vendor: update buildkit to master@ae9d0f5

Signed-off-by: Justin Chadwell <me@jedevc.com>

vendor/github.com/moby/buildkit/frontend/attestations/parse.go

@@ -0,0 +1,82 @@
+package attestations
+
+import (
+	"encoding/csv"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+const (
+	KeyTypeSbom       = "sbom"
+	KeyTypeProvenance = "provenance"
+)
+
+const (
+	// TODO: update this before next buildkit release
+	defaultSBOMGenerator = "jedevc/buildkit-syft-scanner:master@sha256:de630f621eb0ab1bb1245cea76d01c5bddfe78af4f5b9adecde424cb7ec5605e"
+)
+
+func Filter(v map[string]string) map[string]string {
+	attests := make(map[string]string)
+	for k, v := range v {
+		if strings.HasPrefix(k, "attest:") {
+			attests[k] = v
+			continue
+		}
+		if strings.HasPrefix(k, "build-arg:BUILDKIT_ATTEST_") {
+			attests[k] = v
+			continue
+		}
+	}
+	return attests
+}
+
+func Validate(values map[string]map[string]string) (map[string]map[string]string, error) {
+	for k := range values {
+		if k != KeyTypeSbom && k != KeyTypeProvenance {
+			return nil, errors.Errorf("unknown attestation type %q", k)
+		}
+	}
+	return values, nil
+}
+
+func Parse(values map[string]string) (map[string]map[string]string, error) {
+	attests := make(map[string]string)
+	for k, v := range values {
+		if strings.HasPrefix(k, "attest:") {
+			attests[strings.ToLower(strings.TrimPrefix(k, "attest:"))] = v
+			continue
+		}
+		if strings.HasPrefix(k, "build-arg:BUILDKIT_ATTEST_") {
+			attests[strings.ToLower(strings.TrimPrefix(k, "build-arg:BUILDKIT_ATTEST_"))] = v
+			continue
+		}
+	}
+
+	out := make(map[string]map[string]string)
+	for k, v := range attests {
+		attrs := make(map[string]string)
+		out[k] = attrs
+		if k == KeyTypeSbom {
+			attrs["generator"] = defaultSBOMGenerator
+		}
+		if v == "" {
+			continue
+		}
+		csvReader := csv.NewReader(strings.NewReader(v))
+		fields, err := csvReader.Read()
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to parse %s", k)
+		}
+		for _, field := range fields {
+			parts := strings.SplitN(field, "=", 2)
+			if len(parts) != 2 {
+				parts = append(parts, "")
+			}
+			attrs[parts[0]] = parts[1]
+		}
+	}
+
+	return Validate(out)
+}

vendor/github.com/moby/buildkit/frontend/gateway/client/attestation.go

@@ -0,0 +1,46 @@
+package client
+
+import (
+	pb "github.com/moby/buildkit/frontend/gateway/pb"
+	"github.com/moby/buildkit/solver/result"
+)
+
+func AttestationToPB(a *result.Attestation) (*pb.Attestation, error) {
+	subjects := make([]*pb.InTotoSubject, len(a.InToto.Subjects))
+	for i, subject := range a.InToto.Subjects {
+		subjects[i] = &pb.InTotoSubject{
+			Kind:   subject.Kind,
+			Name:   subject.Name,
+			Digest: subject.Digest,
+		}
+	}
+
+	return &pb.Attestation{
+		Kind:                a.Kind,
+		Path:                a.Path,
+		Ref:                 a.Ref,
+		InTotoPredicateType: a.InToto.PredicateType,
+		InTotoSubjects:      subjects,
+	}, nil
+}
+
+func AttestationFromPB(a *pb.Attestation) (*result.Attestation, error) {
+	subjects := make([]result.InTotoSubject, len(a.InTotoSubjects))
+	for i, subject := range a.InTotoSubjects {
+		subjects[i] = result.InTotoSubject{
+			Kind:   subject.Kind,
+			Name:   subject.Name,
+			Digest: subject.Digest,
+		}
+	}
+
+	return &result.Attestation{
+		Kind: a.Kind,
+		Path: a.Path,
+		Ref:  a.Ref,
+		InToto: result.InTotoAttestation{
+			PredicateType: a.InTotoPredicateType,
+			Subjects:      subjects,
+		},
+	}, nil
+}

vendor/github.com/moby/buildkit/frontend/gateway/client/client.go

@@ -7,12 +7,21 @@ import (
 
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/solver/result"
 	"github.com/moby/buildkit/util/apicaps"
 	digest "github.com/opencontainers/go-digest"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	fstypes "github.com/tonistiigi/fsutil/types"
 )
 
