fix: Passing kms provider options down to initialisation of functiona…

…ries (#292) * passing kms provider options down to initialisation of functionaries --------- Signed-off-by: chaosinthecrd <[email protected]>
in-toto · Aug 12, 2024 · 604063f · 604063f
1 parent cb17ebf
commit 604063f
Show file tree

Hide file tree

Showing 6 changed files with 59 additions and 12 deletions.
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -43,4 +43,4 @@ jobs:
         with:
           version: latest
           args: --timeout=3m
-          skip-pkg-cache: true
+          skip-cache: true
diff --git a/attestation/policyverify/policyverify.go b/attestation/policyverify/policyverify.go
@@ -27,6 +27,7 @@ import (
 	ipolicy "github.com/in-toto/go-witness/internal/policy"
 	"github.com/in-toto/go-witness/log"
 	"github.com/in-toto/go-witness/policy"
+	"github.com/in-toto/go-witness/signer"
 	"github.com/in-toto/go-witness/slsa"
 	"github.com/in-toto/go-witness/source"
 	"github.com/in-toto/go-witness/timestamp"
@@ -54,10 +55,11 @@ type Attestor struct {
 	*ipolicy.VerifyPolicySignatureOptions
 	slsa.VerificationSummary
 
-	stepResults      map[string]policy.StepResult
-	policyEnvelope   dsse.Envelope
-	collectionSource source.Sourcer
-	subjectDigests   []string
+	stepResults        map[string]policy.StepResult
+	policyEnvelope     dsse.Envelope
+	collectionSource   source.Sourcer
+	subjectDigests     []string
+	kmsProviderOptions map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)
 }
 
 type Option func(*Attestor)
@@ -76,6 +78,12 @@ func VerifyWithPolicyEnvelope(policyEnvelope dsse.Envelope) Option {
 	}
 }
 
+func VerifyWithKMSProviderOptions(opts map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)) Option {
+	return func(a *Attestor) {
+		a.kmsProviderOptions = opts
+	}
+}
+
 func VerifyWithSubjectDigests(subjectDigests []cryptoutil.DigestSet) Option {
 	return func(vo *Attestor) {
 		for _, set := range subjectDigests {
@@ -149,7 +157,7 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 		return fmt.Errorf("failed to unmarshal policy from envelope: %w", err)
 	}
 
-	pubKeysById, err := pol.PublicKeyVerifiers()
+	pubKeysById, err := pol.PublicKeyVerifiers(a.kmsProviderOptions)
 	if err != nil {
 		return fmt.Errorf("failed to get public keys from policy: %w", err)
 	}

diff --git a/policy/policy.go b/policy/policy.go
@@ -25,6 +25,7 @@ import (
 
 	"github.com/in-toto/go-witness/attestation"
 	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/signer"
 	"github.com/in-toto/go-witness/signer/kms"
 	"github.com/in-toto/go-witness/source"
 
@@ -55,18 +56,39 @@ type PublicKey struct {
 }
 
 // PublicKeyVerifiers returns verifiers for each of the policy's embedded public keys grouped by the key's ID
-func (p Policy) PublicKeyVerifiers() (map[string]cryptoutil.Verifier, error) {
+func (p Policy) PublicKeyVerifiers(ko map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)) (map[string]cryptoutil.Verifier, error) {
 	verifiers := make(map[string]cryptoutil.Verifier)
 	var err error
 
 	for _, key := range p.PublicKeys {
 		var verifier cryptoutil.Verifier
 		for _, prefix := range kms.SupportedProviders() {
 			if strings.HasPrefix(key.KeyID, prefix) {
-				verifier, err = kms.New(kms.WithRef(key.KeyID), kms.WithHash("SHA256")).Verifier(context.TODO())
+				ksp := kms.New(kms.WithRef(key.KeyID), kms.WithHash("SHA256"))
+				var vp signer.SignerProvider
+				for _, opt := range ksp.Options {
+					pn := opt.ProviderName()
+					for _, setter := range ko[pn] {
+						vp, err = setter(ksp)
+						if err != nil {
+							continue
+						}
+					}
+				}
+
+				if vp != nil {
+					var ok bool
+					ksp, ok = vp.(*kms.KMSSignerProvider)
+					if !ok {
+						return nil, fmt.Errorf("provided verifier provider is not a KMS verifier provider")
+					}
+				}
+
+				verifier, err = ksp.Verifier(context.TODO())
 				if err != nil {
-					return nil, fmt.Errorf("KMS Key ID recognized but not valid: %w", err)
+					return nil, fmt.Errorf("failed to create kms verifier: %w", err)
 				}
+
 			}
 		}
 

