forked from in-toto/ite-4-demo
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
4260a5b
commit 8b4fd45
Showing
3 changed files
with
276 additions
and
28 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -29,14 +29,9 @@ cd .. | |
| For this demo, make sure you have the [github cli tool](https://cli.github.com/) | ||
| installed. | ||
|
|
||
|
|
||
| ## Run the demo commands | ||
|
|
||
| ### 1. Clone project source code (Bob & Alice) | ||
|
|
||
| Since we don't have the project installed locally, we will be cloning them | ||
| ourselves. But in the real world, it is more likely that Bob and Alice already | ||
| have the project locally. | ||
| Also, clone test projects into the home directories of the "players" involved, | ||
| Alice and Bob. In the real world, it is more likely that both already have the | ||
| project installed locally. | ||
|
|
||
| **Note:** If you are testing this demo locally, use a personal fork of the | ||
| `ite-4-demo-test-repo` since you will need access to make and merge PR's. So | ||
|
|
@@ -47,14 +42,16 @@ git clone [email protected]:in-toto/ite-4-demo-test-repo.git functionary_bob/projec | |
| git clone [email protected]:in-toto/ite-4-demo-test-repo.git owner_alice/project | ||
| ``` | ||
|
|
||
| ### 2. Define the software supply chain layout (Alice) | ||
| ## Run the demo commands | ||
|
|
||
| ### 1. Define the software supply chain layout (Alice) | ||
|
|
||
| ```shell | ||
| cd owner_alice | ||
| python create_layout.py | ||
| ``` | ||
|
|
||
| ### 3. Update version number (Bob) | ||
| ### 2. Make and commit changes to the project (Bob) | ||
|
|
||
| Before Bob makes any changes, he will first create a `feature` branch that will | ||
| contain his changes. | ||
|
|
@@ -87,7 +84,7 @@ a link metadata file called `update-version.[Bob's keyid].link`. | |
| in-toto-record stop --step-name commit-changes --key ../bob -p git:commit | ||
| ``` | ||
|
|
||
| ### 4. Submit a pull request (Bob) | ||
| ### 3. Create a pull request (Bob) | ||
|
|
||
| Now that Bob has commited his changes to his local repo, he will push the | ||
| changes to the remote repo. | ||
|
|
@@ -97,51 +94,48 @@ git push --set-upstream origin feature | |
| ``` | ||
|
|
||
| Then, Bob will submit a pull request using `gh` and use `in-toto-run` to | ||
| record the state of the files to create a link. | ||
| record the state of the files to create a link. The output of the `gh` command | ||
| should give you the pull request number, replace the placeholders in the | ||
| following commands with it. | ||
|
|
||
| ```shell | ||
| in-toto-record start -n create-pr -m git:commit --key ../bob | ||
| gh pr create --title "update version" --body "update version number" | ||
| in-toto-record stop -n create-pr -p github:in-toto/ite-4-demo-test-repo:pr:{pr number} --key ../bob | ||
| ``` | ||
|
|
||
| ```shell | ||
| in-toto-run -n open-pr -m git:commit -p github:in-toto/ite-4-demo-test-repo:pr:{pr number} --key ../bob --no-command | ||
| ``` | ||
|
|
||
| ### 5. Approve and merge PR (Alice) | ||
| ### 4. Approve and merge PR (Alice) | ||
|
|
||
| Alice will now review Bob's PR, approve it, and merge it. In order to record the | ||
| merging, Alice will need to pull the new merge commit and record it. | ||
|
|
||
| ```shell | ||
| cd ../../owner_alice/project | ||
