    def Run(self, args):
        """Create a PGP-keyed attestation occurrence for an artifact.

        Args:
          args: Parsed command arguments. Reads ``artifact_url``,
            ``signature_file``, ``pgp_key_fingerprint`` and the ``attestor``
            resource concept.

        Returns:
          Whatever ``ContainerAnalysisClient.CreateAttestationOccurrence``
          returns for the new occurrence.
        """
        # The occurrence is created in the active gcloud project.
        project = resources.REGISTRY.Parse(
            properties.VALUES.core.project.Get(required=True),
            collection='cloudresourcemanager.projects',
        )
        artifact_url = binauthz_command_util.NormalizeArtifactUrl(
            args.artifact_url)
        # The signature is read as text (binary=False), unlike the PKIX
        # variants of this command which read it as bytes.
        sig = console_io.ReadFromFileOrStdin(args.signature_file, binary=False)

        # Resolve the attestor, then the Container Analysis note it owns.
        attestor_ref = args.CONCEPTS.attestor.Parse()
        track_version = apis.GetApiVersion(self.ReleaseTrack())
        attestor = authorities.Client(track_version).Get(attestor_ref)
        # TODO(b/79709480): Add other types of attestors if/when supported.
        note = resources.REGISTRY.ParseResourceId(
            'containeranalysis.projects.notes',
            attestor.userOwnedDrydockNote.noteReference, {})

        # The fingerprint is recorded exactly as given on the command line;
        # nothing in this command checks that it matches the key behind ``sig``.
        occurrence = dict(
            project_ref=project,
            note_ref=note,
            artifact_url=artifact_url,
            pgp_key_fingerprint=args.pgp_key_fingerprint,
            signature=sig,
        )
        ca_client = binauthz_api_util.ContainerAnalysisClient()
        return ca_client.CreateAttestationOccurrence(**occurrence)
  def Run(self, args):
    """List attestations on a note, optionally restricted to one artifact.

    Args:
      args: Parsed command arguments. ``artifact_url`` is optional; the note
        is taken from the ``attestation_authority_note`` concept or, failing
        that, looked up through the ``attestation_authority`` concept.

    Returns:
      The iterable from ``YieldPgpKeyFingerprintsAndSignatures`` when an
      artifact URL was given, otherwise the one from
      ``YieldUrlsWithOccurrences``.
    """
    artifact_url = (
        binauthz_command_util.NormalizeArtifactUrl(args.artifact_url)
        if args.artifact_url else None)

    note_ref = args.CONCEPTS.attestation_authority_note.Parse()
    if note_ref is None:
      # No note named directly: fetch the authority and use the note it owns.
      authority_ref = args.CONCEPTS.attestation_authority.Parse()
      track_version = apis.GetApiVersion(self.ReleaseTrack())
      authority = authorities.Client(track_version).Get(authority_ref)
      # TODO(b/79709480): Add other types of authorities if/when supported.
      note_ref = resources.REGISTRY.ParseResourceId(
          'containeranalysis.projects.notes',
          authority.userOwnedDrydockNote.noteReference, {})

    ca_client = binauthz_api_util.ContainerAnalysisClient()
    if not artifact_url:
      return ca_client.YieldUrlsWithOccurrences(note_ref)
    return ca_client.YieldPgpKeyFingerprintsAndSignatures(
        note_ref=note_ref,
        artifact_url=artifact_url,
    )
  def Run(self, args):
    """Create a generic (PKIX) attestation occurrence from a signature file.

    Args:
      args: Parsed command arguments. Reads ``artifact_url``,
        ``signature_file``, ``public_key_id``, the optional ``payload_file``
        and the ``attestor`` resource concept.

