fix: Fix missing checks on product include/exclude glob for attestation.

Signed-off-by: Matthias Glastra <[email protected]>
in-toto · Apr 12, 2024 · 81bff39 · 81bff39
1 parent 9fb8891
commit 81bff39
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 12 deletions.
diff --git a/attestation/file/file.go b/attestation/file/file.go
@@ -19,14 +19,15 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/gobwas/glob"
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/go-witness/log"
 )
 
 // recordArtifacts will walk basePath and record the digests of each file with each of the functions in hashes.
 // If file already exists in baseArtifacts and the two artifacts are equal the artifact will not be in the
 // returned map of artifacts.
-func RecordArtifacts(basePath string, baseArtifacts map[string]cryptoutil.DigestSet, hashes []cryptoutil.DigestValue, visitedSymlinks map[string]struct{}) (map[string]cryptoutil.DigestSet, error) {
+func RecordArtifacts(basePath string, baseArtifacts map[string]cryptoutil.DigestSet, hashes []cryptoutil.DigestValue, visitedSymlinks map[string]struct{}, includeGlob glob.Glob, excludeGlob glob.Glob) (map[string]cryptoutil.DigestSet, error) {
 	artifacts := make(map[string]cryptoutil.DigestSet)
 	err := filepath.Walk(basePath, func(path string, info fs.FileInfo, err error) error {
 		if err != nil {
@@ -57,15 +58,15 @@ func RecordArtifacts(basePath string, baseArtifacts map[string]cryptoutil.Digest
 			}
 
 			visitedSymlinks[linkedPath] = struct{}{}
-			symlinkedArtifacts, err := RecordArtifacts(linkedPath, baseArtifacts, hashes, visitedSymlinks)
+			symlinkedArtifacts, err := RecordArtifacts(linkedPath, baseArtifacts, hashes, visitedSymlinks, includeGlob, excludeGlob)
 			if err != nil {
 				return err
 			}
 
 			for artifactPath, artifact := range symlinkedArtifacts {
 				// all artifacts in the symlink should be recorded relative to our basepath
 				joinedPath := filepath.Join(relPath, artifactPath)
-				if shouldRecord(joinedPath, artifact, baseArtifacts) {
+				if shouldRecord(joinedPath, artifact, baseArtifacts, includeGlob, excludeGlob) {
 					artifacts[filepath.Join(relPath, artifactPath)] = artifact
 				}
 			}
@@ -78,7 +79,7 @@ func RecordArtifacts(basePath string, baseArtifacts map[string]cryptoutil.Digest
 			return err
 		}
 
-		if shouldRecord(relPath, artifact, baseArtifacts) {
+		if shouldRecord(relPath, artifact, baseArtifacts, includeGlob, excludeGlob) {
 			artifacts[relPath] = artifact
 		}
 
@@ -91,7 +92,20 @@ func RecordArtifacts(basePath string, baseArtifacts map[string]cryptoutil.Digest
 // shouldRecord determines whether artifact should be recorded.
 // if the artifact is already in baseArtifacts, check if it's changed
 // if it is not equal to the existing artifact, return true, otherwise return false
-func shouldRecord(path string, artifact cryptoutil.DigestSet, baseArtifacts map[string]cryptoutil.DigestSet) bool {
+func shouldRecord(path string, artifact cryptoutil.DigestSet, baseArtifacts map[string]cryptoutil.DigestSet, includeGlob glob.Glob, excludeGlob glob.Glob) bool {
+
+	includePath := true
+	if excludeGlob != nil && excludeGlob.Match(path) {
+		includePath = false
+	}
+	if includeGlob != nil && includeGlob.Match(path) {
+		includePath = true
+	}
+
+	if !includePath {
+		return false
+	}
+
 	if previous, ok := baseArtifacts[path]; ok && artifact.Equal(previous) {
 		return false
 	}

diff --git a/attestation/material/material.go b/attestation/material/material.go
@@ -69,7 +69,7 @@ func New(opts ...Option) *Attestor {
 }
 
 func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
-	materials, err := file.RecordArtifacts(ctx.WorkingDir(), nil, ctx.Hashes(), map[string]struct{}{})
+	materials, err := file.RecordArtifacts(ctx.WorkingDir(), nil, ctx.Hashes(), map[string]struct{}{}, nil, nil)
 	if err != nil {
 		return err
 	}

diff --git a/attestation/product/product.go b/attestation/product/product.go
@@ -164,7 +164,7 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	a.compiledExcludeGlob = compiledExcludeGlob
 
 	a.baseArtifacts = ctx.Materials()
-	products, err := file.RecordArtifacts(ctx.WorkingDir(), a.baseArtifacts, ctx.Hashes(), map[string]struct{}{})
+	products, err := file.RecordArtifacts(ctx.WorkingDir(), a.baseArtifacts, ctx.Hashes(), map[string]struct{}{}, compiledIncludeGlob, compiledExcludeGlob)
 	if err != nil {
 		return err
 	}
@@ -194,15 +194,18 @@ func (a *Attestor) Products() map[string]attestation.Product {
 func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 	subjects := make(map[string]cryptoutil.DigestSet)
 	for productName, product := range a.products {
+
+		includeSubject := true
 		if a.compiledExcludeGlob != nil && a.compiledExcludeGlob.Match(productName) {
-			continue
+			includeSubject = false
 		}
-
-		if a.compiledIncludeGlob != nil && !a.compiledIncludeGlob.Match(productName) {
-			continue
+		if a.compiledIncludeGlob != nil && a.compiledIncludeGlob.Match(productName) {
+			includeSubject = true
 		}
 
-		subjects[fmt.Sprintf("file:%v", productName)] = product.Digest
+		if includeSubject {
+			subjects[fmt.Sprintf("file:%v", productName)] = product.Digest
+		}
 	}
 
 	return subjects