feat: Enable Witness Policy verify from Archivista

Enables Witness to retrieve Policy from Archivista. If a user provides a Policy `gitoid`, Witness will attempt to retrieve it from Archivista. To maintain backward compatibility, Witness first tries to load the file locally. If the local file loading fails and an Archivista is configured, it will retrieve the Policy from Archivista. Signed-off-by: Kairo Araujo <kairo.araujo@testifysec.com>
in-toto · May 2, 2024 · 00d38f9 · 00d38f9
1 parent fb15191
commit 00d38f9
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 19 deletions.
diff --git a/cmd/verify.go b/cmd/verify.go
@@ -1,4 +1,4 @@
-// Copyright 2021 The Witness Contributors
+// Copyright 2021-2024 The Witness Contributors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -17,18 +17,17 @@ package cmd
 import (
 	"context"
 	"crypto"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"os"
 
 	witness "github.com/in-toto/go-witness"
 	"github.com/in-toto/go-witness/archivista"
 	"github.com/in-toto/go-witness/cryptoutil"
-	"github.com/in-toto/go-witness/dsse"
 	"github.com/in-toto/go-witness/log"
 	"github.com/in-toto/go-witness/source"
 	"github.com/in-toto/witness/options"
+	"github.com/in-toto/witness/pkg"
 	"github.com/spf13/cobra"
 )
 
@@ -64,6 +63,19 @@ const (
 // todo: this logic should be broken out and moved to pkg/
 // we need to abstract where keys are coming from, etc
 func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...cryptoutil.Verifier) error {
+
+	var (
+		collectionSource source.Sourcer
+		archivistaClient *archivista.Client
+	)
+	memSource := source.NewMemorySource()
+
+	collectionSource = memSource
+	if vo.ArchivistaOptions.Enable {
+		archivistaClient = archivista.New(vo.ArchivistaOptions.Url)
+		collectionSource = source.NewMultiSource(collectionSource, source.NewArchvistSource(archivistaClient))
+	}
+
 	if vo.KeyPath == "" && len(vo.CAPaths) == 0 && len(verifiers) == 0 {
 		return fmt.Errorf("must supply either a public key, CA certificates or a verifier")
 	}
@@ -83,16 +95,9 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
 		verifiers = append(verifiers, v)
 	}
 
-	inFile, err := os.Open(vo.PolicyFilePath)
+	policyEnvelope, err := pkg.LoadPolicy(ctx, vo.PolicyFilePath, archivistaClient)
 	if err != nil {
-		return fmt.Errorf("failed to open file to sign: %w", err)
-	}
-
-	defer inFile.Close()
-	policyEnvelope := dsse.Envelope{}
-	decoder := json.NewDecoder(inFile)
-	if err := decoder.Decode(&policyEnvelope); err != nil {
-		return fmt.Errorf("could not unmarshal policy envelope: %w", err)
+		return fmt.Errorf("failed to load policy: %w", err)
 	}
 
 	subjects := []cryptoutil.DigestSet{}
@@ -113,19 +118,12 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
 		return errors.New("at least one subject is required, provide an artifact file or subject")
 	}
 
-	var collectionSource source.Sourcer
-	memSource := source.NewMemorySource()
 	for _, path := range vo.AttestationFilePaths {
 		if err := memSource.LoadFile(path); err != nil {
 			return fmt.Errorf("failed to load attestation file: %w", err)
 		}
 	}
 
-	collectionSource = memSource
-	if vo.ArchivistaOptions.Enable {
-		collectionSource = source.NewMultiSource(collectionSource, source.NewArchvistSource(archivista.New(vo.ArchivistaOptions.Url)))
-	}
-
 	verifiedEvidence, err := witness.Verify(
 		ctx,
 		policyEnvelope,

diff --git a/pkg/policy.go b/pkg/policy.go
@@ -0,0 +1,57 @@
+// Copyright 2024 The Witness Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pkg
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/in-toto/go-witness/archivista"
+	"github.com/in-toto/go-witness/dsse"
+	"github.com/in-toto/go-witness/log"
+)
+
+// Load policy from a file or Archivista
+//
+// It prefers to load from a file, if it fails, it tries to load from Archivista
+func LoadPolicy(ctx context.Context, policy string, archivista *archivista.Client) (dsse.Envelope, error) {
+	policyEnvelope := dsse.Envelope{}
+
+	filePolicy, err := os.Open(policy)
+	if err != nil {
+		log.Debug("failed to open policy file: ", policy)
+		if archivista == nil {
+			return policyEnvelope, fmt.Errorf("failed to open file to sign: %w", err)
+		} else {
+			log.Debug("attempting to fetch policy " + policy + " from archivista")
+			policyEnvelope, err = archivista.Download(ctx, policy)
+			if err != nil {
+				return policyEnvelope, fmt.Errorf("failed to fetch policy from archivista: %w", err)
+			}
+			log.Debug("folicy " + policy + " downloaded from archivista")
+		}
+
+	} else {
+		defer filePolicy.Close()
+		decoder := json.NewDecoder(filePolicy)
+		if err := decoder.Decode(&policyEnvelope); err != nil {
+			return policyEnvelope, fmt.Errorf("could not unmarshal policy envelope: %w", err)
+		}
+	}
+
+	return policyEnvelope, nil
+}