Merge pull request #2622 from joejstuart/appsnapshot-refactor

refactor: migrate application snapshot VSA to per-image implementatio…

Author: joejstuart

cmd/validate/image.go

@@ -26,6 +26,7 @@ import (
 	"strings"
 
 	hd "github.com/MakeNowJust/heredoc"
+	"github.com/google/go-containerregistry/pkg/name"
 	app "github.com/konflux-ci/application-api/api/v1alpha1"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	log "github.com/sirupsen/logrus"
@@ -39,6 +40,7 @@ import (
 	"github.com/conforma/cli/internal/policy"
 	"github.com/conforma/cli/internal/policy/source"
 	"github.com/conforma/cli/internal/utils"
+	"github.com/conforma/cli/internal/utils/oci"
 	validate_utils "github.com/conforma/cli/internal/validate"
 	"github.com/conforma/cli/internal/validate/vsa"
 )
@@ -458,40 +460,45 @@ func validateImageCmd(validate imageValidationFunc) *cobra.Command {
 			}
 
 			if data.vsaEnabled {
-				generator := vsa.NewGenerator(report)
-				writer := vsa.NewWriter()
-				for _, comp := range components {
-					writtenPath, err := vsa.GenerateAndWriteVSA(cmd.Context(), generator, writer, comp)
-					if err != nil {
-						log.Error(err)
-						continue
-					}
+				signer, err := vsa.NewSigner(data.vsaSigningKey, utils.FS(cmd.Context()))
+				if err != nil {
+					log.Error(err)
+					return err
+				}
 
-					signer, err := vsa.NewSigner(data.vsaSigningKey, utils.FS(cmd.Context()))
-					if err != nil {
-						log.Error(err)
-						continue
-					}
+				// Create VSA service
+				vsaService := vsa.NewServiceWithFS(signer, utils.FS(cmd.Context()))
 
-					// Get the git URL safely, defaulting to empty string if GitSource is nil
-					var gitURL string
+				// Define helper functions for getting git URL and digest
+				getGitURL := func(comp applicationsnapshot.Component) string {
 					if comp.Source.GitSource != nil {
-						gitURL = comp.Source.GitSource.URL
+						return comp.Source.GitSource.URL
 					}
+					return ""
+				}
 
-					attestor, err := vsa.NewAttestor(writtenPath, gitURL, comp.ContainerImage, signer)
+				getDigest := func(comp applicationsnapshot.Component) (string, error) {
+					imageRef, err := name.ParseReference(comp.ContainerImage)
 					if err != nil {
-						log.Error(err)
-						continue
+						return "", fmt.Errorf("failed to parse image reference %s: %v", comp.ContainerImage, err)
 					}
-					envelope, err := vsa.AttestVSA(cmd.Context(), attestor, comp)
+
+					digest, err := oci.NewClient(cmd.Context()).ResolveDigest(imageRef)
 					if err != nil {
-						log.Error(err)
-						continue
+						return "", fmt.Errorf("failed to resolve digest for image %s: %v", comp.ContainerImage, err)
 					}
-					log.Infof("[VSA] VSA attested and envelope written to %s", envelope)
+
+					return digest, nil
+				}
+
+				// Process all VSAs using the service
+				err = vsaService.ProcessAllVSAs(cmd.Context(), report, getGitURL, getDigest)
+				if err != nil {
+					log.Errorf("Failed to process VSAs: %v", err)
+					// Don't return error here, continue with the rest of the command
 				}
 			}
+
 			if data.strict && !report.Success {
 				return errors.New("success criteria not met")
 			}

internal/applicationsnapshot/digest.go

@@ -0,0 +1,33 @@
+// Copyright The Conforma Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package applicationsnapshot
+
+import (
+	"crypto/sha256"
+	"fmt"
+
+	"github.com/spf13/afero"
+)
+
+// GetVSAPredicateDigest calculates the sha256 digest of the given file path.
+func GetVSAPredicateDigest(fs afero.Fs, path string) (string, error) {
+	data, err := afero.ReadFile(fs, path)
+	if err != nil {
+		return "", err
+	}
+	return fmt.Sprintf("sha256:%x", sha256.Sum256(data)), nil
+}

internal/applicationsnapshot/report.go

@@ -18,6 +18,7 @@ package applicationsnapshot
 
 import (
 	"bytes"
+	"context"
 	"embed"
 	"encoding/json"
 	"encoding/xml"
@@ -219,11 +220,12 @@ func (r *Report) toFormat(format string) (data []byte, err error) {
 }
 
 func (r *Report) toVSA() ([]byte, error) {
-	vsa, err := NewVSA(*r)
+	generator := NewSnapshotVSAGenerator(*r)
+	predicate, err := generator.GeneratePredicate(context.Background())
 	if err != nil {
 		return []byte{}, err
 	}
-	return json.Marshal(vsa)
+	return json.Marshal(predicate)
 }
 
