Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

encode best practice in default rule behavior for DISALLOW * #287

Closed
ultrasaurus opened this issue Jun 10, 2019 · 17 comments
Closed

encode best practice in default rule behavior for DISALLOW * #287

ultrasaurus opened this issue Jun 10, 2019 · 17 comments

Comments

@ultrasaurus
Copy link

Description of issue or feature request:
CNCF SIG Security assessment notes: "As a recommended best practice, we assume there is a DISALLOW * rule at the end of the rule list for each step." This would be more robust if it was encoded in the step, rather than required for users to specify.

Current behavior:
From the demo, users must specify DISALLOW * as part of the rule...

          "expected_materials": [["MATCH", "demo-project/*", "WITH", "PRODUCTS",
                                "FROM", "clone"], ["DISALLOW", "*"]],
          "expected_products": [["ALLOW", "demo-project/foo.py"], ["DISALLOW", "*"]],

Expected behavior:

You could consider including that as part of the rules "expected_materials and expected_products and make different keys to implement the rare use cases where this is would not be desirable.
@lukpueh lukpueh mentioned this issue Jun 10, 2019
Open
@reza-curtmola
Copy link
Contributor

I believe that DISALLOW * was implicitly included as part of rules, but it was changed a while ago.
There was a discussion back then, and I believe Santiago also pointed out some firewalls that don't have an implicit DISALLOW rule at the end of the ruleset.

@lukpueh
Copy link
Member

lukpueh commented Jun 10, 2019

IIUC the assessment note recommends a default ["DISALLOW", "*"] rule added to each rule list (when using in-toto tooling to create layouts?). This is different from having an implicit disallow everything that has not been consumed until now in the verification routine, as we had it prior to #140.

in-toto/specification#4 calls for documenting the rationale for all artifact rule related design decisions. Currently it only lists pointers to related GitHub issues and prs. We should have the discussion there.

@trishankatdatadog
Copy link
Member

According to @SantiagoTorres, I was also responsible for this, although I can't remember having this discussion, and it is conducive for present purposes to forget about it now even if it happened...

In any case, @adityasaky and I were bitten by this today, and we highly recommend adding an implicit "DISALLOW *" pattern at the end of every step. At the very least, I will add it to my layout library as a default last step.

@JustinCappos
Copy link
Collaborator

poking this issue. Can we make a determination and move forward?

@trishankatdatadog
Copy link
Member

trishankatdatadog commented Dec 23, 2022
edited
Loading

If we DISALLOW * by default in the reference implementation to err on the side of safety by default, how would exceptions work? Would an explicit ALLOW * beforehand have the intended effect, or would the implicit DISALLOW * always prevail?

@reza-curtmola
Copy link
Contributor

reza-curtmola commented Dec 23, 2022 via email

@reza-curtmola
Copy link
Contributor

reza-curtmola commented Dec 23, 2022 via email

@adityasaky
Copy link
Member

adityasaky commented Dec 23, 2022
edited
Loading

Have we considered a reversal of #140? My understanding is we wanted to match firewall rules but I'm not convinced that's the best option for artifact rules. In the general sense, we want firewalls to let through anything that's not on a denylist but I can't see why that should be default behaviour for in-toto.

Perhaps in_toto_verify can provide a flag to not fail when there are unconsumed artifacts matching current behaviour. I also don't think this is a breaking change and it does not affect any layouts that have the explicit DISALLOW now. Edit: It'll break layouts that don't include DISALLOW * at the moment but that's probably a good thing.

@lukpueh
Copy link
Member

lukpueh commented Jan 10, 2023

I lean towards fixing this in artifact rules documentation, e.g. add a paragraph that strongly recommends adding DISALLOW * at the end of layout artifact rule lists (expected_materials or expected_products).

This is not what OP recommends, i.e. adding those rules per default (for whatever that means), nor what has been discussed above, i.e. assuming the rule exists per default (as prior to #140), but has the advantage that it won't break any existing users, and is also an opportunity to review this particular part of the documentation.

If breaking existing users is acceptable, we might want to make more drastic improvements to the verification language
(see notes about "Changes to verification language" from the Nov '22 in-toto community meeting).

@adityasaky
Copy link
Member

@lukpueh do you think you can submit a patch to the spec (and here where we discuss artifact rules) adding this note about DISALLOW *?

@lukpueh
Copy link
Member

lukpueh commented Jan 11, 2023

Unfortunately, improving in-toto documentation is not a priority for me right now.

@adityasaky
Copy link
Member

Gotcha, I'll try and sneak it into in-toto/specification#69 🤔

@adityasaky
Copy link
Member

I emphasized an existing mention of this in the spec here: in-toto/specification@e709692. I'm not sure if we want to make these kinds of recommendations there but curious what others think.

@trishankatdatadog
Copy link
Member

I still disagree that this is a documentation-level thing, but maybe we can have opinionated tools like for ITE-2 fix that instead.

@lukpueh
Copy link
Member

lukpueh commented Jan 12, 2023

I think we actually agree that this should be solved on a spec and implementation level, @trishankatdatadog. I was just trying to say that an isolated fix for disallow *, IMO, is not worth breaking existing clients, given that multiple concerns about the verification language have been raised.

@adityasaky adityasaky mentioned this issue Jan 12, 2023
Merged
3 tasks
@adityasaky
Copy link
Member

Also added a note to artifact rules section in the readme: #530

@JustinCappos
Copy link
Collaborator

With the above documentation changes, I'm going to resolve this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@ultrasaurus @lukpueh @JustinCappos @adityasaky @reza-curtmola @trishankatdatadog