feat(attestation): in-toto 1.0 resource descriptor support (#103)

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Author: migmartri

app/cli/api/attestation/v1/crafting_state.go

@@ -0,0 +1,41 @@
+//
+// Copyright 2023 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1
+
+import (
+	schemaapi "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
+)
+
+type NormalizedMaterialOutput struct {
+	Value, Digest string
+	IsOutput      bool
+}
+
+func (m *Attestation_Material) NormalizedOutput() *NormalizedMaterialOutput {
+	switch m.MaterialType {
+	case schemaapi.CraftingSchema_Material_ARTIFACT, schemaapi.CraftingSchema_Material_SBOM_CYCLONEDX_JSON, schemaapi.CraftingSchema_Material_SBOM_SPDX_JSON:
+		a := m.GetArtifact()
+		return &NormalizedMaterialOutput{a.Name, a.Digest, a.IsSubject}
+	case schemaapi.CraftingSchema_Material_CONTAINER_IMAGE:
+		a := m.GetContainerImage()
+		return &NormalizedMaterialOutput{a.Name, a.Digest, a.IsSubject}
+	case schemaapi.CraftingSchema_Material_STRING:
+		a := m.GetString_()
+		return &NormalizedMaterialOutput{Value: a.Value}
+	}
+
+	return nil
+}

app/cli/internal/action/workflow_run_describe.go

@@ -23,7 +23,7 @@ import (
 	"time"
 
 	pb "github.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1"
-	"github.com/chainloop-dev/chainloop/internal/attestation/renderer"
+	"github.com/chainloop-dev/chainloop/internal/attestation/renderer/chainloop"
 	sigs "github.com/sigstore/cosign/v2/pkg/signature"
 
 	"github.com/in-toto/in-toto-golang/in_toto"
@@ -47,7 +47,7 @@ type WorkflowRunAttestationItem struct {
 	CreatedAt   *time.Time     `json:"createdAt"`
 	Envelope    *dsse.Envelope `json:"envelope"`
 	statement   *in_toto.Statement
-	predicateV1 *renderer.ChainloopProvenancePredicateV1
+	predicateV1 *chainloop.ProvenancePredicateV01
 	Materials   []*Material `json:"materials,omitempty"`
 	EnvVars     []*EnvVar   `json:"envvars,omitempty"`
 }
@@ -63,7 +63,7 @@ type EnvVar struct {
 	Value string `json:"value"`
 }
 
-func (i *WorkflowRunAttestationItem) Predicate() *renderer.ChainloopProvenancePredicateV1 {
+func (i *WorkflowRunAttestationItem) Predicate() *chainloop.ProvenancePredicateV01 {
 	return i.predicateV1
 }
 
@@ -125,8 +125,8 @@ func (action *WorkflowRunDescribe) Run(runID string, verify bool, publicKey stri
 		return nil, fmt.Errorf("un-marshaling predicate: %w", err)
 	}
 
-	var predicate *renderer.ChainloopProvenancePredicateV1
-	if statement.PredicateType == renderer.ChainloopPredicateTypeV1 {
+	var predicate *chainloop.ProvenancePredicateV01
+	if statement.PredicateType == chainloop.PredicateTypeV01 {
 		if predicate, err = extractPredicateV1(statement); err != nil {
 			return nil, fmt.Errorf("extracting predicate: %w", err)
 		}
@@ -156,13 +156,13 @@ func (action *WorkflowRunDescribe) Run(runID string, verify bool, publicKey stri
 	return item, nil
 }
 
-func extractPredicateV1(statement *in_toto.Statement) (*renderer.ChainloopProvenancePredicateV1, error) {
+func extractPredicateV1(statement *in_toto.Statement) (*chainloop.ProvenancePredicateV01, error) {
 	jsonPredicate, err := json.Marshal(statement.Predicate)
 	if err != nil {
 		return nil, fmt.Errorf("un-marshaling predicate: %w", err)
 	}
 