    Returns:
      Whatever ``CreateGenericAttestationOccurrence`` returns.
    """
    project_ref = resources.REGISTRY.Parse(
        properties.VALUES.core.project.Get(required=True),
        collection='cloudresourcemanager.projects',
    )
    artifact_url = binauthz_command_util.NormalizeArtifactUrl(
        args.artifact_url)
    signature = console_io.ReadFromFileOrStdin(args.signature_file, binary=True)
    # A caller-supplied payload is used byte-for-byte; nothing in this command
    # checks that it refers to ``artifact_url`` or that ``signature`` verifies
    # against it. Otherwise the payload is derived from the normalized URL.
    if args.payload_file:
      payload = files.ReadBinaryFileContents(args.payload_file)
    else:
      payload = binauthz_command_util.MakeSignaturePayload(artifact_url)

    attestor_ref = args.CONCEPTS.attestor.Parse()
    track_version = apis.GetApiVersion(self.ReleaseTrack())
    attestor = attestors.Client(track_version).Get(attestor_ref)
    # TODO(b/79709480): Add other types of attestors if/when supported.
    note_ref = resources.REGISTRY.ParseResourceId(
        'containeranalysis.projects.notes',
        attestor.userOwnedDrydockNote.noteReference, {})

    occurrence = dict(
        project_ref=project_ref,
        note_ref=note_ref,
        artifact_url=artifact_url,
        public_key_id=args.public_key_id,
        signature=signature,
        plaintext=payload,
    )
    return containeranalysis.Client().CreateGenericAttestationOccurrence(
        **occurrence)
    def Run(self, args):
        """Create an attestor bound to an existing Container Analysis note.

        Args:
          args: Parsed command arguments; reads the ``attestor`` and
            ``attestation_authority_note`` resource concepts and
            ``description``.

        Returns:
          The attestor returned by ``attestors.Client.Create``.
        """
        new_attestor = args.CONCEPTS.attestor.Parse()
        backing_note = args.CONCEPTS.attestation_authority_note.Parse()
        client = attestors.Client(apis.GetApiVersion(self.ReleaseTrack()))
        return client.Create(
            new_attestor, backing_note, description=args.description)
    def Run(self, args):
        """Disable continuous-validation enforcement for the current project.

        Args:
          args: Parsed command arguments (unused; the target is the project's
            continuous-validation config).

        Returns:
          The config returned by ``continuous_validation.Client.Set``.
        """
        cv_client = continuous_validation.Client(
            apis.GetApiVersion(self.ReleaseTrack()))
        config = cv_client.Get(util.GetCvConfigRef())
        # Only the enforcement flag is touched; every other field is written
        # back exactly as it was read.
        # NOTE(review): read-modify-write with no visible etag or precondition;
        # confirm the client guards against overwriting a concurrent edit.
        config.enforcementPolicyConfig.enabled = False
        return cv_client.Set(util.GetCvConfigRef(), config)
    def Run(self, args):
        """Remove a public key from an attestor.

        Args:
          args: Parsed command arguments; reads the ``attestor`` concept and
            ``public_key_id``.

        Returns:
          None; the result of ``RemoveKey`` is discarded.
        """
        client = attestors.Client(apis.GetApiVersion(self.ReleaseTrack()))
        target = args.CONCEPTS.attestor.Parse()
        # There is no confirmation prompt before the key is removed.
        client.RemoveKey(target, pubkey_id=args.public_key_id)
  def Run(self, args):
    """Sign an artifact with a Cloud KMS key and upload the attestation.

    Args:
      args: Parsed command arguments. Reads ``artifact_url``, the
        ``attestor`` and ``keyversion`` concepts, the optional
        ``public_key_id_override`` and, when present, ``validate``.

    Returns:
      Whatever ``containeranalysis.Client.CreateAttestationOccurrence``
      returns. When validation is off and the key is not registered on the
      attestor, the user is prompted and may cancel.
    """
    project_ref = resources.REGISTRY.Parse(
        properties.VALUES.core.project.Get(required=True),
        collection='cloudresourcemanager.projects',
    )
    artifact_url = binauthz_command_util.NormalizeArtifactUrl(
        args.artifact_url)

    attestor_ref = args.CONCEPTS.attestor.Parse()
    key_ref = args.CONCEPTS.keyversion.Parse()

    # NOTE: This will hit the alpha Binauthz API until we promote this command
    # to the beta surface or hardcode it e.g. to Beta.
    api_version = apis.GetApiVersion(self.ReleaseTrack())
    attestor = attestors.Client(api_version).Get(attestor_ref)
    # TODO(b/79709480): Add other types of attestors if/when supported.
    note_ref = resources.REGISTRY.ParseResourceId(
        'containeranalysis.projects.notes',
        attestor.userOwnedDrydockNote.noteReference, {})