| gh pr merge {pr number} | ||
| ``` | ||
|
|
||
| ```shell | ||
| in-toto-record start -n merge-pr -m github:in-toto/ite-4-demo-test-repo:pr:{pr number} git:commit --key ../alice | ||
| gh pr merge {pr number} | ||
| git pull | ||
| in-toto-record stop -n merge-pr -p git:commit --key ../alice | ||
| ``` | ||
|
|
||
| ### 6. Create a tag (Alice) | ||
| ### 5. Create a tag (Alice) | ||
|
|
||
| Then, Alice will tag the new merge commit and record the action. | ||
|
|
||
| ```shell | ||
| in-toto-run -n tag -m git:commit -p git:tag:v0.1 --key ../alice -- git tag v0.1 | ||
| in-toto-run -n tag -m git:commit -p git:tag:release --key ../alice -- git tag release | ||
| ``` | ||
|
|
||
| ### 7. Build the Container Image locally (Alice) | ||
| ### 6. Build the container image locally (Alice) | ||
|
|
||
| Alice can now build the container image. | ||
|
|
||
| ```shell | ||
| in-toto-record start -n build-image -k ../alice -m git:commit git:tag:v0.1 | ||
| in-toto-record start -n build-image -k ../alice -m git:commit git:tag:release | ||
| docker build . -f Containerfile --tag ite-4-demo | ||
| in-toto-record stop -n build-image -k ../alice -p docker://ite-4-demo | ||
| ``` | ||
|
|
||
| ### 8. Verify the workflow | ||
| ### 7. Verify the workflow (Client) | ||
|
|
||
| Copy the layout and the links to a new directory to verify the integrity of the | ||
| workflow. | ||
|
|
@@ -155,3 +149,21 @@ cp owner_alice/root.layout final_product | |
| cd final_product | ||
| in-toto-verify --layout root.layout --layout-key ../owner_alice/alice.pub | ||
| ``` | ||
| ## Cleaning up and automated run through | ||
|
|
||
| ### Clean slate | ||
|
|
||
| If you want to run the demo again, remove all the files and reset all of the | ||
| repos by running the following script. | ||
|
|
||
| ```shell | ||
| python3 run_demo.py --clean | ||
| ``` | ||
|
|
||
| ### Automated run through | ||
|
|
||
| Use the same script to have an automated run through of the demo. | ||
|
|
||
| ```shell | ||
| python3 run_demo.py | ||
| ``` | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,236 @@ | ||
| import os | ||
| import sys | ||
| import shlex | ||
| import subprocess | ||
| import argparse | ||
| from shutil import copyfile, copytree, rmtree | ||
|
|
||
| NO_PROMPT = False | ||
|
|
||
|
|
||
| def prompt_key(prompt): | ||
| if NO_PROMPT: | ||
| print("\n" + prompt) | ||
| return | ||
| inp = False | ||
| while inp != "": | ||
| try: | ||
| inp = input("\n{} -- press any key to continue".format(prompt)) | ||
| except Exception: | ||
| pass | ||
|
|
||
|
|
||
| def supply_chain(): | ||
|
|
||
| prompt_key("Define the supply chain layout (Alice)") | ||
| os.chdir("owner_alice") | ||
| create_layout_cmd = "python create_layout.py" | ||
| print(create_layout_cmd) | ||
| subprocess.call(shlex.split(create_layout_cmd)) | ||
|
|
||
| prompt_key("Make and commit changes to the project (Bob)") | ||
| os.chdir("../functionary_bob/project") | ||
| checkout_new_branch_cmd = "git checkout -b feature" | ||
| print(checkout_new_branch_cmd) | ||
| subprocess.call(shlex.split(checkout_new_branch_cmd)) | ||
|
|
||
| make_commit_changes_start_cmd = ("in-toto-record" | ||
| " start" | ||
| " --verbose" | ||
| " --step-name commit-changes" | ||
| " --key ../bob" | ||
| " --materials git:commit") | ||
