Embed Ref types directly into attestations

client/client_test.go

@@ -7086,18 +7086,20 @@ func testExportAttestations(t *testing.T, sb integration.Sandbox) {
 			if err != nil {
 				return nil, err
 			}
-			res.AddAttestation(pk, result.Attestation{
+			res.AddAttestation(pk, gateway.Attestation{
 				Kind: gatewaypb.AttestationKindInToto,
+				Ref:  refAttest,
 				Path: "/attestation.json",
 				InToto: result.InTotoAttestation{
 					PredicateType: "https://example.com/attestations/v1.0",
 					Subjects: []result.InTotoSubject{{
 						Kind: gatewaypb.InTotoSubjectKindSelf,
 					}},
 				},
-			}, refAttest)
-			res.AddAttestation(pk, result.Attestation{
+			})
+			res.AddAttestation(pk, gateway.Attestation{
 				Kind: gatewaypb.AttestationKindInToto,
+				Ref:  refAttest,
 				Path: "/attestation2.json",
 				InToto: result.InTotoAttestation{
 					PredicateType: "https://example.com/attestations2/v1.0",
@@ -7107,7 +7109,7 @@ func testExportAttestations(t *testing.T, sb integration.Sandbox) {
 						Digest: []digest.Digest{successDigest},
 					}},
 				},
-			}, refAttest)
+			})
 		}
 
 		dt, err := json.Marshal(expPlatforms)
@@ -7400,13 +7402,14 @@ func testAttestationDefaultSubject(t *testing.T, sb integration.Sandbox) {
 			if err != nil {
 				return nil, err
 			}
-			res.AddAttestation(pk, result.Attestation{
+			res.AddAttestation(pk, gateway.Attestation{
 				Kind: gatewaypb.AttestationKindInToto,
+				Ref:  refAttest,
 				Path: "/attestation.json",
 				InToto: result.InTotoAttestation{
 					PredicateType: "https://example.com/attestations/v1.0",
 				},
-			}, refAttest)
+			})
 		}
 
 		dt, err := json.Marshal(expPlatforms)
@@ -7553,10 +7556,11 @@ func testAttestationBundle(t *testing.T, sb integration.Sandbox) {
 			if err != nil {
 				return nil, err
 			}
-			res.AddAttestation(pk, result.Attestation{
+			res.AddAttestation(pk, gateway.Attestation{
 				Kind: gatewaypb.AttestationKindBundle,
+				Ref:  refAttest,
 				Path: "/bundle",
-			}, refAttest)
+			})
 		}
 
 		dt, err := json.Marshal(expPlatforms)
@@ -7755,13 +7759,14 @@ EOF
 					return nil, err
 				}
 
-				res.AddAttestation(pk, result.Attestation{
+				res.AddAttestation(pk, gateway.Attestation{
 					Kind: gatewaypb.AttestationKindInToto,
+					Ref:  refAttest,
 					Path: "/result.spdx",
 					InToto: result.InTotoAttestation{
 						PredicateType: intoto.PredicateSPDX,
 					},
-				}, refAttest)
+				})
 			}
 
 			return res, nil
@@ -8005,6 +8010,15 @@ EOF
 		}
 		res.AddMeta(exptypes.ExporterImageConfigKey, config)
 
+		expPlatforms := &exptypes.Platforms{
+			Platforms: []exptypes.Platform{{ID: pk, Platform: p}},
+		}
+		dt, err := json.Marshal(expPlatforms)
+		if err != nil {
+			return nil, err
+		}
+		res.AddMeta(exptypes.ExporterPlatformsKey, dt)
+
 		return res, nil
 	}
 

control/control.go

@@ -17,7 +17,6 @@ import (
 	controlgateway "github.com/moby/buildkit/control/gateway"
 	"github.com/moby/buildkit/exporter"
 	"github.com/moby/buildkit/exporter/util/epoch"
-	"github.com/moby/buildkit/exporter/util/multiplatform"
 	"github.com/moby/buildkit/frontend"
 	"github.com/moby/buildkit/frontend/attestations"
 	"github.com/moby/buildkit/session"
@@ -305,16 +304,6 @@ func (c *Controller) Solve(ctx context.Context, req *controlapi.SolveRequest) (*
 		}
 	}
 
-	// if multi-platform is set, enable it for the exporter
-	if v, ok := multiplatform.ParseBuildArgs(req.FrontendAttrs); ok {
-		if _, ok := req.ExporterAttrs[multiplatform.KeyMultiPlatform]; !ok {
-			if req.ExporterAttrs == nil {
-				req.ExporterAttrs = make(map[string]string)
-			}
-			req.ExporterAttrs[multiplatform.KeyMultiPlatform] = v
-		}
-	}
-
 	if req.Exporter != "" {
 		exp, err := w.Exporter(req.Exporter, c.opt.SessionManager)
 		if err != nil {
@@ -369,10 +358,6 @@ func (c *Controller) Solve(ctx context.Context, req *controlapi.SolveRequest) (*
 
 	var procs []llbsolver.Processor
 
-	if len(attests) > 0 {
-		procs = append(procs, proc.ForceRefsProcessor)
-	}
-
 	if attrs, ok := attests["sbom"]; ok {
 		src := attrs["generator"]
 		if src == "" {

exporter/attestation/filter.go

@@ -3,15 +3,15 @@ package attestation
 import (
 	"bytes"
 
