Secure Arguments and Environment Variables Tutorial
Part 2: Determine the Hash Value of an existing Policy
To become more familiar with CAS policies, we determine the hash value of a policy. We need the hash value of a policy when we want to update it atomically, i.e., read the policy, modify it, and write the modified policy back as one logical step. This matters when multiple entities have the right to update a policy: an update made in the meantime must not be silently overwritten.
In part 1, we assigned the hash value of the generated policy to the environment variable PREDECESSOR. If we keep this value, we can use it to update the policy. If some other entity has the right to update the policy and has done so, we need to determine the new hash value. Also, if we did not save the latest hash value, we have to be able to determine it.
We show three ways to determine the hash value of a policy:
- by reading the policy from CAS and then calculating the hash value,
- by calculating the hash value from the policy file that we uploaded, and
- by comparing our local policy with the policy that is stored in CAS.
Depending on the context, you might use the variant that is most convenient for you.
Determine the hash by reading the policy
The SCONE CLI contains commands to read a policy from CAS and to print its hash. First, we read the policy into a local file:
scone session read $SESSION > session_read.yaml
To determine the hash value of this policy, we can execute the following:
scone session calculate-hash session_read.yaml
This prints the same hash value as we saw above, i.e.,
Determine the hash from the existing policy file
We can also determine the hash value from the policy file that we uploaded to CAS, if we still have this file in our filesystem.
Note that the hash value of a policy depends on how we uploaded / created the policy. A simple call to scone session calculate-hash will fail:
scone session calculate-hash session.yaml
Cannot calculate session hash! The session, explicitly or through the default access policy, references its creator. If not explicitly specified in the session, the creator is automatically assigned to the identity uploading the session. You may use --with-self-as-creator to pretend you created the session, or remove all creator references.
Since the SCONE CLI uploads a session via TLS by default, the creator is the uploading TLS identity, and we can compute the session hash as follows:
scone session calculate-hash session.yaml --with-self-as-creator tls
Verifying a Policy
Another way to determine the session hash is to verify the session. In this case, we have a local copy of the policy in the filesystem and connect to CAS to check that it is still the up-to-date policy, i.e., that it has not been updated in the meantime.
We can use either the original policy stored in session.yaml or the session that we read from CAS:
scone session verify session.yaml
scone session verify session_read.yaml
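The following script wires the first two variants into a guard that a practitioner would run before updating a policy: it compares the hash currently stored in CAS with the PREDECESSOR value kept from part 1 and reports whether another entity has updated the policy in the meantime. It is an added example, not part of the SCONE tutorial; it assumes that scone session calculate-hash prints only the hash, and SCONE_CLI is a hypothetical variable that lets a stub stand in for the CLI when testing offline.

```shell
#!/bin/sh
# Added example (not SCONE's own code). Assumes the `scone` CLI from the
# tutorial; SCONE_CLI is a hypothetical override so the functions can be
# exercised without a CAS, e.g. with a stub function.
SCONE_CLI="${SCONE_CLI:-scone}"

# Variant 1: read the policy from CAS and hash what CAS returned.
# Prints the hash; returns non-zero if the CLI fails.
cas_policy_hash() {
  tmp=$(mktemp) || return 1
  if "$SCONE_CLI" session read "$1" > "$tmp"; then
    "$SCONE_CLI" session calculate-hash "$tmp"
    rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Variant 2: hash the local policy file as it was uploaded, i.e. with the
# uploading TLS identity as creator (the default upload mode).
local_policy_hash() {
  "$SCONE_CLI" session calculate-hash "$1" --with-self-as-creator tls
}

# Guard for an atomic update: returns 0 if the PREDECESSOR hash we kept is
# still the hash stored in CAS, 1 if someone else has updated the policy
# (re-read, re-apply the change and retry), 2 if CAS could not be queried.
predecessor_is_current() {
  session="$1"
  expected="$2"
  current=$(cas_policy_hash "$session") || return 2
  [ "$current" = "$expected" ]
}

# Usage: PREDECESSOR=<hash> ; predecessor_is_current "$SESSION" "$PREDECESSOR"
```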