Merge branch 'main' into fix-product-glob

matglas · May 10, 2024 · 4c21b2f · 4c21b2f
2 parents c850d5b + f346f85
commit 4c21b2f
Show file tree

Hide file tree

Showing 66 changed files with 6,327 additions and 278 deletions.
diff --git a/.github/workflows/verify-schemagen.yaml b/.github/workflows/verify-schemagen.yaml
@@ -0,0 +1,20 @@
+name: Docgen
+on:
+  workflow_dispatch:
+  push:
+    branches: ["main", "release-*"]
+  pull_request:
+permissions:
+  contents: read
+
+jobs:
+  docgen:
+    name: Verify Docgen
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version: "1.21.x"
+      - run: ./schemagen/verify.sh
diff --git a/Makefile b/Makefile
@@ -23,5 +23,9 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 test: ## Run the go unit tests
 	go test -v -coverprofile=profile.cov -covermode=atomic ./...
 
+.PHONY: schema
+schema: ## Generate the attestor schema json files
+	go run ./schemagen/schema.go
+
 help: ## Display this help screen
 	@grep -h -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
diff --git a/attestation/aws-iid/aws-iid.go b/attestation/aws-iid/aws-iid.go
@@ -30,6 +30,7 @@ import (
 	"github.com/in-toto/go-witness/attestation"
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/go-witness/log"
+	"github.com/invopop/jsonschema"
 )
 
 const (
@@ -99,7 +100,6 @@ func New() *Attestor {
 		session: *sess,
 		conf:    conf,
 	}
-
 }
 
 func (a *Attestor) Name() string {
@@ -114,6 +114,10 @@ func (a *Attestor) RunType() attestation.RunType {
 	return RunType
 }
 
+func (a *Attestor) Schema() *jsonschema.Schema {
+	return jsonschema.Reflect(&a)
+}
+
 func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	a.hashes = ctx.Hashes()
 

diff --git a/attestation/aws-iid/aws-iid_test.go b/attestation/aws-iid/aws-iid_test.go
@@ -112,11 +112,10 @@ func TestAttestor_Attest(t *testing.T) {
 		conf:    conf,
 	}
 
-	ctx, err := attestation.NewContext([]attestation.Attestor{a})
+	ctx, err := attestation.NewContext("test", []attestation.Attestor{a})
 	require.NoError(t, err)
 	err = a.Attest(ctx)
 	require.NoError(t, err)
-
 }
 
 func TestAttestor_getIID(t *testing.T) {
@@ -154,7 +153,7 @@ func TestAttestor_Subjects(t *testing.T) {
 		conf:    conf,
 	}
 
-	ctx, err := attestation.NewContext([]attestation.Attestor{a})
+	ctx, err := attestation.NewContext("test", []attestation.Attestor{a})
 	require.NoError(t, err)
 	err = a.Attest(ctx)
 	require.NoError(t, err)

diff --git a/attestation/commandrun/commandrun.go b/attestation/commandrun/commandrun.go
@@ -23,6 +23,7 @@ import (
 	"github.com/in-toto/go-witness/attestation"
 	"github.com/in-toto/go-witness/attestation/environment"
 	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/invopop/jsonschema"
 )
 
 const (
@@ -35,8 +36,18 @@ const (
 // doesn't implement the expected interfaces.
 var (
 	_ attestation.Attestor = &CommandRun{}
+	_ CommandRunAttestor   = &CommandRun{}
 )
 
+type CommandRunAttestor interface {
+	// Attestor
+	Name() string
+	Type() string
+	RunType() attestation.RunType
+	Attest(ctx *attestation.AttestationContext) error
+	Data() *CommandRun
+}
+
 func init() {
 	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
 		return New()
@@ -113,6 +124,10 @@ type CommandRun struct {
 	environmentBlockList map[string]struct{}
 }
 
+func (a *CommandRun) Schema() *jsonschema.Schema {
+	return jsonschema.Reflect(&a)
+}
+
 func (rc *CommandRun) Attest(ctx *attestation.AttestationContext) error {
 	if len(rc.Cmd) == 0 {
 		return attestation.ErrAttestor{
@@ -129,6 +144,10 @@ func (rc *CommandRun) Attest(ctx *attestation.AttestationContext) error {
 	return nil
 }
 
