

Merge pull request #89 from kommendorkapten/add-azure
Added Azure KMS support
jku authored Jun 2, 2023
2 parents b9b6e41 + 290105a commit 94217d1
Showing 2 changed files with 66 additions and 26 deletions.
84 changes: 62 additions & 22 deletions playground/signer/playground_sign/delegate.py
Expand Up @@ -8,7 +8,13 @@
import click
import logging
import os
from securesystemslib.signer import GCPSigner, SigstoreKey, SSlibKey, KEY_FOR_TYPE_AND_SCHEME
from securesystemslib.signer import (
AzureSigner,
GCPSigner,
KEY_FOR_TYPE_AND_SCHEME,
SSlibKey,
SigstoreKey,
)

from playground_sign._common import (
bold,
Expand Down Expand Up @@ -96,7 +102,7 @@ def _get_repo_name(remote: str):
# http urls on the other hand are not relative: remove the leading /
return repo.lstrip("/")

def _sigstore_import(pull_remote: str) -> list[ SigstoreKey]:
def _sigstore_import(pull_remote: str) -> list[SigstoreKey]:
# WORKAROUND: build sigstore key and uri here since there is no import yet
issuer = "https://token.actions.githubusercontent.com"
repo = _get_repo_name(pull_remote)
Expand Down Expand Up @@ -131,26 +137,7 @@ def _get_online_input(
if choice == 0:
break
if choice == 1:
# TODO use value_proc argument to validate the input
key_id = click.prompt(
bold("Press enter to use Sigstore, or enter a Google Cloud KMS key id"),
default=""
)
if key_id == "LOCAL_TESTING_KEY":
# This could be generic support for env var keys... but for now is just for the one testing key
# the private key is 1d9a024348e413892aeeb8cc8449309c152f48177200ee61a02ae56f450c6480
uri = "envvar:LOCAL_TESTING_KEY"
key = SSlibKey("fa47289", "ed25519", "ed25519", {"public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"}, {"x-playground-online-uri": uri})
config.keys = [key]
elif key_id == "":
config.keys = _sigstore_import(user_config.pull_remote)
else:
try:
uri, key = GCPSigner.import_(key_id)
key.unrecognized_fields["x-playground-online-uri"] = uri
config.keys = [key]
except Exception as e:
raise click.ClickException(f"Failed to read Google Cloud KMS key: {e}")
config.keys = _collect_online_keys()
if choice == 2:
config.timestamp_expiry = click.prompt(
bold(f"Please enter timestamp expiry in days"),
Expand All @@ -176,6 +163,59 @@ def _get_online_input(

return config

def _collect_online_keys() -> list[SSlibKey]:
# TODO use value_proc argument to validate the input

while True:
click.echo(
f" 1. Sigstore\n"
f" 2. Google Cloud KMS\n"
f" 3. Azure Key Vault"
)
choice = click.prompt(
bold("Please select online key type"),
type=click.IntRange(1, 4),
default=1,
show_default=True,
)
if choice == 1:
return _sigstore_import(user_config.pull_remote)
if choice == 2:
key_id = _collect_string("Enter a Google Cloud KMS key id")
try:
uri, key = GCPSigner.import_(key_id)
key.unrecognized_fields["x-playground-online-uri"] = uri
return [key]
except Exception as e:
raise click.ClickException(f"Failed to read Google Cloud KMS key: {e}")
if choice == 3:
vault_name = _collect_string("Enter Azure vault name")
key_name = _collect_string("Enter key name")
try:
uri, key = AzureSigner.import_(vault_name, key_name)
key.unrecognized_fields["x-playground-online-uri"] = uri
return [key]
except Exception as e:
raise click.ClickException(f"Failed to read Azure Keyvault key: {e}")
if choice == 4:
# This could be generic support for env var keys... but for now is just for the one testing key
# the private key is 1d9a024348e413892aeeb8cc8449309c152f48177200ee61a02ae56f450c6480
uri = "envvar:LOCAL_TESTING_KEY"
key = SSlibKey("fa47289", "ed25519", "ed25519", {"public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"}, {"x-playground-online-uri": uri})
return [key]


def _collect_string(prompt: str) -> str:
while True:
data = click.prompt(
bold(prompt),
default=""
)
if data == "":
continue
else:
return data


def _init_repository(repo: SignerRepository, user_config: SignerConfig) -> bool:
click.echo("Creating a new Playground TUF repository")
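Review bot: `_collect_online_keys` reads `user_config.pull_remote` on the Sigstore branch (choice 1) but declares no `user_config` parameter and is called with no arguments from `_get_online_input` in the earlier hunk, so unless a module-level `user_config` exists outside this diff, selecting Sigstore raises NameError at runtime — the e2e tests only exercise option 4, which would hide it. Thread it through: `def _collect_online_keys(user_config: SignerConfig) -> list[SSlibKey]:` and, at the call site, `config.keys = _collect_online_keys(user_config)`. Two smaller points in the same function: the prompt accepts `click.IntRange(1, 4)` while the menu lists only three entries, so the unlisted option deserves a comment such as `# 4 is the unlisted LOCAL_TESTING_KEY env-var key used by the e2e tests`, and the `list[SSlibKey]` return annotation does not cover the `list[SigstoreKey]` that `_sigstore_import` returns (`list[SSlibKey | SigstoreKey]` matches the names imported here). In `_collect_string` the `if data == "": continue / else: return data` pair reads more simply as `if data: return data`.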
8 changes: 4 additions & 4 deletions playground/tests/e2e.sh
Expand Up @@ -126,7 +126,7 @@ signer_init()
"" # Configure root ? [enter to continue]
"" # Configure targets? [enter to continue]
"1" # Configure online roles? [1: configure key]
"LOCAL_TESTING_KEY" # Enter key id
"4" # Enter online key type
"" # Configure online roles? [enter to continue]
"2" # Choose signing key [2: yubikey]
"" # Insert HW key and press enter
Expand Down Expand Up @@ -158,7 +158,7 @@ signer_init_shorter_snapshot_expiry()
"" # Configure root ? [enter to continue]
"" # Configure targets? [enter to continue]
"1" # Configure online roles? [1: configure key]
"LOCAL_TESTING_KEY" # Enter key id
"4" # Enter online key type
"3" # Configure online roles? [3: configure snapshot]
"10" # Enter expiry [10 days]
"4" # Enter signing period [4 days]
Expand Down Expand Up @@ -196,7 +196,7 @@ signer_init_multiuser()
"2" # Enter threshold
"" # Configure targets? [enter to continue]
"1" # Configure online roles? [1: configure key]
"LOCAL_TESTING_KEY" # Enter key id
"4" # Enter online key type
"" # Configure online roles? [enter to continue]
"2" # Choose signing key [2: yubikey]
"" # Insert HW key and press enter
Expand Down Expand Up @@ -500,7 +500,7 @@ test_target_changes()
repo_status_fail sign/new-targets
signer_sign user1 sign/new-targets

# user2: delete one target, modify another. repo modifies metadata, user2 signs
# user2: delete one target, modify another. repo modifies metadata, user2 signs
signer_modify_targets user2 sign/new-targets
repo_status_fail sign/new-targets
signer_sign user2 sign/new-targets
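Review bot: The new input `"4"` in signer_init selects an option the interactive menu does not list (it shows only Sigstore, Google Cloud KMS and Azure Key Vault), so the trailing comment should say what it picks, in the bracketed style the surrounding lines use: `"4" # Enter online key type [4: unlisted LOCAL_TESTING_KEY env-var key]`. The same applies to the identical replacement lines in the signer_init_shorter_snapshot_expiry and signer_init_multiuser hunks.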
