Add KubeCon + CloudNativeCon NA '23 demo files

.github/workflows/test-e2e-flow.yml

@@ -18,7 +18,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
         with:
-          go-version: 1.20.x
+          go-version: 1.21.x
 
       - name: Checkout updated scai-gen CLI tools
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11

README.md

@@ -44,7 +44,7 @@ illustrative purposes, and should not be used in production.
 
 [in-toto Attestation Framework]: https://github.com/in-toto/attestation/tree/main/spec
 [intro doc]: docs/intro.md
-[KubeCon + CloudNativeCon NA '23]: docs/kccncna2023.md
+[KubeCon + CloudNativeCon NA '23]: kccncna2023-demo/README.md
 [usage doc]: docs/usage.md
 [SCAI specification]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md
 [SCAI spec doc]: https://arxiv.org/pdf/2210.05813.pdf

go.mod

@@ -1,6 +1,8 @@
 module github.com/in-toto/scai-demos
 
-go 1.20
+go 1.21
+
+toolchain go1.21.5
 
 require (
 	github.com/google/cel-go v0.18.2

docs/kccncna2023.md → kccncna2023-demo/README.md

@@ -25,6 +25,17 @@ the build
 These two attestations are signed using cosign OIDC-based keyless signing,
 and uploaded to the public Rekor log.
 
+### Verified Policies
+
+This demo verifies the following policies using the generated attestations:
+
+* [in-toto Layout] checks that the expected attestations were generated for each step
+of the demo workflow.
+* [SCAI policy] checks the attested attributes against the evidence indicated in the
+SCAI Attribute Report.
+
+This verification flow is implemented in the [verification-flow.sh] script.
+
 ### Additional Tools
 
 This demo makes use of the following additional tools:
@@ -37,9 +48,12 @@ This demo makes use of the following additional tools:
 [Anchore SBOM generator]: https://github.com/anchore/sbom-action
 [attestation-verifier]: https://github.com/in-toto/attestation-verifier
 [demo workflow]: https://github.com/marcelamelara/private-data-objects/blob/intoto-kccncna2023-demo/.github/workflows/intoto-kccncna2023-demo.yml
+[in-toto Layout]: ./policies/layout.yml
 [in-toto Maintainer Track talk]: https://kccncna2023.sched.com/event/1R2mx
 [SLSA generic Provenance generator]: https://github.com/slsa-framework/slsa-github-generator
-[SLSA Provenance]: https://github.com/in-toto/attestation/blob/main/spec/predicates/provenance.md
-[SCAI Attribute Report]: https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md
+[SLSA Provenance]: https://github.com/in-toto/attestation/blob/v1.0.1/spec/predicates/provenance.md
+[SCAI Attribute Report]: https://github.com/in-toto/attestation/v1.0.1/main/spec/predicates/scai.md
+[SCAI policy]: ./policies/has-slsa.yml
 [scai-gen GitHub Actions]: https://github.com/in-toto/scai-demos/tree/main/.github/actions
 [strace]: https://strace.io/
+[verification-flow.sh]: ./verification-flow.sh

kccncna2023-demo/attestations/evidence-collection.1f575092.json

@@ -0,0 +1 @@
+{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGRvX2NsaWVudF93YXdha2EiLCJkaWdlc3QiOnsic2hhMjU2IjoiOWZiN2VmNTUyMjk4ZjhmYmFkODQ2MDRkMDYxMDBlNzYwYjdiOGM0Y2I0ZDZjNGI3Mjc4NjVmMWYyODVkMDZhYyJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2luLXRvdG8uaW8vYXR0ZXN0YXRpb24vc2NhaS9hdHRyaWJ1dGUtcmVwb3J0L3YwLjIiLCJwcmVkaWNhdGUiOnsiYXR0cmlidXRlcyI6W3siYXR0cmlidXRlIjoiSGFzU0JPTSIsImV2aWRlbmNlIjp7ImRpZ2VzdCI6eyJzaGEyNTYiOiJkOTVjMjAyZTBlNDAyMTQ0ZDYzNjM4MGU5ODJlYWZmNTRiZTU1OWI1NTU5OGZkMTgwNzFlOTZkNmYzYTdlYjAzIn0sImRvd25sb2FkTG9jYXRpb24iOiJodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9zdWl0ZXMvMTU0MTc3MjYxNDIvYXJ0aWZhY3RzLzg4MDQwMzM5NSIsIm1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3NwZHgranNvbiIsIm5hbWUiOiJwZG9fY2xpZW50X3dhd2FrYS5zcGR4Lmpzb24ifX0seyJhdHRyaWJ1dGUiOiJIYXNTTFNBIiwiZXZpZGVuY2UiOnsiZGlnZXN0Ijp7InNoYTI1NiI6Ijk0ZDE4NzE2ZWU0NDEyMTc1YzVkOWRhMWNlNTA5NDcxNTNlMDljNDc2MmY5MDQ0YWY2ZjJkNjgyOGIxMmZlNWIifSwiZG93bmxvYWRMb2NhdGlvbiI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL3N1aXRlcy8xNTQxNzcyNjE0Mi9hcnRpZmFjdHMvODgwNDAzMzkyL3Bkb19jbGllbnRfd2F3YWthLnNsc2EuaW50b3RvLmpzb25sIiwibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8rZHNzZSIsIm5hbWUiOiJidWlsZC40NTJlNjI4YS5qc29uIn19XX19","signatures":[{"keyid":"1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6","sig":"W5terKjmGajjJLl1mXNgPzIamE0omBDUkXzmrAVZMI51FTvv2a4ixCRAMSvT8qxcs/ZvqMXxMGQV5RR2x1aF1JkBLSP9nY7mQLcl7GYJ6E+KltLMgO3Bw9b4vXDp/JZ1y8Dby+rUEt0umehFJYj0Yl8/ndhWVK6QNMzrCDghK8TdZ8N1+HhyxewOYdP2i+yrM0Ll0Q0DiXO4r5SPGgGTY6BWe5Sjc2HNrt+J6fJcnXpvfCBlTAuG0pGNDbIS9jtimsh+AKAlpdcgJUPGpL3baTRW/1liyzVmtJtIrTl1kDDm/rzKmFi/OaMS6Vwm4RkaEkXaLPYpzz6pBaCHm8JxNJVjijtoTrNyuhEyHuvZW3o/p9/TmW9O6kyDc8Sybk5S8iWca0N3sLAfIsQw4968PHo4p7jf/bWWPFhSag2nIz4fKdiLXSzaDvxKtuuMfa6BG15j45Nwqq6qcKf2ZssYP4sjyuzYcJe912HFPPo8ZasQmFBcuBMhpu7NHU6yP/19"}]}

kccncna2023-demo/policies/has-slsa.yml

@@ -0,0 +1,6 @@
+attestationID: "f7dbd9211f8c9ee70313454ddba0ffacec91139ff325b3ef90eccf706bd06ecf"
+inspections:
+  - name: "build.452e628a.json"
+    expectedAttributes:
+      - rule: "assertion.attribute == 'HasSLSA' && predicateType == 'https://slsa.dev/provenance/v0.2'"
+      - rule: "predicate.buildType == 'https://github.com/slsa-framework/slsa-github-generator/generic@v1'"

kccncna2023-demo/policies/layout.yml

@@ -0,0 +1,48 @@
+expires: "2024-10-10T12:23:22Z"
+functionaries:
+  1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6:
+    keyType: "rsa"
+    scheme: "rsassa-pss-sha256"
+    keyIDHashAlgorithms:
+      - "sha256"
+      - "sha512"
+    keyVal:
+      public: "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA0o+jumXN3tE2Xqx1qKjC\ngzCCvAPoOlzQlg+7OLGHnJbQgDxOyhFYMNqJ6cztb26NettmEpPtLDSnM5fPvHuH\nPVoPctzLqE9MiXdD1C7RHbjeSaUBxJV6wSGdAGzNa+8oxxG1ex4H7KHOXD8Mo61o\nitzViEw8knQNDhKHA/JWMnnhX07J1wF+EBWHpBsquAxZMLwy9h4uSlJjbK6TVZS8\nzLEtChVHLqF71px3/rRLlx6gyvSfqsVUd86JDrZtC+MHiq72nnx6N7+4wmSFB6ZQ\naBJvEemP9f54KgSMPLH4fZ63noQKUj9dnOZ+N4f0SGRIIvhN03/LlVA9ifkJBQml\nLKbiNWGAk92+C6NEp2Tj7olNsQ1zOTLzC27CJSWlDq9hSiS7LuaZUy7Gb3acX6Zf\nGZkwYXpXQPp/vM66InJcr5/T1iW/XhtmCHiRd7T24R4qDvS+Xuqv9+pJtHemCUpz\nWhn7N5L7Hr/t0b0SIUNd1PZzD4+lKElcAt99vCVlKQmVAgMBAAE=\n-----END PUBLIC KEY-----"
+    keyID: "1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6"
+  452e628a9a052784761275fe2eed15d7c0c8c8599bf1977879f130a568af5d8c:
+    keyType: "ecdsa"
+    scheme: "ecdsa-sha2-nistp256"
+    keyIDHashAlgorithms:
+      - "sha256"
+      - "sha512"
+    keyVal:
+      public: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEB0TVhLF/u/aDcn+3ncIW2lfOKFn4\niCY36NC3k/oPa8sJ8X25H//mhY8/6fNyUh4PzjIEyHPOcr8CAi8dWyuRFQ==\n-----END PUBLIC KEY-----"
+    keyID: "452e628a9a052784761275fe2eed15d7c0c8c8599bf1977879f130a568af5d8c"
+steps:
+  - name: "build"
+    expectedMaterials:
+      - "ALLOW git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata"
+      - "DISALLOW *"
+    expectedProducts:
+      - "CREATE pdo_client_wawaka"
+      - "DISALLOW *"
+    expectedPredicates:
+      - predicateType: "https://slsa.dev/provenance/v0.2"
+        expectedAttributes:
+          - rule: "predicate.builder.id == 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0'"
+          - rule: "predicate.invocation.configSource.uri == 'git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata'"
+          - rule: "predicate.invocation.configSource.digest.sha1 == '87b74378e8c9ccf335a27ffcdc16636990254e1e'"
+        functionaries:
+          - "452e628a9a052784761275fe2eed15d7c0c8c8599bf1977879f130a568af5d8c"
+  - name: "evidence-collection"
+    expectedMaterials:
+      - "MATCH pdo_client_wawaka WITH products FROM build"
+      - "DISALLOW *"
+    expectedPredicates:
+      - predicateType: "https://in-toto.io/attestation/scai/attribute-report/v0.2"
+        expectedAttributes:
+          - rule: "size(predicate.attributes) >= 2"
+          - rule: "predicate.attributes.exists(a, a.attribute == 'HasSBOM')"
+          - rule: "predicate.attributes.exists(a, a.attribute == 'HasSLSA')"
+        functionaries:
+          - "1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6"

