Add Grafeas transport

[adityasaky]

This PR introduces Grafeas as a transport for the in-toto jenkins plugin.

For a grafeas server located at https://grafeas.example.com/, for some project example_project, the in-toto links generated by the plugin can be sent using the following transport:

grafeas+https://grafeas.example.com/v1beta1/projects/example_project/occurrences?noteName=<note_occurrence_corresponds_to>&resourceUri=<resource_id>

Note, this plugin depends on the changes introduced to the Grafeas server in grafeas/grafeas#391. Any further changes there can affect the plugin and therefore this must only be merged when that PR is merged.

[adityasaky]

I was able to use this transport to dispatch grafeas occurrences to a test grafeas server from a test jenkins instance. However, more clean up is required.

[adityasaky]

in-toto is now officially in Grafeas (grafeas/grafeas#391)! The implementation of in-toto within Grafeas requires some minor modifications to the in-toto document format, and a translator of some sort will need to be built and integrated with the changes proposed in this PR.

[adityasaky]

Okay! The conversion is mostly working, bar a couple of pending FIXMEs for resource URIs.

For reference, here's the demo Jenkins pipeline script:

pipeline {
    agent any
    stages {
        stage('Beta') {
            //agent { label 'worker 1' }
            steps {
                // Clone package
                in_toto_wrap(['stepName': 'clone',
                'keyPath': '/keys/bob',
                'transport': 'grafeas+https://<GRAFEAS>/v1beta1/projects/example_project/occurrences?noteName=projects/example_project/notes/clone&resourceUri=demoProjectJekyll']){
                    git 'https://github.com/in-toto/demo-project-jekyll'
                }
                
                // Jekyll build
                in_toto_wrap(['stepName': 'jekyll-build',
                'keyPath': '/keys/carl',
                'transport': 'grafeas+https://<GRAFEAS>/v1beta1/projects/example_project/occurrences?noteName=projects/example_project/notes/jekyllBuild&resourceUri=demoProjectJekyll']){
                    sh label: 'jekyll-build', script: 'jekyll build'
                }

                // HTML Linter
                in_toto_wrap(['stepName': 'html-linter',
                'keyPath': '/keys/carl',
                'transport': 'grafeas+https://<GRAFEAS>/v1beta1/projects/example_project/occurrences?noteName=projects/example_project/notes/htmlLinter&resourceUri=demoProjectJekyll']){
                    sh label: 'html-linter', script: 'htmlproofer _site'
                }

                // Docker build
                in_toto_wrap(['stepName': 'docker-build',
                'keyPath': '/keys/carl',
                'transport': 'grafeas+https://<GRAFEAS>/v1beta1/projects/example_project/occurrences?noteName=projects/example_project/notes/dockerBuild&resourceUri=demoProjectJekyll']){
                    sh label: 'docker-build', script: 'docker build --iidfile docker_container_id -t jekyll-demo .'
                }
            }
        }
    }
}

This relies on in-toto-java with in-toto/in-toto-java#19.

[SantiagoTorres]

I think there are some minor naming nits, but it's looking good!

[SantiagoTorres]

Thank you for your updates! I think there is just one outstanding comment and figure out why the build is failing and we can merge...

[adityasaky]

The build seems to fail here: https://ci.jenkins.io/blue/organizations/jenkins/Plugins%2Fin-toto-plugin/detail/PR-10/12/pipeline#log-146

Which means it's not seeing the changes at in-toto/in-toto-java#19. Investigating...

[adityasaky]

Resolved! It's also worth noting that I was able to successfully reverse the grafeas in-toto format to the regular in-toto serialization, and verify the signature. :)

[SantiagoTorres]

I think we are almost there. I just have an overarching question.

[SantiagoTorres]

awesome, LGTM. Merging!