feat(backend): ATTESTATION material type (#727)

Signed-off-by: Jose I. Paris <[email protected]>

Author: jiparis

README.md

@@ -131,6 +131,7 @@ Chainloop supports the collection of the following pieces of evidence types:
 - [SARIF](https://docs.oasis-open.org/sarif/sarif/v2.1.0/)
 - [JUnit](https://www.ibm.com/docs/en/developer-for-zos/14.1?topic=formats-junit-xml-format)
 - [Helm Chart](https://helm.sh/docs/topics/charts/)
+- Attestation: existing Chainloop attestations.
 - Artifact Type: It represents a software artifact.
 - Custom Evidence Type: Custom piece of evidence that doesn't fit in any other category, for instance, an approval report in json format, etc.
 - Key-Value metadata pairs

app/controlplane/api/gen/frontend/workflowcontract/v1/crafting_schema.ts

@@ -88,6 +88,9 @@ message CraftingSchema {
       // Pieces of evidences represent generic, additional context that don't fit
       // into one of the well known material types. For example, a custom approval report (in json), ...
       EVIDENCE = 11;
+
+      // Chainloop attestation coming from a different workflow.
+      ATTESTATION = 12;
     }
   }
 }

app/controlplane/api/workflowcontract/v1/crafting_schema.pb.go

@@ -18,10 +18,10 @@ package biz
 import (
 	"bytes"
 	"context"
-	"encoding/json"
 	"fmt"
 	"io"
 
+	"github.com/chainloop-dev/chainloop/internal/attestation"
 	"github.com/chainloop-dev/chainloop/internal/servicelogger"
 	"github.com/go-kratos/kratos/v2/log"
 
@@ -47,7 +47,7 @@ func NewAttestationUseCase(client CASClient, logger log.Logger) *AttestationUseC
 
 func (uc *AttestationUseCase) UploadToCAS(ctx context.Context, envelope *dsse.Envelope, backend *CASBackend, workflowRunID string) (*cr_v1.Hash, error) {
 	filename := fmt.Sprintf("attestation-%s.json", workflowRunID)
-	jsonContent, h, err := jsonEnvelopeWithDigest(envelope)
+	jsonContent, h, err := attestation.JSONEnvelopeWithDigest(envelope)
 	if err != nil {
 		return nil, fmt.Errorf("marshaling the envelope: %w", err)
 	}
@@ -58,18 +58,3 @@ func (uc *AttestationUseCase) UploadToCAS(ctx context.Context, envelope *dsse.En
 
 	return &h, nil
 }
-
-// jsonEnvelopeWithDigest returns the JSON content of the envelope and its digest.
-func jsonEnvelopeWithDigest(envelope *dsse.Envelope) ([]byte, cr_v1.Hash, error) {
-	jsonContent, err := json.Marshal(envelope)
-	if err != nil {
-		return nil, cr_v1.Hash{}, fmt.Errorf("marshaling the envelope: %w", err)
-	}
-
-	h, _, err := cr_v1.SHA256(bytes.NewBuffer(jsonContent))
-	if err != nil {
-		return nil, cr_v1.Hash{}, fmt.Errorf("calculating the digest: %w", err)
-	}
-
-	return jsonContent, h, nil
-}

app/controlplane/api/workflowcontract/v1/crafting_schema.proto

@@ -24,6 +24,7 @@ import (
 	"time"
 
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/conf"
+	"github.com/chainloop-dev/chainloop/internal/attestation"
 	"github.com/chainloop-dev/chainloop/internal/attestation/renderer/chainloop"
 	"github.com/chainloop-dev/chainloop/internal/servicelogger"
 	"github.com/go-kratos/kratos/v2/log"
@@ -247,7 +248,7 @@ func (r *Referrer) MapID() string {
 // 4 - creating link between the attestation and the materials/subjects as needed
 // see tests for examples
 func extractReferrers(att *dsse.Envelope) ([]*Referrer, error) {
-	_, h, err := jsonEnvelopeWithDigest(att)
+	_, h, err := attestation.JSONEnvelopeWithDigest(att)
 	if err != nil {
 		return nil, fmt.Errorf("marshaling attestation: %w", err)
 	}

app/controlplane/internal/biz/attestation.go

@@ -23,6 +23,7 @@ import (
 	"time"
 
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/pagination"
+	"github.com/chainloop-dev/chainloop/internal/attestation"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 
 	"github.com/go-kratos/kratos/v2/log"
@@ -248,7 +249,7 @@ func (uc *WorkflowRunUseCase) SaveAttestation(ctx context.Context, id string, en
 	}
 