kccncna2023-demo/verification-flow.sh

@@ -0,0 +1,10 @@
+printf "in-toto KubeCon + CloudNativeCon NA 2023 demo (verification flow only)\n\n"
+
+printf "DISCLAIMER: This verification flow is only for demo purposes.\n"
+printf "A production verification flow includes retrieving and validating the identities/keys of attestation signers, which is not shown in this demo.\n\n"
+
+printf "Verifying ITE-10 Layout\n\n"
+attestation-verifier --attestations-directory ./attestations --layout ./policies/layout.yml
+
+printf "\nVerifying SCAI evidence\n\n"
+scai-gen check evidence --policy-file ./policies/has-slsa.yml --evidence-dir ./evidence-files ./attestations/evidence-collection.1f575092.json

scai-gen/cmd/rekor.go

@@ -0,0 +1,75 @@
+// adapted from https://github.com/slsa-framework/slsa-github-generator/blob/main/signing/sigstore/fulcio.go
+// and https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/attest.go
+package cmd
+
+import (
+	"bufio"
+	"encoding/base64"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/in-toto/scai-demos/scai-gen/fileio"
+	"github.com/spf13/cobra"
+)
+
+var rekorCmd = &cobra.Command{
+	Use:   "rekor",
+	Args:  cobra.ExactArgs(1),
+	Short: "Parses a Rekor log entry to extract info needed to verify signed in-toto Attestations",
+	RunE:  parseRekorEntry,
+}
+
+func init() {
+	rekorCmd.Flags().StringVarP(
+		&outFile,
+		"out-file",
+		"o",
+		"",
+		"Filename to write out the JSON-encoded object",
+	)
+	reportCmd.MarkFlagRequired("out-file") //nolint:errcheck
+}
+
+func parseRekorEntry(_ *cobra.Command, args []string) error {
+	fmt.Println("EXPERIMENTAL FEATURE. DO NOT USE IN PRODUCTION.")
+
+	entryFile := args[0]
+	readFile, err := os.Open(entryFile)
+	if err != nil {
+		return fmt.Errorf("error reading file: %w", err)
+	}
+
+	fileScanner := bufio.NewScanner(readFile)
+	fileScanner.Split(bufio.ScanLines)
+	var fileLines [][]byte
+
+	for fileScanner.Scan() {
+		fileLines = append(fileLines, fileScanner.Bytes())
+	}
+
+	readFile.Close()
+
+	for _, line := range fileLines {
+		lineStr := string(line)
+		if strings.Contains(lineStr, "publicKey") {
+			pkB64Raw := strings.TrimPrefix(lineStr, "    \"publicKey\": ")
+			pkB64 := strings.Trim(pkB64Raw, "\"")
+
+			pkPem, err := base64.StdEncoding.DecodeString(pkB64)
+			if err != nil {
+				return fmt.Errorf("error decoding base64-encoded public key: %w", err)
+			}
+
+			// dedup
+			// ensure the out directory exists
+			if err = fileio.CreateOutDir(outFile); err != nil {
+				return fmt.Errorf("error creating output directory for file %s: %w", outFile, err)
+			}
+
+			return os.WriteFile(outFile, pkPem, 0644) //nolint:gosec
+		}
+	}
+
+	return nil
+}

scai-gen/cmd/root.go

@@ -23,6 +23,7 @@ func init() {
 	rootCmd.AddCommand(reportCmd)
 	rootCmd.AddCommand(checkCmd)
 	rootCmd.AddCommand(sigstoreCmd)
+	rootCmd.AddCommand(rekorCmd)
 }
 
 // Execute adds all child commands to the root command and sets flags appropriately.