chore: validate dependent attestation in referrer endpoint (#745)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/controlplane/internal/biz/referrer.go

@@ -72,6 +72,9 @@ type ReferrerRepo interface {
 	// For example if sha:deadbeef represents an attestation, the result will contain the attestation + materials associated to it
 	// OrgIDs represent an allowList of organizations where the referrers should be looked for
 	GetFromRoot(ctx context.Context, digest string, orgIDS []uuid.UUID, filters ...GetFromRootFilter) (*StoredReferrer, error)
+	// Check if a given referrer by digest exist.
+	// The query can be scoped further down if needed by providing the kind or visibility status
+	Exist(ctx context.Context, digest string, filters ...GetFromRootFilter) (bool, error)
 }
 
 type Referrer struct {
@@ -132,7 +135,7 @@ func (s *ReferrerUseCase) ExtractAndPersist(ctx context.Context, att *dsse.Envel
 		return NewErrNotFound("workflow")
 	}
 
-	referrers, err := extractReferrers(att)
+	referrers, err := extractReferrers(att, s.repo)
 	if err != nil {
 		return fmt.Errorf("extracting referrers: %w", err)
 	}
@@ -247,7 +250,7 @@ func (r *Referrer) MapID() string {
 // 3 - and the subjects (some of them)
 // 4 - creating link between the attestation and the materials/subjects as needed
 // see tests for examples
-func extractReferrers(att *dsse.Envelope) ([]*Referrer, error) {
+func extractReferrers(att *dsse.Envelope, repo ReferrerRepo) ([]*Referrer, error) {
 	_, h, err := attestation.JSONEnvelopeWithDigest(att)
 	if err != nil {
 		return nil, fmt.Errorf("marshaling attestation: %w", err)
@@ -290,6 +293,17 @@ func extractReferrers(att *dsse.Envelope) ([]*Referrer, error) {
 			continue
 		}
 
+		// If we are inserting an attestation as a dependent, we want to make sure it already exists
+		// stored in the system. This is so we can ensure that the attestations nodes are created through
+		// an attestation process, not as a referenced provided by the user
+		if material.Type == referrerAttestationType {
+			if exists, err := repo.Exist(context.Background(), material.Hash.String(), WithKind(referrerAttestationType)); err != nil {
+				return nil, fmt.Errorf("checking if attestation exists: %w", err)
+			} else if !exists {
+				return nil, fmt.Errorf("attestation material does not exist %q", material.Hash.String())
+			}
+		}
+
 		// Create its referrer entry if it doesn't exist yet
 		// the reason it might exist is because you might be attaching the same material twice
 		// i.e the same SBOM twice, in that case we don't want to create a new referrer

app/controlplane/internal/biz/referrer_integration_test.go

@@ -24,8 +24,11 @@ import (
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/biz"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/biz/testhelpers"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/conf"
+	"github.com/chainloop-dev/chainloop/internal/credentials"
+	creds "github.com/chainloop-dev/chainloop/internal/credentials/mocks"
 	"github.com/google/uuid"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
 )
@@ -108,12 +111,39 @@ func (s *referrerIntegrationTestSuite) TestGetFromRootInPublicSharedIndex() {
 	})
 }
 
