

Upgrading SLSA and intoto libraries to not use deprecated structs and…
… linter fixes.
renzodavid9 committed May 21, 2024
1 parent 3daa525 commit 1611c11
Showing 54 changed files with 2,769 additions and 1,659 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -13,6 +13,7 @@ require (
github.com/google/go-licenses v1.6.0
github.com/grafeas/grafeas v0.2.3
github.com/hashicorp/go-multierror v1.1.1
github.com/in-toto/attestation v1.0.1
github.com/in-toto/in-toto-golang v0.9.1-0.20240317085821-8e2966059a09
github.com/opencontainers/go-digest v1.0.0
github.com/pkg/errors v0.9.1
Expand Down Expand Up @@ -254,7 +255,6 @@ require (
github.com/hashicorp/vault/api v1.12.2 // indirect
github.com/hexops/gotextdiff v1.0.3 // indirect
github.com/imdario/mergo v0.3.16 // indirect
github.com/in-toto/attestation v1.0.1 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/jcmturner/aescts/v2 v2.0.0 // indirect
2 changes: 1 addition & 1 deletion pkg/artifacts/signable_test.go
Expand Up @@ -46,7 +46,6 @@ const (
var ignore = []cmp.Option{cmpopts.IgnoreUnexported(name.Registry{}, name.Repository{}, name.Digest{})}

func TestOCIArtifact_ExtractObjects(t *testing.T) {

tests := []struct {
name string
obj objects.TektonObject
Expand Down Expand Up @@ -808,6 +807,7 @@ func TestExtractBuildArtifactsFromResults(t *testing.T) {
}

func createDigest(t *testing.T, dgst string) name.Digest {
t.Helper()
result, err := name.NewDigest(dgst)
if err != nil {
t.Fatal(err)
33 changes: 17 additions & 16 deletions pkg/chains/formats/slsa/extract/extract.go
Expand Up @@ -22,7 +22,7 @@ import (
"strings"

"github.com/google/go-containerregistry/pkg/name"
intoto "github.com/in-toto/in-toto-golang/in_toto"
intoto "github.com/in-toto/attestation/go/v1"
"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
"github.com/tektoncd/chains/internal/backport"
"github.com/tektoncd/chains/pkg/artifacts"
Expand All @@ -44,8 +44,8 @@ import (
// - the `*_URL` or `*_URI` fields cannot be empty.
//
//nolint:all
func SubjectDigests(ctx context.Context, obj objects.TektonObject, slsaconfig *slsaconfig.SlsaConfig) []intoto.Subject {
var subjects []intoto.Subject
func SubjectDigests(ctx context.Context, obj objects.TektonObject, slsaconfig *slsaconfig.SlsaConfig) []*intoto.ResourceDescriptor {
var subjects []*intoto.ResourceDescriptor

switch obj.GetObject().(type) {
case *v1.PipelineRun:
Expand All @@ -61,7 +61,7 @@ func SubjectDigests(ctx context.Context, obj objects.TektonObject, slsaconfig *s
return subjects
}

func subjectsFromPipelineRun(ctx context.Context, obj objects.TektonObject, slsaconfig *slsaconfig.SlsaConfig) []intoto.Subject {
func subjectsFromPipelineRun(ctx context.Context, obj objects.TektonObject, slsaconfig *slsaconfig.SlsaConfig) []*intoto.ResourceDescriptor {
prSubjects := subjectsFromTektonObject(ctx, obj)

// If deep inspection is not enabled, just return subjects observed on the pipelinerun level
Expand All @@ -71,13 +71,14 @@ func subjectsFromPipelineRun(ctx context.Context, obj objects.TektonObject, slsa

logger := logging.FromContext(ctx)
// If deep inspection is enabled, collect subjects from child taskruns
var result []intoto.Subject
var result []*intoto.ResourceDescriptor

pro := obj.(*objects.PipelineRunObjectV1)

pSpec := pro.Status.PipelineSpec
if pSpec != nil {
pipelineTasks := append(pSpec.Tasks, pSpec.Finally...)
pipelineTasks := pSpec.Tasks
pipelineTasks = append(pipelineTasks, pSpec.Finally...)
for _, t := range pipelineTasks {
tr := pro.GetTaskRunFromTask(t.Name)
// Ignore Tasks that did not execute during the PipelineRun.
Expand All @@ -97,14 +98,14 @@ func subjectsFromPipelineRun(ctx context.Context, obj objects.TektonObject, slsa
return result
}

func subjectsFromTektonObject(ctx context.Context, obj objects.TektonObject) []intoto.Subject {
func subjectsFromTektonObject(ctx context.Context, obj objects.TektonObject) []*intoto.ResourceDescriptor {
logger := logging.FromContext(ctx)
var subjects []intoto.Subject
var subjects []*intoto.ResourceDescriptor

imgs := artifacts.ExtractOCIImagesFromResults(ctx, obj.GetResults())
for _, i := range imgs {
if d, ok := i.(name.Digest); ok {
subjects = artifact.AppendSubjects(subjects, intoto.Subject{
subjects = artifact.AppendSubjects(subjects, &intoto.ResourceDescriptor{
Name: d.Repository.Name(),
Digest: common.DigestSet{
"sha256": strings.TrimPrefix(d.DigestStr(), "sha256:"),
Expand All @@ -120,7 +121,7 @@ func subjectsFromTektonObject(ctx context.Context, obj objects.TektonObject) []i
logger.Errorf("Digest %s should be in the format of: algorthm:abc", obj.Digest)
continue
}
subjects = artifact.AppendSubjects(subjects, intoto.Subject{
subjects = artifact.AppendSubjects(subjects, &intoto.ResourceDescriptor{
Name: obj.URI,
Digest: common.DigestSet{
splits[0]: splits[1],
Expand All @@ -133,7 +134,7 @@ func subjectsFromTektonObject(ctx context.Context, obj objects.TektonObject) []i
splits := strings.Split(s.Digest, ":")
alg := splits[0]
digest := splits[1]
subjects = artifact.AppendSubjects(subjects, intoto.Subject{
subjects = artifact.AppendSubjects(subjects, &intoto.ResourceDescriptor{
Name: s.URI,
Digest: common.DigestSet{
alg: digest,
Expand Down Expand Up @@ -173,7 +174,7 @@ func subjectsFromTektonObject(ctx context.Context, obj objects.TektonObject) []i
}
}
}
subjects = artifact.AppendSubjects(subjects, intoto.Subject{
subjects = artifact.AppendSubjects(subjects, &intoto.ResourceDescriptor{
Name: url,
Digest: common.DigestSet{
"sha256": strings.TrimPrefix(digest, "sha256:"),
Expand Down Expand Up @@ -211,8 +212,8 @@ func RetrieveAllArtifactURIs(ctx context.Context, obj objects.TektonObject, deep
// with the fields `uri`, `digest`, and `isBuildArtifact` set to true.
// - Use the IMAGES type-hint
// - Use the *IMAGE_URL / *IMAGE_DIGEST type-hint suffix
func SubjectsFromBuildArtifact(ctx context.Context, results []objects.Result) []intoto.Subject {
var subjects []intoto.Subject
func SubjectsFromBuildArtifact(ctx context.Context, results []objects.Result) []*intoto.ResourceDescriptor {
var subjects []*intoto.ResourceDescriptor
logger := logging.FromContext(ctx)
buildArtifacts := artifacts.ExtractBuildArtifactsFromResults(ctx, results)
for _, ba := range buildArtifacts {
Expand All @@ -224,7 +225,7 @@ func SubjectsFromBuildArtifact(ctx context.Context, results []objects.Result) []

alg := splits[0]
digest := splits[1]
subjects = artifact.AppendSubjects(subjects, intoto.Subject{
subjects = artifact.AppendSubjects(subjects, &intoto.ResourceDescriptor{
Name: ba.URI,
Digest: common.DigestSet{
alg: digest,
Expand All @@ -235,7 +236,7 @@ func SubjectsFromBuildArtifact(ctx context.Context, results []objects.Result) []
imgs := artifacts.ExtractOCIImagesFromResults(ctx, results)
for _, i := range imgs {
if d, ok := i.(name.Digest); ok {
subjects = artifact.AppendSubjects(subjects, intoto.Subject{
subjects = artifact.AppendSubjects(subjects, &intoto.ResourceDescriptor{
Name: d.Repository.Name(),
Digest: common.DigestSet{
"sha256": strings.TrimPrefix(d.DigestStr(), "sha256:"),
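Review bot: The `pipelineTasks := pSpec.Tasks` / `pipelineTasks = append(pipelineTasks, pSpec.Finally...)` rewrite in subjectsFromPipelineRun silences the appendAssign lint but keeps the original aliasing: when `pSpec.Tasks` has spare capacity, the appended `Finally` entries are written into the backing array it shares with `pro.Status.PipelineSpec.Tasks`. Allocate a fresh slice instead: `pipelineTasks := make([]v1.PipelineTask, 0, len(pSpec.Tasks)+len(pSpec.Finally))`, `pipelineTasks = append(pipelineTasks, pSpec.Tasks...)`, `pipelineTasks = append(pipelineTasks, pSpec.Finally...)`. Separately, the new `&intoto.ResourceDescriptor{...}` literals in subjectsFromTektonObject and SubjectsFromBuildArtifact still type their Digest as `common.DigestSet` from in-toto-golang while extract_test.go builds the same descriptors with plain `map[string]string`; since the point of the migration is to stop depending on the in-toto-golang provenance types, writing `map[string]string` here would let the `common` import go as well. subjectsFromPipelineRun's body continues outside the hunk.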
42 changes: 21 additions & 21 deletions pkg/chains/formats/slsa/extract/extract_test.go
Expand Up @@ -23,12 +23,13 @@ import (

"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
intoto "github.com/in-toto/in-toto-golang/in_toto"
intoto "github.com/in-toto/attestation/go/v1"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/extract"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/compare"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/slsaconfig"
"github.com/tektoncd/chains/pkg/chains/objects"
v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
"google.golang.org/protobuf/testing/protocmp"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
logtesting "knative.dev/pkg/logging/testing"
)
Expand All @@ -45,7 +46,7 @@ func TestSubjectDigestsAndRetrieveAllArtifactURIs(t *testing.T) {
name string
// a map of url:digest pairs for type hinting results
results map[string]string
wantSubjects []intoto.Subject
wantSubjects []*intoto.ResourceDescriptor
wantFullURLs []string
}{
{
Expand All @@ -54,7 +55,7 @@ func TestSubjectDigestsAndRetrieveAllArtifactURIs(t *testing.T) {
artifactURL1: "sha256:" + artifactDigest1,
artifactURL2: "sha256:" + artifactDigest2,
},
wantSubjects: []intoto.Subject{
wantSubjects: []*intoto.ResourceDescriptor{
{
Name: artifactURL1,
Digest: map[string]string{
Expand Down Expand Up @@ -110,7 +111,7 @@ func TestSubjectDigestsAndRetrieveAllArtifactURIs(t *testing.T) {
}
for _, o := range runObjects {
gotSubjects := extract.SubjectDigests(ctx, o, &slsaconfig.SlsaConfig{DeepInspectionEnabled: false})
if diff := cmp.Diff(tc.wantSubjects, gotSubjects, compare.SubjectCompareOption()); diff != "" {
if diff := cmp.Diff(tc.wantSubjects, gotSubjects, compare.SubjectCompareOption(), protocmp.Transform()); diff != "" {
t.Errorf("Wrong subjects extracted, diff=%s", diff)
}

Expand All @@ -119,7 +120,6 @@ func TestSubjectDigestsAndRetrieveAllArtifactURIs(t *testing.T) {
t.Errorf("Wrong URIs extracted, diff=%s", diff)
}
}

})
}
}
Expand All @@ -129,14 +129,14 @@ func TestPipelineRunObserveModeForSubjects(t *testing.T) {
name string
pro objects.TektonObject
deepInspectionEnabled bool
wantSubjects []intoto.Subject
wantSubjects []*intoto.ResourceDescriptor
wantFullURLs []string
}{
{
name: "deep inspection disabled",
pro: createProWithPipelineResults(map[string]string{artifactURL1: "sha256:" + artifactDigest1}),
deepInspectionEnabled: false,
wantSubjects: []intoto.Subject{
wantSubjects: []*intoto.ResourceDescriptor{
{
Name: artifactURL1,
Digest: map[string]string{
Expand All @@ -150,7 +150,7 @@ func TestPipelineRunObserveModeForSubjects(t *testing.T) {
name: "deep inspection enabled: no duplication",
pro: createProWithTaskRunResults(nil, []artifact{{uri: artifactURL2, digest: "sha256:" + artifactDigest2}}),
deepInspectionEnabled: true,
wantSubjects: []intoto.Subject{
wantSubjects: []*intoto.ResourceDescriptor{
{
Name: artifactURL2,
Digest: map[string]string{
Expand All @@ -167,7 +167,7 @@ func TestPipelineRunObserveModeForSubjects(t *testing.T) {
{uri: artifactURL2, digest: "sha256:" + artifactDigest2},
}),
deepInspectionEnabled: true,
wantSubjects: []intoto.Subject{
wantSubjects: []*intoto.ResourceDescriptor{
{
Name: artifactURL2,
Digest: map[string]string{
Expand All @@ -193,7 +193,7 @@ func TestPipelineRunObserveModeForSubjects(t *testing.T) {
{uri: artifactURL2, digest: "sha256:" + artifactDigest2},
}),
deepInspectionEnabled: true,
wantSubjects: []intoto.Subject{
wantSubjects: []*intoto.ResourceDescriptor{
{
Name: artifactURL2,
Digest: map[string]string{
Expand All @@ -208,12 +208,12 @@ func TestPipelineRunObserveModeForSubjects(t *testing.T) {
{
name: "deep inspection enabled: pipelinerun and taskrun have duplicated results",
pro: createProWithTaskRunResults(
createProWithPipelineResults(map[string]string{artifactURL1: "sha256:" + artifactDigest1}).(*objects.PipelineRunObjectV1),
createProWithPipelineResults(map[string]string{artifactURL1: "sha256:" + artifactDigest1}),
[]artifact{
{uri: artifactURL1, digest: "sha256:" + artifactDigest1},
}),
deepInspectionEnabled: true,
wantSubjects: []intoto.Subject{
wantSubjects: []*intoto.ResourceDescriptor{
{
Name: artifactURL1,
Digest: map[string]string{
Expand All @@ -228,12 +228,12 @@ func TestPipelineRunObserveModeForSubjects(t *testing.T) {
{
name: "deep inspection enabled: pipelinerun and taskrun have different results",
pro: createProWithTaskRunResults(
createProWithPipelineResults(map[string]string{artifactURL1: "sha256:" + artifactDigest1}).(*objects.PipelineRunObjectV1),
createProWithPipelineResults(map[string]string{artifactURL1: "sha256:" + artifactDigest1}),
[]artifact{
{uri: artifactURL2, digest: "sha256:" + artifactDigest2},
}),
deepInspectionEnabled: true,
wantSubjects: []intoto.Subject{
wantSubjects: []*intoto.ResourceDescriptor{
{
Name: artifactURL1,
Digest: map[string]string{
Expand All @@ -259,7 +259,7 @@ func TestPipelineRunObserveModeForSubjects(t *testing.T) {
ctx := logtesting.TestContextWithLogger(t)

gotSubjects := extract.SubjectDigests(ctx, tc.pro, &slsaconfig.SlsaConfig{DeepInspectionEnabled: tc.deepInspectionEnabled})
if diff := cmp.Diff(tc.wantSubjects, gotSubjects, compare.SubjectCompareOption()); diff != "" {
if diff := cmp.Diff(tc.wantSubjects, gotSubjects, compare.SubjectCompareOption(), protocmp.Transform()); diff != "" {
t.Errorf("Wrong subjects extracted, diff=%s, %s", diff, gotSubjects)
}

Expand All @@ -275,7 +275,7 @@ func TestSubjectsFromBuildArtifact(t *testing.T) {
tests := []struct {
name string
results []objects.Result
expectedSubjects []intoto.Subject
expectedSubjects []*intoto.ResourceDescriptor
}{
{
name: "no type-hinted build artifacts",
Expand Down Expand Up @@ -332,7 +332,7 @@ func TestSubjectsFromBuildArtifact(t *testing.T) {
}),
},
},
expectedSubjects: []intoto.Subject{
expectedSubjects: []*intoto.ResourceDescriptor{
{
Name: "gcr.io/test/img4",
Digest: map[string]string{
Expand Down Expand Up @@ -391,7 +391,7 @@ func TestSubjectsFromBuildArtifact(t *testing.T) {
),
},
},
expectedSubjects: []intoto.Subject{
expectedSubjects: []*intoto.ResourceDescriptor{
{
Name: "gcr.io/test/img1",
Digest: map[string]string{
Expand Down Expand Up @@ -433,14 +433,14 @@ func TestSubjectsFromBuildArtifact(t *testing.T) {
t.Run(test.name, func(t *testing.T) {
ctx := logtesting.TestContextWithLogger(t)
got := extract.SubjectsFromBuildArtifact(ctx, test.results)
if diff := cmp.Diff(test.expectedSubjects, got); diff != "" {
if diff := cmp.Diff(test.expectedSubjects, got, protocmp.Transform()); diff != "" {
t.Errorf("Wrong subjects from build artifacts, +got -want, diff=%s", diff)
}
})
}
}

func createTaskRunObjectWithResults(results map[string]string) objects.TektonObject {
func createTaskRunObjectWithResults(results map[string]string) *objects.TaskRunObjectV1 {
trResults := []v1.TaskRunResult{}
prefix := 0
for url, digest := range results {
Expand All @@ -462,7 +462,7 @@ func createTaskRunObjectWithResults(results map[string]string) objects.TektonObj
)
}

func createProWithPipelineResults(results map[string]string) objects.TektonObject {
func createProWithPipelineResults(results map[string]string) *objects.PipelineRunObjectV1 {
prResults := []v1.PipelineRunResult{}
prefix := 0
for url, digest := range results {

