fix(attestations): add compatibility with old policy evaluations (#1756)

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

Author: jiparis

app/controlplane/internal/service/attestation.go

@@ -460,7 +460,7 @@ func extractPolicyEvaluations(in map[string][]*chainloop.PolicyEvaluation) map[s
 
 			eval := &cpAPI.PolicyEvaluation{
 				Name:         ev.Name,
-				MaterialName: ev.MaterialName,
+				MaterialName: ev.GetMaterialName(),
 				Body:         ev.Body,
 				Sources:      ev.Sources,
 				Annotations:  ev.Annotations,
@@ -473,11 +473,12 @@ func extractPolicyEvaluations(in map[string][]*chainloop.PolicyEvaluation) map[s
 				Requirements: ev.Requirements,
 			}
 
-			if ev.PolicyReference != nil {
-				orgName, _ := ev.PolicyReference.GetAnnotations().AsMap()["organization"].(string)
+			if ev.GetPolicyReference() != nil {
+				r := ev.GetPolicyReference()
+				orgName, _ := r.GetAnnotations().AsMap()["organization"].(string)
 				eval.PolicyReference = &cpAPI.PolicyReference{
-					Name:         ev.PolicyReference.Name,
-					Digest:       ev.PolicyReference.Digest,
+					Name:         r.Name,
+					Digest:       r.Digest,
 					Organization: orgName,
 				}
 			}

pkg/attestation/renderer/chainloop/testdata/attestation-pe-snake.json

@@ -0,0 +1,122 @@
+{
+  "type": "https://in-toto.io/Statement/v1",
+  "subject": [
+    {
+      "name": "chainloop.workflow.skipped",
+      "digest": {
+        "sha256": "d0c4d6f5a0c8d151588aaf35658040405a44428c2486c01f1f55ef8d29ece97f"
+      }
+    },
+    {
+      "name": "index.docker.io/bitnami/nginx",
+      "digest": {
+        "sha256": "580ac09da7771920dfd0c214964e7bfe4c27903bcbe075769a4044a67c9a390a"
+      },
+      "annotations": {
+        "chainloop.material.image.is_latest_tag": false,
+        "chainloop.material.name": "skynet-control-plane",
+        "chainloop.material.type": "CONTAINER_IMAGE"
+      }
+    }
+  ],
+  "predicate_type": "chainloop.dev/attestation/v0.2",
+  "predicate": {
+    "buildType": "chainloop.dev/workflowrun/v0.1",
+    "builder": {
+      "id": "chainloop.dev/cli/dev@sha256:59e14f1a9de709cdd0e91c36b33e54fcca95f7dba1dc7169a7f81986e02108e5"
+    },
+    "materials": [
+      {
+        "annotations": {
+          "chainloop.material.name": "build-ref",
+          "chainloop.material.type": "STRING"
+        },
+        "content": "YS1zdHJpbmc="
+      },
+      {
+        "annotations": {
+          "chainloop.material.name": "rootfs",
+          "chainloop.material.type": "ARTIFACT"
+        },
+        "digest": {
+          "sha256": "cfc7d8e24d21ade921d720228ad1693de59dab45ff679606940be75b7bf660dc"
+        },
+        "name": "Makefile"
+      },
+      {
+        "annotations": {
+          "chainloop.material.image.is_latest_tag": false,
+          "chainloop.material.name": "skynet-control-plane",
+          "chainloop.material.type": "CONTAINER_IMAGE"
+        },
+        "digest": {
+          "sha256": "580ac09da7771920dfd0c214964e7bfe4c27903bcbe075769a4044a67c9a390a"
+        },
+        "name": "index.docker.io/bitnami/nginx"
+      },
+      {
+        "annotations": {
+          "chainloop.material.name": "skynet-sbom",
+          "chainloop.material.type": "SBOM_CYCLONEDX_JSON"
+        },
+        "digest": {
+          "sha256": "16159bb881eb4ab7eb5d8afc5350b0feeed1e31c0a268e355e74f9ccbe885e0c"
+        },
+        "name": "sbom.cyclonedx.json"
+      }
+    ],
+    "metadata": {
+      "contractName": "chainloop-skipped",
+      "contractVersion": "1",
+      "finishedAt": "2023-05-03T17:25:12.743426076Z",
+      "initializedAt": "2023-05-03T17:22:12.743426076Z",
+      "name": "skipped",
+      "organization": "foobar",
+      "project": "chainloop",
+      "projectVersion": "v0.150.0",
+      "projectVersionPrerelease": true,
+      "team": "",
+      "workflowID": "94208094-b8d3-4b38-b1f1-c609c47c49ea",
+      "workflowRunID": "e4cec971-6f4f-442a-8de0-d12ddc4667f2"
+    },
+    "policyAttBlocked": false,
+    "policyBlockBypassEnabled": false,
+    "policyCheckBlockingStrategy": "ADVISORY",
+    "policy_evaluations": {
+      "sbom": [
+        {
+          "annotations": {
+            "category": "sbom"
+          },
+          "description": "Checks that the SBOM is not older than a specified threshold. Supports CycloneDX.\n",
+          "material_name": "sbom",
+          "name": "sbom-freshness",
+          "policy_reference": {
+            "annotations": {
+              "name": "sbom-freshness",
+              "organization": ""
+            },
+            "digest": {
+              "sha256": "e9b750847ba8a5439a0a43963d22cb5c5a9568de5fdcd2db21d9615c76870c2a"
+            },
+            "name": "sbom-freshness",
+            "uri": "file://policy-sbom-freshness.yaml"
+          },
+          "skipped": false,
+          "type": "SBOM_CYCLONEDX_JSON",
+          "violations": [
+            {
+              "message": "SBOM created at: 2020-08-02T21:27:04Z which is too old (freshness limit set to 5 days)",
+              "subject": "sbom-freshness"
+            }
+          ],
+          "with": {
+            "limit": "5"
+          }
+        }
+      ]
+    },
+    "policyHasViolations": true,
+    "runnerType": "GITHUB_ACTION"
+  }
+}