+func (s *referrerIntegrationTestSuite) TestExtractAndPersistsDependentAttestation() {
+	envelope := testEnvelope(s.T(), "testdata/attestations/with-dependent-attestation.json")
+	ctx := context.Background()
+
+	const (
+		wantReferrerAtt  = "sha256:950c7b4c65447a3b86b6f769515005e7c44a67c8193bff790750eadf13207fbb"
+		wantDependentAtt = "sha256:2dc17f7c933d20e06b49250a582a3d19bdfbadba9c4e5f3f856af6f261db79d4"
+	)
+
+	s.Run("creation fails because the dependent attestation doesn't exist yet", func() {
+		err := s.Referrer.ExtractAndPersist(ctx, envelope, s.workflow1.ID.String())
+		s.ErrorContains(err, "attestation material does not exist")
+	})
+
+	s.Run("if the dependent attestation exists we ingest it", func() {
+		// We store the dependent attestation
+		dependentAtt := testEnvelope(s.T(), "testdata/attestations/dependent-attestation.json")
+		err := s.Referrer.ExtractAndPersist(ctx, dependentAtt, s.workflow1.ID.String())
+		require.NoError(s.T(), err)
+
+		err = s.Referrer.ExtractAndPersist(ctx, envelope, s.workflow1.ID.String())
+		s.NoError(err)
+		got, err := s.Referrer.GetFromRootUser(ctx, wantReferrerAtt, "ATTESTATION", s.user.ID)
+		s.NoError(err)
+		// It has a commit and an attestation
+		require.Len(s.T(), got.References, 2)
+		s.Equal(wantDependentAtt, got.References[1].Digest)
+	})
+}
+
 func (s *referrerIntegrationTestSuite) TestExtractAndPersists() {
 	// Load attestation
-	attJSON, err := os.ReadFile("testdata/attestations/with-git-subject.json")
-	require.NoError(s.T(), err)
-	var envelope *dsse.Envelope
-	require.NoError(s.T(), json.Unmarshal(attJSON, &envelope))
+	envelope := testEnvelope(s.T(), "testdata/attestations/with-git-subject.json")
 
 	wantReferrerAtt := &biz.Referrer{
 		Digest:       "sha256:de36d470d792499b1489fc0e6623300fc8822b8f0d2981bb5ec563f8dde723c7",
@@ -218,7 +248,7 @@ func (s *referrerIntegrationTestSuite) TestExtractAndPersists() {
 	})
 
 	s.T().Run("but another workflow can be attached", func(t *testing.T) {
-		err = s.Referrer.ExtractAndPersist(ctx, envelope, s.workflow2.ID.String())
+		err := s.Referrer.ExtractAndPersist(ctx, envelope, s.workflow2.ID.String())
 		s.NoError(err)
 		got, err := s.Referrer.GetFromRootUser(ctx, wantReferrerAtt.Digest, "", s.user.ID)
 		s.NoError(err)
@@ -232,12 +262,12 @@ func (s *referrerIntegrationTestSuite) TestExtractAndPersists() {
 		got, err = s.Referrer.GetFromRootUser(ctx, wantReferrerAtt.Digest, "", s.user.ID)
 		s.NoError(err)
 		require.Len(t, got.OrgIDs, 2)
-		s.Equal([]uuid.UUID{s.org1UUID, s.org2UUID}, got.OrgIDs)
-		s.Equal([]uuid.UUID{s.workflow1.ID, s.workflow2.ID}, got.WorkflowIDs)
+		s.Equal([]uuid.UUID{s.org2UUID, s.org1UUID}, got.OrgIDs)
+		s.Equal([]uuid.UUID{s.workflow2.ID, s.workflow1.ID}, got.WorkflowIDs)
 	})
 
 	s.T().Run("and now user2 has access to it since it has access to workflow2 in org2", func(t *testing.T) {
-		err = s.Referrer.ExtractAndPersist(ctx, envelope, s.workflow2.ID.String())
+		err := s.Referrer.ExtractAndPersist(ctx, envelope, s.workflow2.ID.String())
 		s.NoError(err)
 		got, err := s.Referrer.GetFromRootUser(ctx, wantReferrerAtt.Digest, "", s.user2.ID)
 		s.NoError(err)
@@ -274,19 +304,14 @@ func (s *referrerIntegrationTestSuite) TestExtractAndPersists() {
 	})
 
 	s.T().Run("it should NOT fail storing the attestation with the same material twice with different types", func(t *testing.T) {
-		attJSON, err = os.ReadFile("testdata/attestations/with-duplicated-sha.json")
-		require.NoError(s.T(), err)
-		require.NoError(s.T(), json.Unmarshal(attJSON, &envelope))
+		envelope := testEnvelope(s.T(), "testdata/attestations/with-duplicated-sha.json")
 
