diff --git a/cmd/verifier/main.go b/cmd/verifier/main.go
index 7febd355..b1723cf8 100644
--- a/cmd/verifier/main.go
+++ b/cmd/verifier/main.go
@@ -22,7 +22,7 @@ import (
 "github.com/project-oak/transparent-release/internal/model"
 "github.com/project-oak/transparent-release/internal/verifier"
- prover "github.com/project-oak/transparent-release/pkg/proto/verification"
+ pb "github.com/project-oak/transparent-release/pkg/proto/verification"
 )
 func main() {
@@ -47,7 +47,7 @@ func main() {
 provenanceVerifier := verifier.ProvenanceIRVerifier{
 Got: provenanceIR,
- Want: &prover.ProvenanceReferenceValues{},
+ Want: &pb.ProvenanceReferenceValues{},
 }
 if err := provenanceVerifier.Verify(); err != nil {
diff --git a/internal/endorser/endorser.go b/internal/endorser/endorser.go
index 7c1242ab..fb189875 100644
--- a/internal/endorser/endorser.go
+++ b/internal/endorser/endorser.go
@@ -33,7 +33,7 @@ import (
 "github.com/project-oak/transparent-release/internal/verifier"
 "github.com/project-oak/transparent-release/pkg/claims"
 "github.com/project-oak/transparent-release/pkg/intoto"
- prover "github.com/project-oak/transparent-release/pkg/proto/verification"
+ pb "github.com/project-oak/transparent-release/pkg/proto/verification"
 )
 // ParsedProvenance contains a provenance in the internal ProvenanceIR format,
@@ -57,7 +57,7 @@ type ParsedProvenance struct {
 // provided, a provenance-less endorsement is generated, only if the input
 // VerificationOptions has the EndorseProvenanceLess field set. An error is
 // returned in all other cases.
-func GenerateEndorsement(binaryName, binaryDigest string, verOpt *prover.VerificationOptions, validityDuration claims.ClaimValidity, provenances []ParsedProvenance) (*intoto.Statement, error) {
+func GenerateEndorsement(binaryName, binaryDigest string, verOpt *pb.VerificationOptions, validityDuration claims.ClaimValidity, provenances []ParsedProvenance) (*intoto.Statement, error) {
 if (verOpt.GetEndorseProvenanceLess() == nil) && (verOpt.GetReferenceProvenance() == nil) {
 return nil, fmt.Errorf("invalid VerificationOptions: exactly one of EndorseProvenanceLess and ReferenceProvenance must be set")
 }
@@ -77,7 +77,7 @@ func GenerateEndorsement(binaryName, binaryDigest string, verOpt *prover.Verific
 // (2) Any of the provenances is invalid (see verifyProvenances for details),
 // (3) Provenances do not match (e.g., have different binary names).
 // (4) Provenances match but don't match the input binary name or digest.
-func verifyAndSummarizeProvenances(binaryName, binaryDigest string, verOpt *prover.VerificationOptions, provenances []ParsedProvenance) (*claims.VerifiedProvenanceSet, error) {
+func verifyAndSummarizeProvenances(binaryName, binaryDigest string, verOpt *pb.VerificationOptions, provenances []ParsedProvenance) (*claims.VerifiedProvenanceSet, error) {
 if len(provenances) == 0 && verOpt.GetEndorseProvenanceLess() == nil {
 return nil, fmt.Errorf("at least one provenance file must be provided")
 }
@@ -120,7 +120,7 @@ func verifyAndSummarizeProvenances(binaryName, binaryDigest string, verOpt *prov
 // ProvenanceReferenceValues. An error is returned if verification fails for
 // one of them. No verification is performed if the provided
 // ProvenanceReferenceValues is nil.
-func verifyProvenances(referenceValues *prover.ProvenanceReferenceValues, provenances []model.ProvenanceIR) error {
+func verifyProvenances(referenceValues *pb.ProvenanceReferenceValues, provenances []model.ProvenanceIR) error {
 var errs error
 if referenceValues == nil {
 return nil
@@ -235,12 +235,12 @@ func GetProvenanceBytes(provenanceURI string) ([]byte, error) {
 // LoadTextprotoVerificationOptions loads VerificationOptions from a .textproto
 // file in the given path.
