From 8936fdb911284d41cb30a3ba8c6206ceb563c58c Mon Sep 17 00:00:00 2001
From: linus-sun
Date: Tue, 19 Nov 2024 00:29:44 +0000
Subject: [PATCH] refactoring ct workflow
Signed-off-by: linus-sun
---
 cmd/ct_monitor/main.go | 60 +++++++++++++--------------------
 cmd/rekor_monitor/main.go | 2 ++
 pkg/ct/consistency.go | 10 +++----
 3 files changed, 26 insertions(+), 46 deletions(-)
diff --git a/cmd/ct_monitor/main.go b/cmd/ct_monitor/main.go
index 180aa0d4..c42f8e02 100644
--- a/cmd/ct_monitor/main.go
+++ b/cmd/ct_monitor/main.go
@@ -16,7 +16,6 @@
 package main
 import (
- "context"
 "flag"
 "fmt"
 "log"
@@ -31,15 +30,14 @@ import (
 "github.com/sigstore/rekor-monitor/pkg/ct"
 "github.com/sigstore/rekor-monitor/pkg/identity"
 "github.com/sigstore/rekor-monitor/pkg/notifications"
- "github.com/sigstore/rekor-monitor/pkg/util/file"
 "gopkg.in/yaml.v2"
 )
 // Default values for monitoring job parameters
 const (
- publicRekorServerURL = "https://rekor.sigstore.dev"
- logInfoFileName = "logInfo.txt"
- outputIdentitiesFileName = "identities.txt"
+ publicCTServerURL = "https://ctfe.sigstore.dev/2022"
+ logInfoFileName = "ctLogInfo.txt"
+ outputIdentitiesFileName = "ctIdentities.txt"
 )
 // This main function performs a periodic identity search.
@@ -49,18 +47,11 @@ func main() {
 configFilePath := flag.String("config-file", "", "path to yaml configuration file containing identity monitor settings")
 configYamlInput := flag.String("config", "", "path to yaml configuration file containing identity monitor settings")
 once := flag.Bool("once", true, "whether to run the monitor on a repeated interval or once")
- serverURL := flag.String("url", publicRekorServerURL, "URL to the rekor server that is to be monitored")
+ logInfoFile := flag.String("file", logInfoFileName, "path to the initial log info checkpoint file to be read from")
+ serverURL := flag.String("url", publicCTServerURL, "URL to the rekor server that is to be monitored")
 interval := flag.Duration("interval", 5*time.Minute, "Length of interval between each periodical consistency check")
 flag.Parse()
- if *configFilePath == "" && *configYamlInput == "" {
- log.Fatalf("empty configuration input")
- }
-
- if *configFilePath != "" && *configYamlInput != "" {
- log.Fatalf("only input one of configuration file path or yaml input")
- }
-
 var config notifications.IdentityMonitorConfiguration
 if *configFilePath != "" {
@@ -94,8 +85,6 @@ func main() {
 monitoredValues := identity.MonitoredValues{
 CertificateIdentities: config.MonitoredValues.CertificateIdentities,
- Subjects: config.MonitoredValues.Subjects,
- Fingerprints: config.MonitoredValues.Fingerprints,
 OIDMatchers: allOIDMatchers,
 }
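Review bot: The two removed guards after `flag.Parse()` were the only visible validation that exactly one of `-config-file`/`-config` is supplied; on the new side an empty pair appears to fall through to a zero-value `config`, and a populated pair silently prefers the file, unless the same checks now live in a helper outside this hunk. If they were not deliberately relocated, restore them before `var config ...`, e.g. `if *configFilePath == "" && *configYamlInput == "" { log.Fatalf("empty configuration input") }` and the matching both-set check. Separately, the help string on the new `serverURL` line still says "rekor server" although the default is now the CT log; `"URL to the CT log that is to be monitored"` would match the flag's new meaning. main continues past both ends of this hunk.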
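Review bot: Dropping `Subjects` and `Fingerprints` from the CT `MonitoredValues` literal means those settings in an existing YAML config are now ignored without any message, so an operator who monitors by subject would see the monitor start cleanly and report nothing. If the CT path intentionally supports only certificate identities and OID matchers, consider a warning when `config.MonitoredValues.Subjects` or `config.MonitoredValues.Fingerprints` is non-empty, e.g. `log.Printf("subjects and fingerprints are not supported by the CT monitor and will be ignored")`. main continues outside this hunk.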
@@ -120,24 +109,17 @@ func main() {
 for ; ; <-ticker.C {
 inputEndIndex := config.EndIndex
- var currentSTH *ctgo.SignedTreeHead
- if config.StartIndex == nil || config.EndIndex == nil {
- currentSTH, err = fulcioClient.GetSTH(context.Background())
- if err != nil {
- fmt.Fprintf(os.Stderr, "error getting signed tree head: %v", err)
- return
- }
+ // TODO: Handle Rekor sharding
+ // https://github.com/sigstore/rekor-monitor/issues/57
+ var prevSTH *ctgo.SignedTreeHead
+ prevSTH, currentSTH, err := ct.RunConsistencyCheck(fulcioClient, *logInfoFile)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "failed to successfully complete consistency check: %v", err)
+ return
 }
 if config.StartIndex == nil {
- if config.LogInfoFile != "" {
- var prevSTH *ctgo.SignedTreeHead
- prevSTH, err = file.ReadLatestCTSignedTreeHead(config.LogInfoFile)
- if err != nil {
- fmt.Fprintf(os.Stderr, "reading checkpoint log: %v", err)
- return
- }
-
+ if prevSTH != nil {
 checkpointStartIndex := int(prevSTH.TreeSize) //nolint: gosec // G115, log will never be large enough to overflow
 config.StartIndex = &checkpointStartIndex
 } else {
@@ -155,16 +137,12 @@ func main() {
 fmt.Fprintf(os.Stderr, "start index %d must be strictly less than end index %d", *config.StartIndex, *config.EndIndex)
 }
- _, err = ct.IdentitySearch(fulcioClient, *config.StartIndex, *config.EndIndex, monitoredValues)
- if err != nil {
- fmt.Fprintf(os.Stderr, "failed to successfully complete identity search: %v", err)
- return
- }
-
- err = ct.RunConsistencyCheck(fulcioClient, config.LogInfoFile)
- if err != nil {
- fmt.Fprintf(os.Stderr, "failed to successfully complete consistency check: %v", err)
- return
+ if identity.MonitoredValuesExist(monitoredValues) {
+ _, err = ct.IdentitySearch(fulcioClient, *config.StartIndex, *config.EndIndex, monitoredValues)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "failed to successfully complete identity search: %v", err)
+ return
+ }
 }
 if *once || inputEndIndex != nil {
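Review bot: The added `var prevSTH *ctgo.SignedTreeHead` is redundant with the `:=` on the next line, and because `err` is not declared inside the loop body, `prevSTH, currentSTH, err := ct.RunConsistencyCheck(...)` introduces a new `err` that shadows the outer one the old code assigned with `=`; `go vet`'s shadow analyzer would flag it. Either drop the `var` line and let `:=` declare all three, or keep the outer `err` with `var prevSTH, currentSTH *ctgo.SignedTreeHead` followed by `prevSTH, currentSTH, err = ct.RunConsistencyCheck(fulcioClient, *logInfoFile)`. The `// TODO: Handle Rekor sharding` comment is copied from the Rekor monitor, but this loop talks to a CT log, so it should be reworded for the CT case or dropped. Also, `config.LogInfoFile` is no longer read anywhere on the new side, so a checkpoint path set in YAML is silently superseded by the `-file` flag unless it is applied to `*logInfoFile` outside this hunk; that deserves a note in the config documentation or a warning. The loop body continues past both ends of this hunk.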
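Review bot: The two steps are now in the opposite order from before: `ct.RunConsistencyCheck` (previous hunk) writes `currentSTH` to `*logInfoFile` before `ct.IdentitySearch` runs, whereas the removed lines only advanced the checkpoint after the search had succeeded. If `IdentitySearch` fails here and the process exits via `return`, the next run takes `config.StartIndex` from the already-advanced checkpoint, so the entries between the previous and current tree sizes are never searched — a silent monitoring gap covering exactly the window in which something went wrong. Consider separating verification from persistence in `RunConsistencyCheck` (pkg/ct/consistency.go, last hunk) so the checkpoint is written only after the search completes, or re-write the previous STH on search failure. main continues outside this hunk.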
diff --git a/cmd/rekor_monitor/main.go b/cmd/rekor_monitor/main.go
index 2ff69f20..8375d68f 100644
--- a/cmd/rekor_monitor/main.go
+++ b/cmd/rekor_monitor/main.go
@@ -124,6 +124,8 @@ func main() {
 for ; ; <-ticker.C {
 inputEndIndex := config.EndIndex
+ // TODO: Handle Rekor sharding
+ // https://github.com/sigstore/rekor-monitor/issues/57
 var logInfo *models.LogInfo
 logInfo, err = rekor.RunConsistencyCheck(rekorClient, verifier, *logInfoFile)
 if err != nil {
diff --git a/pkg/ct/consistency.go b/pkg/ct/consistency.go
index d6992755..1513f10e 100644
--- a/pkg/ct/consistency.go
+++ b/pkg/ct/consistency.go
@@ -76,10 +76,10 @@ func verifyCertificateTransparencyConsistency(logInfoFile string, logClient *ctc
 }
 // RunConsistencyCheck periodically verifies the root hash consistency of a certificate transparency log.
-func RunConsistencyCheck(logClient *ctclient.LogClient, logInfoFile string) error {
+func RunConsistencyCheck(logClient *ctclient.LogClient, logInfoFile string) (*ct.SignedTreeHead, *ct.SignedTreeHead, error) {
 currentSTH, err := logClient.GetSTH(context.Background())
 if err != nil {
- return nil, nil, fmt.Errorf("error fetching latest STH: %v", err)
+ return nil, nil, fmt.Errorf("error fetching latest STH: %v", err)
 }
 fi, err := os.Stat(logInfoFile)
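Review bot: The doc comment on the context line above the new `RunConsistencyCheck` signature still describes only the verification and says nothing about the two `*ct.SignedTreeHead` values now returned, in particular that the first appears to be nil when no usable checkpoint file exists, and that the function persists the fetched STH to `logInfoFile` as a side effect. Suggest extending it with `// It returns the previously checkpointed STH (nil if no checkpoint existed) and the freshly fetched STH, and writes the latter to logInfoFile when the tree size has advanced.` While the returns are being rewritten here and in the next hunk, `fmt.Errorf("...: %v", err)` could use `%w` so callers can inspect the underlying client or I/O error with `errors.Is`/`errors.As`. The function body continues in the next hunk.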
@@ -88,15 +88,15 @@ func RunConsistencyCheck(logClient *ctclient.LogClient, logInfoFile string) erro
 if err == nil && fi.Size() != 0 {
 prevSTH, err = verifyCertificateTransparencyConsistency(logInfoFile, logClient, currentSTH)
 if err != nil {
- return fmt.Errorf("error verifying consistency between previous and current STHs: %v", err)
+ return nil, nil, fmt.Errorf("error verifying consistency between previous and current STHs: %v", err)
 }
 }
 if prevSTH == nil || prevSTH.TreeSize != currentSTH.TreeSize {
 if err := file.WriteCTSignedTreeHead(currentSTH, logInfoFile); err != nil {
- return fmt.Errorf("failed to write checkpoint: %v", err)
+ return nil, nil, fmt.Errorf("failed to write checkpoint: %v", err)
 }
 }
- return nil
+ return prevSTH, currentSTH, nil
 }