Consolidate vsa processing.

- remove signing in cmd/validate/image.go
- improve testability by creating interfaces
  for writer and generator.

Author: joejstuart

cmd/validate/image.go

@@ -32,15 +32,15 @@ import (
 	"github.com/spf13/cobra"
 	extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 
-	"github.com/enterprise-contract/ec-cli/internal/applicationsnapshot"
-	"github.com/enterprise-contract/ec-cli/internal/evaluator"
-	"github.com/enterprise-contract/ec-cli/internal/format"
-	"github.com/enterprise-contract/ec-cli/internal/output"
-	"github.com/enterprise-contract/ec-cli/internal/policy"
-	"github.com/enterprise-contract/ec-cli/internal/policy/source"
-	"github.com/enterprise-contract/ec-cli/internal/utils"
-	validate_utils "github.com/enterprise-contract/ec-cli/internal/validate"
-	"github.com/enterprise-contract/ec-cli/internal/validate/vsa"
+	"github.com/conforma/cli/internal/applicationsnapshot"
+	"github.com/conforma/cli/internal/evaluator"
+	"github.com/conforma/cli/internal/format"
+	"github.com/conforma/cli/internal/output"
+	"github.com/conforma/cli/internal/policy"
+	"github.com/conforma/cli/internal/policy/source"
+	"github.com/conforma/cli/internal/utils"
+	validate_utils "github.com/conforma/cli/internal/validate"
+	"github.com/conforma/cli/internal/validate/vsa"
 )
 
 type imageValidationFunc func(context.Context, app.SnapshotComponent, *app.SnapshotSpec, policy.Policy, []evaluator.Evaluator, bool) (*output.Output, error)
@@ -249,12 +249,12 @@ func validateImageCmd(validate imageValidationFunc) *cobra.Command {
 						if src.RuleData != nil {
 							rule_data_raw, err = src.RuleData.MarshalJSON()
 							if err != nil {
-								allErrors = errors.Join(allErrors, fmt.Errorf("Unable to parse ruledata to raw data"))
+								allErrors = errors.Join(allErrors, fmt.Errorf("unable to parse ruledata to raw data"))
 								continue
 							}
 							err = json.Unmarshal(rule_data_raw, &unmarshaled)
 							if err != nil {
-								allErrors = errors.Join(allErrors, fmt.Errorf("Unable to parse ruledata into standard JSON object"))
+								allErrors = errors.Join(allErrors, fmt.Errorf("unable to parse ruledata into standard JSON object"))
 								continue
 							}
 						} else {
@@ -264,30 +264,30 @@ func validateImageCmd(validate imageValidationFunc) *cobra.Command {
 						for j := range data.extraRuleData {
 							parts := strings.SplitN(data.extraRuleData[j], "=", 2)
 							if len(parts) < 2 {
-								allErrors = errors.Join(allErrors, fmt.Errorf("Incorrect syntax for --extra-rule-data %d", j))
+								allErrors = errors.Join(allErrors, fmt.Errorf("incorrect syntax for --extra-rule-data %d", j))
 								continue
 							}
 							extraRuleDataPolicyConfig, err := validate_utils.GetPolicyConfig(ctx, parts[1])
 							if err != nil {
-								allErrors = errors.Join(allErrors, fmt.Errorf("Unable to load data from extraRuleData: %s", err.Error()))
+								allErrors = errors.Join(allErrors, fmt.Errorf("unable to load data from extraRuleData: %s", err.Error()))
 								continue
 							}
 							unmarshaled[parts[0]] = extraRuleDataPolicyConfig
 						}
 						rule_data_raw, err = json.Marshal(unmarshaled)
 						if err != nil {
-							allErrors = errors.Join(allErrors, fmt.Errorf("Unable to parse updated ruledata: %s", err.Error()))
+							allErrors = errors.Join(allErrors, fmt.Errorf("unable to parse updated ruledata: %s", err.Error()))
 							continue
 						}
 
 						if rule_data_raw == nil {
-							allErrors = errors.Join(allErrors, fmt.Errorf("Invalid rule data JSON"))
+							allErrors = errors.Join(allErrors, fmt.Errorf("invalid rule data JSON"))
 							continue
 						}
 
 						err = sources[i].RuleData.UnmarshalJSON(rule_data_raw)
 						if err != nil {
-							allErrors = errors.Join(allErrors, fmt.Errorf("Unable to marshal updated JSON: %s", err.Error()))
+							allErrors = errors.Join(allErrors, fmt.Errorf("unable to marshal updated JSON: %s", err.Error()))
 							continue
 						}
 					}
@@ -458,58 +458,11 @@ func validateImageCmd(validate imageValidationFunc) *cobra.Command {
 			}
 