 // toSummary returns a condensed version of the report.

internal/applicationsnapshot/vsa.go

@@ -17,45 +17,74 @@
 package applicationsnapshot
 
 import (
-	"github.com/in-toto/in-toto-golang/in_toto"
-)
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
 
-const (
-	// Make it visible elsewhere
-	PredicateVSAProvenance = "https://conforma.dev/verification_summary/v1"
-	StatmentVSA            = "https://in-toto.io/Statement/v1"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/afero"
 )
 
-type ProvenanceStatementVSA struct {
-	in_toto.StatementHeader
-	Predicate Report `json:"predicate"`
+// SnapshotVSAWriter handles writing application snapshot VSA predicates to files
+type SnapshotVSAWriter struct {
+	FS            afero.Fs    // defaults to afero.NewOsFs()
+	TempDirPrefix string      // defaults to "snapshot-vsa-"
+	FilePerm      os.FileMode // defaults to 0600
+}
+
+// NewSnapshotVSAWriter creates a new application snapshot VSA file writer
+func NewSnapshotVSAWriter() *SnapshotVSAWriter {
+	return &SnapshotVSAWriter{
+		FS:            afero.NewOsFs(),
+		TempDirPrefix: "snapshot-vsa-",
+		FilePerm:      0o600,
+	}
 }
 
-func NewVSA(report Report) (ProvenanceStatementVSA, error) {
-	subjects, err := getSubjects(report)
+// WritePredicate writes the Report as a VSA predicate to a file
+func (s *SnapshotVSAWriter) WritePredicate(report Report) (string, error) {
+	log.Infof("Writing application snapshot VSA")
+
+	// Serialize with indent
+	data, err := json.MarshalIndent(report, "", "  ")
 	if err != nil {
-		return ProvenanceStatementVSA{}, err
+		return "", fmt.Errorf("failed to marshal application snapshot VSA: %w", err)
 	}
 
-	return ProvenanceStatementVSA{
-		StatementHeader: in_toto.StatementHeader{
-			Type:          StatmentVSA,
-			PredicateType: PredicateVSAProvenance,
-			Subject:       subjects,
-		},
-		Predicate: report,
-	}, nil
-}
+	// Create temp directory
+	tempDir, err := afero.TempDir(s.FS, "", s.TempDirPrefix)
+	if err != nil {
+		return "", fmt.Errorf("failed to create temp directory: %w", err)
+	}
 
-func getSubjects(report Report) ([]in_toto.Subject, error) {
-	statements, err := report.attestations()
+	// Write to file
+	filename := "application-snapshot-vsa.json"
+	filepath := filepath.Join(tempDir, filename)
+	err = afero.WriteFile(s.FS, filepath, data, s.FilePerm)
 	if err != nil {
-		return []in_toto.Subject{}, err
+		return "", fmt.Errorf("failed to write application snapshot VSA to file: %w", err)
 	}
 
-	var subjects []in_toto.Subject
-	for _, stmt := range statements {
-		subjects = append(subjects, stmt.Subject...)
+	log.Infof("Application snapshot VSA written to: %s", filepath)
+	return filepath, nil
+}
+
+type SnapshotVSAGenerator struct {
+	Report Report
+}
+
+// NewSnapshotVSAGenerator creates a new VSA predicate generator for application snapshots
+func NewSnapshotVSAGenerator(report Report) *SnapshotVSAGenerator {
+	return &SnapshotVSAGenerator{
+		Report: report,
 	}
-	return subjects, nil
+}
+
+// GeneratePredicate creates a VSA predicate for the entire application snapshot
+func (s *SnapshotVSAGenerator) GeneratePredicate(ctx context.Context) (Report, error) {
+	log.Infof("Generating application snapshot VSA predicate with %d components", len(s.Report.Components))
+
+	return s.Report, nil
 }