fix: address review feedback for in-toto-golang removal

Signed-off-by: Abhishek <abhishekup082@gmail.com>

Author: Abhishek9639

pkg/handler/processor/guesser/type_ite6.go

@@ -35,19 +35,32 @@ type ite6Statement struct {
 }
 
 // getType returns the statement type from whichever format was used.
+// in-toto v1 is the current standard; v0.1 is supported for backwards
+// compatibility. A document that populates both _type and type is malformed.
 func (s *ite6Statement) getType() string {
-	if s.TypeV01 != "" {
-		return s.TypeV01
+	if s.TypeV1 != "" && s.TypeV01 != "" {
+		// Both fields set: reject the ambiguous/malformed document.
+		return ""
 	}
-	return s.TypeV1
+	if s.TypeV1 != "" {
+		return s.TypeV1
+	}
+	return s.TypeV01
 }
 
 // getPredicateType returns the predicate type from whichever format was used.
+// in-toto v1 is the current standard; v0.1 is supported for backwards
+// compatibility. A document that populates both predicateType and predicate_type
+// is malformed.
 func (s *ite6Statement) getPredicateType() string {
-	if s.PredicateTypeV01 != "" {
-		return s.PredicateTypeV01
+	if s.PredicateTypeV1 != "" && s.PredicateTypeV01 != "" {
+		// Both fields set: reject the ambiguous/malformed document.
+		return ""
+	}
+	if s.PredicateTypeV1 != "" {
+		return s.PredicateTypeV1
 	}
-	return s.PredicateTypeV1
+	return s.PredicateTypeV01
 }
 
 type ite6TypeGuesser struct{}

pkg/handler/processor/guesser/type_ite6_test.go

@@ -35,14 +35,29 @@ func Test_Ite6TypeGuesser(t *testing.T) {
 		name:     "valid ITE6 Document",
 		blob:     []byte(`{"_type": "https://in-toto.io/Statement/v0.1"}`),
 		expected: processor.DocumentITE6Generic,
+	}, {
+		name:     "valid ITE6 v1 Document",
+		blob:     []byte(`{"type": "https://in-toto.io/Statement/v1"}`),
+		expected: processor.DocumentITE6Generic,
 	}, {
 		name:     "valid SLSA ITE6 Document",
 		blob:     []byte(`{"_type": "https://in-toto.io/Statement/v0.1", "predicateType": "https://slsa.dev/provenance/v0.2"}`),
 		expected: processor.DocumentITE6SLSA,
+	}, {
+		name:     "valid SLSA ITE6 v1 Document",
+		blob:     []byte(`{"type": "https://in-toto.io/Statement/v1", "predicate_type": "https://slsa.dev/provenance/v0.2"}`),
+		expected: processor.DocumentITE6SLSA,
 	}, {
 		name:     "valid SLSA ITE6 Document with different versions",
 		blob:     []byte(`{"_type": "https://in-toto.io/Statement/v1.1", "predicateType": "https://slsa.dev/provenance/v1.0"}`),
 		expected: processor.DocumentITE6SLSA,
+	}, {
+		// A document that populates both v0.1 and v1 type fields is malformed and
+		// must be rejected (returns DocumentUnknown) rather than silently
+		// preferring one format over the other.
+		name:     "ambiguous ITE6 Document with both _type and type fields",
+		blob:     []byte(`{"_type": "https://in-toto.io/Statement/v0.1", "type": "https://in-toto.io/Statement/v1", "predicateType": "https://slsa.dev/provenance/v0.2", "predicate_type": "https://slsa.dev/provenance/v0.2"}`),
+		expected: processor.DocumentUnknown,
 	}, {
 		name:     "valid CREV ITE6 Document",
 		blob:     testdata.ITE6CREVExample,

pkg/handler/processor/ite6/ite6.go

@@ -26,9 +26,14 @@ import (
 var json = jsoniter.ConfigCompatibleWithStandardLibrary
 
 // ite6Statement is used for unmarshalling in-toto statement headers.
+// It handles both v0.1 (_type/predicateType) and v1 (type/predicate_type)
+// in-toto statement formats. Exactly one set of fields should be populated;
+// if neither is set after unmarshalling, the document is rejected with an error.
 type ite6Statement struct {
-	Type          string `json:"_type"`
-	PredicateType string `json:"predicateType"`
+	TypeV01          string `json:"_type"`
+	PredicateTypeV01 string `json:"predicateType"`
+	TypeV1           string `json:"type"`
+	PredicateTypeV1  string `json:"predicate_type"`
 }
 
 type ITE6Processor struct {
@@ -63,5 +68,9 @@ func parseStatement(p []byte) (*ite6Statement, error) {
 	if err := json.Unmarshal(p, &ps); err != nil {
 		return nil, err
 	}
+	// Reject documents where neither format's fields are populated.
+	if ps.TypeV01 == "" && ps.TypeV1 == "" {
+		return nil, fmt.Errorf("in-toto statement has neither v0.1 (_type) nor v1 (type) statement type field")
+	}
 	return &ps, nil
 }

pkg/ingestor/parser/slsa/parser_slsa.go

@@ -19,9 +19,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
-
 	"strings"
-	"time"
 
 	jsoniter "github.com/json-iterator/go"
 
@@ -42,81 +40,14 @@ import (
 // - a pkg or source depending on what is represented by the name/URI
 // - An IsOccurence input spec which will generate a predicate for each occurence
 
-// DigestSet is a set of digests keyed by algorithm name (e.g. "sha256").
-type DigestSet = map[string]string
-
-// ProvenanceMaterial represents a material used in a provenance attestation.
-type ProvenanceMaterial struct {
-	URI    string    `json:"uri"`
-	Digest DigestSet `json:"digest,omitempty"`
-}
-
-// ProvenanceBuilder identifies the entity that executed the build steps.
-type ProvenanceBuilder struct {
-	ID string `json:"id"`
-}
-
 const (
 	PredicateSLSAProvenanceV01 = "https://slsa.dev/provenance/v0.1"
 	PredicateSLSAProvenanceV02 = "https://slsa.dev/provenance/v0.2"
 
-	// PredicateSLSAProvenancev1 is the predicate type for SLSAv1.0 provenance.
-	PredicateSLSAProvenancev1 = "https://slsa.dev/provenance/v1"
+	// PredicateSLSAProvenanceV1 is the predicate type for SLSAv1.0 provenance.
+	PredicateSLSAProvenanceV1 = "https://slsa.dev/provenance/v1"
 )
 
-// ProvenancePredicateV01 is the SLSA v0.1 provenance predicate.
-type ProvenancePredicateV01 struct {
-	Builder   ProvenanceBuilder       `json:"builder"`
-	Recipe    ProvenanceRecipe        `json:"recipe"`
-	Metadata  *ProvenanceMetadataV01  `json:"metadata,omitempty"`
-	Materials []ProvenanceMaterial    `json:"materials,omitempty"`
-}
-
-// ProvenanceRecipe describes how the artifact was produced (SLSA v0.1).
-type ProvenanceRecipe struct {
-	Type              string      `json:"type"`
-	DefinedInMaterial *int        `json:"definedInMaterial,omitempty"`
-	EntryPoint        string      `json:"entryPoint,omitempty"`
-	Arguments         interface{} `json:"arguments,omitempty"`
-	Environment       interface{} `json:"environment,omitempty"`
-}
-
-// ProvenanceMetadataV01 holds build metadata for SLSA v0.1 provenance.
-type ProvenanceMetadataV01 struct {
-	BuildInvocationID string     `json:"buildInvocationId,omitempty"`
-	BuildStartedOn    *time.Time `json:"buildStartedOn,omitempty"`
-	BuildFinishedOn   *time.Time `json:"buildFinishedOn,omitempty"`
-	Completeness      struct {
-		Arguments   bool `json:"arguments"`
-		Environment bool `json:"environment"`
-		Materials   bool `json:"materials"`
-	} `json:"completeness"`
-	Reproducible bool `json:"reproducible"`
-}
-
-// ProvenancePredicateV02 is the SLSA v0.2 provenance predicate.
-type ProvenancePredicateV02 struct {
-	Builder     ProvenanceBuilder       `json:"builder"`
-	BuildType   string                  `json:"buildType"`
-	Invocation  interface{}             `json:"invocation,omitempty"`
-	BuildConfig interface{}             `json:"buildConfig,omitempty"`
-	Metadata    *ProvenanceMetadataV02  `json:"metadata,omitempty"`
-	Materials   []ProvenanceMaterial    `json:"materials,omitempty"`
-}
-
-// ProvenanceMetadataV02 holds build metadata for SLSA v0.2 provenance.
-type ProvenanceMetadataV02 struct {
-	BuildInvocationID string     `json:"buildInvocationId,omitempty"`
-	BuildStartedOn    *time.Time `json:"buildStartedOn,omitempty"`
-	BuildFinishedOn   *time.Time `json:"buildFinishedOn,omitempty"`
-	Completeness      struct {
-		Parameters  bool `json:"parameters"`
-		Environment bool `json:"environment"`
-		Materials   bool `json:"materials"`
-	} `json:"completeness"`
-	Reproducible bool `json:"reproducible"`
-}
-
 var ErrMetadataNil = errors.New("SLSA Metadata is nil")
 var ErrBuilderNil = errors.New("SLSA Builder is nil")
 var json = jsoniter.ConfigCompatibleWithStandardLibrary
@@ -209,7 +140,7 @@ func (s *slsaParser) getMaterials() error {
 		if err := s.getMaterials0(s.pred02.Materials); err != nil {
 			return err
 		}
-	case PredicateSLSAProvenancev1:
+	case PredicateSLSAProvenanceV1:
 		if s.pred1.BuildDefinition == nil {
 			return errors.New("SLSA1 buildDefinition is nil")
 		}
@@ -370,7 +301,7 @@ func (s *slsaParser) getSLSA() error {
 		if data, err = json.Marshal(s.pred02); err != nil {
 			return fmt.Errorf("could not marshal SLSA02: %w", err)
 		}
-	case PredicateSLSAProvenancev1:
+	case PredicateSLSAProvenanceV1:
 		if err := fillSLSA1(inp, s.pred1); err != nil {
 			return fmt.Errorf("could not fill SLSA1: %w", err)
 		}
@@ -409,7 +340,7 @@ func (s *slsaParser) getBuilder() error {
 		s.builder.Uri = s.pred01.Builder.ID
 	case PredicateSLSAProvenanceV02:
 		s.builder.Uri = s.pred02.Builder.ID
-	case PredicateSLSAProvenancev1:
+	case PredicateSLSAProvenanceV1:
 		if s.pred1.RunDetails == nil || s.pred1.RunDetails.Builder == nil {
 			return ErrBuilderNil
 		}
@@ -440,7 +371,7 @@ func (s *slsaParser) parseSlsaPredicate(p []byte) error {
 		if err := json.Unmarshal(predBytes, s.pred02); err != nil {
 			return fmt.Errorf("Could not unmarshal v0.2 SLSA provenance statement : %w", err)
 		}
-	case PredicateSLSAProvenancev1:
+	case PredicateSLSAProvenanceV1:
 		s.pred1 = &slsa1.Provenance{}
 		if err := protojson.Unmarshal(predBytes, s.pred1); err != nil {
 			return fmt.Errorf("Could not unmarshal v1.0 SLSA provenance statement : %w", err)

