def setUpClass(self): # Create layout with one inspection self.layout = Layout.read({ "_type": "layout", "inspect": [], "steps": [{ "name": "run-command", "expected_command": ["{EDITOR}"], }] }) # Backup original cwd self.working_dir = os.getcwd() # Find demo files demo_files = os.path.join(os.path.dirname(os.path.realpath(__file__)), "demo_files") # Create and change into temporary directory self.test_dir = os.path.realpath(tempfile.mkdtemp()) os.chdir(self.test_dir) # Copy demo files to temp dir for file in os.listdir(demo_files): shutil.copy(os.path.join(demo_files, file), self.test_dir) # load alice's key self.alice = import_rsa_key_from_file("alice") self.alice_pub_dict = import_public_keys_from_files_as_dict( ["alice.pub"])
def setUp(self): self.layout = Layout.read({ "_type": "layout", "inspect": [{ "name": "do-the-thing", "expected_materials": [ ["MATCH", "{SOURCE_THING}", "WITH", "MATERIALS", "FROM", "{SOURCE_STEP}"] ], "expected_products": [ ["CREATE", "{NEW_THING}"] ] }], "steps": [{ "name": "artifacts", "expected_command": [], "expected_materials": [ ["MATCH", "{SOURCE_THING}", "WITH", "MATERIALS", "FROM", "{SOURCE_STEP}"] ], "expected_products": [ ["CREATE", "{NEW_THING}"] ] }] })
def load(path): """Loads the JSON string representation of in-toto metadata from disk. Arguments: path: The path to read the file from. Raises: IOError: The file cannot be written. securesystemslib.exceptions.FormatError: Metadata format is invalid. Returns: A Metablock object whose signable attribute is either a Link or a Layout object. """ with open(path, "r") as fp: data = json.load(fp) signatures = data.get("signatures", []) signed_data = data.get("signed", {}) signed_type = signed_data.get("_type") if signed_type == "link": signed = Link.read(signed_data) elif signed_type == "layout": signed = Layout.read(signed_data) else: raise securesystemslib.exceptions.FormatError( "Invalid Metadata format") return Metablock(signatures=signatures, signed=signed)
def main(): key_owner = interface.import_rsa_privatekey_from_file("./keys/owner") key_clone = interface.import_rsa_publickey_from_file("./keys/clone.pub") key_build = interface.import_rsa_publickey_from_file("./keys/build.pub") key_build_image = interface.import_rsa_publickey_from_file( "./keys/build-image.pub") layout = Layout.read({ "_type": "layout", "keys": { key_clone["keyid"]: key_clone, key_build["keyid"]: key_build, key_build_image["keyid"]: key_build_image, }, "steps": [{ "name": "clone", "expected_materials": [["DISALLOW", "*"]], "expected_products": [["CREATE", "*"]], "pubkeys": [key_clone["keyid"]], "expected_command": [ "git", "clone", "https://gitlab.com/boxboat/demos/intoto-spire/go-hello-world" ], "threshold": 1, }, { "name": "build", "expected_materials": [["MATCH", "*", "WITH", "PRODUCTS", "FROM", "clone"], ["DISALLOW", "*"]], "expected_products": [["CREATE", "go-hello-world"], ["DISALLOW", "*"]], "pubkeys": [key_build["keyid"]], "expected_command": ["go", "build", "./..."], "threshold": 1, }, { "name": "build-image", "expected_materials": [["MATCH", "*", "WITH", "PRODUCTS", "FROM", "clone"], ["DISALLOW", "*"]], "expected_products": [["CREATE", "image-id"], ["CREATE", "go-hello-world.tar"], ["DISALLOW", "*"]], "pubkeys": [key_build_image["keyid"]], "threshold": 1, }], "inspect": [] }) metadata = Metablock(signed=layout) # Sign and dump layout to "root.layout" metadata.sign(key_owner) metadata.dump("root.layout")
