v0.0.6-beta (#18)

* Upgrade aws-sdk-go Dependencies * v0.0.5-beta * v0.0.5-beta * v0.0.6-beta * v0.0.6-beta
coinbase · Feb 21, 2024 · f3a0f7a · f3a0f7a
1 parent 130d682
commit f3a0f7a
Show file tree

Hide file tree

Showing 30 changed files with 354 additions and 233 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -18,24 +18,28 @@ RUN apt update && apt clean && \
         exit 1; \
     fi
 
-# Deploy Image
-FROM alpine:3.17
+# Deploy Image using Alpine Linux
+FROM alpine:3.19
 
-# Non-Root User
-RUN adduser --home /home/baseca baseca --gecos "baseca" --disabled-password && \
-    apk --no-cache add ca-certificates && \
+# Add a Non-Root User
+RUN addgroup -S baseca && adduser -S baseca -G baseca && \
+    mkdir -p /home/baseca/config && \
+    chown -R baseca:baseca /home/baseca
+
+# Install Required Dependencies
+RUN apk --no-cache add ca-certificates && \
     rm -rf /var/cache/apk/*
 
 # Copy Binary and Configuration from Build Image
 COPY --from=builder /baseca/target/bin/linux/baseca /home/baseca/baseca
 COPY --from=builder /baseca/config /home/baseca/config
 
-# Permissions for Non-Root User
+# Set permissions for copied files
 RUN chown -R baseca:baseca /home/baseca
 
 # Switch to Non-Root User
 USER baseca
 WORKDIR /home/baseca
 
 # Execute coinbase/baseca
-CMD ["/home/baseca/baseca"]
+CMD ["/home/baseca/baseca"]
diff --git a/docs/ENDPOINTS.md b/docs/ENDPOINTS.md
@@ -59,7 +59,7 @@ Sign Certificate Signing Request (CSR)
 Service Account Authentication
 
 **Client Example**
-[sign_csr.go](../examples/certificate/baseca.v1.Certificate/sign_csr.go)
+[sign_csr.go](../examples/baseca.v1.Certificate/sign_csr.go)
 
 **Request**
 
@@ -340,7 +340,7 @@ Manual Sign Certificate Signing Request (CSR)
 Provisioner Account Authentication
 
 **Client Example**
-[operations_sign_csr.go](../examples/certificate/baseca.v1.Certificate/operations_sign_csr.go)
+[operations_sign_csr.go](../examples/baseca.v1.Certificate/operations_sign_csr.go)
 
 **Request**
 

diff --git a/docs/GETTING_STARTED.md b/docs/GETTING_STARTED.md
@@ -320,48 +320,36 @@ import (
     "log"
 
     baseca "github.com/coinbase/baseca/pkg/client"
+    "github.com/coinbase/baseca/pkg/types"
 )
 
 func main() {
-    configuration := baseca.Configuration{
-      URL:         "localhost:9090",
-      Environment: baseca.Env.Local,
-    }
-
-    authentication := baseca.Authentication{
-      ClientId:    "CLIENT_ID",
-      ClientToken: "CLIENT_TOKEN",
-    }
-
-    client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
-    if err != nil {
-      fmt.Println(err)
-    }
+    client, err := baseca.NewClient("localhost:9090", baseca.Attestation.Local,
+      baseca.WithClientId("CLIENT_ID"), baseca.WithClientToken("CLIENT_TOKEN"),
+      baseca.WithInsecure()) // Insecure for Local Development
 
     if err != nil {
-      // Handle Error
       log.Fatal(err)
     }
 
-    metadata := baseca.CertificateRequest{
+    metadata := types.CertificateRequest{
       CommonName:            "development.coinbase.com",
       SubjectAlternateNames: []string{"development.coinbase.com"},
       SigningAlgorithm:      x509.SHA512WithRSA,
       PublicKeyAlgorithm:    x509.RSA,
       KeySize:               4096,
-      DistinguishedName: baseca.DistinguishedName{
+      DistinguishedName: types.DistinguishedName{
         Organization: []string{"Coinbase"},
         // Additional Fields
       },
-      Output: baseca.Output{
+      Output: types.Output{
         PrivateKey:                   "/tmp/private.key", // baseca Generate Private Key Output Location
         Certificate:                  "/tmp/certificate.crt", // baseca Signed Leaf Certificate Output Location
         IntermediateCertificateChain: "/tmp/intermediate_chain.crt", // baseca Signed Certificate Chain Up to Intermediate CA Output Location
         RootCertificateChain:         "/tmp/root_chain.crt", // baseca Signed Full Certificate Chain Output Location
         CertificateSigningRequest:    "/tmp/certificate_request.csr", // baseca CSR Output Location
       },
       }
-    }
 
     response, err := client.IssueCertificate(metadata)
 