pkg/ingestor/parser/slsa/types_legacy.go

@@ -0,0 +1,101 @@
+//
+// Copyright 2022 The GUAC Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package slsa
+
+import "time"
+
+// This file contains local copies of types originally defined in the deprecated
+// github.com/in-toto/in-toto-golang library. They are kept here to support
+// SLSA v0.1 and v0.2 provenance parsing until those formats are dropped.
+//
+// Original definitions can be found in:
+//   https://github.com/in-toto/in-toto-golang
+//
+// TODO: delete this file when SLSA v0.1/v0.2 support is dropped.
+
+// DigestSet is a set of digests keyed by algorithm name (e.g. "sha256").
+type DigestSet = map[string]string
+
+// ProvenanceMaterial represents a material used in a provenance attestation.
+type ProvenanceMaterial struct {
+	URI    string    `json:"uri"`
+	Digest DigestSet `json:"digest,omitempty"`
+}
+
+// ProvenanceBuilder identifies the entity that executed the build steps.
+type ProvenanceBuilder struct {
+	ID string `json:"id"`
+}
+
+// ProvenanceRecipe describes how the artifact was produced (SLSA v0.1).
+type ProvenanceRecipe struct {
+	Type              string      `json:"type"`
+	DefinedInMaterial *int        `json:"definedInMaterial,omitempty"`
+	EntryPoint        string      `json:"entryPoint,omitempty"`
+	Arguments         interface{} `json:"arguments,omitempty"`
+	Environment       interface{} `json:"environment,omitempty"`
+}
+
+// CompletenessV01 tracks which fields are complete for SLSA v0.1 metadata.
+type CompletenessV01 struct {
+	Arguments   bool `json:"arguments"`
+	Environment bool `json:"environment"`
+	Materials   bool `json:"materials"`
+}
+
+// ProvenanceMetadataV01 holds build metadata for SLSA v0.1 provenance.
+type ProvenanceMetadataV01 struct {
+	BuildInvocationID string          `json:"buildInvocationId,omitempty"`
+	BuildStartedOn    *time.Time      `json:"buildStartedOn,omitempty"`
+	BuildFinishedOn   *time.Time      `json:"buildFinishedOn,omitempty"`
+	Completeness      CompletenessV01 `json:"completeness"`
+	Reproducible      bool            `json:"reproducible"`
+}
+
+// ProvenancePredicateV01 is the SLSA v0.1 provenance predicate.
+type ProvenancePredicateV01 struct {
+	Builder   ProvenanceBuilder    `json:"builder"`
+	Recipe    ProvenanceRecipe     `json:"recipe"`
+	Metadata  *ProvenanceMetadataV01 `json:"metadata,omitempty"`
+	Materials []ProvenanceMaterial `json:"materials,omitempty"`
+}
+
+// CompletenessV02 tracks which fields are complete for SLSA v0.2 metadata.
+// Note: field set differs from CompletenessV01 (Parameters instead of Arguments).
+type CompletenessV02 struct {
+	Parameters  bool `json:"parameters"`
+	Environment bool `json:"environment"`
+	Materials   bool `json:"materials"`
+}
+
+// ProvenanceMetadataV02 holds build metadata for SLSA v0.2 provenance.
+type ProvenanceMetadataV02 struct {
+	BuildInvocationID string          `json:"buildInvocationId,omitempty"`
+	BuildStartedOn    *time.Time      `json:"buildStartedOn,omitempty"`
+	BuildFinishedOn   *time.Time      `json:"buildFinishedOn,omitempty"`
+	Completeness      CompletenessV02 `json:"completeness"`
+	Reproducible      bool            `json:"reproducible"`
+}
+
+// ProvenancePredicateV02 is the SLSA v0.2 provenance predicate.
+type ProvenancePredicateV02 struct {
+	Builder     ProvenanceBuilder    `json:"builder"`
+	BuildType   string               `json:"buildType"`
+	Invocation  interface{}          `json:"invocation,omitempty"`
+	BuildConfig interface{}          `json:"buildConfig,omitempty"`
+	Metadata    *ProvenanceMetadataV02 `json:"metadata,omitempty"`
+	Materials   []ProvenanceMaterial `json:"materials,omitempty"`
+}