def setUpClass(self): # Create layout with one inspection self.layout = Layout.read({ "_type": "layout", "inspect": [], "steps": [{ "name": "run-command", "expected_command": ["{EDITOR}"], }] }) super(Test_SubstituteOnVerify, self).setUpClass() # Find demo files demo_files = os.path.join(os.path.dirname(os.path.realpath(__file__)), "demo_files") # Copy demo files to temp dir for file in os.listdir(demo_files): shutil.copy(os.path.join(demo_files, file), self.test_dir) # load alice's key self.alice = import_rsa_key_from_file("alice") self.alice_pub_dict = import_public_keys_from_files_as_dict( ["alice.pub"])
def setUp(self): # Create layout with one inspection self.layout = Layout.read({ "_type": "layout", "inspect": [], "steps": [{ "name": "run-command", "expected_command": ["{EDITOR}"], }]})
def test_inspection_fail_with_non_zero_retval(self): """Test fail run inspections with non-zero return value. """ layout = Layout.read({ "_type": "layout", "steps": [], "inspect": [{ "name": "non-zero-inspection", "run": "expr 1 / 0", }] }) with self.assertRaises(BadReturnValueError): run_all_inspections(layout)
def setUp(self): """ Create layout with dummy inspection """ # Create layout with one inspection self.layout = Layout.read({ "_type": "layout", "steps": [], "inspect": [{ "name": "run-command", "run": ["{COMMAND}"], }] })
def main(): key_owner = import_rsa_key_from_file("dependency_owner") key_developer = import_rsa_key_from_file("../developer/developer.pub") key_reviewer = import_rsa_key_from_file("../reviewer/reviewer.pub") layout = Layout.read({ "_type": "layout", "keys": { key_developer["keyid"]: key_developer, key_reviewer["keyid"]: key_reviewer, }, "steps": [{ "name": "dependency-develop", "expected_materials": [], "expected_products": [ ["CREATE", "../dependency/demo.py"], ["DISALLOW", "*"] ], "pubkeys": [key_developer["keyid"]], "expected_command": [], "threshold": 1, },{ "name": "dependency-code-review", "expected_materials": [ ["MATCH", "../dependency/demo.py", "WITH", "PRODUCTS", "FROM", "dependency-develop"], ["DISALLOW", "*"] ], "expected_products": [ ["ALLOW", "../dependency/demo.py"], ["DISALLOW", "*"] ], "pubkeys": [key_reviewer["keyid"]], "expected_command": [], "threshold": 1, }, ], "inspect": [], }) metadata = Metablock(signed=layout) # Sign and dump layout to "root.layout" metadata.sign(key_owner) metadata.dump("../metadata_dependency/root.layout")
def setUpClass(self): """ Create layout with dummy inpsection. Create and change into temp test directory with dummy artifact.""" # Create layout with one inspection self.layout = Layout.read({ "_type": "layout", "steps": [], "inspect": [{ "name": "touch-bar", "run": "touch bar", }] }) # Create directory where the verification will take place self.working_dir = os.getcwd() self.test_dir = os.path.realpath(tempfile.mkdtemp()) os.chdir(self.test_dir) open("foo", "w").write("foo")
def load(path): """ <Purpose> Loads the JSON string representation of signed metadata from disk and creates a Metablock object. The `signed` attribute of the Metablock object is assigned a Link or Layout object, depending on the `_type` field in the loaded metadata file. <Arguments> path: The path to write the file to. <Side Effects> Reading metadata file from disk <Returns> None. """ with open(path, "r") as fp: data = json.load(fp) signatures = data.get("signatures", []) signed_data = data.get("signed", {}) signed_type = signed_data.get("_type") if signed_type == "link": signed = Link.read(signed_data) elif signed_type == "layout": signed = Layout.read(signed_data) else: raise securesystemslib.exceptions.FormatError( "Invalid Metadata format") return Metablock(signatures=signatures, signed=signed)
