feat(referrer): store backlinks unconditionally (#712)

migmartri · web-flow · commit f8360a0140b2 · 2024-04-29T08:35:06.000+02:00
Signed-off-by: Miguel Martinez Trivino &lt;miguel@chainloop.dev&gt;
diff --git a/app/controlplane/internal/biz/referrer.go b/app/controlplane/internal/biz/referrer.go
@@ -305,7 +305,10 @@ func extractReferrers(att *dsse.Envelope) ([]*Referrer, error) {
 
 		materialReferrer := referrersMap[materialRef]
 
-		// Add the reference to the attestation
+		// We create a bidirectional link between the attestation and the material
+		// material -> attestation (1-1)
+		materialReferrer.References = []*Referrer{{Digest: attestationReferrer.Digest, Kind: attestationReferrer.Kind}}
+		// attestation -> material (1-N)
 		attestationReferrer.References = append(attestationReferrer.References, &Referrer{
 			Digest: materialReferrer.Digest, Kind: materialReferrer.Kind,
 		})
@@ -317,6 +320,8 @@ func extractReferrers(att *dsse.Envelope) ([]*Referrer, error) {
 		return nil, fmt.Errorf("extracting predicate: %w", err)
 	}
 
+	// Materials can also be subjects, but there are cases that we will have a subject that is not a material
+	// For example, a git head commit, that's why we need to also add the subjects as referrers (if needed)
 	for _, subject := range statement.Subject {
 		subjectReferrer, err := intotoSubjectToReferrer(subject)
 		if err != nil {
@@ -329,17 +334,20 @@ func extractReferrers(att *dsse.Envelope) ([]*Referrer, error) {
 
 		subjectRef := newRef(subjectReferrer.Digest, subjectReferrer.Kind)
 
-		// check if we already have a referrer for this digest and set it otherwise
-		// this is the case for example for git.Head ones
-		if _, ok := referrersMap[subjectRef]; !ok {
-			referrersMap[subjectRef] = subjectReferrer
-			// add it to the list of of attestation-referenced digests
-			attestationReferrer.References = append(attestationReferrer.References,
-				&Referrer{
-					Digest: subjectReferrer.Digest, Kind: subjectReferrer.Kind,
-				})
+		// check if we already have a referrer for this digest and skip if it's the case
+		if _, ok := referrersMap[subjectRef]; ok {
+			continue
 		}
 
+		// We are now in the case where a subject is not a material, i.e a git head commit, we need to add it to the referrers
+		// with a bidirectional link to the attestation like we did for the materials
+		referrersMap[subjectRef] = subjectReferrer
+		// add it to the list of of attestation-referenced digests
+		attestationReferrer.References = append(attestationReferrer.References,
+			&Referrer{
+				Digest: subjectReferrer.Digest, Kind: subjectReferrer.Kind,
+			})
+
 		// Update referrer to point to the attestation
 		referrersMap[subjectRef].References = []*Referrer{{Digest: attestationReferrer.Digest, Kind: attestationReferrer.Kind}}
 	}
diff --git a/app/controlplane/internal/biz/referrer_integration_test.go b/app/controlplane/internal/biz/referrer_integration_test.go
@@ -244,7 +244,7 @@ func (s *referrerIntegrationTestSuite) TestExtractAndPersists() {
 		require.Len(t, got.OrgIDs, 2)
 	})
 
-	s.T().Run("you can ask for info about materials that are subjects", func(t *testing.T) {
+	s.T().Run("subject materials are returned connected to the attestation", func(t *testing.T) {
 		got, err := s.Referrer.GetFromRootUser(ctx, wantReferrerContainerImage.Digest, "", s.user.ID)
 		s.NoError(err)
 		// parent i.e attestation
@@ -258,14 +258,13 @@ func (s *referrerIntegrationTestSuite) TestExtractAndPersists() {
 		s.Equal(wantReferrerAtt.Downloadable, got.References[0].Downloadable)
 	})
 
