From c79d345c764e3477ef03adbfd0f2a7aaeffba78f Mon Sep 17 00:00:00 2001
From: Marcela Melara
Date: Fri, 25 Aug 2023 18:01:55 -0700
Subject: [PATCH] Add SLSA assertion check example

Signed-off-by: Marcela Melara
---
 .../metadata/attestations/build.452e628a.json | 1 -
 examples/run-container-examples-e2e.sh | 10 +++++-
 go/cmd/check.go | 34 +++++++++++++------
 go/policy/attestation.go | 10 ++++--
 go/policy/plaintext.go | 1 -
 layouts/pdo_client_wawaka.yml | 1 -
 policies/has-slsa.yml | 6 ++++
 7 files changed, 46 insertions(+), 17 deletions(-)
 delete mode 100644 examples/hermetic-evidence/metadata/attestations/build.452e628a.json
 create mode 100644 policies/has-slsa.yml

diff --git a/examples/hermetic-evidence/metadata/attestations/build.452e628a.json b/examples/hermetic-evidence/metadata/attestations/build.452e628a.json
deleted file mode 100644
index 5eaa780..0000000
--- a/examples/hermetic-evidence/metadata/attestations/build.452e628a.json
+++ /dev/null
@@ -1 +0,0 @@ -{"payloadType":"application/vnd.in-toto+json","payload":"{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"pdo_client_wawaka","digest":{"sha256":"9fb7ef552298f8fbad84604d06100e760b7b8c4cb4d6c4b727865f1f285d06ac"}}],"predicate":{"builder":{"id":"https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0"},"buildType":"https://github.com/slsa-framework/slsa-github-generator/generic@v1","invocation":{"configSource":{"uri":"git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata","digest":{"sha1":"87b74378e8c9ccf335a27ffcdc16636990254e1e"},"entryPoint":".github/workflows/ci-swsc.yaml"},"parameters":{},"environment":{"github_actor":"marcelamelara","github_actor_id":"93797898","github_base_ref":"","github_event_name":"push","github_event_payload":{"after":"87b74378e8c9ccf335a27ffcdc16636990254e1e","base_ref":null,"before":"89ea53b883573c6295d8ee63ed7aa1e0d14c78e1","commits":[{"author":{"email":"marcela.melara@intel.com","name":"Marcela Melara","username":"marcelamelara"},"committer":{"email":"marcela.melara@intel.com","name":"Marcela Melara","username":"marcelamelara"},"distinct":true,"id":"87b74378e8c9ccf335a27ffcdc16636990254e1e","message":"Merge swsc metadata workflows\n\nSigned-off-by: Marcela Melara \u003cmarcela.melara@intel.com\u003e","timestamp":"2023-08-23T16:55:20-07:00","tree_id":"34699a554210ff93fc860f70e4a183e664b3725e","url":"https://github.com/marcelamelara/private-data-objects/commit/87b74378e8c9ccf335a27ffcdc16636990254e1e"}],"compare":"https://github.com/marcelamelara/private-data-objects/compare/89ea53b88357...87b74378e8c9","created":false,"deleted":false,"forced":false,"head_commit":{"author":{"email":"marcela.melara@intel.com","name":"Marcela Melara","username":"marcelamelara"},"committer":{"email":"marcela.melara@intel.com","name":"Marcela 
Melara","username":"marcelamelara"},"distinct":true,"id":"87b74378e8c9ccf335a27ffcdc16636990254e1e","message":"Merge swsc metadata workflows\n\nSigned-off-by: Marcela Melara \u003cmarcela.melara@intel.com\u003e","timestamp":"2023-08-23T16:55:20-07:00","tree_id":"34699a554210ff93fc860f70e4a183e664b3725e","url":"https://github.com/marcelamelara/private-data-objects/commit/87b74378e8c9ccf335a27ffcdc16636990254e1e"},"pusher":{"email":"marcela.melara@intel.com","name":"marcelamelara"},"ref":"refs/heads/generate-swsc-build-metadata","repository":{"allow_forking":true,"archive_url":"https://api.github.com/repos/marcelamelara/private-data-objects/{archive_format}{/ref}","archived":false,"assignees_url":"https://api.github.com/repos/marcelamelara/private-data-objects/assignees{/user}","blobs_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/blobs{/sha}","branches_url":"https://api.github.com/repos/marcelamelara/private-data-objects/branches{/branch}","clone_url":"https://github.com/marcelamelara/private-data-objects.git","collaborators_url":"https://api.github.com/repos/marcelamelara/private-data-objects/collaborators{/collaborator}","comments_url":"https://api.github.com/repos/marcelamelara/private-data-objects/comments{/number}","commits_url":"https://api.github.com/repos/marcelamelara/private-data-objects/commits{/sha}","compare_url":"https://api.github.com/repos/marcelamelara/private-data-objects/compare/{base}...{head}","contents_url":"https://api.github.com/repos/marcelamelara/private-data-objects/contents/{+path}","contributors_url":"https://api.github.com/repos/marcelamelara/private-data-objects/contributors","created_at":1580158534,"default_branch":"main","deployments_url":"https://api.github.com/repos/marcelamelara/private-data-objects/deployments","description":"The Private Data Objects lab provides technology for confidentiality-preserving, off-chain smart 
contracts.","disabled":false,"downloads_url":"https://api.github.com/repos/marcelamelara/private-data-objects/downloads","events_url":"https://api.github.com/repos/marcelamelara/private-data-objects/events","fork":true,"forks":1,"forks_count":1,"forks_url":"https://api.github.com/repos/marcelamelara/private-data-objects/forks","full_name":"marcelamelara/private-data-objects","git_commits_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/commits{/sha}","git_refs_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/refs{/sha}","git_tags_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/tags{/sha}","git_url":"git://github.com/marcelamelara/private-data-objects.git","has_discussions":false,"has_downloads":true,"has_issues":false,"has_pages":false,"has_projects":true,"has_wiki":true,"homepage":null,"hooks_url":"https://api.github.com/repos/marcelamelara/private-data-objects/hooks","html_url":"https://github.com/marcelamelara/private-data-objects","id":236592908,"is_template":false,"issue_comment_url":"https://api.github.com/repos/marcelamelara/private-data-objects/issues/comments{/number}","issue_events_url":"https://api.github.com/repos/marcelamelara/private-data-objects/issues/events{/number}","issues_url":"https://api.github.com/repos/marcelamelara/private-data-objects/issues{/number}","keys_url":"https://api.github.com/repos/marcelamelara/private-data-objects/keys{/key_id}","labels_url":"https://api.github.com/repos/marcelamelara/private-data-objects/labels{/name}","language":"C++","languages_url":"https://api.github.com/repos/marcelamelara/private-data-objects/languages","license":{"key":"apache-2.0","name":"Apache License 
2.0","node_id":"MDc6TGljZW5zZTI=","spdx_id":"Apache-2.0","url":"https://api.github.com/licenses/apache-2.0"},"master_branch":"main","merges_url":"https://api.github.com/repos/marcelamelara/private-data-objects/merges","milestones_url":"https://api.github.com/repos/marcelamelara/private-data-objects/milestones{/number}","mirror_url":null,"name":"private-data-objects","node_id":"MDEwOlJlcG9zaXRvcnkyMzY1OTI5MDg=","notifications_url":"https://api.github.com/repos/marcelamelara/private-data-objects/notifications{?since,all,participating}","open_issues":0,"open_issues_count":0,"owner":{"avatar_url":"https://avatars.githubusercontent.com/u/93797898?v=4","email":"marcela.melara@intel.com","events_url":"https://api.github.com/users/marcelamelara/events{/privacy}","followers_url":"https://api.github.com/users/marcelamelara/followers","following_url":"https://api.github.com/users/marcelamelara/following{/other_user}","gists_url":"https://api.github.com/users/marcelamelara/gists{/gist_id}","gravatar_id":"","html_url":"https://github.com/marcelamelara","id":93797898,"login":"marcelamelara","name":"marcelamelara","node_id":"U_kgDOBZc-Cg","organizations_url":"https://api.github.com/users/marcelamelara/orgs","received_events_url":"https://api.github.com/users/marcelamelara/received_events","repos_url":"https://api.github.com/users/marcelamelara/repos","site_admin":false,"starred_url":"https://api.github.com/users/marcelamelara/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/marcelamelara/subscriptions","type":"User","url":"https://api.github.com/users/marcelamelara"},"private":false,"pulls_url":"https://api.github.com/repos/marcelamelara/private-data-objects/pulls{/number}","pushed_at":1692834923,"releases_url":"https://api.github.com/repos/marcelamelara/private-data-objects/releases{/id}","size":3436,"ssh_url":"git@github.com:marcelamelara/private-data-objects.git","stargazers":0,"stargazers_count":0,"stargazers_url":"https://api.github.com/repos/marcelam
elara/private-data-objects/stargazers","statuses_url":"https://api.github.com/repos/marcelamelara/private-data-objects/statuses/{sha}","subscribers_url":"https://api.github.com/repos/marcelamelara/private-data-objects/subscribers","subscription_url":"https://api.github.com/repos/marcelamelara/private-data-objects/subscription","svn_url":"https://github.com/marcelamelara/private-data-objects","tags_url":"https://api.github.com/repos/marcelamelara/private-data-objects/tags","teams_url":"https://api.github.com/repos/marcelamelara/private-data-objects/teams","topics":[],"trees_url":"https://api.github.com/repos/marcelamelara/private-data-objects/git/trees{/sha}","updated_at":"2022-01-11T01:04:34Z","url":"https://github.com/marcelamelara/private-data-objects","visibility":"public","watchers":0,"watchers_count":0,"web_commit_signoff_required":false},"sender":{"avatar_url":"https://avatars.githubusercontent.com/u/93797898?v=4","events_url":"https://api.github.com/users/marcelamelara/events{/privacy}","followers_url":"https://api.github.com/users/marcelamelara/followers","following_url":"https://api.github.com/users/marcelamelara/following{/other_user}","gists_url":"https://api.github.com/users/marcelamelara/gists{/gist_id}","gravatar_id":"","html_url":"https://github.com/marcelamelara","id":93797898,"login":"marcelamelara","node_id":"U_kgDOBZc-Cg","organizations_url":"https://api.github.com/users/marcelamelara/orgs","received_events_url":"https://api.github.com/users/marcelamelara/received_events","repos_url":"https://api.github.com/users/marcelamelara/repos","site_admin":false,"starred_url":"https://api.github.com/users/marcelamelara/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/marcelamelara/subscriptions","type":"User","url":"https://api.github.com/users/marcelamelara"}},"github_head_ref":"","github_ref":"refs/heads/generate-swsc-build-metadata","github_ref_type":"branch","github_repository_id":"236592908","github_repository_owner":"marcelame
lara","github_repository_owner_id":"93797898","github_run_attempt":"1","github_run_id":"5957672580","github_run_number":"10","github_sha1":"87b74378e8c9ccf335a27ffcdc16636990254e1e"}},"metadata":{"buildInvocationID":"5957672580-1","completeness":{"parameters":true,"environment":false,"materials":false},"reproducible":false},"materials":[{"uri":"git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata","digest":{"sha1":"87b74378e8c9ccf335a27ffcdc16636990254e1e"}}]}}","signatures":[{"keyid":"","sig":"MEUCIBtd37BUemlRGSAtupB5MUNpuoY3M8sjizO8vNoF/XRzAiEA6MbwPr+GkoQ7O/gAzGqMO3YVRfnOn2CSrme14Y/Vq7g=","cert":"-----BEGIN CERTIFICATE-----\nMIIHnjCCBySgAwIBAgIUdt3q/jeQLjQLrp9xhKPIodrsiFEwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjMwODI0MDAxMzQxWhcNMjMwODI0MDAyMzQxWjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEB0TVhLF/u/aDcn+3ncIW2lfOKFn4iCY36NC3\nk/oPa8sJ8X25H//mhY8/6fNyUh4PzjIEyHPOcr8CAi8dWyuRFaOCBkMwggY/MA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUYUr0\ngD1Frvh23NrGG+OeTrkO+fgwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wgYQGA1UdEQEB/wR6MHiGdmh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1l\nd29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvLmdpdGh1Yi93b3JrZmxvd3MvZ2Vu\nZXJhdG9yX2dlbmVyaWNfc2xzYTMueW1sQHJlZnMvdGFncy92MS43LjAwOQYKKwYB\nBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50\nLmNvbTASBgorBgEEAYO/MAECBARwdXNoMDYGCisGAQQBg78wAQMEKDg3Yjc0Mzc4\nZThjOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUwMgYKKwYBBAGDvzABBAQk\nUERPIENJIHdpdGggU1cgc3VwcGx5IGNoYWluIG1ldGFkYXRhMDAGCisGAQQBg78w\nAQUEIm1hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMwNQYKKwYBBAGD\nvzABBgQncmVmcy9oZWFkcy9nZW5lcmF0ZS1zd3NjLWJ1aWxkLW1ldGFkYXRhMDsG\nCisGAQQBg78wAQgELQwraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJj\nb250ZW50LmNvbTCBhgYKKwYBBAGDvzABCQR4DHZodHRwczovL2dpdGh1Yi5jb20v\nc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29y\na2Zsb3dzL2dlbmVyYXRvcl9nZW5lcmljX3Nsc2EzLnltbEByZWZzL3RhZ3MvdjEu\n
Ny4wMDgGCisGAQQBg78wAQoEKgwoZTU1Yjc2Y2U0MjEwODJkZmE0YjM0YTZhYzNj\nNWU1OWRlMGYzYmI1ODAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwRQYK\nKwYBBAGDvzABDAQ3DDVodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9w\ncml2YXRlLWRhdGEtb2JqZWN0czA4BgorBgEEAYO/MAENBCoMKDg3Yjc0Mzc4ZThj\nOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUwNwYKKwYBBAGDvzABDgQpDCdy\nZWZzL2hlYWRzL2dlbmVyYXRlLXN3c2MtYnVpbGQtbWV0YWRhdGEwGQYKKwYBBAGD\nvzABDwQLDAkyMzY1OTI5MDgwMAYKKwYBBAGDvzABEAQiDCBodHRwczovL2dpdGh1\nYi5jb20vbWFyY2VsYW1lbGFyYTAYBgorBgEEAYO/MAERBAoMCDkzNzk3ODk4MIGM\nBgorBgEEAYO/MAESBH4MfGh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJh\nL3ByaXZhdGUtZGF0YS1vYmplY3RzLy5naXRodWIvd29ya2Zsb3dzL2NpLXN3c2Mu\neWFtbEByZWZzL2hlYWRzL2dlbmVyYXRlLXN3c2MtYnVpbGQtbWV0YWRhdGEwOAYK\nKwYBBAGDvzABEwQqDCg4N2I3NDM3OGU4YzljY2YzMzVhMjdmZmNkYzE2NjM2OTkw\nMjU0ZTFlMBQGCisGAQQBg78wARQEBgwEcHVzaDBoBgorBgEEAYO/MAEVBFoMWGh0\ndHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmpl\nY3RzL2FjdGlvbnMvcnVucy81OTU3NjcyNTgwL2F0dGVtcHRzLzEwFgYKKwYBBAGD\nvzABFgQIDAZwdWJsaWMwgYsGCisGAQQB1nkCBAIEfQR7AHkAdwDdPTBqxscRMmMZ\nHhyZZzcCokpeuN48rf+HinKALynujgAAAYok48Y6AAAEAwBIMEYCIQDlB6pBRLqz\nOVzWrWDyAKjqbj/+In4R1ZIV1ZpPBOibpgIhAOD0US5lEsq/jbd6+TFuCNGAwSmT\njLX6qaZM51mil8GAMAoGCCqGSM49BAMDA2gAMGUCMQCobhDekCwGfSHneSK9wVlo\nlm+5HAzWWCXP0MqB+z3BKrlncSTvfTtLT6Ai0uylV48CMBr+qUk5b34MOr3AfkFL\nwZPYsMpbWP4k8SXbi6NaBqwAAnAl3s+w3qbR/Nt2wtoPwA==\n-----END CERTIFICATE-----\n"}]} \ No newline at end of file diff --git a/examples/run-container-examples-e2e.sh b/examples/run-container-examples-e2e.sh index f4bd7f9..4569a6d 100755 --- a/examples/run-container-examples-e2e.sh +++ b/examples/run-container-examples-e2e.sh 
@@ -12,6 +12,14 @@ echo CHECK PDO CLIENT CONTAINER IN-TOTO LAYOUT
 scai-gen check layout -l layouts/pdo_client_wawaka.yml examples/sbom+slsa/metadata/attestations/build.452e628a.json examples/sbom+slsa/metadata/attestations/evidence-collection.1f575092.json
-echo CHECK PDO CLIENT CONTAINER SCAI EVIDENCE
+echo CHECK PDO CLIENT CONTAINER HERMETIC BUILD ASSERTION
 scai-gen check evidence -p policies/hermetic-evidence.yml -e examples/hermetic-evidence/metadata/ examples/hermetic-evidence/metadata/attestations/build.1f575092.json
+
+echo CHECK PDO CLIENT CONTAINER HAS-SLSA ASSERTION
+
+scai-gen check evidence -p policies/has-slsa.yml -e examples/sbom+slsa/metadata examples/sbom+slsa/metadata/attestations/evidence-collection.1f575092.json
+
+echo NEGATIVE TEST: CHECK BAD PDO CLIENT CONTAINER SCAI ASSERTION
+
+scai-gen check evidence -p policies/hermetic-evidence-fail.yml -e examples/hermetic-evidence/metadata/ examples/hermetic-evidence/metadata/attestations/bad-build.1f575092.json
diff --git a/go/cmd/check.go b/go/cmd/check.go
index 30d1a1b..e5b7bdb 100644
--- a/go/cmd/check.go
+++ b/go/cmd/check.go
@@ -145,15 +145,10 @@ func checkEvidence(cmd *cobra.Command, args []string) error {
 return err
 }
- stBytes, err := envelope.DecodeB64Payload()
+ statement, err := getStatementDSSEPayload(envelope)
 if err != nil {
 return err
 }
-
- statement := &ita.Statement{}
- if err = protojson.Unmarshal(stBytes, statement); err != nil {
- return err
- }
 fmt.Println("Collecting all evidence files")
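Review bot: The negative test added at the end of the hunk runs `scai-gen check evidence -p policies/hermetic-evidence-fail.yml …` but nothing asserts that this invocation fails: under `set -e` a correctly failing check would abort the whole script, and without it a check that wrongly passes goes unnoticed. Invert the expectation explicitly, e.g. `if scai-gen check evidence -p policies/hermetic-evidence-fail.yml -e examples/hermetic-evidence/metadata/ examples/hermetic-evidence/metadata/attestations/bad-build.1f575092.json; then echo "negative test unexpectedly passed"; exit 1; fi`. Neither `policies/hermetic-evidence-fail.yml` nor `bad-build.1f575092.json` is created by this commit (the diffstat lists only `policies/has-slsa.yml` as new), so confirm they already exist in the tree. The script's preamble, including any `set` options, is outside the hunk.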
@@ -220,12 +215,17 @@ func checkEvidence(cmd *cobra.Command, args []string) error {
 }
 case "application/vnd.in-toto+dsse":
- evStatement := &ita.Statement{}
- if err = protojson.Unmarshal(evContent, evStatement); err != nil {
- return fmt.Errorf("Failed to unmarshal evidence Statement: %w", err)
+ evEnv := &dsse.Envelope{}
+ if err := json.Unmarshal(evContent, evEnv); err != nil {
+ return err
 }
- err := policy.ApplyAttestationRules(evStatement, rules)
+ evStatement, err := getStatementDSSEPayload(evEnv)
+ if err != nil {
+ return err
+ }
+
+ err = policy.ApplyAttestationRules(evStatement, attrAssertion, rules)
 if err != nil {
 return fmt.Errorf("Attestation policy check failed: %w", err)
 }
@@ -256,6 +256,20 @@ func pbStructToSCAI(s *structpb.Struct) (*scai.AttributeReport, error) {
 return report, nil
 }
+func getStatementDSSEPayload(envelope *dsse.Envelope) (*ita.Statement, error) {
+ stBytes, err := envelope.DecodeB64Payload()
+ if err != nil {
+ return nil, fmt.Errorf("Failed to decode DSSE payload: %w", err)
+ }
+
+ statement := &ita.Statement{}
+ if err = protojson.Unmarshal(stBytes, statement); err != nil {
+ return nil, fmt.Errorf("Failed to unmarshal Statement: %w", err)
+ }
+
+ return statement, nil
+}
+
 func getAllEvidenceFiles(evidenceDir string) (map[string][]byte, error) {
 evidenceMap := map[string][]byte{}
 err := filepath.Walk(evidenceDir, func(path string, info fs.FileInfo, err error) error {
diff --git a/go/policy/attestation.go b/go/policy/attestation.go
index 66b75e2..198a488 100644
--- a/go/policy/attestation.go
+++ b/go/policy/attestation.go
@@ -5,6 +5,7 @@ import(
 "github.com/google/cel-go/cel"
 "github.com/google/cel-go/interpreter"
 ita "github.com/in-toto/attestation/go/v1"
+ scai "github.com/in-toto/attestation/go/predicates/scai/v0"
 )
 func getAttestationCELEnv() (*cel.Env, error) {
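Review bot: The new `application/vnd.in-toto+dsse` branch unmarshals the evidence file into a `dsse.Envelope` and hands it to `getStatementDSSEPayload` (added in the following hunk), which base64-decodes the payload and unmarshals it as a Statement without verifying the envelope's signatures or checking `envelope.PayloadType`; the decoded Statement then goes straight into `policy.ApplyAttestationRules`, so unless verification happens before this point (not visible in the hunk) the policy is evaluated on unauthenticated content. At minimum the helper should state this contract in its doc comment, e.g. `// getStatementDSSEPayload extracts the in-toto Statement from a DSSE envelope. It does NOT verify the envelope's signatures; callers must verify before trusting the result.`, and reject foreign payload types before unmarshalling, e.g. `if envelope.PayloadType != "application/vnd.in-toto+json" { return nil, fmt.Errorf("unexpected DSSE payload type %q", envelope.PayloadType) }`. The bare `return err` after `json.Unmarshal` also drops the context the neighbouring branches add with `fmt.Errorf(... %w)`. `attrAssertion` at the new ApplyAttestationRules call is defined outside the hunk, and checkEvidence's body starts and ends outside it.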
@@ -13,26 +14,29 @@ func getAttestationCELEnv() (*cel.Env, error) {
 cel.Variable("subject", cel.ListType(cel.ObjectType("in_toto_attestation.v1.ResourceDescriptor"))),
 cel.Variable("predicateType", cel.StringType),
 cel.Variable("predicate", cel.ObjectType("google.protobuf.Struct")),
+ cel.Types(&scai.AttributeAssertion{}),
+ cel.Variable("assertion", cel.ObjectType("in_toto_attestation.predicates.scai.v0.AttributeAssertion")),
 )
 }
-func getAttestationActivation(statement *ita.Statement) (interpreter.Activation, error) {
+func getAttestationActivation(statement *ita.Statement, attrAssertion *scai.AttributeAssertion) (interpreter.Activation, error) {
 return interpreter.NewActivation(map[string]any{
 "type": statement.Type,
 "subject": statement.Subject,
 "predicateType": statement.PredicateType,
 "predicate": statement.Predicate,
+ "assertion": attrAssertion,
 })
 }
-func ApplyAttestationRules(statement *ita.Statement, rules []verifier.Constraint) error {
+func ApplyAttestationRules(statement *ita.Statement, attrAssertion *scai.AttributeAssertion, rules []verifier.Constraint) error {
 env, err := getAttestationCELEnv()
 if err != nil {
 return err
 }
- input, err := getAttestationActivation(statement)
+ input, err := getAttestationActivation(statement, attrAssertion)
 if err != nil {
 return err
 }
diff --git a/go/policy/plaintext.go b/go/policy/plaintext.go
index 2d6acad..9f507a7 100644
--- a/go/policy/plaintext.go
+++ b/go/policy/plaintext.go
@@ -7,7 +7,6 @@ import(
 "github.com/google/cel-go/cel"
 "github.com/google/cel-go/interpreter"
 scai "github.com/in-toto/attestation/go/predicates/scai/v0"
- //"google.golang.org/protobuf/types/known/structpb"
 )
 func getPlaintextCELEnv() (*cel.Env, error) {
diff --git a/layouts/pdo_client_wawaka.yml b/layouts/pdo_client_wawaka.yml
index da9558f..408006c 100644
--- a/layouts/pdo_client_wawaka.yml
+++ b/layouts/pdo_client_wawaka.yml
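Review bot: `getAttestationActivation` now binds `"assertion"` to `attrAssertion` with no nil check, and `ApplyAttestationRules` requires the new parameter from every caller; how CEL treats a nil `*scai.AttributeAssertion` when a rule of the `assertion.attribute == …` form this commit introduces dereferences it is not obvious from the hunk, so a nil value would most likely surface as an evaluation error rather than a clear policy failure. Either guard at the entry point, e.g. `if attrAssertion == nil { return fmt.Errorf("attestation rules require an attribute assertion") }` (using whichever error package the file already imports), or document that nil is permitted and what rules referencing `assertion` then evaluate to. The exported `ApplyAttestationRules` also lacks a doc comment; `// ApplyAttestationRules evaluates rules against the Statement's fields and the SCAI attribute assertion, which is exposed to CEL as "assertion".` would cover the new parameter. ApplyAttestationRules's body continues past the end of the hunk.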
@@ -30,7 +30,6 @@ steps:
 - predicateType: "https://slsa.dev/provenance/v0.2"
 expectedAttributes:
 - rule: "predicate.builder.id == 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0'"
- - rule: "predicate.buildType == 'https://github.com/slsa-framework/slsa-github-generator/generic@v1'"
 - rule: "predicate.invocation.configSource.uri == 'git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata'"
 - rule: "predicate.invocation.configSource.digest.sha1 == '87b74378e8c9ccf335a27ffcdc16636990254e1e'"
 functionaries:
diff --git a/policies/has-slsa.yml b/policies/has-slsa.yml
new file mode 100644
index 0000000..8cbf348
--- /dev/null
+++ b/policies/has-slsa.yml
@@ -0,0 +1,6 @@
+attestationID: "f7dbd9211f8c9ee70313454ddba0ffacec91139ff325b3ef90eccf706bd06ecf"
+inspections:
+ - name: "build.452e628a.json"
+ expectedAttributes:
+ - rule: "assertion.attribute == 'HasSLSA' && predicateType == 'https://slsa.dev/provenance/v0.2'"
+ - rule: "predicate.buildType == 'https://github.com/slsa-framework/slsa-github-generator/generic@v1'"
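Review bot: The second rule in `policies/has-slsa.yml` pins `predicate.buildType`, which is a self-declared string inside the provenance, but nothing in this policy pins `predicate.builder.id`; the layout hunk above keeps its builder.id rule while dropping buildType, so when this policy runs on its own (as the e2e script does) it accepts a provenance from any builder that claims the generic buildType. If that is intentional for an example, a comment saying so would help, e.g. `# Example policy: builder identity is enforced by the layout, not here.`; otherwise add `- rule: "predicate.builder.id == 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0'"` to match the layout. The meaning of `attestationID` is also undocumented; a one-line comment stating which artifact's digest it is would help a reader.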