pkg/ingestor/verifier/sigstore_verifier/sigstore_verifier_test.go

@@ -41,38 +41,53 @@ import (
 const PayloadType = "application/vnd.in-toto+json"
 
 // StatementInTotoV01 is the in-toto v0.1 statement type.
+// Mirrors the canonical upstream type URI from github.com/in-toto/in-toto-golang.
 const StatementInTotoV01 = "https://in-toto.io/Statement/v0.1"
 
 // predicateSLSAProvenanceV02 is the predicate type for SLSAv0.2 provenance.
+// Mirrors parser_slsa.PredicateSLSAProvenanceV02.
 const predicateSLSAProvenanceV02 = "https://slsa.dev/provenance/v0.2"
 
-// digestSet is a set of digests keyed by algorithm name.
+// digestSet is a set of digests keyed by algorithm name (e.g. "sha256").
+// Mirrors the DigestSet type from github.com/in-toto/in-toto-golang/in_toto.
 type digestSet = map[string]string
 
 // provenanceBuilder identifies the entity that executed the build steps.
+// Mirrors the ProvenanceBuilder type from github.com/in-toto/in-toto-golang/in_toto
+// with the same JSON field name to ensure the test exercises the correct wire format.
 type provenanceBuilder struct {
 	ID string `json:"id"`
 }
 
 // subject describes the set of software artifacts the statement applies to.
+// Mirrors the Subject type from github.com/in-toto/in-toto-golang/in_toto
+// with the same JSON field names to ensure the test exercises the correct wire format.
 type subject struct {
 	Name   string    `json:"name"`
 	Digest digestSet `json:"digest"`
 }
 
-// statementHeader defines the common fields for all statements.
+// statementHeader defines the common fields for all in-toto v0.1 statements.
+// Mirrors the StatementHeader type from github.com/in-toto/in-toto-golang/in_toto
+// with identical JSON tags (_type, predicateType, subject) to exercise the
+// exact wire format the verifier processes in production.
 type statementHeader struct {
 	Type          string    `json:"_type"`
 	PredicateType string    `json:"predicateType"`
 	Subject       []subject `json:"subject"`
 }
 
-// provenancePredicate is the SLSA v0.2 provenance predicate (simplified for testing).
+// provenancePredicate is the SLSA v0.2 provenance predicate.
+// Mirrors the ProvenancePredicate type from github.com/in-toto/in-toto-golang/in_toto
+// (simplified to only the fields needed for signing/verification testing).
 type provenancePredicate struct {
 	Builder provenanceBuilder `json:"builder"`
 }
 
-// provenanceStatement is the definition for an entire provenance statement (for testing).
+// provenanceStatement is the complete in-toto v0.1 provenance statement.
+// Mirrors the ProvenanceStatement type from github.com/in-toto/in-toto-golang/in_toto
+// with the same embedded statementHeader and JSON field names to ensure
+// the test exercises the exact format the verifier consumes in production.
 type provenanceStatement struct {
 	statementHeader
 	Predicate provenancePredicate `json:"predicate"`