cse-labs / ratify Goto Github PK
View Code? Open in Web Editor NEWThis project forked from ratify-project/ratify
Artifact Ratification Framework
Home Page: https://deislabs.github.io/ratify/
License: Apache License 2.0
This project forked from ratify-project/ratify
Artifact Ratification Framework
Home Page: https://deislabs.github.io/ratify/
License: Apache License 2.0
This documentation would provide guidance for plugin developers
Unit tests with coverage of equivalent state for the updated VerifySubject function of the Executor
Related to #6
Description:
Verify implementation of BYOK with CRDs
Ratify config updates with CRDs needs better documentation in upstream
AC:
Description:
A failed verification is treated as if an exception is being thrown.
Policy provider in JSON config - Passthrough mode helps to verify robust policies in rego.
Without passthrough mode expectation is that if validation of subject fails, loop breaks out.
With passthrough mode on, validation failure or exception thrown, loop continues on to next artifact.
Acceptance Criteria:
Description:
Currently, constraint templates exist in library folder.
Acceptance Criteria:
In current state, policy providers in Ratify serve two purposes:
passthrough
, this is always true)The introduction of passthrough mode allows something external to Ratify make that call -- like Gatekeeper in a Kubernetes cluster. In instances where no external entity is available to step in and make the final decision, the current "any" or "all" checks are rudimentary. Ideally, an orchestrator could be configured to evaluate rego constraints like Gatekeeper through the inclusion of the OPA Constraint Framework library.
The addition of this function may require elevating "constraint evaluation" to be another type of plugin -- just for orchestrators instead the Executor.
Currently it's possible to jam in nonsense, label it as SPDX, and the SBOM verifier is happy to accept it. We want to validate that artifacts are in the correct format before returning isSuccess: true
This is a spike to prove out the idea. We want to start small with a single example/type versus trying to solve the general problem for all possible use cases
Acceptance Criteria
application/spdx+json
The bulk of work surrounding CRDs for the plugin configuration is being handled in the upstream repository. As we shift configuration management out of the Executor and into the purview of the orchestrators, we need to make sure that the orchestrator intended to serve as the Gatekeeper external data provider is configured to be listening for changes to the cache of the CRDs and appropriately add/update/remove such plugin from the Executor with the functions added with #7
gRPC verifier plugins need to be able to call the store functions the Executor exposes as a part of #5. Since the Executor is a part of the core package, it cannot expose service endpoints. This is the responsibility of the orchestrator component.
This includes but is not limited to:
ExecutionMode
what are the options, what impact does it have...Description
Original findings - Current findings reported here
Current behaviour:
If verifier cannot verify - execution moves to next verifier
If verifier can verify - execution loop exits
Assumption is that per artifact type there is only one verifier
Expectation:
If verifier cannot verify - execution moves to next verifier
If verifier can verify - execution moves to next verifier
Acceptance Criteria
How does Ratify (Oras auth providers) handle authenticated connectivity to single/multiple container registries.
How/can this be achieved?
For example, assume both of these registries require auth, what happens when the following is run:
kubectl run demo --image=foobar1.azurecr.io/test/helloworld:signed
kubectl run demo --image=foobar2.azurecr.io/test/helloworld:signed
A quick demo and or explanation of how auth currently works within Ratify (Oras auth providers).
This is documentation for comprehension/understanding and not for integration/development per se.
This would include but is not limited to:
We originally had a vision of a long-running branch here to stage significant changes. We're now currently aiming at pushing small incremental updates to upstream
It would remove a bit of friction for main in both branches to be in sync, but we currently have a few diffs on the cse side
Acceptance Criteria
For the file watching capability in the config manager, if the file hashes don't match, the ManagePlugins
function added with #7
Any orchestrator using the json configuration file will be impacted by these changes.
Description:
Define the purpose of verifiers in current state. What would the purpose of verifiers be in desired state? What should the boundary between responsibility of verifier vs. responsibility of constraint/policy be? This should probably be done by all groups after there is greater familiarity with the codebase and the different components. Ideally, the whole group would reconcile and agree upon the definitions/boundary of desired state.
AC
Description
Using Plugins from ACR
AC
Currently, in pkg/verifier/plugin/plugin.go
, plugins perform the logic to traverse nestedReferences
. Other verifiers, such as notaryv2
do not include this logic, and it is confusing to determine how this feature works
The goal of this story is to move that control flow out of plugins and into pkg/executor/core/executor.go
so that all plugins execute in a consistent manner
Note: this item was already included in the CSE<->Ratify design document
Note 2: Noel has some PoC code on this topic
** Acceptance Criteria **
nestedReferences
and does the work to traverse down into the treeAs a ratify developer, I want to provide extensibility for verifier plugins by providing a gRPC option so that ratify plugin developers can bring their own gRPC verifier plugins
this is the http server which exposes a single endpoint spec'd to integrate with Gatekeeper as an external data provider
this is the http server which exposes a single endpoint spec'd to integrate with Gatekeeper as an external data provider
Unit tests with coverage equivalent to existing state
Coverage of the new plugin management functions
Related to #7
As a ratify developer, I want to provide extensibility for store plugins by providing a gRPC option so that ratify plugin developers can bring their own gRPC store plugins
This should include:
Currently there is a single Dockerfile for Ratify. It lives in the httpserver
folder and the entrypoint command is serve
to boot up an http server.
