Closed achamayou closed 3 months ago
@achamayou We already have an endpoint to get the current SCITT configuration: https://github.com/microsoft/scitt-ccf-ledger/blob/7653085d4964218ef55bf24821bb2fd97fec74d0/app/src/service_endpoints.h#L224.
Are you referring to something else? If so, could you please provide more details?
@andpiccione, thank you, I need more coffee :) I guess it's worth adding a test to make sure the policy is included there.
FYI x509 certs are visible in /gov/kv/tls/ca_cert_bundles
, they are configured through the set_ca_cert_bundle
action https://github.com/microsoft/scitt-ccf-ledger/blob/main/docs/configuration.md#trust-stores
@ivarprudnikov the /gov/kv/*
endpoints are auto-generated by CCF, and are deprecated in favour of Azure-compliant, schema-first versioned APIs: https://microsoft.github.io/CCF/main/governance/gov_api_schemas/classic.html
Indeed the config is there already, closing this issue. To repro:
echo <<< EOL
{
"policy": {
"policy_script": "export function apply(profile, phdr) { if (profile !== 'IETF') { return 'Unexpected profile'; } if (!phdr.issuer) {return 'Issuer not found'} if (phdr.issuer !== 'did:x509:0:sha256:HnwZ4lezuxq/GVcl/Sk7YWW170qAD0DZBLXilXet0jg=::eku:1.3.6.1.4.1.311.10.3.13') { return 'Invalid issuer'; } }"
},
"authentication": {
"allow_unauthenticated": true
}
}
EOL >> test-config.json;
./pyscitt.sh governance propose_configuration -k --url https://localhost:8000 --member-key workspace/member0_privk.pem --member-cert workspace/member0_cert.pem --configuration test-config.json
curl -k https://localhost:8000/configuration
...
{"authentication":{"allow_unauthenticated":true},"policy":{"policy_script":"export function apply(profile, phdr) { if (profile !== 'IETF') { return 'Unexpected profile'; } if (!phdr.issuer) {return 'Issuer not found'} if (phdr.issuer !== 'did:x509:0:sha256:HnwZ4lezuxq/GVcl/Sk7YWW170qAD0DZBLXilXet0jg=::eku:1.3.6.1.4.1.311.10.3.13') { return 'Invalid issuer'; } }"}}
While the service configuration, including registration policies, is updated through governance proposals, it would be convenient for users of the service to be able to fetch the current version through an endpoint.
@ivarprudnikov suggested a similar endpoint exists for the configured x509 roots of trust used to decide acceptance in situations that don't use IETF/did:x509, but I can't seem to find it. This new endpoint would fulfill a similar purpose for security policies.