attest-provider/main.go

package main

import (
	"crypto/tls"
	"crypto/x509"
	"flag"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"time"

	"github.com/docker/attest-provider/pkg/handler"
	"github.com/docker/attest-provider/pkg/utils"

	"k8s.io/klog/v2"
)

const (
	handlerTimeout    = 15 * time.Second
	readHeaderTimeout = 1 * time.Second
)

const (
	defaultPort = 8090

	certName = "tls.crt"
	keyName  = "tls.key"
)

var (
	certDir      string
	clientCAFile string
	port         int

	tufRoot       string
	tufoutputPath string
	metadataURL   string
	targetsURL    string

	policyDir      string
	policyCacheDir string
)

const (
	defaultMetadataURL = "registry-1.docker.io/docker/tuf-metadata:latest"
	defaultTargetsURL  = "registry-1.docker.io/docker/tuf-targets"
)

var (
	defaultTUFOutputPath  = filepath.Join("/tuf_temp", ".docker", "tuf")
	defaultPolicyCacheDir = filepath.Join("/tuf_temp", ".docker", "policy")
)

var timeoutError = string(utils.GatekeeperError("operation timed out"))

func init() {
	klog.InitFlags(nil)
	flag.StringVar(&certDir, "cert-dir", "", "path to directory containing TLS certificates")
	flag.StringVar(&clientCAFile, "client-ca-file", "", "path to client CA certificate")
	flag.IntVar(&port, "port", defaultPort, "Port for the server to listen on")
	flag.StringVar(&tufRoot, "tuf-root", "staging", "specify embedded tuf root [dev, staging], default [staging]")

	if tufRoot != "dev" && tufRoot != "staging" {
		klog.Errorf("invalid tuf root: %s", tufRoot)
		os.Exit(1)
	}

	flag.StringVar(&metadataURL, "tuf-metadata-source", defaultMetadataURL, "source (URL or repo) for TUF metadata")
	flag.StringVar(&targetsURL, "tuf-targets-source", defaultTargetsURL, "source (URL or repo) for TUF targets")
	flag.StringVar(&tufoutputPath, "tuf-output-path", defaultTUFOutputPath, "local dir to store TUF repo metadata")

	flag.StringVar(&policyDir, "local-policy-dir", "", "path to local policy directory (overrides TUF policy)")
	flag.StringVar(&policyCacheDir, "policy-cache-dir", defaultPolicyCacheDir, "path to store policy downloaded from TUF")

	flag.Parse()
}

func main() {
	mux := http.NewServeMux()

	validateHandler, err := handler.NewValidateHandler(&handler.ValidateHandlerOptions{
		TUFRoot:        tufRoot,
		TUFOutputPath:  tufoutputPath,
		TUFMetadataURL: metadataURL,
		TUFTargetsURL:  targetsURL,
		PolicyDir:      policyDir,
		PolicyCacheDir: policyCacheDir,
	})
	if err != nil {
		klog.ErrorS(err, "unable to create validate handler")
		os.Exit(1)
	}

	mutateHandler, err := handler.NewMutateHandler()
	if err != nil {
		klog.ErrorS(err, "unable to create validate handler")
		os.Exit(1)
	}

	mux.Handle("POST /validate", http.TimeoutHandler(validateHandler, handlerTimeout, timeoutError))
	mux.Handle("POST /mutate", http.TimeoutHandler(mutateHandler, handlerTimeout, timeoutError))

	server := &http.Server{
		Addr:              fmt.Sprintf(":%d", port),
		Handler:           mux,
		ReadHeaderTimeout: readHeaderTimeout,
	}

	config := &tls.Config{
		MinVersion: tls.VersionTLS13,
	}
	if clientCAFile != "" {
		klog.InfoS("loading Gatekeeper's CA certificate", "clientCAFile", clientCAFile)
		caCert, err := os.ReadFile(clientCAFile)
		if err != nil {
			klog.ErrorS(err, "unable to load Gatekeeper's CA certificate", "clientCAFile", clientCAFile)
			os.Exit(1)
		}

		clientCAs := x509.NewCertPool()
		clientCAs.AppendCertsFromPEM(caCert)

		config.ClientCAs = clientCAs
		config.ClientAuth = tls.RequireAndVerifyClientCert
		server.TLSConfig = config
	}

	if certDir != "" {
		certFile := filepath.Join(certDir, certName)
		keyFile := filepath.Join(certDir, keyName)

		klog.InfoS("starting external data provider server", "port", port, "certFile", certFile, "keyFile", keyFile)
		if err := server.ListenAndServeTLS(certFile, keyFile); err != nil {
			klog.ErrorS(err, "unable to start external data provider server")
			os.Exit(1)
		}
	} else {
		klog.Error("TLS certificates are not provided, the server will not be started")
		os.Exit(1)
	}
}
Initial commit 2024-05-23 10:19:55 -05:00			`package main`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"flag"`
			`"fmt"`
			`"net/http"`
			`"os"`
			`"path/filepath"`
			`"time"`

Rename module to docker/attest-provider We were still using the name from the template 2024-06-26 12:14:15 +01:00			`"github.com/docker/attest-provider/pkg/handler"`
			`"github.com/docker/attest-provider/pkg/utils"`
Initial commit 2024-05-23 10:19:55 -05:00
			`"k8s.io/klog/v2"`
			`)`

			`const (`
Use lower timeout for reading headers 2024-06-12 11:51:36 +01:00			`handlerTimeout = 15 * time.Second`
			`readHeaderTimeout = 1 * time.Second`
			`)`

