feat(cli): remote attestation state support (#499)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/cli/cmd/attestation.go

@@ -24,8 +24,12 @@ import (
 )
 
 var (
-	robotAccount string
-	GracefulExit bool
+	robotAccount              string
+	useAttestationRemoteState bool
+	GracefulExit              bool
+	// attestationID is the unique identifier of the in-progress attestation
+	// this is required when use-attestation-remote-state is enabled
+	attestationID string
 )
 
 const robotAccountEnvVarName = "CHAINLOOP_ROBOT_ACCOUNT"
@@ -36,6 +40,22 @@ func newAttestationCmd() *cobra.Command {
 		Aliases: []string{"att"},
 		Short:   "Craft Software Supply Chain Attestations",
 		Example: "Refer to https://docs.chainloop.dev/getting-started/attestation-crafting",
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			// run the initialization of the root command plus the new logic
+			// specific to this attestation command
+			rootCmd := cmd.Parent().Parent()
+			if err := rootCmd.PersistentPreRunE(cmd, args); err != nil {
+				return err
+			}
+
+			// If the subcommand has the attestation-id flag,
+			// we need to make sure that it's set if the remote-state flag is enabled
+			if useAttestationRemoteState && cmd.Flags().Lookup("attestation-id") != nil {
+				return cmd.MarkFlagRequired("attestation-id")
+			}
+
+			return nil
+		},
 	}
 
 	cmd.PersistentFlags().StringVarP(&robotAccount, "token", "t", "", fmt.Sprintf("robot account token. NOTE: You can also use the env variable %s", robotAccountEnvVarName))
@@ -44,13 +64,19 @@ func newAttestationCmd() *cobra.Command {
 	if robotAccount == "" {
 		robotAccount = os.Getenv(robotAccountEnvVarName)
 	}
+
 	cmd.PersistentFlags().BoolVar(&GracefulExit, "graceful-exit", false, "exit 0 in case of error. NOTE: this flag will be removed once Chainloop reaches 1.0")
+	cmd.PersistentFlags().BoolVar(&useAttestationRemoteState, "remote-state", false, "Store the attestation state remotely (preview feature)")
 
 	cmd.AddCommand(newAttestationInitCmd(), newAttestationAddCmd(), newAttestationStatusCmd(), newAttestationPushCmd(), newAttestationResetCmd())
 
 	return cmd
 }
 
+func flagAttestationID(cmd *cobra.Command) {
+	cmd.Flags().StringVar(&attestationID, "attestation-id", "", "Unique identifier of the in-progress attestation")
+}
+
 // extractAnnotations extracts the annotations from the flag and returns a map
 // the expected input format is key=value
 func extractAnnotations(annotationsFlag []string) (map[string]string, error) {

app/cli/cmd/attestation_add.go

@@ -55,7 +55,7 @@ func newAttestationAddCmd() *cobra.Command {
 				return err
 			}
 
-			if err := a.Run(cmd.Context(), "", name, value, annotations); err != nil {
+			if err := a.Run(cmd.Context(), attestationID, name, value, annotations); err != nil {
 				if errors.Is(err, action.ErrAttestationNotInitialized) {
 					return err
 				}
@@ -83,6 +83,7 @@ func newAttestationAddCmd() *cobra.Command {
 	err = cmd.MarkFlagRequired("value")
 	cobra.CheckErr(err)
 	cmd.Flags().StringSliceVar(&annotationsFlag, "annotation", nil, "additional annotation in the format of key=value")
+	flagAttestationID(cmd)
 
 	return cmd
 }

app/cli/cmd/attestation_init.go

@@ -48,7 +48,7 @@ func newAttestationInitCmd() *cobra.Command {
 			}
 
 			// Initialize it
-			err = a.Run(cmd.Context(), contractRevision)
+			attestationID, err := a.Run(cmd.Context(), contractRevision)
 			if err != nil {
 				if errors.Is(err, action.ErrAttestationAlreadyExist) {
 					return err
@@ -67,7 +67,7 @@ func newAttestationInitCmd() *cobra.Command {
 				return newGracefulError(err)
 			}
 
-			res, err := statusAction.Run(cmd.Context(), "")
+			res, err := statusAction.Run(cmd.Context(), attestationID)
 			if err != nil {
 				return newGracefulError(err)
 			}

app/cli/cmd/attestation_push.go

@@ -73,7 +73,7 @@ func newAttestationPushCmd() *cobra.Command {
 				return err
 			}
 
