fixed

testifysec · Apr 1, 2024 · 3fb8ede · 3fb8ede
1 parent a9926c8
commit 3fb8ede
Show file tree

Hide file tree

Showing 9 changed files with 897 additions and 643 deletions.
diff --git a/cmd/attestation.go b/cmd/attestation.go
@@ -0,0 +1,82 @@
+package cmd
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+
+	"github.com/in-toto/go-witness/attestation"
+	"github.com/in-toto/go-witness/dsse"
+	"github.com/in-toto/go-witness/intoto"
+	"github.com/in-toto/go-witness/policy"
+)
+
+type parsedCollection struct {
+	attestation.Collection
+	Attestations []struct {
+		Type        string          `json:"type"`
+		Attestation json.RawMessage `json:"attestation"`
+	} `json:"attestations"`
+}
+
+// https://archivista.testifysec.io/download/354754c3452052ec52da4ecf2022257c4bf045f2b181b812162e012b6ad4b162
+// function parses the attestationCollection from the file or url provides
+func parseAttestationCollectionFromFile(filePath string) ([]policy.Attestation, *parsedCollection, error) {
+	//lets get the bytes from the file or url first
+	var b []byte
+
+	if strings.HasPrefix(filePath, "http") {
+		resp, err := http.Get(filePath)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		defer resp.Body.Close()
+
+		if resp.StatusCode != http.StatusOK {
+			return nil, nil, fmt.Errorf("failed to download attestation collection: %s", resp.Status)
+
+		}
+
+		b, err = ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return nil, nil, err
+		}
+
+	} else {
+		//read the file
+		var err error
+		b, err = ioutil.ReadFile(filePath)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	envelope := &dsse.Envelope{}
+	if err := json.Unmarshal(b, envelope); err != nil {
+		return nil, nil, err
+	}
+
+	payload := &intoto.Statement{}
+	if err := json.Unmarshal(envelope.Payload, payload); err != nil {
+		return nil, nil, err
+	}
+
+	parsedCollection := &parsedCollection{}
+	if err := json.Unmarshal(payload.Predicate, parsedCollection); err != nil {
+		return nil, nil, err
+	}
+
+	attestations := make([]policy.Attestation, 0, len(parsedCollection.Attestations))
+
+	for _, a := range parsedCollection.Attestations {
+		attestations = append(attestations, policy.Attestation{
+			Type:         a.Type,
+			RegoPolicies: []policy.RegoPolicy{},
+		})
+	}
+
+	return attestations, parsedCollection, nil
+}
diff --git a/cmd/check.go b/cmd/check.go
@@ -9,9 +9,9 @@ import (
 	"os"
 	"time"
 
+	"github.com/in-toto/go-witness/policy"
 	"github.com/open-policy-agent/opa/ast"
 	"github.com/spf13/cobra"
-	"github.com/testifysec/go-witness/policy"
 )
 
 func CheckCmd() *cobra.Command {
@@ -73,7 +73,7 @@ func CheckPolicy(p *policy.Policy) []error {
 	errors := []error{}
 
 	// Make sure the policy is not expired
-	if time.Now().After(p.Expires) {
+	if time.Now().After(p.Expires.Time) {
 		errors = append(errors, fmt.Errorf("policy expired"))
 	}
 
@@ -145,7 +145,7 @@ func CheckPolicy(p *policy.Policy) []error {
 		}
 
 		// check that the expiration date is not before the policy expiration date
-		if cert.NotAfter.Before(p.Expires) {
+		if cert.NotAfter.Before(p.Expires.Time) {
 			errors = append(errors, fmt.Errorf("error: root certificate '%s' has an expiration date before the policy expiration date", k))
 		}
 