+type Result = result.Result[Reference]
+
+type BuildFunc func(context.Context, Client) (*Result, error)
+
+func NewResult() *Result {
+	return &Result{}
+}
+
 type Client interface {
 	Solve(ctx context.Context, req SolveRequest) (*Result, error)
 	ResolveImageConfig(ctx context.Context, ref string, opt llb.ResolveImageConfigOpt) (digest.Digest, []byte, error)
@@ -82,6 +91,7 @@ type ContainerProcess interface {
 
 type Reference interface {
 	ToState() (llb.State, error)
+	Evaluate(ctx context.Context) error
 	ReadFile(ctx context.Context, req ReadRequest) ([]byte, error)
 	StatFile(ctx context.Context, req StatRequest) (*fstypes.Stat, error)
 	ReadDir(ctx context.Context, req ReadDirRequest) ([]*fstypes.Stat, error)

vendor/github.com/moby/buildkit/frontend/gateway/client/result.go

@@ -1,54 +0,0 @@
-package client
-
-import (
-	"context"
-	"sync"
-
-	"github.com/pkg/errors"
-)
-
-type BuildFunc func(context.Context, Client) (*Result, error)
-
-type Result struct {
-	mu       sync.Mutex
-	Ref      Reference
-	Refs     map[string]Reference
-	Metadata map[string][]byte
-}
-
-func NewResult() *Result {
-	return &Result{}
-}
-
-func (r *Result) AddMeta(k string, v []byte) {
-	r.mu.Lock()
-	if r.Metadata == nil {
-		r.Metadata = map[string][]byte{}
-	}
-	r.Metadata[k] = v
-	r.mu.Unlock()
-}
-
-func (r *Result) AddRef(k string, ref Reference) {
-	r.mu.Lock()
-	if r.Refs == nil {
-		r.Refs = map[string]Reference{}
-	}
-	r.Refs[k] = ref
-	r.mu.Unlock()
-}
-
-func (r *Result) SetRef(ref Reference) {
-	r.Ref = ref
-}
-
-func (r *Result) SingleRef() (Reference, error) {
-	r.mu.Lock()
-	defer r.mu.Unlock()
-
-	if r.Refs != nil && r.Ref == nil {
-		return nil, errors.Errorf("invalid map result")
-	}
-
-	return r.Ref, nil
-}

vendor/github.com/moby/buildkit/frontend/gateway/grpcclient/client.go

@@ -115,7 +115,7 @@ func (c *grpcClient) Run(ctx context.Context, f client.BuildFunc) (retError erro
 			req := &pb.ReturnRequest{}
 			if retError == nil {
 				if res == nil {
-					res = &client.Result{}
+					res = client.NewResult()
 				}
 				pbRes := &pb.Result{
 					Metadata: res.Metadata,
@@ -160,6 +160,25 @@ func (c *grpcClient) Run(ctx context.Context, f client.BuildFunc) (retError erro
 						}
 					}
 				}
+
+				if res.Attestations != nil && c.caps.Supports(pb.CapAttestations) == nil {
+					attestations := map[string]*pb.Attestations{}
+					for k, as := range res.Attestations {
+						for _, a := range as {
+							pbAtt, err := client.AttestationToPB(&a)
+							if err != nil {
+								retError = err
+								continue
+							}
+							if attestations[k] == nil {
+								attestations[k] = &pb.Attestations{}
+							}
+							attestations[k].Attestation = append(attestations[k].Attestation, pbAtt)
+						}
+					}
+					pbRes.Attestations = attestations
+				}
+
 				if retError == nil {
 					req.Result = pbRes
 				}
@@ -368,30 +387,15 @@ func (c *grpcClient) Solve(ctx context.Context, creq client.SolveRequest) (res *
 		if c.caps.Supports(pb.CapGatewayEvaluateSolve) == nil {
 			req.Evaluate = creq.Evaluate
 		} else {
-			// If evaluate is not supported, fallback to running Stat(".") in order to
-			// trigger an evaluation of the result.
+			// If evaluate is not supported, fallback to running Stat(".") in
+			// order to trigger an evaluation of the result.
 			defer func() {
 				if res == nil {
 					return
 				}
-
-				var (
-					id  string
-					ref client.Reference
-				)
-				ref, err = res.SingleRef()
-				if err != nil {
-					for refID := range res.Refs {
-						id = refID
-						break
-					}
-				} else {
-					id = ref.(*reference).id
-				}
-
-				_, err = c.client.StatFile(ctx, &pb.StatFileRequest{
-					Ref:  id,
-					Path: ".",
+				err = res.EachRef(func(ref client.Reference) error {
+					_, err := ref.StatFile(ctx, client.StatRequest{Path: "."})
+					return err
 				})
 			}()
 		}
@@ -402,7 +406,7 @@ func (c *grpcClient) Solve(ctx context.Context, creq client.SolveRequest) (res *
 		return nil, err
 	}
 