-func LoadTextprotoVerificationOptions(path string) (*prover.VerificationOptions, error) {
+func LoadTextprotoVerificationOptions(path string) (*pb.VerificationOptions, error) {
 bytes, err := os.ReadFile(path)
 if err != nil {
 return nil, fmt.Errorf("reading provenance verification options from %q: %v", path, err)
 }
- var opt prover.VerificationOptions
+ var opt pb.VerificationOptions
 if err := prototext.Unmarshal(bytes, &opt); err != nil {
 return nil, fmt.Errorf("unmarshal bytes to VerificationOptions: %v", err)
 }
diff --git a/internal/endorser/endorser_test.go b/internal/endorser/endorser_test.go
index 480c2ab6..60e0e12d 100644
--- a/internal/endorser/endorser_test.go
+++ b/internal/endorser/endorser_test.go
@@ -23,7 +23,7 @@ import (
 "github.com/project-oak/transparent-release/internal/testutil"
 "github.com/project-oak/transparent-release/pkg/claims"
- prover "github.com/project-oak/transparent-release/pkg/proto/verification"
+ pb "github.com/project-oak/transparent-release/pkg/proto/verification"
 )
 const (
@@ -59,7 +59,7 @@ func createProvenanceList(t *testing.T, paths []string) []ParsedProvenance {
 }
 func TestGenerateEndorsement_InvalidVerificationOptions(t *testing.T) {
- verOpts := &prover.VerificationOptions{}
+ verOpts := &pb.VerificationOptions{}
 _, err := GenerateEndorsement(binaryName, binaryDigestSha256, verOpts, createClaimValidity(7), []ParsedProvenance{})
 if err == nil || !strings.Contains(err.Error(), "invalid VerificationOptions") {
 t.Fatalf("got %q, want error message containing %q,", err, "invalid VerificationOptions:")
@@ -67,10 +67,10 @@ func TestGenerateEndorsement_InvalidVerificationOptions(t *testing.T) {
 }
 func TestGenerateEndorsement_NoProvenance_EndorseProvenanceLess(t *testing.T) {
- verOpts := &prover.VerificationOptions{
+ verOpts := &pb.VerificationOptions{
 // Allow provenance-less endorsement generation.
- Option: &prover.VerificationOptions_EndorseProvenanceLess{
- EndorseProvenanceLess: &prover.EndorseProvenanceLess{},
+ Option: &pb.VerificationOptions_EndorseProvenanceLess{
+ EndorseProvenanceLess: &pb.EndorseProvenanceLess{},
 },
 }
 statement, err := GenerateEndorsement(binaryName, binaryDigestSha256, verOpts, createClaimValidity(7), []ParsedProvenance{})
@@ -96,9 +96,9 @@ func TestGenerateEndorsement_NoProvenance_EndorseProvenanceLess(t *testing.T) {
 }
 func TestGenerateEndorsement_SingleProvenance_EndorseProvenanceLess(t *testing.T) {
- verOpts := &prover.VerificationOptions{
- Option: &prover.VerificationOptions_EndorseProvenanceLess{
- EndorseProvenanceLess: &prover.EndorseProvenanceLess{},
+ verOpts := &pb.VerificationOptions{
+ Option: &pb.VerificationOptions_EndorseProvenanceLess{
+ EndorseProvenanceLess: &pb.EndorseProvenanceLess{},
 },
 }
 provenances := createProvenanceList(t, []string{"../../testdata/slsa_v02_provenance.json"})
@@ -116,9 +116,9 @@ func TestGenerateEndorsement_SingleProvenance_EndorseProvenanceLess(t *testing.T
 }
 func TestGenerateEndorsement_SingleInvalidProvenance_EndorseProvenanceLess(t *testing.T) {
- verOpts := &prover.VerificationOptions{
- Option: &prover.VerificationOptions_EndorseProvenanceLess{
- EndorseProvenanceLess: &prover.EndorseProvenanceLess{},
+ verOpts := &pb.VerificationOptions{
+ Option: &pb.VerificationOptions_EndorseProvenanceLess{
+ EndorseProvenanceLess: &pb.EndorseProvenanceLess{},
 },
 }
@@ -132,9 +132,9 @@ func TestGenerateEndorsement_SingleInvalidProvenance_EndorseProvenanceLess(t *te
