feat(slsa): add RequireAttestation configuration for strict SLSA verification

leodido · ona-agent · leodido · commit aa90eac6c04d · 2025-10-29T16:00:04.000+01:00
Add support for LEEWAY_SLSA_REQUIRE_ATTESTATION environment variable and
--slsa-require-attestation CLI flag to control behavior when SLSA
attestations are missing or invalid.

When RequireAttestation=true (strict mode):
- Missing/invalid attestation → skip download, build locally
- Enables self-healing for cross-PR attestation mismatches
- Auto-enabled when provenance.slsa=true in WORKSPACE.yaml

When RequireAttestation=false (permissive mode, default):
- Missing/invalid attestation → download without verification (with warning)
- Provides graceful degradation and backward compatibility

Changes:
- Add EnvvarSLSARequireAttestation constant to cmd/root.go and pkg/leeway/workspace.go
- Add --slsa-require-attestation flag to build command
- Update parseSLSAConfig() to read and apply RequireAttestation setting
- Update ApplySLSADefaults() to auto-enable RequireAttestation with SLSA L3
- Enhance documentation in pkg/leeway/cache/types.go
- Update implementation comments in pkg/leeway/cache/remote/s3.go

The actual RequireAttestation logic in downloadWithSLSAVerification() was
already implemented; this commit adds the configuration mechanism.

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/cmd/build.go b/cmd/build.go
@@ -202,6 +202,7 @@ func addBuildFlags(cmd *cobra.Command) {
 	cmd.Flags().StringToString("docker-build-options", nil, "Options passed to all 'docker build' commands")
 	cmd.Flags().Bool("slsa-cache-verification", false, "Enable SLSA verification for cached artifacts")
 	cmd.Flags().String("slsa-source-uri", "", "Expected source URI for SLSA verification (required when verification enabled)")
+	cmd.Flags().Bool("slsa-require-attestation", false, "Require SLSA attestations (missing/invalid → build locally)")
 	cmd.Flags().Bool("in-flight-checksums", false, "Enable checksumming of cache artifacts to prevent TOCTU attacks")
 	cmd.Flags().String("report", "", "Generate a HTML report after the build has finished. (e.g. --report myreport.html)")
 	cmd.Flags().String("report-segment", os.Getenv(EnvvarSegmentKey), "Report build events to segment using the segment key (defaults to $LEEWAY_SEGMENT_KEY)")
@@ -442,6 +443,7 @@ func parseSLSAConfig(cmd *cobra.Command) (*cache.SLSAConfig, error) {
 	// Get SLSA verification settings from environment variables (defaults)
 	slsaVerificationEnabled := os.Getenv(EnvvarSLSACacheVerification) == "true"
 	slsaSourceURI := os.Getenv(EnvvarSLSASourceURI)
+	requireAttestation := os.Getenv(EnvvarSLSARequireAttestation) == "true"
 	
 	// CLI flags override environment variables (if cmd is provided)
 	if cmd != nil {
@@ -455,6 +457,11 @@ func parseSLSAConfig(cmd *cobra.Command) (*cache.SLSAConfig, error) {
 				slsaSourceURI = flagValue
 			}
 		}
+		if cmd.Flags().Changed("slsa-require-attestation") {
+			if flagValue, err := cmd.Flags().GetBool("slsa-require-attestation"); err == nil {
+				requireAttestation = flagValue
+			}
+		}
 	}
 	
 	// If verification is disabled, return nil
@@ -471,7 +478,7 @@ func parseSLSAConfig(cmd *cobra.Command) (*cache.SLSAConfig, error) {
 		Verification:       true,
 		SourceURI:          slsaSourceURI,
 		TrustedRoots:       []string{"https://fulcio.sigstore.dev"},
-		RequireAttestation: false, // Default: missing attestation → download without verification
+		RequireAttestation: requireAttestation,
 	}, nil
 }
 
diff --git a/cmd/root.go b/cmd/root.go
@@ -31,6 +31,9 @@ const (
 	// EnvvarSLSASourceURI configures the expected source URI for SLSA verification
 	EnvvarSLSASourceURI = "LEEWAY_SLSA_SOURCE_URI"
 
+	// EnvvarSLSARequireAttestation requires SLSA attestations (missing/invalid → build locally)
+	EnvvarSLSARequireAttestation = "LEEWAY_SLSA_REQUIRE_ATTESTATION"
+
 	// EnvvarEnableInFlightChecksums enables in-flight checksumming of cache artifacts
 	EnvvarEnableInFlightChecksums = "LEEWAY_ENABLE_IN_FLIGHT_CHECKSUMS"
 