			`const (`
Initial commit 2024-05-23 10:19:55 -05:00			`defaultPort = 8090`

			`certName = "tls.crt"`
			`keyName = "tls.key"`
			`)`

			`var (`
			`certDir string`
			`clientCAFile string`
			`port int`
Read TUF config from flags and add to helm chart The values in the local helm chart are for the dev root 2024-06-24 16:53:54 +01:00
			`tufRoot string`
			`tufoutputPath string`
			`metadataURL string`
			`targetsURL string`

			`policyDir string`
			`policyCacheDir string`
			`)`

			`const (`
			`defaultMetadataURL = "registry-1.docker.io/docker/tuf-metadata:latest"`
			`defaultTargetsURL = "registry-1.docker.io/docker/tuf-targets"`
			`)`

			`var (`
			`defaultTUFOutputPath = filepath.Join("/tuf_temp", ".docker", "tuf")`
			`defaultPolicyCacheDir = filepath.Join("/tuf_temp", ".docker", "policy")`
Initial commit 2024-05-23 10:19:55 -05:00			`)`

Swap buggy timeout code for http.TimeoutHandler 2024-06-11 11:19:52 +01:00			`var timeoutError = string(utils.GatekeeperError("operation timed out"))`

Initial commit 2024-05-23 10:19:55 -05:00			`func init() {`
			`klog.InitFlags(nil)`
			`flag.StringVar(&certDir, "cert-dir", "", "path to directory containing TLS certificates")`
			`flag.StringVar(&clientCAFile, "client-ca-file", "", "path to client CA certificate")`
			`flag.IntVar(&port, "port", defaultPort, "Port for the server to listen on")`
Read TUF config from flags and add to helm chart The values in the local helm chart are for the dev root 2024-06-24 16:53:54 +01:00			`flag.StringVar(&tufRoot, "tuf-root", "staging", "specify embedded tuf root [dev, staging], default [staging]")`

			`if tufRoot != "dev" && tufRoot != "staging" {`
			`klog.Errorf("invalid tuf root: %s", tufRoot)`
			`os.Exit(1)`
			`}`

			`flag.StringVar(&metadataURL, "tuf-metadata-source", defaultMetadataURL, "source (URL or repo) for TUF metadata")`
			`flag.StringVar(&targetsURL, "tuf-targets-source", defaultTargetsURL, "source (URL or repo) for TUF targets")`
			`flag.StringVar(&tufoutputPath, "tuf-output-path", defaultTUFOutputPath, "local dir to store TUF repo metadata")`

			`flag.StringVar(&policyDir, "local-policy-dir", "", "path to local policy directory (overrides TUF policy)")`
			`flag.StringVar(&policyCacheDir, "policy-cache-dir", defaultPolicyCacheDir, "path to store policy downloaded from TUF")`

Initial commit 2024-05-23 10:19:55 -05:00			`flag.Parse()`
			`}`

			`func main() {`
			`mux := http.NewServeMux()`
Read TUF config from flags and add to helm chart The values in the local helm chart are for the dev root 2024-06-24 16:53:54 +01:00
			`validateHandler, err := handler.NewValidateHandler(&handler.ValidateHandlerOptions{`
			`TUFRoot: tufRoot,`
			`TUFOutputPath: tufoutputPath,`
			`TUFMetadataURL: metadataURL,`
			`TUFTargetsURL: targetsURL,`
			`PolicyDir: policyDir,`
			`PolicyCacheDir: policyCacheDir,`
			`})`
			`if err != nil {`
			`klog.ErrorS(err, "unable to create validate handler")`
			`os.Exit(1)`
			`}`

			`mutateHandler, err := handler.NewMutateHandler()`
			`if err != nil {`
			`klog.ErrorS(err, "unable to create validate handler")`
			`os.Exit(1)`
			`}`

			`mux.Handle("POST /validate", http.TimeoutHandler(validateHandler, handlerTimeout, timeoutError))`
			`mux.Handle("POST /mutate", http.TimeoutHandler(mutateHandler, handlerTimeout, timeoutError))`
Initial commit 2024-05-23 10:19:55 -05:00
			`server := &http.Server{`
			`Addr: fmt.Sprintf(":%d", port),`
			`Handler: mux,`
Use lower timeout for reading headers 2024-06-12 11:51:36 +01:00			`ReadHeaderTimeout: readHeaderTimeout,`
Initial commit 2024-05-23 10:19:55 -05:00			`}`

			`config := &tls.Config{`
			`MinVersion: tls.VersionTLS13,`
			`}`
			`if clientCAFile != "" {`
			`klog.InfoS("loading Gatekeeper's CA certificate", "clientCAFile", clientCAFile)`
			`caCert, err := os.ReadFile(clientCAFile)`
			`if err != nil {`
			`klog.ErrorS(err, "unable to load Gatekeeper's CA certificate", "clientCAFile", clientCAFile)`
			`os.Exit(1)`
			`}`

			`clientCAs := x509.NewCertPool()`
			`clientCAs.AppendCertsFromPEM(caCert)`

			`config.ClientCAs = clientCAs`
			`config.ClientAuth = tls.RequireAndVerifyClientCert`
			`server.TLSConfig = config`
			`}`

			`if certDir != "" {`
			`certFile := filepath.Join(certDir, certName)`
			`keyFile := filepath.Join(certDir, keyName)`

			`klog.InfoS("starting external data provider server", "port", port, "certFile", certFile, "keyFile", keyFile)`
			`if err := server.ListenAndServeTLS(certFile, keyFile); err != nil {`
			`klog.ErrorS(err, "unable to start external data provider server")`
			`os.Exit(1)`
			`}`
			`} else {`
			`klog.Error("TLS certificates are not provided, the server will not be started")`
			`os.Exit(1)`
			`}`
			`}`