Support SHA-256 in Windows workload attestor plugin #3100
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add the following to the Windows workload attestor to bring it into feature parity with the Unix workload attestor: - `discover_workload_path` configuration option - `workload_size_limit` configuration option - `windows:path` workload path selector - `windows:sha256` workload path selector Signed-off-by: Niall Weedon <niall.weedon@unity3d.com>
nweedon-u
requested review from
evan2645,
amartinezfayo,
azdagron,
MarcosDY and
rturner3
as code owners
MarcosDY
reviewed
May 23, 2022
Signed-off-by: Niall Weedon <niall.weedon@unity3d.com>
|
Thanks for the review @MarcosDY! I have updated the PR with your suggestions. :) |
Signed-off-by: Niall Weedon <niall.weedon@unity3d.com>
MarcosDY
reviewed
May 26, 2022
pkg/agent/plugin/workloadattestor/windows/windows_windows_test.go
Outdated
Show resolved
Hide resolved
Signed-off-by: Niall Weedon <niall.weedon@unity3d.com>
Thanks! Should be good to go. :) |
| @@ -60,12 +82,28 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque | |||
| selectorValues = addSelectorValueIfNotEmpty(selectorValues, "group_name", group) | |||
| } | |||
|
|
|||
| // obtaining the workload process path and digest are behind a config flag | |||
There was a problem hiding this comment.
I think that this is true for the unix attestor but I'm not sure that there are extra permissions requirements in Windows (i.e. the QueryFullProcessImageName function needs that the handle must be created with the PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION access right, which we have).
I still think that this should be behind a config flag due to the cost of calculating the SHA256 digest, that may not be needed by everyone. But looks like this comment needs to be updated.
stevend-uber
pushed a commit
to stevend-uber/spire
that referenced
this pull request
Oct 16, 2023
* Support SHA-256 in Windows workload attestor plugin (spiffe#2980) Add the following to the Windows workload attestor to bring it into feature parity with the Unix workload attestor: - `discover_workload_path` configuration option - `workload_size_limit` configuration option - `windows:path` workload path selector - `windows:sha256` workload path selector Signed-off-by: Niall Weedon <niall.weedon@unity3d.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull Request check list
Affected functionality
Adding capabilities to the Windows workload attestor.
Description of change
Add the following to the Windows workload attestor to bring it into feature parity with the Unix workload attestor:
discover_workload_pathconfiguration optionworkload_size_limitconfiguration optionwindows:pathworkload path selectorwindows:sha256workload path selectorWhich issue this PR fixes
fixes #2980