intoto: add index on materials digest of slsa provenance (#793)

* add rekor index on materials Signed-off-by: Asra Ali <asraa@google.com> * update Signed-off-by: Asra Ali <asraa@google.com> * update Signed-off-by: Asra Ali <asraa@google.com>
sigstore · Apr 29, 2022 · f91c8d5 · f91c8d5
1 parent 3461b84
commit f91c8d5
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/pkg/types/intoto/v0.0.1/entry.go b/pkg/types/intoto/v0.0.1/entry.go
@@ -92,6 +92,18 @@ func (v V001Entry) IndexKeys() ([]string, error) {
 				result = append(result, alg+":"+ds)
 			}
 		}
+		// Not all in-toto statements will contain a SLSA provenance predicate.
+		// See https://github.com/in-toto/attestation/blob/main/spec/README.md#predicate
+		// for other predicates.
+		if predicate, err := parseSlsaPredicate(v.env.Payload); err == nil {
+			if predicate.Predicate.Materials != nil {
+				for _, s := range predicate.Predicate.Materials {
+					for alg, ds := range s.Digest {
+						result = append(result, alg+":"+ds)
+					}
+				}
+			}
+		}
 	default:
 		log.Logger.Infof("Unknown in_toto Statement Type: %s", v.env.PayloadType)
 	}
@@ -110,6 +122,18 @@ func parseStatement(p string) (*in_toto.Statement, error) {
 	return &ps, nil
 }
 
+func parseSlsaPredicate(p string) (*in_toto.ProvenanceStatement, error) {
+	predicate := in_toto.ProvenanceStatement{}
+	payload, err := base64.StdEncoding.DecodeString(p)
+	if err != nil {
+		return nil, err
+	}
+	if err := json.Unmarshal(payload, &predicate); err != nil {
+		return nil, err
+	}
+	return &predicate, nil
+}
+
 func (v *V001Entry) Unmarshal(pe models.ProposedEntry) error {
 	it, ok := pe.(*models.Intoto)
 	if !ok {

diff --git a/pkg/types/intoto/v0.0.1/entry_test.go b/pkg/types/intoto/v0.0.1/entry_test.go
@@ -37,6 +37,7 @@ import (
 	"github.com/go-openapi/swag"
 	"github.com/google/go-cmp/cmp"
 	"github.com/in-toto/in-toto-golang/in_toto"
+	slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/sigstore/pkg/signature"
@@ -278,6 +279,21 @@ func TestV001Entry_IndexKeys(t *testing.T) {
 				Predicate: "hello",
 			},
 		},
+		{
+			name: "slsa",
+			want: []string{"sha256:bar", hashkey},
+			statement: in_toto.Statement{
+				Predicate: slsa.ProvenancePredicate{
+					Materials: []slsa.ProvenanceMaterial{
+						{
+							URI: "foo",
+							Digest: map[string]string{
+								"sha256": "bar",
+							}},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {