[SCITT] scitt-api-emulator: pull request: policy engine: Simple decoupled file based policy engine
"Andersen, John S" <john.s.andersen@intel.com> Fri, 31 March 2023 22:05 UTC
From: "Andersen, John S" <john.s.andersen@intel.com>
To: "scitt@ietf.org" <scitt@ietf.org>
Date: Fri, 31 Mar 2023 22:05:43 +0000
Message-ID: <DM4PR11MB64537FB8099E45140E75E867BB8F9@DM4PR11MB6453.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scitt/PwcesOR1txbHOIjMhMOt01YWDjo>
Hi all,

Happy Friday! Just wanted to see if the mailing list had any thoughts on this and broadcast for visibility and others who want to experiment in this space, as well as hoping for review/merge of this PR.

https://github.com/scitt-community/scitt-api-emulator/pull/27 enables a simple insert policy based engine based on presence of operation.policy.{insert,denied,failure} files. Currently only for use with use_lro=True. This is a simple way to enable evaluation of claims prior to submission by arbitrary policy engines which watch the workspace (fanotify, inotify, etc.).

We could also load content from those files in the future, for aiding in explaining reasons for failure or denial. Left that out for now to strip to the bare minimum.

Thank you,
John

Associated docs reproduced below:

# Registration Policies

(https://github.com/scitt-community/scitt-api-emulator/blob/2787820abf3fa4701bc46a9629cd98d11254fbe6/docs/registration_policies.md#registration-policies)

* References
  * 5.2.2. Registration Policies: https://www.ietf.org/archive/id/draft-birkholz-scitt-architecture-02.html#name-registration-policies

## Simple decoupled file based policy engine

The SCITT API emulator can deny entry based on the presence of operation.policy.{insert,denied,failure} files. Currently only for use with use_lro=True. This is a simple way to enable evaluation of claims prior to submission by arbitrary policy engines which watch the workspace (fanotify, inotify, etc.).

Start the server:

```console
$ rm -rf workspace/
$ mkdir -p workspace/storage/operations
$ scitt-emulator server --workspace workspace/ --tree-alg CCF --use-lro
Service parameters: workspace/service_parameters.json
^C
```

Change the config to a non-`*` insert policy, then restart the SCITT API emulator server:

```console
$ echo "$(cat workspace/service_parameters.json)" \
    | jq '.insertPolicy = "external"' \
    | tee workspace/service_parameters.json.new \
    && mv workspace/service_parameters.json.new workspace/service_parameters.json
{
  "serviceId": "emulator",
  "treeAlgorithm": "CCF",
  "signatureAlgorithm": "ES256",
  "serviceCertificate": "-----BEGIN CERTIFICATE-----",
  "insertPolicy": "external"
}
```

Basic policy engine in two files.

enforce_policy.py:

```python
import os
import sys
import pathlib

# Last argument is the path of the pending operation's .cose file, e.g.
# workspace/storage/operations/<id>.cose
cose_path = pathlib.Path(sys.argv[-1])

# Record the decision as a sibling marker file, <id>.policy.{insert,denied,failure},
# which is what the emulator looks for when insertPolicy is "external".
policy_action_path = cose_path.with_suffix(".policy." + os.environ["POLICY_ACTION"].lower())
policy_action_path.write_text("")
```

Simple drop rule based on a claim content blocklist.

is_on_blocklist.py:

```python
import os
import sys
import json

import pycose
from pycose.messages import CoseMessage

from scitt_emulator.scitt import ClaimInvalidError, COSE_Headers_Issuer

# Issuers to block. Override with a JSON list in the BLOCKLIST environment variable.
BLOCKLIST_DEFAULT = [
    "did:web:example.com",
]
BLOCKLIST_DEFAULT_JSON = json.dumps(BLOCKLIST_DEFAULT)
BLOCKLIST = json.loads(os.environ.get("BLOCKLIST", BLOCKLIST_DEFAULT_JSON))

# The claim (COSE_Sign1 bytes) is piped in on stdin.
claim = sys.stdin.buffer.read()

msg = CoseMessage.decode(claim)

# Only the protected header is covered by the signature, so only it is consulted.
if pycose.headers.ContentType not in msg.phdr:
    raise ClaimInvalidError(
        "Claim does not have a content type header parameter"
    )
if COSE_Headers_Issuer not in msg.phdr:
    raise ClaimInvalidError("Claim does not have an issuer header parameter")

if msg.phdr[COSE_Headers_Issuer] not in BLOCKLIST:
    sys.exit(1)
# EXIT_SUCCESS == MUST block. In case of thrown errors/exceptions.
```

Example running the blocklist check and enforcement to disable an issuer (example: did:web:example.com):

```console
$ npm install -g nodemon
$ nodemon -e .cose --exec 'find workspace/storage/operations -name \*.cose -exec nohup sh -xc "echo {} && (python3 is_on_blocklist.py < {} && POLICY_ACTION=denied python3 enforce_policy.py {}) || POLICY_ACTION=insert python3 enforce_policy.py {}" \;'
```

Create a claim from the blocked issuer (.com) and from a non-blocked one (.org):

```console
$ scitt-emulator client create-claim --issuer did:web:example.com --content-type application/json --payload '{"sun": "yellow"}' --out claim.cose
Claim written to claim.cose
$ scitt-emulator client submit-claim --claim claim.cose --out claim.receipt.cbor
Traceback (most recent call last):
  File "/home/alice/.local/bin/scitt-emulator", line 33, in <module>
    sys.exit(load_entry_point('scitt-emulator', 'console_scripts', 'scitt-emulator')())
  File "/home/alice/Documents/python/scitt-api-emulator/scitt_emulator/cli.py", line 22, in main
    args.func(args)
  File "/home/alice/Documents/python/scitt-api-emulator/scitt_emulator/client.py", line 182, in <lambda>
    func=lambda args: submit_claim(
  File "/home/alice/Documents/python/scitt-api-emulator/scitt_emulator/client.py", line 93, in submit_claim
    raise_for_operation_status(operation)
  File "/home/alice/Documents/python/scitt-api-emulator/scitt_emulator/client.py", line 29, in raise_for_operation_status
    raise RuntimeError(f"Operation error: {operation['error']}")
RuntimeError: Operation error: {'status': 'denied'}
$ scitt-emulator client create-claim --issuer did:web:example.org --content-type application/json --payload '{"sun": "yellow"}' --out claim.cose
Claim written to claim.cose
$ scitt-emulator client submit-claim --claim claim.cose --out claim.receipt.cbor
Claim registered with entry ID 1
Receipt written to claim.receipt.cbor
```
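Added example (not code from the PR or from the scitt-api-emulator project): a single-process version of the is_on_blocklist.py + enforce_policy.py + nodemon pipeline above, showing the whole file contract in one place. It carries its own minimal CBOR codec instead of cbor2/pycose so it runs offline; it uses label 3 as the COSE content-type header and assumes label 391 for the issuer header (the emulator's COSE_Headers_Issuer value is not on this page); the sample claims it constructs carry placeholder signatures, since signature verification is the emulator's job. Where the shell pipeline routes any non-zero exit, including an exception on an undecodable claim, to the insert marker, this version records such claims as operation.policy.failure, and it never re-decides an operation that already has a marker.

```python
import pathlib
import tempfile
from collections import namedtuple
# Minimal CBOR subset (ints, bstr, tstr, array, map, tag) so this runs without
# cbor2 or pycose. Labels 1 (alg) and 3 (content type) are the standard COSE
# header labels; 391 for the issuer header is an assumption, not from the page.
COSE_SIGN1_TAG, HDR_ALG, HDR_CONTENT_TYPE, HDR_ISSUER = 18, 1, 3, 391
BLOCKLIST = {"did:web:example.com"}  # constructed sample blocklist
Tag = namedtuple("Tag", "tag value")

def _head(major, n):
    # CBOR initial byte (major type + additional info) followed by the argument.
    if n < 24:
        return bytes([(major << 5) | n])
    size = next(s for s in (1, 2, 4, 8) if n < 1 << (8 * s))
    return bytes([(major << 5) | (23 + size.bit_length())]) + n.to_bytes(size, "big")

def cbor_encode(v):
    if isinstance(v, Tag):
        return _head(6, v.tag) + cbor_encode(v.value)
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(map(cbor_encode, v))
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")

def _decode(buf, i):
    # Decode one CBOR item at offset i; returns (value, offset just past it).
    major, info = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if info < 24:
        n = info
    elif info <= 27:
        size = 1 << (info - 24)
        n, i = int.from_bytes(buf[i:i + size], "big"), i + size
    else:
        raise ValueError("indefinite-length or reserved item")
    if major < 2:
        return (n if major == 0 else -1 - n), i
    if major < 4:
        if i + n > len(buf):
            raise ValueError("truncated string")
        chunk = bytes(buf[i:i + n])
        return (chunk if major == 2 else chunk.decode("utf-8")), i + n
    if major < 6:  # array, or map read as alternating keys and values
        items = []
        for _ in range(n * (2 if major == 5 else 1)):
            item, i = _decode(buf, i)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), i
    if major == 6:
        inner, i = _decode(buf, i)
        return Tag(n, inner), i
    raise ValueError("floats and simple values are not needed here")

def make_claim(issuer, content_type, payload):
    # Constructed sample COSE_Sign1; the signature is a placeholder (verifying it
    # is the emulator's job, the policy engine only reads the protected header).
    protected = cbor_encode({HDR_ALG: -7, HDR_CONTENT_TYPE: content_type, HDR_ISSUER: issuer})
    return cbor_encode(Tag(COSE_SIGN1_TAG, [protected, {}, payload, b"\x00" * 64]))

def evaluate_claim(claim):
    # 'insert', 'denied' or 'failure'; unparseable input fails closed, not open.
    try:
        msg, end = _decode(claim, 0)
        if end != len(claim) or not isinstance(msg, Tag) or msg.tag != COSE_SIGN1_TAG:
            raise ValueError("not a COSE_Sign1 message")
        protected, _unprotected, _payload, _signature = msg.value
        phdr, _ = _decode(protected, 0)  # only the signed (protected) header counts
        issuer = phdr.get(HDR_ISSUER) if isinstance(phdr, dict) else None
        if HDR_CONTENT_TYPE not in phdr or not isinstance(issuer, str):
            raise ValueError("missing content type or issuer header parameter")
    except (ValueError, TypeError, IndexError, UnicodeDecodeError, RecursionError):
        return "failure"
    return "denied" if issuer in BLOCKLIST else "insert"

def run_policy_engine(operations_dir):
    # One pass over the operations directory: decide each undecided *.cose and
    # record the decision as <name>.policy.<action>, as enforce_policy.py does.
    decisions = {}
    for cose_path in sorted(pathlib.Path(operations_dir).glob("*.cose")):
        if any(cose_path.with_suffix(f".policy.{a}").exists() for a in ("insert", "denied", "failure")):
            continue  # already decided; a re-run must never flip an earlier marker
        action = evaluate_claim(cose_path.read_bytes())
        cose_path.with_suffix(f".policy.{action}").write_text("")
        decisions[cose_path.name] = action
    return decisions

def demo():
    # Constructed operations directory: blocked issuer, allowed issuer, corrupt file.
    ops = pathlib.Path(tempfile.mkdtemp())
    (ops / "op1.cose").write_bytes(make_claim("did:web:example.com", "application/json", b'{"sun": "yellow"}'))
    (ops / "op2.cose").write_bytes(make_claim("did:web:example.org", "application/json", b'{"sun": "yellow"}'))
    (ops / "op3.cose").write_bytes(b"\xff\xfe not a COSE message")
    return run_policy_engine(ops), run_policy_engine(ops)  # second pass re-decides nothing

if __name__ == "__main__":
    print(demo())
```

Pointing run_policy_engine at workspace/storage/operations from the nodemon --exec hook, or from a plain polling loop, produces the same marker files the emulator consumes. The decision is taken only from the protected header: an issuer supplied in the unprotected header, or a claim with trailing bytes after the COSE_Sign1, ends up as a failure marker rather than an insert.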