Added tenancy aware attestation commands #9542
Conversation
|
Hi! Thanks for the pull request. Please ensure that this change is linked to an issue by mentioning an issue number in the description of the pull request. If this pull request would close the issue, please put the word 'Fixes' before the issue number somewhere in the pull request body. If this is a tiny change like fixing a typo, feel free to ignore this message. |
| require.NoError(t, err) | ||
| } | ||
|
|
||
| func ValidateSignerWorkflow(t *testing.T) { |
There was a problem hiding this comment.
These tests wasn't run before, so I fixed that.
| for _, target := range tufOpt.targets { | ||
| t, err := tufClient.GetTarget(target) | ||
| if err != nil { | ||
| return err |
There was a problem hiding this comment.
If we can't reach the target here, should the client facing error message include some content about checking the URL itself? Maybe the returned error already includes something like this.
There was a problem hiding this comment.
The error will contain context concerning the target, but we can do better. Let me add more context to the error message.
internal/ghinstance/host.go
Outdated
| func TenantName(h string) (string, bool) { | ||
| normalizedHostName := NormalizeHostname(h) | ||
| return cutSuffix(normalizedHostName, "."+tenancyHost) | ||
| t, f := cutSuffix(normalizedHostName, "."+tenancyHost) | ||
|
|
||
| if !f { | ||
| return t, f | ||
| } | ||
|
|
||
| // make sure tenant name is valid | ||
| re := regexp.MustCompile(`^[a-z0-9\-]+$`) | ||
| if !re.MatchString(t) { | ||
| return "", false | ||
| } | ||
| return t, true |
There was a problem hiding this comment.
@kommendorkapten : Could you elaborate on how gh would behave when invalid tenant hosts were specified? Any console output you could share?
Depending on βοΈ, we might need to revisit this because this is a larger issue than just core gh as cli/go-gh has similar capability. π€
There was a problem hiding this comment.
That is a good question. Currently some commands are failing before this test happens, as they are instantiating the API client first, which tries to parse (and possibly connect) the URL. But as this function can be called from everywhere we should be on par in cli/go-gh, I can prepare a PR once we have a rough agreement on how the cli should behave.
As the tenant is derived from the hostname, this PR simply prompts invalid hostname $host. Having all commands exhibit a similar behaviour should be good.
One thing though, TenantName returns bool (found), but with a corresponding check of IsTenancy, an error case can be detected.
There was a problem hiding this comment.
@andyfeller any thoughts?
There was a problem hiding this comment.
I'm trying to think of a middle ground as this feels suboptimal. π€ Let me see if I can unwind what's going on here to see what alternatives might be available.
Is there somewhere else we can handle invalid tenancy names?
The only place I see ghrepo.TenantName being called is within ghrepo.FormatRemoteUrl, which is used throughout the code base:
Lines 95 to 103 in 78c1d00
If we accepted this code as is, it feels like we'd disguise the problem of an invalid tenancy name as an error with a seemingly legitimate URL.
Above, you state there are some scenarios that are failing, however I don't have a clear idea of concrete examples.
Currently some commands are failing before this test happens, as they are instantiating the API client first, which tries to parse (and possibly connect) the URL.
Putting that aside, I also see elsewhere in the code we have HostnameValidator which is also used throughout code:
cli/internal/ghinstance/host.go
Lines 62 to 70 in 78c1d00
Thoughts
- Should
HostnameValidatoractually be what's enhanced to determine if a tenancy host has a valid name?
There was a problem hiding this comment.
Yeah, I'm also thinking how we can make this validation happen as early as possible.
A common flow is to call go-gh/v2/pkg/auth.DefaultHost() This function does not perform any validation, only reads the name from the config or the GH_HOST environment variable.
Should
HostnameValidatoractually be what's enhanced to determine if a tenancy host has a valid name?
YES, I support that. I would love for having a single consistent method that could be used to verify that a host is valid. And a tenant name is simply a valid domain label ([a-zA-Z0-9\-]+) that is part of a hostname. So verifying that hostname is valid (i.e parse with net/url/Parse) ought to be enough.
My recommendation would anyway be to remove the added check in this PR, create a new issue on going over host verification in the cli, and create a separate PR for that, as I think that would be easier to reason about. Sounds goo @andyfeller?
There was a problem hiding this comment.
created #9598 for tracking.
