doc: CLI spec for trust policy management (DO NOT REVIEW) #505
Conversation
Signed-off-by: Yi Zha <yizha1@microsoft.com>
Codecov Report
@@ Coverage Diff @@
## main #505 +/- ##
=======================================
Coverage 29.57% 29.57%
=======================================
Files 26 26
Lines 1515 1515
=======================================
Hits 448 448
Misses 1050 1050
Partials 17 17 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
Signed-off-by: Yi Zha <yizha1@microsoft.com>
Signed-off-by: Yi Zha <yizha1@microsoft.com>
Signed-off-by: Yi Zha <yizha1@microsoft.com>
Signed-off-by: Yi Zha <yizha1@microsoft.com>
Signed-off-by: Yi Zha <yizha1@microsoft.com>
Signed-off-by: Yi Zha <yizha1@microsoft.com>
yizha1
requested review from
vaninrao10,
priteshbandi,
FeynmanZhou,
iamsamirzon,
JeyJeyGao,
patrickzheng200,
shizhMSFT and
toddysm
yizha1
added
documentation
Signed-off-by: Yi Zha <yizha1@microsoft.com>
Signed-off-by: Yi Zha <yizha1@microsoft.com>
Signed-off-by: Yi Zha <yizha1@microsoft.com>
|
|
||
| An example of `trustpolicy.json`: | ||
|
|
||
| ```json |
There was a problem hiding this comment.
Do we need json example in this doc when we already have link to specification which contains similar json?
| ```json | |
| ```jsonc |
| "level": "strict" | ||
| "override" : { | ||
| "expiry" : "log", | ||
| "authenticity": "log" |
There was a problem hiding this comment.
A couple of suggestions, if we want to display policy in this doc:
- First example should be simple and should not contain overrides.
- For override, please only show expiry. Adding override for authenticity has major security implications.
- Prod trust policy should be first and then dev
- We should show wildcard policy
| --scope stringArray repository URIs to which the policy applies (default ["*"]) | ||
| --trust-store stringArray trust stores in format "<trust_store_type>:<trust_store_name>" | ||
| --verification-level string verification level, options: "strict", "permissive", "audit", "skip" (default "strict") | ||
| --x509-cert stringArray paths to x509 certificate file that certificate subject is retrieved from |
There was a problem hiding this comment.
How are expecting user to use use --x509-cert? IMO software publisher will distribute software and share the identity(not the certificate) that consumer needs to trust.
There was a problem hiding this comment.
@priteshbandi The --x509-cert here is designed for one scenario: Users have the certificate file, not the identity, then with this flag, notation policy command can retrieve the identity from the certificate file for the users. One question for your case: If it is the identity shared to users, how can users add certificate file using notation cert add command?
| --trust-store stringArray trust stores in format "<trust_store_type>:<trust_store_name>" | ||
| --verification-level string verification level, options: "strict", "permissive", "audit", "skip" (default "strict") | ||
| --x509-cert stringArray paths to x509 certificate file that certificate subject is retrieved from | ||
| --x509-id stringArray trust identities, user trusted x509 certificate subjects |
There was a problem hiding this comment.
should we rename this to --trusted-identity
| ### notation policy delete | ||
|
|
||
| ```text | ||
| Delete trust policies. User cannot delete all the trust policies, at least one trust policy should be configured for signature verification. |
There was a problem hiding this comment.
user cannot delete all the trust policies, at least one trust policy should be configured for signature verification.
Instead of restricting it should add a disclaimer that for signature verification, notation needs at least one trust-policy?
|
|
||
| The execution fails in one of below cases: | ||
|
|
||
| - Version doesn't support. Currently only `1.0` version is supported. |
There was a problem hiding this comment.
| - Version doesn't support. Currently only `1.0` version is supported. | |
| - Unsupported Version. Currently only `1.0` version is supported. |
| The execution fails in one of below cases: | ||
|
|
||
| - Version doesn't support. Currently only `1.0` version is supported. | ||
| - The trust policy name exists. |
There was a problem hiding this comment.
| - The trust policy name exists. | |
| - A trust policy with same name already exists. |
|
|
||
| ```json | ||
| { | ||
| "name": "wabbit-networks-dev", | ||
| "registryScopes": [ "*" ], | ||
| "signatureVerification": { | ||
| "level": "strict" | ||
| }, | ||
| "trustStores": [ "ca:wabbit-networks-dev" ], | ||
| "trustedIdentities": [ | ||
| "*" | ||
| ] | ||
| } |
There was a problem hiding this comment.
IMO we don't need to display both json and text format for each variation of a command, its making doc large and doesnt adds much value.
| - Version doesn't support. Currently only `1.0` version is supported. | ||
| - The trust policy name doesn't exists. | ||
| - More than one trust policy that uses a global scope, that is, the value of `registryScopes` is `["*"]`. | ||
| - The values of `trustIdentities` overlap. For example, the following two identity values are overlapping: | ||
| - "C=US, ST=WA, O=wabbit-network.io, OU=org1" | ||
| - "C=US, ST=WA, O=wabbit-network.io" |
There was a problem hiding this comment.
IMO this is redundant information and can be removed.
| name: wabbit-network-dev | ||
| registryScopes: ["dev.wabbitnetworks.io/net-monitor"] | ||
|
|
||
| name: wabbit-network-prod | ||
| registryScopes: ["prod.wabbitnetworks.io/net-monitor"] |
There was a problem hiding this comment.
Should we use tree based representation here?
| | [plugin](./commandline/plugin.md) | Manage plugins | | ||
| | [policy](./commandline/policy.md) | Manage trust policies | | ||
| | [sign](./commandline/sign.md) | Sign artifacts | |
There was a problem hiding this comment.
| | [plugin](./commandline/plugin.md) | Manage plugins | | |
| | [policy](./commandline/policy.md) | Manage trust policies | | |
| | [sign](./commandline/sign.md) | Sign artifacts | | |
| | [plugin](./commandline/plugin.md) | Manage plugins | | |
| | [policy](./commandline/policy.md) | Manage trust policies | | |
| | [sign](./commandline/sign.md) | Sign artifacts | |
|
|
||
| Upon successful execution, the added trust policy is printed out. For example: | ||
|
|
||
| In text format |
There was a problem hiding this comment.
Do we really need text format for the notation policy command set? To be honest, the text format is less readable than the json format for a human.
| list, ls | ||
|
|
||
| Flags: | ||
| --details list the details of trust policies |
There was a problem hiding this comment.
We could have something like --raw or --export to print the trustpolicy.json file directly.
|
Based on the community discussion, move this PR out of rc.2, and I will update it to phase-1 later for rc.3 |
yizha1
changed the title
Update:
Signed-off-by: Yi Zha yizha1@microsoft.com