 			if data.vsaEnabled {
-				// For each validated component, generate and write a VSA
-				vsaPkgOpts := vsa.Options{
-					OutputDir:      "./", // TODO: Make configurable or use temp dir
-					SigningKeyPath: data.vsaSigningKey,
-				}
 				for _, comp := range components {
-					// VSA generation
-					log.Debugf("[VSA] Generating predicate for image: %s", comp.ContainerImage)
-					pred, err := vsa.GeneratePredicate(cmd.Context(), report, comp, vsaPkgOpts)
-					if err != nil {
-						log.Errorf("[VSA] Failed to generate predicate for image %s: %v", comp.ContainerImage, err)
-						continue
-					}
-					log.Debugf("[VSA] Predicate generated for image: %s", comp.ContainerImage)
-
-					vsaPath := fmt.Sprintf("%s.vsa.json", comp.ContainerImage) // TODO: sanitize filename
-					log.Debugf("[VSA] Writing VSA to %s", vsaPath)
-					err = vsa.WriteVSA(pred, vsaPath)
-					if err != nil {
-						log.Errorf("[VSA] Failed to write VSA for image %s: %v", comp.ContainerImage, err)
+					if err := processVSA(cmd.Context(), report, comp); err != nil {
+						log.Errorf("[VSA] Error processing VSA for image %s: %v", comp.ContainerImage, err)
 						continue
 					}
-					log.Debugf("[VSA] VSA written to %s", vsaPath)
-
-					if data.vsaSigningKey != "" {
-						log.Debugf("[VSA] Signing VSA for image: %s", comp.ContainerImage)
-						att, err := vsa.SignVSA(cmd.Context(), vsaPath, data.vsaSigningKey, comp.ContainerImage)
-						if err != nil {
-							log.Errorf("[VSA] Failed to sign VSA for image %s: %v", comp.ContainerImage, err)
-							continue
-						}
-						log.Infof("[VSA] Signed attestation for %s", comp.ContainerImage)
-						var uploader vsa.AttestationUploader
-						switch data.vsaUpload {
-						case "oci":
-							uploader = vsa.OCIUploader
-						case "rekor":
-							uploader = vsa.RekorUploader
-						case "none":
-							uploader = vsa.NoopUploader
-						default:
-							log.Errorf("[VSA] Unknown vsa-upload type: %s", data.vsaUpload)
-							continue
-						}
-						uploadResult, err := uploader(cmd.Context(), att, comp.ContainerImage)
-						if err != nil {
-							log.Errorf("[VSA] Failed to upload VSA attestation for image %s: %v", comp.ContainerImage, err)
-							continue
-						}
-						log.Infof("[VSA] VSA attestation uploaded for %s: %s", comp.ContainerImage, uploadResult)
-					}
-					// Rekor upload is skipped for now
 				}
 			}
 			if data.strict && !report.Success {
@@ -627,3 +580,51 @@ func containsOutput(data []string, value string) bool {
 	}
 	return false
 }
+
+// PredicateGenerator defines the interface for generating VSA predicates
+type PredicateGenerator interface {
+	GeneratePredicate(ctx context.Context, report applicationsnapshot.Report, comp applicationsnapshot.Component) (*vsa.Predicate, error)
+}
+
+// VSAWriter defines the interface for writing VSA files
+type VSAWriter interface {
+	WriteVSA(predicate *vsa.Predicate) (string, error)
+}
+
+// generateAndWriteVSA generates a VSA predicate and writes it to a file
+func generateAndWriteVSA(
+	ctx context.Context,
+	report applicationsnapshot.Report,
+	comp applicationsnapshot.Component,
+	generator PredicateGenerator,
+	writer VSAWriter,
+) (string, error) {
+	log.Debugf("[VSA] Generating predicate for image: %s", comp.ContainerImage)
+	pred, err := generator.GeneratePredicate(ctx, report, comp)
+	if err != nil {
+		return "", fmt.Errorf("failed to generate predicate for image %s: %w", comp.ContainerImage, err)
+	}
+	log.Debugf("[VSA] Predicate generated for image: %s", comp.ContainerImage)
+
+	log.Debugf("[VSA] Writing VSA for image: %s", comp.ContainerImage)
+	writtenPath, err := writer.WriteVSA(pred)
+	if err != nil {
+		return "", fmt.Errorf("failed to write VSA for image %s: %w", comp.ContainerImage, err)
+	}
+	log.Debugf("[VSA] VSA written to %s", writtenPath)
+
+	return writtenPath, nil
+}
+
+// processVSA handles the complete VSA generation, signing and upload process for a component
+func processVSA(ctx context.Context, report applicationsnapshot.Report, comp applicationsnapshot.Component) error {
+	generator := vsa.NewGenerator()
+	writer := vsa.NewWriter()
+
+	vsaPath, err := generateAndWriteVSA(ctx, report, comp, generator, writer)
+	log.Infof("[VSA] VSA written to %s", vsaPath)
+	if err != nil {
+		return err
+	}
+	return nil
+}

internal/validate/vsa/vsa.go

@@ -20,6 +20,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"os"
 	"path/filepath"
 	"time"
 
