rescript-openapi 0.1.0

Generate type-safe ReScript clients from OpenAPI specifications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105

-- SPDX-License-Identifier: PLMP-1.0-or-later
-- Trustfile template - cryptographic and provenance verification

module Trustfile where

import Control.Monad (forM)
import System.Directory (doesFileExist)
import System.Environment (lookupEnv)
import System.Exit (exitFailure, exitSuccess)
import System.Process (readProcessWithExitCode)

policyPath :: FilePath
policyPath = "policy/policy.ncl"

policyHashPath :: FilePath
policyHashPath = "policy/policy.ncl.sha256"

schemaPath :: FilePath
schemaPath = "schema/schema.json"

schemaSigPath :: FilePath
schemaSigPath = "schema/schema.sig"

schemaPubPath :: FilePath
schemaPubPath = "schema/schema.pub"

driverPaths :: [FilePath]
driverPaths = ["drivers/gateway-driver.bin"]

migrationsPath :: FilePath
migrationsPath = "migrations/provenance.json"

migrationsSigPath :: FilePath
migrationsSigPath = "migrations/provenance.sig"

migrationsPubPath :: FilePath
migrationsPubPath = "migrations/provenance.pub"

runCmd :: String -> [String] -> IO Bool
runCmd cmd args = do
  (code, _out, _err) <- readProcessWithExitCode cmd args ""
  pure (code == mempty)

readFirstWord :: FilePath -> IO (Maybe String)
readFirstWord path = do
  exists <- doesFileExist path
  if not exists
    then pure Nothing
    else do
      content <- readFile path
      pure (case words content of
        [] -> Nothing
        (w:_) -> Just w)

verifyPolicyHash :: IO Bool
verifyPolicyHash = do
  expected <- readFirstWord policyHashPath
  case expected of
    Nothing -> pure False
    Just hash -> do
      (code, out, _err) <- readProcessWithExitCode "sha256sum" [policyPath] ""
      if code /= mempty
        then pure False
        else do
          let actual = case words out of
                [] -> ""
                (w:_) -> w
          pure (actual == hash)

verifySchemaSignature :: IO Bool
verifySchemaSignature = do
  filesOk <- and <$> mapM doesFileExist [schemaPath, schemaSigPath, schemaPubPath]
  if not filesOk
    then pure False
    else runCmd "openssl" ["dgst", "-sha256", "-verify", schemaPubPath, "-signature", schemaSigPath, schemaPath]

verifyKyber1024Signatures :: IO Bool
verifyKyber1024Signatures = do
  cmd <- lookupEnv "KYBER_VERIFY_CMD"
  let kyberCmd = maybe "kyber-verify" id cmd
  results <- forM driverPaths $ \path -> do
    let sig = path <> ".sig"
    let pub = path <> ".pub"
    filesOk <- and <$> mapM doesFileExist [path, sig, pub]
    if not filesOk
      then pure False
      else runCmd kyberCmd ["--pub", pub, "--sig", sig, "--file", path]
  pure (and results)

verifyMigrationProvenance :: IO Bool
verifyMigrationProvenance = do
  filesOk <- and <$> mapM doesFileExist [migrationsPath, migrationsSigPath, migrationsPubPath]
  if not filesOk
    then pure False
    else runCmd "openssl" ["dgst", "-sha256", "-verify", migrationsPubPath, "-signature", migrationsSigPath, migrationsPath]

main :: IO ()
main = do
  policyOk <- verifyPolicyHash
  schemaOk <- verifySchemaSignature
  driversOk <- verifyKyber1024Signatures
  migrationsOk <- verifyMigrationProvenance
  if and [policyOk, schemaOk, driversOk, migrationsOk]
    then exitSuccess
    else exitFailure