 		err := s.Referrer.ExtractAndPersist(ctx, envelope, s.workflow1.ID.String())
 		s.NoError(err)
 	})
 
 	s.T().Run("it should fail on retrieval if we have stored two referrers with same digest (for two different types)", func(t *testing.T) {
-		// this attestation contains a material with same digest than the container image from git-subject.json
-		attJSON, err = os.ReadFile("testdata/attestations/same-digest-than-git-subject.json")
-		require.NoError(s.T(), err)
-		require.NoError(s.T(), json.Unmarshal(attJSON, &envelope))
+		envelope := testEnvelope(s.T(), "testdata/attestations/same-digest-than-git-subject.json")
 
 		// storing will not fail since it's the a different artifact type
 		err := s.Referrer.ExtractAndPersist(ctx, envelope, s.workflow1.ID.String())
@@ -329,7 +354,7 @@ func (s *referrerIntegrationTestSuite) TestExtractAndPersists() {
 		got, err := s.Referrer.GetFromRootUser(ctx, wantReferrerAtt.Digest, "", s.user.ID)
 		s.NoError(err)
 		s.False(got.InPublicWorkflow)
-		s.Equal([]uuid.UUID{s.workflow1.ID, s.workflow2.ID}, got.WorkflowIDs)
+		s.Equal([]uuid.UUID{s.workflow2.ID, s.workflow1.ID}, got.WorkflowIDs)
 		for _, r := range got.References {
 			s.False(r.InPublicWorkflow)
 		}
@@ -356,11 +381,15 @@ type referrerIntegrationTestSuite struct {
 	org1UUID, org2UUID   uuid.UUID
 	user, user2          *biz.User
 	sharedEnabledUC      *biz.ReferrerUseCase
+	run                  *biz.WorkflowRun
 }
 
 func (s *referrerIntegrationTestSuite) SetupTest() {
-	s.TestingUseCases = testhelpers.NewTestingUseCases(s.T())
+	credsWriter := creds.NewReaderWriter(s.T())
 	ctx := context.Background()
+	credsWriter.On("SaveCredentials", ctx, mock.Anything, &credentials.OCIKeypair{Repo: "repo", Username: "username", Password: "pass"}).Return("stored-OCI-secret", nil)
+
+	s.TestingUseCases = testhelpers.NewTestingUseCases(s.T(), testhelpers.WithCredsReaderWriter(credsWriter))
 
 	var err error
 	s.org1, err = s.Organization.CreateWithRandomName(ctx)
@@ -398,6 +427,24 @@ func (s *referrerIntegrationTestSuite) SetupTest() {
 			AllowedOrgs: []string{s.org1.ID},
 		}, nil)
 	require.NoError(s.T(), err)
+
+	// Robot account
+	robotAccount, err := s.RobotAccount.Create(ctx, "name", s.org1.ID, s.workflow1.ID.String())
+	require.NoError(s.T(), err)
+
+	// Find contract revision
+	contractVersion, err := s.WorkflowContract.Describe(ctx, s.org1.ID, s.workflow1.ContractID.String(), 0)
+	require.NoError(s.T(), err)
+
+	casBackend, err := s.CASBackend.CreateOrUpdate(ctx, s.org1.ID, "repo", "username", "pass", backendType, true)
+	require.NoError(s.T(), err)
+
+	s.run, err = s.WorkflowRun.Create(ctx,
+		&biz.WorkflowRunCreateOpts{
+			WorkflowID: s.workflow1.ID.String(), RobotaccountID: robotAccount.ID.String(), ContractRevision: contractVersion, CASBackendID: casBackend.ID,
+		})
+
+	require.NoError(s.T(), err)
 }
 
 func TestReferrerIntegration(t *testing.T) {

app/controlplane/internal/biz/referrer_test.go

@@ -331,7 +331,7 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 			var envelope *dsse.Envelope
 			require.NoError(s.T(), json.Unmarshal(attJSON, &envelope))
 
