Chains Spire Verification (#24)

* Implement Chains API server with GRPC, and add in an integration test

* Add SPIRE verification to chains

* fix merge conflict

* pull main and tidy

Signed-off-by: pxp928 <parth.psu@gmail.com>

* added spire annotation verification

Signed-off-by: pxp928 <parth.psu@gmail.com>

* error if spire verification fails

Signed-off-by: pxp928 <parth.psu@gmail.com>

* changed to check status annotations

Signed-off-by: pxp928 <parth.psu@gmail.com>

* removed local spire and moved condition check

Signed-off-by: pxp928 <parth.psu@gmail.com>

* updated condition check and spire check to format

Signed-off-by: pxp928 <parth.psu@gmail.com>

* fixed typo

Signed-off-by: pxp928 <parth.psu@gmail.com>

* fixed vendor for pipelines

Signed-off-by: pxp928 <parth.psu@gmail.com>

Co-authored-by: Priya Wadhwa <priyawadhwa@google.com>

config/100-deployment.yaml

@@ -92,6 +92,9 @@ spec:
           mountPath: /etc/signing-secrets
         - name: oidc-info
           mountPath: /var/run/sigstore/cosign
+        - name: spiffe-workload-api
+          mountPath: /spiffe-workload-api
+          readOnly: true
         env:
         - name: SYSTEM_NAMESPACE
           valueFrom:
@@ -120,3 +123,6 @@ spec:
                 path: oidc-token
                 expirationSeconds: 600 # Use as short-lived as possible.
                 audience: sigstore
+      - name: spiffe-workload-api
+        csi:
+          driver: "csi.spiffe.io"

go.mod

@@ -4,6 +4,8 @@ go 1.17
 
 replace k8s.io/kube-openapi => k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c
 
+replace github.com/tektoncd/pipeline v0.31.1-0.20220105002759-3e137645be61 => ../pipeline
+
 require (
 	cloud.google.com/go/compute v1.6.1
 	cloud.google.com/go/storage v1.22.0
@@ -15,7 +17,7 @@ require (
 	github.com/google/addlicense v1.0.0
 	github.com/google/go-cmp v0.5.8
 	github.com/google/go-containerregistry v0.8.1-0.20220216220642-00c59d91847c
-	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20220310143843-f1fa40b162a1
+	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20220328141311-efc62d802606
 	github.com/google/go-licenses v0.0.0-20210816172045-3099c18c36e1
 	github.com/grafeas/grafeas v0.2.1
 	github.com/hashicorp/errwrap v1.1.0
@@ -44,7 +46,7 @@ require (
 	github.com/sigstore/sigstore v1.2.1-0.20220424143412-3d41663116d5
 	github.com/spiffe/go-spiffe/v2 v2.1.0
 	github.com/tektoncd/pipeline v0.31.1-0.20220105002759-3e137645be61
-	github.com/tektoncd/plumbing v0.0.0-20211012143332-c7cc43d9bc0c
+	github.com/tektoncd/plumbing v0.0.0-20220329085922-d765a5cba75f
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
 	go.uber.org/atomic v1.9.0
 	go.uber.org/zap v1.21.0
@@ -262,7 +264,7 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/julz/importas v0.1.0 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
-	github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd // indirect
+	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
 	github.com/kisielk/errcheck v1.6.0 // indirect
 	github.com/kisielk/gotool v1.0.0 // indirect
 	github.com/klauspost/compress v1.15.1 // indirect
@@ -340,6 +342,7 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.11.0 // indirect
+	github.com/spiffe/spire-api-sdk v1.2.1 // indirect
 	github.com/src-d/gcfg v1.4.0 // indirect
 	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
 	github.com/stretchr/objx v0.3.0 // indirect
@@ -348,6 +351,7 @@ require (
 	github.com/sylvia7788/contextcheck v1.0.4 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect
 	github.com/tdakkota/asciicheck v0.1.1 // indirect
+	github.com/tektoncd/resolution v0.0.0-20220331203013-e4203c70c5eb // indirect
 	github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
 	github.com/tetafro/godot v1.4.11 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
@@ -362,7 +366,7 @@ require (
 	github.com/uudashr/gocognit v1.0.5 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
 	github.com/xanzy/go-gitlab v0.64.0 // indirect
-	github.com/xanzy/ssh-agent v0.2.1 // indirect
+	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
 	github.com/yagipy/maintidx v1.0.0 // indirect
 	github.com/yeya24/promlinter v0.1.1-0.20210918184747-d757024714a1 // indirect
@@ -415,7 +419,7 @@ require (
 	gopkg.in/src-d/go-billy.v4 v4.3.2 // indirect
 	gopkg.in/src-d/go-git.v4 v4.13.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	gopkg.in/yaml.v3 v3.0.0 // indirect
 	honnef.co/go/tools v0.2.2 // indirect
 	k8s.io/apiextensions-apiserver v0.23.4 // indirect
 	k8s.io/gengo v0.0.0-20220307231824-4627b89bbf1b // indirect