@@ -203,18 +203,8 @@ func CheckPolicy(p *policy.Policy) []error {
 
 		// Check that the timestamp authority certificate has a valid signature
 		err = cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature)
-		if err != nil {
-			errors = append(errors, fmt.Errorf("error: timestamp authority certificate '%s' has an invalid signature: %v", k, err))
-		}
-
-		// Check that the timestamp authority certificate has a valid public key
-		err = cert.CheckSignatureFrom(cert)
-		if err != nil {
-			errors = append(errors, fmt.Errorf("error: timestamp authority certificate '%s' has an invalid public key: %v", k, err))
-		}
-
 		// check that the expiration date is not before the policy expiration date
-		if cert.NotAfter.Before(p.Expires) {
+		if cert.NotAfter.Before(p.Expires.Time) {
 			errors = append(errors, fmt.Errorf("error: timestamp authority certificate '%s' has an expiration date before the policy expiration date", k))
 		}
 	}

diff --git a/cmd/cmd.go b/cmd/cmd.go
@@ -0,0 +1,58 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/spf13/cobra"
+)
+
+func CreateCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "create",
+		Short: "Create a policy file",
+		Long: `create -s <step1_name> -r <root_ca_path> -a <attestation> -g <rego_path> -a <attestation> -g <rego_path> \
+-s <step2_name> -r <root_ca_path> -a <attestation> -g <rego_path> -a <attestation> -g <rego_path> \
+-o <output_path> -e <expiration> -t <tsa_ca_path>
+					  
+Flags must come after the step they are bound to. For example, the -r flag must come after the -s flag.`,
+		Args: cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			expires, _ := cmd.Flags().GetDuration("expires")
+
+			err := CreatePolicy(os.Args[2:], expires)
+			if err != nil {
+				return fmt.Errorf("policy creation failed: %v", err)
+			}
+			return nil
+		},
+	}
+
+	archivistaURL = cmd.Flags().StringP("archivsita-url", "u", "https://archivista.testifysec.io/download/", "URL of the Archivista instance to use for DSSE envelope retrieval")
+	cmd.Flags().StringP("dsse", "d", "", "Path to a DSSE envelope file to associate with an functionary, should be used instread of a step flag")
+	cmd.Flags().StringP("dsse-archivista", "x", "", "gitoid of the DSSE envelope in Archivista; should be used instead of a step flag")
+	cmd.Flags().StringP("sticky-keys", "y", "", "Path to a file containing a list of sticky keys to use for the policy")
+	cmd.Flags().StringP("step", "s", "", "Step name to bind subsequent flags to (e.g., root CA, intermediate, attestations, Rego policy)")
+	cmd.Flags().StringP("tsa-ca", "t", "", "Path to the TSA CA PEM file; should be used after a step flag")
+	cmd.Flags().StringP("root-ca", "r", "", "Path to the root CA PEM file; should be used after a step flag")
+	cmd.Flags().StringP("intermediate", "i", "", "Path to the intermediate PEM file (optional); should be used after a step flag")
+	cmd.Flags().StringP("attestations", "a", "", "Attestations to include in the policy for a step; should be used after a step flag")
+	cmd.Flags().StringP("subjects", "b", "", "Subjects to search for attestation to generate the policy")
+
+	cmd.Flags().StringP("rego", "g", "", "Path to a Rego policy file to associate with an attestation; should be used after an attestation flag")
+	cmd.Flags().StringP("public-key", "k", "", "Path to a public key file to associate with an attestation; should be used after a step flag")
+
+	//flags for cert constraints
+	cmd.Flags().String("constraint-commonname", "", "Certificate common name constraint")
+	cmd.Flags().String("constraint-dnsnames", "", "Certificate DNS names constraint (comma-separated)")
+	cmd.Flags().String("constraint-emails", "", "Certificate emails constraint (comma-separated)")
+	cmd.Flags().String("constraint-organizations", "", "Certificate organizations constraint (comma-separated)")
+	cmd.Flags().String("constraint-uris", "", "Certificate URIs constraint (comma-separated)")
+	cmd.Flags().StringP("output", "o", "", "Output file to save the policy (default id stdout)")
+	cmd.Flags().DurationP("expires", "e", time.Hour*24, "Expiration duration for the policy (e.g., 24h, 7d)")
+
+	//make sure we have either a root-ca or public-key, we need one or the other
+
+	return cmd
+}