@@ -31,98 +32,109 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/afero"
 
-	"github.com/enterprise-contract/ec-cli/internal/applicationsnapshot"
-	"github.com/enterprise-contract/ec-cli/internal/evaluator"
+	"github.com/conforma/cli/internal/applicationsnapshot"
+	"github.com/conforma/cli/internal/evaluator"
 )
 
-// FS is the filesystem used for all file operations in this package. It defaults to the OS filesystem but can be replaced for testing.
-var FS afero.Fs = afero.NewOsFs()
-
-// Predicate defines the structure of the per-image VSA predicate.
+// Predicate represents a Verification Summary Attestation (VSA) predicate.
 type Predicate struct {
 	ImageRef         string                 `json:"imageRef"`
-	ValidationResult string                 `json:"validationResult"` // "passed" or "failed"
+	ValidationResult string                 `json:"validationResult"`
 	Timestamp        string                 `json:"timestamp"`
 	Verifier         string                 `json:"verifier"`
 	PolicySource     string                 `json:"policySource"`
 	Component        map[string]interface{} `json:"component"`
 	RuleResults      []evaluator.Result     `json:"ruleResults"`
 }
 
-// Options for VSA generation
-// Extend as needed for more context
-// (e.g., output dir, signing key, etc.)
-type Options struct {
-	OutputDir      string
-	SigningKeyPath string
+// Generator handles VSA predicate generation
+type Generator struct{}
+
+// NewGenerator creates a new VSA predicate generator
+func NewGenerator() *Generator {
+	return &Generator{}
 }
 
 // GeneratePredicate creates a Predicate for a validated image/component.
-func GeneratePredicate(ctx context.Context, report applicationsnapshot.Report, component applicationsnapshot.Component, opts Options) (*Predicate, error) {
-	log.Infof("Generating VSA predicate for image: %s", component.ContainerImage)
+func (g *Generator) GeneratePredicate(ctx context.Context, report applicationsnapshot.Report, comp applicationsnapshot.Component) (*Predicate, error) {
+	log.Infof("Generating VSA predicate for image: %s", comp.ContainerImage)
 
 	// Compose the component info as a map
 	componentInfo := map[string]interface{}{
-		"name":           component.Name,
-		"containerImage": component.ContainerImage,
-		"source":         component.Source,
+		"name":           comp.Name,
+		"containerImage": comp.ContainerImage,
+		"source":         comp.Source,
 	}
 
 	// Compose rule results: combine violations, warnings, and successes
-	ruleResults := make([]evaluator.Result, 0, len(component.Violations)+len(component.Warnings)+len(component.Successes))
-	ruleResults = append(ruleResults, component.Violations...)
-	ruleResults = append(ruleResults, component.Warnings...)
-	ruleResults = append(ruleResults, component.Successes...)
+	ruleResults := make([]evaluator.Result, 0, len(comp.Violations)+len(comp.Warnings)+len(comp.Successes))
+	ruleResults = append(ruleResults, comp.Violations...)
+	ruleResults = append(ruleResults, comp.Warnings...)
+	ruleResults = append(ruleResults, comp.Successes...)
 
 	validationResult := "failed"
-	if component.Success {
+	if comp.Success {
 		validationResult = "passed"
 	}
 
 	policySource := ""
-	if report.Policy.PublicKey != "" {
+	if report.Policy.Name != "" {
 		policySource = report.Policy.Name
 	}
 
 	return &Predicate{
-		ImageRef:         component.ContainerImage,
+		ImageRef:         comp.ContainerImage,
 		ValidationResult: validationResult,
 		Timestamp:        time.Now().UTC().Format(time.RFC3339),
-		Verifier:         "Conforma",
+		Verifier:         "ec-cli",
 		PolicySource:     policySource,
 		Component:        componentInfo,
 		RuleResults:      ruleResults,
 	}, nil
 }
 