pkg/chains/formats/format.go

@@ -13,9 +13,20 @@ limitations under the License.
 
 package formats
 
+import (
+	"context"
+	"fmt"
+
+	"github.com/pkg/errors"
+	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
+	"github.com/tektoncd/pipeline/pkg/spire"
+	"go.uber.org/zap"
+	"knative.dev/pkg/apis"
+)
+
 // Payloader is an interface to generate a chains Payload from a TaskRun
 type Payloader interface {
-	CreatePayload(obj interface{}) (interface{}, error)
+	CreatePayload(ctx context.Context, obj interface{}) (interface{}, error)
 	Type() PayloadType
 	Wrap() bool
 }
@@ -30,3 +41,33 @@ const (
 )
 
 var AllFormatters = []PayloadType{PayloadTypeTekton, PayloadTypeSimpleSigning, PayloadTypeInTotoIte6}
+
+func VerifySpire(ctx context.Context, tr *v1beta1.TaskRun, spireControllerAPI *spire.SpireControllerApiClient, logger *zap.SugaredLogger) error {
+	if err := verifySignedTaskrrunResults(tr); err != nil {
+		return err
+	} else {
+		if len(tr.Status.TaskRunResults) > 0 {
+			logger.Info("spire taskrun status condition verified")
+		}
+	}
+	if err := spireControllerAPI.VerifyStatusInternalAnnotation(ctx, tr, logger); err != nil {
+		return errors.Wrap(err, "verifying SPIRE")
+	} else {
+		logger.Info("internal status annotation verified by spire")
+	}
+	return nil
+}
+
+func verifySignedTaskrrunResults(tr *v1beta1.TaskRun) error {
+	if len(tr.Status.TaskRunResults) > 0 {
+		taskRunCondition := tr.Status.GetCondition(apis.ConditionType(v1beta1.TaskRunConditionResultsVerified.String()))
+		if taskRunCondition != nil {
+			if taskRunCondition.IsFalse() {
+				return errors.New("taskrun status condition not verified. Spire taskrun results verification failure")
+			}
+		} else {
+			return fmt.Errorf("could not find condition Type %s in taskrun status", v1beta1.TaskRunConditionResultsVerified.String())
+		}
+	}
+	return nil
+}

pkg/chains/formats/intotoite6/intotoite6.go

@@ -17,6 +17,7 @@ limitations under the License.
 package intotoite6
 
 import (
+	"context"
 	"fmt"
 	"sort"
 	"strings"
@@ -29,6 +30,8 @@ import (
 	"github.com/tektoncd/chains/pkg/config"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1"
 	"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1"
+	"github.com/tektoncd/pipeline/pkg/spire"
+	spireconfig "github.com/tektoncd/pipeline/pkg/spire/config"
 	"go.uber.org/zap"
 
