fix handling of verify-attestation types for URIs (#2159)

* fix handling of verify-attestation types for URIs Signed-off-by: Akira Saso <sasoakira6114@gmail.com> * test: add a test to verify URI-type attestation Signed-off-by: Akira Saso <sasoakira6114@gmail.com> * test: fix cue used in verify-attstation Signed-off-by: Akira Saso <sasoakira6114@gmail.com> Signed-off-by: Akira Saso <sasoakira6114@gmail.com>
sigstore · Aug 16, 2022 · c61504d · c61504d
1 parent 734869c
commit c61504d
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 12 deletions.
diff --git a/pkg/policy/attestation.go b/pkg/policy/attestation.go
@@ -39,8 +39,9 @@ import (
 // match the attestation.
 func AttestationToPayloadJSON(ctx context.Context, predicateType string, verifiedAttestation oci.Signature) ([]byte, error) {
 	// Check the predicate up front, no point in wasting time if it's invalid.
-	predicateURI, ok := options.PredicateTypeMap[predicateType]
-	if !ok {
+	predicateURI, err := options.ParsePredicateType(predicateType)
+
+	if err != nil {
 		return nil, fmt.Errorf("invalid predicate type: %s", predicateType)
 	}
 
@@ -132,7 +133,11 @@ func AttestationToPayloadJSON(ctx context.Context, predicateType string, verifie
 			return nil, fmt.Errorf("marshaling CosignVulnStatement: %w", err)
 		}
 	default:
-		return nil, fmt.Errorf("unsupported predicate type: %s", predicateType)
+		// Valid URI type reaches here.
+		payload, err = json.Marshal(statement)
+		if err != nil {
+			return nil, fmt.Errorf("generating Statement: %w", err)
+		}
 	}
 	return payload, nil
 }
diff --git a/test/e2e_test.go b/test/e2e_test.go
@@ -212,8 +212,8 @@ func TestAttestVerify(t *testing.T) {
 	attestVerify(t,
 		"slsaprovenance",
 		`{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }`,
-		`builder: id: "1"`,
-		`builder: id: "2"`,
+		`predicate: builder: id: "2"`,
+		`predicate: builder: id: "1"`,
 	)
 }
 
@@ -225,8 +225,8 @@ func TestAttestVerifySPDXJSON(t *testing.T) {
 	attestVerify(t,
 		"spdxjson",
 		string(attestationBytes),
-		`Data: spdxVersion: "SPDX-9.9"`,
-		`Data: spdxVersion: "SPDX-2.2"`,
+		`predicate: Data: spdxVersion: "SPDX-2.2"`,
+		`predicate: Data: spdxVersion: "SPDX-9.9"`,
 	)
 }
 
@@ -238,8 +238,21 @@ func TestAttestVerifyCycloneDXJSON(t *testing.T) {
 	attestVerify(t,
 		"cyclonedx",
 		string(attestationBytes),
-		`Data: specVersion: "7.7"`,
-		`Data: specVersion: "1.4"`,
+		`predicate: Data: specVersion: "1.4"`,
+		`predicate: Data: specVersion: "7.7"`,
+	)
+}
+
+func TestAttestVerifyURI(t *testing.T) {
+	attestationBytes, err := os.ReadFile("./testdata/test-result.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+	attestVerify(t,
+		"https://example.com/TestResult/v1",
+		string(attestationBytes),
+		`predicate: passed: true`,
+		`predicate: passed: false"`,
 	)
 }
 
@@ -248,7 +261,15 @@ func attestVerify(t *testing.T, predicateType, attestation, goodCue, badCue stri
 	defer stop()
 	td := t.TempDir()
 
-	imgName := path.Join(repo, fmt.Sprintf("cosign-attest-%s-e2e-image", predicateType))
+	var imgName, attestationPath string
+	if _, err := url.ParseRequestURI(predicateType); err == nil {
+		// If the predicate type is URI, it cannot be included as image name and path.
+		imgName = path.Join(repo, "cosign-attest-uri-e2e-image")
+		attestationPath = filepath.Join(td, "cosign-attest-uri-e2e-attestation")
+	} else {
+		imgName = path.Join(repo, fmt.Sprintf("cosign-attest-%s-e2e-image", predicateType))
+		attestationPath = filepath.Join(td, fmt.Sprintf("cosign-attest-%s-e2e-attestation", predicateType))
+	}
 
 	_, _, cleanup := mkimage(t, imgName)
 	defer cleanup()
@@ -265,7 +286,6 @@ func attestVerify(t *testing.T, predicateType, attestation, goodCue, badCue stri
 	// Fail case when using without type and policy flag
 	mustErr(verifyAttestation.Exec(ctx, []string{imgName}), t)
 
-	attestationPath := filepath.Join(td, fmt.Sprintf("cosign-attest-%s-e2e-attestation", predicateType))
 	if err := os.WriteFile(attestationPath, []byte(attestation), 0600); err != nil {
 		t.Fatal(err)
 	}
@@ -284,6 +304,7 @@ func attestVerify(t *testing.T, predicateType, attestation, goodCue, badCue stri
 	if err := os.WriteFile(policyPath, []byte(badCue), 0600); err != nil {
 		t.Fatal(err)
 	}
+	mustErr(verifyAttestation.Exec(ctx, []string{imgName}), t)
 
 	// Success case
 	if err := os.WriteFile(policyPath, []byte(goodCue), 0600); err != nil {
@@ -1019,7 +1040,7 @@ func TestSaveLoadAttestation(t *testing.T) {
 	verifyAttestation.PredicateType = "slsaprovenance"
 	verifyAttestation.Policies = []string{policyPath}
 	// Success case (remote)
-	cuePolicy := `builder: id: "2"`
+	cuePolicy := `predicate: builder: id: "2"`
 	if err := os.WriteFile(policyPath, []byte(cuePolicy), 0600); err != nil {
 		t.Fatal(err)
 	}

diff --git a/test/testdata/test-result.json b/test/testdata/test-result.json
@@ -0,0 +1 @@
+{"passed": true}