-	res = &client.Result{}
+	res = client.NewResult()
 	if resp.Result == nil {
 		if id := resp.Ref; id != "" {
 			c.requests[id] = req
@@ -443,6 +447,18 @@ func (c *grpcClient) Solve(ctx context.Context, creq client.SolveRequest) (res *
 				res.AddRef(k, ref)
 			}
 		}
+
+		if resp.Result.Attestations != nil {
+			for p, as := range resp.Result.Attestations {
+				for _, a := range as.Attestation {
+					att, err := client.AttestationFromPB(a)
+					if err != nil {
+						return nil, err
+					}
+					res.AddAttestation(p, *att, nil)
+				}
+			}
+		}
 	}
 
 	return res, nil
@@ -1023,6 +1039,15 @@ func (r *reference) ToState() (st llb.State, err error) {
 	return llb.NewState(defop), nil
 }
 
+func (r *reference) Evaluate(ctx context.Context) error {
+	req := &pb.EvaluateRequest{Ref: r.id}
+	_, err := r.c.client.Evaluate(ctx, req)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func (r *reference) ReadFile(ctx context.Context, req client.ReadRequest) ([]byte, error) {
 	rfr := &pb.ReadFileRequest{FilePath: req.Filename, Ref: r.id}
 	if r := req.Range; r != nil {

vendor/github.com/moby/buildkit/frontend/gateway/pb/caps.go

@@ -56,8 +56,14 @@ const (
 	// errors.
 	CapGatewayEvaluateSolve apicaps.CapID = "gateway.solve.evaluate"
 
+	CapGatewayEvaluate apicaps.CapID = "gateway.evaluate"
+
 	// CapGatewayWarnings is the capability to log warnings from frontend
 	CapGatewayWarnings apicaps.CapID = "gateway.warnings"
+
+	// CapAttestations is the capability to indicate that attestation
+	// references will be attached to results
+	CapAttestations apicaps.CapID = "reference.attestations"
 )
 
 func init() {
@@ -194,10 +200,24 @@ func init() {
 		Status:  apicaps.CapStatusExperimental,
 	})
 
+	Caps.Init(apicaps.Cap{
+		ID:      CapGatewayEvaluate,
+		Name:    "gateway evaluate",
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
 	Caps.Init(apicaps.Cap{
 		ID:      CapGatewayWarnings,
 		Name:    "logging warnings",
 		Enabled: true,
 		Status:  apicaps.CapStatusExperimental,
 	})
+
+	Caps.Init(apicaps.Cap{
+		ID:      CapAttestations,
+		Name:    "reference attestations",
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
 }

vendor/github.com/moby/buildkit/frontend/gateway/pb/gateway.proto

@@ -25,6 +25,8 @@ service LLBBridge {
 	rpc ReadDir(ReadDirRequest) returns (ReadDirResponse);
 	// apicaps:CapStatFile
 	rpc StatFile(StatFileRequest) returns (StatFileResponse);
+	// apicaps:CapGatewayEvaluate
+	rpc Evaluate(EvaluateRequest) returns (EvaluateResponse);
 	rpc Ping(PingRequest) returns (PongResponse);
 	rpc Return(ReturnRequest) returns (ReturnResponse);
 	// apicaps:CapFrontendInputs
@@ -48,6 +50,7 @@ message Result {
 		RefMap refs = 4;
 	}
 	map<string, bytes> metadata = 10;
+	map<string, Attestations> attestations = 11;
 }
 
 message RefMapDeprecated {
@@ -63,6 +66,38 @@ message RefMap {
 	map<string, Ref> refs = 1;
 }
 
+message Attestations {
+    repeated Attestation attestation = 1;
+}
+
+message Attestation {
+	AttestationKind kind = 1;
+
+	string ref = 2;
+	string path = 3;
+	string inTotoPredicateType = 4;
+	repeated InTotoSubject inTotoSubjects = 5;
+}
+
+enum AttestationKind {
+	option (gogoproto.goproto_enum_prefix) = false;
+	InToto = 0 [(gogoproto.enumvalue_customname) = "AttestationKindInToto"];
+	Bundle = 1 [(gogoproto.enumvalue_customname) = "AttestationKindBundle"];
+}
+
+message InTotoSubject {
+	InTotoSubjectKind kind = 1;
+
+	repeated string digest = 2 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
+	string name = 3;
+}
+
+enum InTotoSubjectKind {
+	option (gogoproto.goproto_enum_prefix) = false;
+	Self = 0 [(gogoproto.enumvalue_customname) = "InTotoSubjectKindSelf"];
+	Raw = 1 [(gogoproto.enumvalue_customname) = "InTotoSubjectKindRaw"];
+}
+
 message ReturnRequest {
 	Result result = 1;
 	google.rpc.Status error = 2;
@@ -163,6 +198,13 @@ message StatFileResponse {
 	fsutil.types.Stat stat = 1;
 }
 
+message EvaluateRequest {
+	string Ref = 1;
+}
+
+message EvaluateResponse {
+}
+
 message PingRequest{
 }
 message PongResponse{