in-toto · ChaosInTheCRD · May 9, 2024 · Feb 3, 2024 · Jan 29, 2024 · Jan 29, 2024
diff --git a/attestation/link/link.go b/attestation/link/link.go
@@ -0,0 +1,154 @@
+// Copyright 2024 The Witness Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package link
+
+import (
+	"encoding/json"
+	"fmt"
+
+	v0 "github.com/in-toto/attestation/go/predicates/link/v0"
+	v1 "github.com/in-toto/attestation/go/v1"
+	"github.com/in-toto/go-witness/attestation"
+	"github.com/in-toto/go-witness/attestation/commandrun"
+	"github.com/in-toto/go-witness/attestation/environment"
+	"github.com/in-toto/go-witness/attestation/material"
+	"github.com/in-toto/go-witness/attestation/product"
+	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/registry"
+	"google.golang.org/protobuf/types/known/structpb"
+)
+
+const (
+	Name    = "link"
+	Type    = "https://in-toto.io/attestation/link/v0.3"
+	RunType = attestation.PostProductRunType
+
+	defaultExport = false
+)
+
+// This is a hacky way to create a compile time error in case the attestor
+// doesn't implement the expected interfaces.
+var (
+	_ attestation.Attestor  = &Link{}
+	_ attestation.Subjecter = &Link{}
+)
+
+func init() {
+	attestation.RegisterAttestation(Name, Type, RunType,
+		func() attestation.Attestor { return New() },
+		registry.BoolConfigOption(
+			"export",
+			"Export the link attestation to its own file",
+			defaultExport,
+			func(a attestation.Attestor, export bool) (attestation.Attestor, error) {
+				linkAttestor, ok := a.(*Link)
+				if !ok {
+					return a, fmt.Errorf("unexpected attestor type: %T is not a link attestor", a)
+				}
+				WithExport(export)(linkAttestor)
+				return linkAttestor, nil
+			},
+		),
+	)
+}
+
+type Option func(*Link)
+
+func WithExport(export bool) Option {
+	return func(l *Link) {
+		l.export = export
+	}
+}
+
+type Link struct {
+	PbLink   v0.Link
+	products map[string]attestation.Product
+	export   bool
+}
+
+func New() *Link {
+	return &Link{}
+}
+
+func (l *Link) Name() string {
+	return Name
+}
+
+func (l *Link) Type() string {
+	return Type
+}
+
+func (l *Link) RunType() attestation.RunType {
+	return RunType
+}
+
+func (l *Link) Export() bool {
+	return l.export
+}
+
+func (l *Link) Attest(ctx *attestation.AttestationContext) error {
+	l.PbLink.Name = "stepNameHere"
+	for _, attestor := range ctx.CompletedAttestors() {
+		switch name := attestor.Attestor.Name(); name {
+		case commandrun.Name:
+			l.PbLink.Command = attestor.Attestor.(*commandrun.CommandRun).Cmd
+		case material.Name:
+			mats := attestor.Attestor.(*material.Attestor).Materials()
+			for name, digestSet := range mats {
+				digests, _ := digestSet.ToNameMap()
+				l.PbLink.Materials = append(l.PbLink.Materials, &v1.ResourceDescriptor{
+					Name:   name,
+					Digest: digests,
+				})
+			}
+		case environment.Name:
+			envs := attestor.Attestor.(*environment.Attestor).Variables
+			pbEnvs := make(map[string]interface{}, len(envs))
+			for name, value := range envs {
+				pbEnvs[name] = value
+			}
+
+			var err error
+			l.PbLink.Environment, err = structpb.NewStruct(pbEnvs)
+			if err != nil {
+				return err
+			}
+		case product.Name:
+			l.products = attestor.Attestor.(*product.Attestor).Products()
+		}
+	}
+	return nil
+}
+
+func (l *Link) MarshalJSON() ([]byte, error) {
+	return json.Marshal(&l.PbLink)
+}
+
+func (l *Link) UnmarshalJSON(data []byte) error {
+	if err := json.Unmarshal(data, &l.PbLink); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (l *Link) Subjects() map[string]cryptoutil.DigestSet {
+	subjects := make(map[string]cryptoutil.DigestSet)
+	for productName, product := range l.products {
+		subjects[fmt.Sprintf("file:%v", productName)] = product.Digest
+	}
+
+	return subjects
+}
diff --git a/attestation/link/link_test.go b/attestation/link/link_test.go
@@ -0,0 +1,15 @@
+// Copyright 2022 The Witness Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package link
diff --git a/go.mod b/go.mod
@@ -8,6 +8,7 @@ require (
 	github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d
 	github.com/go-git/go-git/v5 v5.11.0
 	github.com/in-toto/archivista v0.2.0
+	github.com/in-toto/attestation v1.0.1
 	github.com/mattn/go-isatty v0.0.20
 	github.com/open-policy-agent/opa v0.49.2
 	github.com/owenrumney/go-sarif v1.1.1
@@ -93,7 +94,7 @@ require (
 	golang.org/x/term v0.15.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/genproto v0.0.0-20231012201019-e917dd12ba7a // indirect
-	google.golang.org/protobuf v1.32.0 // indirect
+	google.golang.org/protobuf v1.32.0
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

diff --git a/go.sum b/go.sum
@@ -128,6 +128,8 @@ github.com/honeycombio/libhoney-go v1.16.0 h1:kPpqoz6vbOzgp7jC6SR7SkNj7rua7rgxvz
 github.com/honeycombio/libhoney-go v1.16.0/go.mod h1:izP4fbREuZ3vqC4HlCAmPrcPT9gxyxejRjGtCYpmBn0=
 github.com/in-toto/archivista v0.2.0 h1:FViuHMVVETborvOqlmSYdROY8RmX3CO0V0MOhU/Rl20=
 github.com/in-toto/archivista v0.2.0/go.mod h1:qt9uN4TkHWUgR5A2wxRqQIBizSl32P2nI2AjESskkr0=
+github.com/in-toto/attestation v1.0.1 h1:DgX1XuBkryTpj1Piq8AiMK3CMfEcec3Qv6+Ku+uI3WY=
+github.com/in-toto/attestation v1.0.1/go.mod h1:hCR5COCuENh5+VfojEkJnt7caOymbEgvyZdKifD6pOw=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=