-			got, err := extractReferrers(envelope)
+			got, err := extractReferrers(envelope, nil)
 			if tc.expectErr {
 				s.Error(err)
 				return

app/controlplane/internal/biz/testdata/attestations/dependent-attestation.json

@@ -0,0 +1,10 @@
+{
+  "payloadType": "application/vnd.in-toto+json",
+  "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiY2hhaW5sb29wLndvcmtmbG93LnRlc3QyIiwiZGlnZXN0Ijp7InNoYTI1NiI6IjE1MTAwMzA1OWJmOTRiMTViZTMzNTBiZTc5MGM5MGEyYzE5MzBjOWU0Y2ZkYzQwOTEyYmMxY2UzM2Y3YzFmZGQifX0seyJuYW1lIjoiZ2l0LmhlYWQiLCJkaWdlc3QiOnsic2hhMSI6IjM1MTBkZDE1YzJiYTRmMWFkMDk0YjVlNTI3ZjNjYTAxNjVhNjk2MDAifSwiYW5ub3RhdGlvbnMiOnsiYXV0aG9yLmVtYWlsIjoibWlndWVsQGNoYWlubG9vcC5kZXYiLCJhdXRob3IubmFtZSI6Ik1pZ3VlbCBNYXJ0aW5leiBUcml2aW5vIiwiZGF0ZSI6IjIwMjQtMDQtMzBUMDY6Mjg6NDZaIiwibWVzc2FnZSI6ImZlYXQoY2xpKTogYWRkIGpzb24gb3V0cHV0IHRvIGF0dGVzdGF0aW9uIHB1c2hcblxuU2lnbmVkLW9mZi1ieTogTWlndWVsIE1hcnRpbmV6IFRyaXZpbm8gPG1pZ3VlbEBjaGFpbmxvb3AuZGV2PlxuIiwicmVtb3RlcyI6W3sibmFtZSI6Im9yaWdpbiIsInVybCI6ImdpdEBnaXRodWIuY29tOm1pZ21hcnRyaS9jaGFpbmxvb3AuZ2l0In0seyJuYW1lIjoidXBzdHJlYW0iLCJ1cmwiOiJnaXRAZ2l0aHViLmNvbTpjaGFpbmxvb3AtZGV2L2NoYWlubG9vcC5naXQifSx7Im5hbWUiOiJ0ZXN0LXRva2VuIiwidXJsIjoiaHR0cHM6Ly9naXRsYWItY2ktdG9rZW46Z2xjYnQtNjVfNVg2dUR6SlZSeDlyU3pnZFdES1pAZ2l0aHViLmNvbS9jaGFpbmxvb3AtZGV2L2NoYWlubG9vcC5naXQifV19fV0sInByZWRpY2F0ZVR5cGUiOiJjaGFpbmxvb3AuZGV2L2F0dGVzdGF0aW9uL3YwLjIiLCJwcmVkaWNhdGUiOnsiYnVpbGRUeXBlIjoiY2hhaW5sb29wLmRldi93b3JrZmxvd3J1bi92MC4xIiwiYnVpbGRlciI6eyJpZCI6ImNoYWlubG9vcC5kZXYvY2xpL2RldkBzaGEyNTY6MmE0ZGE4MGU5Y2IzZDJkZTU5YmVjZTAwNmEwOWZlOGNlN2RiZmJmYWQ3MDQ2MTcyMDIzYzY5N2VjMTc4MDcyMCJ9LCJtZXRhZGF0YSI6eyJmaW5pc2hlZEF0IjoiMjAyNC0wNC0zMFQwNjozMjoxOC41NjEwOTA2MzhaIiwiaW5pdGlhbGl6ZWRBdCI6IjIwMjQtMDQtMzBUMDY6MzI6MTEuNjkyOTUyOTk0WiIsIm5hbWUiOiJ0ZXN0MiIsIm9yZ2FuaXphdGlvbiI6ImZvbyIsInByb2plY3QiOiJiYXIiLCJ0ZWFtIjoiIiwid29ya2Zsb3dJRCI6IjY1MmRkMmExLTE0NjItNGFhMC05OTVmLTFlMjg2NWFkMjY3NiIsIndvcmtmbG93UnVuSUQiOiJiYzE2NzhlYy1iMGIzLTQxYWYtYmVhZC1lNzViYzBjNTRiMmMifSwicnVubmVyVHlwZSI6IlJVTk5FUl9UWVBFX1VOU1BFQ0lGSUVEIn19",
+  "signatures": [
+    {
+      "keyid": "",
+      "sig": "MEUCIDGBc8J4tpGaSyTcdHecnZOa725Tja4tozwtXNr6jSz7AiEA8xOts32aCmDs3TaUTyV8Tiv461gblt+ysfCT2OH9DFU="
+    }
+  ]
+}

