From 7028400d321c5a360acbf1c1fe9555242783f07b Mon Sep 17 00:00:00 2001
From: Matthias Glastra
Date: Wed, 15 Nov 2023 16:35:07 +0100
Subject: [PATCH 1/9] fix: Fix missing checks on product include/exclude glob for attestation.
Signed-off-by: Matthias Glastra
---
 attestation/file/file.go | 25 ++++++++++++++++++++-----
 attestation/material/material.go | 2 +-
 attestation/product/product.go | 15 +++++++++------
 3 files changed, 30 insertions(+), 12 deletions(-)
diff --git a/attestation/file/file.go b/attestation/file/file.go
index 14065d6f..5c610e7c 100644
--- a/attestation/file/file.go
+++ b/attestation/file/file.go
@@ -19,6 +19,7 @@ import (
 "os"
 "path/filepath"
+ "github.com/gobwas/glob"
 "github.com/in-toto/go-witness/cryptoutil"
 "github.com/in-toto/go-witness/log"
 )
@@ -26,7 +27,7 @@ import (
 // recordArtifacts will walk basePath and record the digests of each file with each of the functions in hashes.
 // If file already exists in baseArtifacts and the two artifacts are equal the artifact will not be in the
 // returned map of artifacts.
-func RecordArtifacts(basePath string, baseArtifacts map[string]cryptoutil.DigestSet, hashes []cryptoutil.DigestValue, visitedSymlinks map[string]struct{}, processWasTraced bool, openedFiles map[string]bool) (map[string]cryptoutil.DigestSet, error) {
+func RecordArtifacts(basePath string, baseArtifacts map[string]cryptoutil.DigestSet, hashes []cryptoutil.DigestValue, visitedSymlinks map[string]struct{}, processWasTraced bool, openedFiles map[string]bool, includeGlob glob.Glob, excludeGlob glob.Glob) (map[string]cryptoutil.DigestSet, error) {
 artifacts := make(map[string]cryptoutil.DigestSet)
 err := filepath.Walk(basePath, func(path string, info fs.FileInfo, err error) error {
 if err != nil {
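Review bot: The doc comment above `RecordArtifacts` still describes only basePath, hashes and baseArtifacts; the two new parameters decide which files end up in the attestation and nil is accepted for both (material.go passes `nil, nil` in this same patch), so that contract belongs in the comment, e.g. `// includeGlob and excludeGlob filter the recorded paths; a nil glob applies no filter.` — once the precedence between the two is settled. Adding parameters to an exported function is also a breaking change for any other caller of file.RecordArtifacts; an options struct or a variadic filter argument would let existing call sites keep compiling. RecordArtifacts continues outside the hunk.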
@@ -57,7 +58,7 @@ func RecordArtifacts(basePath string, baseArtifacts map[string]cryptoutil.Digest
 }
 visitedSymlinks[linkedPath] = struct{}{}
- symlinkedArtifacts, err := RecordArtifacts(linkedPath, baseArtifacts, hashes, visitedSymlinks, processWasTraced, openedFiles)
+ symlinkedArtifacts, err := RecordArtifacts(linkedPath, baseArtifacts, hashes, visitedSymlinks, processWasTraced, openedFiles, includeGlob, excludeGlob)
 if err != nil {
 return err
 }
@@ -65,7 +66,8 @@ func RecordArtifacts(basePath string, baseArtifacts map[string]cryptoutil.Digest
 for artifactPath, artifact := range symlinkedArtifacts {
 // all artifacts in the symlink should be recorded relative to our basepath
 joinedPath := filepath.Join(relPath, artifactPath)
- if shouldRecord(joinedPath, artifact, baseArtifacts, processWasTraced, openedFiles) {
+
+ if shouldRecord(joinedPath, artifact, baseArtifacts, processWasTraced, openedFiles, includeGlob, excludeGlob) {
 artifacts[filepath.Join(relPath, artifactPath)] = artifact
 }
 }
@@ -78,7 +80,7 @@ func RecordArtifacts(basePath string, baseArtifacts map[string]cryptoutil.Digest
 return err
 }
- if shouldRecord(relPath, artifact, baseArtifacts, processWasTraced, openedFiles) {
+ if shouldRecord(relPath, artifact, baseArtifacts, processWasTraced, openedFiles, includeGlob, excludeGlob) {
 artifacts[relPath] = artifact
 }
@@ -92,10 +94,23 @@ func RecordArtifacts(basePath string, baseArtifacts map[string]cryptoutil.Digest
 // if the process was traced and the artifact was not one of the opened files, return false
 // if the artifact is already in baseArtifacts, check if it's changed
 // if it is not equal to the existing artifact, return true, otherwise return false
-func shouldRecord(path string, artifact cryptoutil.DigestSet, baseArtifacts map[string]cryptoutil.DigestSet, processWasTraced bool, openedFiles map[string]bool) bool {
+func shouldRecord(path string, artifact cryptoutil.DigestSet, baseArtifacts map[string]cryptoutil.DigestSet, processWasTraced bool, openedFiles map[string]bool, includeGlob glob.Glob, excludeGlob glob.Glob) bool {
+ includePath := true
+ if excludeGlob != nil && excludeGlob.Match(path) {
+ includePath = false
+ }
+ if includeGlob != nil && includeGlob.Match(path) {
+ includePath = true
+ }
+
+ if !includePath {
+ return false
+ }
+
 if _, ok := openedFiles[path]; !ok && processWasTraced {
 return false
 }
+
 if previous, ok := baseArtifacts[path]; ok && artifact.Equal(previous) {
 return false
 }
diff --git a/attestation/material/material.go b/attestation/material/material.go
index 6b99a4e3..20c9ad3a 100644
--- a/attestation/material/material.go
+++ b/attestation/material/material.go
@@ -90,7 +90,7 @@ func (a *Attestor) Schema() *jsonschema.Schema {
 }
 func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
- materials, err := file.RecordArtifacts(ctx.WorkingDir(), nil, ctx.Hashes(), map[string]struct{}{}, false, map[string]bool{})
+ materials, err := file.RecordArtifacts(ctx.WorkingDir(), nil, ctx.Hashes(), map[string]struct{}{}, false, map[string]bool{}, nil, nil)
 if err != nil {
 return err
 }
diff --git a/attestation/product/product.go b/attestation/product/product.go
index 8c9d6c34..0f6fea7f 100644
--- a/attestation/product/product.go
+++ b/attestation/product/product.go
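Review bot: The new block at the top of `shouldRecord` no longer uses the include glob as a filter: `includePath` starts at true, only an exclude match clears it and an include match only sets it back, so a path that matches neither glob is still recorded, and with the default include `*` compiled without separators (as material.go's Attest does later in this series) the include matches everything and the exclude can never win — which patches 2 and 5 then work around with `match.Super`/`match.Nothing` type assertions. The same inversion is introduced in `Subjects()` in product.go in this patch, where `!a.compiledIncludeGlob.Match(productName) { continue }` becomes the same set-true pattern, and that copy is never corrected later in the series. Since consumers read this attestation to learn what a step produced, both places should require the include match and let the exclude veto it: `includePath := (includeGlob == nil || includeGlob.Match(path)) && !(excludeGlob != nil && excludeGlob.Match(path))`, which also removes the need to inspect the matcher's concrete type. shouldRecord's remaining checks continue outside the hunk.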
@@ -199,7 +199,7 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 }
 }
- products, err := file.RecordArtifacts(ctx.WorkingDir(), a.baseArtifacts, ctx.Hashes(), map[string]struct{}{}, processWasTraced, openedFileSet)
+ products, err := file.RecordArtifacts(ctx.WorkingDir(), a.baseArtifacts, ctx.Hashes(), map[string]struct{}{}, processWasTraced, openedFileSet, compiledIncludeGlob, compiledExcludeGlob)
 if err != nil {
 return err
 }
@@ -229,15 +229,18 @@ func (a *Attestor) Products() map[string]attestation.Product {
 func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 subjects := make(map[string]cryptoutil.DigestSet)
 for productName, product := range a.products {
+
+ includeSubject := true
 if a.compiledExcludeGlob != nil && a.compiledExcludeGlob.Match(productName) {
- continue
+ includeSubject = false
 }
-
- if a.compiledIncludeGlob != nil && !a.compiledIncludeGlob.Match(productName) {
- continue
+ if a.compiledIncludeGlob != nil && a.compiledIncludeGlob.Match(productName) {
+ includeSubject = true
 }
- subjects[fmt.Sprintf("file:%v", productName)] = product.Digest
+ if includeSubject {
+ subjects[fmt.Sprintf("file:%v", productName)] = product.Digest
+ }
 }
 return subjects
From 0e2edf554ab73c29f4539b0d56864f91bc4464cc Mon Sep 17 00:00:00 2001
From: Matthias Glastra
Date: Fri, 12 Apr 2024 11:54:42 +0200
Subject: [PATCH 2/9] fix: Fix issue with super match and exclude combined. When not adding a include it would always catch every file and the exclude would be of no benefit.
Signed-off-by: Matthias Glastra
---
 attestation/file/file.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/attestation/file/file.go b/attestation/file/file.go
index 5c610e7c..d12801c6 100644
--- a/attestation/file/file.go
+++ b/attestation/file/file.go
@@ -20,6 +20,7 @@ import (
 "path/filepath"
 "github.com/gobwas/glob"
+ "github.com/gobwas/glob/match"
 "github.com/in-toto/go-witness/cryptoutil"
 "github.com/in-toto/go-witness/log"
 )
@@ -95,11 +96,16 @@ func RecordArtifacts(basePath string, baseArtifacts map[string]cryptoutil.Digest
 // if the artifact is already in baseArtifacts, check if it's changed
 // if it is not equal to the existing artifact, return true, otherwise return false
 func shouldRecord(path string, artifact cryptoutil.DigestSet, baseArtifacts map[string]cryptoutil.DigestSet, processWasTraced bool, openedFiles map[string]bool, includeGlob glob.Glob, excludeGlob glob.Glob) bool {
+ superInclude := false
+ if _, ok := includeGlob.(match.Super); ok {
+ superInclude = true
+ }
+
 includePath := true
 if excludeGlob != nil && excludeGlob.Match(path) {
 includePath = false
 }
- if includeGlob != nil && includeGlob.Match(path) {
+ if !(superInclude && !includePath) && includeGlob != nil && includeGlob.Match(path) {
 includePath = true
 }
From 5ab78e64f1f7291a0446217a0658a824bdbddd75 Mon Sep 17 00:00:00 2001
From: Matthias Glastra
Date: Fri, 12 Apr 2024 11:55:32 +0200
Subject: [PATCH 3/9] fix: Adjust attestation output to include attestor configuration.
Signed-off-by: Matthias Glastra
---
 attestation/product/product.go | 40 ++++++++++++++++++++++++++++------
 1 file changed, 33 insertions(+), 7 deletions(-)
diff --git a/attestation/product/product.go b/attestation/product/product.go
index 0f6fea7f..7d279711 100644
--- a/attestation/product/product.go
+++ b/attestation/product/product.go
@@ -31,9 +31,9 @@ import (
 )
 const (
- ProductName = "product"
- ProductType = "https://witness.dev/attestations/product/v0.1"
- ProductRunType = attestation.ProductRunType
+ Name = "product"
+ Type = "https://witness.dev/attestations/product/v0.2"
+ RunType = attestation.ProductRunType
 defaultIncludeGlob = "*"
 defaultExcludeGlob = ""
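Review bot: `includeGlob.(match.Super)` ties the filtering behaviour to which concrete matcher `glob.Compile` happened to return, which gobwas/glob does not promise as part of its API; as far as I can tell `*` only compiles to `match.Super` when no separators are passed, and `**` compiles to it as well, so a pattern that is semantically "everything" but compiles to another matcher silently brings back the bug this patch fixes, while the import of the library's internal `match` package couples the attestor to that detail. The condition `!(superInclude && !includePath) && includeGlob != nil && includeGlob.Match(path)` is also hard to read for what it encodes ("an excluded path stays excluded unless a non-catch-all include matches"). Treating the include as a required condition and the exclude as a veto — `included := includeGlob == nil || includeGlob.Match(path)`, `excluded := excludeGlob != nil && excludeGlob.Match(path)`, `if !included || excluded { return false }` — needs no type assertion at all. shouldRecord continues outside the hunk.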
@@ -117,7 +117,21 @@ type Attestor struct {
 compiledExcludeGlob glob.Glob
 }
+<<<<<<< HEAD
 func fromDigestMap(workingDir string, digestMap map[string]cryptoutil.DigestSet) map[string]attestation.Product {
+=======
+type attestorJson struct {
+ Products map[string]attestation.Product `json:"products"`
+ Configuration attestorConfiguration `json:"configuration"`
+}
+
+type attestorConfiguration struct {
+ IncludeGlob string `json:"includeGlob"`
+ ExcludeGlob string `json:"excludeGlob"`
+}
+
+func fromDigestMap(digestMap map[string]cryptoutil.DigestSet) map[string]attestation.Product {
+>>>>>>> 3ae6278 (fix: Adjust attestation output to include attestor configuration.)
 products := make(map[string]attestation.Product)
 for fileName, digestSet := range digestMap {
 filePath := filepath.Join(workingDir, fileName)
@@ -209,16 +223,28 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 }
 func (a *Attestor) MarshalJSON() ([]byte, error) {
- return json.Marshal(a.products)
+ output := attestorJson{
+ Products: a.products,
+ Configuration: attestorConfiguration{
+ IncludeGlob: a.includeGlob,
+ ExcludeGlob: a.excludeGlob,
+ },
+ }
+
+ return json.Marshal(output)
 }
 func (a *Attestor) UnmarshalJSON(data []byte) error {
- prods := make(map[string]attestation.Product)
- if err := json.Unmarshal(data, &prods); err != nil {
+ attestation := attestorJson{
+ Products: make(map[string]attestation.Product),
+ }
+ if err := json.Unmarshal(data, &attestation); err != nil {
 return err
 }
- a.products = prods
+ a.products = attestation.Products
+ a.includeGlob = attestation.Configuration.IncludeGlob
+ a.excludeGlob = attestation.Configuration.ExcludeGlob
 return nil
 }
From eca3b8fafca903af14c86a1730414e9ac360393b Mon Sep 17 00:00:00 2001
From: Matthias Glastra
Date: Mon, 15 Apr 2024 16:19:23 +0200
Subject: [PATCH 4/9] feat: Add material incl/excl glob
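Review bot: The first hunk commits merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 3ae6278 …`) together with two `fromDigestMap` declarations, the second of which drops `workingDir` while the body still calls `filepath.Join(workingDir, fileName)`, so product.go does not build at this commit; patch 8 repairs it and patch 4 repeats the same mistake in material.go's import block, so the series should be squashed until every commit compiles. In `UnmarshalJSON` the local `attestation := attestorJson{…}` shadows the imported `attestation` package for the rest of the function; a name such as `payload` avoids that (the same applies to material.go in patch 4). The new envelope also changes what an older attestation decodes to: a v0.1 payload is a bare map of products, and `json.Unmarshal` into `attestorJson` silently ignores those unknown keys, so a verifier handed an older product attestation gets an empty `products` map and no error — unless the `Type` bump to `v0.2` is what keeps old payloads away from this decoder (not visible here), a payload carrying neither `products` nor `configuration` should be rejected rather than accepted as empty.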
Signed-off-by: Matthias Glastra
---
 attestation/material/material.go | 107 ++++++++++++++++++++++++++++---
 1 file changed, 97 insertions(+), 10 deletions(-)
diff --git a/attestation/material/material.go b/attestation/material/material.go
index 20c9ad3a..7806d299 100644
--- a/attestation/material/material.go
+++ b/attestation/material/material.go
@@ -16,17 +16,26 @@ package material
 import (
 "encoding/json"
+ "fmt"
+ "github.com/gobwas/glob"
 "github.com/in-toto/go-witness/attestation"
 "github.com/in-toto/go-witness/attestation/file"
 "github.com/in-toto/go-witness/cryptoutil"
+<<<<<<< HEAD
 "github.com/invopop/jsonschema"
+=======
+ "github.com/in-toto/go-witness/registry"
+>>>>>>> 4797229 (feat: Add material incl/excl glob)
 )
 const (
 Name = "material"
- Type = "https://witness.dev/attestations/material/v0.1"
+ Type = "https://witness.dev/attestations/material/v0.2"
 RunType = attestation.MaterialRunType
+
+ defaultIncludeGlob = "*"
+ defaultExcludeGlob = ""
 )
 // This is a hacky way to create a compile time error in case the attestor
@@ -49,15 +58,68 @@ type MaterialAttestor interface {
 }
 func init() {
- attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
- return New()
- })
+ attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor { return New() },
+ registry.StringConfigOption(
+ "include-glob",
+ "Pattern to use when recording materials. Files that match this pattern will be included as materials in the material attestation.",
+ defaultIncludeGlob,
+ func(a attestation.Attestor, includeGlob string) (attestation.Attestor, error) {
+ prodAttestor, ok := a.(*Attestor)
+ if !ok {
+ return a, fmt.Errorf("unexpected attestor type: %T is not a material attestor", a)
+ }
+
+ WithIncludeGlob(includeGlob)(prodAttestor)
+ return prodAttestor, nil
+ },
+ ),
+ registry.StringConfigOption(
+ "exclude-glob",
+ "Pattern to use when recording materials. Files that match this pattern will be excluded as materials on the material attestation.",
+ defaultExcludeGlob,
+ func(a attestation.Attestor, excludeGlob string) (attestation.Attestor, error) {
+ prodAttestor, ok := a.(*Attestor)
+ if !ok {
+ return a, fmt.Errorf("unexpected attestor type: %T is not a product attestor", a)
+ }
+
+ WithExcludeGlob(excludeGlob)(prodAttestor)
+ return prodAttestor, nil
+ },
+ ),
+ )
 }
 type Option func(*Attestor)
+func WithIncludeGlob(glob string) Option {
+ return func(a *Attestor) {
+ a.includeGlob = glob
+ }
+}
+
+func WithExcludeGlob(glob string) Option {
+ return func(a *Attestor) {
+ a.excludeGlob = glob
+ }
+}
+
 type Attestor struct {
- materials map[string]cryptoutil.DigestSet
+ materials map[string]cryptoutil.DigestSet
+ includeGlob string
+ compiledIncludeGlob glob.Glob
+ excludeGlob string
+ compiledExcludeGlob glob.Glob
+}
+
+type attestorJson struct {
+ Materials map[string]cryptoutil.DigestSet `json:"materials"`
+ Configuration attestorConfiguration `json:"configuration"`
+}
+
+type attestorConfiguration struct {
+ IncludeGlob string `json:"includeGlob"`
+ ExcludeGlob string `json:"excludeGlob"`
 }
 func (a *Attestor) Name() string {
@@ -90,7 +152,19 @@ func (a *Attestor) Schema() *jsonschema.Schema {
 }
 func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
- materials, err := file.RecordArtifacts(ctx.WorkingDir(), nil, ctx.Hashes(), map[string]struct{}{}, false, map[string]bool{}, nil, nil)
+ compiledIncludeGlob, err := glob.Compile(a.includeGlob)
+ if err != nil {
+ return err
+ }
+ a.compiledIncludeGlob = compiledIncludeGlob
+
+ compiledExcludeGlob, err := glob.Compile(a.excludeGlob)
+ if err != nil {
+ return err
+ }
+ a.compiledExcludeGlob = compiledExcludeGlob
+
+ materials, err := file.RecordArtifacts(ctx.WorkingDir(), nil, ctx.Hashes(), map[string]struct{}{}, false, map[string]bool{}, compiledIncludeGlob, compiledExcludeGlob)
 if err != nil {
 return err
 }
@@ -100,16 +174,29 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 }
 func (a *Attestor) MarshalJSON() ([]byte, error) {
- return json.Marshal(a.materials)
+ output := attestorJson{
+ Materials: a.materials,
+ Configuration: attestorConfiguration{
+ IncludeGlob: a.includeGlob,
+ ExcludeGlob: a.excludeGlob,
+ },
+ }
+
+ return json.Marshal(output)
 }
 func (a *Attestor) UnmarshalJSON(data []byte) error {
- mats := make(map[string]cryptoutil.DigestSet)
- if err := json.Unmarshal(data, &mats); err != nil {
+ attestation := attestorJson{
+ Materials: make(map[string]cryptoutil.DigestSet),
+ }
+
+ if err := json.Unmarshal(data, &attestation); err != nil {
 return err
 }
- a.materials = mats
+ a.materials = attestation.Materials
+ a.includeGlob = attestation.Configuration.IncludeGlob
+ a.excludeGlob = attestation.Configuration.ExcludeGlob
 return nil
 }
From 18b5e8bb5070f662f526ebbbc2c3ad3df624cd73 Mon Sep 17 00:00:00 2001
From: Matthias Glastra
Date: Thu, 18 Apr 2024 08:48:53 +0200
Subject: [PATCH 5/9] Fix validation after failing unit tests.
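Review bot: The exclude-glob option's error reads `"unexpected attestor type: %T is not a product attestor"` but this is the material attestor — the include-glob branch just above already says `material attestor` — and both closures call the value `prodAttestor`, so the copy from product.go should be finished: `matAttestor, ok := a.(*Attestor)` and `"unexpected attestor type: %T is not a material attestor"`. The option descriptions would also benefit from stating how include and exclude interact when both match, since the CLI user cannot tell from "will be included"/"will be excluded" which one wins. The `init` function is complete within the hunk; Attest and the JSON methods continue outside theirs.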
Signed-off-by: Matthias Glastra
---
 attestation/file/file.go | 9 ++++++++-
 attestation/file/file_test.go | 6 +++---
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/attestation/file/file.go b/attestation/file/file.go
index d12801c6..c8a1f12c 100644
--- a/attestation/file/file.go
+++ b/attestation/file/file.go
@@ -101,12 +101,19 @@ func shouldRecord(path string, artifact cryptoutil.DigestSet, baseArtifacts map[
 superInclude = true
 }
+ excludeGlobNothing := false
+ if _, ok := excludeGlob.(match.Nothing); ok {
+ excludeGlobNothing = true
+ }
+
 includePath := true
- if excludeGlob != nil && excludeGlob.Match(path) {
+ if (excludeGlob != nil && excludeGlob.Match(path)) {
 includePath = false
 }
 if !(superInclude && !includePath) && includeGlob != nil && includeGlob.Match(path) {
 includePath = true
+ } else if excludeGlobNothing {
+ includePath = false
 }
 if !includePath {
diff --git a/attestation/file/file_test.go b/attestation/file/file_test.go
index 5379a487..7140117f 100644
--- a/attestation/file/file_test.go
+++ b/attestation/file/file_test.go
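Review bot: The `match.Nothing` special case only closes the include gap when no exclude glob is configured: with, for instance, an include of `*.txt` and an exclude of `*.md`, a path like `a.go` matches neither glob, `excludeGlobNothing` is false, the `else if` does not fire and `includePath` keeps its initial `true`, so the include pattern still does not restrict what is recorded. It also adds a second dependency on `glob.Compile` returning a specific concrete matcher (here for the empty pattern), which the library does not guarantee. Deriving `includePath` from the two conditions directly — include must match (or be nil), exclude must not — would fix both cases without either type assertion; the test changes in file_test.go only update call sites and do not cover this path, so a table test with include/exclude combinations would be worth adding. shouldRecord continues outside the hunk.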
@@ -38,13 +38,13 @@ func TestBrokenSymlink(t *testing.T) {
 symTestDir := filepath.Join(dir, "symTestDir")
 require.NoError(t, os.Symlink(testDir, symTestDir))
- _, err := RecordArtifacts(dir, map[string]cryptoutil.DigestSet{}, []cryptoutil.DigestValue{{Hash: crypto.SHA256}}, map[string]struct{}{}, false, map[string]bool{})
+ _, err := RecordArtifacts(dir, map[string]cryptoutil.DigestSet{}, []cryptoutil.DigestValue{{Hash: crypto.SHA256}}, map[string]struct{}{}, false, map[string]bool{}, nil, nil)
 require.NoError(t, err)
 // remove the symlinks and make sure we don't get an error back
 require.NoError(t, os.RemoveAll(testDir))
 require.NoError(t, os.RemoveAll(testFile))
- _, err = RecordArtifacts(dir, map[string]cryptoutil.DigestSet{}, []cryptoutil.DigestValue{{Hash: crypto.SHA256}}, map[string]struct{}{}, false, map[string]bool{})
+ _, err = RecordArtifacts(dir, map[string]cryptoutil.DigestSet{}, []cryptoutil.DigestValue{{Hash: crypto.SHA256}}, map[string]struct{}{}, false, map[string]bool{}, nil, nil)
 require.NoError(t, err)
 }
@@ -58,6 +58,6 @@ func TestSymlinkCycle(t *testing.T) {
 require.NoError(t, os.Symlink(dir, symTestDir))
 // if a symlink cycle weren't properly handled this would be an infinite loop
- _, err := RecordArtifacts(dir, map[string]cryptoutil.DigestSet{}, []cryptoutil.DigestValue{{Hash: crypto.SHA256}}, map[string]struct{}{}, false, map[string]bool{})
+ _, err := RecordArtifacts(dir, map[string]cryptoutil.DigestSet{}, []cryptoutil.DigestValue{{Hash: crypto.SHA256}}, map[string]struct{}{}, false, map[string]bool{}, nil, nil)
 require.NoError(t, err)
 }
From dfedf35f9e290f24fada46fbbfa05fbb8304b19e Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Thu, 2 May 2024 13:21:38 -0500
Subject: [PATCH 6/9] Run gofmt -s
Signed-off-by: John Kjell
---
 attestation/file/file.go | 2 +-
 attestation/product/product.go | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/attestation/file/file.go b/attestation/file/file.go
index c8a1f12c..4d2869dd 100644
--- a/attestation/file/file.go
+++ b/attestation/file/file.go
@@ -107,7 +107,7 @@ func shouldRecord(path string, artifact cryptoutil.DigestSet, baseArtifacts map[
 }
 includePath := true
- if (excludeGlob != nil && excludeGlob.Match(path)) {
+ if excludeGlob != nil && excludeGlob.Match(path) {
 includePath = false
 }
 if !(superInclude && !includePath) && includeGlob != nil && includeGlob.Match(path) {
diff --git a/attestation/product/product.go b/attestation/product/product.go
index 7d279711..70e7e379 100644
--- a/attestation/product/product.go
+++ b/attestation/product/product.go
@@ -121,13 +121,13 @@ type Attestor struct {
 func fromDigestMap(workingDir string, digestMap map[string]cryptoutil.DigestSet) map[string]attestation.Product {
 =======
 type attestorJson struct {
- Products map[string]attestation.Product `json:"products"`
- Configuration attestorConfiguration `json:"configuration"`
+ Products map[string]attestation.Product `json:"products"`
+ Configuration attestorConfiguration `json:"configuration"`
 }
 type attestorConfiguration struct {
- IncludeGlob string `json:"includeGlob"`
- ExcludeGlob string `json:"excludeGlob"`
+ IncludeGlob string `json:"includeGlob"`
+ ExcludeGlob string `json:"excludeGlob"`
 }
 func fromDigestMap(digestMap map[string]cryptoutil.DigestSet) map[string]attestation.Product {
From dbd93f665474379b6c5dbba96c0fd618afdf5652 Mon Sep 17 00:00:00 2001
From: Matthias Glastra
Date: Wed, 8 May 2024 10:44:39 +0200
Subject: [PATCH 7/9] Update attestation/product/product.go
Co-authored-by: John Kjell
Signed-off-by: Matthias Glastra
---
 attestation/product/product.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/attestation/product/product.go b/attestation/product/product.go
index 70e7e379..f61e3b08 100644
--- a/attestation/product/product.go
+++ b/attestation/product/product.go
@@ -122,7 +122,7 @@ func fromDigestMap(workingDir string, digestMap map[string]cryptoutil.DigestSet)
 =======
 type attestorJson struct {
 Products map[string]attestation.Product `json:"products"`
- Configuration attestorConfiguration `json:"configuration"`
+ Configuration *attestorConfiguration `json:"configuration,omitempty"`
 }
 type attestorConfiguration struct {
From 67bd420e21d9b1bf6d798baf72b47c6a903420c0 Mon Sep 17 00:00:00 2001
From: Matthias Glastra
Date: Fri, 10 May 2024 21:30:53 +0200
Subject: [PATCH 8/9] chore: Add conditional configuration
Signed-off-by: Matthias Glastra
---
 attestation/material/material.go | 15 +++++++++++----
 attestation/product/product.go | 30 +++++++++++++++++------------
 2 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/attestation/material/material.go b/attestation/material/material.go
index 7806d299..8f61d117 100644
--- a/attestation/material/material.go
+++ b/attestation/material/material.go
@@ -176,10 +176,17 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 func (a *Attestor) MarshalJSON() ([]byte, error) {
 output := attestorJson{
 Materials: a.materials,
- Configuration: attestorConfiguration{
- IncludeGlob: a.includeGlob,
- ExcludeGlob: a.excludeGlob,
- },
+ }
+
+ if a.includeGlob != "" || a.excludeGlob != "" {
+ config := attestorConfiguration{}
+
+ if a.includeGlob != "" {
+ config.IncludeGlob = a.includeGlob
+ }
+ if a.excludeGlob != "" {
+ config.ExcludeGlob = a.excludeGlob
+ }
 }
 return json.Marshal(output)
diff --git a/attestation/product/product.go b/attestation/product/product.go
index f61e3b08..465c003f 100644
--- a/attestation/product/product.go
+++ b/attestation/product/product.go
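Review bot: Making `Configuration` a `*attestorConfiguration` with `omitempty` means it is nil whenever the serialized attestation carries no `configuration` key, but `UnmarshalJSON` (outside this hunk, introduced in patch 3) still does `a.includeGlob = attestation.Configuration.IncludeGlob` unconditionally, which is a nil-pointer dereference on exactly the payloads this change is meant to allow and on any v0.1 payload — a panic in the decoder of attacker-supplied attestation bytes is a denial-of-service for a verifier. Guard it: `if cfg := payload.Configuration; cfg != nil { a.includeGlob = cfg.IncludeGlob; a.excludeGlob = cfg.ExcludeGlob }`. At this commit `MarshalJSON` also still assigns a struct value to the now-pointer field, so product.go only builds again after patch 8. The struct is complete within the hunk.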
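Review bot: In material.go's `MarshalJSON` the `config` value is filled in but never written back to `output`: the product.go hunk that follows ends its block with `output.Configuration = &config`, this one does not, so the material attestation always serializes its configuration as the zero value. Because material's `attestorJson.Configuration` is still a plain `attestorConfiguration` without `omitempty`, every material attestation will carry `"configuration":{"includeGlob":"","excludeGlob":""}` regardless of what was actually configured, which misrepresents to any consumer which globs shaped the material set. Either add `output.Configuration = config` inside the conditional, or make the field `*attestorConfiguration` with `omitempty` as product.go did in patch 7 and assign `&config`. MarshalJSON is complete within the hunk.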
@@ -31,9 +31,9 @@ import (
 )
 const (
- Name = "product"
- Type = "https://witness.dev/attestations/product/v0.2"
- RunType = attestation.ProductRunType
+ ProductName = "product"
+ ProductType = "https://witness.dev/attestations/product/v0.2"
+ ProductRunType = attestation.ProductRunType
 defaultIncludeGlob = "*"
 defaultExcludeGlob = ""
@@ -117,12 +117,9 @@ type Attestor struct {
 compiledExcludeGlob glob.Glob
 }
-<<<<<<< HEAD
-func fromDigestMap(workingDir string, digestMap map[string]cryptoutil.DigestSet) map[string]attestation.Product {
-=======
 type attestorJson struct {
 Products map[string]attestation.Product `json:"products"`
- Configuration *attestorConfiguration `json:"configuration,omitempty"`
+ Configuration *attestorConfiguration `json:"configuration,omitempty"`
 }
 type attestorConfiguration struct {
@@ -130,8 +127,7 @@ type attestorConfiguration struct {
 ExcludeGlob string `json:"excludeGlob"`
 }
-func fromDigestMap(digestMap map[string]cryptoutil.DigestSet) map[string]attestation.Product {
->>>>>>> 3ae6278 (fix: Adjust attestation output to include attestor configuration.)
+func fromDigestMap(workingDir string, digestMap map[string]cryptoutil.DigestSet) map[string]attestation.Product {
 products := make(map[string]attestation.Product)
 for fileName, digestSet := range digestMap {
 filePath := filepath.Join(workingDir, fileName)
@@ -225,10 +221,18 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 func (a *Attestor) MarshalJSON() ([]byte, error) {
 output := attestorJson{
 Products: a.products,
- Configuration: attestorConfiguration{
- IncludeGlob: a.includeGlob,
- ExcludeGlob: a.excludeGlob,
- },
+ }
+
+ if a.includeGlob != "" || a.excludeGlob != "" {
+ config := attestorConfiguration{}
+
+ if a.includeGlob != "" {
+ config.IncludeGlob = a.includeGlob
+ }
+ if a.excludeGlob != "" {
+ config.ExcludeGlob = a.excludeGlob
+ }
+ output.Configuration = &config
 }
 return json.Marshal(output)
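Review bot: In the `MarshalJSON` hunk the two inner guards are no-ops — `config` starts zero-valued, so `config.IncludeGlob = a.includeGlob` unconditionally yields the same struct — and the block collapses to `output.Configuration = &attestorConfiguration{IncludeGlob: a.includeGlob, ExcludeGlob: a.excludeGlob}` under the outer `if`. Note also that with `defaultIncludeGlob = "*"` the outer condition is effectively always true for attestors built through the registry, so `omitempty` will only ever matter for payloads constructed by hand; that is fine, but it is worth a one-line comment so the next reader does not expect the key to be absent in the common case. The first hunk restores the exported `ProductName`/`ProductType`/`ProductRunType` names that patch 3 renamed, so the series as a whole keeps the public API; squashing would hide that churn. MarshalJSON is complete within its hunk.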
From 762dc49a1b7e609a8d5b51720e7c394c8d46998e Mon Sep 17 00:00:00 2001
From: Matthias Glastra
Date: Fri, 10 May 2024 21:36:15 +0200
Subject: [PATCH 9/9] chore: Add changelog for attestors
Signed-off-by: Matthias Glastra
---
 CHANGELOG-ATTESTORS.md | 22 ++++++++++++++++++++++
 attestation/material/material.go | 5 +----
 2 files changed, 23 insertions(+), 4 deletions(-)
 create mode 100644 CHANGELOG-ATTESTORS.md
diff --git a/CHANGELOG-ATTESTORS.md b/CHANGELOG-ATTESTORS.md
new file mode 100644
index 00000000..5495c052
--- /dev/null
+++ b/CHANGELOG-ATTESTORS.md
@@ -0,0 +1,22 @@
+# Attestor Changelog
+
+## Product attestor
+
+### `v0.2`
+
+Type: https://witness.dev/attestations/product
+Version: `v0.2`
+
+- Attestor configuration has been added as `configuration`.
+- Products has been put into its own `products` field.
+
+## Material attestator
+
+### `v0.2`
+
+Type: https://witness.dev/attestations/product
+Version: `v0.2`
+
+- Attestor configuration has been added as `configuration`.
+- Material has been put into its own `materials` field.
\ No newline at end of file
diff --git a/attestation/material/material.go b/attestation/material/material.go
index 8f61d117..c72f25e1 100644
--- a/attestation/material/material.go
+++ b/attestation/material/material.go
@@ -22,11 +22,8 @@ import (
 "github.com/in-toto/go-witness/attestation"
 "github.com/in-toto/go-witness/attestation/file"
 "github.com/in-toto/go-witness/cryptoutil"
-<<<<<<< HEAD
- "github.com/invopop/jsonschema"
-=======
 "github.com/in-toto/go-witness/registry"
->>>>>>> 4797229 (feat: Add material incl/excl glob)
+ "github.com/invopop/jsonschema"
 )
 const (