Add support for SLSA Build Provenance (#55)

* Add SLSA Build Provenance generators

Signed-off-by: Marcela Melara <[email protected]>

* Debug SLSA provenance generation

Signed-off-by: Marcela Melara <[email protected]>

* Fix compiler errors

Signed-off-by: Marcela Melara <[email protected]>

* Remove SLSA test script

Signed-off-by: Marcela Melara <[email protected]>

* Add key path checking to SLSA cli generator

Signed-off-by: Marcela Melara <[email protected]>

* Use encoding flag in every command

Signed-off-by: Marcela Melara <[email protected]>

* Fix error

Signed-off-by: Marcela Melara <[email protected]>

---------

Signed-off-by: Marcela Melara <[email protected]>

Author: marcelamelara

src/cli/commands.rs

@@ -61,9 +61,9 @@ pub enum DatasetCommands {
         #[arg(long = "print")]
         print: bool,
 
-        /// Output format (json or cbor)
-        #[arg(long = "format", default_value = "json")]
-        format: String,
+        /// Output encoding (json or cbor)
+        #[arg(long = "encoding", default_value = "json")]
+        encoding: String,
 
         /// Storage backend (local or rekor)
         #[arg(long = "storage-type", default_value = "database")]
@@ -289,9 +289,9 @@ pub enum ManifestCommands {
         #[arg(long = "storage-url", default_value = "http://localhost:8080")]
         storage_url: Box<String>,
 
-        /// Output format (json or yaml)
-        #[arg(long = "format", default_value = "json")]
-        format: String,
+        /// Output encoding (json or yaml)
+        #[arg(long = "encoding", default_value = "json")]
+        encoding: String,
 
         /// Output file path (defaults to stdout if not provided)
         #[arg(short, long)]
@@ -351,9 +351,9 @@ pub enum EvaluationCommands {
         #[arg(long = "print")]
         print: bool,
 
-        /// Output format (json or cbor)
-        #[arg(long = "format", default_value = "json")]
-        format: String,
+        /// Output encoding (json or cbor)
+        #[arg(long = "encoding", default_value = "json")]
+        encoding: String,
 
         /// Storage backend (local or rekor)
         #[arg(long = "storage-type", default_value = "database")]
@@ -458,9 +458,9 @@ pub enum SoftwareCommands {
         #[arg(long = "print")]
         print: bool,
 
-        /// Output format (json or cbor)
-        #[arg(long = "format", default_value = "json")]
-        format: String,
+        /// Output encoding (json or cbor)
+        #[arg(long = "encoding", default_value = "json")]
+        encoding: String,
 
         /// Storage backend (local or rekor)
         #[arg(long = "storage-type", default_value = "database")]
@@ -534,3 +534,49 @@ pub enum SoftwareCommands {
         storage_url: Box<String>,
     },
 }
+
+#[derive(Debug, Subcommand)]
+pub enum PipelineCommands {
+    /// Generate SLSA Build Provenance v1 for the given pipeline
+    GenerateProvenance {
+        /// Paths to any pipeline inputs and other external parameters
+        #[arg(long = "inputs", num_args = 1.., value_delimiter = ',')]
+        inputs: Vec<PathBuf>,
+
+        /// Path to pipeline script or configuration
+        #[arg(long = "pipeline")]
+        pipeline: PathBuf,
+
+        /// Paths to any pipeline products
+        #[arg(long = "products", num_args = 1.., value_delimiter = ',')]
+        products: Vec<PathBuf>,
+
+        /// Path to private key file for signing (PEM format)
+        #[arg(long = "key")]
+        key: Option<PathBuf>,
+
+        /// Hash algorithm to use for signing (default: sha384)
+        #[arg(long = "hash-alg", value_enum, default_value = "sha384")]
+        hash_alg: HashAlgorithmChoice,
+
+        /// Only print SLSA Provenance without storing
+        #[arg(long = "print")]
+        print: bool,
+
+        /// Output encoding (json or cbor)
+        #[arg(long = "encoding", default_value = "json")]
+        encoding: String,
+
+        /// Storage backend (only local supported)
+        #[arg(long = "storage-type", default_value = "local-fs")]
+        storage_type: Box<String>,
+
+        /// Storage URL
+        #[arg(long = "storage-url", default_value = "http://localhost:8080")]
+        storage_url: Box<String>,
+
+        /// Collect the underlying TDX attestation, if available
+        #[arg(long = "with-tdx", default_value = "false")]
+        with_tdx: bool,
+    },
+}

