Merge pull request #6210 from tonistiigi/provenance-custom-env

provenance: add custom fields support

Author: tonistiigi

client/client_test.go

@@ -11323,14 +11323,14 @@ func (s *server) run(a agent.Agent) error {
 
 type secModeSandbox struct{}
 
-func (*secModeSandbox) UpdateConfigFile(in string) string {
-	return in
+func (*secModeSandbox) UpdateConfigFile(in string) (string, func() error) {
+	return in, nil
 }
 
 type secModeInsecure struct{}
 
-func (*secModeInsecure) UpdateConfigFile(in string) string {
-	return in + "\n\ninsecure-entitlements = [\"security.insecure\"]\n"
+func (*secModeInsecure) UpdateConfigFile(in string) (string, func() error) {
+	return in + "\n\ninsecure-entitlements = [\"security.insecure\"]\n", nil
 }
 
 var (
@@ -11340,19 +11340,19 @@ var (
 
 type netModeHost struct{}
 
-func (*netModeHost) UpdateConfigFile(in string) string {
-	return in + "\n\ninsecure-entitlements = [\"network.host\"]\n"
+func (*netModeHost) UpdateConfigFile(in string) (string, func() error) {
+	return in + "\n\ninsecure-entitlements = [\"network.host\"]\n", nil
 }
 
 type netModeDefault struct{}
 
-func (*netModeDefault) UpdateConfigFile(in string) string {
-	return in
+func (*netModeDefault) UpdateConfigFile(in string) (string, func() error) {
+	return in, nil
 }
 
 type netModeBridgeDNS struct{}
 
-func (*netModeBridgeDNS) UpdateConfigFile(in string) string {
+func (*netModeBridgeDNS) UpdateConfigFile(in string) (string, func() error) {
 	return in + `
 # configure bridge networking
 [worker.oci]
@@ -11365,7 +11365,7 @@ cniConfigPath = "/etc/buildkit/dns-cni.conflist"
 
 [dns]
 nameservers = ["10.11.0.1"]
-`
+`, nil
 }
 
 var (

cmd/buildkitd/config/config.go

@@ -42,6 +42,10 @@ type Config struct {
 	} `toml:"frontend"`
 
 	System *SystemConfig `toml:"system"`
+
+	// ProvenanceEnvDir is the directory where extra config is loaded
+	// that is added to the provenance of builds. Defaults to /etc/buildkit/provenance.d/ ,
+	ProvenanceEnvDir string `toml:"provenanceEnvDir"`
 }
 
 type SystemConfig struct {

cmd/buildkitd/main.go

@@ -860,6 +860,11 @@ func newController(ctx context.Context, c *cli.Context, cfg *config.Config) (*co
 		cfg.Entitlements = append(cfg.Entitlements, "device")
 	}
 
+	provenanceEnv, err := loadProvenanceEnv(cfg.ProvenanceEnvDir)
+	if err != nil {
+		return nil, err
+	}
+
 	return control.NewController(control.Opt{
 		SessionManager:            sessionManager,
 		WorkerController:          wc,
@@ -876,6 +881,7 @@ func newController(ctx context.Context, c *cli.Context, cfg *config.Config) (*co
 		HistoryConfig:             cfg.History,
 		GarbageCollect:            w.GarbageCollect,
 		GracefulStop:              ctx.Done(),
+		ProvenanceEnv:             provenanceEnv,
 	})
 }
 

cmd/buildkitd/util.go

@@ -1,10 +1,14 @@
 package main
 
 import (
+	"encoding/json"
+	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 
 	"github.com/moby/buildkit/cmd/buildkitd/config"
+	"github.com/moby/buildkit/util/appdefaults"
 	"github.com/moby/buildkit/util/disk"
 	"github.com/pkg/errors"
 )
@@ -66,3 +70,33 @@ func stringToGCConfig(in string) (config.GCConfig, error) {
 	cfg.GCMaxUsedSpace = config.DiskSpace{Bytes: max * 1e6}
 	return cfg, nil
 }
+
+func loadProvenanceEnv(dir string) (map[string]any, error) {
+	if dir == "" {
+		dir = filepath.Join(appdefaults.ConfigDir, "provenance.d")
+	}
+	entries, err := os.ReadDir(dir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	env := make(map[string]any)
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+		if !strings.HasSuffix(entry.Name(), ".json") {
+			continue
+		}
+		data, err := os.ReadFile(filepath.Join(dir, entry.Name()))
+		if err != nil {
+			return nil, err
+		}
+		if err := json.Unmarshal(data, &env); err != nil {
+			return nil, errors.Wrapf(err, "failed to parse %s", entry.Name())
+		}
+	}
+	return env, nil
+}

control/control.go

@@ -74,6 +74,7 @@ type Opt struct {
 	HistoryConfig             *config.HistoryConfig
 	GarbageCollect            func(context.Context) error
 	GracefulStop              <-chan struct{}
+	ProvenanceEnv             map[string]any
 }
 
