Calculate subjects per formatter (tektoncd#1132)
* Calculate subjects per formatter

* Tests for the new retrieve-full-URIs logic in grafeas
renzodavid9 authored Jun 8, 2024
1 parent badc734 commit 750a98e
Showing 8 changed files with 353 additions and 12 deletions.
1 change: 1 addition & 0 deletions pkg/chains/formats/format.go
Expand Up @@ -25,6 +25,7 @@ type Payloader interface {
CreatePayload(ctx context.Context, obj interface{}) (interface{}, error)
Type() config.PayloadType
Wrap() bool
RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error)
}

const (
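Review bot: The new `RetrieveAllArtifactURIs` method added to the `Payloader` interface has no doc comment, and it is now the contract the grafeas backend relies on to decide which URIs get build occurrences. I would add, directly above the method: `// RetrieveAllArtifactURIs returns the full URIs of every artifact the formatter treats as a subject of obj, or an error when the formatter has no notion of subjects.` The `Payloader` interface declaration begins above this hunk.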
5 changes: 5 additions & 0 deletions pkg/chains/formats/simple/simple.go
Expand Up @@ -69,3 +69,8 @@ func (i SimpleContainerImage) ImageName() string {
func (i *SimpleSigning) Type() config.PayloadType {
return formats.PayloadTypeSimpleSigning
}

// RetrieveAllArtifactURIs returns always an error, feature not available for simplesigning formatter.
func (i *SimpleSigning) RetrieveAllArtifactURIs(_ context.Context, _ interface{}) ([]string, error) {
return nil, fmt.Errorf("RetrieveAllArtifactURIs not supported for simeplesining formatter")
}
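Review bot: The error string on the last line of the hunk misspells the formatter name (`simeplesining`), and this is the text a caller will surface when the simplesigning formatter declines the request; it should read `return nil, fmt.Errorf("RetrieveAllArtifactURIs not supported for simplesigning formatter")`. The doc comment above it would also read more naturally as `// RetrieveAllArtifactURIs always returns an error: subject extraction is not available for the simplesigning formatter.` Neither change alters behaviour beyond the message text.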
10 changes: 10 additions & 0 deletions pkg/chains/formats/slsa/v1/intotoite6.go
Expand Up @@ -21,6 +21,7 @@ import (
"fmt"

"github.com/tektoncd/chains/pkg/chains/formats"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/extract"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/slsaconfig"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/v1/pipelinerun"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/v1/taskrun"
Expand Down Expand Up @@ -94,3 +95,12 @@ func (i *InTotoIte6) CreatePayload(ctx context.Context, obj interface{}) (interf
func (i *InTotoIte6) Type() config.PayloadType {
return formats.PayloadTypeSlsav1
}

// RetrieveAllArtifactURIs returns the full URI of all artifacts detected as subjects.
func (i *InTotoIte6) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {
tkObj, ok := obj.(objects.TektonObject)
if !ok {
return nil, fmt.Errorf("intoto does not support type")
}
return extract.RetrieveAllArtifactURIs(ctx, tkObj, i.slsaConfig.DeepInspectionEnabled), nil
}
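Review bot: The failed type assertion in `RetrieveAllArtifactURIs` returns `intoto does not support type` without naming the type that was passed, so a caller that logs the error cannot tell what object reached the formatter; `return nil, fmt.Errorf("intoto does not support type: %T", obj)` would include it. The identical method added to pkg/chains/formats/slsa/v2alpha3/slsav2.go has the same message and would benefit from the same change. Both of these methods delegate to `extract.RetrieveAllArtifactURIs` with `i.slsaConfig.DeepInspectionEnabled`, whereas the v2alpha4 formatter derives the URIs from its own subject calculation; if the v1 subject set is meant to equal the generic extractor's output, a one-line comment saying so (e.g. `// v1 subjects are exactly what the generic extractor reports, so delegate to it.`) would make the delegation look deliberate rather than like an oversight.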
10 changes: 10 additions & 0 deletions pkg/chains/formats/slsa/v2alpha3/slsav2.go
Expand Up @@ -21,6 +21,7 @@ import (
"fmt"

"github.com/tektoncd/chains/pkg/chains/formats"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/extract"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/slsaconfig"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha3/internal/pipelinerun"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha3/internal/taskrun"
Expand Down Expand Up @@ -68,3 +69,12 @@ func (s *Slsa) CreatePayload(ctx context.Context, obj interface{}) (interface{},
func (s *Slsa) Type() config.PayloadType {
return formats.PayloadTypeSlsav2alpha3
}

// RetrieveAllArtifactURIs returns the full URI of all artifacts detected as subjects.
func (s *Slsa) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {
tkObj, ok := obj.(objects.TektonObject)
if !ok {
return nil, fmt.Errorf("intoto does not support type")
}
return extract.RetrieveAllArtifactURIs(ctx, tkObj, s.slsaConfig.DeepInspectionEnabled), nil
}
Expand Up @@ -47,7 +47,7 @@ func GenerateAttestation(ctx context.Context, pro *objects.PipelineRunObjectV1,
return nil, err
}

sub := subjectDigests(ctx, pro, slsaconfig)
sub := SubjectDigests(ctx, pro, slsaconfig)

return provenance.GetSLSA1Statement(pro, sub, &bd, bp, slsaconfig)
}
Expand All @@ -74,7 +74,8 @@ func byproducts(pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaCon
return byProd, nil
}

func subjectDigests(ctx context.Context, pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaConfig) []*intoto.ResourceDescriptor {
// SubjectDigests calculates the subjects associated with the given PipelineRun.
func SubjectDigests(ctx context.Context, pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaConfig) []*intoto.ResourceDescriptor {
subjects := extract.SubjectsFromBuildArtifact(ctx, pro.GetResults())

if !slsaconfig.DeepInspectionEnabled {
23 changes: 23 additions & 0 deletions pkg/chains/formats/slsa/v2alpha4/slsav2.go
Expand Up @@ -20,6 +20,7 @@ import (
"context"
"fmt"

intoto "github.com/in-toto/attestation/go/v1"
"github.com/tektoncd/chains/pkg/chains/formats"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/slsaconfig"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha4/internal/pipelinerun"
Expand Down Expand Up @@ -74,3 +75,25 @@ func (s *Slsa) CreatePayload(ctx context.Context, obj interface{}) (interface{},
func (s *Slsa) Type() config.PayloadType {
return payloadTypeSlsav2alpha4
}

// RetrieveAllArtifactURIs returns the full URI of all artifacts detected as subjects.
func (s *Slsa) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {
var subjects []*intoto.ResourceDescriptor
var fullURIs []string

switch v := obj.(type) {
case *objects.TaskRunObjectV1:
subjects = taskrun.SubjectDigests(ctx, v)
case *objects.PipelineRunObjectV1:
subjects = pipelinerun.SubjectDigests(ctx, v, s.slsaConfig)
default:
return nil, fmt.Errorf("intoto does not support type: %s", v)
}

for _, s := range subjects {
for algo, digest := range s.Digest {
fullURIs = append(fullURIs, fmt.Sprintf("%s@%s:%s", s.Name, algo, digest))
}
}
return fullURIs, nil
}
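Review bot: The default branch of the type switch formats the unsupported value with `%s`, which for an arbitrary object prints its contents (or `%!s(...)` noise) rather than its type; `return nil, fmt.Errorf("intoto does not support type: %T", obj)` gives the information a reader of the error actually needs. The loop variable in `for _, s := range subjects` shadows the receiver `s`, which is legal but makes `s.Digest` and `s.Name` on the following lines easy to misread as receiver fields; renaming it, `for _, subj := range subjects {`, and updating the two uses avoids that. Since `Digest` on an in-toto `ResourceDescriptor` is a map, the order of `fullURIs` can differ between runs whenever a subject carries more than one digest; if any caller persists or compares this list, sorting it before `return fullURIs, nil` would make the output deterministic.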
20 changes: 18 additions & 2 deletions pkg/chains/storage/grafeas/grafeas.go
Expand Up @@ -253,7 +253,7 @@ func (b *Backend) createOccurrence(ctx context.Context, obj objects.TektonObject
}

// create Occurrence_Build for TaskRun
allURIs := extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
allURIs := b.getAllArtifactURIs(ctx, opts.PayloadFormat, obj)
for _, uri := range allURIs {
occ, err := b.createBuildOccurrence(ctx, obj, payload, signature, uri)
if err != nil {
Expand All @@ -264,6 +264,22 @@ func (b *Backend) createOccurrence(ctx context.Context, obj objects.TektonObject
return occs, nil
}

func (b *Backend) getAllArtifactURIs(ctx context.Context, payloadFormat config.PayloadType, obj objects.TektonObject) []string {
logger := logging.FromContext(ctx)
payloader, err := formats.GetPayloader(payloadFormat, b.cfg)
if err != nil {
logger.Infof("couldn't get payloader for %v format, will use extract.RetrieveAllArtifactURIs method instead", payloadFormat)
return extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
}

if uris, err := payloader.RetrieveAllArtifactURIs(ctx, obj); err == nil {
return uris
}

logger.Infof("couldn't get URIs from payloader %v, will use extract.RetrieveAllArtifactURIs method instead", payloadFormat)
return extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
}

func (b *Backend) createAttestationOccurrence(ctx context.Context, payload []byte, signature string, uri string) (*pb.Occurrence, error) {
occurrenceDetails := &pb.Occurrence_Attestation{
Attestation: &pb.AttestationOccurrence{
Expand Down Expand Up @@ -364,7 +380,7 @@ func (b *Backend) getBuildNotePath(obj objects.TektonObject) string {
func (b *Backend) getAllOccurrences(ctx context.Context, obj objects.TektonObject, opts config.StorageOpts) ([]*pb.Occurrence, error) {
result := []*pb.Occurrence{}
// step 1: get all resource URIs created under the taskrun
uriFilters := extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
uriFilters := b.getAllArtifactURIs(ctx, opts.PayloadFormat, obj)

// step 2: find all build occurrences
if _, ok := formats.IntotoAttestationSet[opts.PayloadFormat]; ok {
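Review bot: In `getAllArtifactURIs` the error from `payloader.RetrieveAllArtifactURIs` is discarded: the `if uris, err := …; err == nil` form confines `err` to the if, and the fallback log on the next line reports only the format, so an operator cannot distinguish the expected "not supported" result from the simplesigning formatter from a genuine failure in an SLSA formatter — and a genuine failure silently changes which URIs receive build occurrences (the generic extractor's set instead of the formatter's own subjects). Keeping `err` in scope and including it in the log message fixes that without changing the fallback behaviour; the rewritten tail of the function is below. The fallback also reads `DeepInspectionEnabled` from `b.cfg.Artifacts.PipelineRuns` while the SLSA formatters use their own `slsaConfig`; I cannot tell from this diff whether those are always the same value, so a short comment stating that assumption above the fallback would help the next reader.
```go
func (b *Backend) getAllArtifactURIs(ctx context.Context, payloadFormat config.PayloadType, obj objects.TektonObject) []string {
	// … unchanged: logger setup and the GetPayloader lookup with its fallback …
	uris, err := payloader.RetrieveAllArtifactURIs(ctx, obj)
	if err != nil {
		logger.Infof("couldn't get URIs from payloader %v (%v), will use extract.RetrieveAllArtifactURIs method instead", payloadFormat, err)
		return extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
	}
	return uris
}
```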
