Description
In #247 (part of #201), we've added an inline CAS option, which means that an attestation can include the artifact data embedded in it.
The good thing is that users can get started with Chainloop for simpler use cases without needing to set up a CAS backend; the downside is that we now need to make some adjustments to the way we:
1 - Download artifacts
Artifacts in an attestation that leverages inline CAS, such as the one below, are shown to the user exactly the same way as referenced artifacts:
```json
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "chainloop.dev/attestation/v0.2",
  "subject": [
    {
      "name": "chainloop.dev/workflow/waps2",
      "digest": {
        "sha256": "2435330ef47289f3e4ac81b6eba1d679fc86588f0a91c87f5d87e845f8e2ab7f"
      }
    }
  ],
  "predicate": {
    "buildType": "chainloop.dev/workflowrun/v0.1",
    "builder": {
      "id": "chainloop.dev/cli/v0.13.0-22-g0132187@sha256:0373e4a6dbf8a52f6e113c6293ef536d0f9748487891d6249fff1e1303fed326"
    },
    "materials": [
      {
        "annotations": {
          "chainloop.material.cas.inline": true,
          "chainloop.material.name": "skynet-sbom",
          "chainloop.material.type": "SBOM_SPDX_JSON"
        },
        "content": "<base64-encoded SBOM, elided>",
        "digest": {
          "sha256": "984960100e9fd63df132760d9d8b8166c52e875ad5f60e3a191eff4f28bc3094"
        },
        "name": "sbom.spdx.json"
      }
    ],
    "metadata": {
      "finishedAt": "2023-07-18T12:58:54.173929879+02:00",
      "initializedAt": "2023-07-18T10:51:26.567380238Z",
      "name": "waps2",
      "project": "bar",
      "team": "",
      "workflowID": "c80c8789-d7a5-42a4-869f-baace169e52e",
      "workflowRunID": "25dfc828-c8af-4cb5-9ec4-4dcb5379dfb1"
    },
    "runnerType": "RUNNER_TYPE_UNSPECIFIED"
  }
}
```
```
$ chainloop wf run describe --id 25dfc828-c8af-4cb5-9ec4-4dcb5379dfb1
WRN API contacted in insecure mode
┌───────────────────────────────────────────────────────┐
│ Workflow │
├────────────────┬──────────────────────────────────────┤
│ ID │ c80c8789-d7a5-42a4-869f-baace169e52e │
│ Name │ waps2 │
│ Team │ │
│ Project │ bar │
├────────────────┼──────────────────────────────────────┤
│ Workflow Run │ │
├────────────────┼──────────────────────────────────────┤
│ ID │ 25dfc828-c8af-4cb5-9ec4-4dcb5379dfb1 │
│ Initialized At │ 18 Jul 23 10:51 UTC │
│ Finished At │ 18 Jul 23 10:58 UTC │
│ State │ success │
│ Runner Link │ │
├────────────────┼──────────────────────────────────────┤
│ Statement │ │
├────────────────┼──────────────────────────────────────┤
│ Payload Type │ application/vnd.in-toto+json │
│ Verified │ false │
└────────────────┴──────────────────────────────────────┘
┌───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Materials │
├─────────────┬────────────────┬────────────────────────────────────────────────────────────────────────────────────────┤
│ NAME │ TYPE │ VALUE │
├─────────────┼────────────────┼────────────────────────────────────────────────────────────────────────────────────────┤
│ skynet-sbom │ SBOM_SPDX_JSON │ sbom.spdx.json@sha256:984960100e9fd63df132760d9d8b8166c52e875ad5f60e3a191eff4f28bc3094 │
└─────────────┴────────────────┴────────────────────────────────────────────────────────────────────────────────────────┘
```
This might make you think that artifacts can be downloaded the regular way using the digest, i.e. `chainloop artifact download -d sha256:984960100e9fd63df132760d9d8b8166c52e875ad5f60e3a191eff4f28bc3094`,
but that's not the case: that artifact has never been uploaded, and the `artifact download`
command in fact contacts an actual CAS backend. We need to figure out a way to map the digest -> attestation so we can read from the inline attestation content.
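One way to do that digest-to-attestation mapping, shown here as an added example that is not Chainloop's own code: it parses the statement shape shown above, looks up the inline material by its `sha256:` digest, and re-hashes the decoded content before returning it, so a blob whose embedded bytes no longer match the declared digest is refused rather than served. The reduced `Material`/`Statement` types, `hexSum`, `ResolveInline` and the constructed sample SBOM are assumptions of this example.

```go
package main
import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed shape of a chainloop.dev/attestation/v0.2 statement, reduced to what
// inline resolution needs (mirrors the JSON above; not Chainloop's own types).
type Material struct {
	Name        string            `json:"name"`
	Content     string            `json:"content,omitempty"`
	Digest      map[string]string `json:"digest"`
	Annotations map[string]any    `json:"annotations"`
}
type Statement struct {
	Predicate struct{ Materials []Material `json:"materials"` } `json:"predicate"`
}
func hexSum(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// ResolveInline maps a "sha256:<hex>" digest to the inline material declaring it,
// decodes the embedded content and re-hashes it, so a blob is served only if it
// matches the advertised digest. Referenced (non-inline) materials are skipped.
func ResolveInline(statementJSON []byte, digest string) ([]byte, error) {
	var st Statement
	if err := json.Unmarshal(statementJSON, &st); err != nil {
		return nil, err
	}
	want := strings.TrimPrefix(digest, "sha256:")
	for _, m := range st.Predicate.Materials {
		if inline, _ := m.Annotations["chainloop.material.cas.inline"].(bool); !inline || m.Digest["sha256"] != want {
			continue // referenced materials live in the CAS backend, not in the statement
		}
		raw, err := base64.StdEncoding.DecodeString(m.Content)
		if err != nil || hexSum(raw) != want {
			return nil, fmt.Errorf("%q: inline content does not match its declared digest", m.Name)
		}
		return raw, nil
	}
	return nil, fmt.Errorf("no inline material with digest %s; try the CAS backend", digest)
}

// SampleStatement is constructed test data: a valid inline SBOM plus a material whose
// content was altered after its digest was recorded. Returns JSON, good and bad digest.
func SampleStatement() ([]byte, string, string) {
	sbom, inline := []byte(`{"spdxVersion":"SPDX-2.3","name":"skynet"}`), map[string]any{"chainloop.material.cas.inline": true}
	good := Material{"sbom.spdx.json", base64.StdEncoding.EncodeToString(sbom), map[string]string{"sha256": hexSum(sbom)}, inline}
	bad := Material{"tampered.json", base64.StdEncoding.EncodeToString([]byte("x")), map[string]string{"sha256": strings.Repeat("0", 64)}, inline}
	js, _ := json.Marshal(map[string]any{"predicate": map[string]any{"materials": []Material{good, bad}}})
	return js, "sha256:" + good.Digest["sha256"], "sha256:" + bad.Digest["sha256"]
}
```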
2 - Send attestations to integrations
We currently send attestations to notification engines such as Slack or Discord, which means that these inline artifacts will be sent too. We need to think about:
- How to make sure we do not hit a message size limit
- Whether we modify, or even allow, attestation-based integrations with embedded content.
Refs #201