 func TestLoadAndVerifyProvenances_MultipleValidProvenances_EndorseProvenanceLess(t *testing.T) {
 provenances := createProvenanceList(t, []string{"../../testdata/slsa_v02_provenance.json", "../../testdata/slsa_v02_provenance.json"})
- verOpts := &prover.VerificationOptions{
- Option: &prover.VerificationOptions_EndorseProvenanceLess{
- EndorseProvenanceLess: &prover.EndorseProvenanceLess{},
+ verOpts := &pb.VerificationOptions{
+ Option: &pb.VerificationOptions_EndorseProvenanceLess{
+ EndorseProvenanceLess: &pb.EndorseProvenanceLess{},
 },
 }
 statement, err := GenerateEndorsement(binaryName, binaryDigestSha256, verOpts, createClaimValidity(7), provenances)
@@ -152,9 +152,9 @@ func TestLoadAndVerifyProvenances_MultipleValidProvenances_EndorseProvenanceLess
 func TestLoadAndVerify_MultipleInconsistentProvenances_EndorseProvenanceLess(t *testing.T) {
 provenances := createProvenanceList(t, []string{"../../testdata/slsa_v02_provenance.json", "../../testdata/different_slsa_v02_provenance.json"})
- verOpts := &prover.VerificationOptions{
- Option: &prover.VerificationOptions_EndorseProvenanceLess{
- EndorseProvenanceLess: &prover.EndorseProvenanceLess{},
+ verOpts := &pb.VerificationOptions{
+ Option: &pb.VerificationOptions_EndorseProvenanceLess{
+ EndorseProvenanceLess: &pb.EndorseProvenanceLess{},
 },
 }
@@ -191,9 +191,9 @@ func TestGenerateEndorsement_SingleValidProvenance(t *testing.T) {
 func TestLoadAndVerifyProvenances_MultipleValidProvenances(t *testing.T) {
 provenances := createProvenanceList(t, []string{"../../testdata/slsa_v02_provenance.json", "../../testdata/slsa_v02_provenance.json"})
- verOpts := &prover.VerificationOptions{
- Option: &prover.VerificationOptions_ReferenceProvenance{
- ReferenceProvenance: &prover.ProvenanceReferenceValues{},
+ verOpts := &pb.VerificationOptions{
+ Option: &pb.VerificationOptions_ReferenceProvenance{
+ ReferenceProvenance: &pb.ProvenanceReferenceValues{},
 },
 }
 provenanceSet, err := verifyAndSummarizeProvenances(binaryName, binaryDigestSha256, verOpts, provenances)
@@ -216,9 +216,9 @@ func TestLoadProvenances_FailingSingleRemoteProvenanceEndorsement(t *testing.T)
 func TestLoadAndVerifyProvenances_ConsistentNotVerified(t *testing.T) {
 provenances := createProvenanceList(t, []string{"../../testdata/slsa_v02_provenance.json", "../../testdata/slsa_v02_provenance.json"})
- verOpts := &prover.VerificationOptions{
- Option: &prover.VerificationOptions_ReferenceProvenance{
- ReferenceProvenance: &prover.ProvenanceReferenceValues{},
+ verOpts := &pb.VerificationOptions{
+ Option: &pb.VerificationOptions_ReferenceProvenance{
+ ReferenceProvenance: &pb.ProvenanceReferenceValues{},
 },
 }
@@ -232,9 +232,9 @@ func TestLoadAndVerifyProvenances_ConsistentNotVerified(t *testing.T) {
 func TestLoadAndVerify_InconsistentVerified(t *testing.T) {
 provenances := createProvenanceList(t, []string{"../../testdata/slsa_v02_provenance.json", "../../testdata/different_slsa_v02_provenance.json"})
- verOpt := prover.VerificationOptions{
- Option: &prover.VerificationOptions_ReferenceProvenance{
- ReferenceProvenance: &prover.ProvenanceReferenceValues{},
+ verOpt := pb.VerificationOptions{
+ Option: &pb.VerificationOptions_ReferenceProvenance{
+ ReferenceProvenance: &pb.ProvenanceReferenceValues{},
 },
 }
@@ -248,9 +248,9 @@ func TestLoadAndVerify_InconsistentVerified(t *testing.T) {