-	s.T().Run("it might not have references", func(t *testing.T) {
+	s.T().Run("non-subject materials also are connected to the attestation", func(t *testing.T) {
 		got, err := s.Referrer.GetFromRootUser(ctx, wantReferrerSarif.Digest, "", s.user.ID)
 		s.NoError(err)
-		// parent i.e attestation
-		s.Equal(wantReferrerSarif.Digest, got.Digest)
-		s.Equal(wantReferrerSarif.Downloadable, got.Downloadable)
-		s.Equal(wantReferrerSarif.Kind, got.Kind)
-		require.Len(t, got.References, 0)
+		require.Len(t, got.References, 1)
+		s.Equal(wantReferrerAtt.Digest, got.References[0].Digest)
+		s.Equal(wantReferrerAtt.Kind, got.References[0].Kind)
+		s.Equal(wantReferrerAtt.Downloadable, got.References[0].Downloadable)
 	})
 
 	s.T().Run("or it does not exist", func(t *testing.T) {
diff --git a/app/controlplane/internal/biz/referrer_test.go b/app/controlplane/internal/biz/referrer_test.go
@@ -79,18 +79,33 @@ func (s *referrerTestSuite) TestInitialization() {
 }
 
 func (s *referrerTestSuite) TestExtractReferrers() {
+	var fullAttReferrer = &Referrer{
+		Digest: "sha256:1a077137aef7ca208b80c339769d0d7eecacc2850368e56e834cda1750ce413a",
+		Kind:   "ATTESTATION",
+	}
+
+	var withDuplicatedRefferer = &Referrer{
+		Digest: "sha256:47e94045e8ffb5ea9a4939a03a21c5ad26f4ea7d463ac6ec46dac15349f45b3f",
+		Kind:   "ATTESTATION",
+	}
+
+	var withGitSubject = &Referrer{
+		Digest: "sha256:de36d470d792499b1489fc0e6623300fc8822b8f0d2981bb5ec563f8dde723c7",
+		Kind:   "ATTESTATION",
+	}
+
 	testCases := []struct {
 		name      string
 		inputPath string
 		expectErr bool
 		want      []*Referrer
 	}{
 		{
-			name:      "basic",
+			name:      "all materials linked bidirectionally to the attestation",
 			inputPath: "testdata/attestations/full.json",
 			want: []*Referrer{
 				{
-					Digest:       "sha256:1a077137aef7ca208b80c339769d0d7eecacc2850368e56e834cda1750ce413a",
+					Digest:       fullAttReferrer.Digest,
 					Kind:         "ATTESTATION",
 					Downloadable: true,
 					Metadata: map[string]string{
@@ -117,11 +132,14 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 				{
 					Digest: "sha256:264f55a6ff9cec2f4742a9faacc033b29f65c04dd4480e71e23579d484288d61",
 					Kind:   "CONTAINER_IMAGE",
+					// There is a link back to the attestation
+					References: []*Referrer{fullAttReferrer},
 				},
 				{
 					Digest:       "sha256:16159bb881eb4ab7eb5d8afc5350b0feeed1e31c0a268e355e74f9ccbe885e0c",
 					Kind:         "SBOM_CYCLONEDX_JSON",
 					Downloadable: true,
+					References:   []*Referrer{fullAttReferrer},
 				},
 			},
 		},
@@ -167,7 +185,7 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 			inputPath: "testdata/attestations/with-duplicated-sha.json",
 			want: []*Referrer{
 				{
-					Digest:       "sha256:47e94045e8ffb5ea9a4939a03a21c5ad26f4ea7d463ac6ec46dac15349f45b3f",
+					Digest:       withDuplicatedRefferer.Digest,
 					Kind:         "ATTESTATION",
 					Downloadable: true,
 					Metadata: map[string]string{
@@ -196,32 +214,37 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 					},
 				},
 				{
-					Digest: "sha256:264f55a6ff9cec2f4742a9faacc033b29f65c04dd4480e71e23579d484288d61",
-					Kind:   "CONTAINER_IMAGE",
