def Run(self, args):
  """Create a PGP-signed attestation occurrence for a container artifact.

  Args:
    args: Parsed command-line arguments. Reads artifact_url, signature_file,
      pgp_key_fingerprint and the `attestor` resource concept.

  Returns:
    Whatever ContainerAnalysisClient.CreateAttestationOccurrence returns.
  """
  project_id = properties.VALUES.core.project.Get(required=True)
  project_ref = resources.REGISTRY.Parse(
      project_id, collection='cloudresourcemanager.projects')
  artifact_url = binauthz_command_util.NormalizeArtifactUrl(args.artifact_url)
  # The PGP signature is consumed as text (binary=False); it may also come
  # from stdin.
  pgp_signature = console_io.ReadFromFileOrStdin(
      args.signature_file, binary=False)

  attestor_ref = args.CONCEPTS.attestor.Parse()
  release_api_version = apis.GetApiVersion(self.ReleaseTrack())
  attestor = authorities.Client(release_api_version).Get(attestor_ref)
  # TODO(b/79709480): Add other types of attestors if/when supported.
  note_ref = resources.REGISTRY.ParseResourceId(
      'containeranalysis.projects.notes',
      attestor.userOwnedDrydockNote.noteReference, {})

  ca_client = binauthz_api_util.ContainerAnalysisClient()
  return ca_client.CreateAttestationOccurrence(
      project_ref=project_ref,
      note_ref=note_ref,
      artifact_url=artifact_url,
      pgp_key_fingerprint=args.pgp_key_fingerprint,
      signature=pgp_signature,
  )
def Run(self, args):
  """List attestations attached to a note, optionally for one artifact.

  Args:
    args: Parsed command-line arguments. Reads the optional artifact_url and
      the `attestation_authority_note` concept; falls back to resolving the
      note through the `attestation_authority` concept.

  Returns:
    The result of YieldPgpKeyFingerprintsAndSignatures when an artifact URL
    was supplied, otherwise the result of YieldUrlsWithOccurrences.
  """
  artifact_url = None
  if args.artifact_url:
    artifact_url = binauthz_command_util.NormalizeArtifactUrl(
        args.artifact_url)

  note_ref = args.CONCEPTS.attestation_authority_note.Parse()
  if note_ref is None:
    # No note was named directly; look it up via the attestation authority.
    authority_ref = args.CONCEPTS.attestation_authority.Parse()
    release_api_version = apis.GetApiVersion(self.ReleaseTrack())
    authority = authorities.Client(release_api_version).Get(authority_ref)
    # TODO(b/79709480): Add other types of authorities if/when supported.
    note_ref = resources.REGISTRY.ParseResourceId(
        'containeranalysis.projects.notes',
        authority.userOwnedDrydockNote.noteReference, {})

  ca_client = binauthz_api_util.ContainerAnalysisClient()
  if not artifact_url:
    return ca_client.YieldUrlsWithOccurrences(note_ref)
  return ca_client.YieldPgpKeyFingerprintsAndSignatures(
      note_ref=note_ref,
      artifact_url=artifact_url,
  )
def Run(self, args):
  """Create a generic (non-PGP) attestation occurrence from a signature file.

  Args:
    args: Parsed command-line arguments. Reads artifact_url, signature_file,
      optional payload_file, public_key_id and the `attestor` concept.

  Returns:
    Whatever containeranalysis.Client().CreateGenericAttestationOccurrence
    returns.
  """
  project_id = properties.VALUES.core.project.Get(required=True)
  project_ref = resources.REGISTRY.Parse(
      project_id, collection='cloudresourcemanager.projects')
  artifact_url = binauthz_command_util.NormalizeArtifactUrl(args.artifact_url)
  signature_bytes = console_io.ReadFromFileOrStdin(
      args.signature_file, binary=True)

  if args.payload_file:
    # A caller-supplied payload is taken verbatim; nothing here checks that
    # it actually refers to args.artifact_url.
    payload = files.ReadBinaryFileContents(args.payload_file)
  else:
    payload = binauthz_command_util.MakeSignaturePayload(artifact_url)

