From b0db1514cfb447dd016190b974ebe6e69ff59dcc Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Wed, 31 Aug 2022 09:25:26 +0900
Subject: [PATCH] Fix log message for tlog upload (#773)

* Temporarily disable Run test.

Signed-off-by: Ian Lewis

* Fix log message for tlog upload

Signed-off-by: Ian Lewis

* Fix unit tests run during pre-submit

Signed-off-by: Ian Lewis
Signed-off-by: Ian Lewis
---
 internal/builders/go/main.go | 2 +-
 internal/builders/go/pkg/provenance.go | 33 ++++++++---
 internal/builders/go/pkg/provenance_test.go | 65 +++++++++++++++++++++
 3 files changed, 91 insertions(+), 9 deletions(-)

diff --git a/internal/builders/go/main.go b/internal/builders/go/main.go
index 91539976d2..472e4dbfbf 100644
--- a/internal/builders/go/main.go
+++ b/internal/builders/go/main.go
@@ -78,7 +78,7 @@ func runProvenanceGeneration(subject, digest, commands, envs, workingDir, rekor
 r := sigstore.NewRekor(rekor)
 s := sigstore.NewDefaultFulcio()
 attBytes, err := pkg.GenerateProvenance(subject, digest,
- commands, envs, workingDir, s, r)
+ commands, envs, workingDir, s, r, nil)
 if err != nil {
 return err
 }
diff --git a/internal/builders/go/pkg/provenance.go b/internal/builders/go/pkg/provenance.go
index db5c9a8653..dacdb24703 100644
--- a/internal/builders/go/pkg/provenance.go
+++ b/internal/builders/go/pkg/provenance.go
@@ -64,7 +64,7 @@ func (b *goProvenanceBuild) BuildConfig(context.Context) (interface{}, error) {
 // GenerateProvenance translates github context into a SLSA provenance
 // attestation.
 // Spec: https://slsa.dev/provenance/v0.2
-func GenerateProvenance(name, digest, command, envs, workingDir string, s signing.Signer, r signing.TransparencyLog) ([]byte, error) {
+func GenerateProvenance(name, digest, command, envs, workingDir string, s signing.Signer, r signing.TransparencyLog, provider slsa.ClientProvider) ([]byte, error) {
 gh, err := github.GetWorkflowContext()
 if err != nil {
 return nil, err
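Review bot: The doc comment above the changed `GenerateProvenance` signature is not updated for the new `provider slsa.ClientProvider` parameter, so a reader of the signature cannot tell what passing nil (as main.go now does) selects. Suggest adding to that comment: `// provider, when non-nil, supplies the clients used for signing and transparency-log upload; when nil no override is applied, except that pre-submit test runs get a NilClientProvider.` The nil handling that this describes is in the later hunk at @@ -116, not here. GenerateProvenance's body continues outside the hunk.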
@@ -84,6 +84,11 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin
 return nil, err
 }
 
+ var cmd []string
+ if len(com) > 0 {
+ cmd = []string{com[0], "mod", "vendor"}
+ }
+
 b := goProvenanceBuild{
 GithubActionsBuild: slsa.NewGithubActionsBuild([]intoto.Subject{
 {
@@ -101,7 +106,7 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin
 // Note: vendoring and compilation are
 // performed in the same VM, so the compiler is
 // the same.
- Command: []string{com[0], "mod", "vendor"},
+ Command: cmd,
 WorkingDir: workingDir,
 // Note: No user-defined env set for this step.
 },
@@ -116,15 +121,25 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin
 }
 
 // Pre-submit tests don't have access to write OIDC token.
- if utils.IsPresubmitTests() {
- b.GithubActionsBuild.WithClients(&slsa.NilClientProvider{})
+ if provider != nil {
+ b.WithClients(provider)
+ } else {
+ // TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove
+ if utils.IsPresubmitTests() {
+ b.GithubActionsBuild.WithClients(&slsa.NilClientProvider{})
+ }
 }
 
 ctx := context.Background()
 g := slsa.NewHostedActionsGenerator(&b)
 // Pre-submit tests don't have access to write OIDC token.
- if utils.IsPresubmitTests() {
- g.WithClients(&slsa.NilClientProvider{})
+ if provider != nil {
+ g.WithClients(provider)
+ } else {
+ // TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove
+ if utils.IsPresubmitTests() {
+ g.WithClients(&slsa.NilClientProvider{})
+ }
 }
 p, err := g.Generate(ctx)
 if err != nil {
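Review bot: When `com` is empty, `cmd` stays nil and the vendoring step is still emitted with `Command: cmd` (hunk @@ -101), so the attestation records a `mod vendor` build step that names no command instead of the call failing. Where `com` is derived is outside the hunk, so this may be intended only for tests that pass an empty command, as the new provenance_test.go does; if an empty command is a caller error in production, an explicit `return nil, fmt.Errorf("no build command given")` at the guard would keep such a step out of the provenance, and otherwise a comment above `var cmd []string` saying why a nil command is acceptable would help the next reader. GenerateProvenance begins and ends outside the hunk.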
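Review bot: The provider selection in the @@ -116 hunk is written twice, once for `b` and once for `g`, with the same `provider != nil` / `utils.IsPresubmitTests()` cascade and the same TODO, and the two copies already differ in calling `b.WithClients` versus `b.GithubActionsBuild.WithClients`. Resolving the provider once before it is applied keeps the two consumers from drifting; the shape below preserves behaviour, since a nil `provider` still falls back to `NilClientProvider` only under pre-submit and is otherwise left unset. GenerateProvenance begins and ends outside the hunk.
```go
	// Pre-submit tests don't have access to write OIDC token.
	// TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove
	if provider == nil && utils.IsPresubmitTests() {
		provider = &slsa.NilClientProvider{}
	}
	if provider != nil {
		b.WithClients(provider)
	}

	ctx := context.Background()
	g := slsa.NewHostedActionsGenerator(&b)
	if provider != nil {
		g.WithClients(provider)
	}
	// … unchanged: g.Generate(ctx) and its error handling …
```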
@@ -163,10 +178,12 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin
 }
 
 // Upload the signed attestation to rekor.
- if logEntry, err := r.Upload(ctx, att); err != nil {
- fmt.Printf("Uploaded signed attestation to rekor with UUID %s.\n", logEntry.UUID())
+ logEntry, err := r.Upload(ctx, att)
+ if err != nil {
 return nil, err
 }
+ fmt.Printf("Uploaded signed attestation to rekor with UUID %s.\n", logEntry.UUID())
+
 
 return att.Bytes(), nil
 }
diff --git a/internal/builders/go/pkg/provenance_test.go b/internal/builders/go/pkg/provenance_test.go
index c1caffeb1f..f9b79ceafc 100644
--- a/internal/builders/go/pkg/provenance_test.go
+++ b/internal/builders/go/pkg/provenance_test.go
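Review bot: The upload failure is returned bare at `return nil, err`, so a caller cannot tell that the transparency-log upload, rather than generation or signing, is the step that failed; `return nil, fmt.Errorf("uploading attestation to rekor: %w", err)` adds that context (fmt is already in use on the Printf below). Note that the new test in provenance_test.go compares the error with `!=`, so it would need `errors.Is` once the error is wrapped. The `logEntry.UUID()` call relies on Upload returning a non-nil entry whenever err is nil — presumably the TransparencyLog contract, but it is not visible in this hunk. GenerateProvenance begins outside the hunk.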
@@ -1 +1,66 @@
+// Copyright 2022 SLSA Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package pkg
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "testing"
+
+ intoto "github.com/in-toto/in-toto-golang/in_toto"
+ "github.com/slsa-framework/slsa-github-generator/signing"
+ "github.com/slsa-framework/slsa-github-generator/slsa"
+)
+
+type testAttestation struct {
+ cert []byte
+ bytes []byte
+}
+
+func (a *testAttestation) Cert() []byte {
+ return a.cert
+}
+
+func (a *testAttestation) Bytes() []byte {
+ return a.bytes
+}
+
+type testSigner struct{}
+
+func (s testSigner) Sign(context.Context, *intoto.Statement) (signing.Attestation, error) {
+ return &testAttestation{}, nil
+}
+
+type tLogWithErr struct{}
+
+var errTransparencyLog = errors.New("transparency log error")
+
+func (tLogWithErr) Upload(context.Context, signing.Attestation) (signing.LogEntry, error) {
+ fmt.Printf("Upload")
+ return nil, errTransparencyLog
+}
+
+func TestGenerateProvenance_withErr(t *testing.T) {
+ // Disable pre-submit detection.
+ // TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove
+ t.Setenv("GITHUB_EVENT_NAME", "non_event")
+ t.Setenv("GITHUB_CONTEXT", "{}")
+ sha256 := "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2"
+ _, err := GenerateProvenance("foo", sha256, "", "", "/home/foo", &testSigner{}, &tLogWithErr{}, &slsa.NilClientProvider{})
+ if want, got := errTransparencyLog, err; want != got {
+ t.Errorf("expected error, want: %v, got: %v", want, got)
+ }
+}
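Review bot: `fmt.Printf("Upload")` in `tLogWithErr.Upload` is a leftover debug print that writes to stdout without a newline on every test run; drop it together with the `fmt` import, since nothing else in the file uses it. The check `if want, got := errTransparencyLog, err; want != got` only holds for the unwrapped sentinel — `if !errors.Is(err, errTransparencyLog)` is the idiomatic form and keeps working if GenerateProvenance later wraps the upload error. The test exercises only the failure path, while the commit subject is the success-path log message; a second stub whose Upload returns a LogEntry with a fixed UUID would pin that GenerateProvenance returns the attestation bytes after a successful upload, though what `signing.LogEntry` requires is not visible in this hunk.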