def main(): # Load Jerry's private key to later sign the layout key_jerry = interface.import_rsa_privatekey_from_file("jerry") # Fetch and load Bob's and Alice's public keys # to specify that they are authorized to perform certain step in the layout key_alice = interface.import_rsa_publickey_from_file( "../functionary_alice/alice.pub") key_bob = interface.import_rsa_publickey_from_file( "../functionary_bob/bob.pub") layout = Layout.read({ "_type": "layout", "keys": { key_bob["keyid"]: key_bob, key_alice["keyid"]: key_alice, }, "steps": [{ "name": "clone", "expected_materials": [], "expected_products": [["CREATE", "inclavare-containers/rbi/kata-agent/Dockerfile"], [ "CREATE", "inclavare-containers/rbi/kata-agent/kata-build-docker.sh" ], [ "CREATE", "inclavare-containers/rbi/kata-agent/kata-source-code.sh" ], ["CREATE", "inclavare-containers/rbi/kata-agent/kata-test.sh"], [ "CREATE", "inclavare-containers/rbi/kata-agent/patch/Cargo.lock" ], ["CREATE", "inclavare-containers/rbi/kata-agent/patch/Makefile"], ["CREATE", "inclavare-containers/rbi/kata-agent/patch/protocols"], [ "CREATE", "inclavare-containers/rbi/kata-agent/patch/protocols/Cargo.toml" ], ["CREATE", "inclavare-containers/rbi/kata-agent/readme.md"], ["CREATE", "inclavare-containers/rbi/kata-agent/readme_cn.md"], [ "CREATE", "inclavare-containers/rbi/kata-agent/scripts/start.sh" ], ["CREATE", "inclavare-containers/rbi/misc/check-integrity.sh"]], "pubkeys": [key_alice["keyid"]], "expected_command": [ "git", "clone", "https://github.com/alibaba/inclavare-containers.git" ], "threshold": 1, }, { "name": "build", "expected_materials": [ [ "MATCH", "inclavare-containers/rbi/kata-agent/Dockerfile", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kata-agent/kata-build-docker.sh", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kata-agent/kata-source-code.sh", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kata-agent/kata-test.sh", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kata-agent/patch/Cargo.lock", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kata-agent/patch/Makefile", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kata-agent/patch/protocols", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kata-agent/patch/protocols/Cargo.toml", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kata-agent/readme.md", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kata-agent/readme_cn.md", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kata-agent/scripts/start.sh", "WITH", "PRODUCTS", "FROM", "clone" ] ], "expected_products": [ [ "CREATE", "inclavare-containers/rbi/result/kata-agent/kata-agent" ], ], "pubkeys": [key_bob["keyid"]], "expected_command": [ "bash", "inclavare-containers/rbi/rbi.sh", "agent", ], "threshold": 1, }], "inspect": [{ "name": "integrity", "expected_materials": [ [ "MATCH", "inclavare-containers/rbi/result/kata-agent/kata-agent", "WITH", "PRODUCTS", "FROM", "build" ], [ "MATCH", "inclavare-containers/rbi/misc/check-integrity.sh", "WITH", "PRODUCTS", "FROM", "clone" ], # FIXME: If the routine running inspections would gather the # materials/products to record from the rules we wouldn't have to # ALLOW other files that we aren't interested in. ["ALLOW", "jerry.pub"], ["ALLOW", "root.layout"], ["ALLOW", ".keep"] ], "expected_products": [ [ "CREATE", "inclavare-containers/rbi/result/kata-agent/.check_done" ], # FIXME: See expected_materials above ["ALLOW", "jerry.pub"], ["ALLOW", "root.layout"], ["ALLOW", ".keep"] ], "run": [ "bash", "inclavare-containers/rbi/misc/check-integrity.sh", "inclavare-containers/rbi/result/kata-agent/kata-agent", SHA256_VALUE ] }], }) metadata = Metablock(signed=layout) # Sign and dump layout to "root.layout" metadata.sign(key_jerry) metadata.dump("root.layout")