@@ -120,6 +123,7 @@ variables have an effect on leeway:
     <light_blue>LEEWAY_DEFAULT_CACHE_LEVEL</>  Sets the default cache level for builds. Defaults to "remote".
 <light_blue>LEEWAY_SLSA_CACHE_VERIFICATION</>  Enables SLSA verification for cached artifacts (true/false).
         <light_blue>LEEWAY_SLSA_SOURCE_URI</>  Expected source URI for SLSA verification (github.com/owner/repo).
+<light_blue>LEEWAY_SLSA_REQUIRE_ATTESTATION</>  Require valid attestations; missing/invalid → build locally (true/false).
 <light_blue>LEEWAY_ENABLE_IN_FLIGHT_CHECKSUMS</>  Enable checksumming of cache artifacts (true/false).
            <light_blue>LEEWAY_EXPERIMENTAL</>  Enables experimental leeway features and commands.
 `),
diff --git a/pkg/leeway/cache/remote/s3.go b/pkg/leeway/cache/remote/s3.go
@@ -442,7 +442,11 @@ func (s *S3Cache) downloadOriginal(ctx context.Context, p cache.Package, version
 // This function tries multiple extensions (.tar.gz, .tar) and their corresponding attestations.
 // Returns nil (not an error) when no suitable artifacts are found to allow graceful fallback to local builds.
 //
-// Future CLI flag consideration: --slsa-require-attestation could set RequireAttestation=true
+// Configuration:
+// RequireAttestation can be set via:
+//   - Environment variable: LEEWAY_SLSA_REQUIRE_ATTESTATION=true
+//   - CLI flag: --slsa-require-attestation
+//   - Workspace config: Automatically enabled when provenance.slsa=true in WORKSPACE.yaml
 func (s *S3Cache) downloadWithSLSAVerification(ctx context.Context, p cache.Package, version, localPath string) error {
 	log.WithFields(log.Fields{
 		"package": p.FullName(),
diff --git a/pkg/leeway/cache/types.go b/pkg/leeway/cache/types.go
@@ -4,19 +4,23 @@
 // The cache system supports SLSA (Supply-chain Levels for Software Artifacts) verification
 // for enhanced security. The behavior is controlled by the SLSAConfig.RequireAttestation field:
 //
-//   - RequireAttestation=false (default): Missing attestation → download without verification
-//     This provides graceful degradation and backward compatibility.
+//   - RequireAttestation=false (default): Missing/invalid attestation → download without verification
+//     This provides graceful degradation and backward compatibility. The artifact is downloaded
+//     and used, but a warning is logged about the missing or invalid attestation.
 //
-//   - RequireAttestation=true: Missing attestation → skip download, allow local build fallback
-//     This enforces strict security but may impact build performance.
+//   - RequireAttestation=true: Missing/invalid attestation → skip download, allow local build fallback
+//     This enforces strict security but may impact build performance. When verification fails,
+//     the artifact is not downloaded, forcing a local rebuild with proper attestation.
 //
 // The cache system is designed to never fail builds due to cache issues. When artifacts
 // cannot be downloaded (missing, verification failed, network issues), the system gracefully
 // falls back to local builds.
 //
-// Future Evolution:
-// A CLI flag like --slsa-require-attestation could be added to set RequireAttestation=true
-// for environments that require strict SLSA compliance.
+// Configuration:
+// RequireAttestation can be controlled via:
+// - Environment variable: LEEWAY_SLSA_REQUIRE_ATTESTATION=true
+// - CLI flag: --slsa-require-attestation
+// - Workspace SLSA config: Automatically enabled when provenance.slsa=true in WORKSPACE.yaml
 package cache
 
 import (
diff --git a/pkg/leeway/workspace.go b/pkg/leeway/workspace.go
@@ -37,6 +37,9 @@ const (
 	// EnvvarSLSASourceURI configures the expected source URI for SLSA verification
 	EnvvarSLSASourceURI = "LEEWAY_SLSA_SOURCE_URI"
 
+	// EnvvarSLSARequireAttestation requires SLSA attestations (missing/invalid → build locally)
+	EnvvarSLSARequireAttestation = "LEEWAY_SLSA_REQUIRE_ATTESTATION"
+
 	// EnvvarEnableInFlightChecksums enables in-flight checksumming of cache artifacts
 	EnvvarEnableInFlightChecksums = "LEEWAY_ENABLE_IN_FLIGHT_CHECKSUMS"
 )
@@ -75,6 +78,7 @@ type WorkspaceProvenance struct {
 //
 // Sets environment variables as defaults (only if not already set):
 // - LEEWAY_SLSA_CACHE_VERIFICATION
+// - LEEWAY_SLSA_REQUIRE_ATTESTATION
 // - LEEWAY_ENABLE_IN_FLIGHT_CHECKSUMS
 // - LEEWAY_DOCKER_EXPORT_TO_CACHE
 // - LEEWAY_SLSA_SOURCE_URI (from Git origin)
@@ -92,6 +96,11 @@ func (w *Workspace) ApplySLSADefaults() {
 		log.Debug("Auto-enabled: LEEWAY_SLSA_CACHE_VERIFICATION=true")
 	}
 
+	// Auto-enable require attestation for strict SLSA compliance (global feature)
+	if setEnvDefault(EnvvarSLSARequireAttestation, "true") {
+		log.Debug("Auto-enabled: LEEWAY_SLSA_REQUIRE_ATTESTATION=true")
+	}
+
 	// Auto-enable in-flight checksumming (global feature)
 	if setEnvDefault(EnvvarEnableInFlightChecksums, "true") {
 		log.Debug("Auto-enabled: LEEWAY_ENABLE_IN_FLIGHT_CHECKSUMS=true")
