wip: implement verification attestor that returns a slsa VSA

Co-authored-by: Kris Coleman <[email protected]>

attestation/policyverify/policyverify.go

@@ -88,7 +88,15 @@ func (vs *Attestor) RunType() attestation.RunType {
 }
 
 func (vs *Attestor) Subjects() map[string]cryptoutil.DigestSet {
-	return map[string]cryptoutil.DigestSet{}
+	subjects := map[string]cryptoutil.DigestSet{}
+	for _, digest := range vs.subjectDigests {
+		subjects[fmt.Sprintf("artifact:%v", digest)] = cryptoutil.DigestSet{
+			cryptoutil.DigestValue{Hash: crypto.SHA256, GitOID: false}: digest,
+		}
+	}
+
+	subjects[fmt.Sprintf("policy:%v", vs.VerificationSummary.Policy.URI)] = vs.VerificationSummary.Policy.Digest
+	return subjects
 }
 
 func (vo *Attestor) Attest(ctx *attestation.AttestationContext) error {
@@ -147,7 +155,7 @@ func (vo *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	policyResult, policyErr := pol.Verify(ctx.Context(), policy.WithSubjectDigests(vo.subjectDigests), policy.WithVerifiedSource(verifiedSource))
 	if _, ok := policyErr.(policy.ErrPolicyDenied); ok {
 		accepted = false
-	} else if err != nil {
+	} else if policyErr != nil {
 		return fmt.Errorf("failed to verify policy: %w", err)
 	}
 
@@ -159,15 +167,15 @@ func (vo *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	return policyErr
 }
 
-func calculateGitoid(b []byte) (cryptoutil.DigestSet, error) {
+func calculateDigest(b []byte) (cryptoutil.DigestSet, error) {
 	return cryptoutil.CalculateDigestSetFromBytes(b, []crypto.Hash{crypto.SHA256})
 }
 
 func verificationSummaryFromResults(policyEnvelope dsse.Envelope, policyResult policy.PolicyResult, accepted bool) (slsa.VerificationSummary, error) {
 	inputAttestations := make([]slsa.ResourceDescriptor, 0, len(policyResult.EvidenceByStep))
 	for _, input := range policyResult.EvidenceByStep {
 		for _, attestation := range input {
-			digest, err := calculateGitoid(attestation.Envelope.Payload)
+			digest, err := calculateDigest(attestation.Envelope.Payload)
 			if err != nil {
 				log.Debugf("failed to calculate evidence hash: %v", err)
 				continue
@@ -180,7 +188,7 @@ func verificationSummaryFromResults(policyEnvelope dsse.Envelope, policyResult p
 		}
 	}
 
-	policyDigest, err := calculateGitoid(policyEnvelope.Payload)
+	policyDigest, err := calculateDigest(policyEnvelope.Payload)
 	if err != nil {
 		return slsa.VerificationSummary{}, fmt.Errorf("failed to calculate policy digest: %w", err)
 	}
@@ -196,10 +204,9 @@ func verificationSummaryFromResults(policyEnvelope dsse.Envelope, policyResult p
 		},
 		TimeVerified: time.Now(),
 		Policy: slsa.ResourceDescriptor{
-			URI:    "",
+			URI:    policyDigest[cryptoutil.DigestValue{Hash: crypto.SHA256, GitOID: false}], //TODO: find a better value for this...
 			Digest: policyDigest,
 		},
-		// ResourceURI: ,
 		InputAttestations:  inputAttestations,
 		VerificationResult: verificationResult,
 	}, nil

slsa/verificationsummary.go

@@ -26,7 +26,6 @@ type ResourceDescriptor struct {
 type VerificationSummary struct {
 	Verifier           Verifier             `json:"verifier"`
 	TimeVerified       time.Time            `json:"timeVerified"`
-	ResourceURI        string               `json:"resourceUri"`
 	Policy             ResourceDescriptor   `json:"policy"`
 	InputAttestations  []ResourceDescriptor `json:"inputAttestations"`
 	VerificationResult VerificationResult   `json:"verificationResult"`

verify.go

@@ -94,7 +94,10 @@ type VerifyResult struct {
 // if verifiation is successful.
 func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers []cryptoutil.Verifier, opts ...VerifyOption) (VerifyResult, error) {
 	vo := verifyOptions{}
+<<<<<<< HEAD
 
+=======
+>>>>>>> 64906f9 (wip: implement verification attestor that returns a slsa VSA)
 	for _, opt := range opts {
 		opt(&vo)
 	}