fix handling of verify-attestation types for URIs

[otms61]

Signed-off-by: Akira Saso sasoakira6114@gmail.com

Summary

Close #2158

Please feel free to close the PR if there is any requirement on verify-attestation.

I made an attestation with URI specified as the following command.

$ cat test-result.json
{"passed": true}

$ COSIGN_EXPERIMENTAL=1 cosign attest --type "https://example.com/TestResult/v1" --predicate test-result.json  otms61/test-custom-attest

Reviews can test this PR.

$ COSIGN_EXPERIMENTAL=1 cosign verify-attestation  --type "https://example.com/TestResult/v1" otms61/test-custom-attest

before

$ ./cosign-darwin-amd64 version
  ______   ______        _______. __    _______ .__   __.
 /      | /  __  \      /       ||  |  /  _____||  \ |  |
|  ,----'|  |  |  |    |   (----`|  | |  |  __  |   \|  |
|  |     |  |  |  |     \   \    |  | |  | |_ | |  . `  |
|  `----.|  `--'  | .----)   |   |  | |  |__| | |  |\   |
 \______| \______/  |_______/    |__|  \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v1.10.1
GitCommit:     a39ce91fadc582e0efce3321744a79ccd3c8b39c
GitTreeState:  clean
BuildDate:     2022-08-04T16:59:14Z
GoVersion:     go1.18.5
Compiler:      gc
Platform:      darwin/amd64

$ COSIGN_EXPERIMENTAL=1 ./cosign-darwin-amd64 verify-attestation  --type "https://example.com/TestResult/v1" otms61/test-custom-attest
Error: converting to consumable policy validation: invalid predicate type: https://example.com/TestResult/v1
main.go:62: error during command execution: converting to consumable policy validation: invalid predicate type: https://example.com/TestResult/v1

after

$ COSIGN_EXPERIMENTAL=1 ./cosign verify-attestation  --type "https://example.com/TestResult/v1" otms61/test-custom-attest


Verification for otms61/test-custom-attest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
Certificate subject:  sasoakira6114@gmail.com
Certificate issuer URL:  https://accounts.google.com
{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2V4YW1wbGUuY29tL1Rlc3RSZXN1bHQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoiaW5kZXguZG9ja2VyLmlvL290bXM2MS90ZXN0LWN1c3RvbS1hdHRlc3QiLCJkaWdlc3QiOnsic2hhMjU2IjoiOTIyNTE0NTgwODhjNjM4MDYxY2RhOGZkOGI0MDNiNzZkNjYxYTRkYzZiN2VlNzFiNmFmZmNmMTg3MjU1N2IyYiJ9fV0sInByZWRpY2F0ZSI6eyJwYXNzZWQiOnRydWV9fQ==","signatures":[{"keyid":"","sig":"MEYCIQDq+COzci2fcmRHZk9P5Q9FzvfgNYJ7a/gvQbQo5tjNlQIhAMeflNARYm5HHc1QXUfayrlQVFOB7RvOjsGMl9vYMZQB"}]}

Release Note

Documentation

[codecov-commenter]

Codecov Report

Merging #2159 (fee1370) into main (128f8fb) will decrease coverage by 0.01%.
The diff coverage is 37.50%.

@@            Coverage Diff             @@
##             main    #2159      +/-   ##
==========================================
- Coverage   26.28%   26.26%   -0.02%     
==========================================
  Files         130      130              
  Lines        7602     7615      +13     
==========================================
+ Hits         1998     2000       +2     
- Misses       5347     5359      +12     
+ Partials      257      256       -1     

Impacted Files	Coverage Δ
pkg/policy/attestation.go	37.63% <37.50%> (-1.01%)	⬇️
cmd/cosign/cli/verify/verify_blob.go	9.72% <0.00%> (-0.16%)	⬇️
cmd/cosign/cli/verify/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify_attestation.go	0.00% <0.00%> (ø)
pkg/cosign/tlog.go	31.22% <0.00%> (+1.15%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[priyawadhwa]

Looks good! Maybe we could add a quick test for this? https://github.com/sigstore/cosign/blob/main/test/e2e_test.go

[otms61]

Thanks for your review! I'll try.

[otms61]

I have added a test to verify URI-type attestation.
And, I have made the following modifications. If this is unnecessary work, please feel free to point it out. I will revert the commit.

• The verify-attestation command was not executed for badCue, so I made it execute.
• The value of goodCue (maybe) unintendedly passed, so I rewrote the value.
• I rewrote the value for badCue as well.

I am not familiar with CUE, but I noticed the following behavior.
As you can see in the example below, CUE was passing through the wrong data path.

When the correct path and correct value, the command pass.

$ cat test-payload.json
{
  "predicate": {
    "Data": {
      "bomFormat": "CycloneDX",
      "specVersion": "1.4"
    }
  }
}

$ cat valid.cue
predicate: Data: specVersion: "1.4"

$ cue vet test-payload.json valid.cue

$

When the correct path and wrong value, the command don't pass.

$ cat invalid.cue
predicate: Data: specVersion: "7.4"

$ cue vet test-payload.json invalid.cue
predicate.Data.specVersion: conflicting values "7.4" and "1.4":
    ./invalid.cue:1:31
    ./test-payload.json:5:22

$

When the wrong path, the command pass.

$ cat current.cue
Data: specVersion: "7.4"

$ cue vet test-payload.json current.cue

$

The data path used in goodCue was wrong, so the test passed.
The following figure shows the json data, which CUE is applied when TestAttestVerifyCycloneDXJSON. You can see that the value is in predicate.Data.specVersion, not Data.specVersion.

payload

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://cyclonedx.org/schema",
  "subject": [
    {
      "name": "127.0.0.1:59647/cosign-attest-cyclonedx-e2e-image",
      "digest": {
        "sha256": "731a9ea8309ada1d7c57abb3cbe018c629e5202fe94c42d1a19bd70aaf6f4c8a"
      }
    }
  ],
  "predicate": {
    "Data": {
      "bomFormat": "CycloneDX",
      "components": [],
      "dependencies": [],
      "metadata": {},
      "serialNumber": "urn:uuid:9b0c2427-be94-439c-82e5-8928db124270",
      "specVersion": "1.4",
      "version": 1
    },
    "Timestamp": ""
  }
}