This is done by inspecting the current hostname to determine if tenancy is enabled. The attestation commands also accepts a --hostname parameter, that is used to pick the current host, similar to how the GH_HOST variable can be used. Signed-off-by: Fredrik Skogman <[email protected]>
c16d932 to
1b59ec8
Compare
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [cli/cli](https://redirect.github.com/cli/cli) | minor | `v2.56.0` -> `v2.57.0` | --- ### Release Notes <details> <summary>cli/cli (cli/cli)</summary> ### [`v2.57.0`](https://redirect.github.com/cli/cli/releases/tag/v2.57.0): GitHub CLI 2.57.0 [Compare Source](https://redirect.github.com/cli/cli/compare/v2.56.0...v2.57.0) #### What's Changed - Move non-integration tests to different test file by [@​codysoyland](https://redirect.github.com/codysoyland) in [https://github.com/cli/cli/pull/9577](https://redirect.github.com/cli/cli/pull/9577) - Added tenancy aware attestation commands by [@​kommendorkapten](https://redirect.github.com/kommendorkapten) in [https://github.com/cli/cli/pull/9542](https://redirect.github.com/cli/cli/pull/9542) - Added `--active` flag to the `gh auth status` command by [@​velumuruganr](https://redirect.github.com/velumuruganr) in [https://github.com/cli/cli/pull/9520](https://redirect.github.com/cli/cli/pull/9520) - build(deps): bump github.com/sigstore/sigstore-go from 0.6.1 to 0.6.2 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/cli/cli/pull/9601](https://redirect.github.com/cli/cli/pull/9601) - `gh attestation verify` test for custom OIDC issuers by [@​bdehamer](https://redirect.github.com/bdehamer) in [https://github.com/cli/cli/pull/9595](https://redirect.github.com/cli/cli/pull/9595) - Suggest installing Rosetta when extension installation fails due to missing `darwin-arm64` binary, but a `darwin-amd64` binary is available by [@​timrogers](https://redirect.github.com/timrogers) in [https://github.com/cli/cli/pull/9599](https://redirect.github.com/cli/cli/pull/9599) - Update `gh attestation verify` bundle parsing and validation errors by [@​malancas](https://redirect.github.com/malancas) in [https://github.com/cli/cli/pull/9564](https://redirect.github.com/cli/cli/pull/9564) - Suppress `attestation verify` output when no TTY present by [@​bdehamer](https://redirect.github.com/bdehamer) in [https://github.com/cli/cli/pull/9612](https://redirect.github.com/cli/cli/pull/9612) - Use api subdomains for tenant hosts by [@​williammartin](https://redirect.github.com/williammartin) in [https://github.com/cli/cli/pull/9618](https://redirect.github.com/cli/cli/pull/9618) #### New Contributors - [@​kommendorkapten](https://redirect.github.com/kommendorkapten) made their first contribution in [https://github.com/cli/cli/pull/9542](https://redirect.github.com/cli/cli/pull/9542) - [@​velumuruganr](https://redirect.github.com/velumuruganr) made their first contribution in [https://github.com/cli/cli/pull/9520](https://redirect.github.com/cli/cli/pull/9520) - [@​bdehamer](https://redirect.github.com/bdehamer) made their first contribution in [https://github.com/cli/cli/pull/9595](https://redirect.github.com/cli/cli/pull/9595) - [@​timrogers](https://redirect.github.com/timrogers) made their first contribution in [https://github.com/cli/cli/pull/9599](https://redirect.github.com/cli/cli/pull/9599) **Full Changelog**: cli/cli@v2.56.0...v2.57.0 </details> --- ### Configuration π **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). π¦ **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/izumin5210/dotfiles). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC44MC4wIiwidXBkYXRlZEluVmVyIjoiMzguODAuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: izumin5210-update-aqua-checksum[bot] <169593670+izumin5210-update-aqua-checksum[bot]@users.noreply.github.com>
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [cli/cli](https://github.com/cli/cli) | minor | `v2.55.0` -> `v2.57.0` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>cli/cli (cli/cli)</summary> ### [`v2.57.0`](https://github.com/cli/cli/releases/tag/v2.57.0): GitHub CLI 2.57.0 [Compare Source](cli/cli@v2.56.0...v2.57.0) #### What's Changed - Move non-integration tests to different test file by [@​codysoyland](https://github.com/codysoyland) in cli/cli#9577 - Added tenancy aware attestation commands by [@​kommendorkapten](https://github.com/kommendorkapten) in cli/cli#9542 - Added `--active` flag to the `gh auth status` command by [@​velumuruganr](https://github.com/velumuruganr) in