-	"github.com/moby/buildkit/solver/result"
+	"github.com/moby/buildkit/exporter"
 )
 
-func Filter(attestations []result.Attestation, include map[string][]byte, exclude map[string][]byte) []result.Attestation {
+func Filter(attestations []exporter.Attestation, include map[string][]byte, exclude map[string][]byte) []exporter.Attestation {
 	if len(include) == 0 && len(exclude) == 0 {
 		return attestations
 	}
 
-	result := []result.Attestation{}
+	result := []exporter.Attestation{}
 	for _, att := range attestations {
 		meta := att.Metadata
 		if meta == nil {

exporter/attestation/make.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/containerd/continuity/fs"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
-	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/exporter"
 	gatewaypb "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/snapshot"
@@ -17,23 +17,16 @@ import (
 )
 
 // ReadAll reads the content of an attestation.
-func ReadAll(ctx context.Context, s session.Group, refs map[string]cache.ImmutableRef, att result.Attestation) ([]byte, error) {
+func ReadAll(ctx context.Context, s session.Group, att exporter.Attestation) ([]byte, error) {
 	var content []byte
 	if att.ContentFunc != nil {
 		data, err := att.ContentFunc()
 		if err != nil {
 			return nil, err
 		}
 		content = data
-	} else {
-		if refs == nil {
-			return nil, errors.Errorf("no refs map provided to lookup attestation keys")
-		}
-		ref, ok := refs[att.Ref]
-		if !ok {
-			return nil, errors.Errorf("key %s not found in refs map", att.Ref)
-		}
-		mount, err := ref.Mount(ctx, true, s)
+	} else if att.Ref != nil {
+		mount, err := att.Ref.Mount(ctx, true, s)
 		if err != nil {
 			return nil, err
 		}
@@ -52,6 +45,8 @@ func ReadAll(ctx context.Context, s session.Group, refs map[string]cache.Immutab
 		if err != nil {
 			return nil, errors.Wrap(err, "cannot read in-toto attestation")
 		}
+	} else {
+		return nil, errors.New("no available content for attestation")
 	}
 	if len(content) == 0 {
 		content = nil
@@ -61,14 +56,14 @@ func ReadAll(ctx context.Context, s session.Group, refs map[string]cache.Immutab
 
 // MakeInTotoStatements iterates over all provided result attestations and
 // generates intoto attestation statements.
-func MakeInTotoStatements(ctx context.Context, s session.Group, refs map[string]cache.ImmutableRef, attestations []result.Attestation, defaultSubjects []intoto.Subject) ([]intoto.Statement, error) {
+func MakeInTotoStatements(ctx context.Context, s session.Group, attestations []exporter.Attestation, defaultSubjects []intoto.Subject) ([]intoto.Statement, error) {
 	eg, ctx := errgroup.WithContext(ctx)
 	statements := make([]intoto.Statement, len(attestations))
 
 	for i, att := range attestations {
 		i, att := i, att
 		eg.Go(func() error {
-			content, err := ReadAll(ctx, s, refs, att)
+			content, err := ReadAll(ctx, s, att)
 			if err != nil {
 				return err
 			}
@@ -92,7 +87,7 @@ func MakeInTotoStatements(ctx context.Context, s session.Group, refs map[string]
 	return statements, nil
 }
 
-func makeInTotoStatement(ctx context.Context, content []byte, attestation result.Attestation, defaultSubjects []intoto.Subject) (*intoto.Statement, error) {
+func makeInTotoStatement(ctx context.Context, content []byte, attestation exporter.Attestation, defaultSubjects []intoto.Subject) (*intoto.Statement, error) {
 	if len(attestation.InToto.Subjects) == 0 {
 		attestation.InToto.Subjects = []result.InTotoSubject{{
 			Kind: gatewaypb.InTotoSubjectKindSelf,

exporter/attestation/unbundle.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/containerd/continuity/fs"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
-	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/exporter"
 	gatewaypb "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/snapshot"
@@ -19,9 +19,9 @@ import (
 
