Support unsigned command verification into the tool #15
I'm wondering how configurable this needs to be @lox... I'm thinking this could instead be some hard coded rules that are:
Keen for thoughts, as the above is really the behaviour most people would want (I imagine)
Note that the rules get slightly complex if plugins are referenced, but the
if strings.HasPrefix(command, "buildkite-signed-pipeline upload") {
	// do kingpin parsing of `command`
	// work out what the `file` is (if any)
	// check to make sure `file` is a file in the repository
}
I'll look at this as part of #16 -- as this PR closes the possibility of plugins to be injected into "allowed commands"
I reckon it might be a good idea to write up in the README "attack scenarios", e.g. what potential threats we are aiming to solve and scenarios and how
Good idea, will help shape this :-)
log.Println("✅ Allowing allow-listed command as no signature is specified, and no plugins are referenced") | ||
return nil | ||
} | ||
log.Println("❗️Forcing signature check as pstep has an expected signature or referenced plugins") |
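Review bot: the allow branch logs a fixed string through log.Println and then returns nil, so the log never records which command was let through without a signature. Consider including the command in that message, and in the "Forcing signature check" message on the last line, so that unsigned executions can be audited from the log.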
Typo? pstep
Good pickup! Indeed
This is looking really good, nice one @zsims
After writing up the attack scenarios (great suggestion, many thanks 😁) I'm not convinced this level of flexibility is needed as from what I've seen consumers want to be able to:
Do you think it's worth addressing those first? This PR won't let you call
After some thought, I completely agree. I reckon we should keep it simple and not introduce this!
Awesome, will look at a simple PR that lets through unsigned
This closes #14 by allowing a list of commands to be specified that can remain unsigned. This ensures plugins are still verified, and/or the step is still verified if a step signature is found.
I'll look at a "command eval" style approach in a future PR -- e.g. any script in the repository may be executed by default.
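
The rule described in this PR, sketched as an added Go example (not code from the project or this PR): an allow-listed command may stay unsigned only when the step carries no signature and references no plugins. The `Step` type, the `Decide` function and the exact-match comparison against the allow-list are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Step is a hypothetical, simplified pipeline step (not the project's type).
type Step struct {
	Command   string
	Plugins   []string
	Signature string // empty when the step carries no signature
}

// Decide returns true when the step may run without a signature check.
// A signature or any plugin reference always forces verification; otherwise
// the command must equal an allow-list entry exactly (assumed matching rule),
// so an allowed command with extra shell appended does not qualify.
func Decide(s Step, allowed []string) (allowUnsigned bool, reason string) {
	if s.Signature != "" {
		return false, "step has an expected signature"
	}
	if len(s.Plugins) > 0 {
		return false, "step references plugins"
	}
	cmd := strings.TrimSpace(s.Command)
	for _, a := range allowed {
		if cmd == a {
			return true, "allow-listed command, no signature, no plugins"
		}
	}
	return false, "command is not allow-listed"
}

func main() {
	allowed := []string{"make test"} // constructed sample allow-list
	steps := []Step{ // constructed sample steps
		{Command: "make test"},
		{Command: "make test", Plugins: []string{"example-plugin"}},
		{Command: "make test", Signature: "constructed-signature"},
		{Command: "make test && ./other.sh"},
	}
	for _, s := range steps {
		ok, why := Decide(s, allowed)
		fmt.Printf("%-28q unsigned=%-5v %s\n", s.Command, ok, why)
	}
}
```

A `false` result here means the step goes through the normal signature check, which an unsigned step then fails.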