From f560e4f32b5f1c252c13e6c41114fabc6bf2664d Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Mon, 29 Aug 2022 07:54:28 +0000
Subject: [PATCH 1/3] Temporarily disable Run test.
Signed-off-by: Ian Lewis
---
 internal/builders/go/pkg/build_test.go | 236 ++++++++++++-------------
 1 file changed, 118 insertions(+), 118 deletions(-)
diff --git a/internal/builders/go/pkg/build_test.go b/internal/builders/go/pkg/build_test.go
index 03dfe2b70d..46086c9424 100644
--- a/internal/builders/go/pkg/build_test.go
+++ b/internal/builders/go/pkg/build_test.go
@@ -17,7 +17,6 @@ package pkg
 import (
 "fmt"
 "os"
- "os/exec"
 "testing"
 "github.com/google/go-cmp/cmp"
@@ -1049,120 +1048,121 @@ func asPointer(s string) *string {
 return &s
 }
-func TestGoBuild_Run(t *testing.T) {
- type fields struct {
- cfg *GoReleaserConfig
- goc string
- argEnv map[string]string
- }
- type args struct {
- dry bool
- }
- tests := []struct {
- name string
- fields fields
- args args
- wantErr bool
- err error
- }{
- {
- name: "dry run valid flags",
- fields: fields{
- cfg: &GoReleaserConfig{
- Goos: "linux",
- Goarch: "amd64",
- Binary: "binary",
- Main: asPointer("../builders/go/main.go"),
- Dir: asPointer("../builders/go"),
- Ldflags: []string{
- "-X main.version=1.0.0",
- },
- },
- },
- args: args{
- dry: true,
- },
- },
- {
- name: "non-dry valid flags",
- fields: fields{
- cfg: &GoReleaserConfig{
- Goos: "linux",
- Goarch: "amd64",
- Binary: "/tmp/binary",
- Main: asPointer("main.go"),
- Dir: asPointer("./testdata/go"),
- Ldflags: []string{
- "-X main.version=1.0.0",
- },
- },
- },
- args: args{
- dry: false,
- },
- },
- {
- name: "slash in the binary name",
- fields: fields{
- cfg: &GoReleaserConfig{
- Goos: "linux",
- Goarch: "amd64",
- Binary: "tmp/binary",
- Main: asPointer("../builders/go/main.go"),
- Dir: asPointer("../builders/go"),
- },
- },
- args: args{
- dry: true,
- },
- wantErr: true,
- err: errorInvalidFilename,
- },
- {
- name: "dry run - invalid flags",
- fields: fields{
- cfg: &GoReleaserConfig{
- Goos: "linux",
- Goarch: "amd64",
- Binary: "binary",
- Main: asPointer("../builders/go/main.go"),
- Dir: asPointer("../builders/go"),
- Ldflags: []string{},
- },
- },
- args: args{
- dry: true,
- },
- wantErr: false,
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- b := &GoBuild{
- cfg: tt.fields.cfg,
- goc: tt.fields.goc,
- argEnv: tt.fields.argEnv,
- }
- t.Setenv("OUTPUT_BINARY", tt.fields.cfg.Binary)
- // if the test is not dry run , then code has to look for golang binary
- if !tt.args.dry {
- path, err := exec.LookPath("go")
- if err != nil {
- t.Errorf("exec.LookPath: %v", err)
- }
- b.goc = path
- }
- err := b.Run(tt.args.dry)
- if err != nil != tt.wantErr {
- t.Errorf("Run() error = %v, wantErr %v", err, tt.wantErr)
- }
- if tt.err != nil {
- if err == nil {
- t.Errorf("Run() error = nil, wantErr %v", tt.err)
- } else if errCmp(err, tt.err) {
- t.Errorf("Run() error = %v, wantErr %v %v", err, tt.err, cmp.Diff(err, tt.err))
- }
- }
- })
- }
-}
+// TODO(https://github.com/slsa-framework/slsa-github-generator/issues/771): reinstate test
+// func TestGoBuild_Run(t *testing.T) {
+// type fields struct {
+// cfg *GoReleaserConfig
+// goc string
+// argEnv map[string]string
+// }
+// type args struct {
+// dry bool
+// }
+// tests := []struct {
+// name string
+// fields fields
+// args args
+// wantErr bool
+// err error
+// }{
+// {
+// name: "dry run valid flags",
+// fields: fields{
+// cfg: &GoReleaserConfig{
+// Goos: "linux",
+// Goarch: "amd64",
+// Binary: "binary",
+// Main: asPointer("../builders/go/main.go"),
+// Dir: asPointer("../builders/go"),
+// Ldflags: []string{
+// "-X main.version=1.0.0",
+// },
+// },
+// },
+// args: args{
+// dry: true,
+// },
+// },
+// {
+// name: "non-dry valid flags",
+// fields: fields{
+// cfg: &GoReleaserConfig{
+// Goos: "linux",
+// Goarch: "amd64",
+// Binary: "/tmp/binary",
+// Main: asPointer("main.go"),
+// Dir: asPointer("./testdata/go"),
+// Ldflags: []string{
+// "-X main.version=1.0.0",
+// },
+// },
+// },
+// args: args{
+// dry: false,
+// },
+// },
+// {
+// name: "slash in the binary name",
+// fields: fields{
+// cfg: &GoReleaserConfig{
+// Goos: "linux",
+// Goarch: "amd64",
+// Binary: "tmp/binary",
+// Main: asPointer("../builders/go/main.go"),
+// Dir: asPointer("../builders/go"),
+// },
+// },
+// args: args{
+// dry: true,
+// },
+// wantErr: true,
+// err: errorInvalidFilename,
+// },
+// {
+// name: "dry run - invalid flags",
+// fields: fields{
+// cfg: &GoReleaserConfig{
+// Goos: "linux",
+// Goarch: "amd64",
+// Binary: "binary",
+// Main: asPointer("../builders/go/main.go"),
+// Dir: asPointer("../builders/go"),
+// Ldflags: []string{},
+// },
+// },
+// args: args{
+// dry: true,
+// },
+// wantErr: false,
+// },
+// }
+// for _, tt := range tests {
+// t.Run(tt.name, func(t *testing.T) {
+// b := &GoBuild{
+// cfg: tt.fields.cfg,
+// goc: tt.fields.goc,
+// argEnv: tt.fields.argEnv,
+// }
+// t.Setenv("OUTPUT_BINARY", tt.fields.cfg.Binary)
+// // if the test is not dry run , then code has to look for golang binary
+// if !tt.args.dry {
+// path, err := exec.LookPath("go")
+// if err != nil {
+// t.Errorf("exec.LookPath: %v", err)
+// }
+// b.goc = path
+// }
+// err := b.Run(tt.args.dry)
+// if err != nil != tt.wantErr {
+// t.Errorf("Run() error = %v, wantErr %v", err, tt.wantErr)
+// }
+// if tt.err != nil {
+// if err == nil {
+// t.Errorf("Run() error = nil, wantErr %v", tt.err)
+// } else if errCmp(err, tt.err) {
+// t.Errorf("Run() error = %v, wantErr %v %v", err, tt.err, cmp.Diff(err, tt.err))
+// }
+// }
+// })
+// }
+// }
From eada95373b6549cef741f9e0111b54e0ca8baae4 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Mon, 29 Aug 2022 07:50:27 +0000
Subject: [PATCH 2/3] Fix log message for tlog upload
Signed-off-by: Ian Lewis
---
 internal/builders/go/main.go | 2 +-
 internal/builders/go/pkg/provenance.go | 33 ++++++++---
 internal/builders/go/pkg/provenance_test.go | 62 +++++++++++++++++++++
 3 files changed, 88 insertions(+), 9 deletions(-)
diff --git a/internal/builders/go/main.go b/internal/builders/go/main.go
index 91539976d2..472e4dbfbf 100644
--- a/internal/builders/go/main.go
+++ b/internal/builders/go/main.go
@@ -78,7 +78,7 @@ func runProvenanceGeneration(subject, digest, commands, envs, workingDir, rekor
 r := sigstore.NewRekor(rekor)
 s := sigstore.NewDefaultFulcio()
 attBytes, err := pkg.GenerateProvenance(subject, digest,
- commands, envs, workingDir, s, r)
+ commands, envs, workingDir, s, r, nil)
 if err != nil {
 return err
 }
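Review bot: Commenting out the whole of TestGoBuild_Run also removes the "slash in the binary name" case, which is the case in this hunk that checks Run rejects a Binary containing a path separator with errorInvalidFilename; until issue 771 is resolved, a regression in that filename validation would not be caught by this test. Commented-out code is also not compiled, so it can drift from the real types unnoticed, and it is what forces the `os/exec` import removal in the first hunk. Keeping the function and skipping at its top, `t.Skip("TODO(https://github.com/slsa-framework/slsa-github-generator/issues/771): reinstate test")`, would keep it compiling. If only the non-dry case is the one that fails (not visible from the hunk), skipping just that case would leave the dry-run validation cases running.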
diff --git a/internal/builders/go/pkg/provenance.go b/internal/builders/go/pkg/provenance.go
index db5c9a8653..dacdb24703 100644
--- a/internal/builders/go/pkg/provenance.go
+++ b/internal/builders/go/pkg/provenance.go
@@ -64,7 +64,7 @@ func (b *goProvenanceBuild) BuildConfig(context.Context) (interface{}, error) {
 // GenerateProvenance translates github context into a SLSA provenance
 // attestation.
 // Spec: https://slsa.dev/provenance/v0.2
-func GenerateProvenance(name, digest, command, envs, workingDir string, s signing.Signer, r signing.TransparencyLog) ([]byte, error) {
+func GenerateProvenance(name, digest, command, envs, workingDir string, s signing.Signer, r signing.TransparencyLog, provider slsa.ClientProvider) ([]byte, error) {
 gh, err := github.GetWorkflowContext()
 if err != nil {
 return nil, err
@@ -84,6 +84,11 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin
 return nil, err
 }
+ var cmd []string
+ if len(com) > 0 {
+ cmd = []string{com[0], "mod", "vendor"}
+ }
+
 b := goProvenanceBuild{
 GithubActionsBuild: slsa.NewGithubActionsBuild([]intoto.Subject{
 {
@@ -101,7 +106,7 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin
 // Note: vendoring and compilation are
 // performed in the same VM, so the compiler is
 // the same.
- Command: []string{com[0], "mod", "vendor"},
+ Command: cmd,
 WorkingDir: workingDir,
 // Note: No user-defined env set for this step.
 },
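Review bot: The new `provider` parameter in the `@@ -64,7 +64,7 @@` hunk is not mentioned in the GenerateProvenance doc comment, and main.go now passes a bare `nil` for it with nothing to say what that selects. I would extend the comment above the signature with something like `// provider, if non-nil, supplies the clients used while generating the provenance; if nil, the existing behaviour is kept, including the pre-submit NilClientProvider fallback.` That wording is taken from the branches added later in this patch. The function body continues outside this hunk.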
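Review bot: In the `@@ -84,6 +84,11 @@` hunk the `len(com) > 0` guard avoids indexing an empty `com`, but the vendoring step is then recorded with a nil `Command` (see `Command: cmd` in the next hunk), so the function can go on to sign an attestation describing a build step with no command. For provenance an explicit failure is arguably safer than a silently incomplete record, e.g. `if len(com) == 0 { return nil, fmt.Errorf("empty build command") }` (`fmt` is already used in this file). The new TestGenerateProvenance_withErr passes an empty command string and would then need a real one. How `com` is produced lies outside the hunk, so whether an empty list is reachable in production is an assumption to confirm.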
@@ -116,15 +121,25 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin
 }
 // Pre-submit tests don't have access to write OIDC token.
- if utils.IsPresubmitTests() {
- b.GithubActionsBuild.WithClients(&slsa.NilClientProvider{})
+ if provider != nil {
+ b.WithClients(provider)
+ } else {
+ // TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove
+ if utils.IsPresubmitTests() {
+ b.GithubActionsBuild.WithClients(&slsa.NilClientProvider{})
+ }
 }
 ctx := context.Background()
 g := slsa.NewHostedActionsGenerator(&b)
 // Pre-submit tests don't have access to write OIDC token.
- if utils.IsPresubmitTests() {
- g.WithClients(&slsa.NilClientProvider{})
+ if provider != nil {
+ g.WithClients(provider)
+ } else {
+ // TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove
+ if utils.IsPresubmitTests() {
+ g.WithClients(&slsa.NilClientProvider{})
+ }
 }
 p, err := g.Generate(ctx)
 if err != nil {
@@ -163,10 +178,12 @@ func GenerateProvenance(name, digest, command, envs, workingDir string, s signin
 }
 // Upload the signed attestation to rekor.
- if logEntry, err := r.Upload(ctx, att); err != nil {
- fmt.Printf("Uploaded signed attestation to rekor with UUID %s.\n", logEntry.UUID())
+ logEntry, err := r.Upload(ctx, att)
+ if err != nil {
 return nil, err
 }
+ fmt.Printf("Uploaded signed attestation to rekor with UUID %s.\n", logEntry.UUID())
+
 return att.Bytes(), nil
 }
diff --git a/internal/builders/go/pkg/provenance_test.go b/internal/builders/go/pkg/provenance_test.go
index c1caffeb1f..9dbac631c7 100644
--- a/internal/builders/go/pkg/provenance_test.go
+++ b/internal/builders/go/pkg/provenance_test.go
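Review bot: In the `@@ -116,15 +121,25 @@` hunk the provider selection is written out twice, once for `b` and once for `g`, and the comment "Pre-submit tests don't have access to write OIDC token." now sits above `if provider != nil`, which it no longer describes. Resolving the provider once keeps the two sites in step: `if provider == nil && utils.IsPresubmitTests() { provider = &slsa.NilClientProvider{} }`, followed by `if provider != nil { b.WithClients(provider) }` and later `if provider != nil { g.WithClients(provider) }`, with the pre-submit comment and the issue-124 TODO moved onto the first line. Note also that `provider != nil` is true for an interface holding a typed nil pointer, so callers have to pass a literal `nil` to get the default path. The enclosing function begins and ends outside the hunk.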
@@ -1 +1,63 @@
+// Copyright 2022 SLSA Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package pkg
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "testing"
+
+ intoto "github.com/in-toto/in-toto-golang/in_toto"
+ "github.com/slsa-framework/slsa-github-generator/signing"
+ "github.com/slsa-framework/slsa-github-generator/slsa"
+)
+
+type testAttestation struct {
+ cert []byte
+ bytes []byte
+}
+
+func (a *testAttestation) Cert() []byte {
+ return a.cert
+}
+
+func (a *testAttestation) Bytes() []byte {
+ return a.bytes
+}
+
+type testSigner struct{}
+
+func (s testSigner) Sign(context.Context, *intoto.Statement) (signing.Attestation, error) {
+ return &testAttestation{}, nil
+}
+
+type tLogWithErr struct{}
+
+var errTransparencyLog = errors.New("transparency log error")
+
+func (tLogWithErr) Upload(context.Context, signing.Attestation) (signing.LogEntry, error) {
+ fmt.Printf("Upload")
+ return nil, errTransparencyLog
+}
+
+func TestGenerateProvenance_withErr(t *testing.T) {
+ t.Setenv("GITHUB_CONTEXT", "{}")
+ sha256 := "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2"
+ _, err := GenerateProvenance("foo", sha256, "", "", "/home/foo", &testSigner{}, &tLogWithErr{}, &slsa.NilClientProvider{})
+ if want, got := errTransparencyLog, err; want != got {
+ t.Errorf("expected error, want: %v, got: %v", want, got)
+ }
+}
From 4469f528fa268fee75d01ad0a215a8708e678b78 Mon Sep 17 00:00:00 2001
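Review bot: TestGenerateProvenance_withErr compares the errors with `want != got`, which will start failing as soon as GenerateProvenance wraps the upload error with context; `if !errors.Is(err, errTransparencyLog) {` keeps the test valid in that case, and `errors` is already imported. The returned bytes are discarded with `_`, so the test does not pin that no attestation is handed back when the transparency-log upload fails, which is the property this fix restores; capturing the value and adding `if att != nil { t.Errorf("expected nil attestation on upload failure") }` would cover it. `fmt.Printf("Upload")` in the tLogWithErr double looks like leftover debug output and could be dropped together with the `fmt` import.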
From: Ian Lewis
Date: Mon, 29 Aug 2022 09:31:24 +0000
Subject: [PATCH 3/3] Fix unit tests run during pre-submit
Signed-off-by: Ian Lewis
---
 internal/builders/go/pkg/provenance_test.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/internal/builders/go/pkg/provenance_test.go b/internal/builders/go/pkg/provenance_test.go
index 9dbac631c7..f9b79ceafc 100644
--- a/internal/builders/go/pkg/provenance_test.go
+++ b/internal/builders/go/pkg/provenance_test.go
@@ -54,6 +54,9 @@ func (tLogWithErr) Upload(context.Context, signing.Attestation) (signing.LogEntr
 }
 func TestGenerateProvenance_withErr(t *testing.T) {
+ // Disable pre-submit detection.
+ // TODO(github.com/slsa-framework/slsa-github-generator/issues/124): Remove
+ t.Setenv("GITHUB_EVENT_NAME", "non_event")
 t.Setenv("GITHUB_CONTEXT", "{}")
 sha256 := "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2"
 _, err := GenerateProvenance("foo", sha256, "", "", "/home/foo", &testSigner{}, &tLogWithErr{}, &slsa.NilClientProvider{})
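Review bot: The added comment says what the `t.Setenv("GITHUB_EVENT_NAME", "non_event")` line does but not why the test needs it, and that is not obvious because the test already passes an explicit `&slsa.NilClientProvider{}`, which bypasses the `utils.IsPresubmitTests()` branches added in patch 2. Presumably some other path that consults pre-submit detection is reached (not visible in this series), so I would name it in the comment, for example `// Disable pre-submit detection: <code path> checks it even when a provider is passed.` The test function continues past the end of this hunk.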