Refactor invocation entrypoint to configSource

Signed-off-by: Marco Franssen <marco.franssen@philips.com>
philips-labs · Nov 11, 2021 · 19073a9 · 19073a9
1 parent af780dc
commit 19073a9
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 9 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -33,7 +33,7 @@ jobs:
 
       - name: Lint
         run: |
-          result=$(make lint)
+          result="$(make lint)"
           echo "$result"
           [ -n "$(echo "$result" | grep 'diff -u')" ] && exit 1 || exit 0
 

diff --git a/lib/github/provenance_test.go b/lib/github/provenance_test.go
@@ -397,7 +397,7 @@ func TestGenerateProvenanceFromGitHubReleaseErrors(t *testing.T) {
 
 func assertInvocation(assert *assert.Assertions, recipe intoto.Invocation) {
 	assert.Equal(0, recipe.DefinedInMaterial)
-	assert.Equal("", recipe.EntryPoint)
+	assert.Equal("", recipe.ConfigSource.EntryPoint)
 	assert.Nil(recipe.Environment)
 	assert.Nil(recipe.Arguments)
 }

diff --git a/lib/intoto/intoto.go b/lib/intoto/intoto.go
@@ -8,7 +8,7 @@ import (
 
 const (
 	// SlsaPredicateType the predicate type for SLSA intoto statements
-	SlsaPredicateType = "https://slsa.dev/provenance/v0.1"
+	SlsaPredicateType = "https://slsa.dev/provenance/v0.2"
 	// StatementType the type of the intoto statement
 	StatementType = "https://in-toto.io/Statement/v0.1"
 )
@@ -73,8 +73,10 @@ func WithInvocation(buildType, entryPoint string, environment json.RawMessage, a
 	return func(s *Statement) {
 		s.Predicate.BuildType = buildType
 		s.Predicate.Invocation = Invocation{
-			EntryPoint: entryPoint,
-			Arguments:  arguments,
+			ConfigSource: ConfigSource{
+				EntryPoint: entryPoint,
+			},
+			Arguments: arguments,
 			// Subject to change and simplify https://github.com/slsa-framework/slsa/issues/178
 			// Index in materials containing the recipe steps that are not implied by recipe.type. For example, if the recipe type were "make", then this would point to the source containing the Makefile, not the make program itself.
 			// Omit this field (or use null) if the recipe doesn't come from a material.
@@ -137,11 +139,17 @@ type Metadata struct {
 // Invocation Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible).
 type Invocation struct {
 	DefinedInMaterial int             `json:"definedInMaterial"`
-	EntryPoint        string          `json:"entryPoint"`
+	ConfigSource      ConfigSource    `json:"configSource"`
 	Arguments         json.RawMessage `json:"arguments"`
 	Environment       json.RawMessage `json:"environment"`
 }
 
+// ConfigSource Describes where the config file that kicked off the build came from.
+// This is effectively a pointer to the source where buildConfig came from.
+type ConfigSource struct {
+	EntryPoint string `json:"entryPoint"`
+}
+
 // Completeness Indicates that the builder claims certain fields in this message to be complete.
 type Completeness struct {
 	Arguments   bool `json:"arguments"`

diff --git a/lib/intoto/intoto_test.go b/lib/intoto/intoto_test.go
@@ -1,6 +1,8 @@
 package intoto
 
 import (
+	"encoding/json"
+	"fmt"
 	"testing"
 	"time"
 
@@ -64,20 +66,90 @@ func TestSLSAProvenanceStatement(t *testing.T) {
 		WithBuilder(builderID),
 		WithInvocation(
 			buildType,
-			"CI workflow",
+			"ci.yaml:build",
 			nil,
 			nil,
 			provenanceActionMaterial,
 		),
 	)
+	assertStatement(assert, stmt, builderID, buildType, provenanceActionMaterial)
+}
+
+func assertStatement(assert *assert.Assertions, stmt *Statement, builderID, buildType string, material []Item) {
 	i := stmt.Predicate.Invocation
 	assert.Equal(SlsaPredicateType, stmt.PredicateType)
 	assert.Equal(StatementType, stmt.Type)
 	assert.Len(stmt.Subject, 1)
 	assert.Equal(builderID, stmt.Predicate.Builder.ID)
 	assert.Equal(buildType, stmt.Predicate.BuildType)
-	assert.Equal("CI workflow", i.EntryPoint)
+	assert.Equal("ci.yaml:build", i.ConfigSource.EntryPoint)
 	assert.Nil(i.Arguments)
 	assert.Equal(0, i.DefinedInMaterial)
-	assert.Equal(provenanceActionMaterial, stmt.Predicate.Materials)
+	assert.Equal(material, stmt.Predicate.Materials)
+}
+
+func TestSLSAProvenanceStatementJSON(t *testing.T) {
+	assert := assert.New(t)
+
+	builderID := "https://github.com/philips-labs/slsa-provenance-action/Attestations/GitHubHostedActions@v1"
+	buildType := "https://github.com/Attestations/GitHubActionsWorkflow@v1"
+	materialJSON := `[
+		{
+		  "uri": "git+https://github.com/philips-labs/slsa-provenance-action",
+		  "digest": {
+			"sha1": "a3bc1c27230caa1cc3c27961f7e9cab43cd208dc"
+		  }
+		}
+	  ]`
+	var material []Item
+	err := json.Unmarshal([]byte(materialJSON), &material)
+	assert.NoError(err)
+
+	jsonStatement := fmt.Sprintf(`{
+		"_type": "https://in-toto.io/Statement/v0.1",
+		"subject": [
+		  {
+			"name": "salsa.txt",
+			"digest": {
+			  "sha256": "f8161d035cdf328c7bb124fce192cb90b603f34ca78d73e33b736b4f6bddf993"
+			}
+		  }
+		],
+		"predicateType": "https://slsa.dev/provenance/v0.2",
+		"predicate": {
+		  "builder": {
+			"id": "%s"
+		  },
+		  "buildType": "%s",
+		  "invocation": {
+			"configSource": {
+			  "entryPoint": "ci.yaml:build",
+			  "uri": "git+https://github.com/philips-labs/slsa-provenance-action",
+			  "digest": {
+				"sha1": "a3bc1c27230caa1cc3c27961f7e9cab43cd208dc"
+			  }
+			},
+			"parameters": null,
+			"environment": null
+		  },
+		  "buildConfig": null,
+		  "metadata": {
+			"buildInvocationId": "https://github.com/philips-labs/slsa-provenance-action/actions/runs/1303916967",
+			"buildFinishedOn": "2021-10-04T11:08:34Z",
+			"completeness": {
+			  "parameters": true,
+			  "environment": false,
+			  "materials": false
+			},
+			"reproducible": false
+		  },
+		  "materials": %s
+		}
+	  }
+`, builderID, buildType, materialJSON)
+
+	var stmt Statement
+	err = json.Unmarshal([]byte(jsonStatement), &stmt)
+	assert.NoError(err)
+	assertStatement(assert, &stmt, builderID, buildType, material)
 }