proof of concept for flag-level disable auth check #9000
Conversation
Building upon the existing command-level disable auth check logic, this commit adds flag-level disable auth check logic for any flag set with `-b,--bundle` flag of `gh attestation verify` being the first use case. Subsequent commit to build out testing is needed as IsAuthCheckEnabled does not have tests.
|
@steiza @phillmv : is the manual process I listed above how you would test the feature? @williammartin : is there anything about these changes you'd like to see beyond adding tests around the various auth check annotation use cases? |
TL;DRLet's move forward with this PR, thanks! Design thoughtsI appreciate the work you've done here and I think it's pretty clever. That said, for a few reasons I prefer a less abstracted approach as in #8995. I've mentioned this elsewhere but I think that tying the authentication check logic into the cobra lifecycle takes us in a less maintainable direction in the long run. Copying and slightly modifying parts of a comment I made elsewhere so that it's in our public record: I think the auth checks are too tightly coupled to Cobra configuration and that the responsibility to make this decision should be owned closer to the business logic. From an architecture astronauting point of view, it's a leaky abstraction and though I don't expect we'll ever swap out cobra, that all the auth checks that the business logic depends upon would no longer be validated preconditions if we did, should give us a hint that it's not where it belongs. Furthermore we see that the root command has become knowledgable about From a less theoretical point of view, this knowledge living in Cobra configuration makes it hard for the business logic to be specific about when it matters, as we've discovered with this offline verification issue. Additionally, the current situation causes spooky action at a distance and I would argue the situation that func (c MyCommand) Run() error {
if err := c.SharedActor.EnsureAuthenticated(); err != nil {
return err
}
}We probably would have realised pretty quickly that authed / not authed was something to look at more closely. I'm not suggesting ^ is the solution, just an indication of code that would have acted as a beacon. To call out a specific example, imagine a command that doesn't know whether authentication is required until some state has been evaluated. All that said, I'm happy to move forward with this PR (plus tests) since you are keen on this approach and the risk is low. Really I just wanted a place to capture thoughts should we run into a situation where we wanted to revisit this decision, and to serve as a mental trigger when we come to thinking about other places where command level auth checks are not sufficient (e.g. |
|
Firstly, I want to say I completely agree with you:
Cobra is / should be merely an invocation layer handling flags and arguments to application code while whether authentication is necessary is an application concern. From a long term goal, I think refactoring the code to ensure application code is responsible for whether authentication is required makes sense. Secondly, I don't think that work is trivial in the short term, necessitating a now solution until we get to the later solution This draft was only intended as a now solution because authentication is tightly coupled to Cobra event hooks and I couldn't think of a simpler way to add support without significantly refactoring commands and the logic around Cobra event hooks: Lines 73 to 86 in 7d432bc |
This commit adds various test cases around whether a command will require authentication based on Cobra annotation metadata.
cliAutomation
added
the
external
Thanks to @williammartin, this completes the PR by ensuring the actual feature this new logic was added for actually works as expected :D
There was a problem hiding this comment.
Before (without --bundle)
GH_CONFIG_DIR=/tmp/test/gh gh attestation verify oci://ghcr.io/phillmv/arquivo -o phillmv
To get started with GitHub CLI, please run: gh auth login
Alternatively, populate the GH_TOKEN environment variable with a GitHub API authentication token.
After (without --bundle)
GH_CONFIG_DIR=/tmp/test/gh ~/workspace/cli/bin/gh attestation verify oci://ghcr.io/phillmv/arquivo -o phillmv
To get started with GitHub CLI, please run: gh auth login
Alternatively, populate the GH_TOKEN environment variable with a GitHub API authentication token.
Before (with --bundle)
GH_CONFIG_DIR=/tmp/test/gh gh attestation verify oci://ghcr.io/phillmv/arquivo -o phillmv --bundle bundle.json
To get started with GitHub CLI, please run: gh auth login
Alternatively, populate the GH_TOKEN environment variable with a GitHub API authentication token.
After (with --bundle)
GH_CONFIG_DIR=/tmp/test/gh ~/workspace/cli/bin/gh attestation verify oci://ghcr.io/phillmv/arquivo -o phillmv --bundle bundle.json
Loaded digest sha256:5936c74c8999e9fd50ca0658f378a5d3f8492fb04bd77b952942fdbba4d038bb for oci://ghcr.io/phillmv/arquivo
✗ Loading attestations from oci://ghcr.io/phillmv/arquivo failed
Error: bundle could not be loaded from JSON file: open bundle.json: no such file or directory
We can see in this last case that although the bundle didn't exist (expected error) we did not have the auth check.
LGTM!
[](https://renovatebot.com) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cli/cli](https://togithub.com/cli/cli) | minor | `v2.48.0` -> `v2.49.0` | --- ### Release Notes <details> <summary>cli/cli (cli/cli)</summary> ### [`v2.49.0`](https://togithub.com/cli/cli/releases/tag/v2.49.0): GitHub CLI 2.49.0 [Compare Source](https://togithub.com/cli/cli/compare/v2.48.0...v2.49.0) #### Support for GitHub Artifact Attestations `v2.49.0` release introduces the `attestation` command set for downloading and verifying attestations about artifacts built in GitHub Actions! This is part of the larger Artifact Attestations initiative. An artifact attestation is a piece of cryptographically signed metadata that is generated as part of your artifact build process. These attestations bind artifacts to the details of the workflow run that produced them, and allow you to guarantee the integrity and provenance of any artifact built in GitHub Actions. ```shell ### Verify a local artifact gh attestation verify artifact.bin -o <your org> ### Verify a local artifact against a local artifact attestation gh attestation verify artifact.bin -b ./artifact-v0.0.1-bundle.json -o <your org> ### Verify an OCI image gh attestation verify oci://ghcr.io/foo/bar:latest -o <your org> ### Download artifact attestations gh attestation download artifact.bin -o <your org> ``` To get started, check out gh help attestation. You can also use the `gh at <command>` alias for short. #### What's Changed - Improve gh run rerun docs by [@​sochotnicky](https://togithub.com/sochotnicky) in [cli/cli#8969 - build(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 by [@​dependabot](https://togithub.com/dependabot) in [cli/cli#8981 - Update `sigstore-go` dependency to v0.3.0 by [@​malancas](https://togithub.com/malancas) in [cli/cli#8977 - `gh attestation tuf-root-verify` offline test fix by [@​malancas](https://togithub.com/malancas) in [cli/cli#8975 - Update `gh attestation verify` output by [@​malancas](https://togithub.com/malancas) in [cli/cli#8991 - build(deps): bump google.golang.org/grpc from 1.62.1 to 1.62.2 by [@​dependabot](https://togithub.com/dependabot) in [cli/cli#8989 - Remove `Hidden` flag from `gh attestation` command by [@​malancas](https://togithub.com/malancas) in [cli/cli#8998 - Add colon for `gh secret set` by [@​NeroBlackstone](https://togithub.com/NeroBlackstone) in [cli/cli#9004 - Improve errors when loading bundle locally fails by [@​williammartin](https://togithub.com/williammartin) in [cli/cli#8996 - Support offline mode for `gh attestation verify` by [@​steiza](https://togithub.com/steiza) in [cli/cli#8997 - Add `projectsV2` to JSON fields of `gh repo` commands by [@​babakks](https://togithub.com/babakks) in [cli/cli#9007 - Support long URLs in `gh repo clone` by [@​babakks](https://togithub.com/babakks) in [cli/cli#9008 - Fix issue with closing pager stream by [@​babakks](https://togithub.com/babakks) in [cli/cli#9020 - proof of concept for flag-level disable auth check by [@​andyfeller](https://togithub.com/andyfeller) in [cli/cli#9000 - Be more general with attestation host checks by [@​williammartin](https://togithub.com/williammartin) in [cli/cli#9019 - Add beta designation on attestation command set by [@​andyfeller](https://togithub.com/andyfeller) in [cli/cli#9022 - Tweaked gh attestation help strings to generate nicer cli manual site. by [@​phillmv](https://togithub.com/phillmv) in [cli/cli#9025 - Update cli/go-gh to v2.9.0 by [@​andyfeller](https://togithub.com/andyfeller) in [cli/cli#9023 - Document repo clone protocol behaviour by [@​williammartin](https://togithub.com/williammartin) in [cli/cli#9030 #### New Contributors - [@​sochotnicky](https://togithub.com/sochotnicky) made their first contribution in [cli/cli#8969 - [@​NeroBlackstone](https://togithub.com/NeroBlackstone) made their first contribution in [cli/cli#9004 - [@​phillmv](https://togithub.com/phillmv) made their first contribution in [cli/cli#9025 **Full Changelog**: cli/cli@v2.48.0...v2.49.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 4pm on monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/earthly/earthly). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNDAuMTAiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zNDAuMTAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbInJlbm92YXRlIl19--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
Relates #8995
Building upon the existing command-level disable auth check logic, this commit adds flag-level disable auth check logic for any flag set with
-b,--bundleflag ofgh attestation verifybeing the first use case.Subsequent commit to build out testing is needed as IsAuthCheckEnabled does not have tests.
Testing
Build changes and setup temporary working directory
Download release artifact(s) built with attestation signatures captured
andyfeller@Andys-MBP:cli/tmp ‹andyfeller/flag-level-disableauth›$ ../bin/gh release download v0.0.10 --repo advanced-security/gh-sbom andyfeller@Andys-MBP:cli/tmp ‹andyfeller/flag-level-disableauth*›$ ll total 152360 -rw-r--r-- 1 andyfeller staff 5.8M Apr 25 09:41 android-amd64 -rw-r--r-- 1 andyfeller staff 5.6M Apr 25 09:41 android-arm64 -rw-r--r-- 1 andyfeller staff 5.6M Apr 25 09:41 darwin-amd64 -rw-r--r-- 1 andyfeller staff 5.5M Apr 25 09:41 darwin-arm64 -rw-r--r-- 1 andyfeller staff 5.0M Apr 25 09:41 freebsd-386 -rw-r--r-- 1 andyfeller staff 5.3M Apr 25 09:41 freebsd-amd64 -rw-r--r-- 1 andyfeller staff 5.1M Apr 25 09:41 freebsd-arm64 -rw-r--r-- 1 andyfeller staff 5.1M Apr 25 09:41 linux-386 -rw-r--r-- 1 andyfeller staff 5.3M Apr 25 09:41 linux-amd64 -rw-r--r-- 1 andyfeller staff 5.2M Apr 25 09:41 linux-arm -rw-r--r-- 1 andyfeller staff 5.1M Apr 25 09:41 linux-arm64 -rw-r--r-- 1 andyfeller staff 5.3M Apr 25 09:41 windows-386.exe -rw-r--r-- 1 andyfeller staff 5.5M Apr 25 09:41 windows-amd64.exe -rw-r--r-- 1 andyfeller staff 5.2M Apr 25 09:41 windows-arm64.exeDownload artifact attestation bundle for artifact and verify
Logout of
github.comVerify that
gh attestation verify -bdoes not require auth with flag