Calculate subjects per formatter (tektoncd#1132)

* Calculate subjects per formatter

* Tests for new retrieve full uris in grafeas

Author: renzodavid9

pkg/chains/formats/format.go

@@ -25,6 +25,7 @@ type Payloader interface {
 	CreatePayload(ctx context.Context, obj interface{}) (interface{}, error)
 	Type() config.PayloadType
 	Wrap() bool
+	RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error)
 }
 
 const (

pkg/chains/formats/simple/simple.go

@@ -69,3 +69,8 @@ func (i SimpleContainerImage) ImageName() string {
 func (i *SimpleSigning) Type() config.PayloadType {
 	return formats.PayloadTypeSimpleSigning
 }
+
+// RetrieveAllArtifactURIs returns always an error, feature not available for simplesigning formatter.
+func (i *SimpleSigning) RetrieveAllArtifactURIs(_ context.Context, _ interface{}) ([]string, error) {
+	return nil, fmt.Errorf("RetrieveAllArtifactURIs not supported for simeplesining formatter")
+}

pkg/chains/formats/slsa/v1/intotoite6.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 
 	"github.com/tektoncd/chains/pkg/chains/formats"
+	"github.com/tektoncd/chains/pkg/chains/formats/slsa/extract"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/slsaconfig"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/v1/pipelinerun"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/v1/taskrun"
@@ -94,3 +95,12 @@ func (i *InTotoIte6) CreatePayload(ctx context.Context, obj interface{}) (interf
 func (i *InTotoIte6) Type() config.PayloadType {
 	return formats.PayloadTypeSlsav1
 }
+
+// RetrieveAllArtifactURIs returns the full URI of all artifacts detected as subjects.
+func (i *InTotoIte6) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {
+	tkObj, ok := obj.(objects.TektonObject)
+	if !ok {
+		return nil, fmt.Errorf("intoto does not support type")
+	}
+	return extract.RetrieveAllArtifactURIs(ctx, tkObj, i.slsaConfig.DeepInspectionEnabled), nil
+}

pkg/chains/formats/slsa/v2alpha3/slsav2.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 
 	"github.com/tektoncd/chains/pkg/chains/formats"
+	"github.com/tektoncd/chains/pkg/chains/formats/slsa/extract"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/slsaconfig"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha3/internal/pipelinerun"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha3/internal/taskrun"
@@ -68,3 +69,12 @@ func (s *Slsa) CreatePayload(ctx context.Context, obj interface{}) (interface{},
 func (s *Slsa) Type() config.PayloadType {
 	return formats.PayloadTypeSlsav2alpha3
 }
+
+// RetrieveAllArtifactURIs returns the full URI of all artifacts detected as subjects.
+func (s *Slsa) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {
+	tkObj, ok := obj.(objects.TektonObject)
+	if !ok {
+		return nil, fmt.Errorf("intoto does not support type")
+	}
+	return extract.RetrieveAllArtifactURIs(ctx, tkObj, s.slsaConfig.DeepInspectionEnabled), nil
+}

pkg/chains/formats/slsa/v2alpha4/internal/pipelinerun/pipelinerun.go

@@ -46,7 +46,7 @@ func GenerateAttestation(ctx context.Context, pro *objects.PipelineRunObjectV1,
 		return nil, err
 	}
 
-	sub := subjectDigests(ctx, pro, slsaconfig)
+	sub := SubjectDigests(ctx, pro, slsaconfig)
 
 	return provenance.GetSLSA1Statement(pro, sub, &bd, bp, slsaconfig)
 }
@@ -73,7 +73,8 @@ func byproducts(pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaCon
 	return byProd, nil
 }
 
