Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: create CLI spec for managing trust policies (phase 1) #568

Merged
merged 14 commits into from
Mar 17, 2023
232 changes: 232 additions & 0 deletions specs/commandline/policy.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,232 @@
# notation policy

## Description

As part of signature verification workflow, users need to configure the trust policies to specify trusted identities that signed the artifacts, and the level of signature verification to use. For more details, see [trust policy specification and examples](https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.2/specs/trust-store-trust-policy.md#trust-policy).

The `notation policy` command provides a user-friendly way to manage trust policies. It allows users to initialize trust policies with default values, import trust policies from a JSON file, and show trust policies. To get started user can use following sample trust policy. In this sample, there are four policies configured for different requirements:
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

- The Policy named "wabbit-networks-images" is for verifying images signed by Wabbit Networks and stored in two repositories `registry.acme-rockets.io/software/net-monitor` and `registry.acme-rockets.io/software/net-logger`.
- Policy named "unsigned-image" is for skipping the verification on unsigned images stored in repository `registry.acme-rockets.io/software/unsigned/net-utils`.
- Policy "allow-expired-images" is for logging instead of failing expired images stored in repository `registry.acme-rockets.io/software/legacy/metrics`.
- Policy "global-policy-for-all-other-images" is for verifying any other images that signed by the ACME Rockets.

```jsonc
{
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
"version": "1.0",
"trustPolicies": [
{
"name": "wabbit-networks-images",
"registryScopes": [
"registry.acme-rockets.io/software/net-monitor",
"registry.acme-rockets.io/software/net-logger"
],
"signatureVerification": {
"level": "strict"
},
"trustStores": [
"ca:wabbit-networks",
],
"trustedIdentities": [
"x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools"
]
},
{
"name": "unsigned-image",
"registryScopes": [ "registry.acme-rockets.io/software/unsigned/net-utils" ],
"signatureVerification": {
"level" : "skip"
}
},
{
"name": "allow-expired-images",
"registryScopes": [ "registry.acme-rockets.io/software/legacy/metrics" ],
"signatureVerification": {
"level" : "strict",
"override" : {
"expiry" : "log"
}
},
"trustStores": ["ca:acme-rockets"],
"trustedIdentities": ["*"]
},
{
"name": "global-policy-for-all-other-images",
"registryScopes": [ "*" ],
"signatureVerification": {
"level": "strict"
},
"trustStores": [
"ca:acme-rockets"
],
"trustedIdentities": [
"x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, CN=SecureBuilder"
]
}
]
}
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
```

## Outline

### notation policy command

```text
Manage trust policies for signature verification.

Usage:
notation policy [command]

Available Commands:
import import trust policies from a JSON file
init initialize trust policies with default values
show show trust policies

Flags:
-h, --help help for policy
```

### notation policy import

```text
Import trust policies from a JSON file
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Usage:
notation policy import [flags] <file_path>

Flags:
-d, --debug debug mode
--force override the existing trust policies, never prompt
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
-h, --help help for import
-v, --verbose verbose mode
```

### notation policy init

```text
Initialize trust policies with default values
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Usage:
notation policy init [flags]
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Flags:
-d, --debug debug mode
--force override the existing trust polices, never prompt
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
-h, --help help for export
--ts stringArray specify the trust stores in format "<type>:<name>", e.g. "ca:my_store"
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
-v, --verbose verbose mode
```

### notation policy show

```text
Show trust policies
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Usage:
notation policy [flags] show
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

Flags:
-d, --debug debug mode
-h, --help help for show
-v, --verbose verbose mode
```

## Usage

### Initialize trust policies with default values

```shell
notation policy init
```

Upon successful execution, trust policies with default values are created as following. Make sure to update the `trustStores` property with correct values.
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

```jsonc
{
"version": "1.0",
"trustPolicies": [
{
"name": "policy-by-init-command",
"registryScopes": ["*"],
"signatureVerification": {
"level": "strict"
},
"trustStores": ["ca:default"],
"trustedIdentities": ["*"]
}
]
}

```

Use `--force` flag to override existing policies without prompt.

