feat(materials): support zipped junit XML files (#1640)

Signed-off-by: Jose I. Paris <[email protected]>

Author: jiparis

pkg/attestation/crafter/api/attestation/v1/crafting_state.go

@@ -26,8 +26,8 @@ import (
 
 	v1 "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
 	"github.com/chainloop-dev/chainloop/pkg/attestation/crafter/materials/jacoco"
+	materialsjunit "github.com/chainloop-dev/chainloop/pkg/attestation/crafter/materials/junit"
 	intoto "github.com/in-toto/attestation/go/v1"
-	"github.com/joshdk/go-junit"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"google.golang.org/protobuf/types/known/structpb"
 )
@@ -85,7 +85,8 @@ func (m *Attestation_Material) GetEvaluableContent(value string) ([]byte, error)
 			rawMaterial = m.GetArtifact().GetContent()
 		} else if value == "" {
 			return nil, errors.New("artifact path required")
-		} else if m.MaterialType != v1.CraftingSchema_Material_HELM_CHART {
+		} else if m.MaterialType != v1.CraftingSchema_Material_HELM_CHART &&
+			m.MaterialType != v1.CraftingSchema_Material_JUNIT_XML {
 			// read content from local filesystem (except for tgz charts)
 			rawMaterial, err = os.ReadFile(value)
 			if err != nil {
@@ -110,7 +111,7 @@ func (m *Attestation_Material) GetEvaluableContent(value string) ([]byte, error)
 	// For XML based materials, we need to ingest them and read as json-like structure
 	switch m.MaterialType {
 	case v1.CraftingSchema_Material_JUNIT_XML:
-		suites, err := junit.Ingest(rawMaterial)
+		suites, err := materialsjunit.Ingest(value)
 		if err != nil {
 			return nil, fmt.Errorf("failed to ingest junit xml: %w", err)
 		}

pkg/attestation/crafter/materials/junit/junit.go

@@ -0,0 +1,121 @@
+//
+// Copyright 2024 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package junit
+
+import (
+	"archive/zip"
+	"bufio"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/joshdk/go-junit"
+)
+
+func Ingest(filePath string) ([]junit.Suite, error) {
+	var suites []junit.Suite
+
+	// read first chunk
+	f, err := os.Open(filePath)
+	if err != nil {
+		return nil, fmt.Errorf("opening file %q: %w", filePath, err)
+	}
+	r := bufio.NewReader(f)
+
+	buf := make([]byte, 512)
+	_, err = io.ReadFull(r, buf)
+	if err != nil && !errors.Is(err, io.ErrUnexpectedEOF) {
+		return nil, fmt.Errorf("reading file %q: %w", filePath, err)
+	}
+	_ = f.Close()
+
+	// check if it's a zip file and try to ingest all its contents
+	mime := http.DetectContentType(buf)
+	switch strings.Split(mime, ";")[0] {
+	case "application/zip":
+		suites, err = ingestArchive(filePath)
+		if err != nil {
+			return nil, fmt.Errorf("could not ingest JUnit XML: %w", err)
+		}
+	case "text/xml", "application/xml":
+		suites, err = junit.IngestFile(filePath)
+		if err != nil {
+			if errors.Is(err, fs.ErrNotExist) {
+				return nil, fmt.Errorf("invalid file path: %w", err)
+			}
+			return nil, fmt.Errorf("invalid JUnit XML file: %w", err)
+		}
+	default:
+		return nil, fmt.Errorf("invalid JUnit XML file: %s", filePath)
+	}
+
+	return suites, nil
+}
+
+func ingestArchive(filename string) ([]junit.Suite, error) {
+	archive, err := zip.OpenReader(filename)
+	if err != nil {
+		return nil, fmt.Errorf("could not open zip archive: %w", err)
+	}
+	defer archive.Close()
+	dir, err := os.MkdirTemp("", "junit")
+	if err != nil {
+		return nil, fmt.Errorf("could not create temporary directory: %w", err)
+	}
+	for _, zf := range archive.File {
+		if zf.FileInfo().IsDir() {
+			continue
+		}
+		// extract file to dir
+		// nolint: gosec
+		path := filepath.Join(dir, zf.Name)
+
+		// Check for ZipSlip (Directory traversal)
+		if !strings.HasPrefix(path, filepath.Clean(dir)+string(os.PathSeparator)) {
+			return nil, fmt.Errorf("illegal file path: %s", path)
+		}
+
+		f, err := os.Create(path)
+		if err != nil {
+			return nil, fmt.Errorf("could not open file %s: %w", path, err)
+		}
+
+		rc, err := zf.Open()
+		if err != nil {
+			return nil, fmt.Errorf("could not open file %s: %w", path, err)
+		}
+
+		_, err = f.ReadFrom(rc)
+		if err != nil {
+			return nil, fmt.Errorf("could not read file %s: %w", path, err)
+		}
+
+		rc.Close()
+		f.Close()
+	}
+
+	suites, err := junit.IngestDir(dir)
+	if err != nil {
+		return nil, fmt.Errorf("could not ingest JUnit XML: %w", err)
+	}
+
+	return suites, nil
+}