src/cli/handlers.rs

@@ -2,12 +2,13 @@ use crate::error::{Error, Result};
 
 use super::commands::{
     CCAttestationCommands, DatasetCommands, EvaluationCommands, ManifestCommands, ModelCommands,
-    SoftwareCommands,
+    PipelineCommands, SoftwareCommands,
 };
 use crate::cc_attestation;
 use crate::manifest;
 use crate::manifest::config::ManifestCreationConfig;
 use crate::manifest::dataset::list_dataset_manifests;
+use crate::slsa;
 use crate::storage::database::DatabaseStorage;
 use crate::storage::filesystem::FilesystemStorage;
 use crate::storage::rekor::RekorStorage;
@@ -28,7 +29,7 @@ pub fn handle_dataset_command(cmd: DatasetCommands) -> Result<()> {
             storage_type,
             storage_url,
             print,
-            format,
+            encoding,
             key,
             hash_alg,
             with_tdx,
@@ -59,7 +60,7 @@ pub fn handle_dataset_command(cmd: DatasetCommands) -> Result<()> {
                 linked_manifests,
                 storage,
                 print,
-                output_encoding: format,
+                output_encoding: encoding,
                 key_path: key,
                 hash_alg: hash_alg.to_cose_algorithm(),
                 with_cc: with_tdx,
@@ -286,7 +287,7 @@ pub fn handle_manifest_command(cmd: ManifestCommands) -> Result<()> {
             id,
             storage_type,
             storage_url,
-            format,
+            encoding,
             output,
             max_depth,
         } => {
@@ -300,7 +301,7 @@ pub fn handle_manifest_command(cmd: ManifestCommands) -> Result<()> {
             manifest::export_provenance(
                 &id,
                 &*storage,
-                format.as_str(),
+                encoding.as_str(),
                 output.as_deref(),
                 max_depth,
             )
@@ -322,7 +323,7 @@ pub fn handle_evaluation_command(cmd: EvaluationCommands) -> Result<()> {
             storage_type,
             storage_url,
             print,
-            format,
+            encoding,
             key,
             hash_alg,
         } => {
@@ -352,7 +353,7 @@ pub fn handle_evaluation_command(cmd: EvaluationCommands) -> Result<()> {
                 linked_manifests: None, // Will be populated by create_manifest
                 storage,
                 print,
-                output_encoding: format,
+                output_encoding: encoding,
                 key_path: key,
                 hash_alg: hash_alg.to_cose_algorithm(),
                 with_cc: false,
@@ -437,7 +438,7 @@ pub fn handle_software_command(cmd: SoftwareCommands) -> Result<()> {
             storage_type,
             storage_url,
             print,
-            format,
+            encoding,
             key,
             hash_alg,
             with_tdx,
@@ -468,7 +469,7 @@ pub fn handle_software_command(cmd: SoftwareCommands) -> Result<()> {
                 linked_manifests,
                 storage,
                 print,
-                output_encoding: format,
+                output_encoding: encoding,
                 key_path: key,
                 hash_alg: hash_alg.to_cose_algorithm(),
                 with_cc: with_tdx,
@@ -540,3 +541,40 @@ pub fn handle_software_command(cmd: SoftwareCommands) -> Result<()> {
         }
     }
 }
+
+pub fn handle_pipeline_command(cmd: PipelineCommands) -> Result<()> {
+    match cmd {
+        PipelineCommands::GenerateProvenance {
+            inputs,
+            pipeline,
+            products,
+            key,
+            hash_alg,
+            encoding,
+            print,
+            storage_type,
+            storage_url,
+            with_tdx,
+        } => {
+            let storage: Option<&'static dyn StorageBackend> = match storage_type.as_str() {
+                "local-fs" => {
+                    let fs_storage = Box::new(FilesystemStorage::new(storage_url.as_str())?);
+                    Some(Box::leak(fs_storage))
+                }
+                _ => None,
+            };
+
+            slsa::cli::generate_build_provenance(
+                inputs,
+                pipeline,
+                products,
+                key,
+                hash_alg.to_cose_algorithm(),
+                encoding,
+                print,
+                storage,
+                with_tdx,
+            )
+        }
+    }
+}

src/cli/mod.rs

@@ -4,16 +4,17 @@ use crate::error::Error;
 
