appengine

command

v1.0.0 Latest Latest Go to latest Published: Dec 30, 2021 License: Apache-2.0 Imports: 3 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/google/fresnel

Links

Open Source Insights

README ¶

Fresnel App Engine

Fresnel App Engine runs in your Google Cloud Platform (GCP) project. It serves as the intermediary between a client and the resources needed to build trust for your OS installer.

Project Selection

Fresnel can run in your existing GCP organization, either in its own project, or within a project you already run.

Go to https://console.cloud.google.com
Select your project, or create a new one if necessary.

Installation

Prepare your project to host Fresnel App Engine by following these instructions.
Prepare your app.yaml and pe_allowlist.yaml files.
Test and deploy the application, including these files using gcloud deploy.
Note the address of your AppEngine instance, and update your CLI configuration with this address. The CLI will use this address to obtain seeds during provisioning.

Endpoints

/seed

Used by the Fresnel CLI to obtain seeds when the distribution is configured to request them. Seeds are signed using the AppEngine Identity API, and the CLI asserts that seeds come from the expected App Engine instance.

/sign

Sign is available for use with your OS installer. It fulfills requests for a signed url representing a resource in a google cloud bucket, typically present in the same cloud project as Fresnel App Engine. See below for additional information on how to use the cloud bucket.

If you wish to allow an OS Installer to retrieve a file using the /sign endpoint do the following:

Retrieve a seed beforehand using the /seed endpoint.
Co-locate the seed with your installation image.
When your installer requires a resource from the cloud bucket, send a JSON encoded request to the /sign endpoint that includes your seed.
The /sign endpoint will respond with a signed-url that you can use to retrieve the resource.
Continue provisioning.

This process can be repeated for as many files/resources as are required by your installer.

/sign request format

Installers making requests for signed-url's should submit those requests to the /sign endpoint using the following structure. See the models package in this repository for additional information.

type SignRequest struct {
    Seed      Seed
    Signature []byte
    Mac       []string
    Path      string
    Hash      []byte
}

app.yaml

Your application should be deployed using an app.yaml configured for your project. See the examples folder for a starter configuration.

Env Variables

These are required in order to configure your App Engine instance for your project and use case. They are declared in your app.yaml. See the example for more information.

BUCKET [string]: The identifier for the cloud bucket you want to use with the /sign endpoint.
SIGNED_URL_DURATION [string]: Signed URLs provided by /sign will expire after this duration.
SEED_VALIDITY_DURATION [string]: Seeds will be considered stale and not be accepted by the /sign endpoint after this duration.
VERIFY_SEED [string]: 'true' or 'false' determines if seeds are checked when making requests to /sign.
VERIFY_SEED_SIGNATURE [string]: 'true' or 'false' determines if seed signatures are checked when making requests to /sign.
VERIFY_SEED_SIGNATURE_FALLBACK [string]: 'true' or 'false' if /sign requests provide their own certificate chain, allow these to be used to validate the identity of signer.
VERIFY_SEED_HASH [string]: 'true' or 'false' when making a request to /seed, the hash is checked against pe_allowlist.yaml to see if it is permitted.
VERIFY_SIGN_HASH [string]: 'true' or 'false' a seed hash is verified cryptographically on requests to /sign and pe_allowlist.yaml is checked for the presence of that hash.

Allowlist

The pe_allowlist.yaml file lists the hashes that may be signed when requesting seeds. It is also checked when requests are made to /sign to determine if the seed making the request was generated using an acceptable hash.

pe_allowlist.yaml must be stored in your cloud bucket in the a folder named 'appengine_config'.

See pe_allowlist.yaml in the examples folder for more information.

Cloud Bucket

Configure a cloud bucket where your pe_allowlist and any resources you wish to use with the /sign endpoint can be stored. Your cloud bucket must allow at least read access for the project where you are running your App Engine project.

Documentation ¶

Overview ¶

Package appengine is an web-application that provides a public API for imaging Windows clients. It provides endpoints to permit pre-authorization for builds, and for machines being built to obtain required binaries from a GCS cloud bucket.

Source Files ¶

View all Source files

appengine.go

Directories ¶

Path	Synopsis
endpoints Package endpoints provides the functions used to receive requests and serve data via imaging.	Package endpoints provides the functions used to receive requests and serve data via imaging.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL