Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 51 additions & 7 deletions dist/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -71425,15 +71425,23 @@ async function run() {
if (!commitRange) {
commitRange = await getDefaultCommitRange();
}
// Enforce bundle TTL before invoking CLI verification
// Validate the bundle shape and enforce TTL before invoking CLI verification.
// A malformed bundle (bad JSON, or a missing/invalid timestamp or TTL) fails CLOSED.
if (resolvedBundlePath) {
const bundleContent = fs.readFileSync(resolvedBundlePath, 'utf8');
const bundleJson = JSON.parse(bundleContent);
const ageSeconds = (Date.now() - new Date(bundleJson.bundle_timestamp).getTime()) / 1000;
if (ageSeconds > bundleJson.max_valid_for_secs) {
core.error(`Bundle expired: ${Math.round(ageSeconds)}s old, max ${bundleJson.max_valid_for_secs}s. ` +
`Refresh with: auths id export-bundle --alias <ALIAS> --output bundle.json --max-age-secs ${bundleJson.max_valid_for_secs}`);
core.setFailed('Stale identity bundle — verification aborted');
let bundleJson;
try {
bundleJson = JSON.parse(bundleContent);
}
catch {
core.setFailed('Identity bundle is not valid JSON — verification aborted');
return;
}
const freshness = (0, verifier_1.checkBundleFreshness)(bundleJson, Date.now());
if (!freshness.fresh) {
core.error(`${freshness.reason} ` +
`Refresh with: auths id export-bundle --alias <ALIAS> --output bundle.json --max-age-secs <SECONDS>`);
core.setFailed('Identity bundle rejected — verification aborted');
return;
}
}
Expand Down Expand Up @@ -71876,6 +71884,7 @@ var __importStar = (this && this.__importStar) || (function () {
})();
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.classifyError = classifyError;
exports.checkBundleFreshness = checkBundleFreshness;
exports.runPreflightChecks = runPreflightChecks;
exports.verifyCommits = verifyCommits;
exports.processGpgResults = processGpgResults;
Expand Down Expand Up @@ -71913,6 +71922,41 @@ function classifyError(error) {
return 'invalid_signature';
return 'error';
}
/**
* Validate an identity bundle's shape and freshness, failing CLOSED.
*
* A bundle that does not carry a well-formed `bundle_timestamp` and a finite,
* non-negative numeric `max_valid_for_secs` cannot be freshness-checked, so it is
* rejected rather than silently trusted — a missing or malformed field must never
* skip the staleness check.
*
* Args:
* * `bundleJson`: The parsed bundle JSON (untrusted shape).
* * `nowMs`: The current time in epoch milliseconds.
*
* Usage:
* ```ignore
* const r = checkBundleFreshness(JSON.parse(content), Date.now());
* if (!r.fresh) core.setFailed(r.reason);
* ```
*/
function checkBundleFreshness(bundleJson, nowMs) {
const b = bundleJson;
const ts = b?.bundle_timestamp;
const tsMs = typeof ts === 'string' || typeof ts === 'number' ? new Date(ts).getTime() : NaN;
if (!Number.isFinite(tsMs)) {
return { fresh: false, reason: 'Identity bundle is malformed: missing or invalid `bundle_timestamp`.' };
}
const maxAge = b?.max_valid_for_secs;
if (typeof maxAge !== 'number' || !Number.isFinite(maxAge) || maxAge < 0) {
return { fresh: false, reason: 'Identity bundle is malformed: missing or invalid `max_valid_for_secs`.' };
}
const ageSeconds = (nowMs - tsMs) / 1000;
if (ageSeconds > maxAge) {
return { fresh: false, reason: `Bundle expired: ${Math.round(ageSeconds)}s old, max ${maxAge}s.` };
}
return { fresh: true };
}
/**
* Run pre-flight checks before verification.
* Detects common issues and provides actionable error messages.
Expand Down
2 changes: 1 addition & 1 deletion dist/index.js.map

Large diffs are not rendered by default.

38 changes: 37 additions & 1 deletion src/__tests__/verifier.test.ts
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
import { getAuthsDownloadUrl, getBinaryName, getCommitsInRange, verifyChecksum, ensureAuthsInstalled, verifyArtifact, classifyArtifactError, ArtifactVerificationResult, processGpgResults, VerificationResult } from '../verifier';
import { getAuthsDownloadUrl, getBinaryName, getCommitsInRange, verifyChecksum, ensureAuthsInstalled, verifyArtifact, classifyArtifactError, ArtifactVerificationResult, processGpgResults, VerificationResult, checkBundleFreshness } from '../verifier';
import * as crypto from 'crypto';
import * as fs from 'fs';
import * as path from 'path';
Expand Down Expand Up @@ -320,6 +320,42 @@ describe('processGpgResults', () => {
});
});

describe('checkBundleFreshness', () => {
const FIXED_NOW = new Date('2026-06-20T00:00:00Z').getTime();
const wellFormed = (overrides: Record<string, unknown> = {}) => ({
bundle_timestamp: new Date(FIXED_NOW - 1000).toISOString(), // 1s old
max_valid_for_secs: 86400,
...overrides,
});

it('accepts a well-formed, in-window bundle', () => {
expect(checkBundleFreshness(wellFormed(), FIXED_NOW).fresh).toBe(true);
});

it('rejects a bundle missing max_valid_for_secs (no silent skip)', () => {
const { max_valid_for_secs, ...noTtl } = wellFormed();
expect(checkBundleFreshness(noTtl, FIXED_NOW).fresh).toBe(false);
});