 	// Calculate the digest
-	_, digest, err := jsonEnvelopeWithDigest(envelope)
+	_, digest, err := attestation.JSONEnvelopeWithDigest(envelope)
 	if err != nil {
 		return "", NewErrValidation(fmt.Errorf("marshaling the envelope: %w", err))
 	}

app/controlplane/internal/biz/referrer.go

@@ -56,6 +56,7 @@ Chainloop supports the collection of the following pieces of evidence types:
 - [SARIF](https://docs.oasis-open.org/sarif/sarif/v2.1.0/)
 - [JUnit](https://www.ibm.com/docs/en/developer-for-zos/14.1?topic=formats-junit-xml-format)
 - [Helm Chart](https://helm.sh/docs/topics/charts/)
+- Attestation: existing Chainloop attestations.
 - Artifact Type: It represents a software artifact.
 - Custom Evidence Type: Custom piece of evidence that doesn't fit in any other category, for instance, an approval report in json format, etc.
 - Key-Value metadata pairs

app/controlplane/internal/biz/workflowrun.go

@@ -0,0 +1,40 @@
+//
+// Copyright 2024 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package attestation
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+
+	cr_v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+// JSONEnvelopeWithDigest returns the JSON content of the envelope and its digest.
+func JSONEnvelopeWithDigest(envelope *dsse.Envelope) ([]byte, cr_v1.Hash, error) {
+	jsonContent, err := json.Marshal(envelope)
+	if err != nil {
+		return nil, cr_v1.Hash{}, fmt.Errorf("marshaling the envelope: %w", err)
+	}
+
+	h, _, err := cr_v1.SHA256(bytes.NewBuffer(jsonContent))
+	if err != nil {
+		return nil, cr_v1.Hash{}, fmt.Errorf("calculating the digest: %w", err)
+	}
+
+	return jsonContent, h, nil
+}

docs/docs/reference/operator/contract.mdx

@@ -0,0 +1,90 @@
+//
+// Copyright 2024 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package materials
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path"
+
+	schemaapi "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
+	"github.com/chainloop-dev/chainloop/internal/attestation"
+	api "github.com/chainloop-dev/chainloop/internal/attestation/crafter/api/attestation/v1"
+	"github.com/chainloop-dev/chainloop/internal/attestation/renderer/chainloop"
+	"github.com/chainloop-dev/chainloop/internal/casclient"
+	"github.com/rs/zerolog"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+type AttestationCrafter struct {
+	*crafterCommon
+	backend *casclient.CASBackend
+}
+
+// NewAttestationCrafter generates a new Attestation material.
+// Attestation materials represent a chainloop attestation submitted in a different workflow. This is useful to link
+// related workflow runs. For instance, the deployment of different microservices coming from a common build workflow.
+func NewAttestationCrafter(schema *schemaapi.CraftingSchema_Material, backend *casclient.CASBackend, l *zerolog.Logger) (*AttestationCrafter, error) {
+	if schema.Type != schemaapi.CraftingSchema_Material_ATTESTATION {
+		return nil, fmt.Errorf("material type is not attestation")
+	}
+
+	craftCommon := &crafterCommon{logger: l, input: schema}
+	return &AttestationCrafter{backend: backend, crafterCommon: craftCommon}, nil
+}
+
+// Craft will calculate the digest of the artifact, simulate an upload and return the material definition
+func (i *AttestationCrafter) Craft(ctx context.Context, artifactPath string) (*api.Attestation_Material, error) {
+	data, err := os.ReadFile(artifactPath)
+	if err != nil {
+		return nil, fmt.Errorf("artifact file cannot be read: %w", err)
+	}
+	var dsseEnvelope dsse.Envelope
+	if err := json.Unmarshal(data, &dsseEnvelope); err != nil {
+		return nil, fmt.Errorf("artifact is not a valid DSEE Envelope: %w", err)
+	}
+
+	predicate, err := chainloop.ExtractPredicate(&dsseEnvelope)
+	if err != nil {
+		return nil, fmt.Errorf("the provided file does not seem to be a chainloop-generated attestation: %w", err)
+	}
+
+	// regenerate the json from the parsed data, just to remove any formating from the incoming json and preserve
+	// the digest
+	jsonContent, _, err := attestation.JSONEnvelopeWithDigest(&dsseEnvelope)
+	if err != nil {
+		return nil, fmt.Errorf("creating CAS payload: %w", err)
+	}
+
+	// Create a temp file with this content and upload to the CAS
+	dir := os.TempDir()
+	filename := fmt.Sprintf("%s-%s-attestation.json", predicate.GetMetadata().Name, predicate.GetMetadata().WorkflowRunID)
+
+	file, err := os.Create(path.Join(dir, filename))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create temp file: %w", err)
+	}
+	defer file.Close()
+	defer os.Remove(file.Name())
+
+	if _, err := file.Write(jsonContent); err != nil {
+		return nil, fmt.Errorf("failed to write JSON payload: %w", err)
+	}
+
+	return uploadAndCraft(ctx, i.input, i.backend, file.Name(), i.logger)
+}