Generate predicates from protobuf (#239)

* Add provenance predicate proto definition

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Generate protos

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Use new proto generated predicates

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Update tests for new proto predicates

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

Author: puerco

proto/v1/provenance.proto

@@ -0,0 +1,50 @@
+// SPDX-FileCopyrightText: Copyright 2025 The SLSA Authors
+// SPDX-License-Identifier: Apache-2.0
+
+syntax = "proto3";
+package ampel.v1;
+
+import "google/protobuf/timestamp.proto";
+
+option go_package = "github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/provenance";
+
+// The predicate that encodes source provenance data.
+// The git commit this corresponds to is encoded in the surrounding statement.
+message SourceProvenancePred {
+	// The commit preceding 'Commit' in the current context.
+	string prev_commit = 1;
+	string repo_uri = 2;
+    string activity_type = 3;
+    string actor = 4;
+    string branch = 5;
+    optional google.protobuf.Timestamp created_on = 6;
+	// TODO: get the author of the PR (if this was from a PR).
+
+	// The controls enabled at the time this commit was pushed.
+    repeated Control controls = 7;
+}
+
+message Control  {
+	// The name of the control
+	string name = 1;
+	// The time from which this control has been continuously enforced/observed.
+    google.protobuf.Timestamp since = 2;
+}
+
+message TagProvenancePred {
+	string repo_uri = 1;
+	string actor = 2;
+	string tag = 3;
+	optional google.protobuf.Timestamp created_on = 4;
+
+	// The tag related controls enabled at the time this tag was created/updated.
+	repeated Control controls = 7;
+	repeated VsaSummary vsa_summaries = 8;
+}
+
+// Summary of a summary
+message VsaSummary {
+	repeated string source_refs = 1;
+	repeated string verifiedLevels = 2;
+}
+

sourcetool/internal/cmd/audit.go

@@ -140,11 +140,11 @@ func printResult(ghc *ghcontrol.GitHubConnection, ar *audit.AuditCommitResult, m
 	}
 	if ar.ProvPred != nil {
 		fmt.Print("\tprov:\n")
-		fmt.Printf("\t\tcontrols: %v\n", ar.ProvPred.Controls)
-		if ar.ProvPred.PrevCommit == ar.GhPriorCommit {
+		fmt.Printf("\t\tcontrols: %v\n", ar.ProvPred.GetControls())
+		if ar.ProvPred.GetPrevCommit() == ar.GhPriorCommit {
 			fmt.Printf("\t\tPrevCommit matches GH commit: true\n")
 		} else {
-			fmt.Printf("\t\tPrevCommit matches GH commit: false: %s != %s\n", ar.ProvPred.PrevCommit, ar.GhPriorCommit)
+			fmt.Printf("\t\tPrevCommit matches GH commit: false: %s != %s\n", ar.ProvPred.GetPrevCommit(), ar.GhPriorCommit)
 		}
 	} else {
 		fmt.Printf("\tprov: none\n")

sourcetool/pkg/attest/provenance.go

@@ -3,7 +3,6 @@ package attest
 import (
 	"bufio"
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"log"
@@ -13,7 +12,9 @@ import (
 
 	spb "github.com/in-toto/attestation/go/v1"
 	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/structpb"
+	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/ghcontrol"
 	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/provenance"
@@ -46,7 +47,7 @@ func GetSourceProvPred(statement *spb.Statement) (*provenance.SourceProvenancePr
 
 	var predStruct provenance.SourceProvenancePred
 	// Using regular json.Unmarshal because this is just a regular struct.
-	err = json.Unmarshal(predJson, &predStruct)
+	err = protojson.Unmarshal(predJson, &predStruct)
 	if err != nil {
 		return nil, fmt.Errorf("unmarshaling predicate: %w", err)
 	}
@@ -73,7 +74,7 @@ func GetTagProvPred(statement *spb.Statement) (*provenance.TagProvenancePred, er
 
 	var predStruct provenance.TagProvenancePred
 	// Using regular json.Unmarshal because this is just a regular struct.
-	err = json.Unmarshal(predJson, &predStruct)
+	err = protojson.Unmarshal(predJson, &predStruct)
 	if err != nil {
 		return nil, fmt.Errorf("unmarshaling predicate: %w", err)
 	}
@@ -84,10 +85,16 @@ func GetTagProvPred(statement *spb.Statement) (*provenance.TagProvenancePred, er
 }
 
 func addPredToStatement(provPred any, predicateType, commit string) (*spb.Statement, error) {
-	// Using regular json.Marshal because this is just a regular struct and not from a proto.
-	predJson, err := json.Marshal(provPred)
+	msg, ok := provPred.(proto.Message)
+	if !ok {
+		return nil, fmt.Errorf("unable to serialize predicate as proto message")
+	}
+	predJson, err := protojson.MarshalOptions{
+		Multiline: true,
+		Indent:    "  ",
+	}.Marshal(msg)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("marshaling predicate proto: %w", err)
 	}
 
 	sub := []*spb.ResourceDescriptor{{
@@ -125,11 +132,11 @@ func (pa ProvenanceAttestor) createCurrentProvenance(ctx context.Context, commit
 	curProvPred.Actor = controlStatus.ActorLogin
 	curProvPred.ActivityType = controlStatus.ActivityType
 	curProvPred.Branch = ref
-	curProvPred.CreatedOn = curTime
+	curProvPred.CreatedOn = timestamppb.New(curTime)
 	curProvPred.Controls = controlStatus.Controls
 