Although ORAS doesn't have a server component / option, it does provide the option to run the CLI in a container. Gatekeeper also has the gator CLI which can be run in a container too.
Gatekeeper also has a Dockerfile for CRDs which builds separately from the core image
What steps did you take and what happened:
The current TestStore (pkg/referrerstore/mocks/types.go) in the codebase is a partial implementation and cannot be customized to handle nested artifact tests. It only allows one hardcoded return for referrers and subject lookup is hardcoded to look at a tag.
What did you expect to happen:
A test object should be easy to configure and use. It should also be robust enough to handle a variety of test scenarios. A new test store (pkg/referrerstore/mocks/memory_store.go) is being added for nested reference tests and it should superceede and replace the other TestStore.
Anything else you would like to add:
The new test store could also benefit from a fluent builder to make test code more concise, readable, and clean from magic values. A proposed example below:
store := mocks.CreateEmptyMemoryTestStore()
subjectUri := store.AddSubject("test-image-subject", mocks.DockerMediaType).
WithReferrer("sbom", mocks.ArtifactMediaType, mocks.SbomArtifactType).
WithReferrer("image-sig", mocks.ArtifactMediaType, mocks.SignatureArtifactType).
GetTestUri()
store.AddSubject("sbom", mocks.ArtifactMediaType).
WithReferrer("sbom-sig", mocks.ArtifactMediaType, mocks.SignatureArtifactType)
Environment:
kubectl version
):Whether e2e or integration, tests need to be included to ensure confidence in the gRPC plugin path through tangible results.
The requirement isn't 1 standalone test for each, but each should be covered by at least 1 test:
GetBlobContent
GetReferenceManifest
GetSubjectDescriptor
ListReferrers
GetBlobContent
GetReferenceManifest
GetSubjectDescriptor
ListReferrers
Description
Currently 2 SBOM plugins - SBOM verifier, License checker
Need to check efficiency or capability of SBOMs generated by MS SBOM tool
Acceptance Criteria
Description
We have some great documentation that came out of the exploration phase.
We need to push the relevant/beneficial ones upstream.
AC
We've created an out of tree verifier, but have not done the same with a store. The goal of this issue is to create a simple store and answer the following questions
Acceptance Criteria
There is currently a verifier plugin template located at https://github.com/noelbundick-msft/ratify-verifier-plugin
Noel will not maintain this
We need to get it moved into deislabs, if possible
Acceptance Criteria
Description
Need to find out if something like an SBOM crawler to scan contents of SBOM exists.
AC
New AC below
Create prototype that will
Unit tests for the revamped verify function with coverage equivalent to current state
related to #4
This is expected to be in the same vein as the existing VerifySubject function. It will be unused code and a separate issue will handle the switch over to this function from the current.
Additional params:
Although the respective config objects should be the parameters, when it comes to execution, this function should accept only the "name" property to be provided. If only the name is provided, then the plugin in question must exist in the cached plugin instantiations.
The devcontainer currently does some useful things to put the default wabbitnetworks.azurecr.io
cert into the correct location
With the inclusion of notation rc1 changes, the cert location has changed from ~/.ratify/ratify-certs/notary
to ~/.ratify/ratify-certs/notary/truststore/x509/ca/certs
. We need to land the file in the correct location when we set it up in .devcontainer/post-create.sh
We also need to merge #53
Acceptance Criteria
wabbitnetworks.azurecr.io/test/net-monitor:signed
Description:
This entails exploring what is currently possible with out of tree plugins, what are the limitations.
Out of Tree plugin -- one that is not included in the ratify repo.
Acceptance Criteria:
Try working with out of tree plugins with following ways:
Just tested out changing helm values and running helm upgrade and seems to work fine. Interested to hear if anyone is still having issues with this. - Josh (not sure why it is not allowing me to add my own comment so it looks like Noel wrote this but he did not)
Passthrough mode used to be important & impacted control flow. Now, it only forces the top-level isSuccess
property to true
It may not be needed anymore. Figure it out, make a recommendation in Ratify issues + community call (or close this)
This involves updating the actual plugins themselves. The specifics of the updated Verify signature are dependent on decisions made as a part of #4.
Verifier plugins to update include:
For performance reasons, the Executor must be able to instantiate plugins and hold them in memory separate from core VerifySubject
request.
A v2 of the Executor struct should be made & the Config object should be removed. The ReferrerStores and Verifiers can stay -- these will continue to serve as the in memory storage for instantiated plugins.
The following functions must be added to the Executor:
Whether e2e or integration, tests need to be included to ensure confidence in the gRPC plugin path through tangible results.
The requirement isn't 1 standalone test for each, but each should be covered by at least 1 test:
To decouple the verifiers and stores, the Executor must have public/accessible functions which can call the appropriate store and return the result.
The parameters must include:
Required functions:
GetReferenceManifest
GetBlobContent
TODO: May need to rephrase to provide more context/clarity
Decouple store context from binary plugins, figure out how orchestration works so that verify is NOT interacting w/ store directly -- provides flexibility for verifier interface
This is expected to be introduced alongside the existing Verify
function here in the plugin runner for binary verifiers. It will be unused code and a separate issue will handle the switch over to this function from the current.
In place of accepting the store config as a parameter, the verifier should be passed the information required to call the Executor. The functions the Executor will exposed are handled with issue #5
Includes unit tests
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.