def main(): # Load Alice's private key to later sign the layout key_alice = interface.import_rsa_privatekey_from_file("alice") # Fetch and load Bob's and Carl's public keys # to specify that they are authorized to perform certain step in the layout key_bob = interface.import_rsa_publickey_from_file( "../functionary_bob/bob.pub") key_carl = interface.import_rsa_publickey_from_file( "../functionary_carl/carl.pub") layout = Layout.read({ "_type": "layout", "keys": { key_bob["keyid"]: key_bob, key_carl["keyid"]: key_carl, }, "steps": [{ "name": "clone", "expected_materials": [], "expected_products": [["CREATE", "demo-project/foo.py"], ["DISALLOW", "*"]], "pubkeys": [key_bob["keyid"]], "expected_command": ["git", "clone", "https://github.com/in-toto/demo-project.git"], "threshold": 1, }, { "name": "update-version", "expected_materials": [["MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM", "clone"], ["DISALLOW", "*"]], "expected_products": [["ALLOW", "demo-project/foo.py"], ["DISALLOW", "*"]], "pubkeys": [key_bob["keyid"]], "expected_command": [], "threshold": 1, }, { "name": "package", "expected_materials": [ [ "MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM", "update-version" ], ["DISALLOW", "*"], ], "expected_products": [ ["CREATE", "demo-project.tar.gz"], ["DISALLOW", "*"], ], "pubkeys": [key_carl["keyid"]], "expected_command": [ "tar", "--exclude", ".git", "-zcvf", "demo-project.tar.gz", "demo-project", ], "threshold": 1, }], "inspect": [{ "name": "untar", "expected_materials": [ [ "MATCH", "demo-project.tar.gz", "WITH", "PRODUCTS", "FROM", "package" ], # FIXME: If the routine running inspections would gather the # materials/products to record from the rules we wouldn't have to # ALLOW other files that we aren't interested in. ["ALLOW", ".keep"], ["ALLOW", "alice.pub"], ["ALLOW", "root.layout"], ["DISALLOW", "*"] ], "expected_products": [ [ "MATCH", "demo-project/foo.py", "WITH", "PRODUCTS", "FROM", "update-version" ], # FIXME: See expected_materials above ["ALLOW", "demo-project/.git/*"], ["ALLOW", "demo-project.tar.gz"], ["ALLOW", ".keep"], ["ALLOW", "alice.pub"], ["ALLOW", "root.layout"], ["DISALLOW", "*"] ], "run": [ "tar", "xzf", "demo-project.tar.gz", ] }], }) metadata = DbomMetablock(signed=layout) # Sign and dump layout to "root.layout" metadata.sign(key_alice) metadata.save_owner_key(key_alice, assetID) metadata.dump("root.layout") metadata.save_layout("root.layout", assetID)
def main(): # Load Alice's private key to later sign the layout key_alice = import_rsa_key_from_file("alice") # Fetch and load Bob's and Carl's public keys # to specify that they are authorized to perform certain step in the layout key_bob = import_rsa_key_from_file("../functionary_bob/bob.pub") key_carl = import_rsa_key_from_file("../functionary_carl/carl.pub") layout = Layout.read({ "signed": { "_type": "layout", "keys": { key_bob["keyid"]: key_bob, key_carl["keyid"]: key_carl, }, "steps": [{ "name": "setup-project", "expected_materials": [], "expected_products": [["CREATE", "project.meta"], ["CREATE", "package.meta"]], "pubkeys": [key_bob["keyid"]], "expected_command": "", "threshold": 1, }, { "name": "clone", "expected_materials": [], "expected_products": [["CREATE", "connman/_service"], ["CREATE", "connman/connman-1.30.tar.gz"], ["CREATE", "connman/connman-1.30.tar.sign"], ["CREATE", "connman/connman-rpmlintrc"], ["CREATE", "connman/connman.changes"], ["CREATE", "connman/connman.keyring"], ["CREATE", "connman/connman.spec"]], "pubkeys": [key_bob["keyid"]], "expected_command": "", "threshold": 