[attest] Use google APIs, refactor client, verify signatures

I finally figured out how to make the APIs work. I still don't have
permission to access the container notes, and presumably the service
account doesn't either.

Bug: b/432211966
Change-Id: I701d7690ab65211e1ca03dd2cb8683fbdd72a9b4
Reviewed-on: https://skia-review.googlesource.com/c/buildbot/+/1024840
Commit-Queue: Eric Boren <borenet@google.com>
Reviewed-by: Kaylee Lubick <kjlubick@google.com>

Author: erock2112

.mockery.yaml

@@ -8,6 +8,9 @@ packages:
   go.skia.org/infra/am/go/alertclient:
     interfaces:
       APIClient:
+  go.skia.org/infra/attest/go/types:
+    interfaces:
+      Client:
   go.skia.org/infra/autoroll/go/config/db:
     interfaces:
       DB:

WORKSPACE

@@ -102,11 +102,11 @@ go_googleapis_compatibility_hack(
 # Needed by @com_github_bazelbuild_remote_apis.
 http_archive(
     name = "com_google_protobuf",
-    sha256 = "b8ab9bbdf0c6968cf20060794bc61e231fae82aaf69d6e3577c154181991f576",
-    strip_prefix = "protobuf-3.18.1",
+    sha256 = "da288bf1daa6c04d03a9051781caa52aceb9163586bff9aa6cfb12f69b9395aa",
+    strip_prefix = "protobuf-27.0",
     urls = gcs_mirror_url(
         sha256 = "b8ab9bbdf0c6968cf20060794bc61e231fae82aaf69d6e3577c154181991f576",
-        url = "https://github.com/protocolbuffers/protobuf/releases/download/v3.18.1/protobuf-all-3.18.1.tar.gz",
+        url = "https://github.com/protocolbuffers/protobuf/releases/download/v27.0/protobuf-27.0.tar.gz",
     ),
 )
 
@@ -118,6 +118,15 @@ http_archive(
 # The protobuf_deps() macro brings in a bunch of dependencies, but by copying the macro body here
 # and removing dependencies one by one, "rules_proto" was identified as the only dependency that is
 # required to build this repository.
+
+http_archive(
+    name = "com_google_absl",
+    sha256 = "f49929d22751bf70dd61922fb1fd05eb7aec5e7a7f870beece79a6e28f0a06c1",
+    strip_prefix = "abseil-cpp-4a2c63365eff8823a5221db86ef490e828306f9d",
+    # Abseil LTS 20240116.0
+    urls = ["https://github.com/abseil/abseil-cpp/archive/4a2c63365eff8823a5221db86ef490e828306f9d.zip"],
+)
+
 http_archive(
     name = "rules_proto",
     sha256 = "6fb6767d1bef535310547e03247f7518b03487740c11b6c6adb7952033fe1295",
@@ -137,6 +146,10 @@ load("@rules_proto//proto:toolchains.bzl", "rules_proto_toolchains")
 
 rules_proto_toolchains()
 
+load("@com_google_protobuf//:protobuf_deps.bzl", "protobuf_deps")
+
+protobuf_deps()
+
 # Needed by @com_github_bazelbuild_remote_apis for the googleapis protos.
 http_archive(
     name = "googleapis",
@@ -320,10 +333,10 @@ esbuild_register_toolchains(
 # See https://github.com/bazelbuild/rules_pkg/tree/main/pkg.
 http_archive(
     name = "rules_pkg",
-    sha256 = "038f1caa773a7e35b3663865ffb003169c6a71dc995e39bf4815792f385d837d",
+    sha256 = "8a298e832762eda1830597d64fe7db58178aa84cd5926d76d5b744d6558941c2",
     urls = [
-        "https://mirror.bazel.build/github.com/bazelbuild/rules_pkg/releases/download/0.4.0/rules_pkg-0.4.0.tar.gz",
-        "https://github.com/bazelbuild/rules_pkg/releases/download/0.4.0/rules_pkg-0.4.0.tar.gz",
+        "https://mirror.bazel.build/github.com/bazelbuild/rules_pkg/releases/download/0.7.0/rules_pkg-0.7.0.tar.gz",
+        "https://github.com/bazelbuild/rules_pkg/releases/download/0.7.0/rules_pkg-0.7.0.tar.gz",
     ],
 )
 

attest/go/attest/BUILD.bazel

@@ -1,18 +1,16 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-load("//bazel/go:go_test.bzl", "go_test")
 
 go_library(
     name = "attest_lib",
     srcs = ["main.go"],
     importpath = "go.skia.org/infra/attest/go/attest",
     visibility = ["//visibility:private"],
     deps = [
+        "//attest/go/attestation",
+        "//attest/go/types",
         "//go/common",
-        "//go/gcloud/binaryauthorization",
         "//go/httputils",
-        "//go/skerr",
         "//go/sklog",
-        "@org_golang_x_oauth2//google",
     ],
 )
 
@@ -21,10 +19,3 @@ go_binary(
     embed = [":attest_lib"],
     visibility = ["//visibility:public"],
 )
-
-go_test(
-    name = "attest_test",
-    srcs = ["main_test.go"],
-    embed = [":attest_lib"],
-    deps = ["@com_github_stretchr_testify//require"],
-)

attest/go/attest/main.go

@@ -3,102 +3,44 @@ package main
 import (
 	"context"
 	"flag"
-	"fmt"
 	"net/http"
-	"regexp"
-	"strings"
 
