feat(controlplane): download attestation with cas (#46)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/controlplane/cmd/wire.go

@@ -42,7 +42,7 @@ func wireApp(*conf.Bootstrap, credentials.ReaderWriter, log.Logger) (*app, func(
 			biz.ProviderSet,
 			service.ProviderSet,
 			wire.Bind(new(backend.Provider), new(*oci.BackendProvider)),
-			wire.Bind(new(biz.CASUploader), new(*biz.CASClientUseCase)),
+			wire.Bind(new(biz.CASClient), new(*biz.CASClientUseCase)),
 			oci.NewBackendProvider,
 			serviceOpts,
 			wire.FieldsOf(new(*conf.Bootstrap), "Server", "Auth", "Data", "CasServer"),

app/controlplane/internal/biz/attestation.go

@@ -37,7 +37,7 @@ type Attestation struct {
 
 type AttestationUseCase struct {
 	logger *log.Helper
-	CASUploader
+	CASClient
 
 	// DEPRECATED
 	// We will remove it once we force all the clients to use the CAS instead
@@ -51,24 +51,39 @@ type AttestationRef struct {
 	SecretRef string
 }
 
-func NewAttestationUseCase(uploader CASUploader, p backend.Provider, logger log.Logger) *AttestationUseCase {
+func NewAttestationUseCase(client CASClient, p backend.Provider, logger log.Logger) *AttestationUseCase {
 	if logger == nil {
 		logger = log.NewStdLogger(io.Discard)
 	}
 
 	return &AttestationUseCase{
 		logger:          servicelogger.ScopedHelper(logger, "biz/attestation"),
-		CASUploader:     uploader,
+		CASClient:       client,
 		backendProvider: p,
 	}
 }
 
-func (uc *AttestationUseCase) FetchFromStore(ctx context.Context, downloader backend.Downloader, digest string) (*Attestation, error) {
+func (uc *AttestationUseCase) FetchFromStore(ctx context.Context, secretID, digest string) (*Attestation, error) {
 	uc.logger.Infow("msg", "downloading attestation", "digest", digest)
 	buf := bytes.NewBuffer(nil)
 
-	if err := downloader.Download(ctx, buf, digest); err != nil {
-		return nil, err
+	if uc.CASClient.Configured() {
+		if err := uc.CASClient.Download(ctx, secretID, buf, digest); err != nil {
+			return nil, fmt.Errorf("downloading from CAS: %w", err)
+		}
+	} else {
+		uc.logger.Warnw("msg", "no CAS configured, falling back to old mechanism")
+
+		// DEPRECATED
+		// TODO: remove
+		downloader, err := uc.backendProvider.FromCredentials(ctx, secretID)
+		if err != nil {
+			return nil, err
+		}
+
+		if err := downloader.Download(ctx, buf, digest); err != nil {
+			return nil, err
+		}
 	}
 
 	var envelope dsse.Envelope
@@ -90,8 +105,8 @@ func (uc *AttestationUseCase) UploadToCAS(ctx context.Context, envelope *dsse.En
 	hash.Write(jsonContent)
 	digest := fmt.Sprintf("%x", hash.Sum(nil))
 
-	if uc.CASUploader.Configured() {
-		if err := uc.CASUploader.Upload(ctx, secretID, bytes.NewBuffer(jsonContent), filename, digest); err != nil {
+	if uc.CASClient.Configured() {
+		if err := uc.CASClient.Upload(ctx, secretID, bytes.NewBuffer(jsonContent), filename, digest); err != nil {
 			return "", fmt.Errorf("uploading to CAS: %w", err)
 		}
 

app/controlplane/internal/biz/attestation_test.go

@@ -34,44 +34,40 @@ import (
 	"github.com/stretchr/testify/suite"
 )
 