  attestor_ref = args.CONCEPTS.attestor.Parse()
  release_api_version = apis.GetApiVersion(self.ReleaseTrack())
  attestor = attestors.Client(release_api_version).Get(attestor_ref)
  # TODO(b/79709480): Add other types of attestors if/when supported.
  note_ref = resources.REGISTRY.ParseResourceId(
      'containeranalysis.projects.notes',
      attestor.userOwnedDrydockNote.noteReference, {})

  ca_client = containeranalysis.Client()
  return ca_client.CreateGenericAttestationOccurrence(
      project_ref=project_ref,
      note_ref=note_ref,
      artifact_url=artifact_url,
      public_key_id=args.public_key_id,
      signature=signature_bytes,
      plaintext=payload,
  )
def Run(self, args):
  """Create an attestor backed by an existing Container Analysis note.

  Args:
    args: Parsed command-line arguments. Reads the `attestor` and
      `attestation_authority_note` concepts and the optional description.

  Returns:
    Whatever attestors.Client.Create returns.
  """
  release_api_version = apis.GetApiVersion(self.ReleaseTrack())
  attestor_ref = args.CONCEPTS.attestor.Parse()
  note_ref = args.CONCEPTS.attestation_authority_note.Parse()
  attestors_client = attestors.Client(release_api_version)
  return attestors_client.Create(
      attestor_ref, note_ref, description=args.description)
def Run(self, args):
  """Disable continuous-validation enforcement for the current project.

  Fetches the continuous validation config, clears
  enforcementPolicyConfig.enabled and writes the config back. No other field
  of the config is touched.

  Args:
    args: Parsed command-line arguments (unused beyond the release track).

  Returns:
    Whatever continuous_validation.Client.Set returns.
  """
  cv_client = continuous_validation.Client(
      apis.GetApiVersion(self.ReleaseTrack()))
  cv_config_ref = util.GetCvConfigRef()
  cv_config = cv_client.Get(cv_config_ref)
  # Turning enforcement off is the whole effect of this command; the
  # read-modify-write keeps every other setting as the server returned it.
  cv_config.enforcementPolicyConfig.enabled = False
  return cv_client.Set(util.GetCvConfigRef(), cv_config)
def Run(self, args):
  """Remove a public key from an attestor.

  Args:
    args: Parsed command-line arguments. Reads the `attestor` concept and
      public_key_id.

  Returns:
    None; the removal result from attestors.Client.RemoveKey is not
    propagated.
  """
  attestor_ref = args.CONCEPTS.attestor.Parse()
  attestors_client = attestors.Client(
      apis.GetApiVersion(self.ReleaseTrack()))
  attestors_client.RemoveKey(attestor_ref, pubkey_id=args.public_key_id)
def Run(self, args):
  """Sign an artifact with a Cloud KMS key and upload the attestation.

  Args:
    args: Parsed command-line arguments. Reads artifact_url, the `attestor`
      and `keyversion` concepts, optional public_key_id_override, and the
      optional `validate` flag.

  Returns:
    Whatever containeranalysis.Client.CreateAttestationOccurrence returns.
  """
  project_id = properties.VALUES.core.project.Get(required=True)
  project_ref = resources.REGISTRY.Parse(
      project_id, collection='cloudresourcemanager.projects')
  artifact_url = binauthz_command_util.NormalizeArtifactUrl(args.artifact_url)
  attestor_ref = args.CONCEPTS.attestor.Parse()
  key_ref = args.CONCEPTS.keyversion.Parse()