pkg/attestation/renderer/chainloop/v02.go

@@ -43,6 +43,9 @@ type ProvenancePredicateV02 struct {
 	Materials []*intoto.ResourceDescriptor `json:"materials,omitempty"`
 	// Map materials and policies
 	PolicyEvaluations map[string][]*PolicyEvaluation `json:"policyEvaluations,omitempty"`
+	// Used to read policy evaluations from old attestations
+	PolicyEvaluationsFallback map[string][]*PolicyEvaluation `json:"policy_evaluations,omitempty"`
+
 	// Whether the attestation has policy violations
 	PolicyHasViolations bool `json:"policyHasViolations"`
 	// Whether we want to block the attestation on policy violations
@@ -61,20 +64,40 @@ const (
 )
 
 type PolicyEvaluation struct {
-	Name            string                     `json:"name"`
-	MaterialName    string                     `json:"materialName,omitempty"`
-	Body            string                     `json:"body,omitempty"`
-	Sources         []string                   `json:"sources,omitempty"`
-	PolicyReference *intoto.ResourceDescriptor `json:"policyReference,omitempty"`
-	Description     string                     `json:"description,omitempty"`
-	Annotations     map[string]string          `json:"annotations,omitempty"`
-	Violations      []*PolicyViolation         `json:"violations,omitempty"`
-	With            map[string]string          `json:"with,omitempty"`
-	Type            string                     `json:"type"`
-	Skipped         bool                       `json:"skipped"`
-	SkipReasons     []string                   `json:"skipReasons,omitempty"`
-	GroupReference  *intoto.ResourceDescriptor `json:"groupReference,omitempty"`
-	Requirements    []string                   `json:"requirements,omitempty"`
+	Name         string `json:"name"`
+	MaterialName string `json:"materialName,omitempty"`
+	// Needed to read old attestations
+	MaterialNameFallback string                     `json:"material_name,omitempty"`
+	Body                 string                     `json:"body,omitempty"`
+	Sources              []string                   `json:"sources,omitempty"`
+	PolicyReference      *intoto.ResourceDescriptor `json:"policyReference,omitempty"`
+	// Support old attestations
+	PolicyReferenceFallback *intoto.ResourceDescriptor `json:"policy_reference,omitempty"`
+	Description             string                     `json:"description,omitempty"`
+	Annotations             map[string]string          `json:"annotations,omitempty"`
+	Violations              []*PolicyViolation         `json:"violations,omitempty"`
+	With                    map[string]string          `json:"with,omitempty"`
+	Type                    string                     `json:"type"`
+	Skipped                 bool                       `json:"skipped"`
+	SkipReasons             []string                   `json:"skipReasons,omitempty"`
+	GroupReference          *intoto.ResourceDescriptor `json:"groupReference,omitempty"`
+	Requirements            []string                   `json:"requirements,omitempty"`
+}
+
+func (e *PolicyEvaluation) GetPolicyReference() *intoto.ResourceDescriptor {
+	r := e.PolicyReference
+	if r == nil {
+		r = e.PolicyReferenceFallback
+	}
+	return r
+}
+
+func (e *PolicyEvaluation) GetMaterialName() string {
+	n := e.MaterialName
+	if n == "" {
+		n = e.MaterialNameFallback
+	}
+	return n
 }
 
 type PolicyViolation struct {
@@ -374,7 +397,11 @@ func (p *ProvenancePredicateV02) GetMaterials() []*NormalizedMaterial {
 }
 
 func (p *ProvenancePredicateV02) GetPolicyEvaluations() map[string][]*PolicyEvaluation {
-	return p.PolicyEvaluations
+	evs := p.PolicyEvaluations
+	if len(evs) == 0 && len(p.PolicyEvaluationsFallback) > 0 {
+		evs = p.PolicyEvaluationsFallback
+	}
+	return evs
 }
 
 func (p *ProvenancePredicateV02) HasPolicyViolations() bool {

pkg/attestation/renderer/chainloop/v02_test.go

@@ -274,3 +274,23 @@ func TestNormalizeMaterial(t *testing.T) {
 		})
 	}
 }
+
+func TestPolicyEvaluationsField(t *testing.T) {
+	raw, err := os.ReadFile("testdata/attestation-pe-snake.json")
+	require.NoError(t, err)
+
+	var st *intoto.Statement
+	err = json.Unmarshal(raw, &st)
+	require.NoError(t, err)
+
+	var predicate ProvenancePredicateV02
+	err = extractPredicate(st, &predicate)
+	require.NoError(t, err)
+
+	assert.Len(t, predicate.GetPolicyEvaluations(), 1)
+	evs := predicate.GetPolicyEvaluations()["sbom"]
+	assert.Len(t, evs, 1)
+	ev := evs[0]
+	assert.Equal(t, "sbom", ev.GetMaterialName())
+	assert.NotNil(t, ev.GetPolicyReference())
+}