+var runID = uuid.NewString()
+var envelope = &dsse.Envelope{}
+
+const expectedDigest = "f845058d865c3d4d491c9019f6afe9c543ad2cd11b31620cc512e341fb03d3d8"
+
 // Deprecated method
 func (s *attestationTestSuite) TestUploadToCASFallbackOCI() {
-	runID := uuid.NewString()
-	envelope := &dsse.Envelope{}
-	const expectedDigest = "f845058d865c3d4d491c9019f6afe9c543ad2cd11b31620cc512e341fb03d3d8"
-
 	ctx := context.Background()
 	s.uploader.On("Upload", ctx, mock.Anything, &casAPI.CASResource{
 		FileName: fmt.Sprintf("attestation-%s.json", runID), Digest: expectedDigest,
 	}).Return(nil)
 
-	s.casUploader.On("Configured").Return(false)
+	s.casClient.On("Configured").Return(false)
 
 	gotDigest, err := s.uc.UploadToCAS(ctx, envelope, "my-secret", runID)
 	assert.NoError(s.T(), err)
 	assert.Equal(s.T(), expectedDigest, gotDigest)
 }
 
 func (s *attestationTestSuite) TestUploadToCAS() {
-	runID := uuid.NewString()
-	envelope := &dsse.Envelope{}
-	const expectedDigest = "f845058d865c3d4d491c9019f6afe9c543ad2cd11b31620cc512e341fb03d3d8"
-
 	ctx := context.Background()
-	s.casUploader.On(
+	s.casClient.On(
 		"Upload", ctx, "my-secret", mock.Anything,
 		fmt.Sprintf("attestation-%s.json", runID), expectedDigest,
 	).Return(nil)
 
-	s.casUploader.On("Configured").Return(true)
+	s.casClient.On("Configured").Return(true)
 
 	gotDigest, err := s.uc.UploadToCAS(ctx, envelope, "my-secret", runID)
 	assert.NoError(s.T(), err)
 	assert.Equal(s.T(), expectedDigest, gotDigest)
 }
 
-func (s *attestationTestSuite) TestFetchFromStore() {
-	const expectedDigest = "f845058d865c3d4d491c9019f6afe9c543ad2cd11b31620cc512e341fb03d3d8"
+func (s *attestationTestSuite) TestFetchFromStoreFallbackOCI() {
 	want := &biz.Attestation{Envelope: &dsse.Envelope{}}
 
 	ctx := context.Background()
@@ -82,7 +78,27 @@ func (s *attestationTestSuite) TestFetchFromStore() {
 			require.NoError(s.T(), err)
 		})
 
-	got, err := s.uc.FetchFromStore(ctx, s.downloader, expectedDigest)
+	s.casClient.On("Configured").Return(false)
+
+	got, err := s.uc.FetchFromStore(ctx, "my-secret", expectedDigest)
+	assert.NoError(s.T(), err)
+	assert.Equal(s.T(), want, got)
+}
+
+func (s *attestationTestSuite) TestFetchFromStore() {
+	want := &biz.Attestation{Envelope: &dsse.Envelope{}}
+
+	ctx := context.Background()
+	s.casClient.On("Download", ctx, "my-secret", mock.Anything, expectedDigest).Return(nil).Run(
+		func(args mock.Arguments) {
+			buf := args.Get(2).(io.Writer)
+			err := json.NewEncoder(buf).Encode(want)
+			require.NoError(s.T(), err)
+		})
+
+	s.casClient.On("Configured").Return(true)
+
+	got, err := s.uc.FetchFromStore(ctx, "my-secret", expectedDigest)
 	assert.NoError(s.T(), err)
 	assert.Equal(s.T(), want, got)
 }
@@ -96,18 +112,18 @@ func (s *attestationTestSuite) SetupTest() {
 	ociBackend := blobmock.NewUploaderDownloader(s.T())
 	backendProvider.On("FromCredentials", mock.Anything, "my-secret").Maybe().Return(ociBackend, nil)
 
-	s.casUploader = mocks.NewCASUploader(s.T())
-	s.uc = biz.NewAttestationUseCase(s.casUploader, backendProvider, nil)
+	s.casClient = mocks.NewCASClient(s.T())
+	s.uc = biz.NewAttestationUseCase(s.casClient, backendProvider, nil)
 	s.uploader = (*blobmock.Uploader)(ociBackend)
-	s.downloader = blobmock.NewDownloader(s.T())
+	s.downloader = (*blobmock.Downloader)(ociBackend)
 }
 
 // Utility struct to hold the test suite
 type attestationTestSuite struct {
 	suite.Suite
 	uc *biz.AttestationUseCase
 	// Deprecated: attestation should use the casclient instead of the blobmanager
-	uploader    *blobmock.Uploader
-	downloader  *blobmock.Downloader
-	casUploader *mocks.CASUploader
+	uploader   *blobmock.Uploader
+	downloader *blobmock.Downloader
+	casClient  *mocks.CASClient
 }

app/controlplane/internal/biz/casclient.go

@@ -34,14 +34,20 @@ type CASClientUseCase struct {
 	logger        *log.Helper
 }
 
-type CASDescriber interface {
-	Configured() bool
-}
 type CASUploader interface {
-	CASDescriber
 	Upload(ctx context.Context, secretID string, content io.Reader, filename, digest string) error
 }
 
+type CASDownloader interface {
+	Download(ctx context.Context, secretID string, w io.Writer, digest string) error
+}
+
+type CASClient interface {
+	CASUploader
+	CASDownloader
+	Configured() bool
+}
+
 func NewCASClientUseCase(credsProvider *CASCredentialsUseCase, config *conf.Bootstrap_CASServer, l log.Logger) *CASClientUseCase {
 	return &CASClientUseCase{credsProvider, config, servicelogger.ScopedHelper(l, "biz/cas-client")}
 }
@@ -66,6 +72,23 @@ func (uc *CASClientUseCase) Upload(ctx context.Context, secretID string, content
 	return nil
 }
 
+func (uc *CASClientUseCase) Download(ctx context.Context, secretID string, w io.Writer, digest string) error {
+	uc.logger.Infow("msg", "download initialized", "digest", digest)
+
+	client, err := uc.casAPIClient(secretID, casJWT.Downloader)
+	if err != nil {
+		return fmt.Errorf("failed to create cas client: %w", err)
+	}
+
+	if err := client.Download(ctx, w, digest); err != nil {
+		return fmt.Errorf("failed to download content: %w", err)
+	}
+
+	uc.logger.Infow("msg", "download finalized", "digest", digest)
+
+	return nil
+}
+
 // create a client with a temporary set of credentials for a specific operation
 func (uc *CASClientUseCase) casAPIClient(secretID string, role casJWT.Role) (*casclient.Client, error) {
 	token, err := uc.credsProvider.GenerateTemporaryCredentials(secretID, role)

app/controlplane/internal/biz/mocks/CASClient.go

@@ -22,7 +22,6 @@ import (
 	craftingpb "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/biz"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/pagination"
-	"github.com/chainloop-dev/chainloop/internal/blobmanager/oci"
 	"github.com/chainloop-dev/chainloop/internal/credentials"
 	sl "github.com/chainloop-dev/chainloop/internal/servicelogger"
 	errors "github.com/go-kratos/kratos/v2/errors"
@@ -116,12 +115,7 @@ func (s *WorkflowRunService) View(ctx context.Context, req *pb.WorkflowRunServic
 	var attestation *biz.Attestation
 	// Download the attestation if the workflow run is successful
 	if run.AttestationRef != nil {
-		downloader, err := oci.NewBackendProvider(s.credsReader).FromCredentials(ctx, run.AttestationRef.SecretRef)
-		if err != nil {
-			return nil, sl.LogAndMaskErr(err, s.log)
-		}
-
-		attestation, err = s.attestationUseCase.FetchFromStore(ctx, downloader, run.AttestationRef.Sha256)
+		attestation, err = s.attestationUseCase.FetchFromStore(ctx, run.AttestationRef.SecretRef, run.AttestationRef.Sha256)
 		if err != nil {
 			// NOTE: For now we don't return an error if the attestation is not found
 			// since we do not have a good error recovery in place for assets