  # NOTE: This will hit the alpha Binauthz API until we promote this command
  # to the beta surface or hardcode it e.g. to Beta.
  release_api_version = apis.GetApiVersion(self.ReleaseTrack())
  attestor = attestors.Client(release_api_version).Get(attestor_ref)
  # TODO(b/79709480): Add other types of attestors if/when supported.
  note_ref = resources.REGISTRY.ParseResourceId(
      'containeranalysis.projects.notes',
      attestor.userOwnedDrydockNote.noteReference, {})

  key_id = args.public_key_id_override or kms.GetKeyUri(key_ref)
  # TODO(b/138719072): Remove when validation is on by default
  validation_enabled = 'validate' in args and args.validate
  if not validation_enabled:
    # Without server-side validation, only warn (and ask) when the key is not
    # registered on the attestor; the upload still proceeds on confirmation.
    registered_key_ids = {
        pubkey.id for pubkey in attestor.userOwnedDrydockNote.publicKeys}
    if key_id not in registered_key_ids:
      log.warning('No public key with ID [%s] found on attestor [%s]',
                  key_id, attestor.name)
      console_io.PromptContinue(
          prompt_string='Create and upload Attestation anyway?',
          cancel_on_no=True)

  # NOTE(review): the payload is built from the raw args.artifact_url while
  # the occurrence below records the normalized URL — confirm that
  # MakeSignaturePayload normalizes internally, otherwise the signed payload
  # and the recorded artifact URL could differ.
  payload = binauthz_command_util.MakeSignaturePayload(args.artifact_url)
  kms_client = kms.Client()
  key_name = key_ref.RelativeName()
  pubkey_response = kms_client.GetPublicKey(key_name)
  sign_response = kms_client.AsymmetricSign(
      key_name,
      kms.GetAlgorithmDigestType(pubkey_response.algorithm),
      payload)

  validation_callback = functools.partial(
      validation.validate_attestation,
      attestor_ref=attestor_ref,
      api_version=release_api_version)
  ca_client = containeranalysis.Client(
      ca_apis.GetApiVersion(self.ReleaseTrack()))
  return ca_client.CreateAttestationOccurrence(
      project_ref=project_ref,
      note_ref=note_ref,
      artifact_url=artifact_url,
      public_key_id=key_id,
      signature=sign_response.signature,
      plaintext=payload,
      validation_callback=validation_callback if validation_enabled else None,
  )
def Run(self, args):
  """Add a public key (read from a file) to an attestor.

  Args:
    args: Parsed command-line arguments. Reads the `attestor` concept,
      public_key_file and comment.

  Returns:
    Whatever attestors.Client.AddKey returns.
  """
  attestor_ref = args.CONCEPTS.attestor.Parse()
  attestors_client = attestors.Client(
      apis.GetApiVersion(self.ReleaseTrack()))
  # TODO(b/71700164): Validate the contents of the public key file.
  # The file contents are forwarded as-is; no parsing happens here.
  return attestors_client.AddKey(
      attestor_ref, args.public_key_file, args.comment)
def Run(self, args):
  """Replace the IAM policy on the project's Binary Authorization policy.

  Args:
    args: Parsed command-line arguments. Reads policy_file, a YAML or JSON
      file holding an IamPolicy.

  Returns:
    Whatever iam.Client.Set returns (the policy as stored).
  """
  iam_client = iam.Client(apis.GetApiVersion(self.ReleaseTrack()))
  policy_ref = util.GetPolicyRef()
  # The second tuple element (update mask) is not needed for a full Set.
  iam_policy, _ = iam_util.ParseYamlOrJsonPolicyFile(
      args.policy_file, iam_client.messages.IamPolicy)
  set_result = iam_client.Set(policy_ref, iam_policy)
  iam_util.LogSetIamPolicy(policy_ref.Name(), 'policy')
  return set_result
def Run(self, args):
  """Fetch the Binary Authorization policy for the current project.

  Args:
    args: Parsed command-line arguments (unused beyond the release track).

  Returns:
    Whatever policies.Client.Get returns.

