added changes to oci attestor and git attestor for remotes in subject

Signed-off-by: chaosinthecrd <[email protected]>
ChaosInTheCRD · Aug 13, 2024 · 210e3c9 · 210e3c9
1 parent c2bf7fb
commit 210e3c9
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 9 deletions.
diff --git a/attestation/git/git.go b/attestation/git/git.go
@@ -17,6 +17,7 @@ package git
 import (
 	"crypto"
 	"fmt"
+	giturl "github.com/whilp/git-urls"
 	"strings"
 	"time"
 
@@ -25,6 +26,7 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/object"
 	"github.com/in-toto/go-witness/attestation"
 	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/log"
 	"github.com/invopop/jsonschema"
 )
 
@@ -153,7 +155,15 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	}
 
 	for _, remote := range remotes {
-		a.Remotes = append(a.Remotes, remote.Config().URLs...)
+		for _, u := range remote.Config().URLs {
+			rurl, err := giturl.Parse(u)
+			if err != nil {
+				log.Debugf("failed to parse remote url: %w", err)
+			}
+
+			//NOTE: Not added the scheme to the remote so far, can add it if needed
+			a.Remotes = append(a.Remotes, fmt.Sprintf("%s/%s", rurl.Host, rurl.Path))
+		}
 	}
 
 	refs, err := repo.References()
@@ -291,6 +301,16 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 		subjects[subjectName] = ds
 	}
 
+	// add remotes
+	for _, remote := range a.Remotes {
+		subjectName = fmt.Sprintf("remote:%v", remote)
+		ds, err = cryptoutil.CalculateDigestSetFromBytes([]byte(remote), hashes)
+		if err != nil {
+			return nil
+		}
+		subjects[subjectName] = ds
+	}
+
 	// add refname short
 	subjectName = fmt.Sprintf("refnameshort:%v", a.RefNameShort)
 	ds, err = cryptoutil.CalculateDigestSetFromBytes([]byte(a.RefNameShort), hashes)

diff --git a/attestation/oci/oci.go b/attestation/oci/oci.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"strings"
 
 	"github.com/in-toto/go-witness/attestation"
@@ -149,10 +150,15 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	}
 
 	if met != nil {
+		if strings.HasPrefix(met.ContainerImageDigest, "sha256:") {
+			log.Debugf("setting image digest as", met.ContainerImageDigest)
+			a.ImageDigest[cryptoutil.DigestValue{Hash: crypto.SHA256}] = met.ContainerImageDigest
+		} else {
+			log.Warnf("found metadata file does not contain image digest of expected format: '%s'", met.ContainerImageDigest)
+		}
+
 		a.ImageDigest = map[cryptoutil.DigestValue]string{}
-		a.ImageDigest[cryptoutil.DigestValue{Hash: crypto.SHA256}] = met.ContainerImageDigest
-		fmt.Println("setting image digest as", met.ContainerImageDigest)
-		fmt.Println("setting image references as", met.ImageName)
+		log.Debugf("setting image references as", met.ImageName)
 		a.ImageReferences = []string{}
 		a.ImageReferences = append(a.ImageReferences, met.ImageName)
 	}
@@ -169,12 +175,10 @@ func (a *Attestor) getDockerCandidate(ctx *attestation.AttestationContext) (*doc
 
 	//NOTE: it's not ideal to try and parse it without a mime type but the metadata file is completely different depending on how the buildx is executed
 	for path, product := range products {
-		fmt.Println("inspecting", path)
 		if strings.Contains(sha256MimeType, product.MimeType) {
-			log.Info("found image id")
-			f, err := os.ReadFile(path)
+			f, err := os.ReadFile(filepath.Join(ctx.WorkingDir(), path))
 			if err != nil {
-				return nil, fmt.Errorf("failed to read file %s", path)
+				return nil, fmt.Errorf("failed to read file %s: %w", path, err)
 			}
 
 			a.ImageID = map[cryptoutil.DigestValue]string{}
@@ -186,7 +190,7 @@ func (a *Attestor) getDockerCandidate(ctx *attestation.AttestationContext) (*doc
 
 		f, err := os.ReadFile(path)
 		if err != nil {
-			return nil, fmt.Errorf("failed to read file %s", path)
+			return nil, fmt.Errorf("failed to read file %s: %w", path, err)
 		}
 
 		err = json.Unmarshal(f, &met)

diff --git a/go.mod b/go.mod
@@ -104,6 +104,7 @@ require (
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+	github.com/whilp/git-urls v1.0.0 // indirect
 	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
 	github.com/zclconf/go-cty v1.14.4 // indirect
 	go.opencensus.io v0.24.0 // indirect

diff --git a/go.sum b/go.sum
@@ -341,6 +341,8 @@ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
+github.com/whilp/git-urls v1.0.0 h1:95f6UMWN5FKW71ECsXRUd3FVYiXdrE7aX4NZKcPmIjU=
+github.com/whilp/git-urls v1.0.0/go.mod h1:J16SAmobsqc3Qcy98brfl5f5+e0clUvg1krgwk/qCfE=
 github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
 github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=