+	"go.skia.org/infra/attest/go/attestation"
+	"go.skia.org/infra/attest/go/types"
 	"go.skia.org/infra/go/common"
-	"go.skia.org/infra/go/gcloud/binaryauthorization"
 	"go.skia.org/infra/go/httputils"
-	"go.skia.org/infra/go/skerr"
 	"go.skia.org/infra/go/sklog"
-	"golang.org/x/oauth2/google"
 )
 
 var (
 	// Flags.
-	attestorProject = flag.String("attestor_project", "", "ID of the project containing the attestor")
-	attestor        = flag.String("attestor", "", "ID of the attestor")
-	host            = flag.String("host", "localhost", "HTTP service host")
-	port            = flag.String("port", ":8000", "HTTP service port (e.g., ':8000')")
-	promPort        = flag.String("prom_port", ":20000", "Metrics service address (e.g., ':10110')")
-	local           = flag.Bool("local", false, "Running locally if true. As opposed to in production.")
-
-	// Global Binary Authorization API client.
-	binauthClient binaryauthorization.Client
+	attestor = flag.String("attestor", "", "Fully-qualified resource name of the attestor (e.g., 'projects/my-project/attestors/my-attestor')")
+	host     = flag.String("host", "localhost", "HTTP service host")
+	port     = flag.String("port", ":8000", "HTTP service port (e.g., ':8000')")
+	promPort = flag.String("prom_port", ":20000", "Metrics service address (e.g., ':10110')")
+	local    = flag.Bool("local", false, "Running locally if true. As opposed to in production.")
 )
 
-func checkAttestation(ctx context.Context, attestorProject, attestor, imageID string) (bool, error) {
-	split := strings.Split(imageID, "@sha256:")
-	if len(split) != 2 {
-		return false, skerr.Fmt("incorrect image format")
-	}
-	attestations, err := binauthClient.ListAttestations(ctx, attestorProject, attestor, split[1])
-	if err != nil {
-		return false, skerr.Wrap(err)
-	}
-	return len(attestations) > 0, nil
-}
-
-var validImageRegex = regexp.MustCompile(`[0-9A-Za-z_.]+\/[0-9A-Za-z_-]+\/[0-9A-Za-z_-]+@sha256:[0-9a-f]{64}`)
-
-func handler(w http.ResponseWriter, r *http.Request) {
-	values := r.URL.Query()["image"]
-	if len(values) != 1 {
-		http.Error(w, "expected a single value for `image`", http.StatusBadRequest)
-		return
-	}
-	imageID := values[0]
-	if !validImageRegex.MatchString(imageID) {
-		http.Error(w, "expected image of the form gcr.io/project/repository@sha256:digest", http.StatusBadRequest)
-		return
-	}
-	hasAttestation, err := checkAttestation(r.Context(), *attestorProject, *attestor, imageID)
-	if err != nil {
-		sklog.Errorf("Failed checking attestation of %s: %s", imageID, err)
-		http.Error(w, "internal server error", http.StatusInternalServerError)
-		return
-	}
-	if !hasAttestation {
-		// TODO(borenet): We could consider using a different status code here,
-		// for example 200 (or possibly 204 No Content) but still return
-		// "no attestation found", to differentiate from a typical 404.
-		http.Error(w, "no attestation found", http.StatusNotFound)
-		return
-	}
-	_, _ = fmt.Fprintln(w, "found valid attestation")
-}
-
 func main() {
 	common.InitWithMust(
 		"attest",
 		common.PrometheusOpt(promPort),
 	)
 	defer common.Defer()
 
-	if *attestorProject == "" {
-		sklog.Fatal("--attestor_project is required.")
-	}
-
-	if *attestor == "" {
-		sklog.Fatal("--attestor is required.")
-	}
-
 	serverURL := "https://" + *host
 	if *local {
 		serverURL = "http://" + *host + *port
 	}
 
 	ctx := context.Background()
-	ts, err := google.DefaultTokenSource(ctx, binaryauthorization.Scope)
+	client, err := attestation.NewClient(ctx, *attestor)
 	if err != nil {
 		sklog.Fatal(err)
 	}
-	httpClient := httputils.DefaultClientConfig().WithTokenSource(ts).With2xxAnd3xx().Client()
-	binauthClient = (*binaryauthorization.ApiClient)(httpClient)
+	server := types.NewServer(client)
 
-	h := httputils.LoggingRequestResponse(http.HandlerFunc(handler))
+	h := httputils.LoggingRequestResponse(server)
 	h = httputils.XFrameOptionsDeny(h)
 	if !*local {
 		h = httputils.HealthzAndHTTPS(h)

attest/go/attest/main_test.go

@@ -0,0 +1,22 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "attestation",
+    srcs = ["attestation.go"],
+    importpath = "go.skia.org/infra/attest/go/attestation",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//attest/go/types",
+        "//go/skerr",
+        "//go/sklog",
+        "//go/util",
+        "@com_google_cloud_go_binaryauthorization//apiv1",
+        "@com_google_cloud_go_binaryauthorization//apiv1/binaryauthorizationpb",
+        "@com_google_cloud_go_containeranalysis//apiv1beta1",
+        "@com_google_cloud_go_containeranalysis//apiv1beta1/grafeas/grafeaspb",
+        "@org_golang_google_api//iterator",
+        "@org_golang_google_api//option",
+        "@org_golang_google_genproto//googleapis/grafeas/v1:grafeas",
+        "@org_golang_x_oauth2//google",
+    ],
+)