app/controlplane/internal/biz/testdata/attestations/with-dependent-attestation.json

@@ -0,0 +1,10 @@
+{
+  "payloadType": "application/vnd.in-toto+json",
+  "payload": "eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCAic3ViamVjdCI6W3sibmFtZSI6ImNoYWlubG9vcC53b3JrZmxvdy50ZXN0MiIsICJkaWdlc3QiOnsic2hhMjU2IjoiNjA4N2M2NWFkMzczYzU1NzA5ZmM3OTM0NGM4OTcyZDAwNjk1ODM4ODkzYWE4NWZiMzU3MTcxZDk5NjY4MjcxOCJ9fSwgeyJuYW1lIjoiZ2l0LmhlYWQiLCAiZGlnZXN0Ijp7InNoYTEiOiI2NGNjZTZiYWQ4NGI0NzI1MjUyMjc4MjdlMzNlOTNhZmI0YzUyNzhhIn0sICJhbm5vdGF0aW9ucyI6eyJhdXRob3IuZW1haWwiOiJqYXZpZXJAY2hhaW5sb29wLmRldiIsICJhdXRob3IubmFtZSI6IkphdmllciBSb2Ryw61ndWV6IiwgImRhdGUiOiIyMDI0LTA0LTMwVDE0OjM0OjU5WiIsICJtZXNzYWdlIjoiZml4KGNpKTogT25seSBydW4gY29udHJhY3Qgc3luYyBvbiBjaGFuZ2VzIGluIGNvbnRyYWN0cyBwYXRoICgjNzM4KVxuXG5TaWduZWQtb2ZmLWJ5OiBKYXZpZXIgUm9kcmlndWV6IDxqYXZpZXJAY2hhaW5sb29wLmRldj4iLCAicmVtb3RlcyI6W3sibmFtZSI6InVwc3RyZWFtIiwgInVybCI6ImdpdEBnaXRodWIuY29tOmNoYWlubG9vcC1kZXYvY2hhaW5sb29wLmdpdCJ9LCB7Im5hbWUiOiJ0ZXN0LXRva2VuIiwgInVybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9jaGFpbmxvb3AtZGV2L2NoYWlubG9vcC5naXQifSwgeyJuYW1lIjoib3JpZ2luIiwgInVybCI6ImdpdEBnaXRodWIuY29tOm1pZ21hcnRyaS9jaGFpbmxvb3AuZ2l0In1dfX1dLCAicHJlZGljYXRlVHlwZSI6ImNoYWlubG9vcC5kZXYvYXR0ZXN0YXRpb24vdjAuMiIsICJwcmVkaWNhdGUiOnsiYnVpbGRUeXBlIjoiY2hhaW5sb29wLmRldi93b3JrZmxvd3J1bi92MC4xIiwgImJ1aWxkZXIiOnsiaWQiOiJjaGFpbmxvb3AuZGV2L2NsaS9kZXZAc2hhMjU2OmYxY2NhMmEyYTAyYWVjZmZkYzljZTdiYzBmNTY4MDQ3M2Y2ZjNmNTQxZDE2ZTk1MGRkMmNiMjYxZDU0MGM3NDAifSwgIm1hdGVyaWFscyI6W3siYW5ub3RhdGlvbnMiOnsiY2hhaW5sb29wLm1hdGVyaWFsLmNhcyI6dHJ1ZSwgImNoYWlubG9vcC5tYXRlcmlhbC5uYW1lIjoiZGVwbG95bWVudCIsICJjaGFpbmxvb3AubWF0ZXJpYWwudHlwZSI6IkFUVEVTVEFUSU9OIn0sICJkaWdlc3QiOnsic2hhMjU2IjoiMmRjMTdmN2M5MzNkMjBlMDZiNDkyNTBhNTgyYTNkMTliZGZiYWRiYTljNGU1ZjNmODU2YWY2ZjI2MWRiNzlkNCJ9LCAibmFtZSI6InRlc3QyLWJjMTY3OGVjLWIwYjMtNDFhZi1iZWFkLWU3NWJjMGM1NGIyYy1hdHRlc3RhdGlvbi5qc29uIn1dLCAibWV0YWRhdGEiOnsiZmluaXNoZWRBdCI6IjIwMjQtMDUtMDNUMDk6NDQ6MDguMjY2ODM3MjYyWiIsICJpbml0aWFsaXplZEF0IjoiMjAyNC0wNS0wM1QwOTo0Mzo1Ny40MzI2MjQ1MTRaIiwgIm5hbWUiOiJ0ZXN0MiIsICJvcmdhbml6YXRpb24iOiJmb28iLCAicHJvamVjdCI6ImJhciIsICJ0ZWFtIjoiIiwgIndvcmtmbG93SUQiOiI2NTJkZDJhMS0xNDYyLTRhYTAtOTk1Zi0xZTI4NjVhZDI2NzYiLCAid29ya2Zsb3dSdW5JRCI6ImM5NmMzZWZiLWMyOTgtNGQxOC04OGM1LTc4YWRkZWFjNGE3NSJ9LCAicnVubmVyVHlwZSI6IlJVTk5FUl9UWVBFX1VOU1BFQ0lGSUVEIn19",
+  "signatures": [
+    {
+      "keyid": "",
+      "sig": "MEQCIAVsfX0IwxTll5kYtFg8dsVZWMUzFusHNgUpNfD8RMiqAiACJCCjo1hz/z3TUaw9IYsWaTkzk6YFtJClOyp0bFDanw=="
+    }
+  ]
+}