 	// At the very least provenance is available starting now. :)
-	curProvPred.Controls.AddControl(&slsa.Control{Name: slsa.ProvenanceAvailable, Since: curTime})
+	curProvPred.AddControl(&provenance.Control{Name: slsa.ProvenanceAvailable.String(), Since: timestamppb.New(curTime)})
 
 	return addPredToStatement(&curProvPred, provenance.SourceProvPredicateType, commit)
 }
@@ -170,7 +177,7 @@ func (pa ProvenanceAttestor) getProvFromReader(reader *BundleReader, commit, ref
 		if err != nil {
 			return nil, nil, err
 		}
-		if pa.gh_connection.GetRepoUri() == provPred.RepoUri && (ref == ghcontrol.AnyReference || provPred.Branch == ref) {
+		if pa.gh_connection.GetRepoUri() == provPred.GetRepoUri() && (ref == ghcontrol.AnyReference || provPred.GetBranch() == ref) {
 			// Should be good!
 			return stmt, provPred, nil
 		} else {
@@ -223,13 +230,13 @@ func (pa ProvenanceAttestor) CreateSourceProvenance(ctx context.Context, prevAtt
 
 	// There was prior provenance, so update the Since field for each property
 	// to the oldest encountered.
-	for i, curControl := range curProvPred.Controls {
-		prevControl := prevProvPred.Controls.GetControl(curControl.Name)
+	for i, curControl := range curProvPred.GetControls() {
+		prevControl := prevProvPred.GetControl(curControl.GetName())
 		// No prior version of this control
 		if prevControl == nil {
 			continue
 		}
-		curControl.Since = slsa.EarlierTime(curControl.Since, prevControl.Since)
+		curControl.Since = timestamppb.New(slsa.EarlierTime(curControl.GetSince().AsTime(), prevControl.GetSince().AsTime()))
 		// Update the value.
 		curProvPred.Controls[i] = curControl
 	}
@@ -259,8 +266,6 @@ func (pa ProvenanceAttestor) CreateTagProvenance(ctx context.Context, commit, re
 		return nil, nil
 	}
 
-	curTime := time.Now()
-
 	vsaRefs, err := GetSourceRefsForCommit(vsaStatement, commit)
 	if err != nil {
 		return nil, fmt.Errorf("error getting source refs from vsa %w", err)
@@ -270,12 +275,12 @@ func (pa ProvenanceAttestor) CreateTagProvenance(ctx context.Context, commit, re
 		RepoUri:   pa.gh_connection.GetRepoUri(),
 		Actor:     actor,
 		Tag:       ref,
-		CreatedOn: curTime,
+		CreatedOn: timestamppb.Now(),
 		Controls:  controlStatus.Controls,
-		VsaSummaries: []provenance.VsaSummary{
+		VsaSummaries: []*provenance.VsaSummary{
 			{
 				SourceRefs:     vsaRefs,
-				VerifiedLevels: slsa.StringsToControlNames(vsaPred.GetVerifiedLevels()),
+				VerifiedLevels: vsaPred.GetVerifiedLevels(),
 			},
 		},
 	}

sourcetool/pkg/attest/provenance_test.go

@@ -2,13 +2,14 @@ package attest
 
 import (
 	"encoding/json"
-	"reflect"
 	"testing"
 	"time"
 
 	"github.com/google/go-github/v69/github"
 	"github.com/migueleliasweb/go-github-mock/src/mock"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/ghcontrol"
 	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/provenance"
@@ -36,7 +37,7 @@ func conditionsForTagImmutability() *github.RepositoryRulesetConditions {
 
 func createTestProv(t *testing.T, repoUri, ref, commit string) string {
 	provPred := provenance.SourceProvenancePred{RepoUri: repoUri, Branch: ref, ActivityType: "pr_merge", Actor: "test actor"}
-	stmt, err := addPredToStatement(provPred, provenance.SourceProvPredicateType, commit)
+	stmt, err := addPredToStatement(&provPred, provenance.SourceProvPredicateType, commit)
 	if err != nil {
 		t.Fatalf("failure creating test prov: %v", err)
 	}
@@ -98,34 +99,38 @@ func timesEqualWithinMargin(t1, t2 time.Time, margin time.Duration) bool {
 }
 
 func assertTagProvPredsEqual(t *testing.T, actual, expected *provenance.TagProvenancePred) {
-	if actual.Actor != expected.Actor {
-		t.Errorf("Actor %v does not match expected value %v", actual.Actor, expected.Actor)
+	if actual.GetActor() != expected.GetActor() {
+		t.Errorf("Actor %v does not match expected value %v", actual.GetActor(), expected.GetActor())
 	}
 
