TEP 0122: complete build instuctions: adding taskspec to buildConfig

This PR introduces a new format `slsa/v2` which contains the complete build instructions as designed in TEP0122.
tektoncd · Jan 23, 2023 · 7daf397 · 7daf397
1 parent 3ab8dfa
commit 7daf397
Show file tree

Hide file tree

Showing 15 changed files with 957 additions and 22 deletions.
diff --git a/examples/taskruns/task-output-image.yaml b/examples/taskruns/task-output-image.yaml
@@ -62,4 +62,4 @@ spec:
  type: image
  params:
  - name: url
- value: gcr.io/foo/bar
+ value: gcr.io/foo/bar
diff --git a/pkg/chains/formats/all/all.go b/pkg/chains/formats/all/all.go
@@ -17,5 +17,6 @@ package all
 import (
  _ "github.com/tektoncd/chains/pkg/chains/formats/simple"
  _ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v1"
+ _ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v2"
  _ "github.com/tektoncd/chains/pkg/chains/formats/tekton"
 )
diff --git a/pkg/chains/formats/format.go b/pkg/chains/formats/format.go
@@ -31,6 +31,7 @@ const (
  PayloadTypeTekton config.PayloadType = "tekton"
  PayloadTypeSimpleSigning config.PayloadType = "simplesigning"
  PayloadTypeInTotoIte6 config.PayloadType = "in-toto"
+ PayloadTypeSlsav2 config.PayloadType = "slsa/v2"
 )
 
 var (

diff --git a/pkg/chains/formats/slsa/v1/taskrun/material.go b/pkg/chains/formats/slsa/v1/taskrun/material.go
@@ -78,8 +78,8 @@ func AddImageIDToMaterials(imageID string, mats *[]slsa.ProvenanceMaterial) erro
  return nil
 }
 
-// materials constructs `predicate.materials` section by collecting all the artifacts that influence a taskrun such as source code repo and step&sidecar base images.
-func materials(tro *objects.TaskRunObject, logger *zap.SugaredLogger) ([]slsa.ProvenanceMaterial, error) {
+// Materials constructs `predicate.materials` section by collecting all the artifacts that influence a taskrun such as source code repo and step&sidecar base images.
+func Materials(tro *objects.TaskRunObject, logger *zap.SugaredLogger) ([]slsa.ProvenanceMaterial, error) {
  var mats []slsa.ProvenanceMaterial
 
  // add step images

diff --git a/pkg/chains/formats/slsa/v1/taskrun/material_test.go b/pkg/chains/formats/slsa/v1/taskrun/material_test.go
@@ -64,7 +64,7 @@ status:
  },
  }
 
- got, err := materials(objects.NewTaskRunObject(taskRun), logtesting.TestLogger(t))
+ got, err := Materials(objects.NewTaskRunObject(taskRun), logtesting.TestLogger(t))
  if err != nil {
  t.Fatalf("Did not expect an error but got %v", err)
  }
@@ -236,7 +236,7 @@ func TestMaterials(t *testing.T) {
  },
  }}
  for _, tc := range tests {
- mat, err := materials(objects.NewTaskRunObject(tc.taskRun), logtesting.TestLogger(t))
+ mat, err := Materials(objects.NewTaskRunObject(tc.taskRun), logtesting.TestLogger(t))
  if err != nil {
  t.Fatalf("Did not expect an error but got %v", err)
  }
@@ -310,7 +310,7 @@ func TestAddStepImagesToMaterials(t *testing.T) {
  }
  if tc.wantError == nil {
  if diff := cmp.Diff(tc.want, mat, test.OptSortMaterial); diff != "" {
- t.Errorf("materials(): -want +got: %s", diff)
+ t.Errorf("Materials(): -want +got: %s", diff)
  }
  }
  }
@@ -380,7 +380,7 @@ func TestAddSidecarImagesToMaterials(t *testing.T) {
  }
  if tc.wantError == nil {
  if diff := cmp.Diff(tc.want, mat, test.OptSortMaterial); diff != "" {
- t.Errorf("materials(): -want +got: %s", diff)
+ t.Errorf("Materials(): -want +got: %s", diff)
  }
  }
  }
@@ -418,7 +418,7 @@ func TestAddImageIDToMaterials(t *testing.T) {
  }
  if tc.wantError == nil {
  if diff := cmp.Diff(tc.want, mat, test.OptSortMaterial); diff != "" {
- t.Errorf("materials(): -want +got: %s", diff)
+ t.Errorf("Materials(): -want +got: %s", diff)
  }
  }
  }

diff --git a/pkg/chains/formats/slsa/v1/taskrun/taskrun.go b/pkg/chains/formats/slsa/v1/taskrun/taskrun.go
@@ -26,7 +26,7 @@ import (
 func GenerateAttestation(builderID string, tro *objects.TaskRunObject, logger *zap.SugaredLogger) (interface{}, error) {
  subjects := extract.SubjectDigests(tro, logger)
 
- mat, err := materials(tro, logger)
+ mat, err := Materials(tro, logger)
  if err != nil {
  return nil, err
  }

diff --git a/pkg/chains/formats/slsa/v2/intotoite6v2.go b/pkg/chains/formats/slsa/v2/intotoite6v2.go
@@ -0,0 +1,64 @@
+/*
+Copyright 2021 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/tektoncd/chains/pkg/chains/formats"
+ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v2/taskrun"
+ "github.com/tektoncd/chains/pkg/chains/objects"
+ "github.com/tektoncd/chains/pkg/config"
+ "knative.dev/pkg/logging"
+)
+
+const (
+ PayloadTypeSlsav2 = formats.PayloadTypeSlsav2
+)
+
+func init() {
+ formats.RegisterPayloader(PayloadTypeSlsav2, NewFormatter)
+}
+
+type InTotoIte6V2 struct {
+ builderID string
+}
+
+func NewFormatter(cfg config.Config) (formats.Payloader, error) {
+ return &InTotoIte6V2{
+ builderID: cfg.Builder.ID,
+ }, nil
+}
+
+func (i *InTotoIte6V2) Wrap() bool {
+ return true
+}
+
+func (i *InTotoIte6V2) CreatePayload(ctx context.Context, obj interface{}) (interface{}, error) {
+ logger := logging.FromContext(ctx)
+ switch v := obj.(type) {
+ case *objects.TaskRunObject:
+ return taskrun.GenerateAttestation(i.builderID, v, logger)
+ default:
+ return nil, fmt.Errorf("intoto does not support type: %s", v)
+ }
+}
+
+func (i *InTotoIte6V2) Type() config.PayloadType {
+ return formats.PayloadTypeSlsav2
+}