-			res, err := a.Run(cmd.Context(), "", annotations)
+			res, err := a.Run(cmd.Context(), attestationID, annotations)
 			if err != nil {
 				if errors.Is(err, action.ErrAttestationNotInitialized) {
 					return err
@@ -96,6 +96,7 @@ func newAttestationPushCmd() *cobra.Command {
 
 	cmd.Flags().StringVarP(&pkPath, "key", "k", "", "reference (path or env variable name) to the cosign private key that will be used to sign the attestation")
 	cmd.Flags().StringSliceVar(&annotationsFlag, "annotation", nil, "additional annotation in the format of key=value")
+	flagAttestationID(cmd)
 
 	return cmd
 }

app/cli/cmd/attestation_reset.go

@@ -46,7 +46,7 @@ func newAttestationResetCmd() *cobra.Command {
 				return fmt.Errorf("failed to load action: %w", err)
 			}
 
-			if err := a.Run(cmd.Context(), "", trigger, reason); err != nil {
+			if err := a.Run(cmd.Context(), attestationID, trigger, reason); err != nil {
 				return newGracefulError(err)
 			}
 
@@ -58,6 +58,7 @@ func newAttestationResetCmd() *cobra.Command {
 
 	cmd.Flags().StringVar(&trigger, "trigger", triggerFailed, fmt.Sprintf("trigger for the reset, valid options are %q and %q", triggerFailed, triggerCanceled))
 	cmd.Flags().StringVar(&reason, "reason", "", "reset reason")
+	flagAttestationID(cmd)
 
 	return cmd
 }

app/cli/cmd/attestation_status.go

@@ -33,6 +33,9 @@ func newAttestationStatusCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "status",
 		Short: "check the status of the current attestation process",
+		Annotations: map[string]string{
+			useWorkflowRobotAccount: "true",
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			a, err := action.NewAttestationStatus(
 				&action.AttestationStatusOpts{
@@ -43,7 +46,7 @@ func newAttestationStatusCmd() *cobra.Command {
 				return fmt.Errorf("failed to load action: %w", err)
 			}
 
-			res, err := a.Run(cmd.Context(), "")
+			res, err := a.Run(cmd.Context(), attestationID)
 			if err != nil {
 				return err
 			}
@@ -53,6 +56,7 @@ func newAttestationStatusCmd() *cobra.Command {
 	}
 
 	cmd.Flags().BoolVar(&full, "full", false, "full report including current recorded values")
+	flagAttestationID(cmd)
 
 	return cmd
 }
@@ -63,7 +67,7 @@ func attestationStatusTableOutput(status *action.AttestationStatusResult) error
 	gt.AppendRow(table.Row{"Initialized At", status.InitializedAt.Format(time.RFC822)})
 	gt.AppendSeparator()
 	meta := status.WorkflowMeta
-	gt.AppendRow(table.Row{"Workflow", meta.WorkflowID})
+	gt.AppendRow(table.Row{"Attestation ID", status.AttestationID})
 	gt.AppendRow(table.Row{"Name", meta.Name})
 	gt.AppendRow(table.Row{"Team", meta.Team})
 	gt.AppendRow(table.Row{"Project", meta.Project})

app/cli/cmd/root.go

@@ -175,7 +175,7 @@ func initConfigFile() {
 }
 
 func newActionOpts(logger zerolog.Logger, conn *grpc.ClientConn) *action.ActionsOpts {
-	return &action.ActionsOpts{CPConnection: conn, Logger: logger}
+	return &action.ActionsOpts{CPConnection: conn, Logger: logger, UseAttestationRemoteState: useAttestationRemoteState}
 }
 
 func cleanup(conn *grpc.ClientConn) error {

app/cli/internal/action/action.go

@@ -21,29 +21,39 @@ import (
 	"path/filepath"
 	"time"
 
+	pb "github.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1"
 	"github.com/chainloop-dev/chainloop/internal/attestation/crafter"
 	"github.com/chainloop-dev/chainloop/internal/attestation/crafter/statemanager/filesystem"
+	"github.com/chainloop-dev/chainloop/internal/attestation/crafter/statemanager/remote"
 	"github.com/rs/zerolog"
 	"google.golang.org/grpc"
 )
 
 type ActionsOpts struct {
-	CPConnection *grpc.ClientConn
-	Logger       zerolog.Logger
+	CPConnection              *grpc.ClientConn
+	Logger                    zerolog.Logger
+	UseAttestationRemoteState bool
 }
 
 func toTimePtr(t time.Time) *time.Time {
 	return &t
 }
 
-// load a crafter with local state manager
-// TODO: We'll enable the ability to load a crafter that relies on a remote state manager
-func newCrafter(_ *grpc.ClientConn, logger *zerolog.Logger) (*crafter.Crafter, error) {
-	statePath := filepath.Join(os.TempDir(), "chainloop-attestation.tmp.json")
-	localStateManager, err := filesystem.New(statePath)
+// load a crafter with either local or remote state
+func newCrafter(enableRemoteState bool, conn *grpc.ClientConn, logger *zerolog.Logger) (*crafter.Crafter, error) {
+	var stateManager crafter.StateManager
+	var err error
+
+	switch enableRemoteState {
+	case true:
+		stateManager, err = remote.New(pb.NewAttestationStateServiceClient(conn))
+	case false:
+		stateManager, err = filesystem.New(filepath.Join(os.TempDir(), "chainloop-attestation.tmp.json"))
+	}
+
 	if err != nil {
-		return nil, fmt.Errorf("failed to create local state manager: %w", err)
+		return nil, fmt.Errorf("failed to create state manager: %w", err)
 	}
 
