Release v2.6.0

.github/workflows/cicd.yaml

@@ -207,6 +207,7 @@ jobs:
             "regular",
             "cosign",
             "multi-cosigned",
+            "rekor-cosigned",
             "namespace-val",
             "deployment",
             "pre-config",

.github/workflows/codeql-analysis.yml

@@ -21,9 +21,9 @@ jobs:
       uses: actions/checkout@v3
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: 'python'
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

.github/workflows/dockerhub-check.yml

@@ -39,5 +39,9 @@ jobs:
         run: DOCKER_CONTENT_TRUST=0 docker pull docker.io/securesystemsengineering/testimage:multi-cosigned-charlie-alice
       - name: Check Cosign multisigner test image signed by alice, bob and charlie
         run: DOCKER_CONTENT_TRUST=0 docker pull docker.io/securesystemsengineering/testimage:multi-cosigned-alice-bob-charlie
+      - name: Check Cosign cosigned testimage not in rekor log
+        run: DOCKER_CONTENT_TRUST=0 docker pull docker.io/securesystemsengineering/testimage:rekor-cosigned-notl
+      - name: Check Cosign cosigned testimage in rekor log
+        run: DOCKER_CONTENT_TRUST=0 docker pull docker.io/securesystemsengineering/testimage:rekor-cosigned-tl
       - name: Check alerting endpoint image
         run: DOCKER_CONTENT_TRUST=0 docker pull docker.io/securesystemsengineering/alerting-endpoint

Makefile

@@ -1,6 +1,6 @@
 NAMESPACE = connaisseur
 IMAGE := $(shell yq e '.deployment.image' helm/values.yaml)
-COSIGN_VERSION = 1.7.2
+COSIGN_VERSION = 1.8.0
 
 .PHONY: all docker install uninstall upgrade annihilate
 
@@ -19,6 +19,9 @@ install:
 	#
 	helm install connaisseur helm --atomic --create-namespace --namespace $(NAMESPACE)
 
+dev-install:
+	helm install --set deployment.replicasCount=1,deployment.imagePullPolicy=Never connaisseur helm --atomic --create-namespace --namespace $(NAMESPACE) 
+
 uninstall:
 	helm uninstall connaisseur -n $(NAMESPACE)
 	kubectl delete ns $(NAMESPACE)

connaisseur/exceptions.py

@@ -91,6 +91,10 @@ class UnknownAPIVersionError(UnknownTypeException):
     pass
 
 
+class WrongKeyError(UnknownTypeException):
+    pass
+
+
 class AmbiguousDigestError(BaseConnaisseurException):
     pass
 

connaisseur/res/config_schema.json

@@ -126,6 +126,10 @@
                         },
                         "then": {
                             "properties": {
+                                "host": {
+                                    "type": "string",
+                                    "pattern": "(https?:\\/\\/)?(([a-z0-9]+([\\-\\.]{1}[a-z0-9]+)*\\.[a-z]{2,5})|(localhost))(:[0-9]{1,5})?(\\/.*)?"
+                                },
                                 "trust_roots": {
                                     "type": "array",
                                     "items": {
@@ -236,4 +240,4 @@
         "validators",
         "policy"
     ]
-}
+}

connaisseur/trust_root.py

@@ -0,0 +1,90 @@
+import base64
+import re
+
+import ecdsa
+import rsa
+
+from connaisseur.exceptions import InvalidFormatException
+
+KMS_REGEX = r"^(awskms|gcpkms|azurekms|hashivault|k8s):\/{2,3}[a-zA-Z0-9_.+\/:-]+$"
+KEYLESS_REGEX = r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$"
+
+
+class TrustRootInterface:
+    """
+    Interface from which all trust roots inherit.
+    """
+
+    def __new__(cls, data: object):
+        instance = super(TrustRootInterface, cls).__new__(cls)
+        instance.__init__(data)
+        return instance
+
+    def __init__(self, data: object) -> None:
+        self.value = data
+
+    def __str__(self) -> str:
+        return self.value
+
+
+class TrustRoot(TrustRootInterface):
+    """
+    Abstract TrustRoot class used to represent key material or similar entities, used in
+    verification processes.
+
+    May contain a public key, reference to a key or any other type of trust root.
+    """
+
+    value: object
+
+    def __new__(cls, data: str):
+        try:
+            tr_cls, tr_data = TrustRoot.__get_type_cls_and_data(data)
+            return tr_cls.__new__(tr_cls, tr_data)
+        except Exception as err:
+            msg = "Error loading the trust root."
+            raise InvalidFormatException(message=msg) from err
+
+    @staticmethod
+    def __get_type_cls_and_data(data: str):
+        if re.match(KEYLESS_REGEX, data):
+            return KeyLessTrustRoot, data
+        elif re.match(KMS_REGEX, data):
+            return KMSKey, data
+        elif key := TrustRoot.__check_and_return_ecdsa(data):
+            return ECDSAKey, key
+        elif key := TrustRoot.__check_and_return_rsa(data):
+            return RSAKey, key
+        return None, data
+
+    @staticmethod
+    def __check_and_return_ecdsa(data: str):
+        try:
+            return ecdsa.VerifyingKey.from_pem(data)
+        except Exception:
+            return None
+
+    @staticmethod
+    def __check_and_return_rsa(data: str):
+        try:
+            return rsa.PublicKey.load_pkcs1_openssl_pem(data)
+        except Exception:
+            return None
+
+
+class ECDSAKey(TrustRootInterface):
+    def __str__(self) -> str:
+        return base64.b64encode(self.value.to_der()).decode("utf-8")
+
+
+class RSAKey(TrustRootInterface):
+    def __str__(self) -> str:
+        return base64.b64encode(self.value.save_pkcs1("DER")).decode("utf-8")
+
+
+class KMSKey(TrustRootInterface):
+    pass
+
+
+class KeyLessTrustRoot(TrustRootInterface):
+    pass