 func TestLoadAndVerify_InconsistentNotVerified(t *testing.T) {
 provenances := createProvenanceList(t, []string{"../../testdata/slsa_v02_provenance.json", "../../testdata/different_slsa_v02_provenance.json"})
- verOpt := &prover.VerificationOptions{
- Option: &prover.VerificationOptions_ReferenceProvenance{
- ReferenceProvenance: &prover.ProvenanceReferenceValues{},
+ verOpt := &pb.VerificationOptions{
+ Option: &pb.VerificationOptions_ReferenceProvenance{
+ ReferenceProvenance: &pb.ProvenanceReferenceValues{},
 },
 }
diff --git a/internal/verifier/verifier.go b/internal/verifier/verifier.go
index 65b58f8c..0e6a7af2 100644
--- a/internal/verifier/verifier.go
+++ b/internal/verifier/verifier.go
@@ -19,7 +19,7 @@ import (
 "fmt"
 "github.com/project-oak/transparent-release/internal/model"
- prover "github.com/project-oak/transparent-release/pkg/proto/verification"
+ pb "github.com/project-oak/transparent-release/pkg/proto/verification"
 "go.uber.org/multierr"
 )
@@ -27,7 +27,7 @@ import (
 // all non-empty fields in got using fields in the reference values. Empty fields will not be verified.
 type ProvenanceIRVerifier struct {
 Got *model.ProvenanceIR
- Want *prover.ProvenanceReferenceValues
+ Want *pb.ProvenanceReferenceValues
 }
 // Verify verifies an instance of ProvenanceIRVerifier by comparing its Got and Want fields.
@@ -128,7 +128,7 @@ func (v *ProvenanceIRVerifier) verifyTrustedBuilder() error {
 }
 // verifySHA256Digest verifies that a given SHA256 is among the given digests.
-func verifySHA256Digest(got string, want *prover.Digests) error {
+func verifySHA256Digest(got string, want *pb.Digests) error {
 if want == nil {
 return nil
 }
diff --git a/internal/verifier/verifier_test.go b/internal/verifier/verifier_test.go
index 6ecb7f14..b5c747bf 100644
--- a/internal/verifier/verifier_test.go
+++ b/internal/verifier/verifier_test.go
@@ -21,7 +21,7 @@ import (
 "github.com/project-oak/transparent-release/internal/model"
 slsav02 "github.com/project-oak/transparent-release/pkg/intoto/slsa_provenance/v0.2"
- prover "github.com/project-oak/transparent-release/pkg/proto/verification"
+ pb "github.com/project-oak/transparent-release/pkg/proto/verification"
 )
 const (
@@ -35,7 +35,7 @@ func TestVerify_HasNoValues(t *testing.T) {
 verifier := ProvenanceIRVerifier{
 Got: got,
- Want: &prover.ProvenanceReferenceValues{},
+ Want: &pb.ProvenanceReferenceValues{},
 }
 // We don't expect any verification to happen.
@@ -47,7 +47,7 @@ func TestVerify_HasNoValues(t *testing.T) {
 func TestVerify_NeedsCanHaveHasBuildCmd(t *testing.T) {
 got := model.NewProvenanceIR(binarySHA256Digest, slsav02.GenericSLSABuildType, binaryName, model.WithBuildCmd([]string{"build cmd"}))
- want := prover.ProvenanceReferenceValues{
+ want := pb.ProvenanceReferenceValues{
 MustHaveBuildCommand: true,
 }
@@ -65,7 +65,7 @@ func TestVerify_NeedsCannotHaveDoesNotHaveBuildCmd(t *testing.T) {
 // No buildCmd is set in the provenance.
 got := model.NewProvenanceIR(binarySHA256Digest, slsav02.GenericSLSABuildType, binaryName)
- want := prover.ProvenanceReferenceValues{
+ want := pb.ProvenanceReferenceValues{
 MustHaveBuildCommand: true,
 }
@@ -83,7 +83,7 @@ func TestVerify_NeedsCannotHaveHasEmptyBuildCmd(t *testing.T) {
 // The build command is empty.
 got := model.NewProvenanceIR(binarySHA256Digest, slsav02.GenericSLSABuildType, binaryName, model.WithBuildCmd([]string{}))
 // And the reference values ask for a build cmd.
