From 083b7b39266f39a835ca1ca2ff8ab9af6eb8640c Mon Sep 17 00:00:00 2001
From: Jawed khelil
Date: Mon, 17 Jun 2024 14:45:27 +0200
Subject: [PATCH] Include the ServiceAccount running a pipeline in the chains provenance

---
 pkg/chains/formats/slsa/v1/intotoite6_test.go | 14 ++++----
 .../slsa/v1/pipelinerun/pipelinerun.go | 36 ++++++++++---------
 .../slsa/v1/pipelinerun/provenance_test.go | 28 ++++++++-------
 .../slsa/v1/pipeline-output-image.json | 1 +
 4 files changed, 44 insertions(+), 35 deletions(-)

diff --git a/pkg/chains/formats/slsa/v1/intotoite6_test.go b/pkg/chains/formats/slsa/v1/intotoite6_test.go
index 504d7034cf..42daa9eb86 100644
--- a/pkg/chains/formats/slsa/v1/intotoite6_test.go
+++ b/pkg/chains/formats/slsa/v1/intotoite6_test.go
@@ -572,9 +572,10 @@ func getBuildPipelineRun() pipelinerun.BuildConfig {
 Name: "git-clone",
 Kind: "ClusterTask",
 },
-StartedOn: e1BuildStart,
-FinishedOn: e1BuildFinished,
-Status: "Succeeded",
+StartedOn: e1BuildStart,
+FinishedOn: e1BuildFinished,
+ServiceAccountName: "pipeline",
+Status: "Succeeded",
 Steps: []attest.StepAttestation{
 {
 EntryPoint: "git clone",
@@ -626,9 +627,10 @@ func getBuildPipelineRun() pipelinerun.BuildConfig {
 Name: "build",
 Kind: "ClusterTask",
 },
-StartedOn: e1BuildStart,
-FinishedOn: e1BuildFinished,
-Status: "Succeeded",
+StartedOn: e1BuildStart,
+FinishedOn: e1BuildFinished,
+ServiceAccountName: "pipeline",
+Status: "Succeeded",
 Steps: []attest.StepAttestation{
 {
 EntryPoint: "",
diff --git a/pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go b/pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go
index cf258c398c..bca58915de 100644
--- a/pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go
+++ b/pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go
@@ -37,15 +37,16 @@ type BuildConfig struct {
 }
 
 type TaskAttestation struct {
-Name string `json:"name,omitempty"`
-After []string `json:"after,omitempty"`
-Ref v1beta1.TaskRef `json:"ref,omitempty"`
-StartedOn time.Time `json:"startedOn,omitempty"`
-FinishedOn time.Time `json:"finishedOn,omitempty"`
-Status string `json:"status,omitempty"`
-Steps []attest.StepAttestation `json:"steps,omitempty"`
-Invocation slsa.ProvenanceInvocation `json:"invocation,omitempty"`
-Results []v1beta1.TaskRunResult `json:"results,omitempty"`
+Name string `json:"name,omitempty"`
+After []string `json:"after,omitempty"`
+Ref v1beta1.TaskRef `json:"ref,omitempty"`
+StartedOn time.Time `json:"startedOn,omitempty"`
+FinishedOn time.Time `json:"finishedOn,omitempty"`
+ServiceAccountName string `json:"serviceAccountName,omitempty"`
+Status string `json:"status,omitempty"`
+Steps []attest.StepAttestation `json:"steps,omitempty"`
+Invocation slsa.ProvenanceInvocation `json:"invocation,omitempty"`
+Results []v1beta1.TaskRunResult `json:"results,omitempty"`
 }
 
 const statementInTotoV01 = "https://in-toto.io/Statement/v0.1"
@@ -149,14 +150,15 @@ func buildConfig(ctx context.Context, pro *objects.PipelineRunObjectV1Beta1) Bui
 }
 
 task := TaskAttestation{
-Name: t.Name,
-After: after,
-StartedOn: tr.Status.StartTime.Time.UTC(),
-FinishedOn: tr.Status.CompletionTime.Time.UTC(),
-Status: getStatus(tr.Status.Conditions),
-Steps: steps,
-Invocation: attest.Invocation(tr, params, paramSpecs),
-Results: tr.Status.TaskRunResults,
+Name: t.Name,
+After: after,
+StartedOn: tr.Status.StartTime.Time.UTC(),
+FinishedOn: tr.Status.CompletionTime.Time.UTC(),
+ServiceAccountName: pro.Spec.ServiceAccountName,
+Status: getStatus(tr.Status.Conditions),
+Steps: steps,
+Invocation: attest.Invocation(tr, params, paramSpecs),
+Results: tr.Status.TaskRunResults,
 }
 
 if t.TaskRef != nil {
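Review bot: The new `ServiceAccountName` field on TaskAttestation has no doc comment, and because this struct is serialized into a signed attestation, consumers need to know exactly which identity the value denotes — from the buildConfig hunk below it is the PipelineRun spec's account copied onto each task, not anything observed on the TaskRun itself. Suggest `// ServiceAccountName is the ServiceAccount requested in the PipelineRun spec; it is copied to every task and omitted when the spec leaves it empty.` above the field. The struct is fully inside the hunk.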
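Review bot: `ServiceAccountName: pro.Spec.ServiceAccountName` stamps the PipelineRun-level account onto every task, but in Tekton v1beta1 a PipelineRun can override the account for individual tasks through `spec.taskRunSpecs[].taskServiceAccountName`, so for such tasks the attestation would record an identity the task never ran under — a misleading claim in a signed provenance document. The TaskRun `tr` already in scope carries the account the reconciler actually applied, so `ServiceAccountName: tr.Spec.ServiceAccountName,` is the more faithful source for a per-task field. Separately, when the spec leaves the account empty Tekton falls back to its configured default account (the testdata hunk shows `"default"`), and with `omitempty` the attestation then omits the field instead of recording the effective identity; if I read the defaulting correctly the TaskRun spec would already hold the resolved value, which is another reason to prefer `tr`. buildConfig's body starts and ends outside the hunk.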
diff --git a/pkg/chains/formats/slsa/v1/pipelinerun/provenance_test.go b/pkg/chains/formats/slsa/v1/pipelinerun/provenance_test.go
index 91ddb0bd41..1a8c27592c 100644
--- a/pkg/chains/formats/slsa/v1/pipelinerun/provenance_test.go
+++ b/pkg/chains/formats/slsa/v1/pipelinerun/provenance_test.go
@@ -94,9 +94,10 @@ func TestBuildConfig(t *testing.T) {
 Name: "git-clone",
 Kind: "ClusterTask",
 },
-StartedOn: e1BuildStart,
-FinishedOn: e1BuildFinished,
-Status: "Succeeded",
+ServiceAccountName: "pipeline",
+StartedOn: e1BuildStart,
+FinishedOn: e1BuildFinished,
+Status: "Succeeded",
 Steps: []attest.StepAttestation{
 {
 EntryPoint: "git clone",
@@ -148,9 +149,10 @@ func TestBuildConfig(t *testing.T) {
 Name: "build",
 Kind: "ClusterTask",
 },
-StartedOn: e1BuildStart,
-FinishedOn: e1BuildFinished,
-Status: "Succeeded",
+StartedOn: e1BuildStart,
+FinishedOn: e1BuildFinished,
+ServiceAccountName: "pipeline",
+Status: "Succeeded",
 Steps: []attest.StepAttestation{
 {
 EntryPoint: "",
@@ -285,9 +287,10 @@ func TestBuildConfigTaskOrder(t *testing.T) {
 Name: "git-clone",
 Kind: "ClusterTask",
 },
-StartedOn: e1BuildStart,
-FinishedOn: e1BuildFinished,
-Status: "Succeeded",
+StartedOn: e1BuildStart,
+FinishedOn: e1BuildFinished,
+ServiceAccountName: "pipeline",
+Status: "Succeeded",
 Steps: []attest.StepAttestation{
 {
 EntryPoint: "git clone",
@@ -341,9 +344,10 @@ func TestBuildConfigTaskOrder(t *testing.T) {
 Name: "build",
 Kind: "ClusterTask",
 },
-StartedOn: e1BuildStart,
-FinishedOn: e1BuildFinished,
-Status: "Succeeded",
+StartedOn: e1BuildStart,
+FinishedOn: e1BuildFinished,
+ServiceAccountName: "pipeline",
+Status: "Succeeded",
 Steps: []attest.StepAttestation{
 {
 EntryPoint: "",
diff --git a/test/testdata/slsa/v1/pipeline-output-image.json b/test/testdata/slsa/v1/pipeline-output-image.json
index 2c57b0090b..1a1ee3e9ca 100644
--- a/test/testdata/slsa/v1/pipeline-output-image.json
+++ b/test/testdata/slsa/v1/pipeline-output-image.json
@@ -28,6 +28,7 @@
 "ref": {},
 "startedOn": "{{index .BuildStartTimes 0}}",
 "finishedOn": "{{index .BuildFinishedTimes 0}}",
+"serviceAccountName": "default",
 "status": "Succeeded",
 "steps": [
 {