feature(controlplane): upload attestations through CAS instead (#45)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/controlplane/api/controlplane/v1/integrations.proto

@@ -39,7 +39,7 @@ service IntegrationsService {
 }
 
 message AddDependencyTrackRequest {
-	IntegrationConfig.DependencyTrack config = 1 [(validate.rules).message.required = true];;
+	IntegrationConfig.DependencyTrack config = 1 [(validate.rules).message.required = true];
 	string api_key = 2 [(validate.rules).string.min_len = 1];
 }
 
@@ -55,7 +55,7 @@ message IntegrationsServiceListResponse{
 message IntegrationsServiceAttachRequest{
   string workflow_id = 1 [(validate.rules).string.uuid = true];
   string integration_id = 2 [(validate.rules).string.uuid = true];
-  IntegrationAttachmentConfig config = 3 [(validate.rules).message.required = true];;
+  IntegrationAttachmentConfig config = 3 [(validate.rules).message.required = true];
 }
 
 message IntegrationsServiceAttachResponse{

app/controlplane/cmd/main.go

@@ -109,7 +109,7 @@ func main() {
 		panic(err)
 	}
 
-	app, cleanup, err := wireApp(bc.Server, bc.Auth, bc.Data, credsWriter, logger)
+	app, cleanup, err := wireApp(&bc, credsWriter, logger)
 	if err != nil {
 		panic(err)
 	}

app/controlplane/cmd/wire.go

@@ -33,8 +33,7 @@ import (
 	"github.com/google/wire"
 )
 
-// wireApp init kratos application.
-func wireApp(*conf.Server, *conf.Auth, *conf.Data, credentials.ReaderWriter, log.Logger) (*app, func(), error) {
+func wireApp(*conf.Bootstrap, credentials.ReaderWriter, log.Logger) (*app, func(), error) {
 	panic(
 		wire.Build(
 			wire.Bind(new(credentials.Reader), new(credentials.ReaderWriter)),
@@ -43,8 +42,10 @@ func wireApp(*conf.Server, *conf.Auth, *conf.Data, credentials.ReaderWriter, log
 			biz.ProviderSet,
 			service.ProviderSet,
 			wire.Bind(new(backend.Provider), new(*oci.BackendProvider)),
+			wire.Bind(new(biz.CASUploader), new(*biz.CASClientUseCase)),
 			oci.NewBackendProvider,
 			serviceOpts,
+			wire.FieldsOf(new(*conf.Bootstrap), "Server", "Auth", "Data", "CasServer"),
 			newApp,
 		),
 	)

app/controlplane/cmd/wire_gen.go

@@ -16,7 +16,9 @@ server:
 
 # Local CAS server for development
 cas_server:
-  addr: 0.0.0.0:9001
+  grpc:
+    addr: 0.0.0.0:9001
+  insecure: true
 
 credentials_service:
   vault:

app/controlplane/configs/config.devel.yaml

@@ -12,6 +12,10 @@ auth:
   # allow_list:
   #   - [email protected]
 
+# CAS server where the controlplane will push artifacts to
+cas_server:
+  addr: 0.0.0.0:9001
+
 # Where to store credentials such as OCI registries or third party integrations secrets
 credentials_service:
   # You can use either vault or aws secret manager

app/controlplane/configs/samples/config.yaml

@@ -26,6 +26,7 @@ import (
 	casAPI "github.com/chainloop-dev/chainloop/app/artifact-cas/api/cas/v1"
 
 	backend "github.com/chainloop-dev/chainloop/internal/blobmanager"
+	"github.com/chainloop-dev/chainloop/internal/servicelogger"
 	"github.com/go-kratos/kratos/v2/log"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 )
@@ -36,6 +37,11 @@ type Attestation struct {
 
 type AttestationUseCase struct {
 	logger *log.Helper
+	CASUploader
+
+	// DEPRECATED
+	// We will remove it once we force all the clients to use the CAS instead
+	backendProvider backend.Provider
 }
 
 type AttestationRef struct {
@@ -45,13 +51,15 @@ type AttestationRef struct {
 	SecretRef string
 }
 
-func NewAttestationUseCase(logger log.Logger) *AttestationUseCase {
+func NewAttestationUseCase(uploader CASUploader, p backend.Provider, logger log.Logger) *AttestationUseCase {
 	if logger == nil {
 		logger = log.NewStdLogger(io.Discard)
 	}
 
 	return &AttestationUseCase{
-		logger: log.NewHelper(logger),
+		logger:          servicelogger.ScopedHelper(logger, "biz/attestation"),
+		CASUploader:     uploader,
+		backendProvider: p,
 	}
 }
 
@@ -71,18 +79,8 @@ func (uc *AttestationUseCase) FetchFromStore(ctx context.Context, downloader bac
 	return &Attestation{Envelope: &envelope}, nil
 }
 
-// UploadAttestationToOCI uploads the attestation to the OCI CAS returning the reference to the attestation
-func (uc *AttestationUseCase) UploadAttestationToOCI(ctx context.Context, envelope *dsse.Envelope, uploader backend.Uploader, workflowRunID string) (string, error) {
-	digest, err := doUploadToOCI(ctx, uploader, workflowRunID, envelope, uc.logger)
-	if err != nil {
-		return "", err
-	}
-
-	return digest, nil
-}
-
-func doUploadToOCI(ctx context.Context, backend backend.Uploader, runID string, envelope *dsse.Envelope, logger *log.Helper) (string, error) {
-	fileName := fmt.Sprintf("attestation-%s.json", runID)
+func (uc *AttestationUseCase) UploadToCAS(ctx context.Context, envelope *dsse.Envelope, secretID, workflowRunID string) (string, error) {
+	filename := fmt.Sprintf("attestation-%s.json", workflowRunID)
 	jsonContent, err := json.Marshal(envelope)
 	if err != nil {
 		return "", fmt.Errorf("marshaling the envelope: %w", err)
@@ -92,13 +90,28 @@ func doUploadToOCI(ctx context.Context, backend backend.Uploader, runID string,
 	hash.Write(jsonContent)
 	digest := fmt.Sprintf("%x", hash.Sum(nil))
 
-	if err := backend.Upload(ctx, bytes.NewBuffer(jsonContent), &casAPI.CASResource{
-		FileName: fileName, Digest: digest,
+	if uc.CASUploader.Configured() {
+		if err := uc.CASUploader.Upload(ctx, secretID, bytes.NewBuffer(jsonContent), filename, digest); err != nil {
+			return "", fmt.Errorf("uploading to CAS: %w", err)
+		}
+
+		return digest, nil
+	}
+
+	uc.logger.Warnw("msg", "no CAS configured, falling back to old mechanism")
+
+	// fallback to old mechanism, this will be removed once we force all the clients to use the CAS
+	// TODO: remove
+	uploader, err := uc.backendProvider.FromCredentials(ctx, secretID)
+	if err != nil {
+		return "", err
+	}
+
+	if err := uploader.Upload(ctx, bytes.NewBuffer(jsonContent), &casAPI.CASResource{
+		FileName: filename, Digest: digest,
 	}); err != nil {
 		return "", fmt.Errorf("uploading to OCI: %w", err)
 	}
 
-	logger.Infow("msg", "attestation uploaded to OCI", "digest", digest, "filename", fileName, "runID", runID)
-
 	return digest, nil
 }

app/controlplane/internal/biz/attestation.go

@@ -13,7 +13,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package biz
+package biz_test
 
 import (
 	"context"
@@ -23,7 +23,9 @@ import (
 	"testing"
 
 	casAPI "github.com/chainloop-dev/chainloop/app/artifact-cas/api/cas/v1"
-	"github.com/chainloop-dev/chainloop/internal/blobmanager/mocks"
+	"github.com/chainloop-dev/chainloop/app/controlplane/internal/biz"
+	"github.com/chainloop-dev/chainloop/app/controlplane/internal/biz/mocks"
+	blobmock "github.com/chainloop-dev/chainloop/internal/blobmanager/mocks"
 	"github.com/google/uuid"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/stretchr/testify/assert"
@@ -32,7 +34,8 @@ import (
 	"github.com/stretchr/testify/suite"
 )
 
-func (s *attestationTestSuite) TestUploadToOCI() {
+// Deprecated method
+func (s *attestationTestSuite) TestUploadToCASFallbackOCI() {
 	runID := uuid.NewString()
 	envelope := &dsse.Envelope{}
 	const expectedDigest = "f845058d865c3d4d491c9019f6afe9c543ad2cd11b31620cc512e341fb03d3d8"
@@ -42,14 +45,34 @@ func (s *attestationTestSuite) TestUploadToOCI() {
 		FileName: fmt.Sprintf("attestation-%s.json", runID), Digest: expectedDigest,
 	}).Return(nil)
 
-	gotDigest, err := s.uc.UploadAttestationToOCI(context.Background(), envelope, s.uploader, runID)
+	s.casUploader.On("Configured").Return(false)
+
+	gotDigest, err := s.uc.UploadToCAS(ctx, envelope, "my-secret", runID)
+	assert.NoError(s.T(), err)
+	assert.Equal(s.T(), expectedDigest, gotDigest)
+}
+
+func (s *attestationTestSuite) TestUploadToCAS() {
+	runID := uuid.NewString()
+	envelope := &dsse.Envelope{}
+	const expectedDigest = "f845058d865c3d4d491c9019f6afe9c543ad2cd11b31620cc512e341fb03d3d8"
+
+	ctx := context.Background()
+	s.casUploader.On(
+		"Upload", ctx, "my-secret", mock.Anything,
+		fmt.Sprintf("attestation-%s.json", runID), expectedDigest,
+	).Return(nil)
+
+	s.casUploader.On("Configured").Return(true)
+
+	gotDigest, err := s.uc.UploadToCAS(ctx, envelope, "my-secret", runID)
 	assert.NoError(s.T(), err)
 	assert.Equal(s.T(), expectedDigest, gotDigest)
 }
 
 func (s *attestationTestSuite) TestFetchFromStore() {
 	const expectedDigest = "f845058d865c3d4d491c9019f6afe9c543ad2cd11b31620cc512e341fb03d3d8"
-	want := &Attestation{Envelope: &dsse.Envelope{}}
+	want := &biz.Attestation{Envelope: &dsse.Envelope{}}
 
 	ctx := context.Background()
 	s.downloader.On("Download", ctx, mock.Anything, expectedDigest).Return(nil).Run(
@@ -69,15 +92,22 @@ func TestAttestation(t *testing.T) {
 }
 
 func (s *attestationTestSuite) SetupTest() {
-	s.uc = NewAttestationUseCase(nil)
-	s.uploader = mocks.NewUploader(s.T())
-	s.downloader = mocks.NewDownloader(s.T())
+	backendProvider := blobmock.NewProvider(s.T())
+	ociBackend := blobmock.NewUploaderDownloader(s.T())
+	backendProvider.On("FromCredentials", mock.Anything, "my-secret").Maybe().Return(ociBackend, nil)
+
+	s.casUploader = mocks.NewCASUploader(s.T())
+	s.uc = biz.NewAttestationUseCase(s.casUploader, backendProvider, nil)
+	s.uploader = (*blobmock.Uploader)(ociBackend)
+	s.downloader = blobmock.NewDownloader(s.T())
 }
 
 // Utility struct to hold the test suite
 type attestationTestSuite struct {
 	suite.Suite
-	uc         *AttestationUseCase
-	uploader   *mocks.Uploader
-	downloader *mocks.Downloader
+	uc *biz.AttestationUseCase
+	// Deprecated: attestation should use the casclient instead of the blobmanager
+	uploader    *blobmock.Uploader
+	downloader  *blobmock.Downloader
+	casUploader *mocks.CASUploader
 }

app/controlplane/internal/biz/attestation_test.go

@@ -22,16 +22,17 @@ var ProviderSet = wire.NewSet(
 	NewWorkflowUsecase,
 	NewUserUseCase,
 	NewRootAccountUseCase,
-	NewWorkflowRunUsecase,
-	NewOrganizationUsecase,
+	NewWorkflowRunUseCase,
+	NewOrganizationUseCase,
 	NewAttestationUseCase,
-	NewWorkflowContractUsecase,
+	NewWorkflowContractUseCase,
 	NewCASCredentialsUseCase,
-	NewOCIRepositoryUsecase,
+	NewOCIRepositoryUseCase,
 	NewOrgMetricsUseCase,
-	NewIntegrationUsecase,
-	NewMembershipUsecase,
+	NewIntegrationUseCase,
+	NewMembershipUseCase,
+	NewCASClientUseCase,
 	NewWorkflowRunExpirerUseCase,
-	wire.Struct(new(NewIntegrationUsecaseOpts), "*"),
+	wire.Struct(new(NewIntegrationUseCaseOpts), "*"),
 	wire.Struct(new(NewUserUseCaseParams), "*"),
 )