# Trust Store / Trust Policy CLI UX
Command sets
- Manage trust store: `notation cert`
- Manage trust policy: `notation policy`
## Manage Trust Store
We need a way to do CRUD on the trust store.
The store is laid out as `x509/<type>/<name>/*.crt|*.cer|*.pem`.
- C: Add certificates to the trust store.
  - `notation cert add --type <type> --store <name> <path> ...`
  - Example:
    - `notation cert add --type ca --store acme-rockets acme_root.crt acme_root_2.crt`
    - It will add the certificates to
      `{NOTATION_CONFIG}/truststore/x509/ca/acme-rockets/acme_root.crt` and
      `{NOTATION_CONFIG}/truststore/x509/ca/acme-rockets/acme_root_2.crt`,
      where `{NOTATION_CONFIG}` is the user-level configuration directory.
  <!-- - System level: `notation cert add -system --type <type> --store <name> <path>...` -->
- R: Inspect certificates
  - List all certificates
    - `notation cert list`
  <!-- - List all named stores
    - `notation cert list-stores`
  - List all named stores of a certain type
    - `notation cert list-stores --type <type>` -->
  - List all certificates of a certain named store
    - `notation cert list --store <name>`
  - List all certificates of a certain named store and type
    - `notation cert list --type <type> --store <name>`
  - Show certificate details
    - `notation cert show --type <type> --store <name> <filename>`
- U: N/A (Notation does not allow users to update an existing certificate, since the certificate's thumbprint would no longer be consistent after an in-place update)
- D: Delete certificates
  - Delete all certificates of a certain named store
    - `notation cert delete --store <name> --all`
    - Scenario: remove all certs of an entity / organization.
  - Delete all certificates of a certain named store and type
    - `notation cert delete --type <type> --store <name> --all`
  - Delete a specific certificate of a certain named store and type
    - `notation cert delete --type <type> --store <name> <filename>`
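As an added example (not Notation's own code), here is a Go model of what `notation cert add` has to do under the layout above: parse the file as PEM or DER X.509, compute its SHA-256 thumbprint, and write it to `{NOTATION_CONFIG}/truststore/x509/<type>/<name>/<basename>`, refusing to overwrite an existing entry, which is the reason the page gives for having no update verb. The function names `AddCert` and `WriteSelfSignedCert`, the file modes, and the self-signed certificate used as input are assumptions and constructed test data, not Notation's behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// AddCert is a hypothetical model of `notation cert add --type <type> --store <name> <path>`:
// parse the file (PEM or DER), take the SHA-256 thumbprint of the DER bytes, and copy the
// file to {configDir}/truststore/x509/<type>/<name>/<basename>. An existing entry is never
// overwritten, which is the page's reason for having no update verb.
func AddCert(configDir, storeType, storeName, certPath string) (dst, thumbprint string, err error) {
	raw, err := os.ReadFile(certPath)
	if err != nil {
		return "", "", err
	}
	der := raw
	if block, _ := pem.Decode(raw); block != nil {
		if block.Type != "CERTIFICATE" {
			return "", "", fmt.Errorf("%s: unexpected PEM block type %q", certPath, block.Type)
		}
		der = block.Bytes
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", "", fmt.Errorf("%s: not an X.509 certificate: %w", certPath, err)
	}
	sum := sha256.Sum256(cert.Raw)
	thumbprint = hex.EncodeToString(sum[:])
	dir := filepath.Join(configDir, "truststore", "x509", storeType, storeName)
	if err := os.MkdirAll(dir, 0o700); err != nil { // file modes are an assumption
		return "", "", err
	}
	dst = filepath.Join(dir, filepath.Base(certPath))
	// O_EXCL makes the create fail if the file exists: "update" means delete, then add.
	f, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if os.IsExist(err) {
		return "", "", fmt.Errorf("%s already exists in store %s:%s; delete it first", filepath.Base(certPath), storeType, storeName)
	} else if err != nil {
		return "", "", err
	}
	defer f.Close()
	if _, err := f.Write(raw); err != nil {
		return "", "", err
	}
	return dst, thumbprint, nil
}

// WriteSelfSignedCert writes a throw-away self-signed CA certificate to path. It is
// constructed test input standing in for a real root such as acme_root.crt.
func WriteSelfSignedCert(path, commonName string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600)
}

func main() {
	work, err := os.MkdirTemp("", "notation-truststore-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(work)
	src := filepath.Join(work, "acme_root.crt")
	if err := WriteSelfSignedCert(src, "constructed acme root"); err != nil {
		panic(err)
	}
	cfg := filepath.Join(work, "config") // stands in for {NOTATION_CONFIG}
	dst, tp, err := AddCert(cfg, "ca", "acme-rockets", src)
	fmt.Println(dst, tp, err)
	_, _, err = AddCert(cfg, "ca", "acme-rockets", src)
	fmt.Println("second add:", err)
}
```

The second `AddCert` call in `main` is the interesting one: because the file is opened with `O_EXCL`, a re-add of the same filename fails instead of silently replacing the trusted root, so the thumbprint an operator recorded for `acme_root.crt` stays valid until they explicitly run `notation cert delete`.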
## Manage Trust Policy
We need a way to do CRUD on the trust policy. A trust policy document looks like this:
```json
{
  "version": "1.0",
  "trustPolicies": [
    {
      // Policy for all artifacts, from any registry location.
      "name": "wabbit-networks-images", // Name of the policy.
      "registryScopes": [ "*" ], // The registry artifacts to which the policy applies.
      "signatureVerification": { // The level of verification - strict, permissive, audit, skip.
        "level" : "audit"
      },
      "trustStores": ["ca:acme-rockets"], // The trust stores that contain the X.509 trusted roots.
      "trustedIdentities": [ // Identities that are trusted to sign the artifact.
        "x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder"
      ]
    }
  ]
}
```
- C: Add policies
  - From file
    - `notation policy add --input @<json_file_path>`
  - From a JSON object, or an array of JSON objects, in the `trustPolicies` format
    - `notation policy add --input <json_object>`
    - The JSON object can be an array or a map.
  - From options
    - `notation policy add --name <name> --scope <registry>/<repository> --level <level> --level-override <key>:<value> --trust-store <type>:<name> --identity <identity> [--identity-cert <cert_name>]`
    - Example:
      ```sh
      notation policy add --name wabbit-networks-images \
        --scope registry.acme-rockets.io/software/net-monitor \
        --scope registry.acme-rockets.io/software/net-logger \
        --level strict \
        --trust-store ca:wabbit-networks \
        --identity "x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools" \
        --identity-cert acme_root.crt
      ```
- R: Inspect policies
  - List all policies
    - `notation policy list` to list policy names and scopes
  - Inspect a policy
    - `notation policy show <policy_name>`
  - Present the policy for a certain scope
    - `notation policy resolve <scope>` to print the details of the policy that applies to the specified scope.
- U: Update a policy
  - From file
    - `notation policy update --input @<json_file_path>`
  - From a JSON object, or an array of JSON objects, in the `trustPolicies` format
    - `notation policy update --input <json_object>`
    - The JSON object can be an array or a map.
  - From options
    - `notation policy update [--scope <registry>/<repository>] [--level <level>] [--level-override <key>:<value>] [--trust-store <type>:<name>] [--identity <identity>] <policy_name>`
- D: Delete policies
  - `notation policy delete <policy_name> ...`
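As an added example (not Notation's own code), the following Go program ties the policy document format shown at the top of this section to `notation policy resolve <scope>`: it decodes the JSON into structs, checks the document for conditions that would make resolution ambiguous, and resolves a `<registry>/<repository>` scope to the policy that applies. The validation rules, the precedence rule (an exact scope match beats the `"*"` policy), the type and function names, and the second policy in `SamplePolicyJSON` (named `net-monitor-strict`, built from the `notation policy add` example) are assumptions; `--level-override` is not modeled.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Go mirror of the trust policy JSON on this page.
type SignatureVerification struct {
	Level string `json:"level"`
}

type TrustPolicy struct {
	Name                  string                `json:"name"`
	RegistryScopes        []string              `json:"registryScopes"`
	SignatureVerification SignatureVerification `json:"signatureVerification"`
	TrustStores           []string              `json:"trustStores"`
	TrustedIdentities     []string              `json:"trustedIdentities"`
}

type TrustPolicyDocument struct {
	Version       string        `json:"version"`
	TrustPolicies []TrustPolicy `json:"trustPolicies"`
}

// SamplePolicyJSON is constructed input: the page's "*" policy with its comments
// stripped, plus a repository-scoped policy built from the `notation policy add`
// example under a made-up name.
const SamplePolicyJSON = `{"version": "1.0", "trustPolicies": [
 {"name": "wabbit-networks-images", "registryScopes": ["*"],
  "signatureVerification": {"level": "audit"}, "trustStores": ["ca:acme-rockets"],
  "trustedIdentities": ["x509.subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder"]},
 {"name": "net-monitor-strict", "registryScopes": ["registry.acme-rockets.io/software/net-monitor"],
  "signatureVerification": {"level": "strict"}, "trustStores": ["ca:wabbit-networks"],
  "trustedIdentities": ["x509.subject: C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools"]}]}`

var validLevels = map[string]bool{"strict": true, "permissive": true, "audit": true, "skip": true}

// Validate rejects documents that would make `resolve` ambiguous: empty or duplicate
// names, a scope (including "*") claimed by two policies, or an unknown level.
// These rules are this example's assumptions, not a statement of Notation's.
func Validate(doc *TrustPolicyDocument) error {
	names, owner := map[string]bool{}, map[string]string{}
	for _, p := range doc.TrustPolicies {
		if p.Name == "" || names[p.Name] {
			return fmt.Errorf("policy name %q is empty or duplicated", p.Name)
		}
		names[p.Name] = true
		if !validLevels[p.SignatureVerification.Level] {
			return fmt.Errorf("policy %q: unknown level %q", p.Name, p.SignatureVerification.Level)
		}
		for _, s := range p.RegistryScopes {
			if other, taken := owner[s]; taken {
				return fmt.Errorf("scope %q is claimed by both %q and %q", s, other, p.Name)
			}
			owner[s] = p.Name
		}
	}
	return nil
}

// ParsePolicy decodes a document and validates it.
func ParsePolicy(data []byte) (*TrustPolicyDocument, error) {
	doc := &TrustPolicyDocument{}
	if err := json.Unmarshal(data, doc); err != nil {
		return nil, err
	}
	if err := Validate(doc); err != nil {
		return nil, err
	}
	return doc, nil
}

// Resolve models `notation policy resolve <scope>`: an exact <registry>/<repository>
// match wins, else the "*" policy applies, else nothing does (precedence assumed).
func Resolve(doc *TrustPolicyDocument, scope string) (*TrustPolicy, error) {
	var global *TrustPolicy
	for i := range doc.TrustPolicies {
		p := &doc.TrustPolicies[i]
		for _, s := range p.RegistryScopes {
			if s == scope {
				return p, nil
			}
			if s == "*" {
				global = p
			}
		}
	}
	if global != nil {
		return global, nil
	}
	return nil, fmt.Errorf("no trust policy covers %q", scope)
}

func main() {
	doc, err := ParsePolicy([]byte(SamplePolicyJSON))
	if err != nil {
		panic(err)
	}
	p, _ := Resolve(doc, "registry.acme-rockets.io/software/net-logger") // no exact match: "*" policy
	fmt.Println(p.Name, p.SignatureVerification.Level)
}
```

With the sample document, `net-monitor` resolves to the `strict` policy and every other repository falls through to the `audit` policy; the duplicate-scope check in `Validate` is what keeps that answer deterministic, since two policies claiming the same repository (or two `"*"` policies) would otherwise leave the result dependent on file order.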