Calculate subjects per formatter #1132

1 change: 1 addition & 0 deletions pkg/chains/formats/format.go
Expand Up @@ -25,6 +25,7 @@ type Payloader interface {
CreatePayload(ctx context.Context, obj interface{}) (interface{}, error)
Type() config.PayloadType
Wrap() bool
RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error)
}

const (
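Review bot: The new Payloader method RetrieveAllArtifactURIs is the only method in this interface hunk whose contract callers cannot read, and the grafeas backend elsewhere in this PR treats any error from it as "fall back to extract.RetrieveAllArtifactURIs", so the interface comment should say what an error means. Add above it `// RetrieveAllArtifactURIs returns the full URIs of every artifact the formatter would list as a subject for obj; an error means the formatter does not support subject extraction, not a partial result.` The interface header is outside the hunk.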
5 changes: 5 additions & 0 deletions pkg/chains/formats/simple/simple.go
Expand Up @@ -69,3 +69,8 @@ func (i SimpleContainerImage) ImageName() string {
func (i *SimpleSigning) Type() config.PayloadType {
return formats.PayloadTypeSimpleSigning
}

// RetrieveAllArtifactURIs returns always an error, feature not available for simplesigning formatter.
func (i *SimpleSigning) RetrieveAllArtifactURIs(_ context.Context, _ interface{}) ([]string, error) {
return nil, fmt.Errorf("RetrieveAllArtifactURIs not supported for simeplesining formatter")
}
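Review bot: The error string on the return line misspells the formatter name (`simeplesining`), and since this message is what the grafeas fallback would log, change it to `return nil, fmt.Errorf("RetrieveAllArtifactURIs not supported for simplesigning formatter")`. The doc comment reads awkwardly; `// RetrieveAllArtifactURIs always returns an error: the simplesigning formatter does not support subject extraction.` is clearer. A package-level sentinel (`var ErrSubjectsUnsupported = errors.New(...)`) returned here would let callers distinguish "unsupported" from a real failure with errors.Is, which the current fmt.Errorf does not allow.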
10 changes: 10 additions & 0 deletions pkg/chains/formats/slsa/v1/intotoite6.go
Expand Up @@ -21,6 +21,7 @@ import (
"fmt"

"github.com/tektoncd/chains/pkg/chains/formats"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/extract"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/slsaconfig"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/v1/pipelinerun"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/v1/taskrun"
Expand Down Expand Up @@ -94,3 +95,12 @@ func (i *InTotoIte6) CreatePayload(ctx context.Context, obj interface{}) (interf
func (i *InTotoIte6) Type() config.PayloadType {
return formats.PayloadTypeSlsav1
}

// RetrieveAllArtifactURIs returns the full URI of all artifacts detected as subjects.
func (i *InTotoIte6) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {
tkObj, ok := obj.(objects.TektonObject)
if !ok {
return nil, fmt.Errorf("intoto does not support type")
}
return extract.RetrieveAllArtifactURIs(ctx, tkObj, i.slsaConfig.DeepInspectionEnabled), nil
}
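Review bot: The type-assertion failure in RetrieveAllArtifactURIs reports `intoto does not support type` without naming the type, so the grafeas fallback log cannot tell what object was passed; use `return nil, fmt.Errorf("intoto does not support type %T", obj)`. The same message appears verbatim in pkg/chains/formats/slsa/v2alpha3/slsav2.go, where "intoto" is also misleading for the SLSA v2alpha3 formatter, so fix both. Note that this implementation still delegates to the generic extract.RetrieveAllArtifactURIs with the formatter's DeepInspectionEnabled flag rather than deriving subjects from the payload it builds, so whether the URIs match the subjects CreatePayload emits cannot be confirmed from this hunk; a one-line comment stating that equivalence (or its absence) would help the grafeas caller, which keys occurrences by these URIs.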
10 changes: 10 additions & 0 deletions pkg/chains/formats/slsa/v2alpha3/slsav2.go
Expand Up @@ -21,6 +21,7 @@ import (
"fmt"

"github.com/tektoncd/chains/pkg/chains/formats"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/extract"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/slsaconfig"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha3/internal/pipelinerun"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha3/internal/taskrun"
Expand Down Expand Up @@ -68,3 +69,12 @@ func (s *Slsa) CreatePayload(ctx context.Context, obj interface{}) (interface{},
func (s *Slsa) Type() config.PayloadType {
return formats.PayloadTypeSlsav2alpha3
}

// RetrieveAllArtifactURIs returns the full URI of all artifacts detected as subjects.
func (s *Slsa) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {
tkObj, ok := obj.(objects.TektonObject)
if !ok {
return nil, fmt.Errorf("intoto does not support type")
}
return extract.RetrieveAllArtifactURIs(ctx, tkObj, s.slsaConfig.DeepInspectionEnabled), nil
}
Expand Up @@ -47,7 +47,7 @@ func GenerateAttestation(ctx context.Context, pro *objects.PipelineRunObjectV1,
return nil, err
}

sub := subjectDigests(ctx, pro, slsaconfig)
sub := SubjectDigests(ctx, pro, slsaconfig)

return provenance.GetSLSA1Statement(pro, sub, &bd, bp, slsaconfig)
}
Expand All @@ -74,7 +74,8 @@ func byproducts(pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaCon
return byProd, nil
}

func subjectDigests(ctx context.Context, pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaConfig) []*intoto.ResourceDescriptor {
// SubjectDigests calculates the subjects associated with the given PipelineRun.
func SubjectDigests(ctx context.Context, pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaConfig) []*intoto.ResourceDescriptor {
subjects := extract.SubjectsFromBuildArtifact(ctx, pro.GetResults())

if !slsaconfig.DeepInspectionEnabled {
23 changes: 23 additions & 0 deletions pkg/chains/formats/slsa/v2alpha4/slsav2.go
Expand Up @@ -20,6 +20,7 @@ import (
"context"
"fmt"

intoto "github.com/in-toto/attestation/go/v1"
"github.com/tektoncd/chains/pkg/chains/formats"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/slsaconfig"
"github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha4/internal/pipelinerun"
Expand Down Expand Up @@ -74,3 +75,25 @@ func (s *Slsa) CreatePayload(ctx context.Context, obj interface{}) (interface{},
func (s *Slsa) Type() config.PayloadType {
return payloadTypeSlsav2alpha4
}

// RetrieveAllArtifactURIs returns the full URI of all artifacts detected as subjects.
func (s *Slsa) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {
var subjects []*intoto.ResourceDescriptor
var fullURIs []string

switch v := obj.(type) {
case *objects.TaskRunObjectV1:
subjects = taskrun.SubjectDigests(ctx, v)
case *objects.PipelineRunObjectV1:
subjects = pipelinerun.SubjectDigests(ctx, v, s.slsaConfig)
default:
return nil, fmt.Errorf("intoto does not support type: %s", v)
}

for _, s := range subjects {
for algo, digest := range s.Digest {
fullURIs = append(fullURIs, fmt.Sprintf("%s@%s:%s", s.Name, algo, digest))
}
}
return fullURIs, nil
}
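Review bot: The loop variable in `for _, s := range subjects` shadows the method receiver `s *Slsa`, which compiles but makes `s.Name` and `s.Digest` read as receiver fields; rename it, e.g. `for _, sub := range subjects {` with `sub.Digest` and `sub.Name` in the body. In the default case `%s` is applied to an arbitrary object, so `fmt.Errorf("intoto does not support type: %T", v)` reports the Go type instead of formatting the value (and "intoto" is misleading for the v2alpha4 formatter). Ranging over `sub.Digest`, a map, yields the URIs in random order, so two calls on the same object can return different orderings; if any caller compares or persists the list, sort the algorithm keys before building the URIs.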
20 changes: 18 additions & 2 deletions pkg/chains/storage/grafeas/grafeas.go
Expand Up @@ -253,7 +253,7 @@ func (b *Backend) createOccurrence(ctx context.Context, obj objects.TektonObject
}

// create Occurrence_Build for TaskRun
allURIs := extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
allURIs := b.getAllArtifactURIs(ctx, opts.PayloadFormat, obj)
for _, uri := range allURIs {
occ, err := b.createBuildOccurrence(ctx, obj, payload, signature, uri)
if err != nil {
Expand All @@ -264,6 +264,22 @@ func (b *Backend) createOccurrence(ctx context.Context, obj objects.TektonObject
return occs, nil
}

func (b *Backend) getAllArtifactURIs(ctx context.Context, payloadFormat config.PayloadType, obj objects.TektonObject) []string {
logger := logging.FromContext(ctx)
payloader, err := formats.GetPayloader(payloadFormat, b.cfg)
if err != nil {
logger.Infof("couldn't get payloader for %v format, will use extract.RetrieveAllArtifactURIs method instead", payloadFormat)
return extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
}

if uris, err := payloader.RetrieveAllArtifactURIs(ctx, obj); err == nil {
return uris
}

logger.Infof("couldn't get URIs from payloader %v, will use extract.RetrieveAllArtifactURIs method instead", payloadFormat)
return extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
}

func (b *Backend) createAttestationOccurrence(ctx context.Context, payload []byte, signature string, uri string) (*pb.Occurrence, error) {
occurrenceDetails := &pb.Occurrence_Attestation{
Attestation: &pb.AttestationOccurrence{
Expand Down Expand Up @@ -364,7 +380,7 @@ func (b *Backend) getBuildNotePath(obj objects.TektonObject) string {
func (b *Backend) getAllOccurrences(ctx context.Context, obj objects.TektonObject, opts config.StorageOpts) ([]*pb.Occurrence, error) {
result := []*pb.Occurrence{}
// step 1: get all resource URIs created under the taskrun
uriFilters := extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
uriFilters := b.getAllArtifactURIs(ctx, opts.PayloadFormat, obj)

// step 2: find all build occurrences
if _, ok := formats.IntotoAttestationSet[opts.PayloadFormat]; ok {
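Review bot: In getAllArtifactURIs the error from payloader.RetrieveAllArtifactURIs is discarded: it is scoped to the `if` and the Infof below logs only the format, so the reason for falling back is lost (the GetPayloader error above is dropped the same way). Declare `uris, err := payloader.RetrieveAllArtifactURIs(ctx, obj)` before the check and pass `err` to both log calls, e.g. `logger.Infof("couldn't get URIs from payloader %v: %v, will use extract.RetrieveAllArtifactURIs method instead", payloadFormat, err)`. Because the simplesigning formatter in this PR always returns an error, the fallback is a routine path if that format can reach here, and the URI set used to create and filter build occurrences may then differ from the subjects the stored attestation names; at minimum the helper needs a doc comment such as `// getAllArtifactURIs returns the artifact URIs the payloadFormat formatter lists as subjects for obj, falling back to extract.RetrieveAllArtifactURIs when the formatter cannot be built or does not support subject extraction.`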