Security Policy: Move fragment extraction #2542
57a463d to 37ea7f4
37ea7f4 to 4b55375
| sha.Write(blob) | ||
| timestamp := time.Now() | ||
| fragmentPath := fmt.Sprintf("fragment-%x-%d.blob", sha.Sum(nil), timestamp.UnixMilli()) | ||
| _ = os.WriteFile(filepath.Join(os.TempDir(), fragmentPath), blob, 0644) |
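Review bot: The debug write at `_ = os.WriteFile(filepath.Join(os.TempDir(), fragmentPath), blob, 0644)` persists every fragment blob to the shared temp directory with world-readable permissions, and nothing in this hunk removes it, so files accumulate for the life of the guest and any local user can read the fragment content. Since this is debug-only, gate it behind a debug flag or environment variable (off in production), use mode 0600, and at minimum log the error instead of discarding it with `_ =` so a full or unwritable temp directory shows up in the logs rather than failing silently.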
Any reason we're ignoring this error?
This is just purely for internal debug purposes, so we don't want to throw any errors on failure to write this.
| _ = os.WriteFile(filepath.Join(os.TempDir(), fragmentPath), blob, 0644) | ||
|
|
||
| unpacked, err := cosesign1.UnpackAndValidateCOSE1CertChain(raw) | ||
| if err != nil { |
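Review bot: The blob is written to disk at `_ = os.WriteFile(filepath.Join(os.TempDir(), fragmentPath), blob, 0644)` before `cosesign1.UnpackAndValidateCOSE1CertChain(raw)` runs, so unvalidated, externally supplied fragments land in the temp directory even when validation fails. If the debug copy is intentionally kept regardless of outcome, record the fragment path together with the validation error inside the `if err != nil {` branch so a rejected blob can be correlated with the log line that rejected it; otherwise move the write after a successful validation.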
Is it expected that we always keep the fragment file in the temp directory regardless of the validation result?
Yes, as it is just for debug purposes.
| "issuer": issuer, // eg the DID:x509:blah.... | ||
| "feed": feed, | ||
| "cty": unpacked.ContentType, | ||
| "chainPem": chainPem, |
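Review bot: Logging `"chainPem": chainPem` puts the entire certificate chain into every fragment log entry, which makes the structured log large and hard to read or index; as the discussion notes the chain is public material, so volume rather than exposure is the concern. Prefer logging the leaf fingerprint and subject alongside the issuer already carried in `"issuer": issuer` at the normal level, and emit the full PEM only at debug level. The comment `// eg the DID:x509:blah....` should also be tidied into a concrete description of the expected issuer format.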
Do we want to log chainPem?
This is a CA cert PEM which contains public certs, used for troubleshooting.
| // (ie fingerprint of a non leaf cert and the subject matches the leaf cert) | ||
| // 3 - Check that this issuer/feed match the requirement of the user provided | ||
| // security policy (done in the regoby LoadFragment) | ||
| func ExtractAndVerifyFragment(ctx context.Context, fragment *guestresource.LCOWSecurityPolicyFragment) (issuer string, feed string, payloadString string, err error) { |
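Review bot: The doc comment line `// security policy (done in the regoby LoadFragment)` has a typo ("regoby" should be "rego by"), and because step 3 (checking issuer/feed against the user-provided policy) is deferred to LoadFragment, the name ExtractAndVerifyFragment overstates what the function verifies on its own. State in the comment that the returned issuer, feed and payloadString are only trusted once LoadFragment has accepted them, and consider returning a small struct instead of four named results so that contract is explicit at call sites.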
We could also put this into its own file, e.g. pkg/securitypolicy/fragments.go.
At this point, it's just a helper function, so leaving it here seems appropriate.
Move inject and load fragment into the securitypolicy pkg
Signed-off-by: Mahati Chamarthy <mahati.chamarthy@gmail.com>
4b55375 to 27ea7d4
KenGordon left a comment
Approved. This has been discussed at length. There is some subsequent refactoring (or other duplicated logic) in another PR.
Fragment extraction and validation is a common operation across C-LCOW and C-WCOW. This PR moves that functionality into the SecurityPolicy package, so that gcs and gcs-sidecar can call directly into it.