From 34a009e95ffb7a4985da61cf913da33931a11d2f Mon Sep 17 00:00:00 2001
From: Akira Saso
Date: Sat, 13 Aug 2022 14:24:45 +0900
Subject: [PATCH 1/3] fix handling of verify-attestation types for URIs

Signed-off-by: Akira Saso
---
 pkg/policy/attestation.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/pkg/policy/attestation.go b/pkg/policy/attestation.go
index 740e03e4848..8620a8c5654 100644
--- a/pkg/policy/attestation.go
+++ b/pkg/policy/attestation.go
@@ -39,8 +39,9 @@ import (
 // match the attestation.
 func AttestationToPayloadJSON(ctx context.Context, predicateType string, verifiedAttestation oci.Signature) ([]byte, error) {
 // Check the predicate up front, no point in wasting time if it's invalid.
- predicateURI, ok := options.PredicateTypeMap[predicateType]
- if !ok {
+ predicateURI, err := options.ParsePredicateType(predicateType)
+
+if err != nil {
 return nil, fmt.Errorf("invalid predicate type: %s", predicateType)
 }
 
@@ -132,7 +133,11 @@ func AttestationToPayloadJSON(ctx context.Context, predicateType string, verifie
 return nil, fmt.Errorf("marshaling CosignVulnStatement: %w", err)
 }
 default:
- return nil, fmt.Errorf("unsupported predicate type: %s", predicateType)
+ // Valid URI type reaches here.
+ payload, err = json.Marshal(statement)
+ if err != nil {
+ return nil, fmt.Errorf("generating Statement: %w", err)
+ }
 }
 return payload, nil
 }
From 339b8895338561960df9d6fb850c458569d00ba9 Mon Sep 17 00:00:00 2001
From: Akira Saso
Date: Tue, 16 Aug 2022 12:26:51 +0900
Subject: [PATCH 2/3] test: add a test to verify URI-type attestation

Signed-off-by: Akira Saso
---
 test/e2e_test.go | 24 ++++++++++++++++++++++--
 test/testdata/test-result.json | 1 +
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 test/testdata/test-result.json

diff --git a/test/e2e_test.go b/test/e2e_test.go
index 1f97cd8f59a..379886ef798 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
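Review bot: The error returned by options.ParsePredicateType is discarded on the `return nil, fmt.Errorf("invalid predicate type: %s", predicateType)` line, so a caller only learns that the type was rejected, not why the parser rejected it; wrap it with `return nil, fmt.Errorf("invalid predicate type %q: %w", predicateType, err)`. The blank line inserted between the assignment and `if err != nil {` also departs from the usual Go layout, where the check directly follows the call. AttestationToPayloadJSON's body continues outside the hunk, so whether predicateURI is still compared against the attestation's own predicate type further down is not visible here.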
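Review bot: The `// Valid URI type reaches here.` comment in the default case states an assumption the branch itself cannot check: every predicateType that options.ParsePredicateType accepts and that no earlier case names now yields a payload, where it previously failed closed with "unsupported predicate type". That appears to be the intent, but the comment should record what the branch relies on, e.g. `// Custom URI predicate types (accepted by ParsePredicateType, no dedicated case above) land here; the statement is marshaled as-is rather than through a type-specific struct like the cases above.` The error text `fmt.Errorf("generating Statement: %w", err)` also breaks with the sibling wording visible in the hunk ("marshaling CosignVulnStatement"); `fmt.Errorf("marshaling Statement: %w", err)` keeps the messages consistent. The earlier cases of this switch, and any check of the statement's predicateType against predicateURI, lie outside the hunk.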
@@ -243,12 +243,33 @@ func TestAttestVerifyCycloneDXJSON(t *testing.T) {
 )
 }
 
+func TestAttestVerifyURI(t *testing.T) {
+ attestationBytes, err := os.ReadFile("./testdata/test-result.json")
+ if err != nil {
+ t.Fatal(err)
+ }
+ attestVerify(t,
+ "https://example.com/TestResult/v1",
+ string(attestationBytes),
+ `predicate: passed: true`,
+ `predicate: passed: false"`,
+ )
+}
+
 func attestVerify(t *testing.T, predicateType, attestation, goodCue, badCue string) {
 repo, stop := reg(t)
 defer stop()
 td := t.TempDir()
 
- imgName := path.Join(repo, fmt.Sprintf("cosign-attest-%s-e2e-image", predicateType))
+ var imgName, attestationPath string
+ if _, err := url.ParseRequestURI(predicateType); err == nil {
+ // If the predicate type is URI, it cannot be included as image name and path.
+ imgName = path.Join(repo, "cosign-attest-uri-e2e-image")
+ attestationPath = filepath.Join(td, "cosign-attest-uri-e2e-attestation")
+ } else {
+ imgName = path.Join(repo, fmt.Sprintf("cosign-attest-%s-e2e-image", predicateType))
+ attestationPath = filepath.Join(td, fmt.Sprintf("cosign-attest-%s-e2e-attestation", predicateType))
+ }
 _, _, cleanup := mkimage(t, imgName)
 defer cleanup()
 
@@ -265,7 +286,6 @@ func attestVerify(t *testing.T, predicateType, attestation, goodCue, badCue stri
 // Fail case when using without type and policy flag
 mustErr(verifyAttestation.Exec(ctx, []string{imgName}), t)
 
- attestationPath := filepath.Join(td, fmt.Sprintf("cosign-attest-%s-e2e-attestation", predicateType))
 if err := os.WriteFile(attestationPath, []byte(attestation), 0600); err != nil {
 t.Fatal(err)
 }
diff --git a/test/testdata/test-result.json b/test/testdata/test-result.json
new file mode 100644
index 00000000000..037e18c8187
--- /dev/null
+++ b/test/testdata/test-result.json
@@ -0,0 +1 @@
+{"passed": true}
From fee13709de7b798acc1d274a82b4f446feff42fb Mon Sep 17 00:00:00 2001
From: Akira Saso
Date: Tue, 16 Aug 2022 13:07:05 +0900
Subject: [PATCH 3/3] test: fix cue used in verify-attstation
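Review bot: The negative policy passed by TestAttestVerifyURI, `predicate: passed: false"`, carries a stray trailing double quote, so it is malformed CUE rather than a well-formed policy that mismatches the attestation; the failing case would then fail for the wrong reason and would not prove that a `passed: false` constraint is rejected. Drop the quote: `` `predicate: passed: false`, ``. The URI detection added to attestVerify, `url.ParseRequestURI(predicateType)`, also re-implements the decision the code under test makes in options.ParsePredicateType; if the two ever diverge the test silently takes the wrong naming branch, so a comment such as `// Mirrors the URI detection in options.ParsePredicateType; keep the two in sync.` above the `if` would help the next maintainer. attestVerify's body continues past the end of the hunk.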
Signed-off-by: Akira Saso
---
 test/e2e_test.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/test/e2e_test.go b/test/e2e_test.go
index 379886ef798..a56948cb341 100644
--- a/test/e2e_test.go
+++ b/test/e2e_test.go
@@ -212,8 +212,8 @@ func TestAttestVerify(t *testing.T) {
 attestVerify(t,
 "slsaprovenance",
 `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }`,
- `builder: id: "1"`,
- `builder: id: "2"`,
+ `predicate: builder: id: "2"`,
+ `predicate: builder: id: "1"`,
 )
 }
 
@@ -225,8 +225,8 @@ func TestAttestVerifySPDXJSON(t *testing.T) {
 attestVerify(t,
 "spdxjson",
 string(attestationBytes),
- `Data: spdxVersion: "SPDX-9.9"`,
- `Data: spdxVersion: "SPDX-2.2"`,
+ `predicate: Data: spdxVersion: "SPDX-2.2"`,
+ `predicate: Data: spdxVersion: "SPDX-9.9"`,
 )
 }
 
@@ -238,8 +238,8 @@ func TestAttestVerifyCycloneDXJSON(t *testing.T) {
 attestVerify(t,
 "cyclonedx",
 string(attestationBytes),
- `Data: specVersion: "7.7"`,
- `Data: specVersion: "1.4"`,
+ `predicate: Data: specVersion: "1.4"`,
+ `predicate: Data: specVersion: "7.7"`,
 )
 }
 
@@ -304,6 +304,7 @@ func attestVerify(t *testing.T, predicateType, attestation, goodCue, badCue stri
 if err := os.WriteFile(policyPath, []byte(badCue), 0600); err != nil {
 t.Fatal(err)
 }
+ mustErr(verifyAttestation.Exec(ctx, []string{imgName}), t)
 
 // Success case
 if err := os.WriteFile(policyPath, []byte(goodCue), 0600); err != nil {
@@ -1039,7 +1040,7 @@ func TestSaveLoadAttestation(t *testing.T) {
 verifyAttestation.PredicateType = "slsaprovenance"
 verifyAttestation.Policies = []string{policyPath}
 // Success case (remote)
- cuePolicy := `builder: id: "2"`
+ cuePolicy := `predicate: builder: id: "2"`
 if err := os.WriteFile(policyPath, []byte(cuePolicy), 0600); err != nil {
 t.Fatal(err)
 }
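Review bot: The added `mustErr(verifyAttestation.Exec(ctx, []string{imgName}), t)` in the @@ -304 hunk is the first point at which the badCue policy written just above it is actually exercised, but mustErr appears to accept any error, so a policy that fails to parse satisfies the check exactly as one whose constraint mismatches does, and a malformed badCue in a caller would go unnoticed. A comment on the new line would make the intent explicit, e.g. `// A mismatching policy must fail verification; mustErr also accepts parse errors, so callers must pass well-formed badCue.` The enclosing attestVerify body starts and ends outside the hunk; the remaining hunks of this patch only swap and re-prefix the good/bad CUE strings and raise nothing further.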