  Raises:
    Error: if the current project is the legacy system-policy project, which
      can no longer be read through this command.
  """
  release_api_version = apis.GetApiVersion(self.ReleaseTrack())
  policy_ref = util.GetPolicyRef()
  if policy_ref.Name() == OLD_SYSTEM_POLICY_PROJECT_NAME:
    raise Error(
        'The Binary Authorization system policy is no longer accessible via '
        'the binauthz-global-policy project. Use the following command to '
        'display the system policy:\n'
        '  $ gcloud alpha container binauthz policy export-system-policy\n'
        'For details, see https://cloud.google.com/binary-authorization/docs/'
        'key-concepts#google-maintained_system_images.')
  policies_client = policies.Client(release_api_version)
  return policies_client.Get(policy_ref)
def Run(self, args):
  """Create an attestation occurrence from a pre-computed signature.

  Args:
    args: Parsed command-line arguments. Reads artifact_url, signature_file,
      optional payload_file, public_key_id, the `attestor` concept and the
      optional `validate` flag.

  Returns:
    Whatever the Container Analysis client's CreateAttestationOccurrence (V1
    API) or CreateGenericAttestationOccurrence (other versions) returns.
  """
  project_id = properties.VALUES.core.project.Get(required=True)
  project_ref = resources.REGISTRY.Parse(
      project_id, collection='cloudresourcemanager.projects')
  artifact_url = binauthz_command_util.NormalizeArtifactUrl(args.artifact_url)
  signature_bytes = console_io.ReadFromFileOrStdin(
      args.signature_file, binary=True)

  if args.payload_file:
    # A caller-supplied payload is taken verbatim; nothing here checks that
    # it actually refers to args.artifact_url.
    payload = files.ReadBinaryFileContents(args.payload_file)
  else:
    payload = binauthz_command_util.MakeSignaturePayload(artifact_url)

  attestor_ref = args.CONCEPTS.attestor.Parse()
  release_api_version = apis.GetApiVersion(self.ReleaseTrack())
  attestor = attestors.Client(release_api_version).Get(attestor_ref)
  # TODO(b/79709480): Add other types of attestors if/when supported.
  note_ref = resources.REGISTRY.ParseResourceId(
      'containeranalysis.projects.notes',
      attestor.userOwnedDrydockNote.noteReference, {})

  validation_enabled = 'validate' in args and args.validate
  validation_callback = functools.partial(
      validation.validate_attestation,
      attestor_ref=attestor_ref,
      api_version=release_api_version)

  occurrence_kwargs = dict(
      project_ref=project_ref,
      note_ref=note_ref,
      artifact_url=artifact_url,
      public_key_id=args.public_key_id,
      signature=signature_bytes,
      plaintext=payload,
  )
  ca_api_version = ca_apis.GetApiVersion(self.ReleaseTrack())
  ca_client = containeranalysis.Client(ca_api_version)
  # TODO(b/138859339): Remove when remainder of surface migrated to V1 API.
  if ca_api_version == ca_apis.V1:
    # Only the V1 path supports the post-upload validation callback.
    return ca_client.CreateAttestationOccurrence(
        validation_callback=validation_callback if validation_enabled else None,
        **occurrence_kwargs)
  return ca_client.CreateGenericAttestationOccurrence(**occurrence_kwargs)
def Run(self, args):
  """Update the PGP public key and/or comment of an existing attestor key.

  Args:
    args: Parsed command-line arguments. Reads the `attestor` concept,
      public_key_id, pgp_public_key_file, comment and — outside the GA track
      only — the deprecated public_key_file.

  Returns:
    Whatever attestors.Client.UpdateKey returns.
  """
  attestor_ref = args.CONCEPTS.attestor.Parse()
  attestors_client = attestors.Client(
      apis.GetApiVersion(self.ReleaseTrack()))
  # TODO(b/71700164): Validate the contents of the public key file.
  # TODO(b/133451183): Remove deprecated flag.
  pgp_pubkey_content = args.pgp_public_key_file
  if self.ReleaseTrack() != base.ReleaseTrack.GA:
    # Pre-GA tracks still accept the deprecated --public-key-file spelling.
    pgp_pubkey_content = pgp_pubkey_content or args.public_key_file
  return attestors_client.UpdateKey(
      attestor_ref,
      args.public_key_id,
      pgp_pubkey_content=pgp_pubkey_content,
      comment=args.comment)
def Run(self, args):
  """List attestations for an attestor, optionally for one artifact.