diff --git a/imports.go b/imports.go
@@ -25,6 +25,7 @@ import (
 	_ "github.com/in-toto/go-witness/attestation/github"
 	_ "github.com/in-toto/go-witness/attestation/gitlab"
 	_ "github.com/in-toto/go-witness/attestation/jwt"
+	_ "github.com/in-toto/go-witness/attestation/link"
 	_ "github.com/in-toto/go-witness/attestation/maven"
 	_ "github.com/in-toto/go-witness/attestation/oci"
 	_ "github.com/in-toto/go-witness/attestation/sarif"

diff --git a/run.go b/run.go
@@ -23,6 +23,7 @@ import (
 	"github.com/in-toto/go-witness/attestation"
 	"github.com/in-toto/go-witness/attestation/environment"
 	"github.com/in-toto/go-witness/attestation/git"
+	"github.com/in-toto/go-witness/attestation/link"
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/go-witness/dsse"
 	"github.com/in-toto/go-witness/intoto"
@@ -60,9 +61,24 @@ func RunWithTimestampers(ts ...timestamp.Timestamper) RunOption {
 type RunResult struct {
 	Collection     attestation.Collection
 	SignedEnvelope dsse.Envelope
+	AttestorName   string
 }
 
+// Should this be deprecated?
+// Deprecated: Use RunWithExports instead
 func Run(stepName string, signer cryptoutil.Signer, opts ...RunOption) (RunResult, error) {
+	results, err := run(stepName, signer, opts)
+	if len(results) > 1 {
+		return RunResult{}, errors.New("expected a single result, got multiple")
+	}
+	return results[0], err
+}
+
+func RunWithExports(stepName string, signer cryptoutil.Signer, opts ...RunOption) ([]RunResult, error) {
+	return run(stepName, signer, opts)
+}
+
+func run(stepName string, signer cryptoutil.Signer, opts []RunOption) ([]RunResult, error) {
 	ro := runOptions{
 		stepName:  stepName,
 		signer:    signer,
@@ -73,7 +89,7 @@ func Run(stepName string, signer cryptoutil.Signer, opts ...RunOption) (RunResul
 		opt(&ro)
 	}
 
-	result := RunResult{}
+	result := []RunResult{}
 	if err := validateRunOpts(ro); err != nil {
 		return result, err
 	}
@@ -91,6 +107,20 @@ func Run(stepName string, signer cryptoutil.Signer, opts ...RunOption) (RunResul
 	for _, r := range runCtx.CompletedAttestors() {
 		if r.Error != nil {
 			errs = append(errs, r.Error)
+		} else if r.Attestor.Name() == link.Name {
+			// TODO: Find a better way to set stepName
+			r.Attestor.(*link.Link).PbLink.Name = ro.stepName
+
+			// TODO: Add Exporter interface to attestors
+			if r.Attestor.(*link.Link).Export() {
+				if subjecter, ok := r.Attestor.(attestation.Subjecter); ok {
+					linkEnvelope, err := createAndSignEnvelope(r.Attestor, r.Attestor.Type(), subjecter.Subjects(), dsse.SignWithSigners(ro.signer), dsse.SignWithTimestampers(ro.timestampers...))
+					if err != nil {
+						return result, fmt.Errorf("failed to sign envelope: %w", err)
+					}
+					result = append(result, RunResult{SignedEnvelope: linkEnvelope, AttestorName: r.Attestor.Name()})
+				}
+			}
 		}
 	}
 
@@ -99,11 +129,13 @@ func Run(stepName string, signer cryptoutil.Signer, opts ...RunOption) (RunResul
 		return result, errors.Join(errs...)
 	}
 
-	result.Collection = attestation.NewCollection(ro.stepName, runCtx.CompletedAttestors())
-	result.SignedEnvelope, err = signCollection(result.Collection, dsse.SignWithSigners(ro.signer), dsse.SignWithTimestampers(ro.timestampers...))
+	var collectionResult RunResult
+	collectionResult.Collection = attestation.NewCollection(ro.stepName, runCtx.CompletedAttestors())
+	collectionResult.SignedEnvelope, err = createAndSignEnvelope(collectionResult.Collection, attestation.CollectionType, collectionResult.Collection.Subjects(), dsse.SignWithSigners(ro.signer), dsse.SignWithTimestampers(ro.timestampers...))
 	if err != nil {
 		return result, fmt.Errorf("failed to sign collection: %w", err)
 	}
+	result = append(result, collectionResult)
 
 	return result, nil
 }
@@ -120,13 +152,13 @@ func validateRunOpts(ro runOptions) error {
 	return nil
 }
 
-func signCollection(collection attestation.Collection, opts ...dsse.SignOption) (dsse.Envelope, error) {
+func createAndSignEnvelope(collection interface{}, predType string, subjects map[string]cryptoutil.DigestSet, opts ...dsse.SignOption) (dsse.Envelope, error) {
 	data, err := json.Marshal(&collection)
 	if err != nil {
 		return dsse.Envelope{}, err
 	}
 
-	stmt, err := intoto.NewStatement(attestation.CollectionType, data, collection.Subjects())
+	stmt, err := intoto.NewStatement(predType, data, subjects)
 	if err != nil {
 		return dsse.Envelope{}, err
 	}