diff --git a/docs/SCOPE.md b/docs/SCOPE.md
@@ -35,7 +35,6 @@ grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
           "sandbox_use1"
         ],
         "certificate_validity": 30, # << Certificate Validity Scope >>
-        "account_type": "SERVICE",
         "subordinate_ca": "infrastructure", # << Subordinate CA Scope >>
         "team": "Infrastructure Security",
         "email": "security@coinbase.com"

diff --git a/docs/images/baseca_image.png b/docs/images/baseca_image.png
diff --git a/examples/baseca.v1.Certificate/code_sign.go b/examples/baseca.v1.Certificate/code_sign.go
@@ -3,49 +3,47 @@ package examples
 import (
 	"crypto/x509"
 	"log"
-	"os"
 
 	baseca "github.com/coinbase/baseca/pkg/client"
 	"github.com/coinbase/baseca/pkg/types"
 )
 
 func CodeSign() {
-	configuration := baseca.Configuration{
-		URL:         "localhost:9090",
-		Environment: baseca.Env.Local,
-	}
-
-	authentication := baseca.Authentication{
-		ClientId:    "CLIENT_ID",
-		ClientToken: "CLIENT_TOKEN",
-	}
-
-	client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
+	client, err := baseca.NewClient("localhost:9090", baseca.Attestation.Local,
+		baseca.WithClientId("CLIENT_ID"), baseca.WithClientToken("CLIENT_TOKEN"),
+		baseca.WithInsecure())
 	if err != nil {
 		log.Fatal(err)
 	}
 
-	metadata := baseca.CertificateRequest{
-		CommonName:            "example.coinbase.com",
-		SubjectAlternateNames: []string{"example.coinbase.com"},
-		SigningAlgorithm:      x509.ECDSAWithSHA384,
-		PublicKeyAlgorithm:    x509.ECDSA,
-		KeySize:               256,
-		DistinguishedName: baseca.DistinguishedName{
-			Organization: []string{"Coinbase"},
-			// Additional Fields
+	metadata := types.Signature{
+		CertificateRequest: types.CertificateRequest{
+			CommonName:            "example.coinbase.com",
+			SubjectAlternateNames: []string{"example.coinbase.com"},
+			SigningAlgorithm:      x509.ECDSAWithSHA512,
+			PublicKeyAlgorithm:    x509.ECDSA,
+			KeySize:               256,
+			Output: types.Output{
+				PrivateKey:                   "/tmp/private.key",
+				Certificate:                  "/tmp/certificate.crt",
+				IntermediateCertificateChain: "/tmp/intermediate_chain.crt",
+				RootCertificateChain:         "/tmp/root_chain.crt",
+				CertificateSigningRequest:    "/tmp/certificate_request.csr",
+			},
+			DistinguishedName: types.DistinguishedName{
+				Organization: []string{"Coinbase"},
+			},
 		},
-		Output: baseca.Output{
-			PrivateKey:                   "/tmp/private.key",
-			Certificate:                  "/tmp/certificate.crt",
-			IntermediateCertificateChain: "/tmp/intermediate_chain.crt",
-			RootCertificateChain:         "/tmp/root_chain.crt",
-			CertificateSigningRequest:    "/tmp/certificate_request.csr",
+		SigningAlgorithm: x509.ECDSAWithSHA512,
+		Data: types.Data{
+			Path: types.Path{
+				File:   "/path/to/artifact",
+				Buffer: 4096,
+			},
 		},
 	}
 
-	data, _ := os.ReadFile("/bin/chmod")
-	signature, chain, err := client.GenerateSignature(metadata, &data)
+	signature, chain, err := client.GenerateSignature(metadata)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -57,15 +55,15 @@ func CodeSign() {
 		SigningAlgorithm: x509.ECDSAWithSHA512,
 		Data: types.Data{
 			Path: types.Path{
-				File:   "/bin/chmod",
+				File:   "/path/to/artifact",
 				Buffer: 4096,
 			},
 		},
 	}
 
 	tc := types.TrustChain{
-		CommonName:                "sandbox.coinbase.com",
-		CertificateAuthorityFiles: []string{"/path/to/intermediate_ca.crt"},
+		CommonName:                "example.coinbase.com",
+		CertificateAuthorityFiles: []string{"/path/to/intermetidate.crt"},
 	}
 
 	err = baseca.ValidateSignature(tc, manifest)

diff --git a/examples/baseca.v1.Certificate/operations_sign_csr.go b/examples/baseca.v1.Certificate/operations_sign_csr.go
@@ -6,20 +6,13 @@ import (
 
 	apiv1 "github.com/coinbase/baseca/gen/go/baseca/v1"
 	baseca "github.com/coinbase/baseca/pkg/client"
+	"github.com/coinbase/baseca/pkg/types"
 )
 