 // Unbundle iterates over all provided result attestations and un-bundles any
 // bundled attestations by loading them from the provided refs map.
-func Unbundle(ctx context.Context, s session.Group, refs map[string]cache.ImmutableRef, bundled []result.Attestation) ([]result.Attestation, error) {
+func Unbundle(ctx context.Context, s session.Group, bundled []exporter.Attestation) ([]exporter.Attestation, error) {
 	eg, ctx := errgroup.WithContext(ctx)
-	unbundled := make([][]result.Attestation, len(bundled))
+	unbundled := make([][]exporter.Attestation, len(bundled))
 
 	for i, att := range bundled {
 		i, att := i, att
@@ -33,15 +33,11 @@ func Unbundle(ctx context.Context, s session.Group, refs map[string]cache.Immuta
 				if att.ContentFunc != nil {
 					return errors.New("attestation bundle cannot have callback")
 				}
-				if refs == nil {
-					return errors.Errorf("no refs map provided to lookup attestation keys")
-				}
-				ref, ok := refs[att.Ref]
-				if !ok {
-					return errors.Errorf("key %s not found in refs map", att.Ref)
+				if att.Ref == nil {
+					return errors.Errorf("no ref provided for attestation bundle")
 				}
 
-				mount, err := ref.Mount(ctx, true, s)
+				mount, err := att.Ref.Mount(ctx, true, s)
 				if err != nil {
 					return err
 				}
@@ -65,7 +61,7 @@ func Unbundle(ctx context.Context, s session.Group, refs map[string]cache.Immuta
 		return nil, err
 	}
 
-	var joined []result.Attestation
+	var joined []exporter.Attestation
 	for _, atts := range unbundled {
 		joined = append(joined, atts...)
 	}
@@ -77,7 +73,7 @@ func Unbundle(ctx context.Context, s session.Group, refs map[string]cache.Immuta
 	return joined, nil
 }
 
-func unbundle(ctx context.Context, root string, bundle result.Attestation) ([]result.Attestation, error) {
+func unbundle(ctx context.Context, root string, bundle exporter.Attestation) ([]exporter.Attestation, error) {
 	dir, err := fs.RootPath(root, bundle.Path)
 	if err != nil {
 		return nil, err
@@ -87,7 +83,7 @@ func unbundle(ctx context.Context, root string, bundle result.Attestation) ([]re
 		return nil, err
 	}
 
-	var unbundled []result.Attestation
+	var unbundled []exporter.Attestation
 	for _, entry := range entries {
 		p, err := fs.RootPath(dir, entry.Name())
 		if err != nil {
@@ -119,7 +115,7 @@ func unbundle(ctx context.Context, root string, bundle result.Attestation) ([]re
 				Digest: result.FromDigestMap(subject.Digest),
 			}
 		}
-		unbundled = append(unbundled, result.Attestation{
+		unbundled = append(unbundled, exporter.Attestation{
 			Kind:        gatewaypb.AttestationKindInToto,
 			Path:        path.Join(bundle.Path, entry.Name()),
 			ContentFunc: func() ([]byte, error) { return predicate, nil },
@@ -132,11 +128,11 @@ func unbundle(ctx context.Context, root string, bundle result.Attestation) ([]re
 	return unbundled, nil
 }
 
-func validate(att result.Attestation) error {
+func validate(att exporter.Attestation) error {
 	if att.Path == "" {
 		return errors.New("attestation does not have set path")
 	}
-	if att.Ref == "" && att.ContentFunc == nil {
+	if att.Ref == nil && att.ContentFunc == nil {
 		return errors.New("attestation does not have available content")
 	}
 	return nil

exporter/containerimage/attestations.go

@@ -9,11 +9,11 @@ import (
 
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/moby/buildkit/cache"
+	"github.com/moby/buildkit/exporter"
 	"github.com/moby/buildkit/exporter/attestation"
 	gatewaypb "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/solver"
-	"github.com/moby/buildkit/solver/result"
 	"github.com/moby/buildkit/version"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -28,15 +28,15 @@ var intotoPlatform ocispecs.Platform = ocispecs.Platform{
 }
 
 // supplementSBOM modifies SPDX attestations to include the file layers
-func supplementSBOM(ctx context.Context, s session.Group, target cache.ImmutableRef, targetRemote *solver.Remote, refs map[string]cache.ImmutableRef, att result.Attestation) (result.Attestation, error) {
+func supplementSBOM(ctx context.Context, s session.Group, target cache.ImmutableRef, targetRemote *solver.Remote, att exporter.Attestation) (exporter.Attestation, error) {
 	if att.Kind != gatewaypb.AttestationKindInToto {
 		return att, nil
 	}
 	if att.InToto.PredicateType != intoto.PredicateSPDX {
 		return att, nil
 	}
 
-	content, err := attestation.ReadAll(ctx, s, refs, att)
+	content, err := attestation.ReadAll(ctx, s, att)
 	if err != nil {
 		return att, err
 	}
@@ -100,7 +100,7 @@ func supplementSBOM(ctx context.Context, s session.Group, target cache.Immutable
 		return att, err
 	}
 
-	return result.Attestation{
+	return exporter.Attestation{
 		Kind:        att.Kind,
 		Path:        att.Path,
 		ContentFunc: func() ([]byte, error) { return content, nil },