| print(make_commit_changes_start_cmd) | ||
| subprocess.call(shlex.split(make_commit_changes_start_cmd)) | ||
|
|
||
| make_changes_cmd = r"perl -i -p -e 's/(\d+)/$1 + 1/eg' foo.py" | ||
| print(make_changes_cmd) | ||
| subprocess.call(shlex.split(make_changes_cmd)) | ||
|
|
||
| add_changes_cmd = "git add foo.py" | ||
| print(add_changes_cmd) | ||
| subprocess.call(shlex.split(add_changes_cmd)) | ||
|
|
||
| commit_changes_cmd = "git commit -m 'update version'" | ||
| print(commit_changes_cmd) | ||
| subprocess.call(shlex.split(commit_changes_cmd)) | ||
|
|
||
| make_commit_changes_stop_cmd = ("in-toto-record" | ||
| " stop" | ||
| " --verbose" | ||
| " --step-name commit-changes" | ||
| " --key ../bob" | ||
| " --products git:commit") | ||
| print(make_commit_changes_stop_cmd) | ||
| subprocess.call(shlex.split(make_commit_changes_stop_cmd)) | ||
|
|
||
| prompt_key("Create a Pull Request (Bob)") | ||
| push_changes_cmd = "git push --set-upstream origin feature" | ||
| print(push_changes_cmd) | ||
| subprocess.call(shlex.split(push_changes_cmd)) | ||
|
|
||
| create_pr_start_cmd = ("in-toto-record" | ||
| " start" | ||
| " --verbose" | ||
| " --step-name create-pr" | ||
| " --key ../bob" | ||
| " --materials git:commit") | ||
| print(create_pr_start_cmd) | ||
| subprocess.call(shlex.split(create_pr_start_cmd)) | ||
|
|
||
| create_pr_cmd = ("gh pr create" | ||
| " --title 'update version'" | ||
| " --body 'update version number'") | ||
| print(create_pr_cmd) | ||
| pr_link = subprocess.check_output(shlex.split(create_pr_cmd)) | ||
| pr_number = pr_link.decode().replace('\n', '').split('/')[-1] | ||
|
|
||
| create_pr_stop_cmd = ( | ||
| "in-toto-record" | ||
| " stop" | ||
| " --verbose" | ||
| " --step-name create-pr" | ||
| " --key ../bob" | ||
| f" --products github:in-toto/ite-4-demo-test-repo:pr:{pr_number}") | ||
| print(create_pr_stop_cmd) | ||
| subprocess.call(shlex.split(create_pr_stop_cmd)) | ||
|
|
||
| prompt_key("Approve and merge PR (Alice)") | ||
| os.chdir("../../owner_alice/project") | ||
| merge_pr_start_cmd = ( | ||
| "in-toto-record" | ||
| " start" | ||
| " --verbose" | ||
| " --step-name merge-pr" | ||
| " --key ../alice" | ||
| f" --materials github:in-toto/ite-4-demo-test-repo:pr:{pr_number} git:commit" | ||
| ) | ||
| print(merge_pr_start_cmd) | ||
| subprocess.call(shlex.split(merge_pr_start_cmd)) | ||
|
|
||
| merge_pr_cmd = f"gh pr merge {pr_number}" | ||
| print(merge_pr_cmd) | ||
| subprocess.call(shlex.split(merge_pr_cmd)) | ||
|
|
||
| pull_merge_commit_cmd = "git pull" | ||
| print(pull_merge_commit_cmd) | ||
| subprocess.call(shlex.split(pull_merge_commit_cmd)) | ||
|
|
||
| merge_pr_stop_cmd = ("in-toto-record" | ||
| " stop" | ||
| " --verbose" | ||
| " --step-name merge-pr" | ||
| " --key ../alice" | ||
| " --products git:commit") | ||
| print(merge_pr_stop_cmd) | ||
| subprocess.call(shlex.split(merge_pr_stop_cmd)) | ||
|
|
||
| prompt_key("Create a Tag (Alice)") | ||
| tag_cmd = ("in-toto-run" | ||
| " --verbose" | ||
| " --step-name tag" | ||
| " --key ../alice" | ||
| " --materials git:commit" | ||
| " --products git:tag:release" | ||
| " -- git tag release") | ||
| print(tag_cmd) | ||
| subprocess.call(shlex.split(tag_cmd)) | ||
|
|
||
| prompt_key("Build the container image (Alice)") | ||