-func subjectDigests(ctx context.Context, pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaConfig) []*intoto.ResourceDescriptor {
+// SubjectDigests calculates the subjects associated with the given PipelineRun.
+func SubjectDigests(ctx context.Context, pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaConfig) []*intoto.ResourceDescriptor {
 	subjects := extract.SubjectsFromBuildArtifact(ctx, pro.GetResults())
 
 	if !slsaconfig.DeepInspectionEnabled {

pkg/chains/formats/slsa/v2alpha4/slsav2.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 
+	intoto "github.com/in-toto/attestation/go/v1"
 	"github.com/tektoncd/chains/pkg/chains/formats"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/slsaconfig"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha4/internal/pipelinerun"
@@ -74,3 +75,25 @@ func (s *Slsa) CreatePayload(ctx context.Context, obj interface{}) (interface{},
 func (s *Slsa) Type() config.PayloadType {
 	return payloadTypeSlsav2alpha4
 }
+
+// RetrieveAllArtifactURIs returns the full URI of all artifacts detected as subjects.
+func (s *Slsa) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {
+	var subjects []*intoto.ResourceDescriptor
+	var fullURIs []string
+
+	switch v := obj.(type) {
+	case *objects.TaskRunObjectV1:
+		subjects = taskrun.SubjectDigests(ctx, v)
+	case *objects.PipelineRunObjectV1:
+		subjects = pipelinerun.SubjectDigests(ctx, v, s.slsaConfig)
+	default:
+		return nil, fmt.Errorf("intoto does not support type: %s", v)
+	}
+
+	for _, s := range subjects {
+		for algo, digest := range s.Digest {
+			fullURIs = append(fullURIs, fmt.Sprintf("%s@%s:%s", s.Name, algo, digest))
+		}
+	}
+	return fullURIs, nil
+}

pkg/chains/storage/grafeas/grafeas.go

@@ -253,7 +253,7 @@ func (b *Backend) createOccurrence(ctx context.Context, obj objects.TektonObject
 	}
 
 	// create Occurrence_Build for TaskRun
-	allURIs := extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
+	allURIs := b.getAllArtifactURIs(ctx, opts.PayloadFormat, obj)
 	for _, uri := range allURIs {
 		occ, err := b.createBuildOccurrence(ctx, obj, payload, signature, uri)
 		if err != nil {
@@ -264,6 +264,22 @@ func (b *Backend) createOccurrence(ctx context.Context, obj objects.TektonObject
 	return occs, nil
 }
 
+func (b *Backend) getAllArtifactURIs(ctx context.Context, payloadFormat config.PayloadType, obj objects.TektonObject) []string {
+	logger := logging.FromContext(ctx)
+	payloader, err := formats.GetPayloader(payloadFormat, b.cfg)
+	if err != nil {
+		logger.Infof("couldn't get payloader for %v format, will use extract.RetrieveAllArtifactURIs method instead", payloadFormat)
+		return extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
+	}
+
+	if uris, err := payloader.RetrieveAllArtifactURIs(ctx, obj); err == nil {
+		return uris
+	}
+
+	logger.Infof("couldn't get URIs from payloader %v, will use extract.RetrieveAllArtifactURIs method instead", payloadFormat)
+	return extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
+}
+
 func (b *Backend) createAttestationOccurrence(ctx context.Context, payload []byte, signature string, uri string) (*pb.Occurrence, error) {
 	occurrenceDetails := &pb.Occurrence_Attestation{
 		Attestation: &pb.AttestationOccurrence{
@@ -364,7 +380,7 @@ func (b *Backend) getBuildNotePath(obj objects.TektonObject) string {
 func (b *Backend) getAllOccurrences(ctx context.Context, obj objects.TektonObject, opts config.StorageOpts) ([]*pb.Occurrence, error) {
 	result := []*pb.Occurrence{}
 	// step 1: get all resource URIs created under the taskrun
-	uriFilters := extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
+	uriFilters := b.getAllArtifactURIs(ctx, opts.PayloadFormat, obj)
 
 	// step 2: find all build occurrences
 	if _, ok := formats.IntotoAttestationSet[opts.PayloadFormat]; ok {