add in-toto monkeypatch and updated layout to include proper keys
alanssitis committed Oct 14, 2022
1 parent 15acca1 commit e1d09f4
Showing 3 changed files with 61 additions and 48 deletions.
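--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,4 @@
+[submodule "in-toto"]
+path = in-toto
+url = https://github.com/SolidifiedRay/in-toto.git
+branch = ITE-4-monkey-patch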
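Review bot: The `branch = ITE-4-monkey-patch` line makes the submodule track a moving branch on a personal fork, so `git submodule update --remote` will fetch whatever that branch holds at the time instead of the commit this commit records (fceda1). Since the layout script depends on the patched in-toto behaviour, it is safer to drop the `branch` line and keep the submodule pinned to the recorded commit, or to add a comment above the entry stating that branch tracking is deliberate and where the fork is reviewed. Either way, a one-line comment such as `# fork carrying the ITE-4 monkeypatch; pinned via the submodule commit, not this branch` would tell the next reader what is being trusted.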
1 change: 1 addition & 0 deletions in-toto
Submodule in-toto added at fceda1
104 changes: 56 additions & 48 deletions owner_alice/create_layout.py
Expand Up @@ -2,57 +2,65 @@
from in_toto.models.layout import Layout
from in_toto.models.metadata import Metablock


def main():
# Load Alice's private key to later sign the layout
key_alice = interface.import_rsa_privatekey_from_file("alice")
# Fetch and load Bob's and Carl's public keys
# to specify that they are authorized to perform certain step in the layout
key_bob = interface.import_rsa_publickey_from_file("../functionary_bob/bob.pub")

layout = Layout.read({
"_type": "layout",
"keys": {
key_bob["keyid"]: key_bob,
},
"steps": [{
"name": "update-version",
"expected_materials": [["ALLOW", "foo.py"], ["ALLOW", "*"]],
"expected_products": [["MODIFY", "foo.py"]],
"pubkeys": [key_bob["keyid"]],
"expected_command": [],
"threshold": 1,
},{
"name": "pull-request",
"expected_materials": [["MATCH", "*", "WITH", "PRODUCTS", "FROM",
"update-version"]],
"expected_products": [["ALLOW", "*"]],
"pubkeys": [key_bob["keyid"]],
"expected_command": [],
"threshold": 1,
},{
"name": "merge-pr",
"expected_materials": [["ALLOW", "*"]],
"expected_products": [["ALLOW", "*"]],
"pubkeys": [key_alice["keyid"]],
"expected_command": [],
"threshold": 1,
},{
"name": "tag",
"expected_materials": [["ALLOW", "*"]],
"expected_products": [["ALLOW", "*"]],
"pubkeys": [key_alice["keyid"]],
"expected_command": [],
"threshold": 1,
# Load Alice's private key to later sign the layout
priv_key_alice = interface.import_rsa_privatekey_from_file("alice")

# Load public keys
pub_key_alice = interface.import_rsa_publickey_from_file(
"../functionary_bob/bob.pub")
pub_key_bob = interface.import_rsa_publickey_from_file("alice.pub")

layout = Layout.read({
"_type":
"layout",
"keys": {
pub_key_alice["keyid"]: pub_key_alice,
pub_key_bob["keyid"]: pub_key_bob,
},
"steps": [{
"name": "update-version",
"expected_materials": [["ALLOW", "foo.py"], ["ALLOW", "*"]],
"expected_products": [["MODIFY", "foo.py"]],
"pubkeys": [pub_key_bob["keyid"]],
"expected_command": [],
"threshold": 1,
}, {
"name":
"pull-request",
"expected_materials":
[["MATCH", "*", "WITH", "PRODUCTS", "FROM", "update-version"]],
"expected_products": [["ALLOW", "*"]],
"pubkeys": [pub_key_bob["keyid"]],
"expected_command": [],
"threshold":
1,
}, {
"name": "merge-pr",
"expected_materials": [["ALLOW", "*"]],
"expected_products": [["ALLOW", "*"]],
"pubkeys": [pub_key_alice["keyid"]],
"expected_command": [],
"threshold": 1,
}, {
"name": "tag",
"expected_materials": [["ALLOW", "*"]],
"expected_products": [["ALLOW", "*"]],
"pubkeys": [pub_key_alice["keyid"]],
"expected_command": [],
"threshold": 1,
}],
"inspect":[],
})
"inspect": [],
})

metadata = Metablock(signed=layout)

metadata = Metablock(signed=layout)
# Sign and dump layout to "root.layout"
metadata.sign(priv_key_alice)
metadata.dump("root.layout")
print('Created in-toto layout as "root.layout".')

# Sign and dump layout to "root.layout"
metadata.sign(key_alice)
metadata.dump("root.layout")
print('Created demo in-toto layout as "root.layout".')

if __name__ == '__main__':
main()
main()
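Review bot: The two public-key loads on the new side are crossed: `pub_key_alice` is read from `../functionary_bob/bob.pub` and `pub_key_bob` from `alice.pub`, so every step's `pubkeys` list authorizes the wrong functionary — `update-version` and `pull-request` end up authorized to Alice's key while `merge-pr` and `tag` are authorized to Bob's. The fix is to swap the file names: `pub_key_alice = interface.import_rsa_publickey_from_file("alice.pub")` and `pub_key_bob = interface.import_rsa_publickey_from_file("../functionary_bob/bob.pub")`. Nothing in this script checks the mapping, so the mistake presumably only surfaces later as a link-verification failure rather than an error when the layout is written, which makes it easy to miss; a short comment above the loads naming which file belongs to which functionary would help prevent a repeat.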
