Merge pull request #3240 from tonistiigi/attestations-provenance

Support for provenance attestations
moby · Nov 16, 2022 · abae584 · abae584
2 parents 8270cab + fb917b9
commit abae584
Show file tree

Hide file tree

Showing 79 changed files with 5,961 additions and 1,378 deletions.
diff --git a/cache/remotecache/v1/chains.go b/cache/remotecache/v1/chains.go
@@ -146,7 +146,7 @@ func (c *item) removeLink(src *item) bool {
 	return found
 }
 
-func (c *item) AddResult(createdAt time.Time, result *solver.Remote) {
+func (c *item) AddResult(_ digest.Digest, _ int, createdAt time.Time, result *solver.Remote) {
 	c.resultTime = createdAt
 	c.result = result
 }
@@ -214,7 +214,7 @@ func (c *item) walkAllResults(fn func(i *item) error, visited map[*item]struct{}
 type nopRecord struct {
 }
 
-func (c *nopRecord) AddResult(createdAt time.Time, result *solver.Remote) {
+func (c *nopRecord) AddResult(_ digest.Digest, _ int, createdAt time.Time, result *solver.Remote) {
 }
 
 func (c *nopRecord) LinkFrom(rec solver.CacheExporterRecord, index int, selector string) {

diff --git a/cache/remotecache/v1/chains_test.go b/cache/remotecache/v1/chains_test.go
@@ -29,7 +29,7 @@ func TestSimpleMarshal(t *testing.T) {
 				Digest: dgst("d1"),
 			}},
 		}
-		baz.AddResult(time.Now(), r0)
+		baz.AddResult("", 0, time.Now(), r0)
 	}
 
 	addRecords()

diff --git a/cache/remotecache/v1/parse.go b/cache/remotecache/v1/parse.go
@@ -61,7 +61,7 @@ func parseRecord(cc CacheConfig, idx int, provider DescriptorProvider, t solver.
 			return nil, err
 		}
 		if remote != nil {
-			r.AddResult(res.CreatedAt, remote)
+			r.AddResult("", 0, res.CreatedAt, remote)
 		}
 	}
 
@@ -86,7 +86,7 @@ func parseRecord(cc CacheConfig, idx int, provider DescriptorProvider, t solver.
 		}
 		if remote != nil {
 			remote.Provider = mp
-			r.AddResult(res.CreatedAt, remote)
+			r.AddResult("", 0, res.CreatedAt, remote)
 		}
 	}
 

diff --git a/client/build_test.go b/client/build_test.go
@@ -3,8 +3,6 @@ package client
 import (
 	"bytes"
 	"context"
-	"encoding/base64"
-	"encoding/json"
 	"fmt"
 	"io"
 	"os"
@@ -16,7 +14,6 @@ import (
 	"time"
 
 	"github.com/moby/buildkit/client/llb"
-	"github.com/moby/buildkit/exporter/containerimage/exptypes"
 	"github.com/moby/buildkit/frontend/gateway/client"
 	gatewayapi "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/identity"
@@ -25,7 +22,6 @@ import (
 	"github.com/moby/buildkit/session/sshforward/sshprovider"
 	"github.com/moby/buildkit/solver/errdefs"
 	"github.com/moby/buildkit/solver/pb"
-	binfotypes "github.com/moby/buildkit/util/buildinfo/types"
 	"github.com/moby/buildkit/util/entitlements"
 	utilsystem "github.com/moby/buildkit/util/system"
 	"github.com/moby/buildkit/util/testutil/echoserver"
@@ -58,7 +54,6 @@ func TestClientGatewayIntegration(t *testing.T) {
 		testClientGatewayContainerExtraHosts,
 		testClientGatewayContainerSignal,
 		testWarnings,
-		testClientGatewayFrontendAttrs,
 		testClientGatewayNilResult,
 		testClientGatewayEmptyImageExec,
 	), integration.WithMirroredImages(integration.OfficialImages("busybox:latest")))
@@ -1995,64 +1990,6 @@ func testClientGatewayContainerSignal(t *testing.T, sb integration.Sandbox) {
 	checkAllReleasable(t, c, sb, true)
 }
 