 type Controller struct { // TODO: ControlService
@@ -114,6 +115,7 @@ func NewController(opt Opt) (*Controller, error) {
 		SessionManager:   opt.SessionManager,
 		Entitlements:     opt.Entitlements,
 		HistoryQueue:     hq,
+		ProvenanceEnv:    opt.ProvenanceEnv,
 	})
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to create solver")
@@ -524,7 +526,7 @@ func (c *Controller) Solve(ctx context.Context, req *controlapi.SolveRequest) (*
 				params[k] = v
 			}
 		}
-		procs = append(procs, proc.ProvenanceProcessor(slsaVersion, params))
+		procs = append(procs, proc.ProvenanceProcessor(slsaVersion, params, c.opt.ProvenanceEnv))
 	}
 
 	resp, err := c.solver.Solve(ctx, req.Ref, req.Session, frontend.SolveRequest{

frontend/dockerfile/dockerfile_provenance_test.go

@@ -44,7 +44,6 @@ import (
 )
 
 var provenanceTests = integration.TestFuncs(
-	testProvenanceAttestation,
 	testGitProvenanceAttestationSHA1,
 	testGitProvenanceAttestationSHA256,
 	testMultiPlatformProvenance,
@@ -180,6 +179,11 @@ RUN echo ok> /foo
 				_, isClient := f.(*clientFrontend)
 				_, isGateway := f.(*gatewayFrontend)
 
+				expCustom := provenancetypes.ProvenanceCustomEnv{
+					"foo":     "bar",
+					"numbers": []any{1.0, 2.0, 3.0},
+				}
+
 				if slsaVersion == "v1" {
 					type stmtT struct {
 						Predicate provenancetypes.ProvenancePredicateSLSA1 `json:"predicate"`
@@ -193,6 +197,8 @@ RUN echo ok> /foo
 
 					require.Equal(t, "", pred.BuildDefinition.ExternalParameters.ConfigSource.URI)
 
+					require.Equal(t, expCustom, pred.BuildDefinition.InternalParameters.ProvenanceCustomEnv)
+
 					args := pred.BuildDefinition.ExternalParameters.Request.Args
 					if isClient {
 						require.Equal(t, "", pred.BuildDefinition.ExternalParameters.Request.Frontend)
@@ -294,6 +300,8 @@ RUN echo ok> /foo
 
 					require.Equal(t, "", pred.Invocation.ConfigSource.URI)
 
+					require.Equal(t, expCustom, pred.Invocation.Environment.ProvenanceCustomEnv)
+
 					args := pred.Invocation.Parameters.Args
 					if isClient {
 						require.Equal(t, "", pred.Invocation.Parameters.Frontend)
@@ -2007,3 +2015,51 @@ COPY --from=base /out /
 		require.NoError(t, json.Unmarshal(dt, &pred))
 	}
 }
+
+type provenanceEnvSimple struct{}
+
+func (*provenanceEnvSimple) UpdateConfigFile(in string) (string, func() error) {
+	dir, err := os.MkdirTemp("", "provenanceenv")
+	if err != nil {
+		panic(err)
+	}
+	dt, err := json.Marshal(map[string]any{
+		"foo": "bar",
+	})
+	if err != nil {
+		panic(err)
+	}
+	if err := os.WriteFile(filepath.Join(dir, "foo.json"), dt, 0600); err != nil {
+		panic(err)
+	}
+	dt, err = json.Marshal(map[string]any{
+		"numbers": []int{1, 2, 3},
+	})
+	if err != nil {
+		panic(err)
+	}
+	if err := os.WriteFile(filepath.Join(dir, "numbers.json"), dt, 0600); err != nil {
+		panic(err)
+	}
+
+	// make all paths readable for the rootless user
+	if err := os.Chmod(dir, 0755); err != nil {
+		panic(err)
+	}
+	if err := os.Chmod(filepath.Join(dir, "foo.json"), 0644); err != nil {
+		panic(err)
+	}
+	if err := os.Chmod(filepath.Join(dir, "numbers.json"), 0644); err != nil {
+		panic(err)
+	}
+
+	in = in + fmt.Sprintf("\n\nprovenanceEnvDir = %q\n", dir)
+
+	return in, func() error {
+		return os.RemoveAll(dir)
+	}
+}
+
+var (
+	provenanceEnvSimpleConfig integration.ConfigUpdater = &provenanceEnvSimple{}
+)

frontend/dockerfile/dockerfile_test.go

@@ -298,6 +298,11 @@ func TestIntegration(t *testing.T) {
 			"granted": networkHostGranted,
 			"denied":  networkHostDenied,
 		}))...)
+
+	integration.Run(t, integration.TestFuncs(testProvenanceAttestation), append(opts,
+		integration.WithMatrix("env", map[string]any{
+			"simple": provenanceEnvSimpleConfig,
+		}))...)
 }
 
 func testEmptyStringArgInEnv(t *testing.T, sb integration.Sandbox) {
@@ -10386,14 +10391,14 @@ func (nopWriteCloser) Close() error { return nil }
 