-	return crafter.NewCrafter(localStateManager, crafter.WithLogger(logger))
+	return crafter.NewCrafter(stateManager, crafter.WithLogger(logger))
 }

app/cli/internal/action/attestation_add.go

@@ -42,7 +42,7 @@ type AttestationAdd struct {
 }
 
 func NewAttestationAdd(cfg *AttestationAddOpts) (*AttestationAdd, error) {
-	c, err := newCrafter(cfg.CPConnection, &cfg.Logger)
+	c, err := newCrafter(cfg.UseAttestationRemoteState, cfg.CPConnection, &cfg.Logger)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load crafter: %w", err)
 	}
@@ -58,7 +58,9 @@ func NewAttestationAdd(cfg *AttestationAddOpts) (*AttestationAdd, error) {
 var ErrAttestationNotInitialized = errors.New("attestation not yet initialized")
 
 func (action *AttestationAdd) Run(ctx context.Context, attestationID, materialName, materialValue string, annotations map[string]string) error {
-	if initialized := action.c.AlreadyInitialized(ctx, attestationID); !initialized {
+	if initialized, err := action.c.AlreadyInitialized(ctx, attestationID); err != nil {
+		return fmt.Errorf("checking if attestation is already initialized: %w", err)
+	} else if !initialized {
 		return ErrAttestationNotInitialized
 	}
 

app/cli/internal/action/attestation_init.go

@@ -49,7 +49,7 @@ func (e ErrRunnerContextNotFound) Error() string {
 }
 
 func NewAttestationInit(cfg *AttestationInitOpts) (*AttestationInit, error) {
-	c, err := newCrafter(cfg.CPConnection, &cfg.Logger)
+	c, err := newCrafter(cfg.UseAttestationRemoteState, cfg.CPConnection, &cfg.Logger)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load crafter: %w", err)
 	}
@@ -61,13 +61,18 @@ func NewAttestationInit(cfg *AttestationInitOpts) (*AttestationInit, error) {
 	}, nil
 }
 
-func (action *AttestationInit) Run(ctx context.Context, contractRevision int) error {
+// returns the attestation ID
+func (action *AttestationInit) Run(ctx context.Context, contractRevision int) (string, error) {
+	if action.dryRun && action.UseAttestationRemoteState {
+		return "", errors.New("remote state is not compatible with dry-run mode")
+	}
+
 	action.Logger.Debug().Msg("Retrieving attestation definition")
 	client := pb.NewAttestationServiceClient(action.ActionsOpts.CPConnection)
 	// get information of the workflow
 	resp, err := client.GetContract(ctx, &pb.AttestationServiceGetContractRequest{ContractRevision: int32(contractRevision)})
 	if err != nil {
-		return err
+		return "", err
 	}
 
 	workflow := resp.GetResult().GetWorkflow()
@@ -88,7 +93,7 @@ func (action *AttestationInit) Run(ctx context.Context, contractRevision int) er
 	runnerType := resp.Result.Contract.GetV1().Runner.GetType()
 	runnerContext := crafter.NewRunner(runnerType)
 	if !action.dryRun && !runnerContext.CheckEnv() {
-		return ErrRunnerContextNotFound{runnerContext.String()}
+		return "", ErrRunnerContextNotFound{runnerContext.String()}
 	}
 
 	// Identifier of this attestation instance
@@ -104,7 +109,7 @@ func (action *AttestationInit) Run(ctx context.Context, contractRevision int) er
 			},
 		)
 		if err != nil {
-			return err
+			return "", err
 		}
 
 		workflowRun := runResp.GetResult().GetWorkflowRun()
@@ -123,18 +128,18 @@ func (action *AttestationInit) Run(ctx context.Context, contractRevision int) er
 	}
 
 	if err := action.c.Init(ctx, initOpts); err != nil {
-		return err
+		return "", err
 	}
 
 	// Load the env variables both the system populated and the user predefined ones
 	if err := action.c.ResolveEnvVars(ctx, attestationID); err != nil {
 		if action.dryRun {
-			return nil
+			return "", nil
 		}
 
 		_ = action.c.Reset(ctx, attestationID)
-		return err
+		return "", err
 	}
 
-	return nil
+	return attestationID, nil
 }