pkg/attestation/crafter/materials/junit_xml.go

@@ -17,14 +17,12 @@ package materials
 
 import (
 	"context"
-	"errors"
 	"fmt"
-	"io/fs"
 
 	schemaapi "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
 	"github.com/chainloop-dev/chainloop/internal/casclient"
 	api "github.com/chainloop-dev/chainloop/pkg/attestation/crafter/api/attestation/v1"
-	junit "github.com/joshdk/go-junit"
+	materialsjunit "github.com/chainloop-dev/chainloop/pkg/attestation/crafter/materials/junit"
 	"github.com/rs/zerolog"
 )
 
@@ -50,13 +48,9 @@ func (i *JUnitXMLCrafter) Craft(ctx context.Context, filePath string) (*api.Atte
 }
 
 func (i *JUnitXMLCrafter) validate(filePath string) error {
-	suites, err := junit.IngestFile(filePath)
+	suites, err := materialsjunit.Ingest(filePath)
 	if err != nil {
-		if errors.Is(err, fs.ErrNotExist) {
-			return fmt.Errorf("invalid file path: %w", err)
-		}
-		i.logger.Debug().Err(err).Msgf("error decoding file: %s", filePath)
-		return fmt.Errorf("invalid JUnit XML file: %w", ErrInvalidMaterialType)
+		return fmt.Errorf("failed to ingest JUnit XML: %w", err)
 	}
 
 	if len(suites) == 0 {

pkg/attestation/crafter/materials/junit_xml_test.go

@@ -18,6 +18,7 @@ package materials_test
 
 import (
 	"context"
+	"path/filepath"
 	"testing"
 
 	contractAPI "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
@@ -69,6 +70,7 @@ func TestJUnitXMLCraft(t *testing.T) {
 		name     string
 		filePath string
 		wantErr  string
+		digest   string
 	}{
 		{
 			name:     "invalid path",
@@ -78,16 +80,22 @@ func TestJUnitXMLCraft(t *testing.T) {
 		{
 			name:     "invalid artifact type",
 			filePath: "./testdata/simple.txt",
-			wantErr:  "unexpected material type",
+			wantErr:  "invalid JUnit XML file",
 		},
 		{
 			name:     "invalid artifact type",
 			filePath: "./testdata/junit-invalid.xml",
-			wantErr:  "unexpected material type",
+			wantErr:  "invalid JUnit XML file",
 		},
 		{
 			name:     "valid artifact type",
 			filePath: "./testdata/junit.xml",
+			digest:   "sha256:e9c941b25c06d8bd98205122cbc827504c6d03d37b7f4afd7ed03b3eeec789e2",
+		},
+		{
+			name:     "valid artifact type zip",
+			filePath: "./testdata/tests.zip",
+			digest:   "sha256:1b00f89a6f23f2e99c207ce90e11dcd41ac4e754d44e81f50f295e858692e96b",
 		},
 	}
 
@@ -125,9 +133,9 @@ func TestJUnitXMLCraft(t *testing.T) {
 			assert.True(got.UploadedToCas)
 
 			// The result includes the digest reference
-			assert.Equal(got.GetArtifact(), &attestationApi.Attestation_Material_Artifact{
-				Id: "test", Digest: "sha256:e9c941b25c06d8bd98205122cbc827504c6d03d37b7f4afd7ed03b3eeec789e2", Name: "junit.xml",
-			})
+			assert.Equal(&attestationApi.Attestation_Material_Artifact{
+				Id: "test", Digest: tc.digest, Name: filepath.Base(tc.filePath),
+			}, got.GetArtifact())
 		})
 	}
 }