### Initialize trust policies with specified trust stores

```shell
notation policy init --ts "ca:my_store" --ts "ca:my_store_2"
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
```

Upon successful execution, trust policies with default values and specified trust stores are created as following:
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

```jsonc
{
"version": "1.0",
"trustPolicies": [
{
"name": "policy-by-init-command",
"registryScopes": ["*"],
"signatureVerification": {
"level": "strict"
},
"trustStores": ["ca:my_store", "ca:my_store_2"],
"trustedIdentities": ["*"]
}
]
}
```

Use `--force` flag to override existing policies without prompt.

### Show trust policies

```shell
notation policy show
```

Upon successful execution, the trust policies are printed out in the console. If trust policies are not configured, users should receive an error message, and a tip to initialize trust policies using command `notation policy init`.

### Export trust policies into a JSON file

Users can redirect the output of command `notation policy show` to a JSON file.

```shell
notation policy show > ./trust_policy.json
```

### Import trust policies from a JSON file

```shell
notation policy import ./my_policy.json
```

The trust policies in the JSON file will be validated according to [trust policy properties](https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.2/specs/trust-store-trust-policy.md#trust-policy-properties). A successful message should be printed out if trust policies are imported successfully. Error logs including the reason should be printed out if the importing fails.

Use `--force` flag to override existing policies without prompt.
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

### Update trust policies
yizha1 marked this conversation as resolved.
Show resolved Hide resolved

The steps to update trust policies:

1. Export trust policies into a JSON file.

```shell
notation policy show > ./trust_policy.json
```

2. Edit the exported JSON file "trust_policy.json", update trust policies and save the file.
3. Import trust policies from the file.

```shell
notation policy import ./trust_policy.json
yizha1 marked this conversation as resolved.
Show resolved Hide resolved
```
27 changes: 14 additions & 13 deletions specs/notation-cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,19 +4,19 @@ This spec contains reference information on using notation commands. Each comman

## Notation Commands

| Command | Description |
| ------------------------------------------- | ----------------------------------------- |
| [certificate](./commandline/certificate.md) | Manage certificates in trust store |
| [inspect](./commandline/inspect.md) | Inspect signatures |
| [key](./commandline/key.md) | Manage keys used for signing |
| [list](./commandline/list.md) | List signatures of the signed artifact |
| [login](./commandline/login.md) | Login to registries |
| [logout](./commandline/logout.md) | Log out from the logged in registries |
| [plugin](./commandline/plugin.md) | Manage plugins |
| [sign](./commandline/sign.md) | Sign artifacts |
| [verify](./commandline/verify.md) | Verify artifacts |
| [version](./commandline/version.md) | Print the version of notation CLI |

| Command | Description |
| ------------------------------------------- | ---------------------------------------------------------- |
| [certificate](./commandline/certificate.md) | Manage certificates in trust store |
| [inspect](./commandline/inspect.md) | Inspect signatures |
| [key](./commandline/key.md) | Manage keys used for signing |
| [list](./commandline/list.md) | List signatures of the signed artifact |
| [login](./commandline/login.md) | Login to registries |
| [logout](./commandline/logout.md) | Log out from the logged in registries |
| [plugin](./commandline/plugin.md) | Manage plugins |
| [policy](./commandline/policy.md) | [Preview] Manage trust policies for signature verification |
| [sign](./commandline/sign.md) | Sign artifacts |
| [verify](./commandline/verify.md) | Verify artifacts |
| [version](./commandline/version.md) | Print the version of notation CLI |

## Notation Outline

Expand All @@ -34,6 +34,7 @@ Available Commands:
login Login to registry
logout Log out from the logged in registries
plugin Manage plugins
policy [Preview] Manage trust policies for signature verification
sign Sign artifacts
verify Verify artifacts
version Show the notation version information
Expand Down