  Args:
    args: Parsed command-line arguments. Reads the optional artifact_url and
      the `attestor` concept.

  Returns:
    Whatever containeranalysis.Client.YieldAttestations returns.
  """
  artifact_url = None
  if args.artifact_url:
    artifact_url = binauthz_command_util.NormalizeArtifactUrl(
        args.artifact_url)

  attestor_ref = args.CONCEPTS.attestor.Parse()
  release_api_version = apis.GetApiVersion(self.ReleaseTrack())
  attestor = attestors.Client(release_api_version).Get(attestor_ref)
  # TODO(b/79709480): Add other types of attestors if/when supported.
  note_ref = resources.REGISTRY.ParseResourceId(
      'containeranalysis.projects.notes',
      attestor.userOwnedDrydockNote.noteReference, {})

  ca_client = containeranalysis.Client()
  # artifact_url stays None when no filter was requested.
  return ca_client.YieldAttestations(
      note_ref=note_ref,
      artifact_url=artifact_url,
  )
def Run(self, args):
  """Import a Binary Authorization policy from a YAML/JSON file.

  Args:
    args: Parsed command-line arguments. Reads policy_file.

  Returns:
    Whatever policies.Client.Set returns.
  """
  release_api_version = apis.GetApiVersion(self.ReleaseTrack())
  messages = apis.GetMessagesModule(release_api_version)

  # Load the policy file into a Python object.
  policy_dict = parsing.LoadResourceFile(args.policy_file)
  if not policy_dict:
    # NOTE: This is necessary because apitools falls over when you provide it
    # with None and that's what the yaml returns when passed an empty string.
    policy_dict = {}
    # An empty policy is a significant change; make sure the user meant it.
    log.warning('Empty Policy provided!')
    console_io.PromptContinue(
        prompt_string='Do you want to import an empty policy?',
        cancel_on_no=True)

  # Decode the dict into a Policy message, allowing DecodeErrors to bubble up
  # to the user if they are raised.
  policy_message = encoding.DictToMessageWithErrorCheck(
      policy_dict, messages.Policy)
  policies_client = policies.Client(release_api_version)
  return policies_client.Set(util.GetPolicyRef(), policy_message)
def Run(self, args):
  """Add a public key to an attestor from KMS, a PKIX file, or a PGP file.

  Key sources are tried in this order: a KMS `keyversion` concept, then
  pkix_public_key_file, then pgp_public_key_file.

  Args:
    args: Parsed command-line arguments. Reads the `attestor` concept,
      keyversion, pkix_public_key_file, pkix_public_key_algorithm,
      pgp_public_key_file, public_key_id_override and comment.

  Returns:
    Whatever attestors.Client.AddPkixKey or AddPgpKey returns.

  Raises:
    exceptions.InvalidArgumentError: if --public-key-id-override is combined
      with a PGP key file.
  """
  release_api_version = apis.GetApiVersion(self.ReleaseTrack())
  attestors_client = attestors.Client(release_api_version)
  attestor_ref = args.CONCEPTS.attestor.Parse()

  if args.pgp_public_key_file and args.public_key_id_override:
    raise exceptions.InvalidArgumentError(
        '--public-key-id-override may not be used with old-style PGP keys'
    )

  if args.keyversion:
    # Pull the PEM and algorithm straight from Cloud KMS rather than
    # trusting a local copy of the key material.
    kms_key_ref = args.CONCEPTS.keyversion.Parse()
    kms_public_key = kms.Client().GetPublicKey(kms_key_ref.RelativeName())
    kms_key_id = args.public_key_id_override or kms.GetKeyUri(kms_key_ref)
    return attestors_client.AddPkixKey(
        attestor_ref,
        pkix_pubkey_content=kms_public_key.pem,
        pkix_sig_algorithm=attestors_client.ConvertFromKmsSignatureAlgorithm(
            kms_public_key.algorithm),
        id_override=kms_key_id,
        comment=args.comment)

