2022-06-20 10:20:00 +00:00
|
|
|
import json
|
2022-07-01 14:25:16 +00:00
|
|
|
import logging
|
|
|
|
import typing
|
2023-06-07 14:09:15 +00:00
|
|
|
from pathlib import Path
|
|
|
|
from functools import wraps
|
2022-06-20 10:20:00 +00:00
|
|
|
|
|
|
|
from plumbum import local, ProcessExecutionError
|
|
|
|
|
|
|
|
|
2023-06-07 14:09:15 +00:00
|
|
|
def with_env_context(func):
|
|
|
|
@wraps(func)
|
|
|
|
def wrapper(self, *args, **kwargs):
|
|
|
|
if not isinstance(self, CasWrapper):
|
|
|
|
raise TypeError(
|
|
|
|
'Cannot use "with_env_context" decorator outside of CasWrapper instance'
|
|
|
|
)
|
|
|
|
with local.env(
|
|
|
|
VCN_LC_HOST=self._vcn_lc_host,
|
|
|
|
VCN_LC_API_KEY=self._vcn_lc_api_key,
|
|
|
|
VCN_LC_PORT=self._vcn_lc_port,
|
|
|
|
):
|
|
|
|
return func(self, *args, **kwargs)
|
|
|
|
return wrapper
|
|
|
|
|
|
|
|
|
2022-06-20 10:20:00 +00:00
|
|
|
class CasWrapper:
|
|
|
|
"""
|
2023-06-07 14:09:15 +00:00
|
|
|
The python wrapper around binary `vcn`
|
2022-06-20 10:20:00 +00:00
|
|
|
from Codenotary Community Attestation Service
|
|
|
|
"""
|
|
|
|
|
2023-06-07 14:09:15 +00:00
|
|
|
def _is_binary_present(self):
|
|
|
|
if not self._full_binary_path.exists():
|
2022-09-13 11:39:54 +00:00
|
|
|
raise FileNotFoundError(
|
2023-06-07 14:09:15 +00:00
|
|
|
f'Binary VCN is not found in {self._binary_path} on the machine',
|
2022-09-13 11:39:54 +00:00
|
|
|
)
|
|
|
|
|
2022-06-20 10:20:00 +00:00
|
|
|
def __init__(
|
|
|
|
self,
|
2023-06-07 14:09:15 +00:00
|
|
|
vcn_lc_api_key: str,
|
|
|
|
vcn_lc_host: str = "eval-honeywell.codenotary.com",
|
|
|
|
vcn_lc_port: int = 443,
|
2022-07-01 14:25:16 +00:00
|
|
|
logger: logging.Logger = None,
|
2023-06-07 14:09:15 +00:00
|
|
|
binary_name: str = "vcn",
|
|
|
|
binary_path: str = "/usr/local/bin/",
|
2022-06-20 10:20:00 +00:00
|
|
|
):
|
2023-06-07 14:09:15 +00:00
|
|
|
self._vcn_lc_api_key = vcn_lc_api_key
|
|
|
|
self._vcn_lc_host = vcn_lc_host
|
|
|
|
self._vcn_lc_port = vcn_lc_port
|
|
|
|
self._binary_name = binary_name
|
|
|
|
self._binary_path = binary_path
|
|
|
|
self._full_binary_path = Path(self._binary_path, self._binary_name)
|
|
|
|
self._vcn = local[self._full_binary_path]
|
2022-07-01 14:25:16 +00:00
|
|
|
self._logger = logger
|
|
|
|
if self._logger is None:
|
|
|
|
self._logger = logging.getLogger()
|
2023-06-07 14:09:15 +00:00
|
|
|
self._is_binary_present()
|
2022-07-01 14:25:16 +00:00
|
|
|
|
2023-06-07 14:09:15 +00:00
|
|
|
def get_version(self):
|
|
|
|
self._is_binary_present()
|
|
|
|
command = self._vcn['--version']
|
2022-09-13 11:57:26 +00:00
|
|
|
version = command().split()[-1].split('v')[1]
|
2022-09-13 11:39:54 +00:00
|
|
|
return version
|
|
|
|
|
2023-06-07 14:09:15 +00:00
|
|
|
@with_env_context
|
2022-07-01 14:25:16 +00:00
|
|
|
def ensure_login(self):
|
2023-06-07 14:09:15 +00:00
|
|
|
self._vcn['login']()
|
2022-06-20 10:20:00 +00:00
|
|
|
|
2023-06-07 14:09:15 +00:00
|
|
|
@with_env_context
|
2022-06-21 06:59:43 +00:00
|
|
|
def notarize(
|
|
|
|
self,
|
|
|
|
local_path: str,
|
2022-07-01 14:25:16 +00:00
|
|
|
metadata: typing.Dict = None,
|
2022-06-21 06:59:43 +00:00
|
|
|
) -> str:
|
2022-06-20 10:20:00 +00:00
|
|
|
"""
|
2023-06-07 14:09:15 +00:00
|
|
|
Wrapper around `vcn notarize`
|
2022-06-21 06:59:43 +00:00
|
|
|
:param local_path: path to a local Git repo
|
|
|
|
:param metadata: additional metadata
|
2022-06-20 10:20:00 +00:00
|
|
|
:return: hash of notarized commit
|
|
|
|
:rtype: str
|
|
|
|
"""
|
2023-06-07 14:09:15 +00:00
|
|
|
command = self._vcn[
|
2022-06-20 10:20:00 +00:00
|
|
|
'notarize',
|
2022-06-21 06:59:43 +00:00
|
|
|
local_path,