cli/cli#9520 - build(deps): bump github.com/sigstore/sigstore-go from 0.6.1 to 0.6.2 by [@​dependabot](https://github.com/dependabot) in cli/cli#9601 - `gh attestation verify` test for custom OIDC issuers by [@​bdehamer](https://github.com/bdehamer) in cli/cli#9595 - Suggest installing Rosetta when extension installation fails due to missing `darwin-arm64` binary, but a `darwin-amd64` binary is available by [@​timrogers](https://github.com/timrogers) in cli/cli#9599 - Update `gh attestation verify` bundle parsing and validation errors by [@​malancas](https://github.com/malancas) in cli/cli#9564 - Suppress `attestation verify` output when no TTY present by [@​bdehamer](https://github.com/bdehamer) in cli/cli#9612 - Use api subdomains for tenant hosts by [@​williammartin](https://github.com/williammartin) in cli/cli#9618 #### New Contributors - [@​kommendorkapten](https://github.com/kommendorkapten) made their first contribution in cli/cli#9542 - [@​velumuruganr](https://github.com/velumuruganr) made their first contribution in cli/cli#9520 - [@​bdehamer](https://github.com/bdehamer) made their first contribution in cli/cli#9595 - [@​timrogers](https://github.com/timrogers) made their first contribution in cli/cli#9599 **Full Changelog**: cli/cli@v2.56.0...v2.57.0 ### [`v2.56.0`](https://github.com/cli/cli/releases/tag/v2.56.0): GitHub CLI 2.56.0 [Compare Source](cli/cli@v2.55.0...v2.56.0) #### Important note about renewed GPG key The Debian and RedHat releases have been signed with a new GPG key. If you are experiencing issues updating your `.deb` or `.rpm` packages, please read [cli/cli#9569](cli/cli#9569). #### What's Changed - Always print URL scheme to stdout by [@​heaths](https://github.com/heaths) in cli/cli#9471 - Quote repo names consistently in `gh repo sync` stdout by [@​muzimuzhi](https://github.com/muzimuzhi) in cli/cli#9491 - Fetch bundle from OCI registry for verify by [@​ejahnGithub](https://github.com/ejahnGithub) in cli/cli#9421 - Remove `Internal` from `gh repo create` prompt when owner is not an org by [@​jtmcg](https://github.com/jtmcg) in cli/cli#9465 - Drop surplus trailing space char in flag names in web by [@​muzimuzhi](https://github.com/muzimuzhi) in cli/cli#9495 - fix the trimming of log filenames for `gh run view` by [@​benebsiny](https://github.com/benebsiny) in cli/cli#9482 - "offline" verification using the bundle of attestations without any additional handling of the file by [@​aryanbhosale](https://github.com/aryanbhosale) in cli/cli#9523 - build(deps): bump actions/attest-build-provenance from 1.4.1 to 1.4.2 by [@​dependabot](https://github.com/dependabot) in cli/cli#9518 - Fix doc typo for `repo sync` by [@​muzimuzhi](https://github.com/muzimuzhi) in cli/cli#9509 - Correct the help message for -F by [@​Goooler](https://github.com/Goooler) in cli/cli#9525 - chore: fix some function names by [@​crystalstall](https://github.com/crystalstall) in cli/cli#9555 - verify 2nd artifact without swapping order by [@​aryanbhosale](https://github.com/aryanbhosale) in cli/cli#9532 - `gh attestation verify` handles empty JSONL files by [@​malancas](https://github.com/malancas) in cli/cli#9541 - Enhance Linux installation docs to redirect users to GPG renewal issue, better troubleshooting support by [@​andyfeller](https://github.com/andyfeller) in cli/cli#9573 - Upgrade sigstore-go to v0.6.1 by [@​codysoyland](https://github.com/codysoyland) in cli/cli#9566 - Check for nil values to prevent nil dereference panic by [@​codysoyland](https://github.com/codysoyland) in cli/cli#9578 - build(deps): bump actions/attest-build-provenance from 1.4.2 to 1.4.3 by [@​dependabot](https://github.com/dependabot) in cli/cli#9575 #### New Contributors - [@​aryanbhosale](https://github.com/aryanbhosale) made their first contribution in cli/cli#9523 - [@​Goooler](https://github.com/Goooler) made their first contribution in cli/cli#9525 - [@​crystalstall](https://github.com/crystalstall) made their first contribution in cli/cli#9555 **Full Changelog**: cli/cli@v2.55.0...v2.56.0 </details> --- ### Configuration π **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). π¦ **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β» **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
This PR introduces a functionality to configure the host using --hostname flag instead of using GH_HOST environment variable.
It also updates the attestation commands (verify, download, inspect and trusted-root) to support tenancy mode.