Passing SLSA Attest tests for GitHub and GitLab

Signed-off-by: John Kjell <[email protected]>
in-toto · Apr 6, 2024 · 450a306 · 450a306
1 parent 690505e
commit 450a306
Show file tree

Hide file tree

Showing 9 changed files with 339 additions and 89 deletions.
diff --git a/attestation/environment/environment.go b/attestation/environment/environment.go
@@ -35,6 +35,15 @@ var (
 	_ attestation.Attestor = &Attestor{}
 )
 
+type EnvironmentAttestor interface {
+	// Attestor
+	Name() string
+	Type() string
+	RunType() attestation.RunType
+	Attest(ctx *attestation.AttestationContext) error
+	Data() *Attestor
+}
+
 func init() {
 	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
 		return New()

diff --git a/attestation/gitlab/gitlab.go b/attestation/gitlab/gitlab.go
@@ -47,6 +47,7 @@ type GitLabAttestor interface {
 	Type() string
 	RunType() attestation.RunType
 	Attest(ctx *attestation.AttestationContext) error
+	Data() *Attestor
 
 	// Subjecter
 	Subjects() map[string]cryptoutil.DigestSet
@@ -131,6 +132,10 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	return nil
 }
 
+func (a *Attestor) Data() *Attestor {
+	return a
+}
+
 func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 	subjects := make(map[string]cryptoutil.DigestSet)
 	hashes := []cryptoutil.DigestValue{{Hash: crypto.SHA256}}

diff --git a/attestation/oci/oci.go b/attestation/oci/oci.go
@@ -44,8 +44,20 @@ const (
 var (
 	_ attestation.Attestor  = &Attestor{}
 	_ attestation.Subjecter = &Attestor{}
+	_ OCIAttestor           = &Attestor{}
 )
 
+type OCIAttestor interface {
+	// Attestor
+	Name() string
+	Type() string
+	RunType() attestation.RunType
+	Attest(ctx *attestation.AttestationContext) error
+
+	// Subjector
+	Subjects() map[string]cryptoutil.DigestSet
+}
+
 func init() {
 	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
 		return New()

diff --git a/attestation/slsa/slsa.go b/attestation/slsa/slsa.go
@@ -85,6 +85,7 @@ func WithExport(export bool) Option {
 type Provenance struct {
 	PbProvenance prov.Provenance
 	products     map[string]attestation.Product
+	subjects     map[string]cryptoutil.DigestSet
 	export       bool
 }
 
@@ -123,7 +124,7 @@ func (p *Provenance) Attest(ctx *attestation.AttestationContext) error {
 		switch name := attestor.Attestor.Name(); name {
 		// Pre-material Attestors
 		case environment.Name:
-			envs := attestor.Attestor.(*environment.Attestor).Variables
+			envs := attestor.Attestor.(environment.EnvironmentAttestor).Data().Variables
 			pbEnvs := make(map[string]interface{}, len(envs))
 			for name, value := range envs {
 				pbEnvs[name] = value
@@ -152,26 +153,26 @@ func (p *Provenance) Attest(ctx *attestation.AttestationContext) error {
 			digest := make(map[string]string)
 			digest["sha1"] = gh.Data().JWT.Claims["sha"].(string)
 
-			p.PbProvenance.BuildDefinition.ResolvedDependencies = append(
-				p.PbProvenance.BuildDefinition.ResolvedDependencies,
-				&v1.ResourceDescriptor{
-					Name:   gh.Data().ProjectUrl,
-					Digest: digest,
-				})
+			// p.PbProvenance.BuildDefinition.ResolvedDependencies = append(
+			// 	p.PbProvenance.BuildDefinition.ResolvedDependencies,
+			// 	&v1.ResourceDescriptor{
+			// 		Name:   gh.Data().ProjectUrl,
+			// 		Digest: digest,
+			// 	})
 
 		case gitlab.Name:
-			gl := attestor.Attestor.(*gitlab.Attestor)
+			gl := attestor.Attestor.(gitlab.GitLabAttestor)
 			p.PbProvenance.RunDetails.Builder.Id = GLCBuilderId
-			p.PbProvenance.RunDetails.Metadata.InvocationId = gl.PipelineUrl
+			p.PbProvenance.RunDetails.Metadata.InvocationId = gl.Data().PipelineUrl
 			digest := make(map[string]string)
-			digest["sha1"] = gl.JWT.Claims["sha"].(string)
+			digest["sha1"] = gl.Data().JWT.Claims["sha"].(string)
 
-			p.PbProvenance.BuildDefinition.ResolvedDependencies = append(
-				p.PbProvenance.BuildDefinition.ResolvedDependencies,
-				&v1.ResourceDescriptor{
-					Name:   gl.ProjectUrl,
-					Digest: digest,
-				})
+			// p.PbProvenance.BuildDefinition.ResolvedDependencies = append(
+			// 	p.PbProvenance.BuildDefinition.ResolvedDependencies,
+			// 	&v1.ResourceDescriptor{
+			// 		Name:   gl.Data().ProjectUrl,
+			// 		Digest: digest,
+			// 	})
 
 		// Material Attestors
 		case material.Name:
@@ -207,9 +208,19 @@ func (p *Provenance) Attest(ctx *attestation.AttestationContext) error {
 				maps.Copy(p.products, ctx.Products())
 			}
 
+			if p.subjects == nil {
+				p.subjects = attestor.Attestor.(attestation.Subjecter).Subjects()
+			} else {
+				maps.Copy(p.subjects, attestor.Attestor.(attestation.Subjecter).Subjects())
+			}
+
 		// Post Attestors
 		case oci.Name:
-			maps.Copy(p.products, attestor.Attestor.(product.ProductAttestor).Products())
+			if p.subjects == nil {
+				p.subjects = attestor.Attestor.(attestation.Subjecter).Subjects()
+			} else {
+				maps.Copy(p.subjects, attestor.Attestor.(attestation.Subjecter).Subjects())
+			}
 		}
 	}