- want := prover.ProvenanceReferenceValues{
+ want := pb.ProvenanceReferenceValues{
 MustHaveBuildCommand: true,
 }
@@ -102,7 +102,7 @@ func TestVerify_DoesNotNeedCannotHaveHasEmptyBuildCmd(t *testing.T) {
 // The build command is empty.
 got := model.NewProvenanceIR(binarySHA256Digest, slsav02.GenericSLSABuildType, binaryName, model.WithBuildCmd([]string{}))
 // But the reference values do not ask for a build cmd.
- want := prover.ProvenanceReferenceValues{
+ want := pb.ProvenanceReferenceValues{
 MustHaveBuildCommand: false,
 }
@@ -120,9 +120,9 @@ func TestVerify_DoesNotNeedCannotHaveHasEmptyBuildCmd(t *testing.T) {
 func TestVerify_NeedsHasBuilderImageDigest(t *testing.T) {
 builderDigest := "9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9"
 got := model.NewProvenanceIR(binarySHA256Digest, slsav02.GenericSLSABuildType, binaryName, model.WithBuilderImageSHA256Digest(builderDigest))
- want := prover.ProvenanceReferenceValues{
- ReferenceBuilderImageDigests: &prover.Digests{
- Digests: map[string]*prover.StringAllowList{"sha256": {Values: []string{"some_other_digest", builderDigest}}},
+ want := pb.ProvenanceReferenceValues{
+ ReferenceBuilderImageDigests: &pb.Digests{
+ Digests: map[string]*pb.StringAllowList{"sha256": {Values: []string{"some_other_digest", builderDigest}}},
 },
 }
@@ -139,9 +139,9 @@ func TestVerify_NeedsHasBuilderImageDigest(t *testing.T) {
 func TestVerify_NeedsDoesNotHaveBuilderImageDigest(t *testing.T) {
 builderDigest := "9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9"
 got := model.NewProvenanceIR(binarySHA256Digest, slsav02.GenericSLSABuildType, binaryName, model.WithBuilderImageSHA256Digest(builderDigest))
- want := prover.ProvenanceReferenceValues{
- ReferenceBuilderImageDigests: &prover.Digests{
- Digests: map[string]*prover.StringAllowList{"sha256": {Values: []string{"some_other_digest", "and_some_other"}}},
+ want := pb.ProvenanceReferenceValues{
+ ReferenceBuilderImageDigests: &pb.Digests{
+ Digests: map[string]*pb.StringAllowList{"sha256": {Values: []string{"some_other_digest", "and_some_other"}}},
 },
 }
@@ -160,9 +160,9 @@ func TestVerify_NeedsDoesNotHaveBuilderImageDigest(t *testing.T) {
 func TestVerify_NeedsHasEmptyBuilderImageDigest(t *testing.T) {
 got := model.NewProvenanceIR(binarySHA256Digest, slsav02.GenericSLSABuildType, binaryName, model.WithBuilderImageSHA256Digest(""))
- want := prover.ProvenanceReferenceValues{
- ReferenceBuilderImageDigests: &prover.Digests{
- Digests: map[string]*prover.StringAllowList{"sha256": {Values: []string{"some_digest"}}},
+ want := pb.ProvenanceReferenceValues{
+ ReferenceBuilderImageDigests: &pb.Digests{
+ Digests: map[string]*pb.StringAllowList{"sha256": {Values: []string{"some_digest"}}},
 },
 }
@@ -186,7 +186,7 @@ func TestVerify_DoesNotNeedHasEmptyBuilderImageDigest(t *testing.T) {
 verifier := ProvenanceIRVerifier{
 Got: got,
 // We do not check for the builder image digest.
