Create Attestations List API
Why are we doing this work
To support the SLSA Verification Workflow, an API is needed that lets attestations be listed. The scope of this issue is to build out the implementation of that API.
Requirements
- Authentication is required. Discussion here.
- Endpoint: `/project/:id/attestations/:subject_digest`, where `:subject_digest` is given as `sha256:HEX_DIGEST`. Should return an array of attestations.
- Should support pagination
Relevant links
- Draft: SLSA Workflow POC. This MR documents the approach we should follow.
- SLSA Level 3 Provenance Attestations
- Draft: Add file upload capability to Attestation model. This MR deals with the storage of the bundle files.
- Create Ci::Slsa::Attestation model. This MR deals with the creation of the Attestation model.
- API style guide
Non-functional requirements
- Documentation: API documentation is required. See "Documenting REST API resources".
- Feature flag: [FF] slsa_provenance_statement -- Roll out feature flag to publish SLSA provenance statements.
- Performance: N/A
- Testing: end-to-end verification in a production environment. See verification below.
Implementation plan
- Mount a new API endpoint in `lib/api/api.rb`.
- Create a new class that inherits from `::API::Base` in `lib/api/supply_chain/attestations.rb`. Ensure the return type is an array of attestations.
- Implement authentication. Check that the user has read access to the project. Create a custom permission `:read_attestation` in `app/policies/project_policy.rb` so that the permission can be adjusted independently of other permissions if necessary. Discussion here.
- Implement pagination as described in the Pagination guidelines.
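The following is an added, constructed example that is not GitLab's code and not part of this issue. It reproduces in plain Ruby the request-handling order the plan above implies (authentication, parameter validation, feature-flag gate, the custom `:read_attestation` check, then bounded pagination with GitLab-style `X-Total` / `X-Page` / `X-Per-Page` / `X-Next-Page` headers), so the ordering and the failure responses can be run and inspected. The `Project`, `User`, `Attestation` structs, the `handle` wrapper, and the sample data are assumptions; in GitLab the route would be a Grape class inheriting `::API::Base` with `authorize!` and the `paginate` helper.

```ruby
require 'digest'
require 'set'

# Constructed stand-in for the attestation list endpoint (not GitLab's code).
SUBJECT_DIGEST_RE = /\Asha256:[0-9a-f]{64}\z/.freeze # sha256:HEX_DIGEST, lowercase hex
DEFAULT_PER_PAGE = 20  # GitLab's default page size
MAX_PER_PAGE     = 100 # GitLab's upper bound for per_page

Project     = Struct.new(:id, :attestations, :flag_enabled, keyword_init: true)
Attestation = Struct.new(:id, :subject_digest, :predicate_type, keyword_init: true)
User        = Struct.new(:name, :permissions, keyword_init: true) # { project_id => Set of abilities }

class ApiError < StandardError
  attr_reader :status
  def initialize(status, message)
    super(message)
    @status = status
  end
end

def api_error!(status, message)
  raise ApiError.new(status, message)
end

# Mirrors the order a Grape endpoint applies: `before` hooks (authentication),
# param validation, then the route body (feature flag, authorization, query).
def list_attestations(user:, project:, subject_digest:, page: 1, per_page: DEFAULT_PER_PAGE)
  api_error!(401, '401 Unauthorized') if user.nil?
  api_error!(400, 'subject_digest must match sha256:<64 hex chars>') unless subject_digest.match?(SUBJECT_DIGEST_RE)
  # Flag disabled -> 404, the same answer an unknown route gives, so the
  # endpoint's existence is not advertised for projects without the flag.
  api_error!(404, '404 Not Found') unless project.flag_enabled
  # Custom :read_attestation ability, checked per project, so it can later
  # diverge from plain project read access if needed.
  allowed = user.permissions.fetch(project.id, Set.new).include?(:read_attestation)
  api_error!(403, '403 Forbidden') unless allowed

  # Bounded pagination: page >= 1, per_page clamped to [1, MAX_PER_PAGE].
  page     = [page.to_i, 1].max
  per_page = per_page.to_i.clamp(1, MAX_PER_PAGE)
  matches  = project.attestations.select { |a| a.subject_digest == subject_digest }
  total    = matches.size
  items    = matches.drop((page - 1) * per_page).first(per_page)
  next_page = page * per_page < total ? (page + 1).to_s : ''

  {
    status: 200,
    body: items.map(&:to_h),
    headers: { 'X-Total' => total.to_s, 'X-Page' => page.to_s,
               'X-Per-Page' => per_page.to_s, 'X-Next-Page' => next_page }
  }
end

# Turns an ApiError into a response hash, the way Grape's error! ends a request.
def handle(**kwargs)
  list_attestations(**kwargs)
rescue ApiError => e
  { status: e.status, body: { 'message' => e.message }, headers: {} }
end

# Constructed sample data (not real artifacts or attestations).
SUBJECT = "sha256:#{Digest::SHA256.hexdigest('constructed release artifact')}"
OTHER   = "sha256:#{Digest::SHA256.hexdigest('some other artifact')}"

def sample_project(flag_enabled: true)
  Project.new(id: 42, flag_enabled: flag_enabled, attestations: [
    Attestation.new(id: 1, subject_digest: SUBJECT, predicate_type: 'https://slsa.dev/provenance/v1'),
    Attestation.new(id: 2, subject_digest: OTHER,   predicate_type: 'https://slsa.dev/provenance/v1'),
    Attestation.new(id: 3, subject_digest: SUBJECT, predicate_type: 'https://slsa.dev/provenance/v1')
  ])
end

def reader
  User.new(name: 'reader', permissions: { 42 => Set[:read_project, :read_attestation] })
end

def outsider
  User.new(name: 'outsider', permissions: { 42 => Set[:read_project] })
end

if __FILE__ == $PROGRAM_NAME
  r = handle(user: reader, project: sample_project, subject_digest: SUBJECT, per_page: 1)
  puts "#{r[:status]} #{r[:headers]} ids=#{r[:body].map { |a| a[:id] }}"
  puts handle(user: outsider, project: sample_project, subject_digest: SUBJECT)[:status]
end
```

The two points worth carrying into the real Grape class are the ordering (a disabled feature flag answers before the permission check, and answers with 404 rather than 403) and the `per_page` clamp, which keeps a single request from pulling an unbounded number of attestation bundles.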
Verification steps
- Test locally that the endpoint is only accessible if the feature flag is enabled for a specific project, with tests etc.
- Test locally that the endpoint can only be accessed for projects for which we have :project_read.
- Send to production and test on production. (Will be blocked by Draft: Resolve "Modify PublishProvenanceService to persist attestation".)
Edited by Sam Roque-Worcel