-	if actual.RepoUri != expected.RepoUri {
-		t.Errorf("RepoUri %v does not match expected value %v", actual.RepoUri, expected.RepoUri)
+	if actual.GetRepoUri() != expected.GetRepoUri() {
+		t.Errorf("RepoUri %v does not match expected value %v", actual.GetRepoUri(), expected.GetRepoUri())
 	}
 
-	if actual.Tag != expected.Tag {
-		t.Errorf("Tag %v does not match expected value %v", actual.Tag, expected.Tag)
+	if actual.GetTag() != expected.GetTag() {
+		t.Errorf("Tag %v does not match expected value %v", actual.GetTag(), expected.GetTag())
 	}
 
-	if timesEqualWithinMargin(actual.CreatedOn, expected.CreatedOn, 5*time.Second) {
-		t.Errorf("CreatedOn %v does not match expected value %v", actual.CreatedOn, expected.CreatedOn)
+	if timesEqualWithinMargin(actual.GetCreatedOn().AsTime(), expected.GetCreatedOn().AsTime(), 5*time.Second) {
+		t.Errorf("CreatedOn %v does not match expected value %v", actual.GetCreatedOn(), expected.GetCreatedOn())
 	}
 
-	if len(actual.Controls) != len(expected.Controls) {
-		t.Errorf("Control %v does not match expected value %v", actual.Controls, expected.Controls)
+	if len(actual.GetControls()) != len(expected.GetControls()) {
+		t.Errorf("Control %v does not match expected value %v", actual.GetControls(), expected.GetControls())
 	} else {
-		for ci := range actual.Controls {
-			if !timesEqualWithinMargin(actual.Controls[ci].Since, expected.Controls[ci].Since, time.Second) {
+		for ci := range actual.GetControls() {
+			if !timesEqualWithinMargin(actual.GetControls()[ci].GetSince().AsTime(), expected.GetControls()[ci].GetSince().AsTime(), time.Second) {
 				t.Errorf("control at [%d]'s time %v does not match expected time %v", ci,
-					actual.Controls[ci].Since, expected.Controls[ci].Since)
+					actual.GetControls()[ci].GetSince(), expected.GetControls()[ci].GetSince())
 			}
 		}
 	}
-	if !reflect.DeepEqual(actual.VsaSummaries, expected.VsaSummaries) {
-		t.Errorf("VsaSummaries %v does not match expected value %v", actual.VsaSummaries, expected.VsaSummaries)
+
+	require.Len(t, actual.GetVsaSummaries(), len(expected.GetVsaSummaries()))
+	for i := range actual.GetVsaSummaries() {
+		if !proto.Equal(actual.GetVsaSummaries()[i], expected.GetVsaSummaries()[i]) {
+			t.Errorf("VsaSummaries %v does not match expected value %v", actual.GetVsaSummaries(), expected.GetVsaSummaries())
+		}
 	}
 }
 
@@ -204,17 +209,17 @@ func TestCreateTagProvenance(t *testing.T) {
 		RepoUri:   "https://github.com/owner/repo",
 		Actor:     "the-tag-pusher",
 		Tag:       "refs/tags/v1",
-		CreatedOn: rulesetOldTime,
-		Controls: []slsa.Control{
+		CreatedOn: timestamppb.New(rulesetOldTime),
+		Controls: []*provenance.Control{
 			{
 				Name:  "TAG_HYGIENE",
-				Since: rulesetOldTime,
+				Since: timestamppb.New(rulesetOldTime),
 			},
 		},
-		VsaSummaries: []provenance.VsaSummary{
+		VsaSummaries: []*provenance.VsaSummary{
 			{
 				SourceRefs:     []string{"refs/some/ref"},
-				VerifiedLevels: []slsa.ControlName{"TEST_LEVEL"},
+				VerifiedLevels: []string{"TEST_LEVEL"},
 			},
 		},
 	}

sourcetool/pkg/audit/audit.go

@@ -35,7 +35,7 @@ func (ar *AuditCommitResult) IsGood() bool {
 	// Have to have provenance
 	if ar.ProvPred == nil {
 		good = false
-	} else if ar.ProvPred.PrevCommit != ar.GhPriorCommit {
+	} else if ar.ProvPred.GetPrevCommit() != ar.GhPriorCommit {
 		// Commits need to be the same.
 		good = false
 	}