|
2022-06-20 10:20:00 +00:00
|
|
|
'-o',
|
|
|
|
'json',
|
|
|
|
]
|
2022-06-21 06:59:43 +00:00
|
|
|
if metadata is not None:
|
|
|
|
for key, value in metadata.items():
|
|
|
|
command = command[
|
|
|
|
'-a',
|
|
|
|
f'{key}={value}',
|
|
|
|
]
|
2023-06-07 14:09:15 +00:00
|
|
|
result_of_execution = command()
|
|
|
|
result_of_execution, *_ = json.loads(result_of_execution)
|
|
|
|
return result_of_execution['hash']
|
2022-06-20 10:20:00 +00:00
|
|
|
|
2022-09-14 15:58:37 +00:00
|
|
|
def notarize_no_exc(
|
|
|
|
self,
|
|
|
|
local_path: str,
|
|
|
|
metadata: typing.Dict = None,
|
|
|
|
) -> typing.Tuple[bool, str]:
|
2022-09-14 16:28:45 +00:00
|
|
|
"""
|
|
|
|
Wrapper for avoiding raising exceptions during notarization.
|
|
|
|
Return `success` flag instead for library user to react respectively.
|
|
|
|
:param local_path: path to a local Git repo
|
|
|
|
:param metadata: additional metadata
|
|
|
|
:return: boolean flag for operation success and the hash
|
|
|
|
of the notarized artifact.
|
|
|
|
:rtype: tuple
|
|
|
|
"""
|
2022-09-14 15:58:37 +00:00
|
|
|
success = False
|
|
|
|
try:
|
2023-06-07 14:09:15 +00:00
|
|
|
vcn_hash = self.notarize(local_path, metadata=metadata)
|
2022-09-14 15:58:37 +00:00
|
|
|
success = True
|
|
|
|
except Exception:
|
|
|
|
self._logger.exception('Cannot notarize artifact: %s',
|
|
|
|
local_path)
|
2023-06-07 14:09:15 +00:00
|
|
|
vcn_hash = ''
|
|
|
|
return success, vcn_hash
|
2022-09-14 15:58:37 +00:00
|
|
|
|
2023-06-07 14:09:15 +00:00
|
|
|
@with_env_context
|
2022-06-21 06:56:58 +00:00
|
|
|
def authenticate(
|
|
|
|
self,
|
|
|
|
local_path: str,
|
2022-07-01 14:25:16 +00:00
|
|
|
return_json: bool = False,
|
|
|
|
use_hash: bool = False,
|
2023-06-07 14:09:15 +00:00
|
|
|
signer_id: str = "",
|
|
|
|
) -> typing.Union[bool, dict]:
|
2022-06-20 10:20:00 +00:00
|
|
|
"""
|
2023-06-07 14:09:15 +00:00
|
|
|
Wrapper around `vcn authenticate`
|
2022-06-21 06:56:58 +00:00
|
|
|
:param local_path: path to a local Git repo
|
|
|
|
(should be started from `git://`)
|
2022-07-01 14:25:16 +00:00
|
|
|
or to a single local file or hash
|
|
|
|
:param return_json: flag for return json response
|
|
|
|
:param use_hash: flag for authenticate by hash
|
2022-06-20 10:20:00 +00:00
|
|
|
:return: true if a commit is trusted, vice versa - false
|
2022-07-01 14:25:16 +00:00
|
|
|
or dict with result if return_json param is True
|
|
|
|
:rtype: bool or dict
|
2022-06-20 10:20:00 +00:00
|
|
|
"""
|
2022-07-01 14:25:16 +00:00
|
|
|
command_args = ['authenticate', local_path]
|
|
|
|
if use_hash:
|
|
|
|
command_args = ['authenticate', '--hash', local_path]
|
2022-11-08 13:01:33 +00:00
|
|
|
if signer_id:
|
|
|
|
command_args.extend(('--signerID', signer_id))
|
2022-07-01 14:25:16 +00:00
|
|
|
command_args.extend(('-o', 'json'))
|
2023-06-07 14:09:15 +00:00
|
|
|
command = self._vcn[command_args]
|
2022-06-20 10:20:00 +00:00
|
|
|
try:
|
2023-06-07 14:09:15 +00:00
|
|
|
result_of_execution = command()
|
2022-06-20 10:20:00 +00:00
|
|
|
except ProcessExecutionError:
|
2023-06-07 14:09:15 +00:00
|
|
|
# in case if commit is untrusted
|
|
|
|
result_of_execution = command(retcode=1)
|
2022-07-01 14:25:16 +00:00
|
|
|
json_result = json.loads(result_of_execution)
|
|
|
|
if return_json:
|
|
|
|
return json_result
|
|
|
|
return not bool(json_result['status'])
|
|
|
|
|
|
|
|
def authenticate_source(
|
|
|
|
self,
|
|
|
|
local_path: str,
|
2023-06-07 14:09:15 +00:00
|
|
|
signer_id: str = "",
|
2022-07-01 14:25:16 +00:00
|
|
|
) -> typing.Tuple[bool, typing.Optional[str]]:
|
|
|
|
"""
|
|
|
|
Authenticates source by git path.
