authorDivy Srivastava <dj.srivastava23@gmail.com>2024-02-28 07:58:02 +0530
committerGitHub <noreply@github.com>2024-02-28 07:58:02 +0530
commit9b5d2f8c1bae498d78400c8e9263bcae6e521adf (patch)
tree69453f9be9fc65774f3087bb986409aadee5acb4 /tests/util/server/src/servers/registry.rs
parente9fe71acb53c8856754ef892c463253cb96087ce (diff)
feat(publish): provenance attestation (#22573)
Supply chain security for JSR. ``` $ deno publish --provenance Successfully published @divy/test_provenance@0.0.3 Provenance transparency log available at https://search.sigstore.dev/?logIndex=73657418 ``` 0. Package has been published. 1. Fetches the version manifest and verifies that it matches the uploaded files and exports. 2. Builds the SLSA attestation payload using the GitHub Actions env. 3. Creates an ephemeral key pair for signing the GitHub token (aud=sigstore) and the DSSE pre-authentication tag. 4. Requests an X.509 signing certificate from Fulcio using the challenge and the ephemeral public key PEM. 5. Prepares a DSSE envelope for Rekor to witness. Posts an intoto entry to Rekor and gets back the transparency log index. 6. Builds the provenance bundle and posts it to JSR.
Diffstat (limited to 'tests/util/server/src/servers/registry.rs')
-rw-r--r--tests/util/server/src/servers/registry.rs73
1 files changed, 73 insertions, 0 deletions
diff --git a/tests/util/server/src/servers/registry.rs b/tests/util/server/src/servers/registry.rs
index 0efe06217..1a0caff1f 100644
--- a/tests/util/server/src/servers/registry.rs
+++ b/tests/util/server/src/servers/registry.rs
@@ -5,6 +5,8 @@ use crate::testdata_path;
use super::run_server;
use super::ServerKind;
use super::ServerOptions;
+use base64::engine::general_purpose::STANDARD_NO_PAD;
+use base64::Engine as _;
use bytes::Bytes;
use http_body_util::combinators::UnsyncBoxBody;
use http_body_util::Empty;
@@ -36,6 +38,77 @@ pub async fn registry_server(port: u16) {
.await
}
+pub async fn provenance_mock_server(port: u16) {
+ let addr = SocketAddr::from(([127, 0, 0, 1], port));
+
+ run_server(
+ ServerOptions {
+ addr,
+ error_msg: "Provenance mock server error",
+ kind: ServerKind::Auto,
+ },
+ provenance_mock_server_handler,
+ )
+ .await
+}
+
+async fn provenance_mock_server_handler(
+ req: Request<Incoming>,
+) -> Result<Response<UnsyncBoxBody<Bytes, Infallible>>, anyhow::Error> {
+ let path = req.uri().path();
+
+ // OIDC request
+ if path.starts_with("/gha_oidc") {
+ let jwt_claim = json!({
+ "sub": "divy",
+ "email": "divy@deno.com",
+ "iss": "https://github.com",
+ });
+ let token = format!(
+ "AAA.{}.",
+ STANDARD_NO_PAD.encode(serde_json::to_string(&jwt_claim).unwrap())
+ );
+ let body = serde_json::to_string_pretty(&json!({
+ "value": token,
+ }));
+ let res = Response::new(UnsyncBoxBody::new(Full::from(body.unwrap())));
+ return Ok(res);
+ }
+
+ // Fulcio
+ if path.starts_with("/api/v2/signingCert") {
+ let body = serde_json::to_string_pretty(&json!({
+ "signedCertificateEmbeddedSct": {
+ "chain": {
+ "certificates": [
+ "fake_certificate"
+ ]
+ }
+ }
+ }));
+ let res = Response::new(UnsyncBoxBody::new(Full::from(body.unwrap())));
+ return Ok(res);
+ }
+
+ // Rekor
+ if path.starts_with("/api/v1/log/entries") {
+ let body = serde_json::to_string_pretty(&json!({
+ "transparency_log_1": {
+ "logID": "test_log_id",
+ "logIndex": 42069,
+ }
+ }));
+ let res = Response::new(UnsyncBoxBody::new(Full::from(body.unwrap())));
+ return Ok(res);
+ }
+
+ let empty_body = UnsyncBoxBody::new(Empty::new());
+ let res = Response::builder()
+ .status(StatusCode::NOT_FOUND)
+ .body(empty_body)?;
+ Ok(res)
+}
+
async fn registry_server_handler(
req: Request<Incoming>,
) -> Result<Response<UnsyncBoxBody<Bytes, Infallible>>, anyhow::Error> {
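Review bot: The three branches of provenance_mock_server_handler match on `path.starts_with(...)` alone and never look at the request method, query or body, so a test run against this mock cannot tell a client that POSTs the expected OIDC/Fulcio/Rekor payloads from one that sends nothing at all; if the tests are meant to cover the request shape, the Rekor branch at least should check `req.method()` and read the body before answering, otherwise a doc comment should say the mock is response-only. Suggested header for the function: `/// Canned stand-ins for the GitHub Actions OIDC token endpoint, Fulcio's signingCert API and Rekor's log/entries API used by `deno publish --provenance`; no request is validated and the returned certificate, log ID and log index are fixed test values.` The mock token built with `format!("AAA.{}.", ...)` is a header-less, unsigned JWT carrying only base64 claims, which deserves a one-line comment so nobody mistakes it for a signed fixture. Since the handler already returns anyhow::Error, the three `body.unwrap()` calls could use the same propagation as the 404 path, e.g. `let body = serde_json::to_string_pretty(&json!({ ... }))?;`. registry_server_handler on the trailing context lines continues outside the hunk.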