From 997896bafc7e50d383fd37a3c591646e2f203806 Mon Sep 17 00:00:00 2001
From: Nate Sales <nate@natesales.net>
Date: Tue, 19 Nov 2024 23:56:06 -0500
Subject: [PATCH] feat: fetch attestation from URL or file

---
 cmd/main.go | 49 +++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 41 insertions(+), 8 deletions(-)

diff --git a/cmd/main.go b/cmd/main.go
index 7115bb7..0d1bef6 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -6,24 +6,32 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"log"
 	"net/http"
 	"os"
+	"strings"
 
+	"github.com/tinfoilanalytics/verifier/pkg/models"
 	"github.com/tinfoilanalytics/verifier/pkg/nitro"
 	"github.com/tinfoilanalytics/verifier/pkg/sigstore"
 )
 
 var (
-	attestationDoc = flag.String("attestation-doc", "", "Path to the attestation document")
+	attestationDoc = flag.String("attestation", "", "Path to the attestation document or URL")
 	digest         = flag.String("digest", "", "Artifact digest")
 	repo           = flag.String("repo", "", "Attested repo (e.g. tinfoilanalytics/nitro-pipeline-test)")
 )
 
 func gitHubAttestation(digest string) ([]byte, error) {
-	bundleResponse, err := http.Get("https://api.github.com/repos/" + *repo + "/attestations/sha256:" + digest)
+	url := "https://api.github.com/repos/" + *repo + "/attestations/sha256:" + digest
+	log.Printf("Fetching sigstore attestation from %s", url)
+	bundleResponse, err := http.Get(url)
 	if err != nil {
 		return nil, err
 	}
+	if bundleResponse.StatusCode != 200 {
+		return nil, fmt.Errorf("failed to fetch attestation: %s", bundleResponse.Status)
+	}
 
 	var responseJSON struct {
 		Attestations []struct {
@@ -40,7 +48,12 @@ func gitHubAttestation(digest string) ([]byte, error) {
 func main() {
 	flag.Parse()
 
+	var sigstoreMeasurements *models.Measurements
 	if *digest != "" {
+		if *repo == "" {
+			log.Fatal("Missing repo")
+		}
+
 		bundleBytes, err := gitHubAttestation(*digest)
 		if err != nil {
 			panic(err)
@@ -55,7 +68,7 @@ func main() {
 			panic(err)
 		}
 
-		sigstoreMeasurements, err := sigstore.VerifyAttestedMeasurements(
+		sigstoreMeasurements, err = sigstore.VerifyAttestedMeasurements(
 			sigstoreRootBytes,
 			bundleBytes,
 			*digest,
@@ -66,17 +79,37 @@ func main() {
 		fmt.Println("Sigstore", sigstoreMeasurements)
 	}
 
+	var nitroMeasurements *models.Measurements
 	if *attestationDoc != "" {
-		attDocBytes, err := os.ReadFile(*attestationDoc)
-		if err != nil {
-			panic(err)
+		var attDocBytes []byte
+		var err error
+		if strings.HasPrefix(*attestationDoc, "http") {
+			log.Printf("Fetching attestation doc from %s", *attestationDoc)
+			resp, err := http.Get(*attestationDoc)
+			if err != nil {
+				panic(err)
+			}
+			defer resp.Body.Close()
+			attDocBytes, err = io.ReadAll(resp.Body)
+			if err != nil {
+				panic(err)
+			}
+		} else {
+			log.Printf("Reading attestation doc from %s", *attestationDoc)
+			attDocBytes, err = os.ReadFile(*attestationDoc)
+			if err != nil {
+				panic(err)
+			}
 		}
-		nitroMeasurements, err := nitro.VerifyAttestation(attDocBytes)
+
+		nitroMeasurements, err = nitro.VerifyAttestation(attDocBytes)
 		if err != nil {
 			panic(err)
 		}
 		fmt.Println("Nitro", nitroMeasurements)
 	}
 
-	//fmt.Println("Match?", sigstoreMeasurements.Equals(nitroMeasurements))
+	if sigstoreMeasurements != nil && nitroMeasurements != nil {
+		fmt.Println("Match?", sigstoreMeasurements.Equals(nitroMeasurements))
+	}
 }