+func (rc *CommandRun) Data() *CommandRun {
+	return rc
+}
+
 func (rc *CommandRun) Name() string {
 	return Name
 }

diff --git a/attestation/context.go b/attestation/context.go
@@ -33,12 +33,17 @@ const (
 	ExecuteRunType     RunType = "execute"
 	ProductRunType     RunType = "product"
 	PostProductRunType RunType = "postproduct"
+	VerifyRunType      RunType = "verify"
 )
 
 func runTypeOrder() []RunType {
 	return []RunType{PreMaterialRunType, MaterialRunType, ExecuteRunType, ProductRunType, PostProductRunType}
 }
 
+func verifyTypeOrder() []RunType {
+	return []RunType{VerifyRunType}
+}
+
 func (r RunType) String() string {
 	return string(r)
 }
@@ -92,14 +97,15 @@ type AttestationContext struct {
 	completedAttestors []CompletedAttestor
 	products           map[string]Product
 	materials          map[string]cryptoutil.DigestSet
+	stepName           string
 }
 
 type Product struct {
 	MimeType string               `json:"mime_type"`
 	Digest   cryptoutil.DigestSet `json:"digest"`
 }
 
-func NewContext(attestors []Attestor, opts ...AttestationContextOption) (*AttestationContext, error) {
+func NewContext(stepName string, attestors []Attestor, opts ...AttestationContextOption) (*AttestationContext, error) {
 	wd, err := os.Getwd()
 	if err != nil {
 		return nil, err
@@ -112,6 +118,7 @@ func NewContext(attestors []Attestor, opts ...AttestationContextOption) (*Attest
 		hashes:     []cryptoutil.DigestValue{{Hash: crypto.SHA256}, {Hash: crypto.SHA256, GitOID: true}, {Hash: crypto.SHA1, GitOID: true}},
 		materials:  make(map[string]cryptoutil.DigestSet),
 		products:   make(map[string]Product),
+		stepName:   stepName,
 	}
 
 	for _, opt := range opts {
@@ -131,11 +138,16 @@ func (ctx *AttestationContext) RunAttestors() error {
 				Reason:  "attestor run type not set",
 			}
 		}
-
 		attestors[attestor.RunType()] = append(attestors[attestor.RunType()], attestor)
 	}
 
 	order := runTypeOrder()
+	if attestors[VerifyRunType] != nil && len(attestors) > 1 {
+		return fmt.Errorf("attestors of type %s cannot be run in conjunction with other attestor types", VerifyRunType)
+	} else if attestors[VerifyRunType] != nil {
+		order = verifyTypeOrder()
+	}
+
 	for _, k := range order {
 		log.Debugf("Starting %s attestors...", k.String())
 		for _, att := range attestors[k] {
@@ -209,6 +221,10 @@ func (ctx *AttestationContext) Products() map[string]Product {
 	return out
 }
 
+func (ctx *AttestationContext) StepName() string {
+	return ctx.stepName
+}
+
 func (ctx *AttestationContext) addMaterials(materialer Materialer) {
 	newMats := materialer.Materials()
 	for k, v := range newMats {

diff --git a/attestation/environment/environment.go b/attestation/environment/environment.go
@@ -21,6 +21,7 @@ import (
 	"strings"
 
 	"github.com/in-toto/go-witness/attestation"
+	"github.com/invopop/jsonschema"
 )
 
 const (
@@ -33,8 +34,18 @@ const (
 // doesn't implement the expected interfaces.
 var (
 	_ attestation.Attestor = &Attestor{}
+	_ EnvironmentAttestor  = &Attestor{}
 )
 
+type EnvironmentAttestor interface {
+	// Attestor
+	Name() string
+	Type() string
+	RunType() attestation.RunType
+	Attest(ctx *attestation.AttestationContext) error
+	Data() *Attestor
+}
+
 func init() {
 	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
 		return New()
@@ -82,6 +93,10 @@ func (a *Attestor) RunType() attestation.RunType {
 	return RunType
 }
 
+func (a *Attestor) Schema() *jsonschema.Schema {
+	return jsonschema.Reflect(&a)
+}
+
 func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	a.OS = runtime.GOOS
 	a.Variables = make(map[string]string)
@@ -101,6 +116,10 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	return nil
 }
 
