fix mapping between Status.Steps and Status.TaskSpec.Steps (#1188)
jkhelil committed Sep 16, 2024
1 parent 7fd8992 commit 9d7d110
Showing 4 changed files with 532 additions and 4 deletions.
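--- a/pkg/chains/formats/slsa/testdata/pipeline-v1beta1/taskrun4.json
+++ b/pkg/chains/formats/slsa/testdata/pipeline-v1beta1/taskrun4.json
@@ -0,0 +1,136 @@
+{
+"metadata": {
+"name": "mismatch Status.Step.Name and Status.TaskSpec.Step.Name",
+"labels": {
+"tekton.dev/pipelineTask": "build"
+}
+},
+"spec": {
+"params": [
+{
+"name": "IMAGE",
+"value": "test.io/test/image"
+},
+{
+"name": "CHAINS-GIT_COMMIT",
+"value": "sha:taskrun"
+},
+{
+"name": "CHAINS-GIT_URL",
+"value": "https://git.test.com"
+}
+],
+"taskRef": {
+"name": "build",
+"kind": "Task"
+},
+"serviceAccountName": "default"
+},
+"status": {
+"startTime": "2021-03-29T09:50:00Z",
+"completionTime": "2021-03-29T09:50:15Z",
+"conditions": [
+{
+"type": "Succeeded",
+"status": "True",
+"lastTransitionTime": "2021-03-29T09:50:15Z",
+"reason": "Succeeded",
+"message": "All Steps have completed executing"
+}
+],
+"podName": "test-pod-name",
+"steps": [
+{
+"name": "unnamed-",
+"container": "step-step1",
+"imageID": "docker-pullable://gcr.io/test7/test7@sha256:d4b63d3e24d6eef04a6dc0795cf8a73470688803d97c52cffa3c8d4efd3397b6"
+},
+{
+"name": "step2",
+"container": "step-step2",
+"imageID": "docker-pullable://gcr.io/test8/test8@sha256:4d6dd704ef58cb214dd826519929e92a978a57cdee43693006139c0080fd6fac"
+},
+{
+"name": "step3",
+"container": "step-step3",
+"imageID": "docker-pullable://gcr.io/test9/test9@sha256:f1a8b8549c179f41e27ff3db0fe1a1793e4b109da46586501a8343637b1d0478"
+}
+],
+"taskResults": [
+{
+"name": "IMAGE_DIGEST",
+"value": "sha256:827521c857fdcd4374f4da5442fbae2edb01e7fbae285c3ec15673d4c1daecb7"
+},
+{
+"name": "IMAGE_URL",
+"value": "gcr.io/my/image"
+}
+],
+"taskSpec": {
+"params": [
+{
+"name": "IMAGE",
+"type": "string"
+},
+{
+"name": "filename",
+"type": "string"
+},
+{
+"name": "DOCKERFILE",
+"type": "string"
+},
+{
+"name": "CONTEXT",
+"type": "string"
+},
+{
+"name": "EXTRA_ARGS",
+"type": "string"
+},
+{
+"name": "BUILDER_IMAGE",
+"type": "string"
+}, {
+"name": "CHAINS-GIT_COMMIT",
+"type": "string",
+"default": "sha:task"
+}, {
+"name": "CHAINS-GIT_URL",
+"type": "string",
+"default": "https://defaultgit.test.com"
+}
+],
+"steps": [
+{
+"name": "step1"
+},
+{
+"name": "step2"
+},
+{
+"name": "step3"
+}
+],
+"results": [
+{
+"name": "IMAGE_DIGEST",
+"description": "Digest of the image just built."
+},
+{
+"name": "filename_DIGEST",
+"description": "Digest of the file just built."
+}
+]
+},
+"provenance": {
+"refSource": {
+"uri": "github.com/test",
+"digest": {
+"sha1": "ab123"
+},
+"entryPoint": "build.yaml"
+}
+}
+}
+}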
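--- a/pkg/chains/formats/slsa/testdata/pipeline-v1beta1/taskrun5.json
+++ b/pkg/chains/formats/slsa/testdata/pipeline-v1beta1/taskrun5.json
@@ -0,0 +1,141 @@
+{
+"metadata": {
+"name": "mismatch size between Status.Steps and Status.TaskSpec.Steps",
+"labels": {
+"tekton.dev/pipelineTask": "build"
+}
+},
+"spec": {
+"params": [
+{
+"name": "IMAGE",
+"value": "test.io/test/image"
+},
+{
+"name": "CHAINS-GIT_COMMIT",
+"value": "sha:taskrun"
+},
+{
+"name": "CHAINS-GIT_URL",
+"value": "https://git.test.com"
+}
+],
+"taskRef": {
+"name": "build",
+"kind": "Task"
+},
+"serviceAccountName": "default"
+},
+"status": {
+"startTime": "2021-03-29T09:50:00Z",
+"completionTime": "2021-03-29T09:50:15Z",
+"conditions": [
+{
+"type": "Succeeded",
+"status": "True",
+"lastTransitionTime": "2021-03-29T09:50:15Z",
+"reason": "Succeeded",
+"message": "All Steps have completed executing"
+}
+],
+"podName": "test-pod-name",
+"steps": [
+{
+"name": "step1",
+"container": "step-step1",
+"imageID": "docker-pullable://gcr.io/test10/test10@sha256:d4b63d3e24d6eef04a6dc0795cf8a73470688803d97c52cffa3c8d4efd3397b6"
+},
+{
+"name": "step2",
+"container": "step-step2",
+"imageID": "docker-pullable://gcr.io/test11/test11@sha256:4d6dd704ef58cb214dd826519929e92a978a57cdee43693006139c0080fd6fac"
+},
+{
+"name": "step3",
+"container": "step-step3",
+"imageID": "docker-pullable://gcr.io/test12/test12@sha256:f1a8b8549c179f41e27ff3db0fe1a1793e4b109da46586501a8343637b1d0478"
+},
+{
+"name": "step4",
+"container": "step-step3",
+"imageID": "docker-pullable://gcr.io/test13/test13@sha256:f1a8b8549c179f41e27ff3db0fe1a1793e4b109da46586501a8343637b1d0478"
+}
+],
+"taskResults": [
+{
+"name": "IMAGE_DIGEST",
+"value": "sha256:827521c857fdcd4374f4da5442fbae2edb01e7fbae285c3ec15673d4c1daecb7"
+},
+{
+"name": "IMAGE_URL",
+"value": "gcr.io/my/image"
+}
+],
+"taskSpec": {
+"params": [
+{
+"name": "IMAGE",
+"type": "string"
+},
+{
+"name": "filename",
+"type": "string"
+},
+{
+"name": "DOCKERFILE",
+"type": "string"
+},
+{
+"name": "CONTEXT",
+"type": "string"
+},
+{
+"name": "EXTRA_ARGS",
+"type": "string"
+},
+{
+"name": "BUILDER_IMAGE",
+"type": "string"
+}, {
+"name": "CHAINS-GIT_COMMIT",
+"type": "string",
+"default": "sha:task"
+}, {
+"name": "CHAINS-GIT_URL",
+"type": "string",
+"default": "https://defaultgit.test.com"
+}
+],
+"steps": [
+{
+"name": "step1"
+},
+{
+"name": "step2"
+},
+{
+"name": "step3"
+}
+],
+"results": [
+{
+"name": "IMAGE_DIGEST",
+"description": "Digest of the image just built."
+},
+{
+"name": "filename_DIGEST",
+"description": "Digest of the file just built."
+}
+]
+},
+"provenance": {
+"refSource": {
+"uri": "github.com/test",
+"digest": {
+"sha1": "ab123"
+},
+"entryPoint": "build.yaml"
+}
+}
+}
+}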
34 changes: 30 additions & 4 deletions pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go
@@ -15,6 +15,7 @@ package pipelinerun

import (
"context"
"strings"
"time"

intoto "github.com/in-toto/attestation/go/v1"
@@ -112,14 +113,39 @@ func buildConfig(ctx context.Context, pro *objects.PipelineRunObjectV1Beta1) Bui
for _, tr := range taskRuns {
// Ignore Tasks that did not execute during the PipelineRun.
if tr.Status.CompletionTime == nil {
logger.Infof("taskrun status not complete for task %s", tr.Name)
logger.Warnf("taskrun status not complete for task %s", tr.Name)
continue
}

steps := []attest.StepAttestation{}
for i, stepState := range tr.Status.Steps {
step := tr.Status.TaskSpec.Steps[i]
steps = append(steps, attest.Step(&step, &stepState))
// tr.Status.TaskSpec.Steps and tr.Status.Steps should be sime size
if len(tr.Status.TaskSpec.Steps) != len(tr.Status.Steps) {
logger.Errorf("Mismatch in number of steps for task run %s. TaskSpec steps: %d, Status steps: %d",
tr.Name, len(tr.Status.TaskSpec.Steps), len(tr.Status.Steps))
continue // Skip this task run entirely
}

// Validate and process steps
valid := true
for i, step := range tr.Status.TaskSpec.Steps {
stepState := tr.Status.Steps[i]

// Check if unnamed step matches empty name in the other list
if strings.HasPrefix(stepState.Name, "unnamed-") && step.Name != "" {
logger.Errorf("Mismatch in step names for task run %s. Step %d: %s, StepState %d: %s",
tr.Name, i, step.Name, i, stepState.Name)
valid = false
break
}

if valid {
steps = append(steps, attest.Step(&step, &stepState))
}
}

if !valid {
logger.Errorf("Skipping task run %s due to step name mismatch", tr.Name)
continue
}

after := t.RunAfter
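Review bot: The name check in the new loop only rejects a status step named `unnamed-…` that sits opposite a named spec step; two differently named steps at the same index still pass, and `attest.Step` then pairs a spec step with another step's state and imageID. If status step names are expected to mirror the spec names, compare them directly, e.g. `if step.Name != "" && stepState.Name != step.Name {`. Both new `continue` paths also drop a completed TaskRun from the build config with only an error log, so the resulting provenance would omit a task that ran; failing the attestation instead looks safer, though that needs an error path out of buildConfig, whose signature and remaining body lie outside this hunk. Separately, `tr.Status.TaskSpec` is dereferenced in the length guard before any nil check (it appears to be a pointer), and the inner `if valid {` is always true because the mismatch branch breaks.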