  def Run(self, args):
    """Signs an artifact URL with a Cloud KMS key and records the attestation.

    Resolves the attestor, the Container Analysis note it is backed by and
    the KMS key version, signs the signature payload for the artifact with
    that key and creates an attestation occurrence for the artifact.

    Args:
      args: Parsed command-line arguments. Reads artifact_url,
        public_key_id_override, the attestor and keyversion concepts and,
        when the flag is registered, validate.

    Returns:
      Whatever containeranalysis.Client.CreateAttestationOccurrence returns
      for the new occurrence.
    """
    project = properties.VALUES.core.project.Get(required=True)
    project_ref = resources.REGISTRY.Parse(
        project, collection='cloudresourcemanager.projects')
    artifact_url = binauthz_command_util.NormalizeArtifactUrl(
        args.artifact_url)

    attestor_ref = args.CONCEPTS.attestor.Parse()
    keyversion_ref = args.CONCEPTS.keyversion.Parse()

    # NOTE: This will hit the alpha Binauthz API until we promote this command
    # to the beta surface or hardcode it e.g. to Beta.
    binauthz_api_version = apis.GetApiVersion(self.ReleaseTrack())
    attestor = attestors.Client(binauthz_api_version).Get(attestor_ref)
    # TODO(b/79709480): Add other types of attestors if/when supported.
    drydock_note = attestor.userOwnedDrydockNote
    note_ref = resources.REGISTRY.ParseResourceId(
        'containeranalysis.projects.notes', drydock_note.noteReference, {})

    # An explicit override wins over the key version's KMS URI.
    key_id = args.public_key_id_override or kms.GetKeyUri(keyversion_ref)

    # TODO(b/138719072): Remove when validation is on by default
    validation_enabled = 'validate' in args and args.validate
    if not validation_enabled:
      # Without server-side validation the only guard against signing with a
      # key the attestor does not list is this client-side lookup, and the
      # user may still choose to continue past it.
      known_key_ids = {pubkey.id for pubkey in drydock_note.publicKeys}
      if key_id not in known_key_ids:
        log.warning('No public key with ID [%s] found on attestor [%s]', key_id,
                    attestor.name)
        console_io.PromptContinue(
            prompt_string='Create and upload Attestation anyway?',
            cancel_on_no=True)

    # NOTE(review): the payload is built from the raw args.artifact_url while
    # the occurrence below is created with the normalized URL; confirm that
    # MakeSignaturePayload normalizes internally so the signed payload and
    # the occurrence cannot refer to different forms of the URL.
    payload = binauthz_command_util.MakeSignaturePayload(args.artifact_url)

    key_name = keyversion_ref.RelativeName()
    kms_client = kms.Client()
    public_key = kms_client.GetPublicKey(key_name)
    # The digest type is derived from the key's own algorithm rather than
    # chosen by the caller.
    digest_type = kms.GetAlgorithmDigestType(public_key.algorithm)
    sign_response = kms_client.AsymmetricSign(key_name, digest_type, payload)

    validation_callback = None
    if validation_enabled:
      validation_callback = functools.partial(
          validation.validate_attestation,
          attestor_ref=attestor_ref,
          api_version=binauthz_api_version)

    ca_client = containeranalysis.Client(
        ca_apis.GetApiVersion(self.ReleaseTrack()))
    return ca_client.CreateAttestationOccurrence(
        project_ref=project_ref,
        note_ref=note_ref,
        artifact_url=artifact_url,
        public_key_id=key_id,
        signature=sign_response.signature,
        plaintext=payload,
        validation_callback=validation_callback,
    )
    def Run(self, args):
        """Adds a public key to an attestor.

        Exactly one key source is consumed, in this order of precedence: a
        Cloud KMS key version (--keyversion), a PKIX public key file, or, as
        the fallback branch, a PGP public key file.

        Args:
          args: Parsed command-line arguments. Reads the attestor and
            keyversion concepts, keyversion, pkix_public_key_file,
            pkix_public_key_algorithm, pgp_public_key_file,
            public_key_id_override and comment.

        Returns:
          The result of attestors.Client.AddPkixKey or AddPgpKey.

        Raises:
          exceptions.InvalidArgumentError: if --public-key-id-override is
            combined with a PGP key file.
        """
        api_version = apis.GetApiVersion(self.ReleaseTrack())
        client = attestors.Client(api_version)
        attestor_ref = args.CONCEPTS.attestor.Parse()

        # Reject the conflicting flag combination before any key material is
        # fetched or uploaded.
        if args.pgp_public_key_file and args.public_key_id_override:
            raise exceptions.InvalidArgumentError(
                '--public-key-id-override may not be used with old-style PGP keys'
            )

        if args.keyversion:
            # The PEM is fetched from KMS itself, so the attestor stores the
            # key material KMS reports for that key version.
            keyversion_ref = args.CONCEPTS.keyversion.Parse()
            kms_key = kms.Client().GetPublicKey(keyversion_ref.RelativeName())
            sig_algorithm = client.ConvertFromKmsSignatureAlgorithm(
                kms_key.algorithm)
            key_id = args.public_key_id_override or kms.GetKeyUri(keyversion_ref)
            return client.AddPkixKey(
                attestor_ref,
                pkix_pubkey_content=kms_key.pem,
                pkix_sig_algorithm=sig_algorithm,
                id_override=key_id,
                comment=args.comment)

        if args.pkix_public_key_file:
            # The signature algorithm is taken from the user's choice, not
            # derived from the key file.
            alg_mapper = pkix.GetAlgorithmMapper(api_version)
            sig_algorithm = alg_mapper.GetEnumForChoice(
                args.pkix_public_key_algorithm)
            return client.AddPkixKey(
                attestor_ref,
                pkix_pubkey_content=args.pkix_public_key_file,
                pkix_sig_algorithm=sig_algorithm,
                id_override=args.public_key_id_override,
                comment=args.comment)

        # TODO(b/71700164): Validate the contents of the public key file.
        # NOTE(review): the PGP key file is passed through with no client-side
        # parsing here; a malformed key is presumably only rejected server-side.
        return client.AddPgpKey(
            attestor_ref,
            pgp_pubkey_content=args.pgp_public_key_file,
            comment=args.comment)