-// moby/buildkit#2476
-func testClientGatewayFrontendAttrs(t *testing.T, sb integration.Sandbox) {
-	requiresLinux(t)
-	c, err := New(sb.Context(), sb.Address())
-	require.NoError(t, err)
-	defer c.Close()
-
-	fooattrval := "bar"
-	bazattrval := "fuu"
-
-	b := func(ctx context.Context, c client.Client) (*client.Result, error) {
-		st := llb.Image("busybox:latest").Run(
-			llb.ReadonlyRootFS(),
-			llb.Args([]string{"/bin/sh", "-c", `echo hello`}),
-		)
-		def, err := st.Marshal(sb.Context())
-		if err != nil {
-			return nil, err
-		}
-		res, err := c.Solve(ctx, client.SolveRequest{
-			Definition: def.ToPB(),
-			FrontendOpt: map[string]string{
-				"build-arg:foo": fooattrval,
-			},
-		})
-		require.NoError(t, err)
-		require.Contains(t, res.Metadata, exptypes.ExporterBuildInfo)
-
-		var bi binfotypes.BuildInfo
-		require.NoError(t, json.Unmarshal(res.Metadata[exptypes.ExporterBuildInfo], &bi))
-		require.Contains(t, bi.Attrs, "build-arg:foo")
-		bi.Attrs["build-arg:baz"] = &bazattrval
-
-		bmbi, err := json.Marshal(bi)
-		require.NoError(t, err)
-
-		res.AddMeta(exptypes.ExporterBuildInfo, bmbi)
-		return res, err
-	}
-
-	res, err := c.Build(sb.Context(), SolveOpt{}, "", b, nil)
-	require.NoError(t, err)
-
-	require.Contains(t, res.ExporterResponse, exptypes.ExporterBuildInfo)
-	decbi, err := base64.StdEncoding.DecodeString(res.ExporterResponse[exptypes.ExporterBuildInfo])
-	require.NoError(t, err)
-
-	var bi binfotypes.BuildInfo
-	require.NoError(t, json.Unmarshal(decbi, &bi))
-
-	require.Contains(t, bi.Attrs, "build-arg:foo")
-	require.Equal(t, &fooattrval, bi.Attrs["build-arg:foo"])
-	require.Contains(t, bi.Attrs, "build-arg:baz")
-	require.Equal(t, &bazattrval, bi.Attrs["build-arg:baz"])
-
-	checkAllReleasable(t, c, sb, true)
-}
-
 func testClientGatewayNilResult(t *testing.T, sb integration.Sandbox) {
 	requiresLinux(t)
 	c, err := New(sb.Context(), sb.Address())

diff --git a/client/client_test.go b/client/client_test.go
@@ -6199,8 +6199,7 @@ func testBuildInfoExporter(t *testing.T, sb integration.Sandbox) {
 			return nil, err
 		}
 		return c.Solve(ctx, gateway.SolveRequest{
-			Definition:  def.ToPB(),
-			FrontendOpt: map[string]string{"build-arg:foo": "bar"},
+			Definition: def.ToPB(),
 		})
 	}
 
@@ -6233,8 +6232,6 @@ func testBuildInfoExporter(t *testing.T, sb integration.Sandbox) {
 	err = json.Unmarshal(decbi, &exbi)
 	require.NoError(t, err)
 
-	attrval := "bar"
-	require.Equal(t, exbi.Attrs, map[string]*string{"build-arg:foo": &attrval})
 	require.Equal(t, len(exbi.Sources), 1)
 	require.Equal(t, exbi.Sources[0].Type, binfotypes.SourceTypeDockerImage)
 	require.Equal(t, exbi.Sources[0].Ref, "docker.io/library/busybox:latest")
@@ -6271,66 +6268,42 @@ func testBuildInfoInline(t *testing.T, sb integration.Sandbox) {
 
 	ctx := namespaces.WithNamespace(sb.Context(), "buildkit")
 
