Remove extraneous policy input
Signed-off-by: Mark Bestavros <mbestavr@redhat.com>
mbestavros committed Nov 14, 2023
1 parent 5121ceb commit 0d2e4fb
Showing 5 changed files with 8 additions and 268 deletions.
10 changes: 0 additions & 10 deletions docs/modules/ROOT/pages/policy_input.adoc
Expand Up @@ -61,16 +61,6 @@ attributes. `.statement` represents a SLSA Provenance v0.2 statement. See
https://slsa.dev/provenance/v0.2#schema[schema] for details. `.signatures` contains information
about the signatures associated with the statement.

NOTE: The information from `.attestations[].statement` is accessible directly via `.attestations[]`.
However, this limits the amount of information that can be provided for each attestation. As a
result, `.attestations[].extra` was introduced as a workaround to hold additional information such
as signatures. This created potential collisions with attributes from the statement. For this
reason, the old format is now marked as deprecated and it will be removed soon.

An additional attribute, `.extra`, is
added to provide additional information about the statements. Currently, this means the signatures
associated with the statement.

`.image` is an object representing the image being validated.

`.image.config` holds the OCI config for the image. It may contain various attributes, such as
81 changes: 0 additions & 81 deletions features/__snapshots__/validate_image.snap
Expand Up @@ -2321,33 +2321,6 @@ Error: success criteria not met
{
"attestations": [
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": [
{
"name": "acceptance/policy-input-output",
"digest": {
"sha256": "${REGISTRY_acceptance/policy-input-output:latest_DIGEST}"
}
}
],
"predicate": {
"builder": {
"id": "https://tekton.dev/chains/v2"
},
"buildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
"invocation": {
"configSource": {}
}
},
"extra": {
"signatures": [
{
"keyid": "",
"sig": "${ATTESTATION_SIGNATURE_acceptance/policy-input-output}"
}
]
},
"statement": {
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
Expand Down Expand Up @@ -2512,33 +2485,6 @@ Error: success criteria not met
{
"attestations": [
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": [
{
"name": "acceptance/image",
"digest": {
"sha256": "${REGISTRY_acceptance/image:latest_DIGEST}"
}
}
],
"predicate": {
"builder": {
"id": "https://tekton.dev/chains/v2"
},
"buildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
"invocation": {
"configSource": {}
}
},
"extra": {
"signatures": [
{
"keyid": "",
"sig": "${ATTESTATION_SIGNATURE_acceptance/image}"
}
]
},
"statement": {
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
Expand Down Expand Up @@ -2940,33 +2886,6 @@ Error: success criteria not met
{
"attestations": [
{
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": [
{
"name": "acceptance/image",
"digest": {
"sha256": "${REGISTRY_acceptance/image:latest_DIGEST}"
}
}
],
"predicate": {
"builder": {
"id": "https://tekton.dev/chains/v2"
},
"buildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
"invocation": {
"configSource": {}
}
},
"extra": {
"signatures": [
{
"keyid": "",
"sig": "${ATTESTATION_SIGNATURE_acceptance/image}"
}
]
},
"statement": {
"_type": "https://in-toto.io/Statement/v0.1",
"predicateType": "https://slsa.dev/provenance/v0.2",
Expand Up @@ -15,18 +15,6 @@
{
"attestations": [
{
"_type": "https://in-toto.io/Statement/v0.1",
"extra": {},
"predicate": {
"buildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
"builder": {
"id": ""
},
"invocation": {
"configSource": {}
}
},
"predicateType": "https://slsa.dev/provenance/v0.2",
"statement": {
"_type": "https://in-toto.io/Statement/v0.1",
"predicate": {
Expand All @@ -40,8 +28,7 @@
},
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": null
},
"subject": null
}
}
],
"image": {
Expand All @@ -55,18 +42,6 @@
{
"attestations": [
{
"_type": "https://in-toto.io/Statement/v0.1",
"extra": {},
"predicate": {
"buildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
"builder": {
"id": ""
},
"invocation": {
"configSource": {}
}
},
"predicateType": "https://slsa.dev/provenance/v0.2",
"statement": {
"_type": "https://in-toto.io/Statement/v0.1",
"predicate": {
Expand All @@ -80,22 +55,9 @@
},
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": null
},
"subject": null
}
},
{
"_type": "https://in-toto.io/Statement/v0.1",
"extra": {},
"predicate": {
"buildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
"builder": {
"id": ""
},
"invocation": {
"configSource": {}
}
},
"predicateType": "https://slsa.dev/provenance/v0.2",
"statement": {
"_type": "https://in-toto.io/Statement/v0.1",
"predicate": {
Expand All @@ -109,8 +71,7 @@
},
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": null
},
"subject": null
}
}
],
"image": {
Expand All @@ -124,18 +85,6 @@
{
"attestations": [
{
"_type": "https://in-toto.io/Statement/v0.1",
"extra": {},
"predicate": {
"buildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
"builder": {
"id": ""
},
"invocation": {
"configSource": {}
}
},
"predicateType": "https://slsa.dev/provenance/v0.2",
"statement": {
"_type": "https://in-toto.io/Statement/v0.1",
"predicate": {
Expand All @@ -149,8 +98,7 @@
},
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": null
},
"subject": null
}
}
],
"image": {
Expand Down Expand Up @@ -211,35 +159,6 @@
{
"attestations": [
{
"_type": "https://in-toto.io/Statement/v0.1",
"extra": {
"signatures": [
{
"certificate": "certificate",
"chain": [
"a",
"b",
"c"
],
"keyid": "keyId",
"metadata": {
"k1": "v1",
"k2": "v2"
},
"sig": "signature"
}
]
},
"predicate": {
"buildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
"builder": {
"id": ""
},
"invocation": {
"configSource": {}
}
},
"predicateType": "https://slsa.dev/provenance/v0.2",
"signatures": [
{
"certificate": "certificate",
Expand Down Expand Up @@ -269,8 +188,7 @@
},
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": null
},
"subject": null
}
}
],
"image": {
Expand All @@ -284,18 +202,6 @@
{
"attestations": [
{
"_type": "https://in-toto.io/Statement/v0.1",
"extra": {},
"predicate": {
"buildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
"builder": {
"id": ""
},
"invocation": {
"configSource": {}
}
},
"predicateType": "https://slsa.dev/provenance/v0.2",
"statement": {
"_type": "https://in-toto.io/Statement/v0.1",
"predicate": {
Expand All @@ -309,8 +215,7 @@
},
"predicateType": "https://slsa.dev/provenance/v0.2",
"subject": null
},
"subject": null
}
}
],
"image": {
Expand All @@ -320,31 +225,6 @@
}
---

[TestAttestationDataJSONMarshal - 1]
{
"extra": {
"signatures": [
{
"certificate": "certificate",
"chain": [
"c1",
"c2",
"c3"
],
"keyid": "key-id",
"metadata": {
"m1": "v1",
"m2": "v2"
},
"sig": "signature"
}
]
},
"json": "here",
"statement": null
}
---

[TestWriteInputFile/component_with_source - 1]
{
"attestations": null,
Expand Up @@ -334,13 +334,7 @@ func (a *ApplicationSnapshotImage) Signatures() []signature.EntitySignature {
}

type attestationData struct {
json.RawMessage // Deprecated
Extra attestationExtraData `json:"extra"` // Deprecated
Statement json.RawMessage `json:"statement"`
Signatures []signature.EntitySignature `json:"signatures,omitempty"`
}

type attestationExtraData struct {
Statement json.RawMessage `json:"statement"`
Signatures []signature.EntitySignature `json:"signatures,omitempty"`
}

Expand All @@ -352,27 +346,8 @@ type attestationExtraData struct {
// a standard process for Marshaling the JSON can be used, thus removing the need for this method.
func (a attestationData) MarshalJSON() ([]byte, error) {
buffy := bytes.Buffer{}
raw, err := a.RawMessage.MarshalJSON()
if err != nil {
return nil, err
}

if _, err = buffy.Write(raw[0 : len(raw)-1]); err != nil {
return nil, err
}

if _, err = buffy.WriteString(`,"extra":`); err != nil {
return nil, fmt.Errorf("write extra key: %w", err)
}
extra, err := json.Marshal(a.Extra)
if err != nil {
return nil, fmt.Errorf("marshal json extra: %w", err)
}
if _, err := buffy.Write(extra); err != nil {
return nil, fmt.Errorf("write extra value: %w", err)
}

_, err = buffy.WriteString(`, "statement":`)
_, err := buffy.WriteString(`{"statement":`)
if err != nil {
return nil, fmt.Errorf("write statement key: %w", err)
}
Expand Down Expand Up @@ -426,8 +401,6 @@ func (a *ApplicationSnapshotImage) WriteInputFile(ctx context.Context) (string,
var attestations []attestationData
for _, a := range a.attestations {
attestations = append(attestations, attestationData{
RawMessage: a.Statement(), // Deprecated, remove soon
Extra: attestationExtraData{Signatures: a.Signatures()}, // Deprecated, remove soon
Statement: a.Statement(),
Signatures: a.Signatures(),
})
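Review bot: `MarshalJSON` still hand-assembles the object starting with `buffy.WriteString(`{"statement":`)`, although the justification its comment gives (the deprecated embedded `RawMessage` that made standard marshalling impossible) is exactly what this hunk removes, and `attestationData` is now just two tagged fields. Assuming the rest of the method, which ends outside the hunk, writes `signatures` the way the struct tag describes, `json.Marshal(a)` would produce the same object and would encode a nil `Statement` as `null`, whereas the hand-built writer leaves `{"statement":` unterminated unless code outside the hunk guards that case; either delete the method so the tags drive encoding, or replace the comment with one stating why the custom writer is still needed, e.g. `// MarshalJSON is kept for byte-for-byte compatibility with the existing policy-input snapshots.`. Note also that the `[TestAttestationDataJSONMarshal - 1]` snapshot is dropped in the snapshot section above, so this method appears to lose its direct test unless a file not shown here re-adds one. The struct hunk and the `WriteInputFile` hunk are pure deletions and need no change; `WriteInputFile` itself starts and ends outside its hunk.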
