Add a new command validate that takes a YAML file which can describe certificates to not have and certificates to definately have. Can be used to validate things in CI.

Following a discussion on Slack there's a desire to make the APIs for Paranoia available for use. Presently they are in internal/ which forbids their use by other programs (convention by the Go compiler).

We have a few options:

• Move all code currently under internal/ to pkg/, exposing all of it as an API surface.
• Add new code under pkg/ that calls the implementation in internal/, exposing a more selected API surface.

The latter would be more work, but would expose an intentfully designed API instead of everything, which might make future code changes easier without breaking changes.

cc @mt-inside

Hi there, I was at KCD UK when I found out about this project; I immediately found it interesting and wanted to experiment a little bit with it.

Now I've tried adding the paranoia action in a project I'm maintaining where unfortunately I was already adding lots of cerfiicates so I now find myself with having three options:

1. remove all the certs and find a better way to add only a specific subset of certs (I'm still studying whether this is actually feasible but I'm worried it won't)
2. audit every single certificate and add them to the allow list so that, after the audit, I have 100% control and understanding over the certificates I'm using
3. allow any certificate that is installed (like I did in this PR or better by allowing all the current fingerprints) but it practically means I'm not actually using the tool so I'm just wasting action resources without adding any security with the risk of having to patch the paranoia.yml file anytime a new certificate is issued.

I believe that I should stick with option 1, however if that's not feasible what do you think would be the best option in your experience?

Also, assuming that option 1 is not feasible and that auditing +100certificate will be a pain, do you think option 3 can still be useful? I believe it can if paranoia fails the check for some unexpected issues (such as expired certificates, etc) do you see that coming? or have any plan for some interesting features that may be letting me adopt the tool even with such options at hand?

Thanks in advance!
Cheers!

Observed behaviour

When the given container image can't be found the program panics. See the example output below when trying to scan quay.io/cert-manager-controller:v1.8.0:

$ paranoia inspect quay.io/cert-manager-controller:v1.8.0
panic: GET https://quay.io/v2/cert-manager-controller/manifests/v1.8.0: unexpected status code 404 Not Found: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>


goroutine 1 [running]:
github.com/jetstack/paranoia/cmd.glob..func2(0x1719840?, {0xc000119590, 0x1, 0x1?})
        /Users/alexwootton/repos/jetstack/paranoia/cmd/inspect.go:45 +0x611
github.com/spf13/cobra.(*Command).execute(0x1719840, {0xc000119550, 0x1, 0x1})
        /Users/alexwootton/go/pkg/mod/github.com/spf13/[email protected]/command.go:860 +0x663
github.com/spf13/cobra.(*Command).ExecuteC(0x1719340)
        /Users/alexwootton/go/pkg/mod/github.com/spf13/[email protected]/command.go:974 +0x3b4
github.com/spf13/cobra.(*Command).Execute(...)
        /Users/alexwootton/go/pkg/mod/github.com/spf13/[email protected]/command.go:902
github.com/jetstack/paranoia/cmd.Execute()
        /Users/alexwootton/repos/jetstack/paranoia/cmd/root.go:22 +0x25
main.main()
        /Users/alexwootton/repos/jetstack/paranoia/main.go:8 +0x17
exit status 2

Or this example where the given tag didn't exist:

$ paranoia inspect rancher/jetstack-cert-manager-controller:latest
panic: GET https://index.docker.io/v2/rancher/jetstack-cert-manager-controller/manifests/latest: MANIFEST_UNKNOWN: manifest unknown; unknown tag=latest

goroutine 1 [running]:
github.com/jetstack/paranoia/cmd.glob..func2(0x1719840?, {0xc00006d5c0, 0x1, 0x1?})
        /Users/alexwootton/repos/jetstack/paranoia/cmd/inspect.go:45 +0x611
github.com/spf13/cobra.(*Command).execute(0x1719840, {0xc00006d580, 0x1, 0x1})
        /Users/alexwootton/go/pkg/mod/github.com/spf13/[email protected]/command.go:860 +0x663
github.com/spf13/cobra.(*Command).ExecuteC(0x1719340)
        /Users/alexwootton/go/pkg/mod/github.com/spf13/[email protected]/command.go:974 +0x3b4
github.com/spf13/cobra.(*Command).Execute(...)
        /Users/alexwootton/go/pkg/mod/github.com/spf13/[email protected]/command.go:902
github.com/jetstack/paranoia/cmd.Execute()
        /Users/alexwootton/repos/jetstack/paranoia/cmd/root.go:22 +0x25
main.main()
        /Users/alexwootton/repos/jetstack/paranoia/main.go:8 +0x17
exit status 2

Expected Behaviour

Human readable error message printed to STDOUT containing relevant details about the error

Add a --output pem option to the export command that will output the full raw certificate data of all found certificates.

Add a suite of integration tests that verify that Paranoia works on a few given containers.

Look for certs in more interesting places than just "files that end in .crt". This could be inside bash scripts, or in the strings of binaries.

Maybe this needs gating behind a --deep flag or something similar, if it's gonna take a while.

We should build a more sophisticated parser that takes no/little assumptions about the shape and location of certificates in an image file system. This will make the tool more robust, and give users a higher degree of confidence of the correctness of the results.

Certs come it different forms- either as '.pem'/'.crt' files, echos in bash scripts, and even hard coded strings in binaries.

The parser should approach parsing files in a "sliding window" strategy, by reading a stream of bytes from the file and attempting to match that against what a certificate looks like; accounting for different encodings (base64, DER/PEM, PKCS#x), as well as string escaping (namely new lines ('/n' '/r').

The current README isn't descriptive of the current or the intended behaviour of the software.

Let's update it to include:

• Short synopsis of functionality (readers should understand the most common/intended use-case for the software)
• Installation requirements/instructions
• Usage examples covering top level functionality (things shown when you run paranoia --help, currently export and inspect)
  • including example output will help potential users evaluate the software without needing to download it
• Feature roadmap (a simple TODO style section at the bottom linking to related GitHub issues would do)
  • this will hopefully give a good indication of the intended direction of development and reduce the number of duplicated enhancement requests

We have a few areas in our application where users can be waiting seconds with no output to stdout even though the application is running.

It would be good to give users some indication of life and progress being made to minimise frustration and confusion. A simple message printed to stdout when starting a potentially long running task could be enough. An animated progress wheel would be a nice touch but potentially more effort than it's worth at this stage.