TEP 0122: complete build instuctions: adding taskspec to buildConfig

This PR introduces a new format `slsa/v2` which contains the complete
build instructions as designed in TEP0122.

docs/config.md

@@ -51,7 +51,7 @@ Supported keys include:
 
 | Key | Description | Supported Values | Default |
 | :--- | :--- | :--- | :--- |
-| `artifacts.taskrun.format` | The format to store `TaskRun` payloads in. | `in-toto`, `slsa/v1`| `in-toto` |
+| `artifacts.taskrun.format` | The format to store `TaskRun` payloads in. | `in-toto`, `slsa/v1`, `slsa/v2`| `in-toto` |
 | `artifacts.taskrun.storage` | The storage backend to store `TaskRun` signatures in. Multiple backends can be specified with comma-separated list ("tekton,oci"). To disable the `TaskRun` artifact input an empty string (""). | `tekton`, `oci`, `gcs`, `docdb`, `grafeas` | `tekton` |
 | `artifacts.taskrun.signer` | The signature backend to sign `TaskRun` payloads with. | `x509`, `kms` | `x509` |
 
@@ -61,7 +61,7 @@ Supported keys include:
 
 | Key | Description | Supported Values | Default |
 | :--- | :--- | :--- | :--- |
-| `artifacts.pipelinerun.format` | The format to store `PipelineRun` payloads in. | `in-toto`, `slsa/v1`| `in-toto` |
+| `artifacts.pipelinerun.format` | The format to store `PipelineRun` payloads in. | `in-toto`, `slsa/v1`, `slsa/v2`| `in-toto` |
 | `artifacts.pipelinerun.storage` | The storage backend to store `PipelineRun` signatures in. Multiple backends can be specified with comma-separated list ("tekton,oci"). To disable the `PipelineRun` artifact input an empty string (""). | `tekton`, `oci`, `gcs`, `docdb`, `grafeas` | `tekton` |
 | `artifacts.pipelinerun.signer` | The signature backend to sign `PipelineRun` payloads with. | `x509`, `kms` | `x509` |
 

examples/taskruns/task-output-image.yaml

@@ -62,4 +62,4 @@ spec:
  type: image
  params:
  - name: url
- value: gcr.io/foo/bar
+ value: gcr.io/foo/bar

pkg/chains/formats/all/all.go

@@ -17,4 +17,5 @@ package all
 import (
  _ "github.com/tektoncd/chains/pkg/chains/formats/simple"
  _ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v1"
+ _ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v2"
 )

pkg/chains/formats/format.go

@@ -32,6 +32,7 @@ const (
  PayloadTypeSimpleSigning config.PayloadType = "simplesigning"
  PayloadTypeInTotoIte6 config.PayloadType = "in-toto"
  PayloadTypeSlsav1 config.PayloadType = "slsa/v1"
+ PayloadTypeSlsav2 config.PayloadType = "slsa/v2"
 )
 
 var (

pkg/chains/formats/slsa/v1/taskrun/material.go

@@ -78,8 +78,8 @@ func AddImageIDToMaterials(imageID string, mats *[]slsa.ProvenanceMaterial) erro
  return nil
 }
 
-// materials constructs `predicate.materials` section by collecting all the artifacts that influence a taskrun such as source code repo and step&sidecar base images.
-func materials(tro *objects.TaskRunObject, logger *zap.SugaredLogger) ([]slsa.ProvenanceMaterial, error) {
+// Materials constructs `predicate.materials` section by collecting all the artifacts that influence a taskrun such as source code repo and step&sidecar base images.
+func Materials(tro *objects.TaskRunObject, logger *zap.SugaredLogger) ([]slsa.ProvenanceMaterial, error) {
  var mats []slsa.ProvenanceMaterial
 
  // add step images

pkg/chains/formats/slsa/v1/taskrun/material_test.go

@@ -64,7 +64,7 @@ status:
  },
  }
 
- got, err := materials(objects.NewTaskRunObject(taskRun), logtesting.TestLogger(t))
+ got, err := Materials(objects.NewTaskRunObject(taskRun), logtesting.TestLogger(t))
  if err != nil {
  t.Fatalf("Did not expect an error but got %v", err)
  }
@@ -236,7 +236,7 @@ func TestMaterials(t *testing.T) {
  },
  }}
  for _, tc := range tests {
- mat, err := materials(objects.NewTaskRunObject(tc.taskRun), logtesting.TestLogger(t))
+ mat, err := Materials(objects.NewTaskRunObject(tc.taskRun), logtesting.TestLogger(t))
  if err != nil {
  t.Fatalf("Did not expect an error but got %v", err)
  }
@@ -310,7 +310,7 @@ func TestAddStepImagesToMaterials(t *testing.T) {
  }
  if tc.wantError == nil {
  if diff := cmp.Diff(tc.want, mat, test.OptSortMaterial); diff != "" {
- t.Errorf("materials(): -want +got: %s", diff)
+ t.Errorf("Materials(): -want +got: %s", diff)
  }
  }
  }
@@ -380,7 +380,7 @@ func TestAddSidecarImagesToMaterials(t *testing.T) {
  }
  if tc.wantError == nil {
  if diff := cmp.Diff(tc.want, mat, test.OptSortMaterial); diff != "" {
- t.Errorf("materials(): -want +got: %s", diff)
+ t.Errorf("Materials(): -want +got: %s", diff)
  }
  }
  }
@@ -418,7 +418,7 @@ func TestAddImageIDToMaterials(t *testing.T) {
  }
  if tc.wantError == nil {
  if diff := cmp.Diff(tc.want, mat, test.OptSortMaterial); diff != "" {
- t.Errorf("materials(): -want +got: %s", diff)
+ t.Errorf("Materials(): -want +got: %s", diff)
  }
  }
  }

pkg/chains/formats/slsa/v1/taskrun/provenance_test.go

@@ -66,7 +66,7 @@ func TestMetadata(t *testing.T) {
  BuildStartedOn: &start,
  BuildFinishedOn: &end,
  }
- got := metadata(objects.NewTaskRunObject(tr))
+ got := Metadata(objects.NewTaskRunObject(tr))
  if !reflect.DeepEqual(expected, got) {
  t.Fatalf("expected %v got %v", expected, got)
  }
@@ -95,7 +95,7 @@ func TestMetadataInTimeZone(t *testing.T) {
  BuildStartedOn: &start,
  BuildFinishedOn: &end,
  }
- got := metadata(objects.NewTaskRunObject(tr))
+ got := Metadata(objects.NewTaskRunObject(tr))
  if !reflect.DeepEqual(expected, got) {
  t.Fatalf("expected %v got %v", expected, got)
  }

pkg/chains/formats/slsa/v1/taskrun/taskrun.go

@@ -26,7 +26,7 @@ import (
 func GenerateAttestation(builderID string, tro *objects.TaskRunObject, logger *zap.SugaredLogger) (interface{}, error) {
  subjects := extract.SubjectDigests(tro, logger)
 
- mat, err := materials(tro, logger)
+ mat, err := Materials(tro, logger)
  if err != nil {
  return nil, err
  }
@@ -43,7 +43,7 @@ func GenerateAttestation(builderID string, tro *objects.TaskRunObject, logger *z
  BuildType: tro.GetGVK(),
  Invocation: invocation(tro),
  BuildConfig: buildConfig(tro),
- Metadata: metadata(tro),
+ Metadata: Metadata(tro),
  Materials: mat,
  },
  }
@@ -65,7 +65,9 @@ func invocation(tro *objects.TaskRunObject) slsa.ProvenanceInvocation {
  return attest.Invocation(source, tro.Spec.Params, paramSpecs)
 }
 
-func metadata(tro *objects.TaskRunObject) *slsa.ProvenanceMetadata {
+// Metadata adds taskrun's start time, completion time and reproducibility labels
+// to the metadata section of the generated provenance.
+func Metadata(tro *objects.TaskRunObject) *slsa.ProvenanceMetadata {
  m := &slsa.ProvenanceMetadata{}
  if tro.Status.StartTime != nil {
  utc := tro.Status.StartTime.Time.UTC()

pkg/chains/formats/slsa/v2/intotoite6v2.go

@@ -0,0 +1,62 @@
+/*
+Copyright 2021 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+ "context"
+ "fmt"
+
+ "github.com/tektoncd/chains/pkg/chains/formats"
+ "github.com/tektoncd/chains/pkg/chains/formats/slsa/v2/taskrun"
+ "github.com/tektoncd/chains/pkg/chains/objects"
+ "github.com/tektoncd/chains/pkg/config"
+)
+
+const (
+ PayloadTypeSlsav2 = formats.PayloadTypeSlsav2
+)
+
+func init() {
+ formats.RegisterPayloader(PayloadTypeSlsav2, NewFormatter)
+}
+
+type InTotoIte6V2 struct {
+ builderID string
+}
+
+func NewFormatter(cfg config.Config) (formats.Payloader, error) {
+ return &InTotoIte6V2{
+ builderID: cfg.Builder.ID,
+ }, nil
+}
+
+func (i *InTotoIte6V2) Wrap() bool {
+ return true
+}
+
+func (i *InTotoIte6V2) CreatePayload(ctx context.Context, obj interface{}) (interface{}, error) {
+ switch v := obj.(type) {
+ case *objects.TaskRunObject:
+ return taskrun.GenerateAttestation(i.builderID, v, ctx)
+ default:
+ return nil, fmt.Errorf("intoto does not support type: %s", v)
+ }
+}
+
+func (i *InTotoIte6V2) Type() config.PayloadType {
+ return formats.PayloadTypeSlsav2
+}