  if args.pkix_public_key_file:
    algorithm_mapper = pkix.GetAlgorithmMapper(release_api_version)
    return attestors_client.AddPkixKey(
        attestor_ref,
        pkix_pubkey_content=args.pkix_public_key_file,
        pkix_sig_algorithm=algorithm_mapper.GetEnumForChoice(
            args.pkix_public_key_algorithm),
        id_override=args.public_key_id_override,
        comment=args.comment)

  # TODO(b/71700164): Validate the contents of the public key file.
  return attestors_client.AddPgpKey(
      attestor_ref,
      pgp_pubkey_content=args.pgp_public_key_file,
      comment=args.comment)
def Run(self, args):
  """Fetch the Google-maintained system policy for a location.

  Args:
    args: Parsed command-line arguments. Reads location.

  Returns:
    Whatever system_policy.Client.Get returns.
  """
  system_policy_ref = util.GetSystemPolicyRef(args.location)
  system_policy_client = system_policy.Client(
      apis.GetApiVersion(self.ReleaseTrack()))
  return system_policy_client.Get(system_policy_ref)
def Run(self, args):
  """Remove an IAM binding from the project's Binary Authorization policy.

  Args:
    args: Parsed command-line arguments. Reads member and role.

  Returns:
    Whatever iam.Client.RemoveBinding returns.
  """
  iam_client = iam.Client(apis.GetApiVersion(self.ReleaseTrack()))
  policy_ref = util.GetPolicyRef()
  return iam_client.RemoveBinding(policy_ref, args.member, args.role)
def Run(self, args):
  """List the attestors in the current project.

  Args:
    args: Parsed command-line arguments (unused beyond the release track).

  Returns:
    Whatever attestors.Client.List returns.
  """
  attestors_client = attestors.Client(
      apis.GetApiVersion(self.ReleaseTrack()))
  project_ref = util.GetProjectRef()
  return attestors_client.List(project_ref)
def Run(self, args):
  """Remove an IAM binding from an attestor.

  Args:
    args: Parsed command-line arguments. Reads the `attestor` concept, member
      and role.

  Returns:
    Whatever iam.Client.RemoveBinding returns.
  """
  attestor_ref = args.CONCEPTS.attestor.Parse()
  iam_client = iam.Client(apis.GetApiVersion(self.ReleaseTrack()))
  return iam_client.RemoveBinding(attestor_ref, args.member, args.role)
def Run(self, args):
  """Fetch the IAM policy on the project's Binary Authorization policy.

  Args:
    args: Parsed command-line arguments (unused beyond the release track).

  Returns:
    Whatever iam.Client.Get returns.
  """
  policy_ref = util.GetPolicyRef()
  iam_client = iam.Client(apis.GetApiVersion(self.ReleaseTrack()))
  return iam_client.Get(policy_ref)
def Run(self, args):
  """Fetch the continuous validation config, with enabled=False made visible.

  Args:
    args: Parsed command-line arguments (unused beyond the release track).

  Returns:
    The result of continuous_validation.EnsureEnabledFalseIsShown applied to
    the fetched config.
  """
  cv_client = continuous_validation.Client(
      apis.GetApiVersion(self.ReleaseTrack()))
  cv_config = cv_client.Get(util.GetCvConfigRef())
  # A disabled config would otherwise omit the false flag in output.
  return continuous_validation.EnsureEnabledFalseIsShown(cv_config)
def Run(self, args):
  """Fetch a single attestor.

  Args:
    args: Parsed command-line arguments. Reads the `attestor` concept.

  Returns:
    Whatever attestors.Client.Get returns.
  """
  attestor_ref = args.CONCEPTS.attestor.Parse()
  attestors_client = attestors.Client(
      apis.GetApiVersion(self.ReleaseTrack()))
  return attestors_client.Get(attestor_ref)