 func OperationsSignCSR() {
-	configuration := baseca.Configuration{
-		URL:         "localhost:9090",
-		Environment: baseca.Env.Local,
-	}
-
-	authentication := baseca.Authentication{
-		ClientId:    "CLIENT_ID",
-		ClientToken: "CLIENT_TOKEN",
-	}
-
-	client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
+	client, err := baseca.NewClient("localhost:9090", baseca.Attestation.Local,
+		baseca.WithClientId("CLIENT_ID"), baseca.WithClientToken("CLIENT_TOKEN"),
+		baseca.WithInsecure())
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -32,17 +25,17 @@ func OperationsSignCSR() {
 		Validity:      30,
 	}
 
-	certificateRequest := baseca.CertificateRequest{
+	certificateRequest := types.CertificateRequest{
 		CommonName:            "example.coinbase.com",
 		SubjectAlternateNames: []string{"example.coinbase.com"},
 		SigningAlgorithm:      x509.SHA384WithRSA,
 		PublicKeyAlgorithm:    x509.RSA,
 		KeySize:               4096,
-		DistinguishedName: baseca.DistinguishedName{
+		DistinguishedName: types.DistinguishedName{
 			Organization: []string{"Coinbase"},
 			// Additional Fields
 		},
-		Output: baseca.Output{
+		Output: types.Output{
 			PrivateKey:                   "/tmp/sandbox.key",
 			CertificateSigningRequest:    "/tmp/sandbox.csr",
 			Certificate:                  "/tmp/sandbox.crt",

diff --git a/examples/baseca.v1.Certificate/sign_csr.go b/examples/baseca.v1.Certificate/sign_csr.go
@@ -5,35 +5,32 @@ import (
 	"log"
 
 	baseca "github.com/coinbase/baseca/pkg/client"
+	"github.com/coinbase/baseca/pkg/types"
 )
 
 func SignCSR() {
-	configuration := baseca.Configuration{
-		URL:         "localhost:9090",
-		Environment: baseca.Env.Local,
-	}
-
-	authentication := baseca.Authentication{
-		ClientId:    "CLIENT_ID",
-		ClientToken: "CLIENT_TOKEN",
-	}
-
-	client, err := baseca.LoadDefaultConfiguration(configuration, baseca.Attestation.Local, authentication)
+	client, err := baseca.NewClient("localhost:9090", baseca.Attestation.Local,
+		baseca.WithClientId("CLIENT_ID"), baseca.WithClientToken("CLIENT_TOKEN"),
+		baseca.WithInsecure())
 	if err != nil {
 		log.Fatal(err)
 	}
 
-	metadata := baseca.CertificateRequest{
+	metadata := types.CertificateRequest{
 		CommonName:            "example.coinbase.com",
 		SubjectAlternateNames: []string{"example.coinbase.com"},
 		SigningAlgorithm:      x509.ECDSAWithSHA384,
 		PublicKeyAlgorithm:    x509.ECDSA,
 		KeySize:               256,
-		DistinguishedName: baseca.DistinguishedName{
-			Organization: []string{"Coinbase"},
+		DistinguishedName: types.DistinguishedName{
+			Organization:       []string{"Coinbase"},
+			Locality:           []string{"San Francisco"},
+			Province:           []string{"California"},
+			Country:            []string{"US"},
+			OrganizationalUnit: []string{"Security"},
 			// Additional Fields
 		},
-		Output: baseca.Output{
+		Output: types.Output{
 			PrivateKey:                   "/tmp/private.key",
 			Certificate:                  "/tmp/certificate.crt",
 			IntermediateCertificateChain: "/tmp/intermediate_chain.crt",

diff --git a/go.mod b/go.mod
@@ -4,7 +4,6 @@ go 1.21
 
 require (
 	github.com/allegro/bigcache/v3 v3.1.0
-	github.com/aws/aws-sdk-go v1.45.1
 	github.com/aws/aws-sdk-go-v2 v1.21.0
 	github.com/aws/aws-sdk-go-v2/config v1.18.38
 	github.com/aws/aws-sdk-go-v2/credentials v1.13.36
@@ -31,7 +30,7 @@ require (
 	go.uber.org/fx v1.20.0
 	go.uber.org/mock v0.3.0
 	go.uber.org/zap v1.25.0
-	golang.org/x/crypto v0.14.0
+	golang.org/x/crypto v0.19.0
 	golang.org/x/net v0.17.0
 	google.golang.org/grpc v1.57.1
 	google.golang.org/protobuf v1.31.0
@@ -76,8 +75,8 @@ require (
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
 	go.uber.org/dig v1.17.0 // indirect
 	go.uber.org/multierr v1.10.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/sys v0.17.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect