feat(verification): Store attestation bundles in Chainloop database (#1777)

Signed-off-by: Jose I. Paris <[email protected]>

Author: jiparis

app/cli/internal/action/attestation_push.go

@@ -26,7 +26,9 @@ import (
 	"github.com/chainloop-dev/chainloop/pkg/attestation/renderer"
 	"github.com/chainloop-dev/chainloop/pkg/attestation/signer"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
 	"google.golang.org/grpc"
+	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
@@ -174,7 +176,7 @@ func (action *AttestationPush) Run(ctx context.Context, attestationID string, ru
 	}
 
 	// render final attestation with all the evaluated policies inside
-	envelope, err := renderer.Render(ctx)
+	envelope, bundle, err := renderer.Render(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -194,7 +196,7 @@ func (action *AttestationPush) Run(ctx context.Context, attestationID string, ru
 
 	workflow := crafter.CraftingState.Attestation.GetWorkflow()
 
-	attestationResult.Digest, err = pushToControlPlane(ctx, action.ActionsOpts.CPConnection, envelope, workflow.GetWorkflowRunId(), workflow.GetVersion().GetMarkAsReleased())
+	attestationResult.Digest, err = pushToControlPlane(ctx, action.ActionsOpts.CPConnection, envelope, bundle, workflow.GetWorkflowRunId(), workflow.GetVersion().GetMarkAsReleased())
 	if err != nil {
 		return nil, fmt.Errorf("pushing to control plane: %w", err)
 	}
@@ -209,21 +211,29 @@ func (action *AttestationPush) Run(ctx context.Context, attestationID string, ru
 	return attestationResult, nil
 }
 
-func pushToControlPlane(ctx context.Context, conn *grpc.ClientConn, envelope *dsse.Envelope, workflowRunID string, markVersionAsReleased bool) (string, error) {
-	encodedAttestation, err := encodeEnvelope(envelope)
+func pushToControlPlane(ctx context.Context, conn *grpc.ClientConn, envelope *dsse.Envelope, bundle *protobundle.Bundle, workflowRunID string, markVersionAsReleased bool) (string, error) {
+	encodedBundle, err := encodeBundle(bundle)
 	if err != nil {
 		return "", fmt.Errorf("encoding attestation: %w", err)
 	}
 
 	client := pb.NewAttestationServiceClient(conn)
+
+	// if endpoint doesn't accept the bundle, we still send the plain attestation for backwards compatibility
+	encodedAttestation, err := encodeEnvelope(envelope)
+	if err != nil {
+		return "", fmt.Errorf("encoding attestation: %w", err)
+	}
+
+	// Store bundle next versions will perform this in a single call)
 	resp, err := client.Store(ctx, &pb.AttestationServiceStoreRequest{
 		Attestation:           encodedAttestation,
+		Bundle:                encodedBundle,
 		WorkflowRunId:         workflowRunID,
 		MarkVersionAsReleased: &markVersionAsReleased,
 	})
-
 	if err != nil {
-		return "", fmt.Errorf("contacting the control plane: %w", err)
+		return "", fmt.Errorf("storing attestation: %w", err)
 	}
 
 	return resp.Result.Digest, nil
@@ -233,6 +243,10 @@ func encodeEnvelope(e *dsse.Envelope) ([]byte, error) {
 	return json.Marshal(e)
 }
 
+func encodeBundle(b *protobundle.Bundle) ([]byte, error) {
+	return protojson.Marshal(b)
+}
+
 func decodeEnvelope(rawEnvelope []byte) (*dsse.Envelope, error) {
 	envelope := &dsse.Envelope{}
 	if err := json.Unmarshal(rawEnvelope, envelope); err != nil {

app/controlplane/api/controlplane/v1/workflow_run.pb.go

@@ -136,7 +136,10 @@ message AttestationServiceInitResponse {
 
 message AttestationServiceStoreRequest {
   // encoded DSEE envelope
-  bytes attestation = 1 [(buf.validate.field).bytes.min_len = 1];
+  bytes attestation = 1 [deprecated=true];
+  // encoded Sigstore attestation bundle
+  // TODO. Add min_len constraint
+  bytes bundle = 4;
   string workflow_run_id = 2 [(buf.validate.field).string = {min_len: 1}];
   // mark the associated version as released
   optional bool mark_version_as_released = 3;