1, }, { "name": "update-changelog", "expected_materials": [[ "MATCH", "connman/connman.changes", "WITH", "PRODUCTS", "FROM", "clone" ]], "expected_products": [["ALLOW", "connman/connman.changes"]], "pubkeys": [key_bob["keyid"]], "expected_command": "", "threshold": 1, }, { "name": "test", "expected_materials": [], "expected_products": [], "pubkeys": [key_carl["keyid"]], "expected_command": "osc build openSUSE_Factory x86_64 connman/connman.spec", "threshold": 1, }, { "name": "package", "expected_materials": [ [ "MATCH", "connman/_service", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "connman/connman-1.30.tar.gz", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "connman/connman-1.30.tar.sign", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "connman/connman-rpmlintrc", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "connman/connman.changes", "WITH", "PRODUCTS", "FROM", "update-changelog" ], [ "MATCH", "connman/connman.keyring", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "connman/connman.spec", "WITH", "PRODUCTS", "FROM", "clone" ], ], "expected_products": [ ["CREATE", "connman-1.30-1.1.src.rpm"], ], "pubkeys": [key_carl["keyid"]], "expected_command": "", "threshold": 1, }], "inspect": [ { "name": "unpack", "expected_materials": [ [ "MATCH", "connman-1.30-1.1.src.rpm", "WITH", "PRODUCTS", "FROM", "package" ], # FIXME: If the routine running inspections would gather the # materials/products to record from the rules we wouldn't have to # ALLOW other files that we aren't interested in. ["ALLOW", ".keep"], ["ALLOW", "alice.pub"], ["ALLOW", "verify-signature.sh"], ["ALLOW", "root.layout"], ], "expected_products": [ [ "MATCH", "connman-1.30-1.1.src.rpm", "WITH", "PRODUCTS", "FROM", "package" ], [ "MATCH", "connman-1.30.tar.gz", "WITH", "PRODUCTS", "IN", "connman", "FROM", "clone" ], [ "MATCH", "_service", "WITH", "PRODUCTS", "IN", "connman", "FROM", "clone" ], [ "MATCH", "connman-1.30.tar.sign", "WITH", "PRODUCTS", "IN", "connman", "FROM", "clone" ], [ "MATCH", "connman-rpmlintrc", "WITH", "PRODUCTS", "IN", "connman", "FROM", "clone" ], [ "MATCH", "connman.changes", "WITH", "PRODUCTS", "IN", "connman", "FROM", "update-changelog" ], [ "MATCH", "connman.keyring", "WITH", "PRODUCTS", "IN", "connman", "FROM", "clone" ], # FIXME: hash doesn't match for this file because connman.spec in # rpm has changelog appended to it and release number incremented. ["ALLOW", "connman.spec"], ["ALLOW", ".keep"], ["ALLOW", "alice.pub"], ["ALLOW", "verify-signature.sh"], ["ALLOW", "root.layout"], ], "run": "unrpm connman-1.30-1.1.src.rpm", }, { "name": "verify-signature", "expected_materials": [["ALLOW", "*"]], "expected_products": [["ALLOW", "*"]], "run": "./verify-signature.sh", } ], }, "signatures": [] }) # Sign and dump layout to "layout.root" layout.sign(key_alice) layout.dump()
def main(): # Load Alice's private key to later sign the layout key_alice = import_rsa_key_from_file("alice") # Fetch and load Bob's and Carl's public keys # to specify that they are authorized to perform certain step in the layout key_bob = import_rsa_key_from_file("../functionary_bob/bob.pub") key_carl = import_rsa_key_from_file("../functionary_carl/carl.pub") layout = Layout.read({ "_type": "layout", "keys": { key_bob["keyid"]: key_bob, key_carl["keyid"]: key_carl, }, "steps": [ { "name": "clone", "material_matchrules": [], "product_matchrules": [["CREATE", "demo-project/foo.py"]], "pubkeys": [key_bob["keyid"]], "expected_command": "git clone https://github.com/in-toto/demo-project.git", "threshold": 1, }, { "name": "update-version", "material_matchrules": [[ "MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM", "clone" ]], # FIXME: CREATE is more like an allow here, is fixed in next version "product_matchrules": [["ALLOW", "demo-project/foo.py"]], "pubkeys": [key_bob["keyid"]], "expected_command": "", "threshold": 1, }, { "name": "package", "material_matchrules": [ [ "MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM", "update-version" ], ], "product_matchrules": [ ["CREATE", "demo-project.tar.gz"], ], "pubkeys": [key_carl["keyid"]], "expected_command": "tar --exclude '.git' -zcvf demo-project.tar.gz demo-project", "threshold": 1, } ], "inspect": [{ "name": "untar", "material_matchrules": [ [ "MATCH", "demo-project.tar.gz", "WITH", "PRODUCTS", "FROM", "package" ], # FIXME: If the routine running inspections would gather the # materials/products to record from the rules we wouldn't have to # ALLOW other files that we aren't interested in. ["ALLOW", ".keep"], ["ALLOW", "alice.pub"], ["ALLOW", "root.layout"], ], "product_matchrules": [ [ "MATCH", "demo-project/foo.py", "WITH", "PRODUCTS", "FROM", "update-version" ], # FIXME: See material_matchrules above ["ALLOW", "demo-project/.git/*"], ["ALLOW", "demo-project.tar.gz"], ["ALLOW", ".keep"], ["ALLOW", "alice.pub"], ["ALLOW", "root.layout"], ], "run": "tar xzf demo-project.tar.gz", }], "signatures": [] }) # Sign and dump layout to "layout.root" layout.sign(key_alice) layout.dump()
#!/usr/bin/env python from in_toto.models.layout import Layout, Step, Inspection import in_toto.util import json import datetime if __name__: # Get keys santiago_key = in_toto.util.import_rsa_key_from_file("santiago.pub") justin_key = in_toto.util.import_rsa_key_from_file("justin") with open("root.layout") as fp: info = json.load(fp) l = Layout.read(info) l.sign(justin_key) l.dump()
def main(): # Load Niels's private key to later sign the layout key_niels = import_rsa_key_from_file("niels") # Fetch and load aimee's and noud's public keys # to specify that they are authorized to perform certain step in the layout key_aimee = import_rsa_key_from_file("../functionary_aimee/aimee.pub") key_noud = import_rsa_key_from_file("../functionary_noud/noud.pub") layout = Layout.read({ "_type": "layout", "keys": { key_aimee["keyid"]: key_aimee, key_noud["keyid"]: key_noud, }, "steps": [{ "name": "create", "expected_materials": [], "expected_products": [["CREATE", "app/Program.cs"], ["DISALLOW", "*"]], "pubkeys": [key_aimee["keyid"]], "expected_command": [ "dotnet", "new", "console", "-n", "app" ], "threshold": 1, },{ "name": "publish", "expected_materials": [ ["MATCH", "app/Program.cs", "WITH", "PRODUCTS", "FROM", "create"], ["DISALLOW", "*"], ], "expected_products": [["CREATE", "published/app"], ["CREATE", "published/app.*"], ["DISALLOW", "*"]], "pubkeys": [key_noud["keyid"]], "expected_command": [ "dotnet", "publish", "-o", "published", "app" ], "threshold": 1, },{ "name": "package", "expected_materials": [ ["MATCH", "published/*", "WITH", "PRODUCTS", "FROM", "publish"], ["DISALLOW", "*"], ], "expected_products": [ ["CREATE", "published.tar.gz"], ["DISALLOW", "*"], ], "pubkeys": [key_noud["keyid"]], "expected_command": [ "tar", "-zcvf", "published.tar.gz", "published", ], "threshold": 1, }], "inspect": [{ "name": "untar", "expected_materials": [ ["MATCH", "published.tar.gz", "WITH", "PRODUCTS", "FROM", "package"], # FIXME: If the routine running inspections would gather the # materials/products to record from the rules we wouldn't have to # ALLOW other files that we aren't interested in. ["ALLOW", ".keep"], ["ALLOW", "niels.pub"], ["ALLOW", "root.layout"], ["DISALLOW", "*"] ], "expected_products": [ ["MATCH", "published/*", "WITH", "PRODUCTS", "FROM", "publish"], # FIXME: See expected_materials above ["ALLOW", "published/app.*"], ["ALLOW", "published.tar.gz"], ["ALLOW", ".keep"], ["ALLOW", "niels.pub"], ["ALLOW", "root.layout"], ["DISALLOW", "*"] ], "run": [ "tar", "xzf", "published.tar.gz", ] }], }) metadata = Metablock(signed=layout) # Sign and dump layout to "root.layout" metadata.sign(key_niels) metadata.dump("root.layout")
