sigstore · haydentherapper · May 13, 2024 · May 10, 2024 · May 10, 2024
diff --git a/pkg/policy/attestation.go b/pkg/policy/attestation.go
@@ -29,6 +29,17 @@ import (
 	"github.com/sigstore/cosign/v2/pkg/cosign/attestation"
 )
 
+// PayloadProvider is a subset of oci.Signature that only provides the
+// Payload() method.
+type PayloadProvider interface {
+	// Payload fetches the opaque data that is being signed.
+	// This will always return data when there is no error.
+	Payload() ([]byte, error)
+}
+
+// Assert that oci.Signature implements PayloadProvider
+var _ PayloadProvider = (oci.Signature)(nil)
+
 // AttestationToPayloadJSON takes in a verified Attestation (oci.Signature) and
 // marshals it into a JSON depending on the payload that's then consumable
 // by policy engine like cue, rego, etc.
@@ -45,7 +56,7 @@ import (
 // or the predicateType is not the one they are looking for. Without returning
 // this, it's hard for users to know which attestations/predicateTypes were
 // inspected.
-func AttestationToPayloadJSON(_ context.Context, predicateType string, verifiedAttestation oci.Signature) ([]byte, string, error) {
+func AttestationToPayloadJSON(_ context.Context, predicateType string, verifiedAttestation PayloadProvider) ([]byte, string, error) {
 	if predicateType == "" {
 		return nil, "", errors.New("missing predicate type")
 	}

diff --git a/pkg/policy/attestation_test.go b/pkg/policy/attestation_test.go
@@ -16,6 +16,7 @@
 package policy
 
 import (
+	"bytes"
 	"context"
 	"crypto/x509"
 	"encoding/json"
@@ -166,6 +167,50 @@ func TestAttestationToPayloadJson(t *testing.T) {
 	}
 }
 
+type myPayloadProvider struct {
+	payload []byte
+}
+
+func (m *myPayloadProvider) Payload() ([]byte, error) {
+	return m.payload, nil
+}
+
+// assert that myPayloadProvider implements PayloadProvider
+var _ PayloadProvider = &myPayloadProvider{}
+
+// TestPayloadProvider tests that the PayloadProvider interface is working as expected.
+func TestPayloadProvider(t *testing.T) {
+	// Control: oci.Signature
+	attestationBytes := readAttestationFromTestFile(t, "valid", "vuln")
+	ociSig, err := static.NewSignature(attestationBytes, "")
+	if err != nil {
+		t.Fatal("Failed to create static.NewSignature: ", err)
+	}
+	jsonBytes, gotPredicateType, err := AttestationToPayloadJSON(context.TODO(), "vuln", ociSig)
+	if err != nil {
+		t.Fatalf("Failed to convert : %s", err)
+	}
+	if len(jsonBytes) == 0 {
+		t.Fatalf("Failed to get jsonBytes")
+	}
+	if gotPredicateType != attestation.CosignVulnProvenanceV01 {
+		t.Fatalf("Did not get expected predicateType, want: %s got: %s", attestation.CosignVulnProvenanceV01, gotPredicateType)
+	}
+
+	// Test: myPayloadProvider
+	provider := &myPayloadProvider{payload: attestationBytes}
+	jsonBytes2, gotPredicateType2, err := AttestationToPayloadJSON(context.TODO(), "vuln", provider)
+	if err != nil {
+		t.Fatalf("Failed to convert : %s", err)
+	}
+	if !bytes.Equal(jsonBytes, jsonBytes2) {
+		t.Fatalf("Expected same jsonBytes, got different")
+	}
+	if gotPredicateType != gotPredicateType2 {
+		t.Fatalf("Expected same predicateType, got different")
+	}
+}
+
 func checkPredicateType(t *testing.T, want, got string) {
 	t.Helper()
 	if want != got {