-	for _, tt := range []struct {
-		name       string
-		buildAttrs bool
-	}{{
-		"attrsEnabled",
-		true,
-	}, {
-		"attrsDisabled",
-		false,
-	}} {
-		t.Run(tt.name, func(t *testing.T) {
-			target := registry + "/buildkit/test-buildinfo:latest"
-
-			_, err = c.Solve(sb.Context(), def, SolveOpt{
-				Exports: []ExportEntry{
-					{
-						Type: ExporterImage,
-						Attrs: map[string]string{
-							"name":            target,
-							"push":            "true",
-							"buildinfo-attrs": strconv.FormatBool(tt.buildAttrs),
-						},
-					},
-				},
-				FrontendAttrs: map[string]string{
-					"build-arg:foo": "bar",
+	target := registry + "/buildkit/test-buildinfo:latest"
+
+	_, err = c.Solve(sb.Context(), def, SolveOpt{
+		Exports: []ExportEntry{
+			{
+				Type: ExporterImage,
+				Attrs: map[string]string{
+					"name": target,
+					"push": "true",
 				},
-			}, nil)
-			require.NoError(t, err)
+			},
+		},
+	}, nil)
+	require.NoError(t, err)
 
-			img, err := client.GetImage(ctx, target)
-			require.NoError(t, err)
+	img, err := client.GetImage(ctx, target)
+	require.NoError(t, err)
 
-			desc, err := img.Config(ctx)
-			require.NoError(t, err)
+	desc, err := img.Config(ctx)
+	require.NoError(t, err)
 
-			dt, err := content.ReadBlob(ctx, img.ContentStore(), desc)
-			require.NoError(t, err)
+	dt, err := content.ReadBlob(ctx, img.ContentStore(), desc)
+	require.NoError(t, err)
 
-			var config binfotypes.ImageConfig
-			require.NoError(t, json.Unmarshal(dt, &config))
+	var config binfotypes.ImageConfig
+	require.NoError(t, json.Unmarshal(dt, &config))
 
-			dec, err := base64.StdEncoding.DecodeString(config.BuildInfo)
-			require.NoError(t, err)
+	dec, err := base64.StdEncoding.DecodeString(config.BuildInfo)
+	require.NoError(t, err)
 
-			var bi binfotypes.BuildInfo
-			require.NoError(t, json.Unmarshal(dec, &bi))
+	var bi binfotypes.BuildInfo
+	require.NoError(t, json.Unmarshal(dec, &bi))
 
-			if tt.buildAttrs {
-				attrval := "bar"
-				require.Contains(t, bi.Attrs, "build-arg:foo")
-				require.Equal(t, bi.Attrs["build-arg:foo"], &attrval)
-			} else {
-				require.NotContains(t, bi.Attrs, "build-arg:foo")
-			}
-			require.Equal(t, len(bi.Sources), 1)
-			require.Equal(t, bi.Sources[0].Type, binfotypes.SourceTypeDockerImage)
-			require.Equal(t, bi.Sources[0].Ref, "docker.io/library/busybox:latest")
-		})
-	}
+	require.Equal(t, len(bi.Sources), 1)
+	require.Equal(t, bi.Sources[0].Type, binfotypes.SourceTypeDockerImage)
+	require.Equal(t, bi.Sources[0].Ref, "docker.io/library/busybox:latest")
 }
 
 func testBuildInfoNoExport(t *testing.T, sb integration.Sandbox) {
@@ -6348,8 +6321,7 @@ func testBuildInfoNoExport(t *testing.T, sb integration.Sandbox) {
 			return nil, err
 		}
 		return c.Solve(ctx, gateway.SolveRequest{
-			Definition:  def.ToPB(),
-			FrontendOpt: map[string]string{"build-arg:foo": "bar"},
+			Definition: def.ToPB(),
 		})
 	}
 
