Add SLSA assertion check example

Signed-off-by: Marcela Melara <[email protected]>
in-toto · Aug 26, 2023 · c79d345 · c79d345
1 parent 19afada
commit c79d345
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 17 deletions.
diff --git a/examples/hermetic-evidence/metadata/attestations/build.452e628a.json b/examples/hermetic-evidence/metadata/attestations/build.452e628a.json
diff --git a/examples/run-container-examples-e2e.sh b/examples/run-container-examples-e2e.sh
@@ -12,6 +12,14 @@ echo CHECK PDO CLIENT CONTAINER IN-TOTO LAYOUT
 
 scai-gen check layout -l layouts/pdo_client_wawaka.yml examples/sbom+slsa/metadata/attestations/build.452e628a.json examples/sbom+slsa/metadata/attestations/evidence-collection.1f575092.json
 
-echo CHECK PDO CLIENT CONTAINER SCAI EVIDENCE
+echo CHECK PDO CLIENT CONTAINER HERMETIC BUILD ASSERTION
 
 scai-gen check evidence -p policies/hermetic-evidence.yml -e examples/hermetic-evidence/metadata/ examples/hermetic-evidence/metadata/attestations/build.1f575092.json
+
+echo CHECK PDO CLIENT CONTAINER HAS-SLSA ASSERTION
+
+scai-gen check evidence -p policies/has-slsa.yml -e examples/sbom+slsa/metadata examples/sbom+slsa/metadata/attestations/evidence-collection.1f575092.json
+
+echo NEGATIVE TEST: CHECK BAD PDO CLIENT CONTAINER SCAI ASSERTION
+
+scai-gen check evidence -p policies/hermetic-evidence-fail.yml -e examples/hermetic-evidence/metadata/ examples/hermetic-evidence/metadata/attestations/bad-build.1f575092.json
diff --git a/go/cmd/check.go b/go/cmd/check.go
@@ -145,15 +145,10 @@ func checkEvidence(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	stBytes, err := envelope.DecodeB64Payload()
+	statement, err := getStatementDSSEPayload(envelope)
 	if err != nil {
 		return err
 	}
-
-	statement := &ita.Statement{}
-	if err = protojson.Unmarshal(stBytes, statement); err != nil {
-		return err
-	}
 
 	fmt.Println("Collecting all evidence files")
 
@@ -220,12 +215,17 @@ func checkEvidence(cmd *cobra.Command, args []string) error {
 			}
 
 		case "application/vnd.in-toto+dsse":
-			evStatement := &ita.Statement{}
-			if err = protojson.Unmarshal(evContent, evStatement); err != nil {
-				return fmt.Errorf("Failed to unmarshal evidence Statement: %w", err)
+			evEnv := &dsse.Envelope{}
+			if err := json.Unmarshal(evContent, evEnv); err != nil {
+				return err
 			}
 
-			err := policy.ApplyAttestationRules(evStatement, rules)
+			evStatement, err := getStatementDSSEPayload(evEnv)
+			if err != nil {
+				return err
+			}
+
+			err = policy.ApplyAttestationRules(evStatement, attrAssertion, rules)
 			if err != nil {
 				return fmt.Errorf("Attestation policy check failed: %w", err)
 			}
@@ -256,6 +256,20 @@ func pbStructToSCAI(s *structpb.Struct) (*scai.AttributeReport, error) {
 	return report, nil
 }
 
+func getStatementDSSEPayload(envelope *dsse.Envelope) (*ita.Statement, error) {
+	stBytes, err := envelope.DecodeB64Payload()
+	if err != nil {
+		return nil, fmt.Errorf("Failed to decode DSSE payload: %w", err)
+	}
+
+	statement := &ita.Statement{}
+	if err = protojson.Unmarshal(stBytes, statement); err != nil {
+		return nil, fmt.Errorf("Failed to unmarshal Statement: %w", err)
+	}
+
+	return statement, nil
+}
+
 func getAllEvidenceFiles(evidenceDir string) (map[string][]byte, error) {
 	evidenceMap := map[string][]byte{}
 	err := filepath.Walk(evidenceDir, func(path string, info fs.FileInfo, err error) error {