macaron.slsa_analyzer.provenance.intoto.v1 package

This module handles in-toto version 1 attestations.

class macaron.slsa_analyzer.provenance.intoto.v1.InTotoV1Statement

Bases: TypedDict

An in-toto version 1 statement.

This is the type of the payload in a version 1 in-toto attestation. Specification: https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md.

subject: list[InTotoV1ResourceDescriptor]
predicateType: str
predicate: dict[str, JsonType] | None

class macaron.slsa_analyzer.provenance.intoto.v1.InTotoV1ResourceDescriptor

Bases: TypedDict

An in-toto resource descriptor.

Specification: https://github.com/in-toto/attestation/blob/main/spec/v1/resource_descriptor.md

name: str | None
uri: str | None
digest: dict[str, str] | None
content: str | None
download_location: str | None
media_type: str | None
annotations: dict[str, JsonType] | None

macaron.slsa_analyzer.provenance.intoto.v1.validate_intoto_statement(payload)

Validate the statement of an in-toto attestation.

Specification: https://github.com/in-toto/attestation/tree/main/spec/v1/statement.md.

Parameters:

payload (dict[str, JsonType]) – The JSON statement after being base64-decoded.

Returns:

True if the attestation statement is valid, in which case its type is narrowed to an InTotoStatement; False otherwise.

Return type:

TypeGuard[InTotoStatement]

Raises:

ValidateInTotoPayloadError – When the payload does not follow the expected schema.

macaron.slsa_analyzer.provenance.intoto.v1.validate_intoto_subject(subject)

Validate a single subject in the in-toto statement.

See specification: https://github.com/in-toto/attestation/blob/main/spec/v1/resource_descriptor.md

Parameters:

subject (JsonType) – The JSON element representing a single subject.

Returns:

True if the subject element is valid, in which case its type is narrowed to an InTotoV1ResourceDescriptor; False otherwise.

Return type:

TypeGuard[InTotoV1ResourceDescriptor]

Raises:

ValidateInTotoPayloadError – When the payload does not follow the expected schema.

macaron.slsa_analyzer.provenance.intoto.v1.is_valid_digest_set(digest)

Validate the digest set.

Specification for the digest set: https://github.com/in-toto/attestation/blob/main/spec/v1/digest_set.md.

Parameters:

digest (JsonType) – The digest set.

Returns:

True if the digest set is valid according to the specification; False otherwise.

Return type:

bool
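As an added, self-contained example (not macaron's own code), here are the checks that validate_intoto_statement, validate_intoto_subject and is_valid_digest_set describe, written out against the v1 specification: the required `_type` value, a non-empty subject list whose digest sets are lowercase hex, a string `predicateType` and an optional `predicate` object, plus the base64 decoding of a DSSE payload that precedes validation. The `_type` constant and the hex rule come from the spec, not from this page; the sample statement and its digest are constructed.

```python
"""Added example, not macaron's code: a v1 in-toto statement validator."""
import base64
import json
import re

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"  # required "_type" per spec v1
HEX_RE = re.compile(r"^[0-9a-f]+$")  # spec: digest values are lowercase hex


def is_valid_digest_set(digest) -> bool:
    """A DigestSet is a non-empty mapping of algorithm name -> lowercase hex digest."""
    if not isinstance(digest, dict) or not digest:
        return False
    return all(isinstance(alg, str) and isinstance(val, str) and HEX_RE.match(val)
               for alg, val in digest.items())


def validate_subject(subject) -> bool:
    """A subject is a ResourceDescriptor; we insist on a valid digest set because
    the digest is what a verifier later matches against the downloaded artifact."""
    if not isinstance(subject, dict):
        return False
    name = subject.get("name")
    if name is not None and not isinstance(name, str):
        return False
    return is_valid_digest_set(subject.get("digest"))


def validate_statement(payload) -> bool:
    """True if payload (already base64-decoded and JSON-parsed) is a v1 statement."""
    if not isinstance(payload, dict) or payload.get("_type") != STATEMENT_TYPE:
        return False
    subjects = payload.get("subject")
    if not isinstance(subjects, list) or not subjects:
        return False
    if not all(validate_subject(s) for s in subjects):
        return False
    if not isinstance(payload.get("predicateType"), str):
        return False
    predicate = payload.get("predicate")
    return predicate is None or isinstance(predicate, dict)


def validate_dsse_payload(payload_b64: str) -> bool:
    """Decode the base64 DSSE "payload" field, then validate it as a statement."""
    try:
        payload = json.loads(base64.b64decode(payload_b64, validate=True))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON/UTF-8
        return False
    return validate_statement(payload)


def encode_statement(statement) -> str:
    """Inverse helper: serialise a statement the way it sits in a DSSE envelope."""
    return base64.b64encode(json.dumps(statement).encode()).decode()


# Constructed sample: minimal SLSA-style statement with a fake (not real) digest.
GOOD = {"_type": STATEMENT_TYPE,
        "subject": [{"name": "example-lib-1.0.jar", "digest": {"sha256": "ab" * 32}}],
        "predicateType": "https://slsa.dev/provenance/v1", "predicate": {}}
# Same statement with a non-hex digest value: must be rejected.
BAD = {**GOOD, "subject": [{"name": "example-lib-1.0.jar", "digest": {"sha256": "NOT-HEX"}}]}
```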