sigstore / rekor-server

Cryptographic, immutable, append only software release ledger.

License: Apache License 2.0

Languages: Dockerfile 1.20%, Go 97.92%, Shell 0.88%
Topics: provenance, security, supply-chain, transparency-log

rekor-server's Introduction

sigstore/sigstore contains common Sigstore code: that is, code shared by infrastructure (e.g., Fulcio and Rekor) and Go language clients (e.g., Cosign and Gitsign).

This library currently provides:

  • A signing interface (support for ecdsa, ed25519, rsa, DSSE (in-toto))
  • OpenID Connect Fulcio client code

The following KMS systems are available:

  • AWS Key Management Service
  • Azure Key Vault
  • HashiCorp Vault
  • Google Cloud Platform Key Management Service

For example code, look at the relevant test code for each main code file.

Fuzzing

The fuzzing tests are within https://github.com/sigstore/sigstore/tree/main/test/fuzz

Security

Should you discover any security issues, please refer to Sigstore's security process.

For container signing, you want cosign

rekor-server's People

Contributors

bobcallaway, lukehinds

rekor-server's Issues

Rare edge case of updates with 0 tree entries

2020-09-20T13:38:29.124+0100    ERROR   app/api.go:321  rpc error: code = InvalidArgument desc = GetConsistencyProofRequest.SecondTreeSize: 0, want > 0
github.com/projectrekor/rekor-server/app.writeError
        /Users/lukehinds/go/src/github.com/projectrekor/rekor-server/app/api.go:321
github.com/projectrekor/rekor-server/app.wrap.func1
        /Users/lukehinds/go/src/github.com/projectrekor/rekor-server/app/api.go:253
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2042
github.com/go-chi/chi.(*Mux).routeHTTP
        /Users/lukehinds/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/mux.go:431
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2042
github.com/go-chi/chi/middleware.Recoverer.func1
        /Users/lukehinds/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/middleware/recoverer.go:37
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2042
github.com/go-chi/chi/middleware.RequestLogger.func1.1
        /Users/lukehinds/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/middleware/logger.go:46
net/http.HandlerFunc.ServeHTTP
        /usr/local/go/src/net/http/server.go:2042
github.com/go-chi/chi/middleware.RequestID.func1
        /Users/lukehinds/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/middleware/request_id.go:

Implement Github Actions

Set actions for

  • lint
  • test
  • build

name: Build and Test

# This workflow will run on master branch and on any pull requests targeting master
on:
  push:
    branches:
      - master
    tags: []
  pull_request:

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Set up Go
        uses: actions/setup-go@v1
        with:
          go-version: '1.12' # quoted so YAML keeps the version a string (a bare 1.10 would parse as 1.1)

      - name: Check out code
        uses: actions/checkout@v1

      - name: Lint Go Code
        run: |
          export PATH=$PATH:$(go env GOPATH)/bin # temporary fix. See https://github.com/actions/setup-go/issues/14
          go get -u golang.org/x/lint/golint
          make lint

  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Set up Go
        uses: actions/setup-go@v1
        with:
          go-version: '1.12'

      - name: Check out code
        uses: actions/checkout@v1

      - name: Run Unit tests.
        run: make test-coverage

      - name: Upload Coverage report to CodeCov
        uses: codecov/[email protected]
        with:
          token: ${{secrets.CODECOV_TOKEN}}
          file: ./coverage.txt

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: [lint, test]
    steps:
      - name: Set up Go
        uses: actions/setup-go@v1
        with:
          go-version: '1.12'

      - name: Check out code
        uses: actions/checkout@v1

      - name: Build
        run: make build

Monitor based API

Provide an API in rekor that a monitor can use to tail and build its own tree, which can then be processed according to the monitor's functional needs (parse out a provenance file for whatever it's monitoring).

Having taken a cursory look, I believe we need to make use of the GetLeavesByRange \ GetLeavesByIndex calls. A monitor can then pull down leaves from index value 0 to the complete treesize. They can then monitor the treesize, and an increment of >1 means new entries are available to pull down.

A good example here:

https://github.com/benlaurie/trillian-examples/blob/39a83ab3df9b83997733e2c05c730accb7e336b9/registers/trillian_client/client.go#L46-L88

func (t *trillianClient) Scan(logID int64, s LogScanner) error {
	ctx := context.Background()

	// Fetch the latest signed log root to learn how many leaves the log holds.
	rr := &trillian.GetLatestSignedLogRootRequest{LogId: logID}
	lr, err := t.tc.GetLatestSignedLogRoot(ctx, rr)
	if err != nil {
		// Return the error instead of log.Fatalf: the function already has an error result.
		return fmt.Errorf("Can't get log root: %v", err)
	}

	// Pull leaves in pages of `chunk` (a package-level page-size constant in
	// the example repo) from index 0 up to the tree size.
	ts := lr.SignedLogRoot.TreeSize
	for n := int64(0); n < ts; {
		g := &trillian.GetLeavesByRangeRequest{LogId: logID, StartIndex: n, Count: chunk}
		r, err := t.tc.GetLeavesByRange(ctx, g)
		if err != nil {
			return fmt.Errorf("Can't get leaf %d: %v", n, err)
		}

		// Deal with server skew, if tree size has reduced.
		// Don't allow increases so this terminates eventually.
		rts := r.SignedLogRoot.TreeSize
		if rts < ts {
			ts = rts
		}

		if n < ts && len(r.Leaves) == 0 {
			return fmt.Errorf("No progress at leaf %d", n)
		}

		// m indexes the returned page; n is the log index each leaf should carry.
		for m := 0; m < len(r.Leaves) && n < ts; n++ {
			if r.Leaves[m] == nil {
				return fmt.Errorf("Can't get leaf %d (no error)", n)
			}
			if r.Leaves[m].LeafIndex != n {
				// Report the leaf actually examined (r.Leaves[m]); indexing the
				// page by n would read past its end.
				return fmt.Errorf("Got index %d expected %d", r.Leaves[m].LeafIndex, n)
			}
			if err := s.Leaf(r.Leaves[m]); err != nil {
				return err
			}
			m++
		}
	}
	return nil
}

Need to think about the two use cases:

  1. I am a monitor and I want everything
  2. I am a monitor, I have everything, I just want the latest index entry.

Method 1 is going to be quite resource intensive (unless I have missed something). If we have a massive tree and a monitor wants the whole lot, how are we going to manage that? We can add in some form of rate limiter to protect the service, but is there a cheaper way of catering to this use case?
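As an added example (not code from this issue, from rekor-server or from the trillian-examples repo), a stdlib-only Go sketch of the two use cases above: a cold start from index 0 and a later poll that only pulls the entries added since. It runs against a constructed in-memory stand-in for the Trillian GetLeavesByRange call, and handles the zero-size tree from the "Rare edge case of updates with 0 tree entries" issue by never issuing a zero-length range request; Leaf, LogServer and Monitor are hypothetical names.

```go
package main

import "fmt"

type Leaf struct { // the two LogLeaf fields the scanner above relies on
	LeafIndex int64
	Data      []byte
}

// LogServer is a constructed in-memory stand-in for the Trillian log RPCs;
// Append grows the tree by one entry, as a real log does.
type LogServer struct{ leaves []Leaf }
func (s *LogServer) Append(data []byte) {
	s.leaves = append(s.leaves, Leaf{int64(len(s.leaves)), data})
}

// GetLeavesByRange returns up to count leaves from start plus the tree size
// the answer was computed against, mirroring the Trillian response shape.
func (s *LogServer) GetLeavesByRange(start, count int64) ([]Leaf, int64) {
	ts := int64(len(s.leaves))
	if start >= ts {
		return nil, ts
	}
	if start+count > ts {
		count = ts - start
	}
	return s.leaves[start : start+count], ts
}

// Monitor keeps every leaf it has seen; len(Seen) is the next index to fetch.
type Monitor struct{ Seen []Leaf }
// Tail fetches the leaves the monitor has not seen yet, chunk at a time, and returns how many it
// added; a cold start (use case 1) and a later poll for new entries (use case 2) are the same call.
// An empty tree (size 0) or a caught-up monitor returns 0 without requesting a zero-length range.
func (m *Monitor) Tail(s *LogServer, chunk int64) (int, error) {
	start := len(m.Seen)
	for {
		next := int64(len(m.Seen))
		leaves, ts := s.GetLeavesByRange(next, chunk)
		if next >= ts { // ts == 0, or nothing new since the last poll
			return len(m.Seen) - start, nil
		}
		for _, l := range leaves {
			if l.LeafIndex != next { // the scanner's index check, on the matching element
				return len(m.Seen) - start, fmt.Errorf("got index %d, expected %d", l.LeafIndex, next)
			}
			m.Seen = append(m.Seen, l)
			next++
		}
	}
}
```

A real monitor would additionally hash the tailed leaves into its own Merkle tree and compare the result with the signed log root returned by GetLatestSignedLogRoot.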

GetProof failing when leaf does not exist

Send a file that is not yet entered:

go run main.go get --linkfile /home/luke/pathlib.py

2020-09-25T11:08:43.623+0100    INFO    app/api.go:167  Received file : /home/luke/pathlib.py

 panic: runtime error: invalid memory address or nil pointer dereference

 -> github.com/projectrekor/rekor-server/app.(*trillianclient).getProof
 ->   /home/luke/go/src/github.com/lukehinds/rekor-server/app/trillian_client.go:96

    github.com/projectrekor/rekor-server/app.(*API).getProofHandler
      /home/luke/go/src/github.com/lukehinds/rekor-server/app/api.go:175
    github.com/projectrekor/rekor-server/app.wrap.func1
      /home/luke/go/src/github.com/lukehinds/rekor-server/app/api.go:261
    net/http.HandlerFunc.ServeHTTP
      /usr/lib/go/src/net/http/server.go:2042
    github.com/go-chi/chi.(*Mux).routeHTTP
      /home/luke/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/mux.go:431
    net/http.HandlerFunc.ServeHTTP
      /usr/lib/go/src/net/http/server.go:2042
    github.com/go-chi/chi/middleware.Recoverer.func1
      /home/luke/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/middleware/recoverer.go:37
    net/http.HandlerFunc.ServeHTTP
      /usr/lib/go/src/net/http/server.go:2042
    github.com/go-chi/chi/middleware.RequestLogger.func1.1
      /home/luke/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/middleware/logger.go:46
    net/http.HandlerFunc.ServeHTTP
      /usr/lib/go/src/net/http/server.go:2042
    github.com/go-chi/chi/middleware.RequestID.func1
      /home/luke/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/middleware/request_id.go:76
    net/http.HandlerFunc.ServeHTTP

Need to validate tree entry and handle not found gracefully

If an unknown tree entry is used, we stack trace and exit with a FATAL:

2020-09-14T18:14:46.901+0100	INFO	cmd/root.go:87	Using config file: /home/luke/go/src/github.com/lukehinds/rekor-server/rekor-server.yaml
2020-09-14T18:14:46.901+0100	INFO	app/server.go:55	Starting server...
2020-09-14T18:14:46.901+0100	INFO	app/server.go:61	Listening on 127.0.0.1:3000
2020-09-14T18:14:51.742+0100	INFO	app/api.go:59	Received file : file.txt
2020-09-14T18:14:51.748+0100	FATAL	app/trillian_client.go:156	rpc error: code = NotFound desc = tree 7305461377290870015 not found
github.com/projectrekor/rekor-server/app.(*trillianclient).getLeaf
	/home/luke/go/src/github.com/lukehinds/rekor-server/app/trillian_client.go:156
github.com/projectrekor/rekor-server/app.getHandler
	/home/luke/go/src/github.com/lukehinds/rekor-server/app/api.go:77
net/http.HandlerFunc.ServeHTTP
	/usr/lib/go/src/net/http/server.go:2042
github.com/go-chi/chi.(*Mux).routeHTTP
	/home/luke/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/mux.go:431
net/http.HandlerFunc.ServeHTTP
	/usr/lib/go/src/net/http/server.go:2042
github.com/go-chi/chi/middleware.Recoverer.func1
	/home/luke/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/middleware/recoverer.go:37
net/http.HandlerFunc.ServeHTTP
	/usr/lib/go/src/net/http/server.go:2042
github.com/go-chi/chi/middleware.RequestLogger.func1.1
	/home/luke/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/middleware/logger.go:46
net/http.HandlerFunc.ServeHTTP
	/usr/lib/go/src/net/http/server.go:2042
github.com/go-chi/chi/middleware.RequestID.func1
	/home/luke/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/middleware/request_id.go:76
net/http.HandlerFunc.ServeHTTP
	/usr/lib/go/src/net/http/server.go:2042
github.com/go-chi/chi.(*Mux).ServeHTTP
	/home/luke/go/pkg/mod/github.com/go-chi/[email protected]+incompatible/mux.go:86
net/http.serverHandler.ServeHTTP
	/usr/lib/go/src/net/http/server.go:2843
net/http.(*conn).serve
	/usr/lib/go/src/net/http/server.go:1925
exit status 1

Wayward err return

We just need to look at err handling returns from grpc

We return an err to the API struct instance (is that the right golang idiom?)

https://github.com/projectrekor/rekor-server/blob/97ec32e09dfa0acc117ae22909c6d13fe3e80921/app/api.go#L47-L50

But we don't have anywhere to capture that err in the API handlers, e.g.:

https://github.com/projectrekor/rekor-server/blob/97ec32e09dfa0acc117ae22909c6d13fe3e80921/app/api.go#L92-L99

Meanwhile we handle errs locally in gprc.go (which we should be returning if we are checking for it in the calling function):

https://github.com/projectrekor/rekor-server/blob/97ec32e09dfa0acc117ae22909c6d13fe3e80921/app/gprc_client.go#L16-L20

Not a high priority item by any means, as we capture the connection failure:

2020-09-17T12:10:10.528+0100    INFO    cmd/root.go:87  Using config file: /home/luke/go/src/github.com/lukehinds/rekor-server/rekor-server.yaml
2020/09/17 12:10:10 rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp 127.0.0.1:8091: connect: connection refused"
exit status 1

But logging this so we can look at it later and tell the rekor server user which node being called failed (mapserver, logserver). We will likely want to refactor the grpc handler later (when we run in Secure mode or use more options), so we can always do it then.

Cannot make duplicate entries

Currently we reject duplicate entries with {Data Already Exists}, whereas we should allow multiple entries (so that we can prevent an attacker placing a file into the tree before the rightful owner makes an entry).

I think we can work around this by using ExtraData with timestamp to make every entry unique.
