feat(controlplane): store and show the digest in CAS of the attestation (#329)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/cli/cmd/workflow_workflow_run_describe.go

@@ -116,6 +116,7 @@ func workflowRunDescribeTableOutput(run *action.WorkflowRunItemFull) error {
 	gt.AppendRow(table.Row{"Statement"})
 	gt.AppendSeparator()
 	gt.AppendRow(table.Row{"Payload Type", att.Envelope.PayloadType})
+	gt.AppendRow(table.Row{"Digest", att.Digest})
 	color := text.FgHiRed
 	if run.Verified {
 		color = text.FgHiGreen

app/cli/internal/action/workflow_run_describe.go

@@ -50,6 +50,8 @@ type WorkflowRunAttestationItem struct {
 	Materials   []*Material   `json:"materials,omitempty"`
 	EnvVars     []*EnvVar     `json:"envvars,omitempty"`
 	Annotations []*Annotation `json:"annotations,omitempty"`
+	// Digest in CAS backend
+	Digest string `json:"digest"`
 }
 
 type Material struct {
@@ -153,6 +155,7 @@ func (action *WorkflowRunDescribe) Run(runID string, verify bool, publicKey stri
 		EnvVars:     envVars,
 		Materials:   materials,
 		Annotations: annotations,
+		Digest:      attestation.DigestInCasBackend,
 	}
 
 	return item, nil

app/controlplane/api/controlplane/v1/response_messages.pb.go

@@ -53,6 +53,8 @@ message AttestationItem {
   google.protobuf.Timestamp created_at = 2;
   // encoded DSEE envelope
   bytes envelope = 3;
+  // sha256sum of the envelope in json format, used as a key in the CAS backend
+  string digest_in_cas_backend = 7;
 
   // denormalized envelope/statement content
   repeated EnvVariable env_vars = 4;

app/controlplane/api/controlplane/v1/response_messages.pb.validate.go

@@ -16,15 +16,19 @@
 package biz
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
+	"fmt"
 	"io"
 	"time"
 
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/pagination"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 
 	"github.com/go-kratos/kratos/v2/log"
+	cr_v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/uuid"
 )
 
@@ -41,6 +45,7 @@ type WorkflowRun struct {
 
 type Attestation struct {
 	Envelope *dsse.Envelope
+	Digest   string
 }
 
 type WorkflowRunWithContract struct {
@@ -63,7 +68,7 @@ type WorkflowRunRepo interface {
 	FindByID(ctx context.Context, ID uuid.UUID) (*WorkflowRun, error)
 	FindByIDInOrg(ctx context.Context, orgID, ID uuid.UUID) (*WorkflowRun, error)
 	MarkAsFinished(ctx context.Context, ID uuid.UUID, status WorkflowRunStatus, reason string) error
-	SaveAttestation(ctx context.Context, ID uuid.UUID, att *dsse.Envelope) error
+	SaveAttestation(ctx context.Context, ID uuid.UUID, att *dsse.Envelope, digest string) error
 	List(ctx context.Context, orgID, workflowID uuid.UUID, p *pagination.Options) ([]*WorkflowRun, string, error)
 	// List the runs that have not finished and are older than a given time
 	ListNotFinishedOlderThan(ctx context.Context, olderThan time.Time) ([]*WorkflowRun, error)
@@ -217,7 +222,18 @@ func (uc *WorkflowRunUseCase) SaveAttestation(ctx context.Context, id string, en
 		return NewErrInvalidUUID(err)
 	}
 
-	return uc.wfRunRepo.SaveAttestation(ctx, runID, envelope)
+	// Calculate the attestation hash of the json representation of the envelope
+	jsonAtt, err := json.Marshal(envelope)
+	if err != nil {
+		return NewErrValidation(fmt.Errorf("marshaling attestation: %w", err))
+	}
+
+	h, _, err := cr_v1.SHA256(bytes.NewBuffer(jsonAtt))
+	if err != nil {
+		return fmt.Errorf("calculating attestation hash: %w", err)
+	}
+
+	return uc.wfRunRepo.SaveAttestation(ctx, runID, envelope, h.String())
 }
 
 // List the workflowruns associated with an org and optionally filtered by a workflow

app/controlplane/api/controlplane/v1/response_messages.proto

@@ -56,7 +56,7 @@ func (s *workflowRunIntegrationTestSuite) TestSaveAttestation() {
 		// Retrieve attestation ref from storage and compare
 		r, err := s.WorkflowRun.View(ctx, s.org.ID, run.ID.String())
 		assert.NoError(err)
-		assert.Equal(r.Attestation, &biz.Attestation{Envelope: validEnvelope})
+		assert.Equal(r.Attestation, &biz.Attestation{Envelope: validEnvelope, Digest: "sha256:f845058d865c3d4d491c9019f6afe9c543ad2cd11b31620cc512e341fb03d3d8"})
 	})
 }