refactor: migrate to intoto/attestations go library -> in-toto 1.0 bump (#397)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/cli/internal/action/attestation_push.go

@@ -19,12 +19,14 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"time"
 
 	pb "github.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1"
 	"github.com/chainloop-dev/chainloop/internal/attestation/crafter"
 	"github.com/chainloop-dev/chainloop/internal/attestation/renderer"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"google.golang.org/grpc"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 type AttestationPushOpts struct {
@@ -107,6 +109,9 @@ func (action *AttestationPush) Run(runtimeAnnotations map[string]string) (*Attes
 
 	action.Logger.Debug().Msg("validation completed")
 
+	// Indicate that we are done with the attestation
+	action.c.CraftingState.Attestation.FinishedAt = timestamppb.New(time.Now())
+
 	renderer, err := renderer.NewAttestationRenderer(action.c.CraftingState, action.keyPath, action.cliVersion, action.cliDigest, renderer.WithLogger(action.Logger))
 	if err != nil {
 		return nil, err

app/cli/internal/action/workflow_run_describe.go

@@ -26,7 +26,7 @@ import (
 	"github.com/chainloop-dev/chainloop/internal/attestation/renderer/chainloop"
 	sigs "github.com/sigstore/cosign/v2/pkg/signature"
 
-	"github.com/in-toto/in-toto-golang/in_toto"
+	intoto "github.com/in-toto/attestation/go/v1"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	sigdsee "github.com/sigstore/sigstore/pkg/signature/dsse"
 )
@@ -46,7 +46,7 @@ type WorkflowRunAttestationItem struct {
 	ID          string         `json:"id"`
 	CreatedAt   *time.Time     `json:"createdAt"`
 	Envelope    *dsse.Envelope `json:"envelope"`
-	statement   *in_toto.Statement
+	statement   *intoto.Statement
 	Materials   []*Material   `json:"materials,omitempty"`
 	EnvVars     []*EnvVar     `json:"envvars,omitempty"`
 	Annotations []*Annotation `json:"annotations,omitempty"`
@@ -75,7 +75,7 @@ type Annotation struct {
 	Value string `json:"value"`
 }
 
-func (i *WorkflowRunAttestationItem) Statement() *in_toto.Statement {
+func (i *WorkflowRunAttestationItem) Statement() *intoto.Statement {
 	return i.statement
 }
 

app/controlplane/plugins/sdk/v1/fanout.go

@@ -31,7 +31,7 @@ import (
 	"github.com/chainloop-dev/chainloop/internal/attestation/renderer/chainloop"
 	"github.com/chainloop-dev/chainloop/internal/servicelogger"
 	"github.com/go-kratos/kratos/v2/log"
-	"github.com/in-toto/in-toto-golang/in_toto"
+	intoto "github.com/in-toto/attestation/go/v1"
 	"github.com/invopop/jsonschema"
 	schema_validator "github.com/santhosh-tekuri/jsonschema/v5"
 
@@ -152,7 +152,7 @@ type ExecuteAttestation struct {
 	Envelope *dsse.Envelope
 	// Hash of the envelope
 	Hash      crv1.Hash
-	Statement *in_toto.Statement
+	Statement *intoto.Statement
 	Predicate chainloop.NormalizablePredicate
 }
 

go.mod

@@ -35,7 +35,7 @@ require (
 	github.com/hashicorp/vault/api v1.9.2
 	github.com/hedwigz/entviz v0.0.0-20221011080911-9d47f6f1d818
 	github.com/improbable-eng/grpc-web v0.15.0
-	github.com/in-toto/in-toto-golang v0.9.0
+	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/jedib0t/go-pretty/v6 v6.4.7
 	github.com/joshdk/go-junit v1.0.0
 	github.com/lib/pq v1.10.9
@@ -69,6 +69,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0
+	github.com/in-toto/attestation v0.1.1-0.20231010121940-09a03152c04a
 	github.com/invopop/jsonschema v0.7.0
 	github.com/jackc/pgx/v5 v5.4.3
 	github.com/muesli/reflow v0.3.0

go.sum

@@ -742,6 +742,8 @@ github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/improbable-eng/grpc-web v0.15.0 h1:BN+7z6uNXZ1tQGcNAuaU1YjsLTApzkjt2tzCixLaUPQ=
 github.com/improbable-eng/grpc-web v0.15.0/go.mod h1:1sy9HKV4Jt9aEs9JSnkWlRJPuPtwNr0l57L4f878wP8=
+github.com/in-toto/attestation v0.1.1-0.20231010121940-09a03152c04a h1:y4ZRSC/GJWAFi+u9t7sNxjNsQKQvFKca1qc3Wr1ZX6Q=
+github.com/in-toto/attestation v0.1.1-0.20231010121940-09a03152c04a/go.mod h1:hCR5COCuENh5+VfojEkJnt7caOymbEgvyZdKifD6pOw=
 github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=
 github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=

internal/attestation/renderer/chainloop/chainloop.go

@@ -22,10 +22,10 @@ import (
 
 	v1 "github.com/chainloop-dev/chainloop/app/cli/api/attestation/v1"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	"google.golang.org/protobuf/encoding/protojson"
 
 	crv1 "github.com/google/go-containerregistry/pkg/v1"
-	"github.com/in-toto/in-toto-golang/in_toto"
-	slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
+	intoto "github.com/in-toto/attestation/go/v1"
 )
 
 // TODO: Figure out a more appropriate meaning
@@ -61,12 +61,12 @@ type NormalizedMaterial struct {
 }
 
 type ProvenancePredicateCommon struct {
-	Metadata   *Metadata                     `json:"metadata"`
-	Builder    *slsacommon.ProvenanceBuilder `json:"builder"`
-	BuildType  string                        `json:"buildType"`
-	Env        map[string]string             `json:"env,omitempty"`
-	RunnerType string                        `json:"runnerType"`
-	RunnerURL  string                        `json:"runnerURL,omitempty"`
+	Metadata   *Metadata         `json:"metadata"`
+	Builder    *builder          `json:"builder"`
+	BuildType  string            `json:"buildType"`
+	Env        map[string]string `json:"env,omitempty"`
+	RunnerType string            `json:"runnerType"`
+	RunnerURL  string            `json:"runnerURL,omitempty"`
 	// Custom annotations
 	Annotations map[string]string `json:"annotations,omitempty"`
 }
@@ -90,6 +90,10 @@ type builderInfo struct {
 	version, digest string
 }
 
+type builder struct {
+	ID string `json:"id"`
+}
+
 type RendererCommon struct {
 	predicateType string
 	att           *v1.Attestation
@@ -99,7 +103,7 @@ type RendererCommon struct {
 func predicateCommon(builderInfo *builderInfo, att *v1.Attestation) *ProvenancePredicateCommon {
 	return &ProvenancePredicateCommon{
 		BuildType:   chainloopBuildType,
-		Builder:     &slsacommon.ProvenanceBuilder{ID: fmt.Sprintf(builderIDFmt, builderInfo.version, builderInfo.digest)},
+		Builder:     &builder{ID: fmt.Sprintf(builderIDFmt, builderInfo.version, builderInfo.digest)},
 		Metadata:    getChainloopMeta(att),
 		Env:         att.EnvVars,
 		RunnerType:  att.GetRunnerType().String(),
@@ -110,11 +114,9 @@ func predicateCommon(builderInfo *builderInfo, att *v1.Attestation) *ProvenanceP
 
 func getChainloopMeta(att *v1.Attestation) *Metadata {
 	initializedAt := att.InitializedAt.AsTime()
+	finishedAt := att.GetFinishedAt().AsTime()
 	wfMeta := att.GetWorkflow()
 
-	// Finished at is set at the time of render
-	finishedAt := time.Now()
-
 	return &Metadata{
 		InitializedAt: &initializedAt,
 		FinishedAt:    &finishedAt,
@@ -126,15 +128,15 @@ func getChainloopMeta(att *v1.Attestation) *Metadata {
 	}
 }
 