 type secModeSandbox struct{}
 
-func (*secModeSandbox) UpdateConfigFile(in string) string {
-	return in
+func (*secModeSandbox) UpdateConfigFile(in string) (string, func() error) {
+	return in, nil
 }
 
 type secModeInsecure struct{}
 
-func (*secModeInsecure) UpdateConfigFile(in string) string {
-	return in + "\n\ninsecure-entitlements = [\"security.insecure\"]\n"
+func (*secModeInsecure) UpdateConfigFile(in string) (string, func() error) {
+	return in + "\n\ninsecure-entitlements = [\"security.insecure\"]\n", nil
 }
 
 var (
@@ -10403,14 +10408,14 @@ var (
 
 type networkModeHost struct{}
 
-func (*networkModeHost) UpdateConfigFile(in string) string {
-	return in + "\n\ninsecure-entitlements = [\"network.host\"]\n"
+func (*networkModeHost) UpdateConfigFile(in string) (string, func() error) {
+	return in + "\n\ninsecure-entitlements = [\"network.host\"]\n", nil
 }
 
 type networkModeSandbox struct{}
 
-func (*networkModeSandbox) UpdateConfigFile(in string) string {
-	return in
+func (*networkModeSandbox) UpdateConfigFile(in string) (string, func() error) {
+	return in, nil
 }
 
 var (

solver/jobs_test.go

@@ -90,16 +90,16 @@ func testParallelism(t *testing.T, sb integration.Sandbox) {
 
 type parallelismSetterSingle struct{}
 
-func (*parallelismSetterSingle) UpdateConfigFile(in string) string {
-	return in + "\n\n[worker.oci]\n  max-parallelism = 1\n\n[worker.containerd]\n  max-parallelism = 1\n"
+func (*parallelismSetterSingle) UpdateConfigFile(in string) (string, func() error) {
+	return in + "\n\n[worker.oci]\n  max-parallelism = 1\n\n[worker.containerd]\n  max-parallelism = 1\n", nil
 }
 
 var maxParallelismSingle integration.ConfigUpdater = &parallelismSetterSingle{}
 
 type parallelismSetterUnlimited struct{}
 
-func (*parallelismSetterUnlimited) UpdateConfigFile(in string) string {
-	return in
+func (*parallelismSetterUnlimited) UpdateConfigFile(in string) (string, func() error) {
+	return in, nil
 }
 
 var maxParallelismUnlimited integration.ConfigUpdater = &parallelismSetterUnlimited{}

solver/llbsolver/proc/provenance.go

@@ -16,7 +16,7 @@ import (
 	"github.com/pkg/errors"
 )
 
-func ProvenanceProcessor(slsaVersion provenancetypes.ProvenanceSLSA, attrs map[string]string) llbsolver.Processor {
+func ProvenanceProcessor(slsaVersion provenancetypes.ProvenanceSLSA, attrs map[string]string, customEnv map[string]any) llbsolver.Processor {
 	return func(ctx context.Context, res *llbsolver.Result, s *llbsolver.Solver, j *solver.Job, usage *resources.SysSampler) (*llbsolver.Result, error) {
 		span, ctx := tracing.StartSpan(ctx, "create provenance attestation")
 		defer span.End()
@@ -46,7 +46,7 @@ func ProvenanceProcessor(slsaVersion provenancetypes.ProvenanceSLSA, attrs map[s
 				return nil, errors.Errorf("could not find ref %s", p.ID)
 			}
 
-			pc, err := llbsolver.NewProvenanceCreator(ctx, slsaVersion, cp, ref, attrs, j, usage)
+			pc, err := llbsolver.NewProvenanceCreator(ctx, slsaVersion, cp, ref, attrs, j, usage, customEnv)
 			if err != nil {
 				return nil, err
 			}

solver/llbsolver/provenance.go

@@ -339,7 +339,7 @@ type ProvenanceCreator struct {
 	addLayers   func(context.Context) error
 }
 
-func NewProvenanceCreator(ctx context.Context, slsaVersion provenancetypes.ProvenanceSLSA, cp *provenance.Capture, res solver.ResultProxy, attrs map[string]string, j *solver.Job, usage *resources.SysSampler) (*ProvenanceCreator, error) {
+func NewProvenanceCreator(ctx context.Context, slsaVersion provenancetypes.ProvenanceSLSA, cp *provenance.Capture, res solver.ResultProxy, attrs map[string]string, j *solver.Job, usage *resources.SysSampler, customEnv map[string]any) (*ProvenanceCreator, error) {
 	var reproducible bool
 	if v, ok := attrs["reproducible"]; ok {
 		b, err := strconv.ParseBool(v)
@@ -451,6 +451,8 @@ func NewProvenanceCreator(ctx context.Context, slsaVersion provenancetypes.Prove
 		return nil, errors.Errorf("invalid mode %q", mode)
 	}
 
+	pr.Invocation.Environment.ProvenanceCustomEnv = customEnv
+
 	pc := &ProvenanceCreator{
 		pr:          pr,
 		slsaVersion: slsaVersion,