feat(controlplane): store attestation in DB (#180)

* feat(controlplane): store attestation in DB

Signed-off-by: Miguel Martinez Trivino <[email protected]>

* wrap attestation

Signed-off-by: Miguel Martinez Trivino <[email protected]>

* update docs

Signed-off-by: Miguel Martinez Trivino <[email protected]>

* update docs

Signed-off-by: Miguel Martinez Trivino <[email protected]>

* update docs

Signed-off-by: Miguel Martinez Trivino <[email protected]>

---------

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/controlplane/README.md

@@ -23,7 +23,7 @@ The control plane has 4 main dependencies
 - Sensitive information provided by the user such as OCI registry credentials is sent to a secret storage backend. Currently we support [Hashicorp Vault](https://www.vaultproject.io/), [AWS Secret Manager](https://aws.amazon.com/secrets-manager/) and [GCP Secret Manager](https://cloud.google.com/secret-manager).
 - In addition to those third party dependencies, the control plane also has a dependency on Chainloop own [Artifact CAS](../artifact-cas). It is used to upload the received attestation to the end-user storage backend.
 
-> NOTE: The control plane does not store attestation or artifact data, these get forwarded to the user storage backend through the Artifact CAS.
+> NOTE: The control plane does not store artifacts, these get forwarded to the user storage backend (i.e OCI registry) through the Artifact CAS.
 
 ## Runbook
 

app/controlplane/cmd/wire_gen.go

@@ -24,7 +24,6 @@ var ProviderSet = wire.NewSet(
 	NewRootAccountUseCase,
 	NewWorkflowRunUseCase,
 	NewOrganizationUseCase,
-	NewAttestationUseCase,
 	NewWorkflowContractUseCase,
 	NewCASCredentialsUseCase,
 	NewOCIRepositoryUseCase,

app/controlplane/internal/biz/attestation.go

@@ -17,11 +17,11 @@ package biz
 
 import (
 	"context"
-	"errors"
 	"io"
 	"time"
 
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/pagination"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 
 	"github.com/go-kratos/kratos/v2/log"
 	"github.com/google/uuid"
@@ -35,7 +35,11 @@ type WorkflowRun struct {
 	AttestationID         uuid.UUID
 	RunURL, RunnerType    string
 	ContractVersionID     uuid.UUID
-	AttestationRef        *AttestationRef
+	Attestation           *Attestation
+}
+
+type Attestation struct {
+	Envelope *dsse.Envelope
 }
 
 type WorkflowRunWithContract struct {
@@ -58,7 +62,7 @@ type WorkflowRunRepo interface {
 	FindByID(ctx context.Context, ID uuid.UUID) (*WorkflowRun, error)
 	FindByIDInOrg(ctx context.Context, orgID, ID uuid.UUID) (*WorkflowRun, error)
 	MarkAsFinished(ctx context.Context, ID uuid.UUID, status WorkflowRunStatus, reason string) error
-	SaveAttestationRef(ctx context.Context, ID uuid.UUID, ref *AttestationRef) error
+	SaveAttestation(ctx context.Context, ID uuid.UUID, att *dsse.Envelope) error
 	List(ctx context.Context, orgID, workflowID uuid.UUID, p *pagination.Options) ([]*WorkflowRun, string, error)
 	// List the runs that have not finished and are older than a given time
 	ListNotFinishedOlderThan(ctx context.Context, olderThan time.Time) ([]*WorkflowRun, error)
@@ -198,18 +202,13 @@ func (uc *WorkflowRunUseCase) MarkAsFinished(ctx context.Context, id string, sta
 	return uc.wfRunRepo.MarkAsFinished(ctx, runID, status, reason)
 }
 
-// Store the attestation digest for the workflowrun
-func (uc *WorkflowRunUseCase) AssociateAttestation(ctx context.Context, id string, ref *AttestationRef) error {
-	if ref == nil || ref.SecretRef == "" || ref.Sha256 == "" {
-		return NewErrValidation(errors.New("attestation ref is nil or invalid"))
-	}
-
+func (uc *WorkflowRunUseCase) SaveAttestation(ctx context.Context, id string, envelope *dsse.Envelope) error {
 	runID, err := uuid.Parse(id)
 	if err != nil {
 		return NewErrInvalidUUID(err)
 	}
 
-	return uc.wfRunRepo.SaveAttestationRef(ctx, runID, ref)
+	return uc.wfRunRepo.SaveAttestation(ctx, runID, envelope)
 }
 
 // List the workflowruns associated with an org and optionally filtered by a workflow

app/controlplane/internal/biz/attestation_test.go

@@ -22,27 +22,23 @@ import (
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/biz"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/biz/testhelpers"
 	"github.com/google/uuid"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
 )
 
-func (s *workflowRunIntegrationTestSuite) TestAssociateAttestation() {
+func (s *workflowRunIntegrationTestSuite) TestSaveAttestation() {
 	assert := assert.New(s.T())
 	ctx := context.Background()
-	validRef := &biz.AttestationRef{Sha256: "deadbeef", SecretRef: "secret-ref"}
+
+	validEnvelope := &dsse.Envelope{}
 
 	s.T().Run("non existing workflowRun", func(t *testing.T) {
-		err := s.WorkflowRun.AssociateAttestation(ctx, uuid.NewString(), validRef)
+		err := s.WorkflowRun.SaveAttestation(ctx, uuid.NewString(), validEnvelope)
 		assert.Error(err)
 		assert.True(biz.IsNotFound(err))
 	})
 
-	s.T().Run("empty attestation ref", func(t *testing.T) {
-		err := s.WorkflowRun.AssociateAttestation(ctx, uuid.NewString(), nil)
-		assert.Error(err)
-		assert.True(biz.IsErrValidation(err))
-	})
-
 	s.T().Run("valid workflowrun", func(t *testing.T) {
 		org, err := s.Organization.Create(ctx, "testing org")
 		assert.NoError(err)
@@ -64,13 +60,13 @@ func (s *workflowRunIntegrationTestSuite) TestAssociateAttestation() {
 		})
 		assert.NoError(err)
 
-		err = s.WorkflowRun.AssociateAttestation(ctx, run.ID.String(), validRef)
+		err = s.WorkflowRun.SaveAttestation(ctx, run.ID.String(), validEnvelope)
 		assert.NoError(err)
 
 		// Retrieve attestation ref from storage and compare
 		r, err := s.WorkflowRun.View(ctx, org.ID, run.ID.String())
 		assert.NoError(err)
-		assert.Equal(r.AttestationRef, validRef)
+		assert.Equal(r.Attestation, &biz.Attestation{Envelope: validEnvelope})
 	})
 }