up

scripts/policy/attest-verify.sh

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Create and verify a DSSE attestation for a policy blob using cosign.
+# Intended for CI and offline use; works with base64 inlined keys.
+
+usage() {
+  cat <<'USAGE'
+Usage: attest-verify.sh --file <path> [--predicate <json>] [--type stella.policy] [--out-dir out/policy-sign]
+Env:
+  COSIGN_KEY_B64   base64-encoded PEM private key (if not using COSIGN_KEY path)
+  COSIGN_PASSWORD  passphrase for the private key (optional)
+USAGE
+}
+
+FILE=""
+PREDICATE=""
+TYPE="stella.policy"
+OUT_DIR="out/policy-sign"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --file) FILE="$2"; shift 2;;
+    --predicate) PREDICATE="$2"; shift 2;;
+    --type) TYPE="$2"; shift 2;;
+    --out-dir) OUT_DIR="$2"; shift 2;;
+    -h|--help) usage; exit 0;;
+    *) echo "Unknown arg: $1" >&2; usage; exit 1;;
+  esac
+done
+
+if [[ -z "$FILE" ]]; then echo "--file is required" >&2; exit 1; fi
+if [[ ! -f "$FILE" ]]; then echo "file not found: $FILE" >&2; exit 1; fi
+
+if ! command -v cosign >/dev/null 2>&1; then
+  echo "cosign is required on PATH" >&2
+  exit 1
+fi
+
+mkdir -p "$OUT_DIR"
+BASENAME=$(basename "$FILE")
+KEY_PATH=${COSIGN_KEY:-"$OUT_DIR/cosign.key"}
+PUB_OUT="$OUT_DIR/cosign.pub"
+BUNDLE="$OUT_DIR/${BASENAME}.attestation.sigstore"
+
+if [[ -n "${COSIGN_KEY_B64:-}" ]]; then
+  printf "%s" "$COSIGN_KEY_B64" | base64 -d > "$KEY_PATH"
+  chmod 600 "$KEY_PATH"
+fi
+
+if [[ ! -f "$KEY_PATH" ]]; then
+  echo "Missing signing key; set COSIGN_KEY_B64 or COSIGN_KEY path" >&2
+  exit 1
+fi
+
+export COSIGN_PASSWORD=${COSIGN_PASSWORD:-}
+
+if [[ -z "$PREDICATE" ]]; then
+  PREDICATE="$OUT_DIR/${BASENAME}.predicate.json"
+  sha256sum "$FILE" | awk '{print $1}' > "$OUT_DIR/${BASENAME}.sha256"
+  cat > "$PREDICATE" <<EOF
+{
+  "file": "$FILE",
+  "sha256": "$(cat "$OUT_DIR/${BASENAME}.sha256")",
+  "createdAt": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
+  "type": "$TYPE"
+}
+EOF
+fi
+
+cosign public-key --key "$KEY_PATH" > "$PUB_OUT"
+
+cosign attest-blob \
+  --predicate "$PREDICATE" \
+  --type "$TYPE" \
+  --bundle "$BUNDLE" \
+  --key "$KEY_PATH" \
+  "$FILE"
+
+cosign verify-blob-attestation \
+  --key "$PUB_OUT" \
+  --type "$TYPE" \
+  --bundle "$BUNDLE" \
+  "$FILE"
+
+printf "Attestation bundle -> %s\nVerified with -> %s\n" "$BUNDLE" "$PUB_OUT"

scripts/policy/batch-simulate.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -euo pipefail
+ROOT=$(cd "$(dirname "$0")/.." && pwd)
+CLI_PROJECT="$ROOT/Cli/StellaOps.Cli/StellaOps.Cli.csproj"
+POLICY_FILES=("docs/examples/policies/baseline.stella" "docs/examples/policies/internal-only.stella" "docs/examples/policies/serverless.stella")
+SBOM_FILE="docs/examples/policies/sample-sbom.json"
+OUT_DIR="${OUT_DIR:-out/policy-sim}"
+THRESHOLD=${THRESHOLD:-0}
+
+usage() {
+  cat <<'USAGE'
+Batch policy simulate harness (DEVOPS-POLICY-27-002)
+- Runs stella policy simulate against sample policies and a sample SBOM
+- Fails if violation count exceeds THRESHOLD (default 0)
+
+Env/flags:
+  OUT_DIR=out/policy-sim
+  THRESHOLD=0
+  SBOM_FILE=docs/examples/policies/sample-sbom.json
+USAGE
+}
+
+if [[ ${1:-} == "-h" || ${1:-} == "--help" ]]; then usage; exit 0; fi
+mkdir -p "$OUT_DIR"
+
+violations=0
+for policy in "${POLICY_FILES[@]}"; do
+  name=$(basename "$policy" .stella)
+  report="$OUT_DIR/${name}-simulate.json"
+  dotnet run --project "$CLI_PROJECT" -- policy simulate --policy "$policy" --sbom "$SBOM_FILE" --format json --no-color > "$report"
+  # count violations if field exists
+  count=$(python - <<PY "$report"
+import json,sys
+with open(sys.argv[1]) as f:
+    data=json.load(f)
+viol = 0
+if isinstance(data, dict):
+    viol = len(data.get("violations", [])) if isinstance(data.get("violations", []), list) else 0
+print(viol)
+PY)
+  echo "[$name] violations=$count" | tee -a "$OUT_DIR/summary.txt"
+  violations=$((violations + count))
+done
+
+echo "total_violations=$violations" | tee -a "$OUT_DIR/summary.txt"
+if (( violations > THRESHOLD )); then
+  echo "Violation threshold exceeded ($violations > $THRESHOLD)" >&2
+  exit 1
+fi

