173 lines
4.8 KiB
Go
173 lines
4.8 KiB
Go
/*
|
|
Copyright Docker attest-provider authors
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package handler
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"runtime/debug"
|
|
|
|
"github.com/docker/attest"
|
|
"github.com/docker/attest-provider/pkg/utils"
|
|
"github.com/docker/attest/mapping"
|
|
"github.com/docker/attest/oci"
|
|
"github.com/docker/attest/policy"
|
|
"github.com/docker/attest/tuf"
|
|
intoto "github.com/in-toto/in-toto-golang/in_toto"
|
|
"github.com/open-policy-agent/frameworks/constraint/pkg/externaldata"
|
|
"k8s.io/klog/v2"
|
|
)
|
|
|
|
type ValidationResult struct {
|
|
Outcome attest.Outcome `json:"outcome"`
|
|
Input *policy.Input `json:"input"`
|
|
VSA *intoto.Statement `json:"vsa"`
|
|
Violations []policy.Violation `json:"violations"`
|
|
}
|
|
|
|
type ValidateHandlerOptions struct {
|
|
TUFRoot string
|
|
TUFChannel string
|
|
TUFOutputPath string
|
|
TUFMetadataURL string
|
|
TUFTargetsURL string
|
|
|
|
PolicyDir string
|
|
PolicyCacheDir string
|
|
|
|
AttestationStyle string
|
|
ReferrersRepo string
|
|
Parameters map[string]string
|
|
}
|
|
|
|
type validateHandler struct {
|
|
opts *ValidateHandlerOptions
|
|
}
|
|
|
|
func NewValidateHandler(ctx context.Context, opts *ValidateHandlerOptions) (http.Handler, error) {
|
|
handler := &validateHandler{opts: opts}
|
|
|
|
// a TUF client can only be used once, so we need to create a new one for each request.
|
|
// we create this one up front to ensure that the TUF root is valid and to pre-load the metadata.
|
|
// TODO: this pre-loading works for the root, targets, snapshot, and timestamp roles, but not for delegated roles.
|
|
_, err := handler.newVerifier(ctx)
|
|
if err != nil {
|
|
// if this failed, don't return an error, just log it and continue
|
|
// this prevents the server from getting into a crash loop if the TUF repo is down or broken,
|
|
// and we can still recover if the TUF repo comes back up.
|
|
klog.ErrorS(err, "failed to initialize TUF client")
|
|
}
|
|
|
|
klog.Infof("validate handler initialized with %s TUF root", opts.TUFRoot)
|
|
|
|
return handler, nil
|
|
}
|
|
|
|
func (h *validateHandler) newVerifier(ctx context.Context) (*attest.ImageVerifier, error) {
|
|
root, err := tuf.GetEmbeddedRoot(h.opts.TUFRoot)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
policyOpts := &policy.Options{
|
|
TUFClientOptions: &tuf.ClientOptions{
|
|
InitialRoot: root.Data,
|
|
LocalStorageDir: h.opts.TUFOutputPath,
|
|
MetadataSource: h.opts.TUFMetadataURL,
|
|
TargetsSource: h.opts.TUFTargetsURL,
|
|
PathPrefix: h.opts.TUFChannel,
|
|
VersionChecker: tuf.NewDefaultVersionChecker(),
|
|
},
|
|
LocalTargetsDir: h.opts.PolicyCacheDir,
|
|
LocalPolicyDir: h.opts.PolicyDir,
|
|
AttestationStyle: mapping.AttestationStyle(h.opts.AttestationStyle),
|
|
ReferrersRepo: h.opts.ReferrersRepo,
|
|
Debug: true,
|
|
Parameters: h.opts.Parameters,
|
|
}
|
|
verifier, err := attest.NewImageVerifier(ctx, policyOpts)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return verifier, nil
|
|
}
|
|
|
|
func (h *validateHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
|
|
defer func() {
|
|
if r := recover(); r != nil {
|
|
klog.Error(string(debug.Stack()))
|
|
klog.ErrorS(fmt.Errorf("%v", r), "panic occurred")
|
|
}
|
|
}()
|
|
|
|
ctx := req.Context()
|
|
|
|
// read request body
|
|
requestBody, err := io.ReadAll(req.Body)
|
|
if err != nil {
|
|
utils.SendResponse(nil, fmt.Sprintf("unable to read request body: %v", err), w)
|
|
return
|
|
}
|
|
|
|
klog.InfoS("received request", "body", requestBody)
|
|
|
|
// parse request body
|
|
var providerRequest externaldata.ProviderRequest
|
|
err = json.Unmarshal(requestBody, &providerRequest)
|
|
if err != nil {
|
|
utils.SendResponse(nil, fmt.Sprintf("unable to unmarshal request body: %v", err), w)
|
|
return
|
|
}
|
|
|
|
// create a new verifier for each request
|
|
attest, err := h.newVerifier(ctx)
|
|
if err != nil {
|
|
utils.SendResponse(nil, fmt.Sprintf("unable to create verifier: %v", err), w)
|
|
return
|
|
}
|
|
|
|
results := make([]externaldata.Item, 0)
|
|
for _, key := range providerRequest.Request.Keys {
|
|
platform := "linux/amd64"
|
|
src, err := oci.ParseImageSpec(key, oci.WithPlatform(platform))
|
|
if err != nil {
|
|
utils.SendResponse(nil, err.Error(), w)
|
|
return
|
|
}
|
|
|
|
result, err := attest.Verify(ctx, src)
|
|
if err != nil {
|
|
utils.SendResponse(nil, err.Error(), w)
|
|
return
|
|
}
|
|
|
|
results = append(results, externaldata.Item{
|
|
Key: key,
|
|
Value: ValidationResult{
|
|
Outcome: result.Outcome,
|
|
Input: result.Input,
|
|
VSA: result.VSA,
|
|
Violations: result.Violations,
|
|
},
|
|
})
|
|
}
|
|
utils.SendResponse(&results, "", w)
|
|
}
|