Skip to content
This repository has been archived by the owner on Nov 22, 2024. It is now read-only.

policy engine: Execution of YAML workflows #48

Closed
wants to merge 54 commits into from
Closed

policy engine: Execution of YAML workflows #48

wants to merge 54 commits into from

Conversation

johnandersen777
Copy link

@johnandersen777 johnandersen777 commented Aug 7, 2024
edited
Loading

@pdxjohnny
create statement: As standalone file for rev a4645e4bc3e78ad5cfd9f834…
85ae013 
…7c7e0ac8267c1079 of SCITT arch

Related: ietf-wg-scitt/draft-ietf-scitt-architecture@a4645e4
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
scitt: create_claim: Update to rev a4645e4bc3e78ad5cfd9f8347c7e0ac826…
d1b026d 
…7c1079 of SCITT arch

Related: ietf-wg-scitt/draft-ietf-scitt-architecture@a4645e4
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
docs: registration policies: CWT decode and COSESign1.verify_signature
bba1817 
- Working with SSH authorized_keys and OIDC style jwks
  - CWT decode
  - COSESign1.verify_signature
  - Working registration policy

Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
verify statement: As standalone file
40c1423 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
create statement: Issuer as public key using did:key if not given
d606d4e 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Remove unused imports
b67f664 
$ git ls-files '*.py' | xargs autoflake --in-place --remove-all-unused-imports --ignore-init-module-imports

Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
key loader format url referencing x509: Initial commit
3ae05c2 
Asciinema: https://asciinema.org/a/627130
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
tests: key loader format url referencing x509: In progress
7fe5f9b 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
key helpers: verification key to object: In progress
d46b262 
Tests passing as of https://asciinema.org/a/627194

Asciinema: https://asciinema.org/a/627150
Asciinema: https://asciinema.org/a/627165
Asciinema: https://asciinema.org/a/627183
Asciinema: https://asciinema.org/a/627193
Asciinema: https://asciinema.org/a/627194
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
docs: registration policies: x509 subject validation
c131ca9 
Asciinema: https://asciinema.org/a/627198
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
key loader: x509: Remove
572ae9f 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
key loader: did: jwk: Ditch multibase did keys
91262c3 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
test: docs: registration polcies: Ensure both ssh and oidc notary pub…
2e8ea4f 
…lic key resolvers tested seperatly

Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
key loader: did: web: SCITT SCRAPI transparency-configuration
301909d 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Implement GitHub Actions workflow evaluation as step towards workflow…
a20338a 
… based policy engine. TODO Receipts with attestations for SLSA L4

NO_CELERY=1 GITHUB_TOKEN=$(gh auth token) nodemon -e py --exec 'clear; python -m pytest -s -vv scitt_emulator/policy_engine.py; test 1'

jsonschema -i <(cat request.yml | python -c 'import json, yaml, sys; print(json.dumps(yaml.safe_load(sys.stdin.read()), indent=4, sort_keys=True))') <(python -c 'import json, scitt_emulator.policy_engine; print(json.dumps(scitt_emulator.policy_engine.PolicyEngineRequest.model_json_schema(), indent=4, sort_keys=True))')

Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Start on plugins for issuing secrets.GITHUB_TOKEN if not already in c…
12ace47 
…ontext.secrets

Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
policy engine: Make context request context and make context for in m…
7ac4dea 
…em config

Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
GitHub App style token issuance
3ded5f7 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Refactoring github app init to work for fastapi and celery
90ca27e 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
LifespanCallbacks for Celery
68e3f3b 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
working on webhooks
3f729ee 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Updates to status check runs. All tests and CLI tests passing
5e0a141 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Token usage for commit status when check-runs cannot be used
2784e12 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Handle always() if conditions, add stack path, fix output capture
1865f5e 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Vendor entrypoint_style_load into policy_engine.py
534650d 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Ensure celery worker starts for test of /webhook/github
a4c5119 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Enable setting rediss:// connection URIs
3ee35fc 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Report errors from /request/status/{task_id}
5d93869 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Client
56eba3b 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Download deno if not present
2c3761e 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
pdxjohnny and others added 20 commits March 23, 2024 22:02
@pdxjohnny
Use make_entrypoint_style_string() inferred modele path for CELERY_WO…
fd0d807 
…RKER_EXEC_WITH_PYTHON

Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Fix for lifespan_github_token try_env bail if not set
22bd3f2 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Update client examples to set TASK_ID env var
d04bab2 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Celery worker improve deno and nodejs caching
aa6a688 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
make_default_policy_engine_context()
ab7a877 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Ensure step.shell uses sys.executable when attempting python exec
95c494c 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Add /rate_limit endpoint
5d2571c 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Only download node when running api if NO_CELERY=1
9a9ab75 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
create_statement: Correct data type of payload argument to bytes
f48aa9b 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
token: issue: Fix verify_statement call
4d7ce01 
Working with litellm[proxy]@2f0a9aa17d5291d91e9dac196b72334bbb0eaf2a

Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Update policy_engine.py add mermaid
088ec48 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
policy engine: step parse outputs github actions: Fix output parsing …
71a296b 
…do not set new key when within current key

Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
TODO convert aiohttp to httpx
9adffbc 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
@pdxjohnny
Added deps to extras
c668660 
Signed-off-by: John Andersen <johnandersenpdx@gmail.com>
working
6c3312d 
Signed-off-by: John Andersen <john.s.andersen@intel.com>
optional sender.webhook_workflow
1f6d754 
Signed-off-by: John Andersen <john.s.andersen@intel.com>
policy engine: GitHubWebhookEvent data structures
97ebf7d 
Signed-off-by: John Andersen <john.s.andersen@intel.com>
policy engine: parse notices
05b39af 
Signed-off-by: John Andersen <john.s.andersen@intel.com>
policy engine: fix annotations
2527af8 
Signed-off-by: John Andersen <john.s.andersen@intel.com>
policy engine: annotations: Trigger actions based off findings
ab60710 
Signed-off-by: John Andersen <john.s.andersen@intel.com>
John Andersen added 4 commits August 20, 2024 18:35
policy engine: exceptions: Add DownloadStepUsesError
a8d0ce0 
Signed-off-by: John Andersen <john.s.andersen@intel.com>
policy engine: enable nested execution of composite actions witout ce…
bd42a5d 
…lery

Signed-off-by: John Andersen <john.s.andersen@intel.com>
policy engine: event seralization for non-working celery and addition…
10b190f 
… of uvicorn package

Signed-off-by: John Andersen <john.s.andersen@intel.com>
policy engine: set fqdn and failure_on_error_annotations_present stag…
dc7a0b7 
…ing code

Signed-off-by: John Andersen <john.s.andersen@intel.com>
@johnandersen777 johnandersen777 mentioned this pull request Aug 22, 2024
Closed
@SteveLasker
Copy link
Contributor

Thank you @pdxjohnny. This repo flushed out a number of scenarios to enable the group to make progress.
At this point, the repo has become out of date with the drafts and we've shifted to production implementations making this repo more confusing to folks looking to engage.
We'll archive this repo for reference of the work.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@johnandersen777 @SteveLasker @pdxjohnny