+func (a *Attestor) Data() *Attestor {
+	return a
+}
+
 // splitVariable splits a string representing an environment variable in the format of
 // "KEY=VAL" and returns the key and val separately.
 func splitVariable(v string) (key, val string) {

diff --git a/attestation/environment/environment_test.go b/attestation/environment/environment_test.go
@@ -24,7 +24,7 @@ import (
 
 func TestEnvironment(t *testing.T) {
 	attestor := New()
-	ctx, err := attestation.NewContext([]attestation.Attestor{attestor})
+	ctx, err := attestation.NewContext("test", []attestation.Attestor{attestor})
 	require.NoError(t, err)
 
 	t.Setenv("AWS_ACCESS_KEY_ID", "super secret")

diff --git a/attestation/factory.go b/attestation/factory.go
@@ -19,6 +19,7 @@ import (
 
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/go-witness/registry"
+	"github.com/invopop/jsonschema"
 )
 
 var (
@@ -32,6 +33,7 @@ type Attestor interface {
 	Type() string
 	RunType() RunType
 	Attest(ctx *AttestationContext) error
+	Schema() *jsonschema.Schema
 }
 
 // Subjecter allows attestors to expose bits of information that will be added to
@@ -56,6 +58,11 @@ type Producer interface {
 	Products() map[string]Product
 }
 
+// Exporter allows attestors to export their attestations for separation from the collection.
+type Exporter interface {
+	Export() bool
+}
+
 // BackReffer allows attestors to indicate which of their subjects are good candidates
 // to find related attestations.  For example the git attestor's commit hash subject
 // is a good candidate to find all attestation collections that also refer to a specific
@@ -105,7 +112,7 @@ func GetAttestor(nameOrType string) (Attestor, error) {
 	return attestors[0], nil
 }
 
-// Deprecated: use AddAttestors instead
+// Deprecated: use GetAttestors instead
 func Attestors(nameOrTypes []string) ([]Attestor, error) {
 	return GetAttestors(nameOrTypes)
 }

diff --git a/attestation/factory_test.go b/attestation/factory_test.go
@@ -17,6 +17,7 @@ package attestation
 import (
 	"testing"
 
+	"github.com/invopop/jsonschema"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -27,7 +28,8 @@ func TestRegistry(t *testing.T) {
 			name:          "prerun",
 			predicateType: "https://witness.dev/test/prerun",
 			runType:       PreMaterialRunType,
-		}, {
+		},
+		{
 			name:          "execute",
 			predicateType: "https://witness.dev/test/execute",
 			runType:       ExecuteRunType,
@@ -70,6 +72,10 @@ func (a *dummyAttestor) RunType() RunType {
 	return a.runType
 }
 
+func (a *dummyAttestor) Schema() *jsonschema.Schema {
+	return jsonschema.Reflect(&a)
+}
+
 func (a *dummyAttestor) Attest(*AttestationContext) error {
 	return nil
 }
diff --git a/attestation/gcp-iit/gcp-iit.go b/attestation/gcp-iit/gcp-iit.go
@@ -26,6 +26,7 @@ import (
 	"github.com/in-toto/go-witness/attestation/jwt"
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/go-witness/log"
+	"github.com/invopop/jsonschema"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@@ -98,6 +99,14 @@ func (a *Attestor) RunType() attestation.RunType {
 	return RunType
 }
 
+func (a *Attestor) Schema() *jsonschema.Schema {
+	// NOTE: This isn't ideal. For some reason the reflect function is return an empty schema when passing in `p`
+	// TODO: Fix this later
+	schema := jsonschema.Reflect(&a)
+	schema.Definitions["Attestor"].Properties.Set("jwt", jsonschema.Reflect(&a.JWT))
+	return schema
+}
+
 func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	tokenURL := identityTokenURL(defaultIdentityTokenHost, defaultServiceAccount)
 	identityToken, err := getMetadata(tokenURL)
@@ -171,7 +180,6 @@ func (a *Attestor) getInstanceData() {
 
 	a.ProjectID = projID
 	a.ProjectNumber = projNum
-
 }
 
 func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {