stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save work

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-19 09:40:41 +02:00
parent 2eafe98d44
commit 43882078a4
44 changed files with 3044 additions and 492 deletions
Download Patch File Download Diff File Expand all files Collapse all files

134
src/Policy/StellaOps.Policy.Engine/Attestation/PolicyDecisionAttestationService.cs
View File

@@ -85,8 +85,21 @@ public sealed class PolicyDecisionAttestationService : IPolicyDecisionAttestatio
var payloadBase64 = Convert.ToBase64String(statementJson);
// Sign the payload
string? tenantId = request.TenantId;
if (string.IsNullOrWhiteSpace(tenantId) && _signerClient is not null && options.UseSignerService)
{
return new PolicyDecisionAttestationResult
{
Success = false,
Error = "TenantId is required when using the signer service"
};
}
tenantId ??= "unknown";
string? attestationDigest;
string? keyId;
VexDsseSignature signature;
if (_signerClient is not null && options.UseSignerService)
{
@@ -96,7 +109,7 @@ public sealed class PolicyDecisionAttestationService : IPolicyDecisionAttestatio
PayloadType = PredicateTypes.StellaOpsPolicyDecision,
PayloadBase64 = payloadBase64,
KeyId = request.KeyId ?? options.DefaultKeyId,
TenantId = request.TenantId
TenantId = tenantId
},
cancellationToken).ConfigureAwait(false);
@@ -110,25 +123,39 @@ public sealed class PolicyDecisionAttestationService : IPolicyDecisionAttestatio
};
}
// Compute attestation digest from signed payload
attestationDigest = ComputeDigest(statementJson);
keyId = signResult.KeyId;
signature = new VexDsseSignature
{
KeyId = signResult.KeyId,
Sig = signResult.Signature!
};
}
else
{
// Create unsigned attestation (dev/test mode)
attestationDigest = ComputeDigest(statementJson);
// Create locally-signed envelope (dev/test mode; placeholder signature).
keyId = null;
_logger.LogDebug("Created unsigned attestation (signer service not available)");
signature = SignLocally(PredicateTypes.StellaOpsPolicyDecision, statementJson);
_logger.LogDebug("Created locally-signed attestation (signer service not available)");
}
var envelope = new VexDsseEnvelope
{
PayloadType = PredicateTypes.StellaOpsPolicyDecision,
Payload = payloadBase64,
Signatures = [signature]
};
var envelopeJson = SerializeCanonical(envelope);
var envelopeDigestHex = Convert.ToHexString(SHA256.HashData(envelopeJson)).ToLowerInvariant();
attestationDigest = $"sha256:{envelopeDigestHex}";
// Submit to Rekor if requested
RekorSubmissionResult? rekorResult = null;
var shouldSubmitToRekor = request.SubmitToRekor || options.SubmitToRekorByDefault;
if (shouldSubmitToRekor && attestationDigest is not null)
{
rekorResult = await SubmitToRekorAsync(attestationDigest, cancellationToken)
rekorResult = await SubmitEnvelopeToRekorAsync(envelope, envelopeDigestHex, request, cancellationToken)
.ConfigureAwait(false);
if (!rekorResult.Success)
@@ -266,6 +293,99 @@ public sealed class PolicyDecisionAttestationService : IPolicyDecisionAttestatio
return JsonSerializer.SerializeToUtf8Bytes(value, CanonicalJsonOptions);
}
private static VexDsseSignature SignLocally(string payloadType, byte[] payload)
{
// DSSE PAE: "DSSEv1" + len(payloadType) + payloadType + len(payload) + payload
using var ms = new MemoryStream();
using var writer = new BinaryWriter(ms);
var prefix = "DSSEv1 "u8;
writer.Write(prefix);
var typeBytes = Encoding.UTF8.GetBytes(payloadType);
writer.Write(typeBytes.Length.ToString());
writer.Write(' ');
writer.Write(typeBytes);
writer.Write(' ');
writer.Write(payload.Length.ToString());
writer.Write(' ');
writer.Write(payload);
var pae = ms.ToArray();
var signatureBytes = SHA256.HashData(pae);
return new VexDsseSignature
{
Sig = Convert.ToBase64String(signatureBytes)
};
}
private async Task<RekorSubmissionResult> SubmitEnvelopeToRekorAsync(
VexDsseEnvelope envelope,
string envelopeDigestHex,
PolicyDecisionAttestationRequest request,
CancellationToken cancellationToken)
{
if (_rekorClient is null)
{
return new RekorSubmissionResult
{
Success = false,
Error = "Rekor client not available"
};
}
var subjectUris = request.Subjects
.OrderBy(static x => x.Name, StringComparer.Ordinal)
.Select(static subject =>
{
var digest = subject.Digest
.OrderBy(static kvp => kvp.Key, StringComparer.Ordinal)
.Select(static kvp => $"{kvp.Key}:{kvp.Value}")
.FirstOrDefault();
return digest is null ? subject.Name : $"{subject.Name}@{digest}";
})
.ToList();
var submitResult = await _rekorClient.SubmitAsync(
new VexRekorSubmitRequest
{
Envelope = envelope,
EnvelopeDigest = envelopeDigestHex,
ArtifactKind = "policy-decision",
SubjectUris = subjectUris
},
cancellationToken).ConfigureAwait(false);
if (!submitResult.Success)
{
return new RekorSubmissionResult
{
Success = false,
Error = submitResult.Error ?? "Rekor submission failed"
};
}
if (submitResult.Metadata is null)
{
return new RekorSubmissionResult
{
Success = false,
Error = "Rekor submission succeeded but no metadata was returned"
};
}
return new RekorSubmissionResult
{
Success = true,
LogIndex = submitResult.Metadata.Index,
Uuid = submitResult.Metadata.Uuid,
IntegratedTime = submitResult.Metadata.IntegratedAt
};
}
private static string ComputeDigest(byte[] data)
{
var hash = SHA256.HashData(data);