fix mapping between Status.Steps and Status.TaskSpec.Steps #1188

Merged
merged 1 commit into from
Sep 10, 2024
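--- a/pkg/chains/formats/slsa/testdata/pipeline-v1beta1/taskrun4.json
+++ b/pkg/chains/formats/slsa/testdata/pipeline-v1beta1/taskrun4.json
@@ -0,0 +1,136 @@
+{
+"metadata": {
+"name": "mismatch Status.Step.Name and Status.TaskSpec.Step.Name",
+"labels": {
+"tekton.dev/pipelineTask": "build"
+}
+},
+"spec": {
+"params": [
+{
+"name": "IMAGE",
+"value": "test.io/test/image"
+},
+{
+"name": "CHAINS-GIT_COMMIT",
+"value": "sha:taskrun"
+},
+{
+"name": "CHAINS-GIT_URL",
+"value": "https://git.test.com"
+}
+],
+"taskRef": {
+"name": "build",
+"kind": "Task"
+},
+"serviceAccountName": "default"
+},
+"status": {
+"startTime": "2021-03-29T09:50:00Z",
+"completionTime": "2021-03-29T09:50:15Z",
+"conditions": [
+{
+"type": "Succeeded",
+"status": "True",
+"lastTransitionTime": "2021-03-29T09:50:15Z",
+"reason": "Succeeded",
+"message": "All Steps have completed executing"
+}
+],
+"podName": "test-pod-name",
+"steps": [
+{
+"name": "unnamed-",
+"container": "step-step1",
+"imageID": "docker-pullable://gcr.io/test7/test7@sha256:d4b63d3e24d6eef04a6dc0795cf8a73470688803d97c52cffa3c8d4efd3397b6"
+},
+{
+"name": "step2",
+"container": "step-step2",
+"imageID": "docker-pullable://gcr.io/test8/test8@sha256:4d6dd704ef58cb214dd826519929e92a978a57cdee43693006139c0080fd6fac"
+},
+{
+"name": "step3",
+"container": "step-step3",
+"imageID": "docker-pullable://gcr.io/test9/test9@sha256:f1a8b8549c179f41e27ff3db0fe1a1793e4b109da46586501a8343637b1d0478"
+}
+],
+"taskResults": [
+{
+"name": "IMAGE_DIGEST",
+"value": "sha256:827521c857fdcd4374f4da5442fbae2edb01e7fbae285c3ec15673d4c1daecb7"
+},
+{
+"name": "IMAGE_URL",
+"value": "gcr.io/my/image"
+}
+],
+"taskSpec": {
+"params": [
+{
+"name": "IMAGE",
+"type": "string"
+},
+{
+"name": "filename",
+"type": "string"
+},
+{
+"name": "DOCKERFILE",
+"type": "string"
+},
+{
+"name": "CONTEXT",
+"type": "string"
+},
+{
+"name": "EXTRA_ARGS",
+"type": "string"
+},
+{
+"name": "BUILDER_IMAGE",
+"type": "string"
+}, {
+"name": "CHAINS-GIT_COMMIT",
+"type": "string",
+"default": "sha:task"
+}, {
+"name": "CHAINS-GIT_URL",
+"type": "string",
+"default": "https://defaultgit.test.com"
+}
+],
+"steps": [
+{
+"name": "step1"
+},
+{
+"name": "step2"
+},
+{
+"name": "step3"
+}
+],
+"results": [
+{
+"name": "IMAGE_DIGEST",
+"description": "Digest of the image just built."
+},
+{
+"name": "filename_DIGEST",
+"description": "Digest of the file just built."
+}
+]
+},
+"provenance": {
+"refSource": {
+"uri": "github.com/test",
+"digest": {
+"sha1": "ab123"
+},
+"entryPoint": "build.yaml"
+}
+}
+}
+}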
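--- a/pkg/chains/formats/slsa/testdata/pipeline-v1beta1/taskrun5.json
+++ b/pkg/chains/formats/slsa/testdata/pipeline-v1beta1/taskrun5.json
@@ -0,0 +1,141 @@
+{
+"metadata": {
+"name": "mismatch size between Status.Steps and Status.TaskSpec.Steps",
+"labels": {
+"tekton.dev/pipelineTask": "build"
+}
+},
+"spec": {
+"params": [
+{
+"name": "IMAGE",
+"value": "test.io/test/image"
+},
+{
+"name": "CHAINS-GIT_COMMIT",
+"value": "sha:taskrun"
+},
+{
+"name": "CHAINS-GIT_URL",
+"value": "https://git.test.com"
+}
+],
+"taskRef": {
+"name": "build",
+"kind": "Task"
+},
+"serviceAccountName": "default"
+},
+"status": {
+"startTime": "2021-03-29T09:50:00Z",
+"completionTime": "2021-03-29T09:50:15Z",
+"conditions": [
+{
+"type": "Succeeded",
+"status": "True",
+"lastTransitionTime": "2021-03-29T09:50:15Z",
+"reason": "Succeeded",
+"message": "All Steps have completed executing"
+}
+],
+"podName": "test-pod-name",
+"steps": [
+{
+"name": "step1",
+"container": "step-step1",
+"imageID": "docker-pullable://gcr.io/test10/test10@sha256:d4b63d3e24d6eef04a6dc0795cf8a73470688803d97c52cffa3c8d4efd3397b6"
+},
+{
+"name": "step2",
+"container": "step-step2",
+"imageID": "docker-pullable://gcr.io/test11/test11@sha256:4d6dd704ef58cb214dd826519929e92a978a57cdee43693006139c0080fd6fac"
+},
+{
+"name": "step3",
+"container": "step-step3",
+"imageID": "docker-pullable://gcr.io/test12/test12@sha256:f1a8b8549c179f41e27ff3db0fe1a1793e4b109da46586501a8343637b1d0478"
+},
+{
+"name": "step4",
+"container": "step-step3",
+"imageID": "docker-pullable://gcr.io/test13/test13@sha256:f1a8b8549c179f41e27ff3db0fe1a1793e4b109da46586501a8343637b1d0478"
+}
+],
+"taskResults": [
+{
+"name": "IMAGE_DIGEST",
+"value": "sha256:827521c857fdcd4374f4da5442fbae2edb01e7fbae285c3ec15673d4c1daecb7"
+},
+{
+"name": "IMAGE_URL",
+"value": "gcr.io/my/image"
+}
+],
+"taskSpec": {
+"params": [
+{
+"name": "IMAGE",
+"type": "string"
+},
+{
+"name": "filename",
+"type": "string"
+},
+{
+"name": "DOCKERFILE",
+"type": "string"
+},
+{
+"name": "CONTEXT",
+"type": "string"
+},
+{
+"name": "EXTRA_ARGS",
+"type": "string"
+},
+{
+"name": "BUILDER_IMAGE",
+"type": "string"
+}, {
+"name": "CHAINS-GIT_COMMIT",
+"type": "string",
+"default": "sha:task"
+}, {
+"name": "CHAINS-GIT_URL",
+"type": "string",
+"default": "https://defaultgit.test.com"
+}
+],
+"steps": [
+{
+"name": "step1"
+},
+{
+"name": "step2"
+},
+{
+"name": "step3"
+}
+],
+"results": [
+{
+"name": "IMAGE_DIGEST",
+"description": "Digest of the image just built."
+},
+{
+"name": "filename_DIGEST",
+"description": "Digest of the file just built."
+}
+]
+},
+"provenance": {
+"refSource": {
+"uri": "github.com/test",
+"digest": {
+"sha1": "ab123"
+},
+"entryPoint": "build.yaml"
+}
+}
+}
+}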
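Review bot: The fourth `status.steps` entry (`step4`) reuses `"container": "step-step3"` and the same image digest as `step3`, which looks like a copy-paste leftover rather than part of the size-mismatch scenario. `"container": "step-step4"` with its own digest would keep the fixture self-consistent. The test presumably depends only on the list lengths, so this should not change the result, but distinct step states make it clearer which entry is the extra one when this fixture feeds provenance tests.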
34 changes: 30 additions & 4 deletions pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go
@@ -15,6 +15,7 @@ package pipelinerun

import (
"context"
"strings"
"time"

intoto "github.com/in-toto/attestation/go/v1"
@@ -112,14 +113,39 @@ func buildConfig(ctx context.Context, pro *objects.PipelineRunObjectV1Beta1) Bui
for _, tr := range taskRuns {
// Ignore Tasks that did not execute during the PipelineRun.
if tr.Status.CompletionTime == nil {
logger.Infof("taskrun status not complete for task %s", tr.Name)
logger.Warnf("taskrun status not complete for task %s", tr.Name)
continue
}

steps := []attest.StepAttestation{}
for i, stepState := range tr.Status.Steps {
step := tr.Status.TaskSpec.Steps[i]
steps = append(steps, attest.Step(&step, &stepState))
// tr.Status.TaskSpec.Steps and tr.Status.Steps should be sime size
if len(tr.Status.TaskSpec.Steps) != len(tr.Status.Steps) {
logger.Errorf("Mismatch in number of steps for task run %s. TaskSpec steps: %d, Status steps: %d",
tr.Name, len(tr.Status.TaskSpec.Steps), len(tr.Status.Steps))
continue // Skip this task run entirely
Member


Shouldn't we mark the TaskRun as "failed to sign" or something ? (so that the controller doesn't pick it up later on).

Member Author


I think we don't have a way to do this today; I'm referencing a discussion about that here: #979

}

// Validate and process steps
valid := true
for i, step := range tr.Status.TaskSpec.Steps {
stepState := tr.Status.Steps[i]

// Check if unnamed step matches empty name in the other list
if strings.HasPrefix(stepState.Name, "unnamed-") && step.Name != "" {
logger.Errorf("Mismatch in step names for task run %s. Step %d: %s, StepState %d: %s",
tr.Name, i, step.Name, i, stepState.Name)
valid = false
break
}

if valid {
steps = append(steps, attest.Step(&step, &stepState))
}
}

if !valid {
logger.Errorf("Skipping task run %s due to step name mismatch", tr.Name)
continue
}

after := t.RunAfter
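Review bot: The name check in the new validation loop only fires when the status entry starts with `unnamed-` and the spec step is named, so two equally long lists whose named steps differ or are in a different order still pass, and a spec step can be attested together with another step's `imageID`. Assuming status names mirror spec names for named steps, the stricter guard `if step.Name != "" && stepState.Name != step.Name {` covers the present case as well. The inner `if valid {` is always true because the mismatch branch breaks out of the loop, so the `append` can be unconditional, and the comment above the length check should read `same size`. `len(tr.Status.TaskSpec.Steps)` also dereferences `TaskSpec` with no nil check in the visible lines; if that field can be unset on a completed TaskRun, a guard before the length comparison would avoid a panic. `buildConfig` begins and ends outside this hunk.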