def main(): key_owner = import_rsa_key_from_file("target_owner") key_dependency_owner = import_rsa_key_from_file("dependency_owner.pub") key_developer = import_rsa_key_from_file("../developer/developer.pub") key_reviewer = import_rsa_key_from_file("../reviewer/reviewer.pub") key_xray = import_rsa_key_from_file("../xray/xray.pub") layout = Layout.read({ "_type": "layout", "keys": { key_developer["keyid"]: key_developer, key_reviewer["keyid"]: key_reviewer, key_xray["keyid"]: key_xray, key_dependency_owner["keyid"]: key_dependency_owner, }, "steps": [ { "name": "target-develop", "expected_materials": [], "expected_products": [["CREATE", "../target/demo.py"], ["DISALLOW", "*"]], "pubkeys": [key_developer["keyid"]], "expected_command": [], "threshold": 1, }, { "name": "target-code-review", "expected_materials": [[ "MATCH", "../target/demo.py", "WITH", "PRODUCTS", "FROM", "target-develop" ], ["DISALLOW", "*"]], "expected_products": [["ALLOW", "../target/demo.py"], ["DISALLOW", "*"]], "pubkeys": [key_reviewer["keyid"]], "expected_command": [], "threshold": 1, }, { "name": "target-get-dependency", "expected_materials": [], "expected_products": [ ["ALLOW", "../dependency/demo.py"], ["DISALLOW", "*"], ], "pubkeys": [key_dependency_owner["keyid"]], "expected_command": [], "threshold": 1, }, { "name": "target-jfrog-xray", "expected_materials": [ [ "MATCH", "../target/demo.py", "WITH", "PRODUCTS", "FROM", "target-develop" ], ["DISALLOW", "*"], ], "expected_products": [ ["CREATE", "../reports/jfrog-xray-report.json"], ["DISALLOW", "*"], ], "pubkeys": [key_xray["keyid"]], "expected_command": ["python", "generate_report.py"], "threshold": 1, }, ], "inspect": [{ "name": "target-check-vulnerability-report", "expected_materials": [ [ "MATCH", "../reports/jfrog-xray-report.json", "WITH", "PRODUCTS", "FROM", "target-jfrog-xray" ], ], "expected_products": [], "run": ["python", "scripts/validate_jfrog_xray_report.py"], }], }) metadata = Metablock(signed=layout) # Sign and dump layout to "root.layout" metadata.sign(key_owner) metadata.dump("../metadata_target/root.layout")
def main(): # Load Jerry's private key to later sign the layout key_jerry = interface.import_rsa_privatekey_from_file("jerry") # Fetch and load Bob's and Alice's public keys # to specify that they are authorized to perform certain step in the layout key_alice = interface.import_rsa_publickey_from_file( "../functionary_alice/alice.pub") key_bob = interface.import_rsa_publickey_from_file( "../functionary_bob/bob.pub") layout = Layout.read({ "_type": "layout", "keys": { key_bob["keyid"]: key_bob, key_alice["keyid"]: key_alice, }, "steps": [{ "name": "clone", "expected_materials": [], "expected_products": [["CREATE", "inclavare-containers/rbi/kernel/Dockerfile"], [ "CREATE", "inclavare-containers/rbi/kernel/build-docker-image.sh" ], ["CREATE", "inclavare-containers/rbi/kernel/build-kernel.sh"], ["CREATE", "inclavare-containers/rbi/kernel/check-integrity.sh"], [ "CREATE", "inclavare-containers/rbi/kernel/patch/build-kernel.sh" ], ["CREATE", "inclavare-containers/rbi/kernel/scripts/start.sh"], ["CREATE", "inclavare-containers/rbi/misc/check-integrity.sh"]], "pubkeys": [key_alice["keyid"]], "expected_command": [ "git", "clone", "https://github.com/alibaba/inclavare-containers.git" ], "threshold": 1, }, { "name": "build", "expected_materials": [[ "MATCH", "inclavare-containers/rbi/kernel/Dockerfile", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kernel/build-docker-image.sh", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kernel/build-kernel.sh", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kernel/check-integrity.sh", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kernel/patch/build-kernel.sh", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kernel/readme.md", "WITH", "PRODUCTS", "FROM", "clone" ], [ "MATCH", "inclavare-containers/rbi/kernel/scripts/start.sh", "WITH", "PRODUCTS", "FROM", "clone" ]], "expected_products": [ ["CREATE", "inclavare-containers/rbi/result/kernel/vmlinux"], ], "pubkeys": [key_bob["keyid"]], "expected_command": [ "bash", "inclavare-containers/rbi/rbi.sh", "kernel", ], "threshold": 1, }], "inspect": [{ "name": "integrity", "expected_materials": [ [ "MATCH", "inclavare-containers/rbi/result/kernel/vmlinux", "WITH", "PRODUCTS", "FROM", "build" ], [ "MATCH", "inclavare-containers/rbi/misc/check-integrity.sh", "WITH", "PRODUCTS", "FROM", "clone" ], ["ALLOW", "jerry.pub"], ["ALLOW", "root.layout"], ["ALLOW", ".keep"] ], "expected_products": [ [ "CREATE", "inclavare-containers/rbi/result/kernel/.check_done" ], # FIXME: See expected_materials above ["ALLOW", "jerry.pub"], ["ALLOW", "root.layout"], ["ALLOW", ".keep"] ], "run": [ "bash", "inclavare-containers/rbi/misc/check-integrity.sh", "inclavare-containers/rbi/result/kernel/vmlinux", SHA256_VALUE ] }], }) metadata = Metablock(signed=layout) # Sign and dump layout to "root.layout" metadata.sign(key_jerry) metadata.dump("root.layout")
def setUp(self): """Imports keys, generates layout and layout_key_dict for the clone, update-version, and package step.""" self.key_alice = interface.import_rsa_privatekey_from_file( "keys/alice") # Fetch and load Bob's and Carl's public keys # to specify that they are authorized to perform certain step in the layout self.key_bob = interface.import_rsa_publickey_from_file("keys/bob.pub") self.key_carl = interface.import_rsa_publickey_from_file( "keys/carl.pub") # Create layout self.layout = Layout.read({ "_type": "layout", "keys": { self.key_bob["keyid"]: self.key_bob, self.key_carl["keyid"]: self.key_carl, }, "steps": [{ "name": "clone", "expected_materials": [], "expected_products": [["CREATE", "demo-project/foo.py"], ["DISALLOW", "*"]], "pubkeys": [self.key_bob["keyid"]], "expected_command": [ "git", "clone", "https://github.com/in-toto/demo-project.git" ], "threshold": 1, }, { "name": "update-version", "expected_materials": [[ "MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM", "clone" ], ["DISALLOW", "*"]], "expected_products": [["ALLOW", "demo-project/foo.py"], ["DISALLOW", "*"]], "pubkeys": [self.key_bob["keyid"]], "expected_command": [], "threshold": 1, }, { "name": "package", "expected_materials": [ [ "MATCH", "demo-project/*", "WITH", "PRODUCTS", "FROM", "update-version" ], ["DISALLOW", "*"], ], "expected_products": [ ["CREATE", "demo-project.tar.gz"], ["DISALLOW", "*"], ], "pubkeys": [self.key_carl["keyid"]], "expected_command": [ "tar", "--exclude", ".git", "-zcvf", "demo-project.tar.gz", "demo-project", ], "threshold": 1, }], "inspect": [], }) self.metadata = Metablock(signed=self.layout) self.metadata.sign(self.key_alice) # Create the public key dict self.layout_key_dict = {} self.layout_key_dict.update( interface.import_publickeys_from_file(["keys/alice.pub"]))