
[SECURESIGN-3399] tuf init: add CLI options for configurable Rekor, Fulcio, CTLog, and TSA URIs instead of hardcoded values#152

Merged
fghanmi merged 2 commits into develop from SECURESIGN-3399 on Dec 9, 2025

Conversation

fghanmi (Member) commented Dec 6, 2025

PR Type

Enhancement


Description

  • Add CLI options for configurable Rekor, Fulcio, CTLog, and TSA URIs

  • Replace hardcoded service URIs with environment variables

  • Enable flexible service endpoint configuration via command-line arguments


Diagram Walkthrough

flowchart LR
  CLI["CLI Arguments<br/>--fulcio-uri<br/>--tsa-uri<br/>--ctlog-uri<br/>--rekor-uri"] -- "Parse options" --> ENV["Environment Variables<br/>FULCIO_URI<br/>TSA_URI<br/>CTLOG_URI<br/>REKOR_URI"]
  ENV -- "Replace hardcoded" --> TUFTOOL["Tuftool Commands<br/>with dynamic URIs"]

File Walkthrough

Relevant files

Enhancement: rhtas/tuf-repo-init.sh (+40/-4) - Add configurable service URI CLI options

  • Added four new CLI options: --fulcio-uri, --tsa-uri, --ctlog-uri, and
    --rekor-uri with documentation
  • Introduced four new environment variables to store the URI values
  • Added argument parsing logic for each new CLI option
  • Replaced hardcoded service URIs in tuftool commands with variable
    references

qodo-code-review bot commented Dec 6, 2025

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🔴
Misconfigured Rekor options

Description: Rekor options appear swapped: new code sets --set-rekor-target to the URI ("${REKOR_URI}")
and keeps --rekor-uri hardcoded, which likely exposes incorrect configuration and could
cause the tool to trust an attacker-controlled Rekor endpoint or break verification;
expected is --set-rekor-target "${REKOR_KEY}" and --rekor-uri "${REKOR_URI}".
tuf-repo-init.sh [262-274]

Referred Code
if [ -n "${REKOR_KEY}" ]; then
  echo "Adding Rekor public key ${REKOR_KEY} ..."
  tuftool rhtas \
    --follow \
    --root "${ROOT}" \
    --key "${KEYDIR}/snapshot.pem" \
    --key "${KEYDIR}/targets.pem" \
    --key "${KEYDIR}/timestamp.pem" \
    --set-rekor-target "${REKOR_URI}" \
    --rekor-uri "https://rekor.rhtas" \
    --targets-expires "${METADATA_EXPIRATION}" \
    --targets-version 1 \
    --snapshot-expires "${METADATA_EXPIRATION}" \
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
🟢
No codebase code duplication found. No new components were introduced in the PR code.
Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


🔴
Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Missing validation: Newly added URI inputs are accepted and passed through without validation or error
handling for empty, malformed, or missing values.

Referred Code
--fulcio-uri)
  FULCIO_URI="$2"
  shift
  shift
  ;;
--tsa-cert)
  TSA_CERT="$2"
  shift
  shift
  ;;
--tsa-uri)
  TSA_URI="$2"
  shift
  shift
  ;;
--ctlog-key)
  CTLOG_KEY="$2"
  shift
  shift
  ;;
--ctlog-uri)


 ... (clipped 14 lines)


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Missing auditing: The new CLI options and environment variables are parsed and used without adding any audit
logging of critical actions (e.g., when URIs are applied to configure trust services).

Referred Code
  shift
  shift
  ;;
--fulcio-cert)
  FULCIO_CERT="$2"
  shift
  shift
  ;;
--fulcio-uri)
  FULCIO_URI="$2"
  shift
  shift
  ;;
--tsa-cert)
  TSA_CERT="$2"
  shift
  shift
  ;;
--tsa-uri)
  TSA_URI="$2"
  shift


 ... (clipped 22 lines)


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Unvalidated inputs: External inputs for service URIs are used without sanitization or basic checks (e.g.,
scheme/host validation), which may risk misconfiguration or injection into command
arguments.

Referred Code
--fulcio-uri)
  FULCIO_URI="$2"
  shift
  shift
  ;;
--tsa-cert)
  TSA_CERT="$2"
  shift
  shift
  ;;
--tsa-uri)
  TSA_URI="$2"
  shift
  shift
  ;;
--ctlog-key)
  CTLOG_KEY="$2"
  shift
  shift
  ;;
--ctlog-uri)


 ... (clipped 14 lines)

Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

qodo-code-review bot commented Dec 6, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: High-level
Suggestion: Incorrect variable usage breaks Rekor configuration
Suggestion Impact: The commit updated the script to use --set-rekor-target "${REKOR_KEY}" and --rekor-uri "${REKOR_URI}", correcting the previously incorrect variable and hardcoded URI.

code diff:

-    --set-rekor-target "${REKOR_URI}" \
-    --rekor-uri "https://rekor.rhtas" \
+    --set-rekor-target "${REKOR_KEY}" \
+    --rekor-uri "${REKOR_URI}" \
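Review bot: the swap is correct as far as these two lines go, but the surrounding block is still guarded only by `[ -n "${REKOR_KEY}" ]`, and `REKOR_URI` is exported as an empty string, so a run that provides `REKOR_KEY` without `--rekor-uri` now passes `--rekor-uri ""` to tuftool where it previously got the hardcoded value; either extend the guard to `if [ -n "${REKOR_KEY}" ] && [ -n "${REKOR_URI}" ]; then` or give `REKOR_URI` a non-empty default.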

The Rekor configuration is broken because --set-rekor-target is incorrectly
passed the Rekor URI instead of the key, and --rekor-uri remains hardcoded
instead of using the new variable.

Examples:

rhtas/tuf-repo-init.sh [270-271]
    --set-rekor-target "${REKOR_URI}" \
    --rekor-uri "https://rekor.rhtas" \

Solution Walkthrough:

Before:

if [ -n "${REKOR_KEY}" ]; then
  echo "Adding Rekor public key ${REKOR_KEY} ..."
  tuftool rhtas \
    ...
    --set-rekor-target "${REKOR_URI}" \
    --rekor-uri "https://rekor.rhtas" \
    ...
fi

After:

if [ -n "${REKOR_KEY}" ]; then
  echo "Adding Rekor public key ${REKOR_KEY} ..."
  tuftool rhtas \
    ...
    --set-rekor-target "${REKOR_KEY}" \
    --rekor-uri "${REKOR_URI}" \
    ...
fi
Suggestion importance[1-10]: 10


Why: The suggestion correctly identifies a critical bug where the Rekor configuration is broken due to incorrect variable usage and a failure to replace a hardcoded URI, completely undermining the PR's goal for that service.

Impact: High

Category: Possible issue
Suggestion: Fix incorrect variable and hardcoded URI
Suggestion Impact: The commit changed --set-rekor-target to use ${REKOR_KEY} and replaced the hardcoded --rekor-uri with ${REKOR_URI}, exactly as suggested.

code diff:

-    --set-rekor-target "${REKOR_URI}" \
-    --rekor-uri "https://rekor.rhtas" \
+    --set-rekor-target "${REKOR_KEY}" \
+    --rekor-uri "${REKOR_URI}" \

In the tuftool command for Rekor, change --set-rekor-target to use the
${REKOR_KEY} variable and update the hardcoded --rekor-uri to use the
${REKOR_URI} variable.

rhtas/tuf-repo-init.sh [270-271]

---set-rekor-target "${REKOR_URI}" \
---rekor-uri "https://rekor.rhtas" \
+--set-rekor-target "${REKOR_KEY}" \
+--rekor-uri "${REKOR_URI}" \

[Suggestion processed]

Suggestion importance[1-10]: 10


Why: The suggestion correctly identifies two bugs in the PR that would break the Rekor integration: passing the wrong variable to --set-rekor-target and using a hardcoded URI for --rekor-uri, which defeats the purpose of the change.

Impact: High

Category: General
Suggestion: Provide default values for URI variables

Initialize the new FULCIO_URI, TSA_URI, CTLOG_URI, and REKOR_URI variables with
their previous hardcoded default values instead of empty strings.

rhtas/tuf-repo-init.sh [53-56]

-export FULCIO_URI=""
-export TSA_URI=""
-export CTLOG_URI=""
-export REKOR_URI=""
+export FULCIO_URI="https://fulcio.rhtas"
+export TSA_URI="https://tsa.rhtas"
+export CTLOG_URI="https://ctlog.rhtas"
+export REKOR_URI="https://rekor.rhtas"
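Review bot: restoring the `https://*.rhtas` defaults covers the no-flag case, but the option parser still assigns `$2` unconditionally (`FULCIO_URI="$2"` followed by two `shift`s, and likewise for the other three options), so an explicitly empty value, or a URI flag given as the last argument with nothing after it, overwrites the default with an empty string; check for an empty `$2` at parse time and fail with a message naming the option.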
Suggestion importance[1-10]: 7


Why: The suggestion correctly points out that initializing URI variables to empty strings is a regression, as it removes the previous default behavior and could cause errors if flags are not provided.

Impact: Medium
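The two compliance findings in the first bot comment (the new `--*-uri` values are accepted without validation, and are passed to tuftool without any scheme or host check) and the suggestion above to restore the previous defaults can all be handled in the option parser itself. The following is an added example, not code from rhtas/tuf-repo-init.sh or from the qodo bot: the option names match the PR, the `https://*.rhtas` defaults are the ones named in the suggestion, and the function names `validate_uri`, `resolve_uri` and `parse_service_uris` together with the allowed-character rule are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from rhtas/tuf-repo-init.sh: validate the service
# URIs given on the command line before they reach tuftool, and fall back to
# the previous defaults when a flag is not given. Function names and the
# allowed-character rule are assumptions of this example.

# Defaults as named in the review suggestion (assumed deployment hostnames).
FULCIO_URI_DEFAULT="https://fulcio.rhtas"
TSA_URI_DEFAULT="https://tsa.rhtas"
CTLOG_URI_DEFAULT="https://ctlog.rhtas"
REKOR_URI_DEFAULT="https://rekor.rhtas"

# validate_uri NAME VALUE
# Accepts only https:// URIs whose host[:port][/path] part consists of
# letters, digits and . : / _ - ; rejects empty values and anything with
# whitespace or other characters, so a bad value is reported here with the
# variable name instead of surfacing later as an opaque tuftool error.
validate_uri() {
  uri_name="$1"
  uri_value="$2"
  case "$uri_value" in
    "")
      echo "error: $uri_name must not be empty" >&2
      return 1 ;;
    https://[A-Za-z0-9]*)
      ;;
    *)
      echo "error: $uri_name must be an https:// URI (got: $uri_value)" >&2
      return 1 ;;
  esac
  uri_rest="${uri_value#https://}"
  case "$uri_rest" in
    *[!A-Za-z0-9.:/_-]*)
      echo "error: $uri_name contains characters outside [A-Za-z0-9.:/_-]" >&2
      return 1 ;;
  esac
  return 0
}

# resolve_uri NAME GIVEN DEFAULT
# Prints GIVEN, or DEFAULT when GIVEN is empty (flag not passed), after
# validation; returns 1 if the resulting value is rejected.
resolve_uri() {
  res_name="$1"
  res_value="$2"
  if [ -z "$res_value" ]; then
    echo "note: $res_name not given, using default $3" >&2
    res_value="$3"
  fi
  validate_uri "$res_name" "$res_value" || return 1
  printf '%s\n' "$res_value"
}

# parse_service_uris ARGS...
# Same option style as tuf-repo-init.sh (--fulcio-uri VALUE ...). Sets and
# exports FULCIO_URI, TSA_URI, CTLOG_URI and REKOR_URI; returns 1 on a flag
# with no value, an unknown option, or a value that fails validation.
parse_service_uris() {
  FULCIO_URI=""; TSA_URI=""; CTLOG_URI=""; REKOR_URI=""
  while [ "$#" -gt 0 ]; do
    case "$1" in
      --fulcio-uri|--tsa-uri|--ctlog-uri|--rekor-uri)
        if [ "$#" -lt 2 ]; then
          echo "error: $1 requires a value" >&2
          return 1
        fi ;;
      *)
        echo "error: unknown option $1" >&2
        return 1 ;;
    esac
    case "$1" in
      --fulcio-uri) FULCIO_URI="$2" ;;
      --tsa-uri)    TSA_URI="$2" ;;
      --ctlog-uri)  CTLOG_URI="$2" ;;
      --rekor-uri)  REKOR_URI="$2" ;;
    esac
    shift 2
  done
  FULCIO_URI=$(resolve_uri FULCIO_URI "$FULCIO_URI" "$FULCIO_URI_DEFAULT") || return 1
  TSA_URI=$(resolve_uri TSA_URI "$TSA_URI" "$TSA_URI_DEFAULT") || return 1
  CTLOG_URI=$(resolve_uri CTLOG_URI "$CTLOG_URI" "$CTLOG_URI_DEFAULT") || return 1
  REKOR_URI=$(resolve_uri REKOR_URI "$REKOR_URI" "$REKOR_URI_DEFAULT") || return 1
  export FULCIO_URI TSA_URI CTLOG_URI REKOR_URI
}

# Run as a script: ./service-uris.sh --rekor-uri https://rekor.example.test
# With no arguments the file only defines the functions above.
if [ "$#" -gt 0 ]; then
  parse_service_uris "$@" || exit 1
  printf 'FULCIO_URI=%s\nTSA_URI=%s\nCTLOG_URI=%s\nREKOR_URI=%s\n' \
    "$FULCIO_URI" "$TSA_URI" "$CTLOG_URI" "$REKOR_URI"
fi
```

An explicitly empty value (`--rekor-uri ""`) is treated the same as an omitted flag and falls back to the default; if the deployment would rather have that fail loudly, drop the `-z` fallback in `resolve_uri` and let `validate_uri` reject it. The character-set check is deliberately narrow: it accepts the host, port and path forms tuftool needs and refuses anything that could only matter as shell or argument syntax.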

fghanmi merged commit 49c5ec2 into develop on Dec 9, 2025
13 checks passed