Link & SLSA attestor

attestation/aws-iid/aws-iid_test.go

@@ -112,11 +112,10 @@ func TestAttestor_Attest(t *testing.T) {
 		conf:    conf,
 	}
 
-	ctx, err := attestation.NewContext([]attestation.Attestor{a})
+	ctx, err := attestation.NewContext("test", []attestation.Attestor{a})
 	require.NoError(t, err)
 	err = a.Attest(ctx)
 	require.NoError(t, err)
-
 }
 
 func TestAttestor_getIID(t *testing.T) {
@@ -154,7 +153,7 @@ func TestAttestor_Subjects(t *testing.T) {
 		conf:    conf,
 	}
 
-	ctx, err := attestation.NewContext([]attestation.Attestor{a})
+	ctx, err := attestation.NewContext("test", []attestation.Attestor{a})
 	require.NoError(t, err)
 	err = a.Attest(ctx)
 	require.NoError(t, err)

attestation/commandrun/commandrun.go

@@ -35,8 +35,18 @@ const (
 // doesn't implement the expected interfaces.
 var (
 	_ attestation.Attestor = &CommandRun{}
+	_ CommandRunAttestor   = &CommandRun{}
 )
 
+type CommandRunAttestor interface {
+	// Attestor
+	Name() string
+	Type() string
+	RunType() attestation.RunType
+	Attest(ctx *attestation.AttestationContext) error
+	Data() *CommandRun
+}
+
 func init() {
 	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
 		return New()
@@ -129,6 +139,10 @@ func (rc *CommandRun) Attest(ctx *attestation.AttestationContext) error {
 	return nil
 }
 
+func (rc *CommandRun) Data() *CommandRun {
+	return rc
+}
+
 func (rc *CommandRun) Name() string {
 	return Name
 }

attestation/context.go

@@ -92,14 +92,15 @@ type AttestationContext struct {
 	completedAttestors []CompletedAttestor
 	products           map[string]Product
 	materials          map[string]cryptoutil.DigestSet
+	stepName           string
 }
 
 type Product struct {
 	MimeType string               `json:"mime_type"`
 	Digest   cryptoutil.DigestSet `json:"digest"`
 }
 
-func NewContext(attestors []Attestor, opts ...AttestationContextOption) (*AttestationContext, error) {
+func NewContext(stepName string, attestors []Attestor, opts ...AttestationContextOption) (*AttestationContext, error) {
 	wd, err := os.Getwd()
 	if err != nil {
 		return nil, err
@@ -112,6 +113,7 @@ func NewContext(attestors []Attestor, opts ...AttestationContextOption) (*Attest
 		hashes:     []cryptoutil.DigestValue{{Hash: crypto.SHA256}, {Hash: crypto.SHA256, GitOID: true}, {Hash: crypto.SHA1, GitOID: true}},
 		materials:  make(map[string]cryptoutil.DigestSet),
 		products:   make(map[string]Product),
+		stepName:   stepName,
 	}
 
 	for _, opt := range opts {
@@ -209,6 +211,10 @@ func (ctx *AttestationContext) Products() map[string]Product {
 	return out
 }
 
+func (ctx *AttestationContext) StepName() string {
+	return ctx.stepName
+}
+
 func (ctx *AttestationContext) addMaterials(materialer Materialer) {
 	newMats := materialer.Materials()
 	for k, v := range newMats {

attestation/environment/environment.go

@@ -33,8 +33,18 @@ const (
 // doesn't implement the expected interfaces.
 var (
 	_ attestation.Attestor = &Attestor{}
+	_ EnvironmentAttestor  = &Attestor{}
 )
 
+type EnvironmentAttestor interface {
+	// Attestor
+	Name() string
+	Type() string
+	RunType() attestation.RunType
+	Attest(ctx *attestation.AttestationContext) error
+	Data() *Attestor
+}
+
 func init() {
 	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
 		return New()
@@ -101,6 +111,10 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	return nil
 }
 
