
Add tool to check local materials against products of passed link #589

Merged
merged 6 commits into from May 4, 2023

Conversation

lukpueh
Member

@lukpueh lukpueh commented May 4, 2023

Adds new runlib functionary API, to perform basic vetting of materials. More specifically, to check if the untrusted materials match the products of a passed trusted link metadata file.

Caveat
The used link metadata is not validated against a layout. This means, no checking if the link is part of a certain supply chain, or if it was signed by a threshold of authorised functionaries.


This PR includes: API, CLI, RTD docs, tests and a small unrelated docs fix. Review commit by commit for details.

Adds new runlib functionary API, to perform basic vetting of materials.
More specifically, to check if the **untrusted** materials match the
products of a passed **trusted** link metadata file.

**Caveat**
The used link metadata is not validated against a layout. This means, no
checking if the link is part of a certain supply chain, or if it was
signed by a threshold of authorized functionaries.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
- Loads link metadata from passed path
- Calls runlib API, to record local materials and match with products
- Returns 0 if they match, and 1 otherwise.
- Optionally provides verbose output.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
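The check the commits above describe (load a trusted link, hash local artifacts, compare against the link's products, exit 0 on a match and 1 otherwise), written out as an added stand-alone example; this is not in-toto's own runlib or CLI code. It assumes the standard link layout of `"signed" -> "products" -> {path: {"sha256": hexdigest}}` and, like the PR, does not verify the link's signatures or check it against a layout.

```python
"""Match local artifacts against the products of a trusted in-toto link file."""
import hashlib
import json
import os
import tempfile


def sha256_of_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def match_products(link_path, artifact_paths, base_dir="."):
    """Compare the link's recorded products against local artifacts.
    Returns (only_in_products, only_local, hash_mismatch); all empty == match.
    Assumes products carry only a sha256 digest; signatures are NOT verified."""
    with open(link_path) as f:
        products = json.load(f)["signed"]["products"]
    local = {p: {"sha256": sha256_of_file(os.path.join(base_dir, p))}
             for p in artifact_paths}
    only_products = sorted(set(products) - set(local))
    only_local = sorted(set(local) - set(products))
    mismatch = sorted(p for p in set(products) & set(local)
                      if products[p] != local[p])
    return only_products, only_local, mismatch


def demo():
    """Constructed scenario: one matching, one tampered, one missing, one extra file."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("good.txt", b"hello"), ("bad.txt", b"tampered"),
                           ("extra.txt", b"x")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        link = {"signed": {"_type": "link", "name": "build", "products": {
            "good.txt": {"sha256": hashlib.sha256(b"hello").hexdigest()},
            "bad.txt": {"sha256": hashlib.sha256(b"original").hexdigest()},
            "missing.txt": {"sha256": hashlib.sha256(b"gone").hexdigest()},
        }}, "signatures": []}
        link_path = os.path.join(d, "build.link")
        with open(link_path, "w") as f:
            json.dump(link, f)
        result = match_products(link_path, ["good.txt", "bad.txt", "extra.txt"], d)
        return result, int(any(result))  # exit code 1 on any difference, as the CLI does
```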
@lukpueh
Member Author

lukpueh commented May 4, 2023

kudos to @adityasaky for starting this feature in #582 🎉

@lukpueh lukpueh mentioned this pull request May 4, 2023
Member

@adityasaky adityasaky left a comment


Very neat and clean! Thanks for picking this one up. 😄

```python
        print(f"Only in products: {name}")

    for name in only_materials:
        print(f"Only in materials: {name}")
```
Member


Can we say something other than materials? Depending on context of use, it may not fit the materials terminology, say at the last step.

Member Author


Sure. Although, in the last step we'd still be checking the materials of the last step, right? I think the terminology fits the use case that motivated this. But you are right that the tool could be used for something else too. Let me adopt the naming you suggested in the original PR.

Member


Apologies, I was thinking of how we'd align it with final product verification if we wanted to in future.

Member Author


I renamed in the last commit. Please re-approve.

Although the use case that motivated this tool was to check untrusted
materials, the tool may also be used to check artifacts that are not
materials. In either case, the local artifacts are matched against the
products of a link. Hence the new name. h/t @adityasaky

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
tests/test_runlib.py
tests/test_in_toto_match_products.py
Co-authored-by: Aditya Sirish <8928778+adityasaky@users.noreply.github.com>
Signed-off-by: Lukas Pühringer <luk.puehringer@gmail.com>
@adityasaky adityasaky merged commit 464e7f1 into in-toto:develop May 4, 2023
14 checks passed
@adityasaky
Member

Thanks @lukpueh!