-func ExtractStatement(envelope *dsse.Envelope) (*in_toto.Statement, error) {
+func ExtractStatement(envelope *dsse.Envelope) (*intoto.Statement, error) {
 	decodedPayload, err := envelope.DecodeB64Payload()
 	if err != nil {
 		return nil, err
 	}
 
 	// 1 - Extract the in-toto statement
-	statement := &in_toto.Statement{}
-	if err := json.Unmarshal(decodedPayload, statement); err != nil {
+	statement := &intoto.Statement{}
+	if err := protojson.Unmarshal(decodedPayload, statement); err != nil {
 		return nil, fmt.Errorf("un-marshaling predicate: %w", err)
 	}
 
@@ -156,13 +158,6 @@ func ExtractPredicate(envelope *dsse.Envelope) (NormalizablePredicate, error) {
 
 	// 2 - Extract the Chainloop predicate from the in-toto statement
 	switch statement.PredicateType {
-	case PredicateTypeV01:
-		var predicate *ProvenancePredicateV01
-		if err = extractPredicate(statement, &predicate); err != nil {
-			return nil, fmt.Errorf("extracting predicate: %w", err)
-		}
-
-		return predicate, nil
 	case PredicateTypeV02:
 		var predicate *ProvenancePredicateV02
 		if err = extractPredicate(statement, &predicate); err != nil {
@@ -175,8 +170,8 @@ func ExtractPredicate(envelope *dsse.Envelope) (NormalizablePredicate, error) {
 	}
 }
 
-func extractPredicate(statement *in_toto.Statement, v any) error {
-	jsonPredicate, err := json.Marshal(statement.Predicate)
+func extractPredicate(statement *intoto.Statement, v any) error {
+	jsonPredicate, err := protojson.Marshal(statement.Predicate)
 	if err != nil {
 		return fmt.Errorf("un-marshaling predicate: %w", err)
 	}

internal/attestation/renderer/chainloop/chainloop_test.go

@@ -34,28 +34,6 @@ func TestExtractPredicate(t *testing.T) {
 		materials    []*NormalizedMaterial
 		wantErr      bool
 	}{
-		{
-			name:         "valid envelope v1",
-			envelopePath: "testdata/valid.envelope.v1.json",
-			envVars:      map[string]string{"GITHUB_ACTOR": "migmartri", "GITHUB_REF": "refs/tags/v0.0.39", "GITHUB_REPOSITORY": "chainloop-dev/integration-demo", "GITHUB_REPOSITORY_OWNER": "chainloop-dev", "GITHUB_RUN_ID": "4410543365", "GITHUB_SHA": "0accc9392fb1f9b258167c18ffa0aeb626973f1c", "RUNNER_NAME": "Hosted Agent", "RUNNER_OS": "Linux"},
-			materials: []*NormalizedMaterial{
-				{
-					Name: "binary", Type: "ARTIFACT",
-					Value: "integration-demo_0.0.39_linux_amd64.tar.gz",
-					Hash:  &crv1.Hash{Algorithm: "sha256", Hex: "b155cdfc328b273c4b741c08b3b84ac441b0562ca51893f23495b35abf89ea87"},
-				},
-				{
-					Name: "image", Type: "CONTAINER_IMAGE",
-					Value: "ghcr.io/chainloop-dev/integration-demo",
-					Hash:  &crv1.Hash{Algorithm: "sha256", Hex: "e0d8179991dd735baf0961901b33476a76a0f300bc4ea07e3d7ae7c24e147193"},
-				},
-				{
-					Name: "sbom", Type: "SBOM_CYCLONEDX_JSON",
-					Value: "sbom.cyclonedx.json",
-					Hash:  &crv1.Hash{Algorithm: "sha256", Hex: "b50f38961cc2e97d0903f4683a40e2528f7f6c9d382e8c6048b0363af95b7080"},
-				},
-			},
-		},
 		{
 			name:         "valid envelope v2",
 			envelopePath: "testdata/valid.envelope.v2.json",
@@ -114,6 +92,7 @@ func TestExtractPredicate(t *testing.T) {
 				return
 			}
 
