microsoft / scitt-ccf-ledger

Supply Chain Integrity Transparency and Trust ledger application using Confidential Consortium Framework (CCF)
MIT License

Expose service configuration through an endpoint #207

Closed achamayou closed 3 months ago

achamayou commented 3 months ago

While the service configuration, including registration policies, is updated through governance proposals, it would be convenient for users of the service to be able to fetch the current version through an endpoint.

@ivarprudnikov suggested a similar endpoint exists for the configured x509 roots of trust used to decide acceptance in situations that don't use IETF/did:x509, but I can't seem to find it. This new endpoint would fulfill a similar purpose for security policies.

andpiccione commented 3 months ago

@achamayou We already have an endpoint to get the current SCITT configuration: https://github.com/microsoft/scitt-ccf-ledger/blob/7653085d4964218ef55bf24821bb2fd97fec74d0/app/src/service_endpoints.h#L224.

Are you referring to something else? If so, could you please provide more details?

achamayou commented 3 months ago

@andpiccione, thank you, I need more coffee :) I guess it's worth adding a test to make sure the policy is included there.

ivarprudnikov commented 3 months ago

FYI x509 certs are visible in /gov/kv/tls/ca_cert_bundles, they are configured through the set_ca_cert_bundle action https://github.com/microsoft/scitt-ccf-ledger/blob/main/docs/configuration.md#trust-stores

achamayou commented 3 months ago

@ivarprudnikov the /gov/kv/* endpoints are auto-generated by CCF, and are deprecated in favour of Azure-compliant, schema-first versioned APIs: https://microsoft.github.io/CCF/main/governance/gov_api_schemas/classic.html

ivarprudnikov commented 3 months ago

Indeed the config is there already, closing this issue. To repro:

# Write the test configuration to a file (quoted delimiter keeps the script literal)
cat > test-config.json << 'EOL'
{
    "policy": {
        "policy_script": "export function apply(profile, phdr) { if (profile !== 'IETF') { return 'Unexpected profile'; } if (!phdr.issuer) {return 'Issuer not found'} if (phdr.issuer !== 'did:x509:0:sha256:HnwZ4lezuxq/GVcl/Sk7YWW170qAD0DZBLXilXet0jg=::eku:1.3.6.1.4.1.311.10.3.13') { return 'Invalid issuer'; } }"
    },
    "authentication": {
        "allow_unauthenticated": true
    }
}
EOL
./pyscitt.sh governance propose_configuration -k --url https://localhost:8000 --member-key workspace/member0_privk.pem --member-cert workspace/member0_cert.pem --configuration test-config.json
curl -k https://localhost:8000/configuration
...
{"authentication":{"allow_unauthenticated":true},"policy":{"policy_script":"export function apply(profile, phdr) { if (profile !== 'IETF') { return 'Unexpected profile'; } if (!phdr.issuer) {return 'Issuer not found'} if (phdr.issuer !== 'did:x509:0:sha256:HnwZ4lezuxq/GVcl/Sk7YWW170qAD0DZBLXilXet0jg=::eku:1.3.6.1.4.1.311.10.3.13') { return 'Invalid issuer'; } }"}}