From 604063f9f801b61c494e02c0ebf81e1ebb3faa1b Mon Sep 17 00:00:00 2001
From: Tom Meadows
Date: Mon, 12 Aug 2024 14:40:29 +0100
Subject: [PATCH] fix: Passing kms provider options down to initialisation of functionaries (#292)

* passing kms provider options down to initialisation of functionaries

---------

Signed-off-by: chaosinthecrd
---
 .github/workflows/golangci-lint.yml | 2 +-
 attestation/policyverify/policyverify.go | 18 ++++++++++-----
 policy/policy.go | 28 +++++++++++++++++++++---
 policy/policy_test.go | 3 ++-
 signer/kms/aws/client.go | 5 ++++-
 verify.go | 15 ++++++++++++-
 6 files changed, 59 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index e37aa5bb..b72e2a7f 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -43,4 +43,4 @@ jobs:
 with:
 version: latest
 args: --timeout=3m
- skip-pkg-cache: true
+ skip-cache: true
diff --git a/attestation/policyverify/policyverify.go b/attestation/policyverify/policyverify.go
index 004bab24..867234d6 100644
--- a/attestation/policyverify/policyverify.go
+++ b/attestation/policyverify/policyverify.go
@@ -27,6 +27,7 @@ import (
 ipolicy "github.com/in-toto/go-witness/internal/policy"
 "github.com/in-toto/go-witness/log"
 "github.com/in-toto/go-witness/policy"
+ "github.com/in-toto/go-witness/signer"
 "github.com/in-toto/go-witness/slsa"
 "github.com/in-toto/go-witness/source"
 "github.com/in-toto/go-witness/timestamp"
@@ -54,10 +55,11 @@ type Attestor struct {
 *ipolicy.VerifyPolicySignatureOptions
 slsa.VerificationSummary
 
- stepResults map[string]policy.StepResult
- policyEnvelope dsse.Envelope
- collectionSource source.Sourcer
- subjectDigests []string
+ stepResults map[string]policy.StepResult
+ policyEnvelope dsse.Envelope
+ collectionSource source.Sourcer
+ subjectDigests []string
+ kmsProviderOptions map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)
 }
 
 type Option func(*Attestor)
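Review bot: The new `kmsProviderOptions` field on Attestor carries no comment saying what its key is, and the type is opaque enough that a reader has to go to policy.PublicKeyVerifiers to learn that the key is a provider name (the lookup there is `ko[pn]` with `pn := opt.ProviderName()`). A one-line field comment would save that trip: `// kmsProviderOptions maps a KMS provider name (as returned by ProviderName()) to the setters applied to that provider before a verifier is built from a policy key`. The same map type is spelled out six times across this patch; a named type in the signer package would shorten every signature and give the contract one place to be documented.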
@@ -76,6 +78,12 @@ func VerifyWithPolicyEnvelope(policyEnvelope dsse.Envelope) Option {
 }
 }
 
+func VerifyWithKMSProviderOptions(opts map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)) Option {
+ return func(a *Attestor) {
+ a.kmsProviderOptions = opts
+ }
+}
+
 func VerifyWithSubjectDigests(subjectDigests []cryptoutil.DigestSet) Option {
 return func(vo *Attestor) {
 for _, set := range subjectDigests {
@@ -149,7 +157,7 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 return fmt.Errorf("failed to unmarshal policy from envelope: %w", err)
 }
 
- pubKeysById, err := pol.PublicKeyVerifiers()
+ pubKeysById, err := pol.PublicKeyVerifiers(a.kmsProviderOptions)
 if err != nil {
 return fmt.Errorf("failed to get public keys from policy: %w", err)
 }
diff --git a/policy/policy.go b/policy/policy.go
index dfac8358..908aefab 100644
--- a/policy/policy.go
+++ b/policy/policy.go
@@ -25,6 +25,7 @@ import (
 
 "github.com/in-toto/go-witness/attestation"
 "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/signer"
 "github.com/in-toto/go-witness/signer/kms"
 "github.com/in-toto/go-witness/source"
 
@@ -55,7 +56,7 @@ type PublicKey struct {
 }
 
 // PublicKeyVerifiers returns verifiers for each of the policy's embedded public keys grouped by the key's ID
-func (p Policy) PublicKeyVerifiers() (map[string]cryptoutil.Verifier, error) {
+func (p Policy) PublicKeyVerifiers(ko map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)) (map[string]cryptoutil.Verifier, error) {
 verifiers := make(map[string]cryptoutil.Verifier)
 var err error
 
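Review bot: `VerifyWithKMSProviderOptions` is exported but has no doc comment, so godoc shows nothing about what the caller must supply; the same applies to the identically named `VerifyWithKMSProviderOptions` added to verify.go later in this patch. A comment such as `// VerifyWithKMSProviderOptions sets the option setters applied to each KMS signer provider, keyed by provider name, before that provider is used to build verifiers for the policy's public keys.` would do for both. The option stores the caller's map by reference rather than copying it, which is fine for function values but worth stating so callers know that later edits to the map are observed.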
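Review bot: The doc comment on `PublicKeyVerifiers` was not updated for the new `ko` parameter, so the method's only argument is undocumented. Suggest extending it to `// PublicKeyVerifiers returns verifiers for each of the policy's embedded public keys grouped by the key's ID. ko maps a KMS provider name to the option setters applied to that provider before its verifier is created; a nil map applies none.` A nil map is safe here because the body only ever reads from `ko`.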
@@ -63,10 +64,31 @@ func (p Policy) PublicKeyVerifiers() (map[string]cryptoutil.Verifier, error) {
 var verifier cryptoutil.Verifier
 for _, prefix := range kms.SupportedProviders() {
 if strings.HasPrefix(key.KeyID, prefix) {
- verifier, err = kms.New(kms.WithRef(key.KeyID), kms.WithHash("SHA256")).Verifier(context.TODO())
+ ksp := kms.New(kms.WithRef(key.KeyID), kms.WithHash("SHA256"))
+ var vp signer.SignerProvider
+ for _, opt := range ksp.Options {
+ pn := opt.ProviderName()
+ for _, setter := range ko[pn] {
+ vp, err = setter(ksp)
+ if err != nil {
+ continue
+ }
+ }
+ }
+
+ if vp != nil {
+ var ok bool
+ ksp, ok = vp.(*kms.KMSSignerProvider)
+ if !ok {
+ return nil, fmt.Errorf("provided verifier provider is not a KMS verifier provider")
+ }
+ }
+
+ verifier, err = ksp.Verifier(context.TODO())
 if err != nil {
- return nil, fmt.Errorf("KMS Key ID recognized but not valid: %w", err)
+ return nil, fmt.Errorf("failed to create kms verifier: %w", err)
 }
+
 }
 }
 
diff --git a/policy/policy_test.go b/policy/policy_test.go
index c57fda3e..761237c5 100644
--- a/policy/policy_test.go
+++ b/policy/policy_test.go
@@ -31,6 +31,7 @@ import (
 "github.com/in-toto/go-witness/attestation/commandrun"
 "github.com/in-toto/go-witness/cryptoutil"
 "github.com/in-toto/go-witness/intoto"
+ "github.com/in-toto/go-witness/signer"
 "github.com/in-toto/go-witness/source"
 "github.com/invopop/jsonschema"
 "github.com/stretchr/testify/assert"
@@ -483,7 +484,7 @@ func TestPubKeyVerifiers(t *testing.T) {
 }
 }
 
- verifiers, err := p.PublicKeyVerifiers()
+ verifiers, err := p.PublicKeyVerifiers(map[string][]func(signer.SignerProvider) (signer.SignerProvider, error){})
 if testCase.expectedErr == nil {
 assert.NoError(t, err)
 assert.Len(t, verifiers, testCase.expectedLen)
diff --git a/signer/kms/aws/client.go b/signer/kms/aws/client.go
index 620b3e98..493ab1fc 100644
--- a/signer/kms/aws/client.go
+++ b/signer/kms/aws/client.go
@@ -23,6 +23,7 @@ import (
 "fmt"
 "io"
 "net/http"
+ "os"
 "regexp"
 "strings"
 "time"
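Review bot: A setter failure is silently dropped in the inner loop — `if err != nil { continue }` discards the error, and because `vp, err = setter(ksp)` assigns both results, a failing setter also overwrites whatever provider an earlier setter returned. The effect is that a misconfigured KMS option degrades to verifying with the default provider configuration instead of failing, which is the wrong direction for a verifier. Replace the `continue` with `return nil, fmt.Errorf("applying %s kms provider option for key %s: %w", pn, key.KeyID, err)`. Whether a setter mutates the pointer it receives or returns a fresh provider is not visible here; if it returns a fresh one, every setter after the first is applied to the original `ksp` rather than to the previous result, so the loop would need to feed `vp` forward. The `!ok` error message would also be easier to act on if it named `key.KeyID`.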
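Review bot: The updated `TestPubKeyVerifiers` only passes an empty map, so none of the new code in `PublicKeyVerifiers` — the setter loop, the `vp != nil` type assertion and its `!ok` error path — is exercised by the existing cases. A case that supplies a setter recording that it was invoked for the expected provider name, and one whose setter returns an error, would pin the intended behaviour of both paths. The test function starts before this hunk.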
@@ -303,7 +304,6 @@ func (a *awsClient) setupClient(ctx context.Context, ksp *kms.KMSSignerProvider)
 }
 
 opts := []func(*config.LoadOptions) error{}
-
 if a.options.insecureSkipVerify {
 log.Warn("InsecureSkipVerify is enabled for AWS KMS attestor")
 opts = append(opts, config.WithHTTPClient(&http.Client{
@@ -320,6 +320,9 @@ func (a *awsClient) setupClient(ctx context.Context, ksp *kms.KMSSignerProvider)
 }
 
 log.Debug("Using file ", f, " as credentials file for AWS KMS provider")
+ if _, err := os.ReadFile(f); err != nil {
+ return fmt.Errorf("error reading credentials file: %w", err)
+ }
 opts = append(opts, config.WithSharedCredentialsFiles([]string{f}))
 }
 
diff --git a/verify.go b/verify.go
index f24b9224..fbe91cef 100644
--- a/verify.go
+++ b/verify.go
@@ -27,6 +27,7 @@ import (
 "github.com/in-toto/go-witness/dsse"
 ipolicy "github.com/in-toto/go-witness/internal/policy"
 "github.com/in-toto/go-witness/policy"
+ "github.com/in-toto/go-witness/signer"
 "github.com/in-toto/go-witness/slsa"
 "github.com/in-toto/go-witness/source"
 "github.com/in-toto/go-witness/timestamp"
@@ -49,6 +50,7 @@ type verifyOptions struct {
 verifyPolicySignatureOptions []ipolicy.Option
 runOptions []RunOption
 signers []cryptoutil.Signer
+ kmsProviderOptions map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)
 }
 
 type VerifyOption func(*verifyOptions)
@@ -121,6 +123,12 @@ func VerifyWithPolicyCAIntermediates(certs []*x509.Certificate) VerifyOption {
 }
 }
 
+func VerifyWithKMSProviderOptions(opts map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)) VerifyOption {
+ return func(vo *verifyOptions) {
+ vo.kmsProviderOptions = opts
+ }
+}
+
 type VerifyResult struct {
 RunResult
 VerificationSummary slsa.VerificationSummary
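Review bot: `os.ReadFile(f)` in the credentials-file hunk reads the entire AWS credentials file into memory only to discard it, so the probe copies secret material into a buffer that lingers until the next GC. Opening and closing the file checks the same thing (existence and read permission) without reading it: `fh, err := os.Open(f)` / `if err != nil { return fmt.Errorf("error reading credentials file: %w", err) }` / `fh.Close()`. If the intent is merely an earlier, clearer error than the SDK's own load failure, a comment saying so would stop the next reader from wondering why the contents are unused. setupClient starts before this hunk and continues after it.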
@@ -148,7 +156,12 @@ func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers [
 vo.runOptions = append(vo.runOptions, RunWithAttestors(
 []attestation.Attestor{
- policyverify.New(vo.attestorOptions...),
+ policyverify.New(
+ append(
+ []policyverify.Option{policyverify.VerifyWithKMSProviderOptions(vo.kmsProviderOptions)},
+ vo.attestorOptions...,
+ )...,
+ ),
 },
 ),
 )
 
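Review bot: The nested `append` that prepends `VerifyWithKMSProviderOptions(vo.kmsProviderOptions)` to `vo.attestorOptions` encodes a precedence — assuming policyverify.New applies its options in order, any option the caller placed in attestorOptions runs afterwards and wins — and nothing says that is intended. A short comment above the call, such as `// KMS provider options go first so explicitly supplied attestor options can still override them`, would make the ordering deliberate rather than accidental. Verify begins before this hunk and continues after it.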