Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix handling of verify-attestation types for URIs #2159

Merged
merged 3 commits into from Aug 16, 2022
Merged

fix handling of verify-attestation types for URIs #2159

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
34a009e
fix handling of verify-attestation types for URIs
otms61 Aug 13, 2022
339b889
test: add a test to verify URI-type attestation
otms61 Aug 16, 2022
fee1370
test: fix cue used in verify-attstation
otms61 Aug 16, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
11 changes: 8 additions & 3 deletions pkg/policy/attestation.go
View file
Open in desktop
Expand Up @@ -39,8 +39,9 @@ import (
// match the attestation.
func AttestationToPayloadJSON(ctx context.Context, predicateType string, verifiedAttestation oci.Signature) ([]byte, error) {
// Check the predicate up front, no point in wasting time if it's invalid.
predicateURI, ok := options.PredicateTypeMap[predicateType]
if !ok {
predicateURI, err := options.ParsePredicateType(predicateType)

if err != nil {
return nil, fmt.Errorf("invalid predicate type: %s", predicateType)
}

Expand Down Expand Up @@ -132,7 +133,11 @@ func AttestationToPayloadJSON(ctx context.Context, predicateType string, verifie
return nil, fmt.Errorf("marshaling CosignVulnStatement: %w", err)
}
default:
return nil, fmt.Errorf("unsupported predicate type: %s", predicateType)
// Valid URI type reaches here.
payload, err = json.Marshal(statement)
if err != nil {
return nil, fmt.Errorf("generating Statement: %w", err)
}
}
return payload, nil
}
39 changes: 30 additions & 9 deletions test/e2e_test.go
View file
Open in desktop
Expand Up @@ -212,8 +212,8 @@ func TestAttestVerify(t *testing.T) {
attestVerify(t,
"slsaprovenance",
`{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }`,
`builder: id: "1"`,
`builder: id: "2"`,
`predicate: builder: id: "2"`,
`predicate: builder: id: "1"`,
)
}

Expand All @@ -225,8 +225,8 @@ func TestAttestVerifySPDXJSON(t *testing.T) {
attestVerify(t,
"spdxjson",
string(attestationBytes),
`Data: spdxVersion: "SPDX-9.9"`,
`Data: spdxVersion: "SPDX-2.2"`,
`predicate: Data: spdxVersion: "SPDX-2.2"`,
`predicate: Data: spdxVersion: "SPDX-9.9"`,
)
}

Expand All @@ -238,8 +238,21 @@ func TestAttestVerifyCycloneDXJSON(t *testing.T) {
attestVerify(t,
"cyclonedx",
string(attestationBytes),
`Data: specVersion: "7.7"`,
`Data: specVersion: "1.4"`,
`predicate: Data: specVersion: "1.4"`,
`predicate: Data: specVersion: "7.7"`,
)
}

func TestAttestVerifyURI(t *testing.T) {
attestationBytes, err := os.ReadFile("./testdata/test-result.json")
if err != nil {
t.Fatal(err)
}
attestVerify(t,
"https://example.com/TestResult/v1",
string(attestationBytes),
`predicate: passed: true`,
`predicate: passed: false"`,
)
}

Expand All @@ -248,7 +261,15 @@ func attestVerify(t *testing.T, predicateType, attestation, goodCue, badCue stri
defer stop()
td := t.TempDir()

imgName := path.Join(repo, fmt.Sprintf("cosign-attest-%s-e2e-image", predicateType))
var imgName, attestationPath string
if _, err := url.ParseRequestURI(predicateType); err == nil {
// If the predicate type is URI, it cannot be included as image name and path.
imgName = path.Join(repo, "cosign-attest-uri-e2e-image")
attestationPath = filepath.Join(td, "cosign-attest-uri-e2e-attestation")
} else {
imgName = path.Join(repo, fmt.Sprintf("cosign-attest-%s-e2e-image", predicateType))
attestationPath = filepath.Join(td, fmt.Sprintf("cosign-attest-%s-e2e-attestation", predicateType))
}

_, _, cleanup := mkimage(t, imgName)
defer cleanup()
Expand All @@ -265,7 +286,6 @@ func attestVerify(t *testing.T, predicateType, attestation, goodCue, badCue stri
// Fail case when using without type and policy flag
mustErr(verifyAttestation.Exec(ctx, []string{imgName}), t)

attestationPath := filepath.Join(td, fmt.Sprintf("cosign-attest-%s-e2e-attestation", predicateType))
if err := os.WriteFile(attestationPath, []byte(attestation), 0600); err != nil {
t.Fatal(err)
}
Expand All @@ -284,6 +304,7 @@ func attestVerify(t *testing.T, predicateType, attestation, goodCue, badCue stri
if err := os.WriteFile(policyPath, []byte(badCue), 0600); err != nil {
t.Fatal(err)
}
mustErr(verifyAttestation.Exec(ctx, []string{imgName}), t)

// Success case
if err := os.WriteFile(policyPath, []byte(goodCue), 0600); err != nil {
Expand Down Expand Up @@ -1019,7 +1040,7 @@ func TestSaveLoadAttestation(t *testing.T) {
verifyAttestation.PredicateType = "slsaprovenance"
verifyAttestation.Policies = []string{policyPath}
// Success case (remote)
cuePolicy := `builder: id: "2"`
cuePolicy := `predicate: builder: id: "2"`
if err := os.WriteFile(policyPath, []byte(cuePolicy), 0600); err != nil {
t.Fatal(err)
}
Expand Down
1 change: 1 addition & 0 deletions test/testdata/test-result.json
View file
Open in desktop
@@ -0,0 +1 @@
{"passed": true}