feat(chainloop): add EVIDENCE material type (#702)

Signed-off-by: Jose I. Paris <[email protected]>
Signed-off-by: Javier Rodriguez <[email protected]>
Signed-off-by: Miguel Martinez Trivino <[email protected]>
Co-authored-by: Javier Rodriguez <[email protected]>
Co-authored-by: Miguel Martinez Trivino <[email protected]>

Author: 3 people

README.md

@@ -131,7 +131,8 @@ Chainloop supports the collection of the following pieces of evidence types:
 - [SARIF](https://docs.oasis-open.org/sarif/sarif/v2.1.0/)
 - [JUnit](https://www.ibm.com/docs/en/developer-for-zos/14.1?topic=formats-junit-xml-format)
 - [Helm Chart](https://helm.sh/docs/topics/charts/)
-- Generic Artifact Types
+- Artifact Type: It represents a software artifact.
+- Custom Evidence Type: Custom piece of evidence that doesn't fit in any other category, for instance, an approval report in json format, etc.
 - Key-Value metadata pairs
 
 During the attestation process, these pieces of evidence will get uploaded to the [Content Addressable Storage](https://docs.chainloop.dev/reference/operator/cas-backend/) (if applicable) and referenced in a [SLSA](https://slsa.dev) attestation.

app/controlplane/api/gen/frontend/workflowcontract/v1/crafting_schema.ts

@@ -84,6 +84,10 @@ message CraftingSchema {
       // https://github.com/microsoft/sarif-tutorials/blob/main/docs/1-Introduction.md
       SARIF = 9;
       HELM_CHART = 10;
+
+      // Pieces of evidences represent generic, additional context that don't fit
+      // into one of the well known material types. For example, a custom approval report (in json), ...
+      EVIDENCE = 11;
     }
   }
 }

app/controlplane/api/workflowcontract/v1/crafting_schema.pb.go

@@ -56,7 +56,8 @@ Chainloop supports the collection of the following pieces of evidence types:
 - [SARIF](https://docs.oasis-open.org/sarif/sarif/v2.1.0/)
 - [JUnit](https://www.ibm.com/docs/en/developer-for-zos/14.1?topic=formats-junit-xml-format)
 - [Helm Chart](https://helm.sh/docs/topics/charts/)
-- Generic Artifact Types
+- Artifact Type: It represents a software artifact.
+- Custom Evidence Type: Custom piece of evidence that doesn't fit in any other category, for instance, an approval report in json format, etc.
 - Key-Value metadata pairs
 
 To learn more on how to add them to your contract, refer to the `type` section below.

app/controlplane/api/workflowcontract/v1/crafting_schema.proto

@@ -13,6 +13,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//nolint:dupl
 package materials_test
 
 import (

docs/docs/reference/operator/contract.mdx

@@ -0,0 +1,48 @@
+//
+// Copyright 2024 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package materials
+
+import (
+	"context"
+	"fmt"
+
+	schemaapi "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
+	api "github.com/chainloop-dev/chainloop/internal/attestation/crafter/api/attestation/v1"
+	"github.com/chainloop-dev/chainloop/internal/casclient"
+	"github.com/rs/zerolog"
+)
+
+type EvidenceCrafter struct {
+	*crafterCommon
+	backend *casclient.CASBackend
+}
+
+// NewEvidenceCrafter generates a new Evidence material.
+// Pieces of evidences represent generic, additional context that don't fit
+// into one of the well known material types. For example, a custom approval report (in json), ...
+func NewEvidenceCrafter(schema *schemaapi.CraftingSchema_Material, backend *casclient.CASBackend, l *zerolog.Logger) (*EvidenceCrafter, error) {
+	if schema.Type != schemaapi.CraftingSchema_Material_EVIDENCE {
+		return nil, fmt.Errorf("material type is not evidence")
+	}
+
+	craftCommon := &crafterCommon{logger: l, input: schema}
+	return &EvidenceCrafter{backend: backend, crafterCommon: craftCommon}, nil
+}
+
+// Craft will calculate the digest of the artifact, simulate an upload and return the material definition
+func (i *EvidenceCrafter) Craft(ctx context.Context, artifactPath string) (*api.Attestation_Material, error) {
+	return uploadAndCraft(ctx, i.input, i.backend, artifactPath, i.logger)
+}