-// WriteVSA writes the Predicate as a JSON file to the given path.
-func WriteVSA(predicate *Predicate, path string) error {
-	log.Infof("Writing VSA to %s", path)
+// Writer handles VSA file writing
+type Writer struct {
+	FS            afero.Fs    // defaults to the package-level FS or afero.NewOsFs()
+	TempDirPrefix string      // defaults to "vsa-"
+	FilePerm      os.FileMode // defaults to 0600
+}
+
+// NewWriter creates a new VSA file writer
+func NewWriter() *Writer {
+	return &Writer{
+		FS:            afero.NewOsFs(),
+		TempDirPrefix: "vsa-",
+		FilePerm:      0o600,
+	}
+}
+
+// WriteVSA writes the Predicate as a JSON file to a temp directory and returns the path.
+func (w *Writer) WriteVSA(predicate *Predicate) (string, error) {
+	log.Infof("Writing VSA for image: %s", predicate.ImageRef)
+
+	// Serialize with indent
 	data, err := json.MarshalIndent(predicate, "", "  ")
 	if err != nil {
-		return fmt.Errorf("failed to marshal VSA predicate: %w", err)
-	}
-	if err := FS.MkdirAll(filepath.Dir(path), 0755); err != nil {
-		return fmt.Errorf("failed to create VSA output directory: %w", err)
+		return "", fmt.Errorf("failed to marshal VSA predicate: %w", err)
 	}
-	if err := afero.WriteFile(FS, path, data, 0600); err != nil {
-		log.Errorf("Failed to write VSA file: %v", err)
-		return fmt.Errorf("failed to write VSA file: %w", err)
+
+	// Create temp directory using the injected FS and prefix
+	tempDir, err := afero.TempDir(w.FS, "", w.TempDirPrefix)
+	if err != nil {
+		return "", fmt.Errorf("failed to create temp directory: %w", err)
 	}
-	return nil
-}
 
-// For testability, allow dependency injection of key loader and sign function
-// These types match the cosign APIs
+	fullPath := filepath.Join(tempDir, "vsa.json")
 
-type PrivateKeyLoader func(key []byte, pass []byte) (signature.SignerVerifier, error)
-type AttestationSigner func(ctx context.Context, signer signature.SignerVerifier, ref name.Reference, att oci.Signature, opts *cosign.CheckOpts) (name.Digest, error)
+	log.Infof("Writing VSA file to %s", fullPath)
+	// Write file with injected FS and file-permissions
+	if err := afero.WriteFile(w.FS, fullPath, data, w.FilePerm); err != nil {
+		log.Errorf("Failed to write VSA file to %s: %v", fullPath, err)
+		return "", fmt.Errorf("failed to write VSA file: %w", err)
+	}
 
-// SignVSAOptions allows injection for testing
-// If nil, defaults to production cosign implementations
-type SignVSAOptions struct {
-	KeyLoader PrivateKeyLoader
-	SignFunc  AttestationSigner
+	return fullPath, nil
 }
 
 // AttestationUploader is a function that uploads an attestation and returns a result string or error
@@ -147,15 +159,35 @@ func NoopUploader(ctx context.Context, att oci.Signature, location string) (stri
 	return "", nil
 }
 
-// SignVSA signs the VSA file and returns an oci.Signature (does not upload)
-func SignVSA(ctx context.Context, vsaPath, keyPath, imageRef string, opts ...SignVSAOptions) (oci.Signature, error) {
+type PrivateKeyLoader func(key []byte, pass []byte) (signature.SignerVerifier, error)
+type AttestationSigner func(ctx context.Context, signer signature.SignerVerifier, ref name.Reference, att oci.Signature, opts *cosign.CheckOpts) (name.Digest, error)
+
+type Signer struct {
+	FS        afero.Fs          // for reading the VSA file
+	KeyLoader PrivateKeyLoader  // injected loader
+	SignFunc  AttestationSigner // injected cosign API
+}
+
+func NewSigner(fs afero.Fs, loader PrivateKeyLoader, signer AttestationSigner) *Signer {
+	return &Signer{
+		FS:        fs,
+		KeyLoader: loader,
+		SignFunc:  signer,
+	}
+}
+
+// Sign reads the file, loads the key, and returns the signature.
+func (s *Signer) Sign(ctx context.Context, vsaPath, keyPath, imageRef string) (oci.Signature, error) {
 	log.Infof("Signing VSA for image: %s", imageRef)
-	vsaData, err := afero.ReadFile(FS, vsaPath)
+	vsaData, err := afero.ReadFile(s.FS, vsaPath)
 	if err != nil {
 		log.Errorf("Failed to read VSA file: %v", err)
 		return nil, fmt.Errorf("failed to read VSA file: %w", err)
 	}
 	// TODO: Actually sign the attestation using cosign APIs. For now, just create the attestation object.
+	// Example:
+	// signer, err := s.KeyLoader( /* load key bytes from keyPath */ )
+	// attestationSigned, err := s.SignFunc(ctx, signer, ref, att, nil)
 	att, err := static.NewAttestation(vsaData)
 	if err != nil {
 		log.Errorf("Failed to create attestation: %v", err)