|
|
|
|
Returns authenticate result and source commit hash.
|
|
|
|
"""
|
|
|
|
is_authenticated = False
|
2023-06-07 14:09:15 +00:00
|
|
|
commit_vcn_hash = None
|
2022-07-01 14:25:16 +00:00
|
|
|
self.ensure_login()
|
|
|
|
try:
|
2022-11-08 13:01:33 +00:00
|
|
|
result_json = self.authenticate(
|
|
|
|
local_path,
|
|
|
|
return_json=True,
|
2023-06-07 14:09:15 +00:00
|
|
|
signer_id=signer_id,
|
2022-11-08 13:01:33 +00:00
|
|
|
)
|
2022-07-01 14:25:16 +00:00
|
|
|
is_authenticated = result_json['verified']
|
2023-06-07 14:09:15 +00:00
|
|
|
commit_vcn_hash = result_json['hash']
|
2022-07-01 14:25:16 +00:00
|
|
|
# we can fall with ProcessExecutionError,
|
|
|
|
# because source can be not notarized
|
|
|
|
except ProcessExecutionError:
|
|
|
|
self._logger.exception('Cannot authenticate: %s', local_path)
|
2023-06-07 14:09:15 +00:00
|
|
|
return is_authenticated, commit_vcn_hash
|
2022-07-01 14:25:16 +00:00
|
|
|
|
|
|
|
def authenticate_artifact(
|
|
|
|
self,
|
|
|
|
local_path: str,
|
|
|
|
use_hash: bool = False,
|
2023-06-07 14:09:15 +00:00
|
|
|
signer_id: str = "",
|
2022-07-01 14:25:16 +00:00
|
|
|
) -> bool:
|
|
|
|
"""
|
|
|
|
Authenticates artifact by artifact path or hash if `use_hash` is True.
|
|
|
|
Returns authenticate result.
|
|
|
|
"""
|
|
|
|
is_authenticated = False
|
|
|
|
self.ensure_login()
|
|
|
|
try:
|
|
|
|
is_authenticated = self.authenticate(
|
|
|
|
local_path,
|
|
|
|
use_hash=use_hash,
|
|
|
|
return_json=True,
|
2022-11-08 13:01:33 +00:00
|
|
|
signer_id=signer_id
|
2022-07-01 14:25:16 +00:00
|
|
|
)['verified']
|
|
|
|
# we can fall with ProcessExecutionError,
|
|
|
|
# because artifact can be not notarized
|
|
|
|
except ProcessExecutionError:
|
|
|
|
self._logger.exception('Cannot authenticate: %s', local_path)
|
|
|
|
return is_authenticated
|
|
|
|
|
|
|
|
def notarize_artifacts(
|
|
|
|
self,
|
|
|
|
artifact_paths: typing.List[str],
|
|
|
|
metadata: typing.Dict[str, typing.Any],
|
|
|
|
) -> typing.Tuple[bool, typing.Dict[str, str]]:
|
|
|
|
"""
|
|
|
|
Notarize artifacts by their paths.
|
2023-06-07 14:09:15 +00:00
|
|
|
Returns `True` if all artifacts was successful notarizated
|
|
|
|
and dict with VCN hashes.
|
2022-07-01 14:25:16 +00:00
|
|
|
"""
|
|
|
|
all_artifacts_is_notarized = True
|
|
|
|
notarized_artifacts = {}
|
|
|
|
self.ensure_login()
|
2022-08-18 08:27:46 +00:00
|
|
|
|
|
|
|
# ALBS-576: We stopped doing this process in parallel due to the
|
|
|
|
# problems experienced and described in this CAS issue:
|
|
|
|
# https://github.com/codenotary/cas/issues/275
|
|
|
|
# Hence, we decided to go sequential here until the problem is
|
|
|
|
# resolved in CAS itself.
|
|
|
|
for artifact_path in artifact_paths:
|
|
|
|
try:
|
2023-06-07 14:09:15 +00:00
|
|
|
vcn_artifact_hash = self.notarize(artifact_path, metadata)
|
2022-08-18 08:27:46 +00:00
|
|
|
except Exception:
|
|
|
|
self._logger.exception('Cannot notarize artifact: %s',
|
|
|
|
artifact_path)
|
|
|
|
all_artifacts_is_notarized = False
|
|
|
|
continue
|
2023-06-07 14:09:15 +00:00
|
|
|
notarized_artifacts[artifact_path] = vcn_artifact_hash
|
2022-07-01 14:25:16 +00:00
|
|
|
return all_artifacts_is_notarized, notarized_artifacts
|