internal/attestation/crafter/materials/artifact_test.go

@@ -0,0 +1,156 @@
+//
+// Copyright 2024 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//nolint:dupl
+package materials_test
+
+import (
+	"context"
+	"testing"
+
+	"code.cloudfoundry.org/bytefmt"
+	contractAPI "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
+	attestationApi "github.com/chainloop-dev/chainloop/internal/attestation/crafter/api/attestation/v1"
+	"github.com/chainloop-dev/chainloop/internal/attestation/crafter/materials"
+	"github.com/chainloop-dev/chainloop/internal/casclient"
+	mUploader "github.com/chainloop-dev/chainloop/internal/casclient/mocks"
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewEvidenceCrafter(t *testing.T) {
+	testCases := []struct {
+		name    string
+		input   *contractAPI.CraftingSchema_Material
+		wantErr bool
+	}{
+		{
+			name: "happy path",
+			input: &contractAPI.CraftingSchema_Material{
+				Type: contractAPI.CraftingSchema_Material_EVIDENCE,
+			},
+		},
+		{
+			name: "wrong type",
+			input: &contractAPI.CraftingSchema_Material{
+				Type: contractAPI.CraftingSchema_Material_CONTAINER_IMAGE,
+			},
+			wantErr: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			_, err := materials.NewEvidenceCrafter(tc.input, nil, nil)
+			if tc.wantErr {
+				assert.Error(t, err)
+				return
+			}
+
+			assert.NoError(t, err)
+		})
+	}
+}
+
+func TestEvidenceCraft(t *testing.T) {
+	assert := assert.New(t)
+	schema := &contractAPI.CraftingSchema_Material{
+		Name: "test",
+		Type: contractAPI.CraftingSchema_Material_EVIDENCE,
+	}
+
+	l := zerolog.Nop()
+
+	// Mock uploader
+	uploader := mUploader.NewUploader(t)
+	uploader.On("UploadFile", context.TODO(), "./testdata/simple.txt").
+		Return(&casclient.UpDownStatus{
+			Digest:   "deadbeef",
+			Filename: "simple.txt",
+		}, nil)
+
+	backend := &casclient.CASBackend{Uploader: uploader}
+
+	crafter, err := materials.NewEvidenceCrafter(schema, backend, &l)
+	require.NoError(t, err)
+
+	got, err := crafter.Craft(context.TODO(), "./testdata/simple.txt")
+	assert.NoError(err)
+	assert.Equal(contractAPI.CraftingSchema_Material_EVIDENCE.String(), got.MaterialType.String())
+	assert.True(got.UploadedToCas)
+
+	// The result includes the digest reference
+	assert.Equal(got.GetArtifact(), &attestationApi.Attestation_Material_Artifact{
+		Id: "test", Digest: "sha256:54181dfe59340b318253e59f7695f547c5c10d071cb75001170a389061349918", Name: "simple.txt",
+	})
+}
+
+func TestEvidenceCraftInline(t *testing.T) {
+	assert := assert.New(t)
+	schema := &contractAPI.CraftingSchema_Material{
+		Name: "test",
+		Type: contractAPI.CraftingSchema_Material_EVIDENCE,
+	}
+	l := zerolog.Nop()
+
+	t.Run("inline without size limit", func(t *testing.T) {
+		backend := &casclient.CASBackend{}
+
+		crafter, err := materials.NewEvidenceCrafter(schema, backend, &l)
+		require.NoError(t, err)
+
+		got, err := crafter.Craft(context.TODO(), "./testdata/simple.txt")
+		assert.NoError(err)
+		assertEvidenceMaterial(t, got)
+	})
+
+	t.Run("backend with size limit", func(t *testing.T) {
+		backend := &casclient.CASBackend{
+			MaxSize: 100 * bytefmt.BYTE,
+		}
+
+		crafter, err := materials.NewEvidenceCrafter(schema, backend, &l)
+		require.NoError(t, err)
+
+		got, err := crafter.Craft(context.TODO(), "./testdata/simple.txt")
+		assert.NoError(err)
+		assertEvidenceMaterial(t, got)
+	})
+
+	t.Run("backend with size limit too small", func(t *testing.T) {
+		backend := &casclient.CASBackend{
+			MaxSize: bytefmt.BYTE,
+		}
+
+		crafter, err := materials.NewEvidenceCrafter(schema, backend, &l)
+		require.NoError(t, err)
+
+		_, err = crafter.Craft(context.TODO(), "./testdata/simple.txt")
+		assert.Error(err)
+	})
+}
+
+func assertEvidenceMaterial(t *testing.T, got *attestationApi.Attestation_Material) {
+	assert := assert.New(t)
+	// Not uploaded to CAS
+	assert.False(got.UploadedToCas)
+	// The result includes the digest and inline content
+	assert.Equal(got.GetArtifact(), &attestationApi.Attestation_Material_Artifact{
+		Id: "test", Digest: "sha256:54181dfe59340b318253e59f7695f547c5c10d071cb75001170a389061349918", Name: "simple.txt",
+		// Inline content
+		Content: []byte("txt file"),
+	})
+}

internal/attestation/crafter/materials/evidence.go

@@ -171,6 +171,8 @@ func Craft(ctx context.Context, materialSchema *schemaapi.CraftingSchema_Materia
 		crafter, err = NewSARIFCrafter(materialSchema, casBackend, logger)
 	case schemaapi.CraftingSchema_Material_HELM_CHART:
 		crafter, err = NewHelmChartCrafter(materialSchema, casBackend, logger)
+	case schemaapi.CraftingSchema_Material_EVIDENCE:
+		crafter, err = NewEvidenceCrafter(materialSchema, casBackend, logger)
 	default:
 		return nil, fmt.Errorf("material of type %q not supported yet", materialSchema.Type)
 	}