fixup! feat: Enable Witness Policy verify from Archivista

Signed-off-by: Kairo Araujo <kairo.araujo@testifysec.com>

Author: Kairo Araujo

.gitignore

@@ -2,6 +2,8 @@ bin/
 build/
 vendor/
 .dccache
+.vscode
+.profile.cov
 test/testapp
 test/test-attestation.json
 test/policy-signed.json
@@ -15,4 +17,4 @@ sarif-report.json
 test/log
 node_modules
 .DS_Store
-docs-website/.docusaurus
+docs-website/.docusaurus

cmd/verify.go

@@ -26,8 +26,9 @@ import (
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/go-witness/log"
 	"github.com/in-toto/go-witness/source"
+	archivista_client "github.com/in-toto/witness/internal/archivista"
+	"github.com/in-toto/witness/internal/policy"
 	"github.com/in-toto/witness/options"
-	"github.com/in-toto/witness/pkg"
 	"github.com/spf13/cobra"
 )
 
@@ -95,7 +96,7 @@ func runVerify(ctx context.Context, vo options.VerifyOptions, verifiers ...crypt
 		verifiers = append(verifiers, v)
 	}
 
-	policyEnvelope, err := pkg.LoadPolicy(ctx, vo.PolicyFilePath, pkg.NewArchivistaClient(vo.ArchivistaOptions.Url, archivistaClient))
+	policyEnvelope, err := policy.LoadPolicy(ctx, vo.PolicyFilePath, archivista_client.NewArchivistaClient(vo.ArchivistaOptions.Url, archivistaClient))
 	if err != nil {
 		return fmt.Errorf("failed to load policy: %w", err)
 	}

internal/archivista/archivista.go

@@ -0,0 +1,58 @@
+// Copyright 2024 The Witness Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package archivista
+
+import (
+	"context"
+
+	"github.com/in-toto/go-witness/archivista"
+	"github.com/in-toto/go-witness/dsse"
+)
+
+type aClient struct {
+	url    string
+	client Clienter
+}
+
+// Define Client Interface for Archivista
+type Clienter interface {
+	Download(ctx context.Context, gitoid string) (dsse.Envelope, error)
+	Store(ctx context.Context, env dsse.Envelope) (string, error)
+	SearchGitoids(ctx context.Context, vars archivista.SearchGitoidVariables) ([]string, error)
+}
+
+func NewArchivistaClient(url string, client *archivista.Client) Clienter {
+
+	if client == nil {
+		return nil
+	}
+
+	return &aClient{
+		url:    url,
+		client: client,
+	}
+}
+
+func (ac *aClient) Download(ctx context.Context, gitoid string) (dsse.Envelope, error) {
+	return ac.client.Download(ctx, gitoid)
+}
+
+func (ac *aClient) Store(ctx context.Context, env dsse.Envelope) (string, error) {
+	return ac.client.Store(ctx, env)
+}
+
+func (ac *aClient) SearchGitoids(ctx context.Context, vars archivista.SearchGitoidVariables) ([]string, error) {
+	return ac.client.SearchGitoids(ctx, vars)
+}

internal/policy/policy.go

@@ -0,0 +1,57 @@
+// Copyright 2024 The Witness Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package policy
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/in-toto/go-witness/dsse"
+	"github.com/in-toto/go-witness/log"
+	"github.com/in-toto/witness/internal/archivista"
+)
+
+// Load policy from a file or Archivista
+//
+// It prefers to load from a file, if it fails, it tries to load from Archivista
+func LoadPolicy(ctx context.Context, policy string, ac archivista.Clienter) (dsse.Envelope, error) {
+	policyEnvelope := dsse.Envelope{}
+
+	filePolicy, err := os.Open(policy)
+	if err != nil {
+		log.Debug("failed to open policy file: ", policy)
+		if ac == nil {
+			return policyEnvelope, fmt.Errorf("failed to open file to sign: %w", err)
+		} else {
+			log.Debug("attempting to fetch policy " + policy + " from archivista")
+			policyEnvelope, err = ac.Download(ctx, policy)
+			if err != nil {
+				return policyEnvelope, fmt.Errorf("failed to fetch policy from archivista: %w", err)
+			}
+			log.Debug("policy " + policy + " downloaded from archivista")
+		}
+
+	} else {
+		defer filePolicy.Close()
+		decoder := json.NewDecoder(filePolicy)
+		if err := decoder.Decode(&policyEnvelope); err != nil {
+			return policyEnvelope, fmt.Errorf("could not unmarshal policy envelope: %w", err)
+		}
+	}
+
+	return policyEnvelope, nil
+}

internal/policy/policy_test.go

@@ -0,0 +1,103 @@
+// Copyright 2024 The Witness Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package policy
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/in-toto/go-witness/dsse"
+	"github.com/in-toto/witness/internal/archivista"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/suite"
+)
+
+// Mock archivista client
+type ArchivistaClienterMock struct {
+	mock.Mock
+	archivista.Clienter
+}
+
+func (m *ArchivistaClienterMock) Download(ctx context.Context, path string) (dsse.Envelope, error) {
+	args := m.Called()
+	return dsse.Envelope{}, args.Error(1)
+}
+
+// Define test suite
+type UTPolicySuite struct {
+	suite.Suite
+	mockedAC *ArchivistaClienterMock
+}
+
+func TestUTPolicySuite(t *testing.T) {
+	suite.Run(t, new(UTPolicySuite))
+}
+
+// Setup test suite
+func (ut *UTPolicySuite) SetupTest() {
+	ut.mockedAC = &ArchivistaClienterMock{}
+
+}
+
+// Test LoadPolicy with file
+func (ut *UTPolicySuite) TestLoadPolicyFile() {
+	ctx := context.Background()
+	policy := "../../test/policy-hello-signed.json"
+
+	// Load policy from file
+	policyEnvelope, err := LoadPolicy(ctx, policy, nil)
+	ut.NoError(err)
+	ut.NotNil(policyEnvelope)
+}
+
+// Test LoadPolicy with file not found
+func (ut *UTPolicySuite) TestLoadPolicyFileNotFound() {
+	ctx := context.Background()
+	policy := "notfound"
+
+	// Load policy from file
+	_, err := LoadPolicy(ctx, policy, nil)
+	ut.Error(err)
+	ut.Contains(err.Error(), "no such file or directory")
+}
+
+// Test LoadPolicy with archivista
+func (ut *UTPolicySuite) TestLoadPolicyArchivista() {
+	ctx := context.Background()
+	policy := "testgitoid"
+
+	// Mock archivista client
+	ut.mockedAC.On("Download").Return(dsse.Envelope{}, nil)
+
+	// Load policy from archivista
+	policyEnvelope, err := LoadPolicy(ctx, policy, ut.mockedAC)
+	ut.NoError(err)
+	ut.NotNil(policyEnvelope)
+}
+
+// Test LoadPolicy with archivista not found
+func (ut *UTPolicySuite) TestLoadPolicyArchivistaNotFound() {
+	ctx := context.Background()
+	policy := "testgitoid"
+
+	// Mock archivista client
+	ut.mockedAC.On("Download").Return(dsse.Envelope{}, errors.New("not found"))
+
+	// Load policy from archivista
+	_, err := LoadPolicy(ctx, policy, ut.mockedAC)
+	ut.Error(err)
+	ut.Contains(err.Error(), "failed to fetch policy from archivista")
+}