- Want: &prover.ProvenanceReferenceValues{},
+ Want: &pb.ProvenanceReferenceValues{},
 }
 if err := verifier.Verify(); err != nil {
@@ -197,7 +197,7 @@ func TestVerify_DoesNotNeedHasEmptyBuilderImageDigest(t *testing.T) {
 func TestVerify_HasWantedRepoURI(t *testing.T) {
 got := model.NewProvenanceIR(binarySHA256Digest, slsav02.GenericSLSABuildType, binaryName, model.WithRepoURI("https://github.com/project-oak/transparent-release"))
- want := prover.ProvenanceReferenceValues{
+ want := pb.ProvenanceReferenceValues{
 ReferenceRepoUri: "https://github.com/project-oak/transparent-release",
 }
@@ -217,7 +217,7 @@ func TestVerify_HasWrongRepoURI(t *testing.T) {
 got := model.NewProvenanceIR(binarySHA256Digest, slsav02.GenericSLSABuildType, binaryName, model.WithRepoURI(wrongURI))
- want := prover.ProvenanceReferenceValues{
+ want := pb.ProvenanceReferenceValues{
 ReferenceRepoUri: "github.com/project-oak/transparent-release",
 }
@@ -238,7 +238,7 @@ func TestVerify_HasWrongRepoURI(t *testing.T) {
 func TestVerify_HasNoRepoURIs(t *testing.T) {
 // We have no repo URIs in the provenance.
 got := model.NewProvenanceIR(binarySHA256Digest, slsav02.GenericSLSABuildType, binaryName)
- want := prover.ProvenanceReferenceValues{
+ want := pb.ProvenanceReferenceValues{
 ReferenceRepoUri: "github.com/project-oak/transparent-release",
 }
@@ -259,8 +259,8 @@ func TestVerify_NeedsHasTrustedBuilder(t *testing.T) {
 trustedBuilder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.0"
 got := model.NewProvenanceIR(binarySHA256Digest, slsav02.GenericSLSABuildType, binaryName, model.WithTrustedBuilder(trustedBuilder))
- want := prover.ProvenanceReferenceValues{
- ReferenceBuilders: &prover.StringAllowList{
+ want := pb.ProvenanceReferenceValues{
+ ReferenceBuilders: &pb.StringAllowList{
 Values: []string{trustedBuilder},
 },
 }
@@ -279,8 +279,8 @@ func TestVerify_NeedsDoesNotHaveTrustedBuilder(t *testing.T) {
 trustedBuilder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.0"
 got := model.NewProvenanceIR(binarySHA256Digest, slsav02.GenericSLSABuildType, binaryName, model.WithTrustedBuilder(trustedBuilder))
- want := prover.ProvenanceReferenceValues{
- ReferenceBuilders: &prover.StringAllowList{
+ want := pb.ProvenanceReferenceValues{
+ ReferenceBuilders: &pb.StringAllowList{
 Values: []string{"other_" + trustedBuilder, "another_" + trustedBuilder},
 },
 }
@@ -301,8 +301,8 @@ func TestVerify_NeedsDoesNotHaveTrustedBuilder(t *testing.T) {
 func TestVerify_NeedsHasEmptyTrustedBuilder(t *testing.T) {
 got := model.NewProvenanceIR(binarySHA256Digest, slsav02.GenericSLSABuildType, binaryName, model.WithTrustedBuilder(""))
- want := prover.ProvenanceReferenceValues{
- ReferenceBuilders: &prover.StringAllowList{
+ want := pb.ProvenanceReferenceValues{
+ ReferenceBuilders: &pb.StringAllowList{
 Values: []string{"other_trusted_builder", "another_trusted_builder"},
 },
 }
@@ -326,7 +326,7 @@ func TestVerify_DoesNotNeedHasEmptyTrustedBuilder(t *testing.T) {
 verifier := ProvenanceIRVerifier{
 Got: got,
 // We do not check the trusted builder.
- Want: &prover.ProvenanceReferenceValues{},
+ Want: &pb.ProvenanceReferenceValues{},
 }
 if err := verifier.Verify(); err != nil {