diff --git a/policy/policy_test.go b/policy/policy_test.go
@@ -31,6 +31,7 @@ import (
 	"github.com/in-toto/go-witness/attestation/commandrun"
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/go-witness/intoto"
+	"github.com/in-toto/go-witness/signer"
 	"github.com/in-toto/go-witness/source"
 	"github.com/invopop/jsonschema"
 	"github.com/stretchr/testify/assert"
@@ -483,7 +484,7 @@ func TestPubKeyVerifiers(t *testing.T) {
 				}
 			}
 
-			verifiers, err := p.PublicKeyVerifiers()
+			verifiers, err := p.PublicKeyVerifiers(map[string][]func(signer.SignerProvider) (signer.SignerProvider, error){})
 			if testCase.expectedErr == nil {
 				assert.NoError(t, err)
 				assert.Len(t, verifiers, testCase.expectedLen)

diff --git a/signer/kms/aws/client.go b/signer/kms/aws/client.go
@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"os"
 	"regexp"
 	"strings"
 	"time"
@@ -303,7 +304,6 @@ func (a *awsClient) setupClient(ctx context.Context, ksp *kms.KMSSignerProvider)
 	}
 
 	opts := []func(*config.LoadOptions) error{}
-
 	if a.options.insecureSkipVerify {
 		log.Warn("InsecureSkipVerify is enabled for AWS KMS attestor")
 		opts = append(opts, config.WithHTTPClient(&http.Client{
@@ -320,6 +320,9 @@ func (a *awsClient) setupClient(ctx context.Context, ksp *kms.KMSSignerProvider)
 		}
 
 		log.Debug("Using file ", f, " as credentials file for AWS KMS provider")
+		if _, err := os.ReadFile(f); err != nil {
+			return fmt.Errorf("error reading credentials file: %w", err)
+		}
 		opts = append(opts, config.WithSharedCredentialsFiles([]string{f}))
 	}
 

diff --git a/verify.go b/verify.go
@@ -27,6 +27,7 @@ import (
 	"github.com/in-toto/go-witness/dsse"
 	ipolicy "github.com/in-toto/go-witness/internal/policy"
 	"github.com/in-toto/go-witness/policy"
+	"github.com/in-toto/go-witness/signer"
 	"github.com/in-toto/go-witness/slsa"
 	"github.com/in-toto/go-witness/source"
 	"github.com/in-toto/go-witness/timestamp"
@@ -49,6 +50,7 @@ type verifyOptions struct {
 	verifyPolicySignatureOptions []ipolicy.Option
 	runOptions                   []RunOption
 	signers                      []cryptoutil.Signer
+	kmsProviderOptions           map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)
 }
 
 type VerifyOption func(*verifyOptions)
@@ -121,6 +123,12 @@ func VerifyWithPolicyCAIntermediates(certs []*x509.Certificate) VerifyOption {
 	}
 }
 
+func VerifyWithKMSProviderOptions(opts map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)) VerifyOption {
+	return func(vo *verifyOptions) {
+		vo.kmsProviderOptions = opts
+	}
+}
+
 type VerifyResult struct {
 	RunResult
 	VerificationSummary slsa.VerificationSummary
@@ -148,7 +156,12 @@ func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers [
 	vo.runOptions = append(vo.runOptions,
 		RunWithAttestors(
 			[]attestation.Attestor{
-				policyverify.New(vo.attestorOptions...),
+				policyverify.New(
+					append(
+						[]policyverify.Option{policyverify.VerifyWithKMSProviderOptions(vo.kmsProviderOptions)},
+						vo.attestorOptions...,
+					)...,
+				),
 			},
 		),
 	)