Add command contract info build to display GitHub attestation (experimental) (#1957)

Author: fnando

FULL_HELP_DOCS.md

@@ -524,6 +524,7 @@ Access info about contracts
 * `interface` — Output the interface of a contract
 * `meta` — Output the metadata stored in a contract
 * `env-meta` — Output the env required metadata stored in a contract
+* `build` — Output the contract build information, if available
 
 
 
@@ -647,6 +648,28 @@ Outputs no data when no data is present in the contract.
 
 
 
+## `stellar contract info build`
+
+Output the contract build information, if available.
+
+If the contract has a meta entry like `source_repo=github:user/repo`, this command will try to fetch the attestation information for the WASM file.
+
+**Usage:** `stellar contract info build [OPTIONS] <--wasm <WASM>|--wasm-hash <WASM_HASH>|--contract-id <CONTRACT_ID>>`
+
+###### **Options:**
+
+* `--wasm <WASM>` — Wasm file path on local filesystem. Provide this OR `--wasm-hash` OR `--contract-id`
+* `--wasm-hash <WASM_HASH>` — Hash of Wasm blob on a network. Provide this OR `--wasm` OR `--contract-id`
+* `--contract-id <CONTRACT_ID>` — Contract ID/alias on a network. Provide this OR `--wasm-hash` OR `--wasm`
+* `--rpc-url <RPC_URL>` — RPC server endpoint
+* `--rpc-header <RPC_HEADERS>` — RPC Header(s) to include in requests to the RPC provider
+* `--network-passphrase <NETWORK_PASSPHRASE>` — Network passphrase to sign the transaction sent to the rpc server
+* `-n`, `--network <NETWORK>` — Name of network to use from config
+* `--global` — Use global config
+* `--config-dir <CONFIG_DIR>` — Location of config directory, default is "."
+
+
+
 ## `stellar contract init`
 
 Initialize a Soroban contract project.

cmd/soroban-cli/src/commands/contract/info.rs

@@ -2,6 +2,7 @@ use std::fmt::Debug;
 
 use crate::commands::global;
 
+pub mod build;
 pub mod env_meta;
 pub mod interface;
 pub mod meta;
@@ -49,26 +50,38 @@ pub enum Cmd {
     ///
     /// Outputs no data when no data is present in the contract.
     EnvMeta(env_meta::Cmd),
+
+    /// Output the contract build information, if available.
+    ///
+    /// If the contract has a meta entry like `source_repo=github:user/repo`, this command will try
+    /// to fetch the attestation information for the WASM file.
+    Build(build::Cmd),
 }
 
 #[derive(thiserror::Error, Debug)]
 pub enum Error {
     #[error(transparent)]
     Interface(#[from] interface::Error),
+
     #[error(transparent)]
     Meta(#[from] meta::Error),
+
     #[error(transparent)]
     EnvMeta(#[from] env_meta::Error),
+
+    #[error(transparent)]
+    Build(#[from] build::Error),
 }
 
 impl Cmd {
     pub async fn run(&self, global_args: &global::Args) -> Result<(), Error> {
-        let result = match &self {
+        match &self {
             Cmd::Interface(interface) => interface.run(global_args).await?,
             Cmd::Meta(meta) => meta.run(global_args).await?,
             Cmd::EnvMeta(env_meta) => env_meta.run(global_args).await?,
+            Cmd::Build(build) => build.run(global_args).await?,
         };
-        println!("{result}");
+
         Ok(())
     }
 }