    # The override is recorded on the occurrence as-is; it is not checked
    # against the KMS key that actually signs below.
    key_id = args.public_key_id_override or kms.GetKeyUri(key_ref)

    # TODO(b/138719072): Remove when validation is on by default
    validation_enabled = 'validate' in args and args.validate
    if not validation_enabled:
      # Without the validation callback the only guard is this local check
      # that the key is registered on the attestor, and the user may override
      # it at the prompt.
      registered_ids = set(
          pubkey.id for pubkey in attestor.userOwnedDrydockNote.publicKeys)
      if key_id not in registered_ids:
        log.warning('No public key with ID [%s] found on attestor [%s]', key_id,
                    attestor.name)
        console_io.PromptContinue(
            prompt_string='Create and upload Attestation anyway?',
            cancel_on_no=True)

    # NOTE(review): the payload is built from the raw ``args.artifact_url``
    # while the occurrence below records the normalized form; the sibling
    # create commands build it from the normalized URL. Confirm that
    # MakeSignaturePayload normalizes internally, otherwise the signed payload
    # and the recorded resource URL can disagree.
    payload = binauthz_command_util.MakeSignaturePayload(args.artifact_url)

    kms_client = kms.Client()
    pubkey_response = kms_client.GetPublicKey(key_ref.RelativeName())
    # Digest type is chosen from the key's own algorithm, not from user input.
    sign_response = kms_client.AsymmetricSign(
        key_ref.RelativeName(),
        kms.GetAlgorithmDigestType(pubkey_response.algorithm), payload)

    validation_callback = functools.partial(
        validation.validate_attestation,
        attestor_ref=attestor_ref,
        api_version=api_version)
    callback = validation_callback if validation_enabled else None

    ca_client = containeranalysis.Client(
        ca_apis.GetApiVersion(self.ReleaseTrack()))
    return ca_client.CreateAttestationOccurrence(
        project_ref=project_ref,
        note_ref=note_ref,
        artifact_url=artifact_url,
        public_key_id=key_id,
        signature=sign_response.signature,
        plaintext=payload,
        validation_callback=callback,
    )
    def Run(self, args):
        """Add a public key (file contents) to an attestor.

        Args:
          args: Parsed command arguments; reads the ``attestor`` concept,
            ``public_key_file`` and ``comment``.

        Returns:
          The result of ``attestors.Client.AddKey``.
        """
        client = attestors.Client(apis.GetApiVersion(self.ReleaseTrack()))
        target = args.CONCEPTS.attestor.Parse()

        # TODO(b/71700164): Validate the contents of the public key file.
        # Until then the key material is sent to the API exactly as read.
        return client.AddKey(target, args.public_key_file, args.comment)
    def Run(self, args):
        """Replace the IAM policy on the project's Binary Authorization policy.

        Args:
          args: Parsed command arguments; ``policy_file`` is a YAML or JSON
            IAM policy document.

        Returns:
          The policy returned by ``iam.Client.Set``.
        """
        track_version = apis.GetApiVersion(self.ReleaseTrack())
        iam_client = iam.Client(track_version)
        policy_ref = util.GetPolicyRef()

        # The file is parsed into the API's IamPolicy message; the second
        # element of the returned tuple is not used by this command.
        new_policy, _ = iam_util.ParseYamlOrJsonPolicyFile(
            args.policy_file, iam_client.messages.IamPolicy)

        # Set first, then log: an API failure raises before the success line
        # is printed.
        updated = iam_client.Set(policy_ref, new_policy)
        iam_util.LogSetIamPolicy(policy_ref.Name(), 'policy')
        return updated
 def Run(self, args):
   """Fetch the project's Binary Authorization policy.

   Args:
     args: Parsed command arguments (unused; the policy ref is derived from
       the active project).

   Returns:
     The policy returned by ``policies.Client.Get``.