| build_container_start_cmd = ("in-toto-record" | ||
| " start" | ||
| " --verbose" | ||
| " --step-name build-image" | ||
| " --key ../alice" | ||
| " --materials git:commit git:tag:release") | ||
| print(build_container_start_cmd) | ||
| subprocess.call(shlex.split(build_container_start_cmd)) | ||
|
|
||
| build_container_cmd = ("docker build ." | ||
| " --file Containerfile" | ||
| " --tag ite-4-demo") | ||
| print(build_container_cmd) | ||
| subprocess.call(shlex.split(build_container_cmd)) | ||
|
|
||
| build_container_stop_cmd = ("in-toto-record" | ||
| " stop" | ||
| " --verbose" | ||
| " --step-name build-image" | ||
| " --key ../alice" | ||
| " --products docker://ite-4-demo") | ||
| print(build_container_stop_cmd) | ||
| subprocess.call(shlex.split(build_container_stop_cmd)) | ||
|
|
||
| prompt_key("Create final product") | ||
| os.chdir("../..") | ||
| os.makedirs("final_product", exist_ok=True) | ||
| copyfile("owner_alice/root.layout", "final_product/root.layout") | ||
| copyfile("functionary_bob/project/commit-changes.776a00e2.link", | ||
| "final_product/commit-changes.776a00e2.link") | ||
| copyfile("functionary_bob/project/create-pr.776a00e2.link", | ||
| "final_product/create-pr.776a00e2.link") | ||
| copyfile("owner_alice/project/merge-pr.556caebd.link", | ||
| "final_product/merge-pr.556caebd.link") | ||
| copyfile("owner_alice/project/tag.556caebd.link", | ||
| "final_product/tag.556caebd.link") | ||
| copyfile("owner_alice/project/build-image.556caebd.link", | ||
| "final_product/build-image.556caebd.link") | ||
|
|
||
| prompt_key("Verify final product (Client)") | ||
| os.chdir("final_product") | ||
| copyfile("../owner_alice/alice.pub", "alice.pub") | ||
| verify_cmd = ("in-toto-verify" | ||
| " --verbose" | ||
| " --layout root.layout" | ||
| " --layout-key alice.pub") | ||
| print(verify_cmd) | ||
| retval = subprocess.call(shlex.split(verify_cmd)) | ||
| print("Return value: " + str(retval)) | ||
|
|
||
|
|
||
| def main(): | ||
| parser = argparse.ArgumentParser() | ||
| parser.add_argument("-n", | ||
| "--no-prompt", | ||
| help="No prompt.", | ||
| action="store_true") | ||
| parser.add_argument("-c", | ||
| "--clean", | ||
| help="Remove files created during demo.", | ||
| action="store_true") | ||
| args = parser.parse_args() | ||
|
|
||
| if args.clean: | ||
| files_to_delete = [ | ||
| "owner_alice/root.layout", | ||
| "owner_alice/project/merge-pr.556caebd.link", | ||
| "owner_alice/project/tag.556caebd.link", | ||
| "owner_alice/project/build-image.556caebd.link", | ||
| "functionary_bob/project/commit-changes.776a00e2.link", | ||
| "functionary_bob/project/create-pr.776a00e2.link", | ||
| "final_product", | ||
| ] | ||
|
|
||
| for path in files_to_delete: | ||
| if os.path.isfile(path): | ||
| os.remove(path) | ||
| elif os.path.isdir(path): | ||
| rmtree(path) | ||
|
|
||
| # reset project | ||
| os.chdir("functionary_bob/project") | ||
| subprocess.call(shlex.split("git checkout main")) | ||
| subprocess.call(shlex.split("git branch -D feature")) | ||
| subprocess.call(shlex.split("git pull")) | ||
| os.chdir("../..") | ||
|
|
||
| sys.exit(0) | ||
| if args.no_prompt: | ||
| global NO_PROMPT | ||
| NO_PROMPT = True | ||
|
|
||
| supply_chain() | ||
|
|
||
|
|
||
| if __name__ == '__main__': | ||
| main() |