Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement certificate transparency monitoring workflow #536

Merged
merged 5 commits into from
Nov 20, 2024
Merged

Implement certificate transparency monitoring workflow #536

merged 5 commits into from
Nov 20, 2024

Conversation

linus-sun
Copy link
Collaborator

@linus-sun linus-sun commented Nov 14, 2024
edited
Loading

Summary

Per changes outlined in this doc, this PR implements the certificate transparency monitoring workflow functionality by doing the following:

  • Implements RunConsistencyCheck to verify the consistency proof of a certificate transparency log's signed tree head
  • Implements runnable ct_monitor.go file to perform the identity monitor and consistency check functionality on a certificate transparency log

This PR depends on #527, #534, #535

Release Note

NONE

Documentation

N/A - future PRs will update documentation once the certificate transparency monitor is runnable from a reusable monitoring workflow

@codecov Codecov
Copy link

codecov bot commented Nov 14, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 1.68067% with 117 lines in your changes missing coverage. Please review.

Project coverage is 58.09%. Comparing base (d271ec7) to head (1d50007).
Report is 174 commits behind head on main.

Files with missing lines Patch % Lines
cmd/ct_monitor/main.go 0.00% 91 Missing ⚠️
pkg/ct/consistency.go 7.69% 24 Missing ⚠️
cmd/rekor_monitor/main.go 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #536      +/-   ##
==========================================
- Coverage   64.02%   58.09%   -5.94%     
==========================================
  Files           4       18      +14     
  Lines         303     1477    +1174     
==========================================
+ Hits          194      858     +664     
- Misses         78      535     +457     
- Partials       31       84      +53

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚨 Try these New Features:

@linus-sun linus-sun force-pushed the linussun/ct-consistency-check branch from 8d35132 to ced634c Compare November 14, 2024 20:45
@linus-sun linus-sun marked this pull request as ready for review November 14, 2024 20:55
haydentherapper
haydentherapper reviewed Nov 18, 2024
View reviewed changes
cmd/ct_monitor/main.go Outdated

monitoredValues := identity.MonitoredValues{
CertificateIdentities: config.MonitoredValues.CertificateIdentities,
Subjects: config.MonitoredValues.Subjects,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need subjects, correct? Since subjects are just for special cases of SSH certificates or emails in keys

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removing subjects and fingerprints from this construction

cmd/ct_monitor/main.go Outdated
return
}

err = ct.RunConsistencyCheck(fulcioClient, config.LogInfoFile)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we flip the order of these, to first check consistency before the identity check?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also adding in the current STH as a return value to RunConsistencyCheck to reduce number of calls to GetSTH

@linus-sun linus-sun force-pushed the linussun/ct-consistency-check branch from ced634c to 56f9bc5 Compare November 19, 2024 00:26
haydentherapper
haydentherapper requested changes Nov 19, 2024
View reviewed changes
cmd/ct_monitor/main.go Outdated

// Default values for monitoring job parameters
const (
publicRekorServerURL = "https://rekor.sigstore.dev"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to change this to ctfe.sigstore.dev/2022, and change the var name.

Can we also leave a TODO about figuring out a way to handle log shards? Can link it to #57

cmd/ct_monitor/main.go Outdated
// Default values for monitoring job parameters
const (
publicRekorServerURL = "https://rekor.sigstore.dev"
logInfoFileName = "logInfo.txt"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's create different default file names so they don't collide if run locally. maybe ctLogInfo.txt and ctIdentities.txt or something similar?

cmd/ct_monitor/main.go Outdated
interval := flag.Duration("interval", 5*time.Minute, "Length of interval between each periodical consistency check")
flag.Parse()

if *configFilePath == "" && *configYamlInput == "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we copy over the same changes here, that configs aren't required?

cmd/ct_monitor/main.go Outdated
fmt.Fprintf(os.Stderr, "start index %d must be strictly less than end index %d", *config.StartIndex, *config.EndIndex)
}

_, err = ct.IdentitySearch(fulcioClient, *config.StartIndex, *config.EndIndex, monitoredValues)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only run if there's monitorable values?

cmd/ct_monitor/main.go Outdated
inputEndIndex := config.EndIndex

var currentSTH *ctgo.SignedTreeHead
currentSTH, err = ct.RunConsistencyCheck(fulcioClient, config.LogInfoFile)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we copy over the changes that RunConsistencyCheck returns the previous, and it's read in below? Otherwise we'll hit the same bug that we read in the latest as the previous.

@linus-sun linus-sun force-pushed the linussun/ct-consistency-check branch from 0723243 to 8936fdb Compare November 19, 2024 23:18
haydentherapper
haydentherapper reviewed Nov 20, 2024
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@linus-sun linus-sun force-pushed the linussun/ct-consistency-check branch 2 times, most recently from 35bfd81 to c512f58 Compare November 20, 2024 01:03
haydentherapper
haydentherapper approved these changes Nov 20, 2024
View reviewed changes
Copy link
Contributor

@haydentherapper haydentherapper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more rebase!

@linus-sun linus-sun force-pushed the linussun/ct-consistency-check branch from c512f58 to 1d50007 Compare November 20, 2024 02:12
@haydentherapper haydentherapper merged commit a88973a into sigstore:main Nov 20, 2024
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper approved these changes

@mihaimaruseac mihaimaruseac mihaimaruseac approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@linus-sun @mihaimaruseac @haydentherapper