From 023c6acc63e2023c14b046644cd86ab00151f69f Mon Sep 17 00:00:00 2001
From: Nicholas Allen
Date: Tue, 10 Oct 2023 11:20:38 +1000
Subject: [PATCH] feat: support gzipped provenance files (#504)

Signed-off-by: Nicholas Allen
---
 src/macaron/config/defaults.ini                  |   1 +
 src/macaron/slsa_analyzer/provenance/loader.py   |  13 ++++++++++---
 .../checks/test_provenance_l3_content_check.py   |  16 ++++++++++++++++
 .../slsa-verifier-linux-amd64.intoto.jsonl.gz    | Bin 0 -> 5222 bytes
 4 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100644 tests/slsa_analyzer/provenance/resources/valid_provenances/slsa-verifier-linux-amd64.intoto.jsonl.gz

diff --git a/src/macaron/config/defaults.ini b/src/macaron/config/defaults.ini
index a58d375c3..4b56dac48 100644
--- a/src/macaron/config/defaults.ini
+++ b/src/macaron/config/defaults.ini
@@ -429,6 +429,7 @@ entry_conf =
 
 [slsa.verifier]
 provenance_extensions = intoto.jsonl
+    intoto.jsonl.gz
 # This is the acceptable maximum size (in bytes) to download an asset.
 max_download_size = 70000000
 # This is the timeout (in seconds) to run the SLSA verifier.
diff --git a/src/macaron/slsa_analyzer/provenance/loader.py b/src/macaron/slsa_analyzer/provenance/loader.py
index 34c4b88f7..329daa9f0 100644
--- a/src/macaron/slsa_analyzer/provenance/loader.py
+++ b/src/macaron/slsa_analyzer/provenance/loader.py
@@ -4,7 +4,9 @@
 """This module contains the loaders for SLSA provenances."""
 
 import base64
+import gzip
 import json
+import zlib
 
 from macaron.slsa_analyzer.provenance.intoto import InTotoPayload, validate_intoto_payload
 from macaron.slsa_analyzer.provenance.intoto.errors import LoadIntotoAttestationError, ValidateInTotoPayloadError
@@ -16,6 +18,7 @@ def load_provenance_file(filepath: str) -> dict[str, JsonType]:
 
     Inside a provenance file is a DSSE envelope containing a base64-encoded
     provenance JSON payload. See: https://github.com/secure-systems-lab/dsse.
+    If the file is gzipped, it will be transparently decompressed.
 
     Parameters
     ----------
@@ -33,9 +36,13 @@ def load_provenance_file(filepath: str) -> dict[str, JsonType]:
         If there is an error loading the provenance JSON payload.
     """
     try:
-        with open(filepath, encoding="utf-8") as file:
-            provenance = json.load(file)
-    except (json.JSONDecodeError, TypeError) as error:
+        try:
+            with gzip.open(filepath, mode="rt", encoding="utf-8") as file:
+                provenance = json.load(file)
+        except (gzip.BadGzipFile, EOFError, zlib.error):
+            with open(filepath, encoding="utf-8") as file:
+                provenance = json.load(file)
+    except (OSError, json.JSONDecodeError, TypeError) as error:
         raise LoadIntotoAttestationError(
             "Cannot deserialize the file content as JSON.",
         ) from error
diff --git a/tests/slsa_analyzer/checks/test_provenance_l3_content_check.py b/tests/slsa_analyzer/checks/test_provenance_l3_content_check.py
index 296d2dac2..a49cdf3f4 100644
--- a/tests/slsa_analyzer/checks/test_provenance_l3_content_check.py
+++ b/tests/slsa_analyzer/checks/test_provenance_l3_content_check.py
@@ -133,3 +133,19 @@ def test_expectation_check(self) -> None:
         # Test GitLab CI.
         ci_info["service"] = gitlab_ci
         assert check.run_check(ctx, check_result) == CheckResultType.PASSED
+
+        # Repo has a (gzipped) provenance and valid expectation, and expectation passes.
+        ci_info["service"] = github_actions
+        ci_info["provenances"] = [
+            load_provenance_payload(os.path.join(prov_dir, "slsa-verifier-linux-amd64.intoto.jsonl.gz")),
+        ]
+        ctx.dynamic_data["expectation"] = CUEExpectation.make_expectation(
+            os.path.join(expectation_dir, "valid_expectations", "slsa_verifier_PASS.cue")
+        )
+        assert check.run_check(ctx, check_result) == CheckResultType.PASSED
+
+        # Repo has a (gzipped) provenance and valid expectation, but expectation fails.
+        ctx.dynamic_data["expectation"] = CUEExpectation.make_expectation(
+            os.path.join(expectation_dir, "valid_expectations", "slsa_verifier_FAIL.cue")
+        )
+        assert check.run_check(ctx, check_result) == CheckResultType.FAILED
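Review bot: The inner `except (gzip.BadGzipFile, EOFError, zlib.error):` makes a truncated or corrupt .gz fall through to the plain `open(filepath, encoding="utf-8")` reader, where `json.load` decodes the same bytes as UTF-8 and fails on the gzip magic byte 0x8b (a lone continuation byte) with `UnicodeDecodeError` — a `ValueError` that neither the inner nor the outer clause catches — so a damaged gzip asset escapes as a raw exception instead of `LoadIntotoAttestationError`. Only `gzip.BadGzipFile` (no gzip framing at all) justifies the plain-text fallback; `EOFError` and `zlib.error` should be wrapped like the other load errors, and `UnicodeDecodeError` belongs in the outer clause since it can also come from the decompressed text. Separately, `max_download_size` in the defaults.ini hunk now bounds only the compressed bytes while `json.load` materialises the entire decompressed stream, so reading the gzip member with a cap (illustratively `file.read(limit + 1)` and rejecting an over-long result, with `limit` tied to the configured maximum) before parsing would keep an oversized asset from being fully expanded in memory. The enclosing `load_provenance_file` starts outside the hunk.
```python
    try:
        try:
            with gzip.open(filepath, mode="rt", encoding="utf-8") as file:
                provenance = json.load(file)
        except gzip.BadGzipFile:
            # No gzip framing at all: read the file as plain UTF-8 JSON instead.
            with open(filepath, encoding="utf-8") as file:
                provenance = json.load(file)
    except (OSError, EOFError, zlib.error, UnicodeDecodeError, json.JSONDecodeError, TypeError) as error:
        # … unchanged: raise LoadIntotoAttestationError(...) from error …
```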
diff --git a/tests/slsa_analyzer/provenance/resources/valid_provenances/slsa-verifier-linux-amd64.intoto.jsonl.gz b/tests/slsa_analyzer/provenance/resources/valid_provenances/slsa-verifier-linux-amd64.intoto.jsonl.gz new file mode 100644 index 0000000000000000000000000000000000000000..ee19422f3ae63b299479aeb36edf84ac6511493b GIT binary patch literal 5222 zcmV-s6q)NEiwFovm!o6=19NP1VJ&uLa%pC1WpXWSX>N6REn#hBHZ(42Zgg*SZ!T(c zZ*FV=v|Cw|qFT28D;@P(-CYb?nRG-ypfXv42_nP3`NE(A0@|s9(0~4}wNZ1jsw?x9 zC*nk<414Xp#%~S$_sceD@=Xxi&35tSUtfalHcz8qpKi);RT=*?E&s9K>^EPt-KPBV z_w&Q>;G!8XV>PeIO#7}C2@|V>cADN-f!o{1iok?Te;YP}9V;?JTs99&vx+nEpwG0O zRt_5CT3erkdydtQlzBQ$$D3HS>ZsjR6W-WGoOB?H!%g@>6Y?Yv3;E!4^KOk4*DzSW z*ycWOrqg_XrxpDqbm=;6s2a({BY9NhMc_Kk#651q(&!V(bb3HQ>pVRuJ7_apY0(qrSva9l@)vkqJ%iSf+kF7-=i8!A>F0d3&v zmJDC>lW;i`s7^X5j4GT7-Pv5y_`uVc6PlnoUyHY~lCXZtmc;GD*<~i=wQ5qFuM2$0 zkDo|!tYTiTE_8FD4B2iCz3KNu_b9?1i>MJ8-;LV|?;j_bcF>1o0rsE9ZoVV(6`65o zI{hrKV|CxFpe0=QC3HnN=9vydjF&_uFw{xF$ogIZFzuH&uMjXxE&cMLpk+Q@@Zn z(7kjy1Ko4`OjPD($mNF^<(>A=JgMmZII;_QJ_#)vsPkR_Ieb)fp87~7D z&YWtjZm$``_WQ5bfb}_NiMoR8yuRmfct(%A*km1hu$ODk@PlOG9xLDN`0KlbA)bbG zIZ|lA&p6i$Ydv-KhJbAviq9G@Nv5NuFtVs`WEwwJB;GH^iBXsw((ntpC5`|-#z)%l zFKH)SlKZaplBeKHB+zT{C1A6pfaj@P#abVI_umA4`FNpcH%mzYXigCMI(vSX>Mx$z zWw+or^7l0Qut%p3)m(hdBb3oamsH@f2Db8^P8sLm|B6r%_>Pvfjd*Jt7Szv!%{e)| z)A`s>+Aq8hwr8~98|j%zk@u$Qpa{Ix3j7x6F5Ji12K?6)18mgV!ZR8Dt&${E@-_Uu z4Y}Ux$53zd*4%nZKMHeWOSnGBhpk{|d%s+N*Cgbdv@#)nY4VW;J!>ImUXcSE#Wv_6 z=R{F{Jb3E(53M)H^D+U*7xfv$UxH2^66Ucw-5%c!%~7s1_5c`u9mA zB$2W{yzzC&!}f&l_M{wxO*<5qfPV)4+jnbXEXY>1G18B^z2ebkBi>+vAAf*O-bTEW zcRV?wFFxRUSI*hly33}ZN9}d_4z|zus*@$qK>Tpcr(f1uJpV1=dBZ|jUuhNDE3R}q{Ud`jkVfUyCGM&%#i5kCNIecbx& z&-YCI^q-JB#IHyZ=vn^iS|@x2HkMq8Ex#YX5Tl)O&3h~i`3LGw+3g!_ri#k-3A-E- zw=K~Y1JEndJjZ0PNwC?R13CYm{hj!7ooC&(xNw@lC0oEt)q<13uOwTzM(M-3nWeYG zcv>uJ{Jh*>Lo5WpaBRDM87<)3196?-*6~jE*L}kk-==vx(z~LQjV+VOm zevR&@Fd^=f;#YV_IVL{H-KY9^E1tfibNBulbHTzNiZ>tB_YSi{3{`OteYW#`%qtvz zBl%v|2cOtN9PV`ajP-A1-_N;(a7XhSk2y@z{vGIXLe%rQ0e{|>=N)cQ^=i@VYmoO@ 
zuPeX<@Z6Ziyz-{>)$!IZ9n4Q(=RdNLVBV|SJ~JI@jGjrg(a>C|@I7Z2%V)b>;lB31 z3vr*;fk5_(&_C(YjqC<;9pzXpXdSG>O+dGWy>BD+ge42mVWsYJ7ET7g_1aGp$Z10K zm+sBYG965pbo%2l;`RGzV*P@#PAO6 zkDquhkcTYX+8>pe*PL_s*RhV$r}d9p(xw>c zJza{KZb_Hc>fX~m`yPA-b>WTA`7K{Vb*Ia3WY9aSin%_-Zh0NOz;xZcOFr@XIzLDV z=d>?v_;kGqIjmdLI?=f%vGFmt;qs?o_HrG-+#aqof8igxJn2S!-GrR*)Y)XhgzoX0 zZGDEH>ACJ=j3P$I{5mrmn%A)c_6NWR%M8|Vo@-MbU(x2n&Trnx&d>4_o-qsPR9HHD zANJqr)p;);%%MLR-vYqmG2rlvZ~VzVZcQI>%^`k~>jj+CzZp$j8_tRUf-SAPb0VH} zcDJGlx|R~KNjxX&#+hbV#O%4QXL0wavpdKYO31;>57Zt$sDICNPc@0H&pC(a)Z;+D zbh+su!JJ}ZYp0s^r5-u}TnPEhd}S+n26_X&MrqcY$kwof>FM$*VPJEtZ8mkoKFd;xLd`gZ}bH zehu!8L5399>;w0R^~@?PZb$DWjkop$ak_~ByPRoR>=xWrKw{4n43unZgH0N4{J9|CWC=?9+q^Q!hk*N+dhcXZpj?4_o3 zmfN`=`n$Rmd)OEFb!`=NrUoCu`L5CL{1d@E8*qs8f&7ZrT7FUoeX(Bia{c^3{^y`=+Q75R?(EE|-)MXwmi~%XjC~&D8C~-^j>OGH4^DPNu$nfz7Dv}JMV+)Jm9PGi@g8O$O`->=#|j~-k|fxl#iDgjfb~=tLuHW zkDc{YYX_R7n`L><-Rl@)z^!6Wq=L_VU-P5$1q6H99`=qT&d4Oj7|nUZ)~QZ)J^!1< zdyx4t_fbZOWnHW5k#PBUjOWHk=XLZGrO^hj@>A<|pWEJktnOPx7*Ao%XGsYbGt$OsKwtJ}iol#E}om=p~Kjyibe0A^-8r47HI)xVzK?a7L`8J=72N z@IFlYWYhlhdCzpa-fey>KEJkms&hO!{Hgu|#r{}hxsjf9vsTns<*<)i$%i4Xyg$(a zteIz6t8rQMUsiL&zE@YH!Z`@q_cAuV$8^3|vA}0y+>_BRQ#}(KJ!R_YkU8qC+34*C zaK)z8<;@?Qfxz>VE%>Aqa+7VWuDiJ`cMN$OjgdUqDE7q~T6b-Ics_=G8k=i=1aM<| zs?A`{jrI^jjuam1fah$ZuFpv8TeP2wvwpDlX~u{HT1j->F1mZAe#tMXU3WbOoFhHy z+PpGssSiG$o7&IV{DU=Xiu-B4%8wI&CY;~D!?{z8Z9bnW2tAr>l<>RHM zT3+z!XZKFA1==>%HLef3!rq-|cbMlb7X9>j-o((7@`zb@1DZ!UsHfDYeM+y>rN?yr z0(>SH06WTS^j!q??%ccS?!BHP1#E+JQ7>mOFEg$9elA@0i1F?1{pXpH{A@Rj(V9mi z(>PvMvC2mEZ&dOV#=&R)+2gD*dv zb5uQBH`9>@u_|he+52_Qb?ffgH|zYx8ETsIHpmBv4G@!JTdTE_eV$L3Kz9qk7!92P z!Wh_6e3WgD9X@tyiUIgt+V#!k1Ns%W(ID>~FgS~bwMwE|RmdGP--Q@B6Uwl;KTa~K zH_7JJV&ubfW3Vs0j^}49LNPghs{njY$8k58?LYT!N{r2WtcOWKH{)E<9?y*O>_9Qm z&oKX$p2~7|ygSX)LVkzeLF`iSSs*)M19}5;w3v_+z(>+rEcoF2N}u(P(_xRD@GH(3 z3V;QAcs;%F4$qLX`;apQ^i2fk#6hQ$*71YQ!aChExDVB4^2yw+-g_JRfq*vA&4&!`*i$Z)f=}&;zV_LQE*~Cgl3GAN8_c zfpcBBH~f9Mj{C#9i8`)`>SO_6y60Y+gLbjU841uO$kFxgdl~SX0iDgpTyp={u;qI2 
zbKm&xI~(cqv;An}>hpIWKkZ4LlTief^Dusw1A?f!_!Ib>DqJ47&J} zNvqX*rqv)vwE1-Du)@;(_rJgV{mU+0mBIe-wAg+5*Z=+Z3xvWHzliGYz#qC~4z=Ot zZfkI+z5J$FswxRvt0x~Aau+*mFPFeySCRFsg?uU;D8kTAMMFSnKs;X|$4~ z4|GLj=h86Ib-)!R_B5hmPQT64tzNB){>U-Sk#ux02WT-?ks06)!0L}>1XcqYfEA)z zO(NsOQ9ye>oj!M8U5jdZEfYmuUe{9XtB>VrM?=xP>~18Q(a2nhk{#Xqaq8+jNM@#@ zSq$c1gS(W zSa~pQek^B_@_jlKi&ec^jn}%^Qyxn=e>|$C!MEB3&S>gtB-(?O;i$8@G#ZIN2CLQ6 zU?s@|*q7LfF}-K@Bza}d9X0>@ST6O@>y^o(h!6eA{&1&PPfxS0UaK{5&tkH{U{%W- zan1`5+m`j$5()eNF|zFs*-ejW&wnh*=)PW>^l3{p)o%k;uOpvSzuT98EMI!O3(9lj z9IKRcaxcAqMt?kwRP;*edqneRjCitVR8kmOn!raMJ6&B5yK zz7|bM0%^YZN((gQiMYK3PN;WP%U^b5YH8*FfE8+gFc6hd)rz3erWC25cO#J-tTreE zN%W`RbWs`&hO4VS2DJKrco}_g|7Pc~b>}$}KbD$$sV6r2aP#KrxumMUu75n1r)X2F zaHf|h8mvt7>cnw79Hi#?S=D_k7p5kOE9-8cuEn?>u%ei()|I%KSHi{uXC5>Qsg#^j z`BA$Mk=|npzNm(pViZCniXzy>YVU2wM+ttIBT@4IzwI*FZ4d^4=)IrOYY!}ONjMrq zfs{oKn1GcY2*MPJHHl4#lz)%abAMr;=4oa*K)=BVmg?F$4`zh+)U@$KV!m4BGf;*b zX}l=2K)0W{8SjwH0h<0rg?Q%mK^ud<;~lW*HFtzk<+f$rO`uj<2BKeg38Bmh&2AC` z(}J?+dIhDUT#Q2aMM+E}llA*ed(42#+i*>$AT3HGu-ALRlr1%=Q*+Eyx*NWyvQBnK znY^XK{Y0yP33S}i*O079_8S^xk5 literal 0 HcmV?d00001