["keyid"]: alice_public,
bob_public["keyid"]: bob_public
},
"steps": [{
"name": "write-code",
"material_matchrules": [],
"product_matchrules": [["CREATE", "foo.py"]],
"pubkeys": [alice_public["keyid"]],
"expected_command": "vi",
}, {
"name":
"package",
"material_matchrules": [
["MATCH", "PRODUCT", "foo.py", "FROM", "write-code"],
],
"product_matchrules": [
["CREATE", "foo.tar.gz"],
],
"pubkeys": [bob_public["keyid"]],
"expected_command":
"tar zcvf foo.tar.gz foo.py",
}],
"inspect": [{
"name":
"untar",
"material_matchrules":
[["MATCH", "PRODUCT", "foo.tar.gz", "FROM", "package"]],
"product_matchrules": [
["MATCH", "PRODUCT", "foo.py", "FROM", "write-code"],
],
"run":
"tar xfz foo.tar.gz",
}],
"signatures": []
})
# Sign and dump layout
print "Load alice private key to sign layout..."
alice_private = toto.util.import_rsa_key_from_file("alice")
layout.sign(alice_private)
layout.dump()
# Check if dumping - reading - dumping produces the same layout
# layout_same = m.Layout.read_from_file("root.layout")
# if repr(layout) != repr(layout_same):
# log.failing("There is something wrong with layout de-/serialization")
wait_for_y("Wanna do the peachy supply chain?")
print """
#############################################################################
# Do the peachy supply chain
#############################################################################
"""
write_code_cmd = "python -m toto.toto-run "\
"--name write-code --products foo.py "\
"--key alice -- vi foo.py"
log.doing("(Alice) - %s" % write_code_cmd)
wait_for_y("Wanna drop to vi and write peachy code?")
subprocess.call(write_code_cmd.split())
package_cmd = "python -m toto.toto-run "\
"--name package --material foo.py --products foo.tar.gz "\
"--key bob --record-byproducts -- tar zcvf foo.tar.gz foo.py"
log.doing("(Bob) - %s" % package_cmd)
subprocess.call(package_cmd.split())
print """
#############################################################################
# Verify the peachy supply chain
#############################################################################
"""
wait_for_y("Wanna verify peachy supply chain?")
verify_cmd = "python -m toto.toto-verify "\
"--layout root.layout "\
"--layout-key alice"
log.doing("(User) - %s" % verify_cmd)
subprocess.call(verify_cmd.split())
wait_for_y("Wanna do the failing supply chain?")
print """
#############################################################################
# Do the failing supply chain
#############################################################################
"""
write_code_cmd = "python -m toto.toto-run "\
"--name write-code --products foo.py "\
"--key alice -- vi foo.py"
log.doing("(Alice) - %s" % write_code_cmd)
wait_for_y("Wanna drop to vi and write peachy code?")
subprocess.call(write_code_cmd.split())
bad_cmd = "vi foo.py"
wait_for_y("Wanna drop to vi and write baaad code?")
log.doing("(Malory) - %s" % bad_cmd)
subprocess.call(bad_cmd.split())
package_cmd = "python -m toto.toto-run "\
"--name package --material foo.py --products foo.tar.gz "\
"--key bob --record-byproducts -- tar zcvf foo.tar.gz foo.py"
log.doing("(Bob) - %s" % package_cmd)
subprocess.call(package_cmd.split())
print """
#############################################################################
# Verify the failing supply chain
#############################################################################
"""
verify_cmd = "python -m toto.toto-verify "\
"--layout root.layout "\
"--layout-key alice"
log.doing("(User) - %s" % verify_cmd)
subprocess.call(verify_cmd.split())
log.error(msg)
sys.exit(exitcode)
def in_toto_run(step_name, key_path, material_list, product_list,
link_cmd_args, record_byproducts=False):
"""Load link signing private keys from disk and runs passed command, storing
its materials, by-products and return value, and products into link metadata
file. The link metadata file is signed and stored to disk. """
try:
log.doing("load link signing key...")
key = toto.util.prompt_import_rsa_key_from_file(key_path)
except Exception, e:
_die("in load key - %s" % e)
try:
log.doing("record materials...")
materials_dict = toto.runlib.record_artifacts_as_dict(material_list)
except Exception, e:
_die("in record materials - %s" % e)
try:
log.doing("run command...")
byproducts, return_value = toto.runlib.execute_link(link_cmd_args,
record_byproducts)
except Exception, e:
_die("in run command - %s" % e)
try:
log.doing("record products...")
products_dict = toto.runlib.record_artifacts_as_dict(product_list)
except Exception, e: