hishtory/client/lib/slsa.go

package lib

import (
	"bufio"
	"context"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"

	"github.com/slsa-framework/slsa-verifier/options"
	"github.com/slsa-framework/slsa-verifier/verifiers"
)

func verify(ctx context.Context, provenance []byte, artifactHash, source, branch, versionTag string) error {
	provenanceOpts := &options.ProvenanceOpts{
		ExpectedSourceURI:    source,
		ExpectedBranch:       &branch,
		ExpectedDigest:       artifactHash,
		ExpectedVersionedTag: &versionTag,
	}
	builderOpts := &options.BuilderOpts{}
	_, _, err := verifiers.Verify(ctx, provenance, artifactHash, provenanceOpts, builderOpts)
	return err
}

func checkForDowngrade(currentVersionS, newVersionS string) error {
	currentVersion, err := strconv.Atoi(strings.TrimPrefix(currentVersionS, "v0."))
	if err != nil {
		return fmt.Errorf("failed to parse current version %#v", currentVersionS)
	}
	newVersion, err := strconv.Atoi(strings.TrimPrefix(newVersionS, "v0."))
	if err != nil {
		return fmt.Errorf("failed to parse updated version %#v", newVersionS)
	}
	if currentVersion > newVersion {
		return fmt.Errorf("failed to update because the new version (%#v) is a downgrade compared to the current version (%#v)", newVersionS, currentVersionS)
	}
	return nil
}

func VerifyBinary(ctx context.Context, binaryPath, attestationPath, versionTag string) error {
	if os.Getenv("HISHTORY_DISABLE_SLSA_ATTESTATION") == "true" {
		return nil
	}
	resp, err := ApiGet("/api/v1/slsa-status?newVersion=" + versionTag)
	if err != nil {
		return nil
	}
	if string(resp) != "OK" {
		fmt.Printf("SLSA verification is currently broken (%s), skipping SLSA validation...\n", string(resp))
		return nil
	}

	if err := checkForDowngrade(Version, versionTag); err != nil && os.Getenv("HISHTORY_ALLOW_DOWNGRADE") == "true" {
		return err
	}

	attestation, err := os.ReadFile(attestationPath)
	if err != nil {
		return fmt.Errorf("failed to read attestation file: %w", err)
	}

	hash, err := getFileHash(binaryPath)
	if err != nil {
		return err
	}

	return verify(ctx, attestation, hash, "github.com/ddworken/hishtory", "master", versionTag)
}

func getFileHash(binaryPath string) (string, error) {
	binaryFile, err := os.Open(binaryPath)
	if err != nil {
		return "", fmt.Errorf("failed to read binary for verification purposes: %w", err)
	}
	defer binaryFile.Close()

	hasher := sha256.New()
	if _, err := io.Copy(hasher, binaryFile); err != nil {
		return "", fmt.Errorf("failed to hash binary: %w", err)
	}
	hash := hex.EncodeToString(hasher.Sum(nil))
	return hash, nil
}

func HandleSlsaFailure(srcErr error) error {
	fmt.Printf("\nFailed to verify SLSA provenance! This is likely due to a SLSA bug (SLSA is a brand new standard, and like all new things, has bugs). Ignoring this failure means falling back to the way most software does updates. Do you want to ignore this failure and update anyways? [y/N]")
	reader := bufio.NewReader(os.Stdin)
	resp, err := reader.ReadString('\n')
	if err == nil && strings.TrimSpace(resp) == "y" {
		fmt.Println("Proceeding with update...")
		return nil
	}
	return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update (to bypass, set `export HISHTORY_DISABLE_SLSA_ATTESTATION=true`): %w", srcErr)
}
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`package lib`

			`import (`
Add better handling for SLSA errors 2022-10-03 05:14:54 +02:00			`"bufio"`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`"context"`
			`"crypto/sha256"`
			`"encoding/hex"`
			`"fmt"`
			`"io"`
			`"os"`
Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`"strconv"`
			`"strings"`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00
Bump go version, remove the vendored slsa library, and depend on a newer copy with a different API. Updates now work. 2022-09-02 09:15:58 +02:00			`"github.com/slsa-framework/slsa-verifier/options"`
			`"github.com/slsa-framework/slsa-verifier/verifiers"`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`)`

no context pointers 2023-09-05 21:45:17 +02:00			`func verify(ctx context.Context, provenance []byte, artifactHash, source, branch, versionTag string) error {`
Bump go version, remove the vendored slsa library, and depend on a newer copy with a different API. Updates now work. 2022-09-02 09:15:58 +02:00			`provenanceOpts := &options.ProvenanceOpts{`
			`ExpectedSourceURI: source,`
			`ExpectedBranch: &branch,`
			`ExpectedDigest: artifactHash,`
			`ExpectedVersionedTag: &versionTag,`
			`}`
			`builderOpts := &options.BuilderOpts{}`
no context pointers 2023-09-05 21:45:17 +02:00			`_, _, err := verifiers.Verify(ctx, provenance, artifactHash, provenanceOpts, builderOpts)`
Bump go version, remove the vendored slsa library, and depend on a newer copy with a different API. Updates now work. 2022-09-02 09:15:58 +02:00			`return err`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`

Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`func checkForDowngrade(currentVersionS, newVersionS string) error {`
			`currentVersion, err := strconv.Atoi(strings.TrimPrefix(currentVersionS, "v0."))`
			`if err != nil {`
			`return fmt.Errorf("failed to parse current version %#v", currentVersionS)`
			`}`
			`newVersion, err := strconv.Atoi(strings.TrimPrefix(newVersionS, "v0."))`
			`if err != nil {`
			`return fmt.Errorf("failed to parse updated version %#v", newVersionS)`
			`}`
			`if currentVersion > newVersion {`
			`return fmt.Errorf("failed to update because the new version (%#v) is a downgrade compared to the current version (%#v)", newVersionS, currentVersionS)`
			`}`
			`return nil`
			`}`

Move a bunch of update-specific code out of the generic lib.go file and into the update command 2023-09-14 07:45:49 +02:00			`func VerifyBinary(ctx context.Context, binaryPath, attestationPath, versionTag string) error {`
Working update code for macos 2022-05-27 08:45:08 +02:00			`if os.Getenv("HISHTORY_DISABLE_SLSA_ATTESTATION") == "true" {`
			`return nil`
			`}`
Add integration to disable SLSA verification if there is a current SLSA outage 2022-11-01 01:32:55 +01:00			`resp, err := ApiGet("/api/v1/slsa-status?newVersion=" + versionTag)`
			`if err != nil {`
			`return nil`
			`}`
			`if string(resp) != "OK" {`
			`fmt.Printf("SLSA verification is currently broken (%s), skipping SLSA validation...\n", string(resp))`
			`return nil`
			`}`
Working update code for macos 2022-05-27 08:45:08 +02:00
Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`if err := checkForDowngrade(Version, versionTag); err != nil && os.Getenv("HISHTORY_ALLOW_DOWNGRADE") == "true" {`
			`return err`
			`}`

Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`attestation, err := os.ReadFile(attestationPath)`
			`if err != nil {`
wrap errors with %w instead of using %v 2023-09-05 21:08:55 +02:00			`return fmt.Errorf("failed to read attestation file: %w", err)`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`

Working update code for macos 2022-05-27 08:45:08 +02:00			`hash, err := getFileHash(binaryPath)`
			`if err != nil {`
			`return err`
			`}`

Pipe ctx into the slsa code to avoid context.TODO() 2022-09-22 05:22:34 +02:00			`return verify(ctx, attestation, hash, "github.com/ddworken/hishtory", "master", versionTag)`
Working update code for macos 2022-05-27 08:45:08 +02:00			`}`

			`func getFileHash(binaryPath string) (string, error) {`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`binaryFile, err := os.Open(binaryPath)`
			`if err != nil {`
wrap errors with %w instead of using %v 2023-09-05 21:08:55 +02:00			`return "", fmt.Errorf("failed to read binary for verification purposes: %w", err)`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`
			`defer binaryFile.Close()`

			`hasher := sha256.New()`
			`if _, err := io.Copy(hasher, binaryFile); err != nil {`
wrap errors with %w instead of using %v 2023-09-05 21:08:55 +02:00			`return "", fmt.Errorf("failed to hash binary: %w", err)`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`
			`hash := hex.EncodeToString(hasher.Sum(nil))`
Working update code for macos 2022-05-27 08:45:08 +02:00			`return hash, nil`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`
Add better handling for SLSA errors 2022-10-03 05:14:54 +02:00
Move a bunch of update-specific code out of the generic lib.go file and into the update command 2023-09-14 07:45:49 +02:00			`func HandleSlsaFailure(srcErr error) error {`
Add better handling for SLSA errors 2022-10-03 05:14:54 +02:00			`fmt.Printf("\nFailed to verify SLSA provenance! This is likely due to a SLSA bug (SLSA is a brand new standard, and like all new things, has bugs). Ignoring this failure means falling back to the way most software does updates. Do you want to ignore this failure and update anyways? [y/N]")`
			`reader := bufio.NewReader(os.Stdin)`
			`resp, err := reader.ReadString('\n')`
			`if err == nil && strings.TrimSpace(resp) == "y" {`
			`fmt.Println("Proceeding with update...")`
			`return nil`
			`}`
wrap errors with %w instead of using %v 2023-09-05 21:08:55 +02:00			return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update (to bypass, set `export HISHTORY_DISABLE_SLSA_ATTESTATION=true`): %w", srcErr)
Add better handling for SLSA errors 2022-10-03 05:14:54 +02:00			`}`