Calculate subjects per formatter

renzodavid9 · renzodavid9 · commit 875cbc78b158 · 2024-06-04T17:39:34.000-04:00
diff --git a/pkg/chains/formats/format.go b/pkg/chains/formats/format.go
@@ -25,6 +25,7 @@ type Payloader interface {
 	CreatePayload(ctx context.Context, obj interface{}) (interface{}, error)
 	Type() config.PayloadType
 	Wrap() bool
+	RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error)
 }
 
 const (
diff --git a/pkg/chains/formats/simple/simple.go b/pkg/chains/formats/simple/simple.go
@@ -69,3 +69,7 @@ func (i SimpleContainerImage) ImageName() string {
 func (i *SimpleSigning) Type() config.PayloadType {
 	return formats.PayloadTypeSimpleSigning
 }
+
+func (i *SimpleSigning) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {
+	return nil, fmt.Errorf("RetrieveAllArtifactURIs not supported for simeplesining formatter")
+}
diff --git a/pkg/chains/formats/slsa/v1/intotoite6.go b/pkg/chains/formats/slsa/v1/intotoite6.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 
 	"github.com/tektoncd/chains/pkg/chains/formats"
+	"github.com/tektoncd/chains/pkg/chains/formats/slsa/extract"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/slsaconfig"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/v1/pipelinerun"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/v1/taskrun"
@@ -94,3 +95,11 @@ func (i *InTotoIte6) CreatePayload(ctx context.Context, obj interface{}) (interf
 func (i *InTotoIte6) Type() config.PayloadType {
 	return formats.PayloadTypeSlsav1
 }
+
+func (i *InTotoIte6) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {
+	tkObj, ok := obj.(objects.TektonObject)
+	if !ok {
+		return nil, fmt.Errorf("intoto does not support type")
+	}
+	return extract.RetrieveAllArtifactURIs(ctx, tkObj, i.slsaConfig.DeepInspectionEnabled), nil
+}
diff --git a/pkg/chains/formats/slsa/v2alpha3/slsav2.go b/pkg/chains/formats/slsa/v2alpha3/slsav2.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 
 	"github.com/tektoncd/chains/pkg/chains/formats"
+	"github.com/tektoncd/chains/pkg/chains/formats/slsa/extract"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/slsaconfig"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha3/internal/pipelinerun"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha3/internal/taskrun"
@@ -68,3 +69,11 @@ func (s *Slsa) CreatePayload(ctx context.Context, obj interface{}) (interface{},
 func (s *Slsa) Type() config.PayloadType {
 	return formats.PayloadTypeSlsav2alpha3
 }
+
+func (s *Slsa) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {
+	tkObj, ok := obj.(objects.TektonObject)
+	if !ok {
+		return nil, fmt.Errorf("intoto does not support type")
+	}
+	return extract.RetrieveAllArtifactURIs(ctx, tkObj, s.slsaConfig.DeepInspectionEnabled), nil
+}
diff --git a/pkg/chains/formats/slsa/v2alpha4/internal/pipelinerun/pipelinerun.go b/pkg/chains/formats/slsa/v2alpha4/internal/pipelinerun/pipelinerun.go
@@ -46,7 +46,7 @@ func GenerateAttestation(ctx context.Context, pro *objects.PipelineRunObjectV1,
 		return nil, err
 	}
 
-	sub := subjectDigests(ctx, pro, slsaconfig)
+	sub := SubjectDigests(ctx, pro, slsaconfig)
 
 	return provenance.GetSLSA1Statement(pro, sub, &bd, bp, slsaconfig)
 }
@@ -73,7 +73,7 @@ func byproducts(pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaCon
 	return byProd, nil
 }
 
-func subjectDigests(ctx context.Context, pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaConfig) []*intoto.ResourceDescriptor {
+func SubjectDigests(ctx context.Context, pro *objects.PipelineRunObjectV1, slsaconfig *slsaconfig.SlsaConfig) []*intoto.ResourceDescriptor {
 	subjects := extract.SubjectsFromBuildArtifact(ctx, pro.GetResults())
 
 	if !slsaconfig.DeepInspectionEnabled {
diff --git a/pkg/chains/formats/slsa/v2alpha4/slsav2.go b/pkg/chains/formats/slsa/v2alpha4/slsav2.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 
+	intoto "github.com/in-toto/attestation/go/v1"
 	"github.com/tektoncd/chains/pkg/chains/formats"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/internal/slsaconfig"
 	"github.com/tektoncd/chains/pkg/chains/formats/slsa/v2alpha4/internal/pipelinerun"
@@ -74,3 +75,24 @@ func (s *Slsa) CreatePayload(ctx context.Context, obj interface{}) (interface{},
 func (s *Slsa) Type() config.PayloadType {
 	return payloadTypeSlsav2alpha4
 }
+
+func (s *Slsa) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {
+	var subjects []*intoto.ResourceDescriptor
+	var fullURIs []string
+
+	switch v := obj.(type) {
+	case *objects.TaskRunObjectV1:
+		subjects = taskrun.SubjectDigests(ctx, v)
+	case *objects.PipelineRunObjectV1:
+		subjects = pipelinerun.SubjectDigests(ctx, v, s.slsaConfig)
+	default:
+		return nil, fmt.Errorf("intoto does not support type: %s", v)
+	}
+
+	for _, s := range subjects {
+		for algo, digest := range s.Digest {
+			fullURIs = append(fullURIs, fmt.Sprintf("%s@%s:%s", s.Name, algo, digest))
+		}
+	}
+	return fullURIs, nil
+}
diff --git a/pkg/chains/storage/grafeas/grafeas.go b/pkg/chains/storage/grafeas/grafeas.go
@@ -253,7 +253,7 @@ func (b *Backend) createOccurrence(ctx context.Context, obj objects.TektonObject
 	}
 
 	// create Occurrence_Build for TaskRun
-	allURIs := extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
+	allURIs := b.getAllArtifactURIs(ctx, opts.PayloadFormat, obj)
 	for _, uri := range allURIs {
 		occ, err := b.createBuildOccurrence(ctx, obj, payload, signature, uri)
 		if err != nil {
@@ -264,6 +264,19 @@ func (b *Backend) createOccurrence(ctx context.Context, obj objects.TektonObject
 	return occs, nil
 }
 
+func (b *Backend) getAllArtifactURIs(ctx context.Context, payloadFormat config.PayloadType, obj objects.TektonObject) []string {
+	payloader, err := formats.GetPayloader(payloadFormat, b.cfg)
+	if err != nil {
+		return extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
+	}
+
+	if uris, err := payloader.RetrieveAllArtifactURIs(ctx, obj); err == nil {
+		return uris
+	}
+
+	return extract.RetrieveAllArtifactURIs(ctx, obj, b.cfg.Artifacts.PipelineRuns.DeepInspectionEnabled)
+}
+
 func (b *Backend) createAttestationOccurrence(ctx context.Context, payload []byte, signature string, uri string) (*pb.Occurrence, error) {
 	occurrenceDetails := &pb.Occurrence_Attestation{
 		Attestation: &pb.AttestationOccurrence{

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@ type Payloader interface {`
`25`	`25`	`CreatePayload(ctx context.Context, obj interface{}) (interface{}, error)`
`26`	`26`	`Type() config.PayloadType`
`27`	`27`	`Wrap() bool`
	`28`	`+ RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error)`
`28`	`29`	`}`
`29`	`30`
`30`	`31`	`const (`
Original file line number	Diff line number	Diff line change
`@@ -69,3 +69,7 @@ func (i SimpleContainerImage) ImageName() string {`
`69`	`69`	`func (i *SimpleSigning) Type() config.PayloadType {`
`70`	`70`	`return formats.PayloadTypeSimpleSigning`
`71`	`71`	`}`
	`72`	`+`
	`73`	`+func (i *SimpleSigning) RetrieveAllArtifactURIs(ctx context.Context, obj interface{}) ([]string, error) {`
	`74`	`+ return nil, fmt.Errorf("RetrieveAllArtifactURIs not supported for simeplesining formatter")`
	`75`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ func GenerateAttestation(ctx context.Context, pro *objects.PipelineRunObjectV1,`
`46`	`46`	`return nil, err`
`47`	`47`	`}`
`48`	`48`
`49`		`- sub := subjectDigests(ctx, pro, slsaconfig)`
	`49`	`+ sub := SubjectDigests(ctx, pro, slsaconfig)`
`50`	`50`
`51`	`51`	`return provenance.GetSLSA1Statement(pro, sub, &bd, bp, slsaconfig)`
`52`	`52`	`}`
`@@ -73,7 +73,7 @@ func byproducts(pro objects.PipelineRunObjectV1, slsaconfig slsaconfig.SlsaCon`
`73`	`73`	`return byProd, nil`
`74`	`74`	`}`
`75`	`75`
`76`		`-func subjectDigests(ctx context.Context, pro objects.PipelineRunObjectV1, slsaconfig slsaconfig.SlsaConfig) []*intoto.ResourceDescriptor {`
	`76`	`+func SubjectDigests(ctx context.Context, pro objects.PipelineRunObjectV1, slsaconfig slsaconfig.SlsaConfig) []*intoto.ResourceDescriptor {`
`77`	`77`	`subjects := extract.SubjectsFromBuildArtifact(ctx, pro.GetResults())`
`78`	`78`
`79`	`79`	`if !slsaconfig.DeepInspectionEnabled {`