attestation: only include config if not tracked
If the configuration file (kas project config) is tracked, we do not
need to include it in the attestation data. By that, we reduce the size
of the attestation and also avoid a potential leak of information in
case the receiver of the attestation data should not have access to the
repo (and project config file).

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
fmoessbauer authored and jan-kiszka committed Dec 21, 2024
1 parent 36bb048 commit 6c534f0
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions kas/attestation.py
Expand Up @@ -119,6 +119,7 @@ def type_(self):

def as_dict(self):
res_deps = []
tracked_repos = []
for r in self._ctx.config.get_repos():
if r.operations_disabled:
if not r.url or not r.revision:
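Review bot: `tracked_repos` is declared here, but from the `if r.operations_disabled:` / `if not r.url or not r.revision:` branch right below it is clear that not every repo iterated over will end up in the list; a one-line comment at the declaration stating which repos qualify (those that produce a dependency entry with a URL and revision) would spare the reader a trip to the second hunk to work that out.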
Expand All @@ -137,11 +138,16 @@ def as_dict(self):
'annotations': annotations
}
res_deps.append(dep)
tracked_repos.append(r)

# (abspath, relpath)
config_files = [(Path(c), self._make_relative_path(Path(c)))
for c in self._ctx.config.filenames]
for ca, cr in config_files:
if any([r.contains_path(cr) for r in tracked_repos]):
logging.debug(f'Config file {cr} is tracked')
continue

with open(ca, 'rb') as f:
content = f.read()
rd = {
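Review bot: the `tracked_repos.append(r)` sits after `res_deps.append(dep)`, so any repo that leaves the loop early in the `if not r.url or not r.revision:` branch shown in the first hunk (the code following that check is not visible here) is never treated as tracked; if the repo holding the project config can take that path, its config file would still be embedded, which is the case the commit message wants to avoid, so a test covering that setup would be worthwhile. Two smaller points: the `any([...])` list can be a plain generator, `any(r.contains_path(cr) for r in tracked_repos)`, and if `contains_path` only checks that the path lies inside the repo's checkout (as its name suggests), a config file that is locally modified but uncommitted would be dropped from the attestation while the recorded repo revision does not describe the config that was actually used; at minimum the `logging.debug` line could name the repo that is assumed to provide the file so the omission can be traced.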