@@ -6364,8 +6336,6 @@ func testBuildInfoNoExport(t *testing.T, sb integration.Sandbox) {
 	err = json.Unmarshal(decbi, &exbi)
 	require.NoError(t, err)
 
-	attrval := "bar"
-	require.Equal(t, exbi.Attrs, map[string]*string{"build-arg:foo": &attrval})
 	require.Equal(t, len(exbi.Sources), 1)
 	require.Equal(t, exbi.Sources[0].Type, binfotypes.SourceTypeDockerImage)
 	require.Equal(t, exbi.Sources[0].Ref, "docker.io/library/busybox:latest")

diff --git a/cmd/buildctl/build.go b/cmd/buildctl/build.go
@@ -277,13 +277,26 @@ func buildAction(clicontext *cli.Context) error {
 				close(w.Status())
 			}
 		}()
+
+		solveAttr := map[string]string{}
+		frontendAttr := map[string]string{}
+		for k, v := range solveOpt.FrontendAttrs {
+			if strings.HasPrefix(k, "attest:") || strings.HasPrefix(k, "build-arg:BUILDKIT_ATTEST_") {
+				frontendAttr[k] = v
+			} else {
+				solveAttr[k] = v
+			}
+		}
+
 		sreq := gateway.SolveRequest{
 			Frontend:    solveOpt.Frontend,
-			FrontendOpt: solveOpt.FrontendAttrs,
+			FrontendOpt: solveAttr,
 		}
 		if def != nil {
 			sreq.Definition = def.ToPB()
 		}
+		solveOpt.Frontend = ""
+		solveOpt.FrontendAttrs = frontendAttr
 
 		resp, err := c.Build(ctx, solveOpt, "buildctl", func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
 			_, isSubRequest := sreq.FrontendOpt["requestid"]

diff --git a/control/control.go b/control/control.go
@@ -330,6 +330,11 @@ func (c *Controller) Solve(ctx context.Context, req *controlapi.SolveRequest) (*
 	}
 
 	var procs []llbsolver.Processor
+
+	if len(attests) > 0 {
+		procs = append(procs, proc.ForceRefsProcessor)
+	}
+
 	if attrs, ok := attests["sbom"]; ok {
 		src := attrs["generator"]
 		if src == "" {
@@ -340,7 +345,11 @@ func (c *Controller) Solve(ctx context.Context, req *controlapi.SolveRequest) (*
 			return nil, errors.Wrapf(err, "failed to parse sbom generator %s", src)
 		}
 		ref = reference.TagNameOnly(ref)
-		procs = append(procs, proc.ForceRefsProcessor, proc.SBOMProcessor(ref.String()))
+		procs = append(procs, proc.SBOMProcessor(ref.String()))
+	}
+
+	if attrs, ok := attests["provenance"]; ok {
+		procs = append(procs, proc.ProvenanceProcessor(attrs))
 	}
 
 	resp, err := c.solver.Solve(ctx, req.Ref, req.Session, frontend.SolveRequest{

diff --git a/examples/dockerfile2llb/main.go b/examples/dockerfile2llb/main.go
@@ -41,7 +41,7 @@ func xmain() error {
 
 	caps := pb.Caps.CapSet(pb.Caps.All())
 
-	state, img, bi, err := dockerfile2llb.Dockerfile2LLB(appcontext.Context(), df, dockerfile2llb.ConvertOpt{
+	state, img, err := dockerfile2llb.Dockerfile2LLB(appcontext.Context(), df, dockerfile2llb.ConvertOpt{
 		MetaResolver: imagemetaresolver.Default(),
 		Target:       opt.target,
 		LLBCaps:      &caps,
@@ -62,11 +62,6 @@ func xmain() error {
 			return err
 		}
 	}
-	if opt.partialMetadataFile != "" {
-		if err := writeJSON(opt.partialMetadataFile, bi); err != nil {
-			return err
-		}
-	}
 	return nil
 }