it('rejects a bundle with a non-numeric max_valid_for_secs', () => {
expect(checkBundleFreshness(wellFormed({ max_valid_for_secs: 'forever' }), FIXED_NOW).fresh).toBe(false);
});

it('rejects a bundle missing or invalid bundle_timestamp', () => {
const { bundle_timestamp, ...noTs } = wellFormed();
expect(checkBundleFreshness(noTs, FIXED_NOW).fresh).toBe(false);
expect(checkBundleFreshness(wellFormed({ bundle_timestamp: 'not-a-date' }), FIXED_NOW).fresh).toBe(false);
});

it('rejects a genuinely stale bundle', () => {
const stale = wellFormed({
bundle_timestamp: new Date(FIXED_NOW - 200_000 * 1000).toISOString(),
max_valid_for_secs: 86400,
});
expect(checkBundleFreshness(stale, FIXED_NOW).fresh).toBe(false);
});
});

describe('ensureAuthsInstalled - cross-run caching', () => {
const realTmpdir = require('os').tmpdir();
const cachePath = path.join(realTmpdir, 'auths-cache');
Expand Down
23 changes: 15 additions & 8 deletions src/main.ts
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';
import * as glob from '@actions/glob';
import { verifyCommits, verifyArtifact, VerifyOptions, VerificationResult, ArtifactVerificationResult, FailureType, ensureAuthsInstalled, runPreflightChecks } from './verifier';
import { verifyCommits, verifyArtifact, VerifyOptions, VerificationResult, ArtifactVerificationResult, FailureType, ensureAuthsInstalled, runPreflightChecks, checkBundleFreshness } from './verifier';

export interface ResolvedIdentity {
mode: 'identity-bundle' | 'kel-native';
Expand Down Expand Up @@ -95,17 +95,24 @@ async function run(): Promise<void> {
commitRange = await getDefaultCommitRange();
}

// Enforce bundle TTL before invoking CLI verification
// Validate the bundle shape and enforce TTL before invoking CLI verification.
// A malformed bundle (bad JSON, or a missing/invalid timestamp or TTL) fails CLOSED.
if (resolvedBundlePath) {
const bundleContent = fs.readFileSync(resolvedBundlePath, 'utf8');
const bundleJson = JSON.parse(bundleContent);
const ageSeconds = (Date.now() - new Date(bundleJson.bundle_timestamp).getTime()) / 1000;
if (ageSeconds > bundleJson.max_valid_for_secs) {
let bundleJson: unknown;
try {
bundleJson = JSON.parse(bundleContent);
} catch {
core.setFailed('Identity bundle is not valid JSON — verification aborted');
return;
}
const freshness = checkBundleFreshness(bundleJson, Date.now());
if (!freshness.fresh) {
core.error(
`Bundle expired: ${Math.round(ageSeconds)}s old, max ${bundleJson.max_valid_for_secs}s. ` +
`Refresh with: auths id export-bundle --alias <ALIAS> --output bundle.json --max-age-secs ${bundleJson.max_valid_for_secs}`
`${freshness.reason} ` +
`Refresh with: auths id export-bundle --alias <ALIAS> --output bundle.json --max-age-secs <SECONDS>`
);
core.setFailed('Stale identity bundle — verification aborted');
core.setFailed('Identity bundle rejected — verification aborted');
return;
}
}
Expand Down
39 changes: 39 additions & 0 deletions src/verifier.ts
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,45 @@ export function classifyError(error: string): FailureType {
return 'error';
}

/** Discriminated result of an identity-bundle freshness check. */
export type BundleFreshness = { fresh: true } | { fresh: false; reason: string };

/**
* Validate an identity bundle's shape and freshness, failing CLOSED.
*
* A bundle that does not carry a well-formed `bundle_timestamp` and a finite,
* non-negative numeric `max_valid_for_secs` cannot be freshness-checked, so it is
* rejected rather than silently trusted — a missing or malformed field must never
* skip the staleness check.
*
* Args:
* * `bundleJson`: The parsed bundle JSON (untrusted shape).
* * `nowMs`: The current time in epoch milliseconds.
*
* Usage:
* ```ignore
* const r = checkBundleFreshness(JSON.parse(content), Date.now());
* if (!r.fresh) core.setFailed(r.reason);
* ```
*/
export function checkBundleFreshness(bundleJson: unknown, nowMs: number): BundleFreshness {
const b = bundleJson as { bundle_timestamp?: unknown; max_valid_for_secs?: unknown };
const ts = b?.bundle_timestamp;
const tsMs = typeof ts === 'string' || typeof ts === 'number' ? new Date(ts).getTime() : NaN;
if (!Number.isFinite(tsMs)) {
return { fresh: false, reason: 'Identity bundle is malformed: missing or invalid `bundle_timestamp`.' };
}
const maxAge = b?.max_valid_for_secs;
if (typeof maxAge !== 'number' || !Number.isFinite(maxAge) || maxAge < 0) {
return { fresh: false, reason: 'Identity bundle is malformed: missing or invalid `max_valid_for_secs`.' };
}
const ageSeconds = (nowMs - tsMs) / 1000;
if (ageSeconds > maxAge) {
return { fresh: false, reason: `Bundle expired: ${Math.round(ageSeconds)}s old, max ${maxAge}s.` };
}
return { fresh: true };
}

export interface VerifyOptions {
identityBundlePath: string;
skipMergeCommits: boolean;
Expand Down
Loading