+					Digest:     "sha256:264f55a6ff9cec2f4742a9faacc033b29f65c04dd4480e71e23579d484288d61",
+					Kind:       "CONTAINER_IMAGE",
+					References: []*Referrer{withDuplicatedRefferer},
 				},
 				{
 					Digest:       "sha256:16159bb881eb4ab7eb5d8afc5350b0feeed1e31c0a268e355e74f9ccbe885e0c",
 					Kind:         "SBOM_CYCLONEDX_JSON",
 					Downloadable: true,
+					References:   []*Referrer{withDuplicatedRefferer},
 				},
 				{
 					Digest:       "sha256:264f55a6ff9cec2f4742a9faacc033b29f65c04dd4480e71e23579d484288d61",
 					Kind:         "SBOM_CYCLONEDX_JSON",
 					Downloadable: true,
+					References:   []*Referrer{withDuplicatedRefferer},
 				},
 			},
 		},
 		{
 			name:      "with git subject",
 			inputPath: "testdata/attestations/with-git-subject.json",
 			want: []*Referrer{
+				// NOTE: the result is sorted by kind
 				{
 					Digest:       "sha256:385c4188b9c080499413f2e0fa0b3951ed107b5f0cb35c2f2b1f07a7be9a7512",
 					Kind:         "ARTIFACT",
 					Downloadable: true,
+					References:   []*Referrer{withGitSubject},
 				},
 				{
-					Digest:       "sha256:de36d470d792499b1489fc0e6623300fc8822b8f0d2981bb5ec563f8dde723c7",
+					Digest:       withGitSubject.Digest,
 					Kind:         "ATTESTATION",
 					Downloadable: true,
 					Metadata: map[string]string{
@@ -260,10 +283,9 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 				{
 					Digest: "sha256:fbd9335f55d83d8aaf9ab1a539b0f2a87b444e8c54f34c9a1ca9d7df15605db4",
 					Kind:   "CONTAINER_IMAGE",
-					// the container image is a subject in the attestation
 					References: []*Referrer{
 						{
-							Digest: "sha256:de36d470d792499b1489fc0e6623300fc8822b8f0d2981bb5ec563f8dde723c7",
+							Digest: withGitSubject.Digest,
 							Kind:   "ATTESTATION",
 						},
 					},
@@ -274,7 +296,7 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 					// the git commit a subject in the attestation
 					References: []*Referrer{
 						{
-							Digest: "sha256:de36d470d792499b1489fc0e6623300fc8822b8f0d2981bb5ec563f8dde723c7",
+							Digest: withGitSubject.Digest,
 							Kind:   "ATTESTATION",
 						},
 					},
@@ -283,23 +305,26 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 					Digest:       "sha256:b4bd86d5855f94bcac0a92d3100ae7b85d050bd2e5fb9037a200e5f5f0b073a2",
 					Kind:         "OPENVEX",
 					Downloadable: true,
+					References:   []*Referrer{withGitSubject},
 				},
 				{
 					Digest:       "sha256:c4a63494f9289dd9fd44f841efb4f5b52765c2de6332f2d86e5f6c0340b40a95",
 					Kind:         "SARIF",
 					Downloadable: true,
+					References:   []*Referrer{withGitSubject},
 				},
 				{
 					Digest:       "sha256:16159bb881eb4ab7eb5d8afc5350b0feeed1e31c0a268e355e74f9ccbe885e0c",
 					Kind:         "SBOM_CYCLONEDX_JSON",
 					Downloadable: true,
+					References:   []*Referrer{withGitSubject},
 				},
 			},
 		},
 	}
 
 	for _, tc := range testCases {
-		s.T().Run(tc.name, func(t *testing.T) {
+		s.Run(tc.name, func() {
 			// Load attestation
 			attJSON, err := os.ReadFile(tc.inputPath)
 			require.NoError(s.T(), err)
@@ -313,7 +338,7 @@ func (s *referrerTestSuite) TestExtractReferrers() {
 			}
 
 			require.NoError(s.T(), err)
-			assert.Equal(s.T(), tc.want, got)
+			s.Equal(tc.want, got)
 		})
 	}
 }
