Skip to content

Commit

Permalink
Add expiration checks for targets and snapshot roles (#24081)
Browse files Browse the repository at this point in the history 
[#8489](fleetdm/confidential#8489)

We had the timestamp check.
Robert added the root check recently.
Am now duplicating the check for `snapshot` and `targets` metadata
files.

PS: Please review with whitespace changes disabled.
  • Loading branch information
@lucasmrod
lucasmrod authored Nov 22, 2024
1 parent 87fac42 commit a8ba004
Showing 1 changed file with 147 additions and 77 deletions.
224 changes: 147 additions & 77 deletions .github/workflows/check-tuf-timestamps.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,10 @@ name: Check TUF timestamps
on:
pull_request:
paths:
- '.github/workflows/check-tuf-timestamps.yml'
- ".github/workflows/check-tuf-timestamps.yml"
workflow_dispatch: # Manual
schedule:
- cron: '0 10,22 * * *'
- cron: "0 10,22 * * *"

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
Expand All @@ -29,81 +29,151 @@ jobs:
runs-on: ${{ matrix.os }}

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Check remote timestamp.json file
id: check_timestamp
run: |
expires=$(curl -s http://tuf.fleetctl.com/timestamp.json | jq -r '.signed.expires' | cut -c 1-10)
today=$(date "+%Y-%m-%d")
warning_at=$(date -d "$today + 4 day" "+%Y-%m-%d")
expires_sec=$(date -d "$expires" "+%s")
warning_at_sec=$(date -d "$warning_at" "+%s")
if [ "$expires_sec" -le "$warning_at_sec" ]; then
echo "timestamp_warn=true" >> ${GITHUB_OUTPUT}
else
echo "timestamp_warn=false" >> ${GITHUB_OUTPUT}
fi
- name: Check remote root.json file
id: check_root
run: |
expires=$(curl -s http://tuf.fleetctl.com/root.json | jq -r '.signed.expires' | cut -c 1-10)
today=$(date "+%Y-%m-%d")
warning_at=$(date -d "$today + 30 day" "+%Y-%m-%d")
expires_sec=$(date -d "$expires" "+%s")
warning_at_sec=$(date -d "$warning_at" "+%s")
if [ "$expires_sec" -le "$warning_at_sec" ]; then
echo "root_warn=true" >> ${GITHUB_OUTPUT}
else
echo "root_warn=false" >> ${GITHUB_OUTPUT}
fi
- name: Slack Timestamp Notification
if: ${{ steps.check_timestamp.outputs.timestamp_warn == 'true' }}
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
payload: |
{
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "⚠️ TUF timestamp.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Check remote timestamp.json file
id: check_timestamp
run: |
expires=$(curl -s http://tuf.fleetctl.com/timestamp.json | jq -r '.signed.expires' | cut -c 1-10)
today=$(date "+%Y-%m-%d")
warning_at=$(date -d "$today + 4 day" "+%Y-%m-%d")
expires_sec=$(date -d "$expires" "+%s")
warning_at_sec=$(date -d "$warning_at" "+%s")
if [ "$expires_sec" -le "$warning_at_sec" ]; then
echo "timestamp_warn=true" >> ${GITHUB_OUTPUT}
else
echo "timestamp_warn=false" >> ${GITHUB_OUTPUT}
fi
- name: Check remote snapshot.json file
id: check_snapshot
run: |
expires=$(curl -s http://tuf.fleetctl.com/snapshot.json | jq -r '.signed.expires' | cut -c 1-10)
today=$(date "+%Y-%m-%d")
warning_at=$(date -d "$today + 30 day" "+%Y-%m-%d")
expires_sec=$(date -d "$expires" "+%s")
warning_at_sec=$(date -d "$warning_at" "+%s")
if [ "$expires_sec" -le "$warning_at_sec" ]; then
echo "snapshot_warn=true" >> ${GITHUB_OUTPUT}
else
echo "snapshot_warn=false" >> ${GITHUB_OUTPUT}
fi
- name: Check remote targets.json file
id: check_targets
run: |
expires=$(curl -s http://tuf.fleetctl.com/targets.json | jq -r '.signed.expires' | cut -c 1-10)
today=$(date "+%Y-%m-%d")
warning_at=$(date -d "$today + 30 day" "+%Y-%m-%d")
expires_sec=$(date -d "$expires" "+%s")
warning_at_sec=$(date -d "$warning_at" "+%s")
if [ "$expires_sec" -le "$warning_at_sec" ]; then
echo "targets_warn=true" >> ${GITHUB_OUTPUT}
else
echo "targets_warn=false" >> ${GITHUB_OUTPUT}
fi
- name: Check remote root.json file
id: check_root
run: |
expires=$(curl -s http://tuf.fleetctl.com/root.json | jq -r '.signed.expires' | cut -c 1-10)
today=$(date "+%Y-%m-%d")
warning_at=$(date -d "$today + 30 day" "+%Y-%m-%d")
expires_sec=$(date -d "$expires" "+%s")
warning_at_sec=$(date -d "$warning_at" "+%s")
if [ "$expires_sec" -le "$warning_at_sec" ]; then
echo "root_warn=true" >> ${GITHUB_OUTPUT}
else
echo "root_warn=false" >> ${GITHUB_OUTPUT}
fi
- name: Slack timestamp notification
if: ${{ steps.check_timestamp.outputs.timestamp_warn == 'true' }}
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
payload: |
{
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "⚠️ TUF timestamp.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

- name: Slack snapshot notification
if: ${{ steps.check_snapshot.outputs.snapshot_warn == 'true' }}
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
payload: |
{
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "⚠️ TUF snapshot.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
}
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

- name: Slack Root Notification
if: ${{ steps.check_root.outputs.root_warn == 'true' }}
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
payload: |
{
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "⚠️ TUF root.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

- name: Slack targets notification
if: ${{ steps.check_targets.outputs.targets_warn == 'true' }}
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
payload: |
{
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "⚠️ TUF targets.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
}
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

- name: Slack root notification
if: ${{ steps.check_root.outputs.root_warn == 'true' }}
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
with:
payload: |
{
"text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "⚠️ TUF root.json is about to expire or has already expired\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

0 comments on commit a8ba004

Please sign in to comment.