   Raises:
     Error: if the active project is the retired system-policy project.
   """
   track_version = apis.GetApiVersion(self.ReleaseTrack())
   policy_ref = util.GetPolicyRef()
   # The system policy is no longer served through this project; point the
   # user at the dedicated export command instead.
   if policy_ref.Name() == OLD_SYSTEM_POLICY_PROJECT_NAME:
     raise Error(
         'The Binary Authorization system policy is no longer accessible via '
         'the binauthz-global-policy project. Use the following command to '
         'display the system policy:\n'
         '    $ gcloud alpha container binauthz policy export-system-policy\n'
         'For details, see https://cloud.google.com/binary-authorization/docs/'
         'key-concepts#google-maintained_system_images.')
   return policies.Client(track_version).Get(policy_ref)
    def Run(self, args):
        """Create an attestation occurrence from a pre-made signature.

        Args:
          args: Parsed command arguments. Reads ``artifact_url``,
            ``signature_file``, ``public_key_id``, optional ``payload_file``,
            the ``attestor`` concept and, when present, ``validate``.

        Returns:
          Whatever the Container Analysis client's create call returns.
        """
        project_ref = resources.REGISTRY.Parse(
            properties.VALUES.core.project.Get(required=True),
            collection='cloudresourcemanager.projects',
        )
        artifact_url = binauthz_command_util.NormalizeArtifactUrl(
            args.artifact_url)
        signature = console_io.ReadFromFileOrStdin(args.signature_file,
                                                   binary=True)
        # A caller-supplied payload is passed through byte-for-byte and is not
        # checked against ``artifact_url`` here; the generated one is derived
        # from the normalized URL.
        if args.payload_file:
            payload = files.ReadBinaryFileContents(args.payload_file)
        else:
            payload = binauthz_command_util.MakeSignaturePayload(artifact_url)

        attestor_ref = args.CONCEPTS.attestor.Parse()
        api_version = apis.GetApiVersion(self.ReleaseTrack())
        attestor = attestors.Client(api_version).Get(attestor_ref)
        # TODO(b/79709480): Add other types of attestors if/when supported.
        note_ref = resources.REGISTRY.ParseResourceId(
            'containeranalysis.projects.notes',
            attestor.userOwnedDrydockNote.noteReference, {})

        # ``validate`` is presumably only registered on some tracks, hence the
        # membership test before reading it.
        validation_enabled = 'validate' in args and args.validate
        validation_callback = functools.partial(
            validation.validate_attestation,
            attestor_ref=attestor_ref,
            api_version=api_version)
        callback = validation_callback if validation_enabled else None

        occurrence = dict(
            project_ref=project_ref,
            note_ref=note_ref,
            artifact_url=artifact_url,
            public_key_id=args.public_key_id,
            signature=signature,
            plaintext=payload,
        )
        ca_api_version = ca_apis.GetApiVersion(self.ReleaseTrack())
        ca_client = containeranalysis.Client(ca_api_version)
        # TODO(b/138859339): Remove when remainder of surface migrated to V1 API.
        if ca_api_version == ca_apis.V1:
            return ca_client.CreateAttestationOccurrence(
                validation_callback=callback, **occurrence)
        # The generic call takes no validation hook, so ``validate`` has no
        # effect on non-V1 tracks.
        return ca_client.CreateGenericAttestationOccurrence(**occurrence)
    def Run(self, args):
        """Update the comment and/or PGP key material of an attestor's key.

        Args:
          args: Parsed command arguments; reads the ``attestor`` concept,
            ``public_key_id``, ``pgp_public_key_file``, ``comment`` and, off
            the GA track, the deprecated ``public_key_file``.

        Returns:
          The result of ``attestors.Client.UpdateKey``.
        """
        attestors_client = attestors.Client(
            apis.GetApiVersion(self.ReleaseTrack()))
        attestor_ref = args.CONCEPTS.attestor.Parse()
        # TODO(b/71700164): Validate the contents of the public key file.