+func (a *Attestor) Data() *Attestor {
+	return a
+}
+
 // splitVariable splits a string representing an environment variable in the format of
 // "KEY=VAL" and returns the key and val separately.
 func splitVariable(v string) (key, val string) {

attestation/environment/environment_test.go

@@ -24,7 +24,7 @@ import (
 
 func TestEnvironment(t *testing.T) {
 	attestor := New()
-	ctx, err := attestation.NewContext([]attestation.Attestor{attestor})
+	ctx, err := attestation.NewContext("test", []attestation.Attestor{attestor})
 	require.NoError(t, err)
 
 	t.Setenv("AWS_ACCESS_KEY_ID", "super secret")

attestation/factory.go

@@ -56,6 +56,11 @@ type Producer interface {
 	Products() map[string]Product
 }
 
+// Exporter allows attestors to export their attestations for separation from the collection.
+type Exporter interface {
+	Export() bool
+}
+
 // BackReffer allows attestors to indicate which of their subjects are good candidates
 // to find related attestations.  For example the git attestor's commit hash subject
 // is a good candidate to find all attestation collections that also refer to a specific

attestation/git/git.go

@@ -39,8 +39,24 @@ var (
 	_ attestation.Attestor   = &Attestor{}
 	_ attestation.Subjecter  = &Attestor{}
 	_ attestation.BackReffer = &Attestor{}
+	_ GitAttestor            = &Attestor{}
 )
 
+type GitAttestor interface {
+	// Attestor
+	Name() string
+	Type() string
+	RunType() attestation.RunType
+	Attest(ctx *attestation.AttestationContext) error
+	Data() *Attestor
+
+	// Subjecter
+	Subjects() map[string]cryptoutil.DigestSet
+
+	// Backreffer
+	BackRefs() map[string]cryptoutil.DigestSet
+}
+
 func init() {
 	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
 		return New()
@@ -75,6 +91,7 @@ type Attestor struct {
 	ParentHashes   []string             `json:"parenthashes,omitempty"`
 	TreeHash       string               `json:"treehash,omitempty"`
 	Refs           []string             `json:"refs,omitempty"`
+	Remotes        []string             `json:"remotes,omitempty"`
 	Tags           []Tag                `json:"tags,omitempty"`
 }
 
@@ -125,6 +142,15 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 		}: commit.Hash.String(),
 	}
 
+	remotes, err := repo.Remotes()
+	if err != nil {
+		return err
+	}
+
+	for _, remote := range remotes {
+		a.Remotes = append(a.Remotes, remote.Config().URLs...)
+	}
+
 	//get all the refs for the repo
 	refs, err := repo.References()
 	if err != nil {
@@ -218,6 +244,10 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	return nil
 }
 
+func (a *Attestor) Data() *Attestor {
+	return a
+}
+
 func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 	subjects := make(map[string]cryptoutil.DigestSet)
 	hashes := []cryptoutil.DigestValue{{Hash: crypto.SHA256}}

attestation/git/git_test.go

@@ -49,7 +49,7 @@ func TestRunWorksWithCommits(t *testing.T) {
 	_, dir, cleanup := createTestRepo(t, true)
 	defer cleanup()
 
-	ctx, err := attestation.NewContext([]attestation.Attestor{attestor}, attestation.WithWorkingDir(dir))
+	ctx, err := attestation.NewContext("test", []attestation.Attestor{attestor}, attestation.WithWorkingDir(dir))
 	require.NoError(t, err, "Expected no error from NewContext")
 
 	err = ctx.RunAttestors()
@@ -146,7 +146,7 @@ func TestRunWorksWithoutCommits(t *testing.T) {
 	_, dir, cleanup := createTestRepo(t, false)
 	defer cleanup()
 
