From 86d4e2208397a85fe000b39baae0ec7920d870d0 Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Wed, 8 May 2024 17:09:43 +0100
Subject: [PATCH] ensuring link and slsa attestation exporting is optional
Signed-off-by: chaosinthecrd
---
 attestation/link/link.go | 16 +++++++++++++++-
 attestation/slsa/slsa.go | 4 ++--
 run.go | 7 ++++++-
 3 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/attestation/link/link.go b/attestation/link/link.go
index 1bcc7c4a..8b9852d4 100644
--- a/attestation/link/link.go
+++ b/attestation/link/link.go
@@ -26,6 +26,7 @@ import (
 "github.com/in-toto/go-witness/attestation/material"
 "github.com/in-toto/go-witness/attestation/product"
 "github.com/in-toto/go-witness/cryptoutil"
+ "github.com/in-toto/go-witness/registry"
 "google.golang.org/protobuf/types/known/structpb"
 )
@@ -47,6 +48,19 @@ var (
 func init() {
 attestation.RegisterAttestation(Name, Type, RunType,
 func() attestation.Attestor { return New() },
+ registry.BoolConfigOption(
+ "export",
+ "Export the Link predicate in its own attestation",
+ defaultExport,
+ func(a attestation.Attestor, export bool) (attestation.Attestor, error) {
+ linkAttestor, ok := a.(*Link)
+ if !ok {
+ return a, fmt.Errorf("unexpected attestor type: %T is not a Link provenance attestor", a)
+ }
+ WithExport(export)(linkAttestor)
+ return linkAttestor, nil
+ },
+ ),
 )
 }
@@ -81,7 +95,7 @@ func (l *Link) RunType() attestation.RunType {
 }
 func (l *Link) Export() bool {
- return true
+ return l.export
 }
 func (l *Link) Attest(ctx *attestation.AttestationContext) error {
diff --git a/attestation/slsa/slsa.go b/attestation/slsa/slsa.go
index e3563ddd..bbf2b9e0 100644
--- a/attestation/slsa/slsa.go
+++ b/attestation/slsa/slsa.go
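Review bot: The type-assertion failure message in the new `registry.BoolConfigOption` callback in link.go's init says `%T is not a Link provenance attestor`, but this is the link attestor, not a provenance one, so the wording looks copied from the SLSA registration and will mislead anyone debugging a misconfigured attestor; `return a, fmt.Errorf("unexpected attestor type: %T is not a Link attestor", a)`. The callback also relies on `defaultExport`, `WithExport` and `fmt` in link.go, none of which this patch adds, so they are presumably already defined there — worth confirming, because the later hunk changes `Export()` to return `l.export`, and a `New()` that leaves that field unset would silently stop emitting link attestations as their own envelopes by default. init's body is fully inside the hunk.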
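Review bot: `(*Link).Export` now returns configuration instead of a constant but still carries no doc comment saying what the flag controls, even though it is exported and is the hook run.go consults before creating a separate envelope; add `// Export reports whether the Link predicate is written as its own attestation, as set by the "export" option.` The same applies to `(*Provenance).Export` in attestation/slsa/slsa.go, which receives the identical `return p.export` change.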
@@ -61,7 +61,7 @@ func init() {
 func() attestation.Attestor { return New() },
 registry.BoolConfigOption(
 "export",
- "Export the SLSA provenance attestation to its own file",
+ "Export the SLSA provenance predicate in its own attestation",
 defaultExport,
 func(a attestation.Attestor, export bool) (attestation.Attestor, error) {
 slsaAttestor, ok := a.(*Provenance)
@@ -107,7 +107,7 @@ func (p *Provenance) RunType() attestation.RunType {
 }
 func (p *Provenance) Export() bool {
- return true
+ return p.export
 }
 func (p *Provenance) Attest(ctx *attestation.AttestationContext) error {
diff --git a/run.go b/run.go
index 52f66a7e..fd6d0397 100644
--- a/run.go
+++ b/run.go
@@ -26,6 +26,7 @@ import (
 "github.com/in-toto/go-witness/cryptoutil"
 "github.com/in-toto/go-witness/dsse"
 "github.com/in-toto/go-witness/intoto"
+ "github.com/in-toto/go-witness/log"
 "github.com/in-toto/go-witness/timestamp"
 )
@@ -106,7 +107,11 @@ func run(stepName string, signer cryptoutil.Signer, opts []RunOption) ([]RunResu
 if r.Error != nil {
 errs = append(errs, r.Error)
 } else {
- if _, ok := r.Attestor.(attestation.Exporter); ok {
+ if exporter, ok := r.Attestor.(attestation.Exporter); ok {
+ if !exporter.Export() {
+ log.Debugf("%s attestor not configured to be exported as its own attestation", r.Attestor.Name())
+ continue
+ }
 if subjecter, ok := r.Attestor.(attestation.Subjecter); ok {
 envelope, err := createAndSignEnvelope(r.Attestor, r.Attestor.Type(), subjecter.Subjects(), dsse.SignWithSigners(ro.signer), dsse.SignWithTimestampers(ro.timestampers...))
 if err != nil {
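Review bot: The new `continue` in run.go fires for every Exporter whose `Export()` is false and skips the whole remainder of the loop body for that result, not just the envelope creation; if anything after the exporter block (outside this hunk) records non-exported attestors, a Link or SLSA attestor configured with export=false would be dropped from the output entirely rather than merely not getting its own envelope. Verify that path, and if the rest of the body must still run, fold the check into the existing condition — `if exporter, ok := r.Attestor.(attestation.Exporter); ok && exporter.Export() {` — instead of continuing. Logging the skip only at debug level also means an operator expecting a separate SLSA provenance envelope gets no hint at default verbosity; `log.Infof` would surface the omission without being noisy. `run` starts and ends outside this hunk.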