app/controlplane/internal/data/referrer.go

@@ -116,6 +116,26 @@ func (r *ReferrerRepo) Save(ctx context.Context, referrers []*biz.Referrer, work
 	return nil
 }
 
+// Check if a given referrer by digest exist. The query can be scoped further down if needed by providing the kind or visibility status
+func (r *ReferrerRepo) Exist(ctx context.Context, digest string, filters ...biz.GetFromRootFilter) (bool, error) {
+	opts := &biz.GetFromRootFilters{}
+	for _, f := range filters {
+		f(opts)
+	}
+
+	query := r.data.db.Referrer.Query().Where(referrer.DigestEQ(digest))
+	// We might be filtering by the rootKind, this will prevent ambiguity
+	if opts.RootKind != nil {
+		query = query.Where(referrer.Kind(*opts.RootKind))
+	}
+
+	if opts.Public != nil {
+		query = query.WithWorkflows(func(q *ent.WorkflowQuery) { q.Where(workflow.PublicEQ(*opts.Public)) })
+	}
+
+	return query.Exist(ctx)
+}
+
 func (r *ReferrerRepo) GetFromRoot(ctx context.Context, digest string, orgIDs []uuid.UUID, filters ...biz.GetFromRootFilter) (*biz.StoredReferrer, error) {
 	opts := &biz.GetFromRootFilters{}
 	for _, f := range filters {