-	ctx, err := attestation.NewContext([]attestation.Attestor{attestor}, attestation.WithWorkingDir(dir))
+	ctx, err := attestation.NewContext("test", []attestation.Attestor{attestor}, attestation.WithWorkingDir(dir))
 	require.NoError(t, err, "Expected no error from NewContext")
 
 	err = ctx.RunAttestors()

attestation/github/github.go

@@ -48,20 +48,36 @@ var (
 	_ attestation.Attestor   = &Attestor{}
 	_ attestation.Subjecter  = &Attestor{}
 	_ attestation.BackReffer = &Attestor{}
+	_ GitHubAttestor         = &Attestor{}
 )
 
+type GitHubAttestor interface {
+	// Attestor
+	Name() string
+	Type() string
+	RunType() attestation.RunType
+	Attest(ctx *attestation.AttestationContext) error
+	Data() *Attestor
+
+	// Subjecter
+	Subjects() map[string]cryptoutil.DigestSet
+
+	// Backreffer
+	BackRefs() map[string]cryptoutil.DigestSet
+}
+
 // init registers the github attestor.
 func init() {
 	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
 		return New()
 	})
 }
 
-// ErrNotGitlab is an error type that indicates the environment is not a github ci job.
-type ErrNotGitlab struct{}
+// ErrNotGitHub is an error type that indicates the environment is not a github ci job.
+type ErrNotGitHub struct{}
 
-// Error returns the error message for ErrNotGitlab.
-func (e ErrNotGitlab) Error() string {
+// Error returns the error message for ErrNotGitHub.
+func (e ErrNotGitHub) Error() string {
 	return "not in a github ci job"
 }
 
@@ -111,7 +127,7 @@ func (a *Attestor) RunType() attestation.RunType {
 // Attest performs the attestation for the github environment.
 func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	if os.Getenv("GITHUB_ACTIONS") != "true" {
-		return ErrNotGitlab{}
+		return ErrNotGitHub{}
 	}
 
 	jwtString, err := fetchToken(a.tokenURL, os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN"), "witness")
@@ -142,6 +158,10 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	return nil
 }
 
+func (a *Attestor) Data() *Attestor {
+	return a
+}
+
 // Subjects returns a map of subjects and their corresponding digest sets.
 func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 	subjects := make(map[string]cryptoutil.DigestSet)

attestation/gitlab/gitlab.go

@@ -38,8 +38,24 @@ var (
 	_ attestation.Attestor   = &Attestor{}
 	_ attestation.Subjecter  = &Attestor{}
 	_ attestation.BackReffer = &Attestor{}
+	_ GitLabAttestor         = &Attestor{}
 )
 
+type GitLabAttestor interface {
+	// Attestor
+	Name() string
+	Type() string
+	RunType() attestation.RunType
+	Attest(ctx *attestation.AttestationContext) error
+	Data() *Attestor
+
+	// Subjecter
+	Subjects() map[string]cryptoutil.DigestSet
+
+	// Backreffer
+	BackRefs() map[string]cryptoutil.DigestSet
+}
+
 func init() {
 	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
 		return New()
@@ -91,13 +107,15 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	}
 
 	a.CIServerUrl = os.Getenv("CI_SERVER_URL")
-	jwksUrl := fmt.Sprintf("%s/-/jwks", a.CIServerUrl)
-	jwtString := os.Getenv("CI_JOB_JWT")
+	jwksUrl := fmt.Sprintf("%s/oauth/discovery/keys", a.CIServerUrl)
+	jwtString := os.Getenv("ID_TOKEN")
 	if jwtString != "" {
 		a.JWT = jwt.New(jwt.WithToken(jwtString), jwt.WithJWKSUrl(jwksUrl))
 		if err := a.JWT.Attest(ctx); err != nil {
 			return err
 		}
+	} else {
+		log.Warn("(attestation/gitlab) no jwt token found in environment")
 	}
 
 	a.CIConfigPath = os.Getenv("CI_CONFIG_PATH")
@@ -116,6 +134,10 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	return nil
 }
 
+func (a *Attestor) Data() *Attestor {
+	return a
+}
+
 func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 	subjects := make(map[string]cryptoutil.DigestSet)
 	hashes := []cryptoutil.DigestValue{{Hash: crypto.SHA256}}