+			require.NoError(t, err)
 			gotVars := gotPredicate.GetEnvVars()
 			assert.Equal(t, tc.envVars, gotVars)
 

internal/attestation/renderer/chainloop/testdata/attestation.output-2.v0.2.json

@@ -0,0 +1,96 @@
+{
+  "type": "https://in-toto.io/Statement/v1",
+  "subject": [
+    {
+      "name": "chainloop.workflow.test-new-types",
+      "digest": {
+        "sha256": "f1fad10a3399754f2ea93265601bf25788d5abf6c447e08d1fc4c9ffc043c19e"
+      }
+    },
+    {
+      "name": "git.head",
+      "digest": {
+        "sha1": "78ac366c9e8a300d51808d581422ca61f7b5b721"
+      }
+    },
+    {
+      "name": "index.docker.io/bitnami/nginx",
+      "digest": {
+        "sha256": "fbd9335f55d83d8aaf9ab1a539b0f2a87b444e8c54f34c9a1ca9d7df15605db4"
+      }
+    }
+  ],
+  "predicate_type": "chainloop.dev/attestation/v0.2",
+  "predicate": {
+    "buildType": "chainloop.dev/workflowrun/v0.1",
+    "builder": {
+      "id": "chainloop.dev/cli/dev@sha256:59e14f1a9de709cdd0e91c36b33e54fcca95f7dba1dc7169a7f81986e02108e5"
+    },
+    "materials": [
+      {
+        "annotations": {
+          "chainloop.material.name": "image",
+          "chainloop.material.type": "CONTAINER_IMAGE"
+        },
+        "digest": {
+          "sha256": "fbd9335f55d83d8aaf9ab1a539b0f2a87b444e8c54f34c9a1ca9d7df15605db4"
+        },
+        "name": "index.docker.io/bitnami/nginx"
+      },
+      {
+        "annotations": {
+          "chainloop.material.cas": true,
+          "chainloop.material.name": "rootfs",
+          "chainloop.material.type": "ARTIFACT"
+        },
+        "digest": {
+          "sha256": "385c4188b9c080499413f2e0fa0b3951ed107b5f0cb35c2f2b1f07a7be9a7512"
+        },
+        "name": "download.gif"
+      },
+      {
+        "annotations": {
+          "chainloop.material.cas": true,
+          "chainloop.material.name": "sarif",
+          "chainloop.material.type": "SARIF"
+        },
+        "digest": {
+          "sha256": "c4a63494f9289dd9fd44f841efb4f5b52765c2de6332f2d86e5f6c0340b40a95"
+        },
+        "name": "report.sarif"
+      },
+      {
+        "annotations": {
+          "chainloop.material.cas": true,
+          "chainloop.material.name": "sbom",
+          "chainloop.material.type": "SBOM_CYCLONEDX_JSON"
+        },
+        "digest": {
+          "sha256": "16159bb881eb4ab7eb5d8afc5350b0feeed1e31c0a268e355e74f9ccbe885e0c"
+        },
+        "name": "sbom.cyclonedx.json"
+      },
+      {
+        "annotations": {
+          "chainloop.material.cas": true,
+          "chainloop.material.name": "vex",
+          "chainloop.material.type": "OPENVEX"
+        },
+        "digest": {
+          "sha256": "b4bd86d5855f94bcac0a92d3100ae7b85d050bd2e5fb9037a200e5f5f0b073a2"
+        },
+        "name": "openvex_v0.2.0.json"
+      }
+    ],
+    "metadata": {
+      "finishedAt": "2023-10-20T12:58:10.562093962Z",
+      "initializedAt": "2023-10-20T12:57:10.562093962Z",
+      "name": "test-new-types",
+      "project": "test",
+      "team": "",
+      "workflowID": "ab98be70-041b-4a82-97f3-daa56f61262b",
+      "workflowRunID": "f97a0680-e64b-478a-9eea-df8864fa27f8"
+    },
+    "runnerType": "RUNNER_TYPE_UNSPECIFIED"
+  }
+}