hishtory/client/lib/slsa.go

package lib

import (
	"bufio"
	"context"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"

	"github.com/ddworken/hishtory/client/hctx"
	"github.com/ddworken/hishtory/shared"
	"github.com/slsa-framework/slsa-verifier/options"
	"github.com/slsa-framework/slsa-verifier/verifiers"
)

var errUserAbortUpdate error = errors.New("update cancelled")

func verify(ctx context.Context, provenance []byte, artifactHash, source, branch, versionTag string) error {
	provenanceOpts := &options.ProvenanceOpts{
		ExpectedSourceURI: source,
		ExpectedBranch:    &branch,
		ExpectedDigest:    artifactHash,
	}
	if versionTag != "" {
		provenanceOpts.ExpectedVersionedTag = &versionTag
	}
	builderOpts := &options.BuilderOpts{}
	_, _, err := verifiers.Verify(ctx, provenance, artifactHash, provenanceOpts, builderOpts)
	return err
}

func checkForDowngrade(currentVersionS, newVersionS string) error {
	currentVersion, err := shared.ParseVersionString(currentVersionS)
	if err != nil {
		return fmt.Errorf("failed to parse current version string: %w", err)
	}
	newVersion, err := shared.ParseVersionString(newVersionS)
	if err != nil {
		return fmt.Errorf("failed to parse new version string: %w", err)
	}
	if currentVersion.GreaterThan(newVersion) {
		return fmt.Errorf("failed to update because the new version (%#v) is a downgrade compared to the current version (%#v)", newVersionS, currentVersionS)
	}
	return nil
}

func VerifyBinary(ctx context.Context, binaryPath, attestationPath, versionTag string) error {
	if os.Getenv("HISHTORY_DISABLE_SLSA_ATTESTATION") == "true" {
		return nil
	}
	resp, err := ApiGet(ctx, "/api/v1/slsa-status?newVersion="+versionTag)
	if err != nil {
		hctx.GetLogger().Infof("Failed to query SLSA status (err=%#v), assuming that SLSA is currently working", err)
	}
	if err == nil && string(resp) != "OK" {
	slsa_status_error:
		fmt.Printf("SLSA verification is currently experiencing issues:%s\nWhat would you like to do?", string(resp))
		fmt.Println("To abort the update, type 'a'")
		fmt.Println("To continue with the update even though it may fail, type 'c'")
		fmt.Println("To update and skip SLSA validation, type 's'")
		reader := bufio.NewReader(os.Stdin)
		userChoice, err := reader.ReadString('\n')
		if err != nil {
			fmt.Printf("failed to read response: %v\n", err)
			goto slsa_status_error
		}
		userChoice = strings.TrimSpace(userChoice)
		switch userChoice {
		case "a", "A":
			return errUserAbortUpdate
		case "c", "C":
			// Continue the update and perform SLSA validation even though it may fail
			goto slsa_status_error_continue_update
		case "s", "S":
			// Skip validation and return nil as if the binary passed validation
			return nil
		default:
			fmt.Printf("user selection %#v was not one of 'a', 'c', 's'\n", userChoice)
			goto slsa_status_error
		}
	}
slsa_status_error_continue_update:
	if err := checkForDowngrade(Version, versionTag); err != nil && os.Getenv("HISHTORY_ALLOW_DOWNGRADE") == "true" {
		return err
	}

	attestation, err := os.ReadFile(attestationPath)
	if err != nil {
		return fmt.Errorf("failed to read attestation file: %w", err)
	}

	hash, err := getFileHash(binaryPath)
	if err != nil {
		return err
	}

	return verify(ctx, attestation, hash, "github.com/ddworken/hishtory", "master", versionTag)
}

func getFileHash(binaryPath string) (string, error) {
	binaryFile, err := os.Open(binaryPath)
	if err != nil {
		return "", fmt.Errorf("failed to read binary for verification purposes: %w", err)
	}
	defer binaryFile.Close()

	hasher := sha256.New()
	if _, err := io.Copy(hasher, binaryFile); err != nil {
		return "", fmt.Errorf("failed to hash binary: %w", err)
	}
	hash := hex.EncodeToString(hasher.Sum(nil))
	return hash, nil
}

func HandleSlsaFailure(srcErr error) error {
	if errors.Is(srcErr, errUserAbortUpdate) {
		return srcErr
	}
	fmt.Printf("\nFailed to verify SLSA provenance! This is likely due to a SLSA bug (SLSA is a brand new standard, and like all new things, has bugs). Ignoring this failure means falling back to the way most software does updates. Do you want to ignore this failure and update anyways? [y/N]")
	reader := bufio.NewReader(os.Stdin)
	resp, err := reader.ReadString('\n')
	if err == nil && strings.TrimSpace(resp) == "y" {
		fmt.Println("Proceeding with update...")
		return nil
	}
	return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update (to bypass, set `export HISHTORY_DISABLE_SLSA_ATTESTATION=true`): %w", srcErr)
}
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`package lib`

			`import (`
Add better handling for SLSA errors 2022-10-03 05:14:54 +02:00			`"bufio"`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`"context"`
			`"crypto/sha256"`
			`"encoding/hex"`
Update SLSA integration to always prompt the user before suspected broken updates 2023-11-11 20:26:39 +01:00			`"errors"`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`"fmt"`
			`"io"`
			`"os"`
Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`"strings"`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00
Update SLSA integration to always prompt the user before suspected broken updates 2023-11-11 20:26:39 +01:00			`"github.com/ddworken/hishtory/client/hctx"`
Update slsa integration to use the shared library for parsing version strings 2023-11-10 05:51:47 +01:00			`"github.com/ddworken/hishtory/shared"`
Bump go version, remove the vendored slsa library, and depend on a newer copy with a different API. Updates now work. 2022-09-02 09:15:58 +02:00			`"github.com/slsa-framework/slsa-verifier/options"`
			`"github.com/slsa-framework/slsa-verifier/verifiers"`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`)`

Update SLSA integration to always prompt the user before suspected broken updates 2023-11-11 20:26:39 +01:00			`var errUserAbortUpdate error = errors.New("update cancelled")`

no context pointers 2023-09-05 21:45:17 +02:00			`func verify(ctx context.Context, provenance []byte, artifactHash, source, branch, versionTag string) error {`
Bump go version, remove the vendored slsa library, and depend on a newer copy with a different API. Updates now work. 2022-09-02 09:15:58 +02:00			`provenanceOpts := &options.ProvenanceOpts{`
Update slsa validation to not validate version when running in github actions, since the one in actions isn't associated with a released version 2023-11-05 09:15:54 +01:00			`ExpectedSourceURI: source,`
			`ExpectedBranch: &branch,`
			`ExpectedDigest: artifactHash,`
			`}`
			`if versionTag != "" {`
			`provenanceOpts.ExpectedVersionedTag = &versionTag`
Bump go version, remove the vendored slsa library, and depend on a newer copy with a different API. Updates now work. 2022-09-02 09:15:58 +02:00			`}`
			`builderOpts := &options.BuilderOpts{}`
no context pointers 2023-09-05 21:45:17 +02:00			`_, _, err := verifiers.Verify(ctx, provenance, artifactHash, provenanceOpts, builderOpts)`
Bump go version, remove the vendored slsa library, and depend on a newer copy with a different API. Updates now work. 2022-09-02 09:15:58 +02:00			`return err`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`

Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`func checkForDowngrade(currentVersionS, newVersionS string) error {`
Update slsa integration to use the shared library for parsing version strings 2023-11-10 05:51:47 +01:00			`currentVersion, err := shared.ParseVersionString(currentVersionS)`
Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`if err != nil {`
Update slsa integration to use the shared library for parsing version strings 2023-11-10 05:51:47 +01:00			`return fmt.Errorf("failed to parse current version string: %w", err)`
Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`}`
Update slsa integration to use the shared library for parsing version strings 2023-11-10 05:51:47 +01:00			`newVersion, err := shared.ParseVersionString(newVersionS)`
Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`if err != nil {`
Update slsa integration to use the shared library for parsing version strings 2023-11-10 05:51:47 +01:00			`return fmt.Errorf("failed to parse new version string: %w", err)`
Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`}`
Update slsa integration to use the shared library for parsing version strings 2023-11-10 05:51:47 +01:00			`if currentVersion.GreaterThan(newVersion) {`
Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`return fmt.Errorf("failed to update because the new version (%#v) is a downgrade compared to the current version (%#v)", newVersionS, currentVersionS)`
			`}`
			`return nil`
			`}`

