Support SHA-256 in Windows workload attestor plugin #3100
Add the following to the Windows workload attestor to bring it into feature parity with the Unix workload attestor:
- `discover_workload_path` configuration option
- `workload_size_limit` configuration option
- `windows:path` workload path selector
- `windows:sha256` workload path selector

Signed-off-by: Niall Weedon <niall.weedon@unity3d.com>
Great job!!!
I just added some comments
Signed-off-by: Niall Weedon <niall.weedon@unity3d.com>
Thanks for the review @MarcosDY! I have updated the PR with your suggestions. :)
Signed-off-by: Niall Weedon <niall.weedon@unity3d.com>
looks great!!! just some minor comments
pkg/agent/plugin/workloadattestor/windows/windows_windows_test.go
Signed-off-by: Niall Weedon <niall.weedon@unity3d.com>
Thanks! Should be good to go. :)
LGTM!
@@ -60,12 +82,28 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque | |||
selectorValues = addSelectorValueIfNotEmpty(selectorValues, "group_name", group) | |||
} | |||
|
|||
// obtaining the workload process path and digest are behind a config flag |
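Review bot: the added comment line should name the option it is talking about (`discover_workload_path`) and state why the gate exists, since the bare phrase "behind a config flag" will drift as further options are added to this plugin; with a separate `workload_size_limit` option also in this PR, it is worth saying that the digest, unlike the path, is additionally bounded by that limit. Minor: "obtaining the workload process path and digest are behind" should read "is behind".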
I think that this is true for the Unix attestor, but I'm not sure that there are extra permission requirements in Windows (i.e. the QueryFullProcessImageName function requires that the handle be created with the PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION access right, which we have).
I still think that this should be behind a config flag due to the cost of calculating the SHA256 digest, which may not be needed by everyone. But it looks like this comment needs to be updated.
* Support SHA-256 in Windows workload attestor plugin (spiffe#2980)

Add the following to the Windows workload attestor to bring it into feature parity with the Unix workload attestor:
- `discover_workload_path` configuration option
- `workload_size_limit` configuration option
- `windows:path` workload path selector
- `windows:sha256` workload path selector

Signed-off-by: Niall Weedon <niall.weedon@unity3d.com>
Pull Request check list

Affected functionality
Adding capabilities to the Windows workload attestor.

Description of change
Add the following to the Windows workload attestor to bring it into feature parity with the Unix workload attestor:
- `discover_workload_path` configuration option
- `workload_size_limit` configuration option
- `windows:path` workload path selector
- `windows:sha256` workload path selector

Which issue this PR fixes
fixes #2980