Trusted Artifact chain policy #868
Conversation
zregvart
force-pushed
the
issue/EC-252
branch
from
aac36eb
to
c0665a6
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #868 +/- ##
==========================================
Coverage 100.00% 100.00%
==========================================
Files 105 107 +2
Lines 4952 5052 +100
==========================================
+ Hits 4952 5052 +100
|
There was a problem hiding this comment.
I can think of two ways to get around the check in its current state:
- use a result name that doesn't end with _ARTIFACT
params:
- name: SOURCE_ARTIFACT
value: $(tasks.my-task.results.SOURCE_TARBALL)- Don't use a result at all, pass a hardcoded value
params:
- name: SOURCE_ARTIFACT
value: 'file:sha256-{digest_known_ahead_of_time}'
EC sees the resolved value, e.g. A successful check bypass would involve tricking EC into thinking that a certain digest came from a trusted task when it didn't. It's important to note that the Tasks in this repo are mostly blindly trusted. If someone were to update the buildah task definition, for example, to not use the expected param name, or to even use the artifact without checking its digest, it would totally fool EC. We have a spike to see what we can do about this. |
|
If I understand this PR correctly, the check:
IIUC the tree is constructed by matching the result values of each task to the param values of each task. But
|
|
@chmeliik, you are correct. We should have a policy rule that ensures that any used |
I think that covers the hardcoded params problem 👍 (assuming that the trusted-artifact params of trusted tasks will always be called For the "result name doesn't end with _ARTIFACT" problem, the fix is probably to just not filter results by name |
zregvart
force-pushed
the
issue/EC-252
branch
from
c0665a6
to
62c9c5d
Compare
|
We raised the issue of all trusted artifact inputs being produced on the pipeline on one of the first team demos of this feature. The threat modeling for such a case goes something like this: a malicious actor introduces an untrusted Task on the pipeline that modifies or produces a trusted artifact directly into the artifact store, the same malicious actor also needs to modify the pipeline so that the input artifact (Task parameter) is not set to a fixed value. The newly added rule in 62c9c5d#diff-91d65f0192b90a30de0005fc38d3f727ef11a0dfb68e5b5f34d6ce988917279cR79-R114 should check that all input artifacts have been produced on the pipeline. The malicious actor could still produce the artifact on the pipeline, i.e. set the value of the Task result to circumvent that new rule, though such attempt should be caught by the existing rule making sure that all Tasks on the chain are acceptable. The issue of result/parameter names not being named |
zregvart
force-pushed
the
issue/EC-252
branch
2 times, most recently
from
d64eb2c
to
6035f42
Compare
|
Let's revive this. |
|
I've rebased and added one more test case for when there are not TA parameters/results on the pipeline. What we also need is a change in |
Merging the packages probably makes sense. I think we need to take into account two scenarios:
I'd like to focus on the usage aspect of this. The same policy config should work with either scenario above. This should simplify migration. |
Given the change in[1], and the new data available in the attestation, we can create a chain of PipelineRun tasks that contributed to the image artifact being built. Namely, the `*_ARTIFACT` parameters of a task should reference the `*_ARTIFACT` results of a task whose artifact(s) it depends on. Given such a chain, we can examine if all the Tasks comprising that chain are acceptable. This assumes that any acceptable Task conforms to using _only_ the trusted artifacts when performing the its undertaking. Reference: EC-252 [1] konflux-ci/build-definitions#712
|
We probably also want to verify non-builder Tasks. For example, the sast-snyk-check-oci-ta Task does not produce an image, but it should consume the SOURCE_ARTIFACT produced from a trusted Task. So maybe the convention here is look at any Task that does take a |
|
Changes were merged as part of #1007. I'll close this out and have a follow up PR/stories to address some of the comments. |
Filed https://issues.redhat.com/browse/EC-652 to follow up on this. |
Given the change in[1], and the new data available in the attestation, we can create a chain of PipelineRun tasks that contributed to the image artifact being built.
Namely, the
*_ARTIFACTparameters of a task should reference the*_ARTIFACTresults of a task whose artifact(s) it depends on.Given such a chain, we can examine if all the Tasks comprising that chain are acceptable.
This assumes that any acceptable Task conforms to using only the trusted artifacts when performing the its undertaking.
reference: https://issues.redhat.com/browse/EC-252
[1] konflux-ci/build-definitions#712