 	"github.com/google/go-containerregistry/pkg/name"
@@ -42,26 +45,37 @@ const (
 )
 
 type InTotoIte6 struct {
-	builderID string
-	logger    *zap.SugaredLogger
+	builderID          string
+	logger             *zap.SugaredLogger
+	spireEnabled       bool
+	spireControllerAPI *spire.SpireControllerApiClient
 }
 
 func NewFormatter(cfg config.Config, logger *zap.SugaredLogger) (formats.Payloader, error) {
 	return &InTotoIte6{
-		builderID: cfg.Builder.ID,
-		logger:    logger,
+		builderID:    cfg.Builder.ID,
+		logger:       logger,
+		spireEnabled: cfg.SPIRE.Enabled,
+		spireControllerAPI: spire.NewSpireControllerApiClient(spireconfig.SpireConfig{
+			SocketPath: cfg.SPIRE.SocketPath,
+		}),
 	}, nil
 }
 
 func (i *InTotoIte6) Wrap() bool {
 	return true
 }
 
-func (i *InTotoIte6) CreatePayload(obj interface{}) (interface{}, error) {
+func (i *InTotoIte6) CreatePayload(ctx context.Context, obj interface{}) (interface{}, error) {
 	var tr *v1beta1.TaskRun
 	switch v := obj.(type) {
 	case *v1beta1.TaskRun:
 		tr = v
+		if i.spireEnabled {
+			if err := formats.VerifySpire(ctx, tr, i.spireControllerAPI, i.logger); err != nil {
+				return nil, err
+			}
+		}
 	default:
 		return nil, fmt.Errorf("intoto does not support type: %s", v)
 	}

pkg/chains/formats/intotoite6/intotoite6_test.go

@@ -17,6 +17,7 @@ limitations under the License.
 package intotoite6
 
 import (
+	"context"
 	"encoding/json"
 	"io/ioutil"
 	"testing"
@@ -105,7 +106,7 @@ func TestCreatePayload1(t *testing.T) {
 	}
 	i, _ := NewFormatter(cfg, logtesting.TestLogger(t))
 
-	got, err := i.CreatePayload(tr)
+	got, err := i.CreatePayload(context.Background(), tr)
 
 	if err != nil {
 		t.Errorf("unexpected error: %s", err.Error())
@@ -151,7 +152,7 @@ func TestCreatePayload2(t *testing.T) {
 		},
 	}
 	i, _ := NewFormatter(cfg, logtesting.TestLogger(t))
-	got, err := i.CreatePayload(tr)
+	got, err := i.CreatePayload(context.Background(), tr)
 
 	if err != nil {
 		t.Errorf("unexpected error: %s", err.Error())
@@ -171,7 +172,7 @@ func TestCreatePayloadNilTaskRef(t *testing.T) {
 	}
 	f, _ := NewFormatter(cfg, logtesting.TestLogger(t))
 
-	p, err := f.CreatePayload(tr)
+	p, err := f.CreatePayload(context.Background(), tr)
 	if err != nil {
 		t.Errorf("unexpected error: %s", err.Error())
 	}
@@ -231,7 +232,7 @@ func TestMultipleSubjects(t *testing.T) {
 	}
 
 	i, _ := NewFormatter(cfg, logtesting.TestLogger(t))
-	got, err := i.CreatePayload(tr)
+	got, err := i.CreatePayload(context.Background(), tr)
 	if err != nil {
 		t.Errorf("unexpected error: %s", err.Error())
 	}
@@ -266,7 +267,7 @@ func TestCreatePayloadError(t *testing.T) {
 	f, _ := NewFormatter(cfg, logtesting.TestLogger(t))
 
 	t.Run("Invalid type", func(t *testing.T) {
-		p, err := f.CreatePayload("not a task ref")
+		p, err := f.CreatePayload(context.Background(), "not a task ref")
 
 		if p != nil {
 			t.Errorf("Unexpected payload")