 // Re-export commonly used items
 pub use commands::{
-    CCAttestationCommands, DatasetCommands, ManifestCommands, ModelCommands, SoftwareCommands,
+    CCAttestationCommands, DatasetCommands, ManifestCommands, ModelCommands, PipelineCommands,
+    SoftwareCommands,
 };
 pub use handlers::{
     handle_cc_attestation_command, handle_dataset_command, handle_manifest_command,
-    handle_model_command, handle_software_command,
+    handle_model_command, handle_pipeline_command, handle_software_command,
 };
 
 // Optional: Add any CLI-specific constants or shared utilities
 pub const CLI_VERSION: &str = env!("CARGO_PKG_VERSION");
-pub const CLI_NAME: &str = "c2pa-cli";
+pub const CLI_NAME: &str = "atlas-cli";
 
 pub fn format_error(error: &Error) -> String {
     match error {

src/in_toto/mod.rs

@@ -1,4 +1,5 @@
 use crate::error::{Error, Result};
+use crate::hash;
 use crate::signing::signable::Signable;
 
 use atlas_c2pa_lib::cose::HashAlgorithm;
@@ -7,7 +8,7 @@ use in_toto_attestation::v1::resource_descriptor::ResourceDescriptor;
 use protobuf::well_known_types::struct_::Struct;
 use protobuf_json_mapping::{parse_from_str, print_to_string};
 use std::collections::HashMap;
-use std::path::PathBuf;
+use std::path::{Path, PathBuf};
 
 pub mod dsse;
 
@@ -33,6 +34,21 @@ pub fn make_minimal_resource_descriptor(name: &str, alg: &str, digest: &str) ->
     rd
 }
 
+pub fn generate_file_resource_descriptor_from_path(
+    path: &Path,
+    algorithm: &HashAlgorithm,
+) -> Result<ResourceDescriptor> {
+    let file_hash = hash::calculate_file_hash_with_algorithm(path, algorithm)?;
+
+    let digest_set = HashMap::from([(algorithm.as_str().to_string(), file_hash.to_string())]);
+
+    let mut rd = ResourceDescriptor::new();
+    rd.name = String::from(path.to_string_lossy());
+    rd.digest = digest_set;
+
+    Ok(rd)
+}
+
 pub fn generate_signed_statement_v1(
     subject: &[ResourceDescriptor],
     predicate_type: &str,

src/lib.rs

@@ -38,6 +38,7 @@ pub mod hash;
 pub mod in_toto;
 pub mod manifest;
 pub mod signing;
+pub mod slsa;
 pub mod storage;
 #[cfg(test)]
 mod tests;

src/main.rs

@@ -3,7 +3,7 @@ use atlas_cli::{
         self,
         commands::{
             CCAttestationCommands, DatasetCommands, EvaluationCommands, ManifestCommands,
-            ModelCommands, SoftwareCommands,
+            ModelCommands, PipelineCommands, SoftwareCommands,
         },
     },
     error::Result,
@@ -44,6 +44,11 @@ enum Commands {
         #[command(subcommand)]
         command: EvaluationCommands,
     },
+    /// Pipeline-related commands
+    Pipeline {
+        #[command(subcommand)]
+        command: PipelineCommands,
+    },
     /// CC Attestation-related commands
     CCAttestation {
         #[command(subcommand)]
@@ -66,6 +71,7 @@ fn main() -> Result<()> {
 
         Commands::Manifest { command } => cli::handlers::handle_manifest_command(command),
         Commands::Evaluation { command } => cli::handlers::handle_evaluation_command(command),
+        Commands::Pipeline { command } => cli::handlers::handle_pipeline_command(command),
         Commands::CCAttestation { command } => {
             cli::handlers::handle_cc_attestation_command(command)
         }