forked from sigstore/rekor
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathwatch.go
More file actions
178 lines (155 loc) · 4.8 KB
/
watch.go
File metadata and controls
178 lines (155 loc) · 4.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package app
import (
"context"
"crypto"
"crypto/x509"
"encoding/json"
"encoding/pem"
"errors"
"flag"
"fmt"
"os"
"time"
_ "gocloud.dev/blob/fileblob" // fileblob
_ "gocloud.dev/blob/gcsblob"
"github.com/spf13/cobra"
"github.com/spf13/viper"
"gocloud.dev/blob"
"github.com/sigstore/rekor/pkg/client"
genclient "github.com/sigstore/rekor/pkg/generated/client"
"github.com/sigstore/rekor/pkg/log"
"github.com/sigstore/rekor/pkg/util"
"github.com/sigstore/sigstore/pkg/signature"
)
const rekorSthBucketEnv = "REKOR_STH_BUCKET"
// watchCmd represents the serve command
var watchCmd = &cobra.Command{
Use: "watch",
Short: "Start a process to watch and record STH's from Rekor",
Long: `Start a process to watch and record STH's from Rekor`,
PreRun: func(cmd *cobra.Command, args []string) {
// these are bound here so that they are not overwritten by other commands
if err := viper.BindPFlags(cmd.Flags()); err != nil {
log.Logger.Fatal("Error initializing cmd line args: ", err)
}
},
RunE: func(cmd *cobra.Command, args []string) error {
// Setup the logger to dev/prod
log.ConfigureLogger(viper.GetString("log_type"))
// workaround for https://github.com/sigstore/rekor/issues/68
// from https://github.com/golang/glog/commit/fca8c8854093a154ff1eb580aae10276ad6b1b5f
_ = flag.CommandLine.Parse([]string{})
host := viper.GetString("rekor_server.address")
port := viper.GetUint("port")
interval := viper.GetDuration("interval")
url := fmt.Sprintf("http://%s:%d", host, port)
c, err := client.GetRekorClient(url)
if err != nil {
return err
}
keyResp, err := c.Pubkey.GetPublicKey(nil)
if err != nil {
return err
}
publicKey := keyResp.Payload
block, _ := pem.Decode([]byte(publicKey))
if block == nil {
return errors.New("failed to decode public key of server")
}
pub, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil {
return err
}
ctx := context.Background()
bucketURL := os.Getenv(rekorSthBucketEnv)
if bucketURL == "" {
log.CliLogger.Fatalf("%s env var must be set", rekorSthBucketEnv)
}
bucket, err := blob.OpenBucket(ctx, bucketURL)
if err != nil {
return err
}
defer bucket.Close()
tick := time.NewTicker(interval)
var last *SignedAndUnsignedLogRoot
for {
<-tick.C
log.Logger.Info("performing check")
lr, err := doCheck(c, pub)
if err != nil {
log.Logger.Warnf("error verifiying tree: %s", err)
continue
}
log.Logger.Infof("Found and verified state at %d", lr.VerifiedLogRoot.Size)
if last != nil && last.VerifiedLogRoot.Size == lr.VerifiedLogRoot.Size {
log.Logger.Infof("Last tree size is the same as the current one: %d %d",
last.VerifiedLogRoot.Size, lr.VerifiedLogRoot.Size)
// If it's the same, it shouldn't have changed but we'll still upload anyway
// in case that failed.
}
if err := uploadToBlobStorage(ctx, bucket, lr); err != nil {
log.Logger.Warnf("error uploading result: %s", err)
continue
}
last = lr
}
},
}
func init() {
watchCmd.Flags().Duration("interval", 1*time.Minute, "Polling interval")
rootCmd.AddCommand(watchCmd)
}
func doCheck(c *genclient.Rekor, pub crypto.PublicKey) (*SignedAndUnsignedLogRoot, error) {
li, err := c.Tlog.GetLogInfo(nil)
if err != nil {
return nil, fmt.Errorf("getting log info: %w", err)
}
sth := util.SignedCheckpoint{}
if err := sth.UnmarshalText([]byte(*li.Payload.SignedTreeHead)); err != nil {
return nil, fmt.Errorf("unmarshalling tree head: %w", err)
}
verifier, err := signature.LoadVerifier(pub, crypto.SHA256)
if err != nil {
return nil, err
}
if !sth.Verify(verifier) {
return nil, fmt.Errorf("signed tree head failed verification: %w", err)
}
return &SignedAndUnsignedLogRoot{
VerifiedLogRoot: &sth,
}, nil
}
func uploadToBlobStorage(ctx context.Context, bucket *blob.Bucket, lr *SignedAndUnsignedLogRoot) error {
b, err := json.Marshal(lr)
if err != nil {
return err
}
objName := fmt.Sprintf("sth-%d.json", lr.VerifiedLogRoot.Size)
w, err := bucket.NewWriter(ctx, objName, nil)
if err != nil {
return err
}
defer w.Close()
if _, err := w.Write(b); err != nil {
return err
}
return nil
}
// For JSON marshalling
type SignedAndUnsignedLogRoot struct {
VerifiedLogRoot *util.SignedCheckpoint
}