Merge pull request #186 from kpcyrd/better-attestation

Better attestations

Author: kpcyrd

Cargo.lock

@@ -1,6 +1,6 @@
 use crate::config::ConfigFile;
 use crate::errors::*;
-use crate::{auth, http, PkgArtifact, PkgGroup, PkgRelease, Status};
+use crate::{auth, http, PkgArtifact, PkgGroup, PkgRelease, PublicKeys, Status};
 use chrono::prelude::*;
 use serde::{Deserialize, Serialize};
 use std::borrow::Cow;
@@ -205,6 +205,17 @@ impl Client {
         Ok(attestation.to_vec())
     }
 
+    pub async fn fetch_public_keys(&self) -> Result<PublicKeys> {
+        let keys = self
+            .get(Cow::Borrowed("api/v0/public-keys"))
+            .send()
+            .await?
+            .error_for_status()?
+            .json()
+            .await?;
+        Ok(keys)
+    }
+
     pub async fn list_queue(&self, list: &ListQueue) -> Result<QueueList> {
         let pkgs = self
             .post(Cow::Borrowed("api/v0/queue/list"))

common/src/api.rs

@@ -85,6 +85,7 @@ pub struct HttpConfig {
     pub bind_addr: Option<String>,
     pub real_ip_header: Option<String>,
     pub post_body_size_limit: Option<usize>,
+    pub transparently_sign_attestations: Option<bool>,
     pub endpoint: Option<String>,
 }
 

common/src/config.rs

@@ -162,3 +162,8 @@ impl FromStr for Status {
         }
     }
 }
+
+#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize)]
+pub struct PublicKeys {
+    pub current: Vec<String>,
+}

common/src/lib.rs

@@ -1,3 +1,9 @@
+use crate::errors::*;
+use std::fs::{self, OpenOptions};
+use std::io::prelude::*;
+use std::os::unix::fs::OpenOptionsExt;
+use std::path::Path;
+
 pub fn secs_to_human(duration: i64) -> String {
     let secs = duration % 60;
     let mins = duration / 60;
@@ -16,6 +22,29 @@ pub fn secs_to_human(duration: i64) -> String {
     out.join(" ")
 }
 
+pub fn load_or_create<F: Fn() -> Result<Vec<u8>>>(path: &Path, func: F) -> Result<Vec<u8>> {
+    let data = match OpenOptions::new()
+        .mode(0o640)
+        .write(true)
+        .create_new(true)
+        .open(path)
+    {
+        Ok(mut file) => {
+            // file didn't exist yet, generate new key
+            let data = func()?;
+            file.write_all(&data[..])?;
+            data
+        }
+        Err(_err) => {
+            // assume the file already exists, try reading the content
+            debug!("Loading data from file: {path:?}");
+            fs::read(path)?
+        }
+    };
+
+    Ok(data)
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

common/src/utils.rs

@@ -5,6 +5,10 @@
 ## If you use a reverse proxy, use this header instead of the actual connecting ip.
 ## Make sure the reverse proxy has filters in place to prevent spoofing issues.
 #real_ip_header = "X-Real-IP"
+## By default, the daemon attaches a new signature to existing attestations,
+## if there is no signature by the current long-term private key yet.
+## To turn this off, change this setting to `false` explicitly.
+#transparently_sign_attestations = true
 ## Set a default endpoint for rebuildctl. This is especially useful for the sync timer.
 #endpoint = "http://127.0.0.1:8484"
 

contrib/confs/rebuilderd.conf

@@ -21,13 +21,16 @@ assets = [
 [dependencies]
 actix-web = "4.1.0"
 chrono = { version = "0.4.19", features = ["serde"] }
-clap = { version = "4", features = ["derive"] }
+clap = { version = "4", features = ["derive", "env"] }
+data-encoding = "2"
 diesel = { version = "2", features = ["sqlite", "r2d2", "chrono", "i-implement-a-third-party-backend-and-opt-into-breaking-changes"] }
 diesel_migrations = { version = "2", features = ["sqlite"] }
 dirs-next = "2.0.0"
 dotenvy = "0.15.0"
 env_logger = "0.11"
+in-toto = "0.4.0"
 log = "0.4.17"
+pem = "3"
 rand = "0.9"
 rebuilderd-common = { version = "=0.23.0", path = "../common" }
 serde = { version = "1.0.137", features = ["derive"] }