-	predicate := &renderer.ChainloopProvenancePredicateV1{}
+	predicate := &chainloop.ProvenancePredicateV01{}
 	if err := json.Unmarshal(jsonPredicate, predicate); err != nil {
 		return nil, fmt.Errorf("un-marshaling predicate: %w", err)
 	}

app/controlplane/internal/biz/integration/dependencytrack/dependencytrack.go

@@ -28,11 +28,11 @@ import (
 	contractAPI "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/biz"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/integrations/dependencytrack"
-	"github.com/chainloop-dev/chainloop/internal/attestation/renderer"
+	"github.com/chainloop-dev/chainloop/internal/attestation/renderer/chainloop"
 	"github.com/chainloop-dev/chainloop/internal/credentials"
 	"github.com/chainloop-dev/chainloop/internal/servicelogger"
+	errors "github.com/go-kratos/kratos/v2/errors"
 	"github.com/go-kratos/kratos/v2/log"
-	"github.com/go-openapi/errors"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 )
 
@@ -106,11 +106,16 @@ func (uc *Integration) UploadSBOMs(envelope *dsse.Envelope, orgID, workflowID st
 	}
 
 	// There is at least one enabled integration, extract the SBOMs
-	predicate, err := renderer.ExtractPredicate(envelope)
+	predicates, err := chainloop.ExtractPredicate(envelope)
 	if err != nil {
 		return err
 	}
 
+	predicate := predicates.V01
+	if predicate == nil {
+		return errors.Forbidden("not implemented", "only v0.1 predicate is supported for now")
+	}
+
 	repo, err := uc.ociUC.FindMainRepo(ctx, orgID)
 	if err != nil {
 		return err

app/controlplane/internal/service/attestation.go

@@ -28,7 +28,7 @@ import (
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/biz"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/biz/integration/dependencytrack"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/usercontext"
-	"github.com/chainloop-dev/chainloop/internal/attestation/renderer"
+	"github.com/chainloop-dev/chainloop/internal/attestation/renderer/chainloop"
 	"github.com/chainloop-dev/chainloop/internal/credentials"
 	casJWT "github.com/chainloop-dev/chainloop/internal/robotaccount/cas"
 	sl "github.com/chainloop-dev/chainloop/internal/servicelogger"
@@ -282,11 +282,16 @@ func bizAttestationToPb(att *biz.Attestation) (*cpAPI.AttestationItem, error) {
 		return nil, err
 	}
 
-	predicate, err := renderer.ExtractPredicate(att.Envelope)
+	predicates, err := chainloop.ExtractPredicate(att.Envelope)
 	if err != nil {
 		return nil, err
 	}
 
+	predicate := predicates.V01
+	if predicate == nil {
+		return nil, errors.InternalServer("invalid attestation type", "attestation does not contain a V01 predicate")
+	}
+
 	return &cpAPI.AttestationItem{
 		Envelope:  encodedAttestation,
 		EnvVars:   extractEnvVariables(predicate.Env),
@@ -308,7 +313,7 @@ func extractEnvVariables(in map[string]string) []*cpAPI.AttestationItem_EnvVaria
 	return res
 }
 
-func extractMaterials(in []*renderer.ChainloopProvenanceMaterial) []*cpAPI.AttestationItem_Material {
+func extractMaterials(in []*chainloop.ProvenanceMaterial) []*cpAPI.AttestationItem_Material {
 	res := make([]*cpAPI.AttestationItem_Material, 0, len(in))
 	for _, m := range in {
 		res = append(res, &cpAPI.AttestationItem_Material{Name: m.Name, Value: m.Material.String(), Type: m.Type})

go.mod

@@ -22,7 +22,6 @@ require (
 	github.com/getsentry/sentry-go v0.17.0
 	github.com/go-kratos/kratos/contrib/log/zap/v2 v2.0.0-20230113095809-bebea0c103a8
 	github.com/go-kratos/kratos/v2 v2.5.3
-	github.com/go-openapi/errors v0.20.3
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/google/go-containerregistry v0.14.1-0.20230409045903-ed5c185df419
@@ -110,6 +109,7 @@ require (
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.21.4 // indirect
+	github.com/go-openapi/errors v0.20.3 // indirect
 	github.com/go-openapi/inflect v0.19.0 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect