intoto

package v0.9.0

Published: Dec 11, 2023 License: MIT Imports: 10 Imported by: 0

Documentation

Constants

const (
	// SlsaPredicateType the predicate type for SLSA intoto statements
	SlsaPredicateType = "https://slsa.dev/provenance/v0.2"
	// StatementType the type of the intoto statement
	StatementType = "https://in-toto.io/Statement/v0.1"
)

Variables

This section is empty.

Functions

func ShaSum256HexEncoded

func ShaSum256HexEncoded(b []byte) string

ShaSum256HexEncoded calculates the SHA-256 checksum of the content and returns it hex encoded.

Types

type BuildConfig

type BuildConfig struct {
}

BuildConfig Lists the steps in the build. If invocation.sourceConfig is not available, buildConfig can be used to verify information about the build.

type Builder

type Builder struct {
	ID string `json:"id"`
}

Builder Identifies the entity that executed the recipe, which is trusted to have correctly performed the operation and populated this provenance. The identity MUST reflect the trust base that consumers care about. How detailed to be is a judgement call. For example, GitHub Actions supports both GitHub-hosted runners and self-hosted runners. The GitHub-hosted runner might be a single identity because it's all GitHub from the consumer's perspective. Meanwhile, each self-hosted runner might have its own identity because not all runners are trusted by all consumers.

Consumers MUST accept only specific (signer, builder) pairs. For example, "GitHub" can sign provenance for the "GitHub Actions" builder, and "Google" can sign provenance for the "Google Cloud Build" builder, but "GitHub" cannot sign for the "Google Cloud Build" builder.

Design rationale: The builder is distinct from the signer because one signer may generate attestations for more than one builder, as in the GitHub Actions example above. The field is required, even if it is implicit from the signer, to aid readability and debugging. It is an object to allow additional fields in the future, in case one URI is not sufficient.

type Completeness

type Completeness struct {
	Parameters  bool `json:"parameters"`
	Environment bool `json:"environment"`
	Materials   bool `json:"materials"`
}

Completeness Indicates that the builder claims certain fields in this message to be complete.

type ConfigSource

type ConfigSource struct {
	EntryPoint string    `json:"entryPoint"`
	URI        string    `json:"uri,omitempty"`
	Digest     DigestSet `json:"digest,omitempty"`
}

ConfigSource Describes where the config file that kicked off the build came from. This is effectively a pointer to the source where buildConfig came from.

type DigestSet

type DigestSet map[string]string

DigestSet Collection of cryptographic digests for the contents of this artifact.

type Envelope

type Envelope struct {
	PayloadType string        `json:"payloadType"`
	Payload     string        `json:"payload"`
	Signatures  []interface{} `json:"signatures"`
}

Envelope wraps an in-toto Statement so that signatures can be attached to it.
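The Envelope above has the shape of a DSSE envelope, which is what in-toto attestations are signed with: the payload is the base64-encoded Statement, the payloadType is "application/vnd.in-toto+json", and each signature covers a pre-authentication encoding (PAE) of both. The following is an added example, not the package's own code; it mirrors the Envelope struct from this page (with a typed Signatures slice where the package uses []interface{}), signs with Ed25519 from the standard library, and shows the consumer-side verification. The key seed and key ID are constructed test values.

```go
// Added example (not the intoto package's own code): sign a statement into a
// DSSE-style envelope and verify it. Signatures is typed here; the package on
// this page declares it as []interface{}. Key material is a constructed test key.
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
)

// InTotoPayloadType is the payloadType used for in-toto statements.
const InTotoPayloadType = "application/vnd.in-toto+json"

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// PAE is DSSE's pre-authentication encoding. The signature covers the payload
// type as well as the payload bytes, so a signed blob cannot later be
// presented as a different kind of attestation.
func PAE(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// DemoKeyPair derives a fixed test-only Ed25519 key from a constant seed and
// returns it with a trust map keyed by keyID (a real verifier loads the
// builder's published public key instead).
func DemoKeyPair(keyID string) (ed25519.PrivateKey, map[string]ed25519.PublicKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = 0x42 // constructed seed for the example only
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv, map[string]ed25519.PublicKey{keyID: priv.Public().(ed25519.PublicKey)}
}

// SignEnvelope base64-encodes the statement and signs its PAE with priv.
func SignEnvelope(statement []byte, keyID string, priv ed25519.PrivateKey) Envelope {
	sig := ed25519.Sign(priv, PAE(InTotoPayloadType, statement))
	return Envelope{
		PayloadType: InTotoPayloadType,
		Payload:     base64.StdEncoding.EncodeToString(statement),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// VerifyEnvelope returns the decoded statement only if at least one signature
// was made by a trusted key over the PAE of the envelope's own payloadType and
// payload. Signatures from unknown key IDs are ignored, never trusted.
func VerifyEnvelope(env Envelope, trusted map[string]ed25519.PublicKey) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload is not base64: %w", err)
	}
	msg := PAE(env.PayloadType, payload)
	for _, s := range env.Signatures {
		pub, ok := trusted[s.KeyID]
		if !ok {
			continue
		}
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			continue
		}
		if ed25519.Verify(pub, msg, sig) {
			return payload, nil
		}
	}
	return nil, errors.New("no valid signature from a trusted key")
}

func main() {
	priv, trusted := DemoKeyPair("ci-key-1")
	statement := []byte(`{"_type":"https://in-toto.io/Statement/v0.1","subject":[]}`) // constructed
	env := SignEnvelope(statement, "ci-key-1", priv)
	if out, err := VerifyEnvelope(env, trusted); err == nil {
		fmt.Println("verified:", string(out))
	}
	env.PayloadType = "application/octet-stream" // relabelling the payload breaks the PAE
	_, err := VerifyEnvelope(env, trusted)
	fmt.Println("relabelled:", err)
}
```

The point of PAE is visible in the last lines of main: the bytes of the payload are untouched, yet changing payloadType alone invalidates the signature. A verifier should also only ever consult keys it already trusts, which is why unknown key IDs are skipped rather than looked up from the envelope.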

type FilePathSubjecter

type FilePathSubjecter struct {
	// contains filtered or unexported fields
}

FilePathSubjecter implements Subjecter to retrieve Subjects from a file path.

func NewFilePathSubjecter

func NewFilePathSubjecter(root string) *FilePathSubjecter

NewFilePathSubjecter walks the file or directory at "root" and hashes all files.

func (*FilePathSubjecter) Subjects

func (f *FilePathSubjecter) Subjects() ([]Subject, error)

Subjects walks the file or directory at "root" and hashes all files.

type Invocation

type Invocation struct {
	ConfigSource ConfigSource    `json:"configSource"`
	Parameters   json.RawMessage `json:"parameters"`
	Environment  json.RawMessage `json:"environment"`
}

Invocation Identifies the configuration used for the build. When combined with materials, this SHOULD fully describe the build, such that re-running this recipe results in bit-for-bit identical output (if the build is reproducible).

type Item

type Item struct {
	URI    string    `json:"uri"`
	Digest DigestSet `json:"digest"`
}

Item The material used as input for producing the output artifact (subject).

func ReadMaterials

func ReadMaterials(r io.Reader) ([]Item, error)

ReadMaterials reads the list of materials from r.

type Metadata

type Metadata struct {
	BuildInvocationID string `json:"buildInvocationId"`
	// BuildStartedOn not defined as it's not available from a GitHub Action.
	BuildFinishedOn string `json:"buildFinishedOn"`
	Completeness    `json:"completeness"`
	Reproducible    bool `json:"reproducible"`
}

Metadata Other properties of the build.

type Predicate

type Predicate struct {
	Builder     `json:"builder"`
	BuildType   string `json:"buildType"`
	Invocation  `json:"invocation"`
	BuildConfig *BuildConfig `json:"build_config,omitempty"`
	Metadata    `json:"metadata,omitempty"`
	Materials   []Item `json:"materials"`
}

Predicate This predicate follows the in-toto attestation parsing rules.

https://github.com/in-toto/attestation/blob/main/spec/README.md#parsing-rules

The Predicate is the innermost layer of the attestation, containing arbitrary metadata about the Statement's subject.

A predicate has a required predicateType (TypeURI) identifying what the predicate means, plus an optional predicate (object) containing additional, type-dependent parameters.

type Provenancer

type Provenancer interface {
	GenerateProvenanceStatement(ctx context.Context, subjecter Subjecter) (*Statement, error)
	PersistProvenanceStatement(ctx context.Context, stmt *Statement, path string) error
}

Provenancer generates provenance statements for given artifacts

type Statement

type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     Predicate `json:"predicate"`
}

Statement The Statement is the middle layer of the attestation, binding it to a particular subject and unambiguously identifying the types of the predicate.

func SLSAProvenanceStatement

func SLSAProvenanceStatement(opts ...StatementOption) *Statement

SLSAProvenanceStatement builds an in-toto statement with predicate type https://slsa.dev/provenance/v0.1

type StatementOption

type StatementOption func(*Statement)

StatementOption is an option function used to configure a Statement.

func WithBuilder

func WithBuilder(id string) StatementOption

WithBuilder sets the Statement builder with the given ID

func WithInvocation

func WithInvocation(buildType, entryPoint string, environment json.RawMessage, parameters json.RawMessage, materials []Item) StatementOption

WithInvocation sets the Predicate Invocation and Materials

func WithMaterials

func WithMaterials(materials []Item) StatementOption

WithMaterials adds additional materials to the predicate

func WithMetadata

func WithMetadata(buildInvocationID string) StatementOption

WithMetadata sets the Predicate Metadata using the buildInvocationID and the current time

func WithSubject

func WithSubject(s []Subject) StatementOption

WithSubject sets the Statement subject to the provided value

type Subject

type Subject struct {
	Name   string    `json:"name"`
	Digest DigestSet `json:"digest"`
}

Subject The software artifacts that the attestation applies to.

type Subjecter

type Subjecter interface {
	Subjects() ([]Subject, error)
}

Subjecter retrieves the subjects (artifacts) that a statement applies to.
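To see how the pieces above fit together, here is an added example that is not the package's own code. It redeclares a trimmed subset of the Statement, Subject, Builder and Predicate types from this page so that it compiles on its own, mirrors the WithSubject/WithBuilder/SLSAProvenanceStatement options, hashes artifacts into subjects the way FilePathSubjecter does for files on disk, and then performs the consumer-side checks the Builder documentation calls for: the artifact digest must match a subject, and the (signer, builder) pair must be on an explicit allowlist. The builder ID, signer name and file contents are constructed sample values.

```go
// Added example, not the intoto package's own code. Types are redeclared
// (trimmed to what is used) so the file compiles alone; builder ID, signer
// name and artifact contents are constructed sample values.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

const (
	SlsaPredicateType = "https://slsa.dev/provenance/v0.2"
	StatementType     = "https://in-toto.io/Statement/v0.1"
)

type DigestSet map[string]string

type Subject struct {
	Name   string    `json:"name"`
	Digest DigestSet `json:"digest"`
}

type Builder struct {
	ID string `json:"id"`
}

type Predicate struct {
	Builder   `json:"builder"`
	BuildType string `json:"buildType"`
}

type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     Predicate `json:"predicate"`
}

type StatementOption func(*Statement)

// ShaSum256HexEncoded returns the hex-encoded SHA-256 digest of b.
func ShaSum256HexEncoded(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SubjectsFromContents hashes in-memory artifacts into subjects, sorted by name
// (the package's FilePathSubjecter does the same by walking a directory).
func SubjectsFromContents(files map[string][]byte) []Subject {
	subs := make([]Subject, 0, len(files))
	for name, content := range files {
		subs = append(subs, Subject{Name: name, Digest: DigestSet{"sha256": ShaSum256HexEncoded(content)}})
	}
	sort.Slice(subs, func(i, j int) bool { return subs[i].Name < subs[j].Name })
	return subs
}

func WithSubject(s []Subject) StatementOption { return func(st *Statement) { st.Subject = s } }
func WithBuilder(id string) StatementOption { return func(st *Statement) { st.Predicate.Builder.ID = id } }

// SLSAProvenanceStatement presets the in-toto and SLSA type URIs, then applies the options.
func SLSAProvenanceStatement(opts ...StatementOption) *Statement {
	st := &Statement{Type: StatementType, PredicateType: SlsaPredicateType}
	for _, o := range opts {
		o(st)
	}
	return st
}

// VerifyArtifact is the consumer-side check: the type URIs must be the expected
// ones, the artifact's SHA-256 must equal the digest of a subject with that name,
// and the builder must be one the signer may vouch for (allowed maps signer -> builder IDs).
func VerifyArtifact(st *Statement, name string, content []byte, signer string, allowed map[string][]string) error {
	if st.Type != StatementType || st.PredicateType != SlsaPredicateType {
		return fmt.Errorf("unexpected statement/predicate type %q / %q", st.Type, st.PredicateType)
	}
	want := ShaSum256HexEncoded(content)
	matched := false
	for _, s := range st.Subject {
		matched = matched || (s.Name == name && s.Digest["sha256"] == want)
	}
	if !matched {
		return fmt.Errorf("digest of %q does not match any subject in the statement", name)
	}
	for _, b := range allowed[signer] {
		if b == st.Predicate.Builder.ID {
			return nil
		}
	}
	return fmt.Errorf("signer %q is not trusted for builder %q", signer, st.Predicate.Builder.ID)
}

func main() {
	files := map[string][]byte{"app.bin": []byte("hello")} // constructed artifact
	st := SLSAProvenanceStatement(WithSubject(SubjectsFromContents(files)), WithBuilder("https://github.com/actions/runner"))
	out, _ := json.MarshalIndent(st, "", "  ")
	fmt.Println(string(out))
	allowed := map[string][]string{"GitHub": {"https://github.com/actions/runner"}} // constructed allowlist
	fmt.Println("genuine:", VerifyArtifact(st, "app.bin", files["app.bin"], "GitHub", allowed))
	fmt.Println("tampered:", VerifyArtifact(st, "app.bin", []byte("hellp"), "GitHub", allowed))
}
```

Note that the embedded Builder field carries its own json tag, so encoding/json emits it under the "builder" key rather than flattening its ID into the predicate, which is why the output matches the nested layout of the Predicate struct on this page. The allowlist is deliberately a signer-to-builders map rather than a flat set of builder IDs: a builder ID that appears in provenance signed by a key that is not authorised for that builder is rejected, which is the "(signer, builder) pair" rule from the Builder documentation.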