Move a bunch of update-specific code out of the generic lib.go file and into the update command 2023-09-14 07:45:49 +02:00			`func VerifyBinary(ctx context.Context, binaryPath, attestationPath, versionTag string) error {`
Working update code for macos 2022-05-27 08:45:08 +02:00			`if os.Getenv("HISHTORY_DISABLE_SLSA_ATTESTATION") == "true" {`
			`return nil`
			`}`
Always include user and device ID in API request headers, so that they're available in all server-side handlers 2023-10-14 19:52:35 +02:00			`resp, err := ApiGet(ctx, "/api/v1/slsa-status?newVersion="+versionTag)`
Add integration to disable SLSA verification if there is a current SLSA outage 2022-11-01 01:32:55 +01:00			`if err != nil {`
Update SLSA integration to always prompt the user before suspected broken updates 2023-11-11 20:26:39 +01:00			`hctx.GetLogger().Infof("Failed to query SLSA status (err=%#v), assuming that SLSA is currently working", err)`
Add integration to disable SLSA verification if there is a current SLSA outage 2022-11-01 01:32:55 +01:00			`}`
Update SLSA integration to always prompt the user before suspected broken updates 2023-11-11 20:26:39 +01:00			`if err == nil && string(resp) != "OK" {`
			`slsa_status_error:`
			`fmt.Printf("SLSA verification is currently experiencing issues:%s\nWhat would you like to do?", string(resp))`
			`fmt.Println("To abort the update, type 'a'")`
			`fmt.Println("To continue with the update even though it may fail, type 'c'")`
			`fmt.Println("To update and skip SLSA validation, type 's'")`
			`reader := bufio.NewReader(os.Stdin)`
			`userChoice, err := reader.ReadString('\n')`
			`if err != nil {`
			`fmt.Printf("failed to read response: %v\n", err)`
			`goto slsa_status_error`
			`}`
			`userChoice = strings.TrimSpace(userChoice)`
			`switch userChoice {`
			`case "a", "A":`
			`return errUserAbortUpdate`
			`case "c", "C":`
			`// Continue the update and perform SLSA validation even though it may fail`
			`goto slsa_status_error_continue_update`
			`case "s", "S":`
			`// Skip validation and return nil as if the binary passed validation`
			`return nil`
			`default:`
			`fmt.Printf("user selection %#v was not one of 'a', 'c', 's'\n", userChoice)`
			`goto slsa_status_error`
			`}`
Add integration to disable SLSA verification if there is a current SLSA outage 2022-11-01 01:32:55 +01:00			`}`
Update SLSA integration to always prompt the user before suspected broken updates 2023-11-11 20:26:39 +01:00			`slsa_status_error_continue_update:`
Fix test on incorrect update output + prevent downgrades 2022-06-05 06:42:40 +02:00			`if err := checkForDowngrade(Version, versionTag); err != nil && os.Getenv("HISHTORY_ALLOW_DOWNGRADE") == "true" {`
			`return err`
			`}`

Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`attestation, err := os.ReadFile(attestationPath)`
			`if err != nil {`
wrap errors with %w instead of using %v 2023-09-05 21:08:55 +02:00			`return fmt.Errorf("failed to read attestation file: %w", err)`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`

Working update code for macos 2022-05-27 08:45:08 +02:00			`hash, err := getFileHash(binaryPath)`
			`if err != nil {`
			`return err`
			`}`

Pipe ctx into the slsa code to avoid context.TODO() 2022-09-22 05:22:34 +02:00			`return verify(ctx, attestation, hash, "github.com/ddworken/hishtory", "master", versionTag)`
Working update code for macos 2022-05-27 08:45:08 +02:00			`}`

			`func getFileHash(binaryPath string) (string, error) {`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`binaryFile, err := os.Open(binaryPath)`
			`if err != nil {`
wrap errors with %w instead of using %v 2023-09-05 21:08:55 +02:00			`return "", fmt.Errorf("failed to read binary for verification purposes: %w", err)`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`
			`defer binaryFile.Close()`

			`hasher := sha256.New()`
			`if _, err := io.Copy(hasher, binaryFile); err != nil {`
wrap errors with %w instead of using %v 2023-09-05 21:08:55 +02:00			`return "", fmt.Errorf("failed to hash binary: %w", err)`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`
			`hash := hex.EncodeToString(hasher.Sum(nil))`
Working update code for macos 2022-05-27 08:45:08 +02:00			`return hash, nil`
Add SLSA verification of updated binary Currently the SLSA verifier is meant to be used a standalone binary. I copied a bit of code from their main (and imported the rest of their code as a library) in order to support embedding it as a library. This ensures that the updated hishtory passes SLSA L3. 2022-04-17 01:02:07 +02:00			`}`
Add better handling for SLSA errors 2022-10-03 05:14:54 +02:00
Move a bunch of update-specific code out of the generic lib.go file and into the update command 2023-09-14 07:45:49 +02:00			`func HandleSlsaFailure(srcErr error) error {`
Update SLSA integration to always prompt the user before suspected broken updates 2023-11-11 20:26:39 +01:00			`if errors.Is(srcErr, errUserAbortUpdate) {`
			`return srcErr`
			`}`
Add better handling for SLSA errors 2022-10-03 05:14:54 +02:00			`fmt.Printf("\nFailed to verify SLSA provenance! This is likely due to a SLSA bug (SLSA is a brand new standard, and like all new things, has bugs). Ignoring this failure means falling back to the way most software does updates. Do you want to ignore this failure and update anyways? [y/N]")`
			`reader := bufio.NewReader(os.Stdin)`
			`resp, err := reader.ReadString('\n')`
			`if err == nil && strings.TrimSpace(resp) == "y" {`
			`fmt.Println("Proceeding with update...")`
			`return nil`
			`}`
wrap errors with %w instead of using %v 2023-09-05 21:08:55 +02:00			return fmt.Errorf("failed to verify SLSA provenance of the updated binary, aborting update (to bypass, set `export HISHTORY_DISABLE_SLSA_ATTESTATION=true`): %w", srcErr)
Add better handling for SLSA errors 2022-10-03 05:14:54 +02:00			`}`