daemon/Cargo.toml

@@ -1,3 +1,4 @@
+use crate::attestation::{self, Attestation};
 use crate::auth;
 use crate::config::Config;
 use crate::dashboard::DashboardState;
@@ -10,9 +11,10 @@ use actix_web::http::header::{AcceptEncoding, ContentEncoding, Encoding, Header}
 use actix_web::{get, http, post, HttpRequest, HttpResponse, Responder};
 use chrono::prelude::*;
 use diesel::SqliteConnection;
+use in_toto::crypto::PrivateKey;
 use rebuilderd_common::api::*;
 use rebuilderd_common::errors::*;
-use rebuilderd_common::{PkgRelease, Status};
+use rebuilderd_common::{PkgRelease, PublicKeys, Status};
 use std::collections::HashSet;
 use std::net::IpAddr;
 use std::sync::{Arc, RwLock};
@@ -429,6 +431,7 @@ pub async fn ping_build(
 pub async fn report_build(
     req: HttpRequest,
     cfg: web::Data<Config>,
+    privkey: web::Data<Arc<PrivateKey>>,
     report: web::Json<BuildReport>,
     pool: web::Data<Pool>,
 ) -> web::Result<impl Responder> {
@@ -474,11 +477,17 @@ pub async fn report_build(
         };
 
         let encoded_attestation = match &rebuild.attestation {
-            Some(attestation) => Some(
-                zstd_compress(attestation.as_bytes())
-                    .await
-                    .map_err(Error::from)?,
-            ),
+            Some(attestation) => {
+                let mut attestation = Attestation::parse(attestation.as_bytes())?;
+
+                // add additional signature
+                attestation.sign(&privkey)?;
+
+                // compress attestation
+                let compressed = attestation.to_compressed_bytes().await?;
+
+                Some(compressed)
+            }
             _ => None,
         };
 
@@ -541,20 +550,33 @@ pub async fn get_build_log(
 pub async fn get_attestation(
     req: HttpRequest,
     id: web::Path<i32>,
+    cfg: web::Data<Config>,
+    privkey: web::Data<Arc<PrivateKey>>,
     pool: web::Data<Pool>,
 ) -> web::Result<impl Responder> {
     let mut connection = pool.get().map_err(Error::from)?;
 
-    let build = match models::Build::get_id(*id, connection.as_mut()) {
-        Ok(build) => build,
-        Err(_) => return Ok(not_found()),
+    let Ok(mut build) = models::Build::get_id(*id, connection.as_mut()) else {
+        return Ok(not_found());
     };
 
-    if let Some(attestation) = build.attestation {
-        forward_compressed_data(req, "application/json; charset=utf-8", attestation).await
-    } else {
-        Ok(not_found())
+    let Some(mut attestation) = build.attestation else {
+        return Ok(not_found());
+    };
+
+    if cfg.transparently_sign_attestations {
+        let (bytes, has_new_signature) =
+            attestation::compressed_attestation_sign_if_necessary(attestation, &privkey).await?;
+
+        if has_new_signature {
+            build.attestation = Some(bytes.clone());
+            build.update(connection.as_mut())?;
+        }
+
+        attestation = bytes;
     }
+
+    forward_compressed_data(req, "application/json; charset=utf-8", attestation).await
 }
 
 #[get("/api/v0/builds/{id}/diffoscope")]
@@ -596,3 +618,11 @@ pub async fn get_dashboard(
     let resp = state.get_response()?;
     Ok(HttpResponse::Ok().json(resp))
 }
+
+#[get("/api/v0/public-keys")]
+pub async fn get_public_key(privkey: web::Data<Arc<PrivateKey>>) -> web::Result<impl Responder> {
+    let pubkey = attestation::pubkey_to_pem(privkey.public())?;
+    Ok(HttpResponse::Ok().json(PublicKeys {
+        current: vec![pubkey],
+    }))
+}

daemon/src/api.rs

@@ -0,0 +1,29 @@
+use clap::{ArgAction, Parser};
+use std::path::PathBuf;
+
+#[derive(Debug, Parser)]
+#[command(version)]
+pub struct Args {
+    /// Verbose logging
+    #[arg(short, long, action(ArgAction::Count))]
+    pub verbose: u8,
+    /// Load and print a config
+    #[arg(long, group = "action")]
+    pub check_config: bool,
+    /// Generate a signing keypair (this usually happens automatically)
+    #[arg(long, group = "action")]
+    pub keygen: bool,
+    /// Derive the public key from a private key file
+    #[arg(long, group = "action")]
+    pub derive_pubkey: Option<PathBuf>,
+    /// Configuration file path
+    #[arg(short, long)]
+    pub config: Option<PathBuf>,
+    /// Long-term key used to sign attestations
+    #[arg(
+        long,
+        env = "REBUILDERD_SIGNING_KEY",
+        default_value = "./rebuilderd.sign.key"
+    )]
+    pub signing_key: PathBuf,
+}