Verify step signatures

[moskyb]

This PR: Enables the buildkite-agent to verify incoming jobs against signatures uploaded in their pipeline uploads.

This is done by a process (vaguely):

• When accepting a job, the Job sent by the backend will (WIP) now include a step attribute, which contains a subset of information contained in the step upload - at current, it's the step's command and signature, though as we sign more elements of the signature, this will expand to include other elements
• After accepting the job, but before kicking off the bootstrap process, the agent computes a signature for the step, and compares it to the signature shipped in the accept payload
• With the step verified, we need to check that the Job's elements match the Step's
• If they match, run the job
• If they don't (or there's a signature mismatch, or any other error happens during this process), fail the job with exit status -1, and an informational signal reason - this is all handled very similarly to the existing pre-bootstrap hook

[triarius]

Looking good.

I think all my comments are just various degrees of nits.

But I would encourage exploring what putting this stuff in a different package would look like.

[triarius]

Maybe explain what these are. The other one seems obvious, but it deserves a doc comment too.

[triarius]

I see they're explained below, but this is a higher level. I think it's good to talk about them here as well.

[moskyb]

error handling? what's that?

[DrJosh9000]

Good stuff ...but still reviewing...

[DrJosh9000]

Oh goodness. When did we start depending on exp packages?

At least these will be making their way into Go 1.21 largely the same.

[moskyb]

um, it's, um, it's hard to say, exactly, when (May 5th 2022) this started or who (extremely me) started it

[DrJosh9000]

Welp, looks like maps.Keys isn't making it to stdlib maps (yet): golang/go#61538

(slices.Contains is still in, so I'll let this PR slide)

[triarius]

This is shaping up to be amazing!

[triarius]

I do think the if/else chain I suggested last time looks better here.

I, too, generally prefer switches to if/else chains, but here:

1. There is no added efficiency in using a switch as all the case statements have to be evaluated in order in the worst case as there is no value to switch on.
2. This statement leaks the ise variable. The if/else chain would scope it exclusively to the appropriate branch

But I'm not going to die on this hill.

[DrJosh9000]

If I were to change anything, it would be to replace default: with case err != nil:, and not make err == nil a case in the switch.

As in, the other side of "indent error flow" is "don't indent non-error flow".

[triarius]

🎉

[triarius]

This is great!

[DrJosh9000]

Huzzah! 🧃

[DrJosh9000]

We'll also have to set the new field in unmarshalMap.

[moskyb]

oooh good point

[DrJosh9000]

... and interpolate ...

[DrJosh9000]

Welp, looks like maps.Keys isn't making it to stdlib maps (yet): golang/go#61538

(slices.Contains is still in, so I'll let this PR slide)

[DrJosh9000]

It's used between signature-missing and signature-invalid, so perhaps

Suggested change

	var noSignatureBehaviors = []string{agent.VerificationBehaviourBlock, agent.VerificationBehaviourWarn}
	var verificationFailureBehaviors = []string{agent.VerificationBehaviourBlock, agent.VerificationBehaviourWarn}

[DrJosh9000]

Job looks big enough that I'd make this receiver *Job (for not-copying-it-over-stack reasons, not for modifying-the-fields reasons).

[DrJosh9000]

I was going to suggest it would be simpler to override BUILDKITE_COMMAND with step.Command, than to carefully compare each field.

But thinking about it, they would only differ if the backend (ours or the hypothetical attacker's) is doing crimes, in which case we probably shouldn't run anything. And the backend can't migrate away from passing BUILDKITE_COMMAND without breaking every old agent version. (Ah, but it could sniff the agent version then vary the job...)

Might be worth documenting that?

[moskyb]

just to double check, are saying that it might be good to document that the only reason that step and job fields should differ is if an attacker is doing crimes on the backend?

[DrJosh9000]

It might not be the only reason, but it definitely seems like a reason

[dabarrell]

My initial thought was that AGENT_REFUSED might already serve the purpose here, but I imagine you're trying to tick off the objective of showing verification failure in the timeline at the same time.

It feels a little strange to be embedding the failure mode into the signal reason like this. We probably don't want to pack signal reason with a whole bunch of values - more a class of error, rather than an error string, if that makes sense. Beyond feeling a bit wrong, think about how they're used - if a user wanted to catch the errors for an automatic retry, for example, they'd need to list them all. Have you considered one signal reason for these (perhaps VERIFICATION_FAILED, and showing the actual error in the agent/job logs?

[triarius]

If signal reason was designed for users to catch and retry, then I don't think we should be overloading its use to also display information in the timeline. Is there another way of creating a job event for signing failures? If not, I think we should examine building one when the time to build the timeline feature arrives.