Re: [SCITT] scitt-api-emulator: pull request: policy engine: Simple decoupled file based policy engine

John Andersen <johnandersenpdx@gmail.com> Fri, 28 April 2023 04:32 UTC


Hi all,

I've updated the pull request to align with Darrel’s review comments on
error properties. However, as mentioned in
https://github.com/ietf-wg-scitt/draft-ietf-scitt-architecture/issues/62 it
would be great to return an object in addition to or instead of a string.
Or allow for other properties which would be fully content-typeable to a
custom response object within the error response on claim insert failure.

Lack of this prevents an automated conversation to resolve issues with
claim insertion. Human readable strings are great, but ideally a human
doesn't even get involved and machines can auto remediate issues due to
detailed failure reasoning. This way a human readable string might only
be needed after a failed machine driven insert conversation (more than one
call response).

Thank you,
John

On Fri, Mar 31, 2023 at 15:05 Andersen, John S <john.s.andersen@intel.com>
wrote:

> Hi all,
>
> Happy Friday!
>
> Just wanted to see if the mailing list had any thoughts on this and
> broadcast for visibility and others who want to experiment in this space as
> well as hoping for review/merge of this PR.
>
> https://github.com/scitt-community/scitt-api-emulator/pull/27 enables a
> simple insert policy based engine based on presence of
> operation.policy.{insert,denied,failure} files. Currently only for use with
> use_lro=True. This is a simple way to enable evaluation of claims prior to
> submission by arbitrary policy engines which watch the workspace (fanotify,
> inotify, etc.).
>
> We could also load content from those files in the future, for aiding in
> explaining reasons for failure or denial. Left that out for now to strip to
> the bare minimum.
>
> Thank you,
>
> John
>
> Associated docs reproduced below:
>
> Registration Policies
> <https://github.com/scitt-community/scitt-api-emulator/blob/2787820abf3fa4701bc46a9629cd98d11254fbe6/docs/registration_policies.md#registration-policies>
>
>    - References
>       - 5.2.2. Registration Policies
>       <https://www.ietf.org/archive/id/draft-birkholz-scitt-architecture-02.html#name-registration-policies>
>
> Simple decoupled file based policy engine
>
> The SCITT API emulator can deny entry based on presence of
> operation.policy.{insert,denied,failure} files. Currently only for use
> with use_lro=True.
>
> This is a simple way to enable evaluation of claims prior to submission by
> arbitrary policy engines which watch the workspace (fanotify, inotify,
> etc.).
>
> Start the server
>
> $ rm -rf workspace/
> $ mkdir -p workspace/storage/operations
> $ scitt-emulator server --workspace workspace/ --tree-alg CCF --use-lro
> Service parameters: workspace/service_parameters.json
> ^C
>
> Modification of config to non-* insert policy. Restart SCITT API emulator
> server after this.
>
> $ echo "$(cat workspace/service_parameters.json)" \
>     | jq '.insertPolicy = "external"' \
>     | tee workspace/service_parameters.json.new \
>     && mv workspace/service_parameters.json.new workspace/service_parameters.json
> {
>   "serviceId": "emulator",
>   "treeAlgorithm": "CCF",
>   "signatureAlgorithm": "ES256",
>   "serviceCertificate": "-----BEGIN CERTIFICATE-----",
>   "insertPolicy": "external"
> }
>
>
>
> Basic policy engine in two files
>
> *enforce_policy.py*
>
> import os
> import sys
> import pathlib
>
> # The last argument is the operation's .cose file; POLICY_ACTION is one of
> # insert, denied or failure. Creating <operation>.policy.<action> is the
> # whole signal: the emulator currently only checks for the file's presence.
> cose_path = pathlib.Path(sys.argv[-1])
> policy_action_path = cose_path.with_suffix(".policy." + os.environ["POLICY_ACTION"].lower())
> policy_action_path.write_text("")
>
> Simple drop rule based on claim content blocklist.
>
> *is_on_blocklist.py*
>
> import os
> import sys
> import json
>
> import cbor2
> import pycose
> from pycose.messages import CoseMessage, Sign1Message
>
> from scitt_emulator.scitt import ClaimInvalidError, COSE_Headers_Issuer
>
> BLOCKLIST_DEFAULT = [
>     "did:web:example.com",
> ]
> BLOCKLIST_DEFAULT_JSON = json.dumps(BLOCKLIST_DEFAULT)
> # A JSON array in the BLOCKLIST environment variable overrides the default.
> BLOCKLIST = json.loads(os.environ.get("BLOCKLIST", BLOCKLIST_DEFAULT_JSON))
>
> # The claim (a COSE_Sign1 message) is piped in on stdin.
> claim = sys.stdin.buffer.read()
>
> msg = CoseMessage.decode(claim)
>
> if pycose.headers.ContentType not in msg.phdr:
>     raise ClaimInvalidError(
>         "Claim does not have a content type header parameter"
>     )
> if COSE_Headers_Issuer not in msg.phdr:
>     raise ClaimInvalidError("Claim does not have an issuer header parameter")
>
> # Non-zero exit when the issuer is not blocklisted, so the caller inserts.
> if msg.phdr[COSE_Headers_Issuer] not in BLOCKLIST:
>     sys.exit(1)
>
> # EXIT_SUCCESS == MUST block. In case of thrown errors/exceptions.
>
>
>
> Example running blocklist check and enforcement to disable issuer
> (example: did:web:example.com).
>
> $ npm install -g nodemon
> $ nodemon -e .cose --exec 'find workspace/storage/operations -name \*.cose -exec nohup sh -xc "echo {} && (python3 is_on_blocklist.py < {} && POLICY_ACTION=denied python3 enforce_policy.py {}) || POLICY_ACTION=insert python3 enforce_policy.py {}" \;'
>
> Create claim from blocked issuer (.com) and from non-blocked (.org).
>
> $ scitt-emulator client create-claim --issuer did:web:example.com --content-type application/json --payload '{"sun": "yellow"}' --out claim.cose
> Claim written to claim.cose
> $ scitt-emulator client submit-claim --claim claim.cose --out claim.receipt.cbor
> Traceback (most recent call last):
>   File "/home/alice/.local/bin/scitt-emulator", line 33, in <module>
>     sys.exit(load_entry_point('scitt-emulator', 'console_scripts', 'scitt-emulator')())
>   File "/home/alice/Documents/python/scitt-api-emulator/scitt_emulator/cli.py", line 22, in main
>     args.func(args)
>   File "/home/alice/Documents/python/scitt-api-emulator/scitt_emulator/client.py", line 182, in <lambda>
>     func=lambda args: submit_claim(
>   File "/home/alice/Documents/python/scitt-api-emulator/scitt_emulator/client.py", line 93, in submit_claim
>     raise_for_operation_status(operation)
>   File "/home/alice/Documents/python/scitt-api-emulator/scitt_emulator/client.py", line 29, in raise_for_operation_status
>     raise RuntimeError(f"Operation error: {operation['error']}")
> RuntimeError: Operation error: {'status': 'denied'}
> $ scitt-emulator client create-claim --issuer did:web:example.org --content-type application/json --payload '{"sun": "yellow"}' --out claim.cose
> Claim written to claim.cose
> $ scitt-emulator client submit-claim --claim claim.cose --out claim.receipt.cbor
> Claim registered with entry ID 1
> Receipt written to claim.receipt.cbor
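Added example, not code from the pull request or the emulator: a stdlib-only stand-in for the quoted is_on_blocklist.py/enforce_policy.py pair that decodes the COSE_Sign1 protected header without pycose, writes the same operation.policy.{insert,denied,failure} sidecar, and puts a JSON decision object in it in the spirit of the structured error the reply asks for; undecodable input lands in .policy.failure instead of falling through to insert. Assumptions: header label 391 for the issuer (taken to match the emulator's COSE_Headers_Issuer) and the standard label 3 for content type; the sample claim is constructed and unsigned.

```python
import json, pathlib, struct

CT, ISSUER = 3, 391  # COSE content-type label; 391 as the SCITT issuer label is an assumption (draft-02 / emulator)
BLOCKLIST = {"did:web:example.com"}  # same default as the quoted is_on_blocklist.py

def _head(major, n):  # CBOR head bytes for a major type and argument n < 65536 (constructed encoder)
    if n < 24: return bytes([major << 5 | n])
    if n < 256: return bytes([major << 5 | 24, n])
    return bytes([major << 5 | 25]) + struct.pack(">H", n)

def _decode(b, i=0):  # minimal CBOR decoder (ints, bstr, tstr, array, map, tag) -> (value, next index)
    major, arg, i = b[i] >> 5, b[i] & 0x1F, i + 1
    if arg == 24: arg, i = b[i], i + 1
    elif arg == 25: arg, i = struct.unpack(">H", b[i:i + 2])[0], i + 2
    elif arg >= 26: raise ValueError("unsupported CBOR argument encoding")
    if major == 0: return arg, i
    if major == 1: return -1 - arg, i
    if major in (2, 3): return (b[i:i + arg] if major == 2 else b[i:i + arg].decode()), i + arg
    if major == 6: return _decode(b, i)  # tag (18 = COSE_Sign1): keep only the tagged content
    items = {4: [], 5: {}}[major]  # KeyError for unsupported major types (floats, simple values)
    for _ in range(arg):
        if major == 4: v, i = _decode(b, i); items.append(v)
        else: k, i = _decode(b, i); items[k], i = _decode(b, i)
    return items, i

def evaluate(claim):  # policy decision as a machine-readable object; fails closed on undecodable input
    try:
        sign1, _ = _decode(claim)    # [protected bstr, unprotected map, payload, signature]
        phdr, _ = _decode(sign1[0])  # protected header is a CBOR map wrapped in a bstr
        if not isinstance(phdr, dict): raise ValueError("protected header is not a map")
    except (ValueError, IndexError, KeyError, TypeError, struct.error):
        return {"status": "failure", "reason": "malformed_cose"}
    if CT not in phdr: return {"status": "denied", "reason": "missing_content_type"}
    if ISSUER not in phdr: return {"status": "denied", "reason": "missing_issuer"}
    if phdr[ISSUER] in BLOCKLIST: return {"status": "denied", "reason": "issuer_blocklisted", "issuer": phdr[ISSUER]}
    return {"status": "insert"}

def enforce(cose_path):  # write <operation>.policy.{insert,denied,failure} next to the .cose; body = JSON decision
    cose_path = pathlib.Path(cose_path)
    decision = evaluate(cose_path.read_bytes())
    out = cose_path.with_suffix(".policy." + decision["status"])
    out.write_text(json.dumps(decision))
    return out

def make_claim(issuer, payload=b'{"sun": "yellow"}'):  # constructed, unsigned COSE_Sign1 with a dummy signature
    ct, iss = b"application/json", issuer.encode()
    phdr = _head(5, 2) + _head(0, CT) + _head(3, len(ct)) + ct + _head(0, ISSUER) + _head(3, len(iss)) + iss
    body = _head(5, 0) + _head(2, len(payload)) + payload + _head(2, 4) + b"sig!"
    return _head(6, 18) + _head(4, 4) + _head(2, len(phdr)) + phdr + body
```

Run as `enforce(path_to_operation_cose)` from a workspace watcher in place of the nodemon shell pipeline; the emulator still only reacts to the sidecar's presence, so the JSON body is there for the policy engine's own logs until structured reasons are surfaced.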