Reject placeholder OpenBao drill evidence

This commit is contained in:
2026-06-02 02:02:09 +02:00
parent 606a5f3e1e
commit 18c1b86498
4 changed files with 37 additions and 4 deletions


@@ -95,6 +95,16 @@ for marker in secret_markers:
if marker in encoded:
errors.append(f"secret-looking marker present: {marker}")
placeholder_markers = [
"YYYY-MM-DD",
"example",
"Do not record",
"<",
]
for marker in placeholder_markers:
if marker in encoded:
errors.append(f"template placeholder present: {marker}")
if errors:
for error in errors:
print(f"[FAIL] {error}", file=sys.stderr)
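Review bot: The placeholder scan at `for marker in placeholder_markers:` is case-sensitive, so a record containing `Example`, `EXAMPLE` or `yyyy-mm-dd` slips through while only the exact lowercase template text is rejected; since the goal is to refuse templated evidence rather than one literal spelling, compare case-insensitively with `lowered = encoded.casefold()` before the loop and `if marker.casefold() in lowered:` inside it. The bare `"<"` entry is also very broad: any legitimate `<` in a recorded command line or free-text note (a shell redirect, a comparison) will be flagged as a template placeholder, whereas a pattern such as `re.search(r"<[^>\n]+>", encoded)` would target `<angle-bracket>` placeholders specifically (how `encoded` is built is not visible in this hunk, so verify that against the serializer). The enclosing script continues outside the hunk.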


@@ -81,6 +81,9 @@ for key in ("snapshot_sha256", "encrypted_snapshot_sha256"):
value = str(data.get(key, ""))
if value and not sha_pattern.match(value):
errors.append(f"{key} must be a sha256 hex digest, optionally prefixed with sha256:")
digest = value.removeprefix("sha256:").lower()
if digest and len(set(digest)) <= 1:
errors.append(f"{key} must not be a placeholder digest")
for key in required_true:
if data.get(key) is not True:
@@ -100,6 +103,19 @@ for marker in secret_markers:
if marker in encoded:
errors.append(f"secret-looking marker present: {marker}")
placeholder_markers = [
"YYYY-MM-DD",
"example",
"operator-local encrypted restore drill workspace",
"approved encrypted custody location",
"disposable cluster, VM, or namespace reference",
"Do not record",
"<",
]
for marker in placeholder_markers:
if marker in encoded:
errors.append(f"template placeholder present: {marker}")
if errors:
for error in errors:
print(f"[FAIL] {error}", file=sys.stderr)
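Review bot: The digest placeholder test at `if digest and len(set(digest)) <= 1:` only rejects a single repeated character, so a filler like `0123456789abcdef` repeated four times or `deadbeef` repeated eight times still passes as drill evidence. A cheap complement is to record the normalized digests, `digests[key] = digest` inside the loop, and after it add `if digests.get("snapshot_sha256") and digests.get("snapshot_sha256") == digests.get("encrypted_snapshot_sha256"): errors.append("encrypted_snapshot_sha256 must differ from snapshot_sha256")`, since an encrypted copy cannot hash to the same value as the plaintext snapshot it was made from (assuming the two keys refer to distinct artifacts, which the names suggest but the hunk does not show). Note that `value.removeprefix("sha256:")` is case-sensitive, so a `SHA256:` prefix is only handled if `sha_pattern`, defined outside this view, already rejects it. The placeholder-marker loop at `for marker in placeholder_markers:` duplicates the same logic in the other changed file with a different list; if both validators are meant to enforce one policy, a shared marker list in a common module would keep them from drifting. Both hunks sit in a flat script whose surrounding statements are outside this view.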