        # TODO(b/133451183): Remove deprecated flag.
        # GA reads only ``pgp_public_key_file``; the other tracks still fall
        # back to the deprecated ``public_key_file``.
        pgp_pubkey = args.pgp_public_key_file
        if self.ReleaseTrack() != base.ReleaseTrack.GA:
            pgp_pubkey = pgp_pubkey or args.public_key_file
        return attestors_client.UpdateKey(
            attestor_ref,
            args.public_key_id,
            pgp_pubkey_content=pgp_pubkey,
            comment=args.comment)
  def Run(self, args):
    """List attestations on an attestor's note, optionally for one artifact.

    Args:
      args: Parsed command arguments; reads the ``attestor`` concept and the
        optional ``artifact_url``.

    Returns:
      The iterable produced by ``containeranalysis.Client.YieldAttestations``.
    """
    # ``artifact_url`` stays None when no filter was given.
    artifact_url = (
        binauthz_command_util.NormalizeArtifactUrl(args.artifact_url)
        if args.artifact_url else None)

    attestor_ref = args.CONCEPTS.attestor.Parse()
    track_version = apis.GetApiVersion(self.ReleaseTrack())
    attestor = attestors.Client(track_version).Get(attestor_ref)
    # TODO(b/79709480): Add other types of attestors if/when supported.
    note_ref = resources.REGISTRY.ParseResourceId(
        'containeranalysis.projects.notes',
        attestor.userOwnedDrydockNote.noteReference, {})

    return containeranalysis.Client().YieldAttestations(
        note_ref=note_ref, artifact_url=artifact_url)
  def Run(self, args):
    """Import a Binary Authorization policy from a YAML/JSON file.

    Args:
      args: Parsed command arguments; ``policy_file`` is the file to import.

    Returns:
      The policy returned by ``policies.Client.Set``.
    """
    api_version = apis.GetApiVersion(self.ReleaseTrack())
    messages = apis.GetMessagesModule(api_version)

    # Load the policy file into a Python object.
    policy_obj = parsing.LoadResourceFile(args.policy_file)
    if not policy_obj:
      # An empty document would be pushed as the project's policy, so make
      # sure the user meant to do this before continuing.
      log.warning('Empty Policy provided!')
      console_io.PromptContinue(
          prompt_string='Do you want to import an empty policy?',
          cancel_on_no=True)
      # NOTE: This is necessary because apitools falls over when you provide it
      # with None and that's what the yaml returns when passed an empty string.
      policy_obj = {}

    # Decode the dict into a Policy message, allowing DecodeErrors to bubble up
    # to the user if they are raised (presumably this is what rejects unknown
    # fields instead of dropping them — confirm against the helper).
    policy = encoding.DictToMessageWithErrorCheck(policy_obj, messages.Policy)

    return policies.Client(api_version).Set(util.GetPolicyRef(), policy)
    def Run(self, args):
        """Add a public key to an attestor (KMS-backed PKIX, PKIX file or PGP).

        Args:
          args: Parsed command arguments. One key source is used, in this
            priority: the ``keyversion`` concept, then
            ``pkix_public_key_file``, else ``pgp_public_key_file``. Also reads
            ``comment``, ``public_key_id_override`` and
            ``pkix_public_key_algorithm``.

        Returns:
          The result of the matching ``attestors.Client.Add*Key`` call.

        Raises:
          exceptions.InvalidArgumentError: if an ID override is combined with
            a PGP key.
        """
        api_version = apis.GetApiVersion(self.ReleaseTrack())
        attestors_client = attestors.Client(api_version)
        attestor_ref = args.CONCEPTS.attestor.Parse()

        if args.pgp_public_key_file and args.public_key_id_override:
            raise exceptions.InvalidArgumentError(
                '--public-key-id-override may not be used with old-style PGP keys'
            )

        if args.keyversion:
            # Key material and algorithm are fetched from KMS; the recorded key
            # ID is the caller's override if given, else the KMS key URI.
            key_resource = args.CONCEPTS.keyversion.Parse()
            kms_key = kms.Client().GetPublicKey(key_resource.RelativeName())
            algorithm = attestors_client.ConvertFromKmsSignatureAlgorithm(
                kms_key.algorithm)
            key_id = args.public_key_id_override or kms.GetKeyUri(key_resource)
            return attestors_client.AddPkixKey(
                attestor_ref,
                pkix_pubkey_content=kms_key.pem,
                pkix_sig_algorithm=algorithm,
                id_override=key_id,
                comment=args.comment)

        if args.pkix_public_key_file:
            # Both the PEM and the algorithm are caller-supplied here; the
            # algorithm is mapped to the API enum but the PEM is not checked
            # against it in this command.
            algorithm = pkix.GetAlgorithmMapper(api_version).GetEnumForChoice(
                args.pkix_public_key_algorithm)
            return attestors_client.AddPkixKey(
                attestor_ref,
                pkix_pubkey_content=args.pkix_public_key_file,
                pkix_sig_algorithm=algorithm,
                id_override=args.public_key_id_override,
                comment=args.comment)

        # TODO(b/71700164): Validate the contents of the public key file.
        return attestors_client.AddPgpKey(
            attestor_ref,
            pgp_pubkey_content=args.pgp_public_key_file,
            comment=args.comment)
 def Run(self, args):
     """Fetch the Binary Authorization system policy for a location.

     Args:
       args: Parsed command arguments; ``location`` selects which system
         policy to read.

     Returns:
       The policy returned by ``system_policy.Client.Get``.
     """
     track_version = apis.GetApiVersion(self.ReleaseTrack())
     policy_ref = util.GetSystemPolicyRef(args.location)
     return system_policy.Client(track_version).Get(policy_ref)
 def Run(self, args):
     """Remove one IAM binding from the project's Binary Authorization policy.

     Args:
       args: Parsed command arguments; ``member`` and ``role`` identify the
         binding to drop.

     Returns:
       The updated IAM policy returned by ``iam.Client.RemoveBinding``.
     """
     track_version = apis.GetApiVersion(self.ReleaseTrack())
     policy_ref = util.GetPolicyRef()
     iam_client = iam.Client(track_version)
     return iam_client.RemoveBinding(policy_ref, args.member, args.role)
 def Run(self, args):
   """List the attestors in the active project.

   Args:
     args: Parsed command arguments (unused).

   Returns:
     The result of ``attestors.Client.List`` for the project.
   """
   client = attestors.Client(apis.GetApiVersion(self.ReleaseTrack()))
   return client.List(util.GetProjectRef())
 def Run(self, args):
     """Remove one IAM binding from an attestor.

     Args:
       args: Parsed command arguments; reads the ``attestor`` concept plus
         ``member`` and ``role``.

     Returns:
       The updated IAM policy returned by ``iam.Client.RemoveBinding``.
     """
     target = args.CONCEPTS.attestor.Parse()
     iam_client = iam.Client(apis.GetApiVersion(self.ReleaseTrack()))
     return iam_client.RemoveBinding(target, args.member, args.role)
 def Run(self, args):
     """Fetch the IAM policy of the project's Binary Authorization policy.

     Args:
       args: Parsed command arguments (unused).

     Returns:
       The IAM policy returned by ``iam.Client.Get``.
     """
     iam_client = iam.Client(apis.GetApiVersion(self.ReleaseTrack()))
     return iam_client.Get(util.GetPolicyRef())
 def Run(self, args):
     """Fetch the project's continuous-validation config.

     Args:
       args: Parsed command arguments (unused).

     Returns:
       The config as post-processed by ``EnsureEnabledFalseIsShown``.
     """
     track_version = apis.GetApiVersion(self.ReleaseTrack())
     cv_client = continuous_validation.Client(track_version)
     config = cv_client.Get(util.GetCvConfigRef())
     # The helper's name suggests it makes an ``enabled: false`` explicit in
     # the output rather than leaving it absent — confirm against the helper.
     return continuous_validation.EnsureEnabledFalseIsShown(config)
 def Run(self, args):
   """Describe a single attestor.

   Args:
     args: Parsed command arguments; reads the ``attestor`` concept.

   Returns:
     The attestor returned by ``attestors.Client.Get``.
   """
   target = args.CONCEPTS.attestor.Parse()
   client = attestors.Client(apis.GetApiVersion(self.ReleaseTrack()))
   return client.Get(target)