scripts/policy/rotate-key.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Generates a new cosign keypair for policy signing.
+# Outputs PEMs in out/policy-sign/keys and base64 ready for CI secrets.
+
+OUT_DIR=${OUT_DIR:-out/policy-sign/keys}
+PREFIX=${PREFIX:-policy-cosign}
+PASSWORD=${COSIGN_PASSWORD:-}
+
+mkdir -p "$OUT_DIR"
+KEY_PREFIX="$OUT_DIR/$PREFIX"
+
+if ! command -v cosign >/dev/null 2>&1; then
+  echo "cosign is required on PATH" >&2
+  exit 1
+fi
+
+export COSIGN_PASSWORD="$PASSWORD"
+cosign version >/dev/null
+cosign generate-key-pair --output-key-prefix "$KEY_PREFIX" >/dev/null
+
+BASE64_PRIV=$(base64 < "${KEY_PREFIX}.key" | tr -d '\n')
+BASE64_PUB=$(base64 < "${KEY_PREFIX}.pub" | tr -d '\n')
+
+cat > "$OUT_DIR/README.txt" <<EOF
+Key prefix: $KEY_PREFIX
+Private key (base64): $BASE64_PRIV
+Public key (base64): $BASE64_PUB
+Set secrets:
+  POLICY_COSIGN_KEY_B64=$BASE64_PRIV
+  POLICY_COSIGN_PUB_B64=$BASE64_PUB
+EOF
+
+printf "Generated keys under %s\n" "$OUT_DIR"

scripts/policy/sign-policy.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Signs a policy file with cosign and verifies it. Intended for CI and offline use.
+# Requires COSIGN_KEY_B64 (private key PEM base64) or KMS envs; optional COSIGN_PASSWORD.
+
+usage() {
+  cat <<'USAGE'
+Usage: sign-policy.sh --file <path> [--out-dir out/policy-sign]
+Env:
+  COSIGN_KEY_B64   base64-encoded PEM private key (if not using KMS)
+  COSIGN_PASSWORD  passphrase for the key (can be empty for test keys)
+  COSIGN_PUBLIC_KEY_PATH optional path to write public key for verify step
+USAGE
+}
+
+FILE=""
+OUT_DIR="out/policy-sign"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --file) FILE="$2"; shift 2;;
+    --out-dir) OUT_DIR="$2"; shift 2;;
+    -h|--help) usage; exit 0;;
+    *) echo "Unknown arg: $1" >&2; usage; exit 1;;
+  esac
+done
+
+if [[ -z "$FILE" ]]; then echo "--file is required" >&2; exit 1; fi
+if [[ ! -f "$FILE" ]]; then echo "file not found: $FILE" >&2; exit 1; fi
+
+mkdir -p "$OUT_DIR"
+BASENAME=$(basename "$FILE")
+SIG="$OUT_DIR/${BASENAME}.sig"
+PUB_OUT="${COSIGN_PUBLIC_KEY_PATH:-$OUT_DIR/cosign.pub}"
+
+if [[ -n "${COSIGN_KEY_B64:-}" ]]; then
+  KEYFILE="$OUT_DIR/cosign.key"
+  printf "%s" "$COSIGN_KEY_B64" | base64 -d > "$KEYFILE"
+  chmod 600 "$KEYFILE"
+  export COSIGN_KEY="$KEYFILE"
+fi
+
+export COSIGN_PASSWORD=${COSIGN_PASSWORD:-}
+cosign version >/dev/null
+
+cosign sign-blob "$FILE" --output-signature "$SIG"
+cosign public-key --key "$COSIGN_KEY" > "$PUB_OUT"
+cosign verify-blob --key "$PUB_OUT" --signature "$SIG" "$FILE"
+
+printf "Signed %s -> %s\nPublic key -> %s\n" "$FILE" "$SIG" "$PUB_OUT"