cmd/soroban-cli/src/commands/contract/info/build.rs

@@ -0,0 +1,261 @@
+use super::shared::{self, Fetched};
+use crate::commands::contract::info::shared::fetch;
+use crate::{commands::global, print::Print, utils::http};
+use base64::Engine as _;
+use clap::{command, Parser};
+use sha2::{Digest, Sha256};
+use soroban_spec_tools::contract;
+use soroban_spec_tools::contract::Spec;
+use std::fmt::Debug;
+use stellar_xdr::curr::{ScMetaEntry, ScMetaV0};
+
+#[derive(Parser, Debug, Clone)]
+#[group(skip)]
+pub struct Cmd {
+    #[command(flatten)]
+    pub common: shared::Args,
+}
+
+#[derive(thiserror::Error, Debug)]
+pub enum Error {
+    #[error(transparent)]
+    Wasm(#[from] shared::Error),
+
+    #[error(transparent)]
+    Spec(#[from] contract::Error),
+
+    #[error("'source_repo' meta entry is not stored in the contract")]
+    SourceRepoNotSpecified,
+
+    #[error("'source_repo' meta entry '{0}' has prefix unsupported, only 'github:' supported")]
+    SourceRepoUnsupported(String),
+
+    #[error(transparent)]
+    Json(#[from] serde_json::Error),
+
+    #[error(transparent)]
+    Reqwest(#[from] reqwest::Error),
+
+    #[error("GitHub attestation not found")]
+    AttestationNotFound,
+
+    #[error("GitHub attestation invalid")]
+    AttestationInvalid,
+
+    #[error("Stellar asset contract doesn't contain meta information")]
+    NoSACMeta(),
+}
+
+impl Cmd {
+    pub async fn run(&self, global_args: &global::Args) -> Result<(), Error> {
+        let print = Print::new(global_args.quiet);
+        print.warnln("\x1b[31mThis command displays information about the GitHub Actions run that attested to have built the wasm, and does not verify the source code. Please review the run, its workflow, and source code.\x1b[0m".to_string());
+
+        let Fetched { contract, .. } = fetch(&self.common, &print).await?;
+
+        let bytes = match contract {
+            shared::Contract::Wasm { wasm_bytes } => wasm_bytes,
+            shared::Contract::StellarAssetContract => return Err(Error::NoSACMeta()),
+        };
+
+        let wasm_hash = Sha256::digest(&bytes);
+        let wasm_hash_hex = hex::encode(wasm_hash);
+        print.infoln(format!("Wasm Hash: {wasm_hash_hex}"));
+
+        let spec = Spec::new(&bytes)?;
+        let Some(source_repo) = spec.meta.iter().find_map(|meta_entry| {
+            let ScMetaEntry::ScMetaV0(ScMetaV0 { key, val }) = meta_entry;
+            if key.to_string() == "source_repo" {
+                Some(val.to_string())
+            } else {
+                None
+            }
+        }) else {
+            return Err(Error::SourceRepoNotSpecified);
+        };
+        print.infoln(format!("Source Repo: {source_repo}"));
+        let Some(github_source_repo) = source_repo.strip_prefix("github:") else {
+            return Err(Error::SourceRepoUnsupported(source_repo));
+        };
+
+        let url = format!(
+            "https://api.github.com/repos/{github_source_repo}/attestations/sha256:{wasm_hash_hex}"
+        );
+        print.infoln(format!("Collecting GitHub attestation from {url}"));
+        let resp = http::client().get(url).send().await?;
+        let resp: gh_attest_resp::Root = resp.json().await?;
+        let Some(attestation) = resp.attestations.first() else {
+            return Err(Error::AttestationNotFound);
+        };
+        let Ok(payload) = base64::engine::general_purpose::STANDARD
+            .decode(&attestation.bundle.dsse_envelope.payload)
+        else {
+            return Err(Error::AttestationInvalid);
+        };
+        let payload: gh_payload::Root = serde_json::from_slice(&payload)?;
+        print.checkln("Attestation found linked to GitHub Actions Workflow Run:");
+        let workflow_repo = payload
+            .predicate
+            .build_definition
+            .external_parameters
+            .workflow
+            .repository;
+        let workflow_ref = payload
+            .predicate
+            .build_definition
+            .external_parameters
+            .workflow
+            .ref_field;
+        let workflow_path = payload
+            .predicate
+            .build_definition
+            .external_parameters
+            .workflow
+            .path;
+        let git_commit = &payload
+            .predicate
+            .build_definition
+            .resolved_dependencies
+            .first()
+            .unwrap()
+            .digest
+            .git_commit;
+        let runner_environment = payload
+            .predicate
+            .build_definition
+            .internal_parameters
+            .github
+            .runner_environment
+            .as_str();
+        print.blankln(format!(" \x1b[34mRepository:\x1b[0m {workflow_repo}"));
+        print.blankln(format!(" \x1b[34mRef:\x1b[0m        {workflow_ref}"));
+        print.blankln(format!(" \x1b[34mPath:\x1b[0m       {workflow_path}"));
+        print.blankln(format!(" \x1b[34mGit Commit:\x1b[0m {git_commit}"));
+        match runner_environment
+        {
+            runner @ "github-hosted" => print.blankln(format!(" \x1b[34mRunner:\x1b[0m     {runner}")),
+            runner => print.warnln(format!(" \x1b[34mRunner:\x1b[0m     {runner} (runners not hosted by GitHub could have any configuration or environmental changes)")),
+        }
+        print.blankln(format!(
+            " \x1b[34mRun:\x1b[0m        {}",
+            payload.predicate.run_details.metadata.invocation_id
+        ));
+        print.globeln(format!(
+            "View the workflow at {workflow_repo}/blob/{git_commit}/{workflow_path}"
+        ));
+        print.globeln(format!(
+            "View the repo at {workflow_repo}/tree/{git_commit}"
+        ));
+
+        Ok(())
+    }
+}
+
+mod gh_attest_resp {
+    use serde::Deserialize;
+    use serde::Serialize;
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct Root {
+        pub attestations: Vec<Attestation>,
+    }
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct Attestation {
+        pub bundle: Bundle,
+    }
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct Bundle {
+        pub dsse_envelope: DsseEnvelope,
+    }
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct DsseEnvelope {
+        pub payload: String,
+    }
+}
+
+mod gh_payload {
+    use serde::Deserialize;
+    use serde::Serialize;
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct Root {
+        pub predicate_type: String,
+        pub predicate: Predicate,
+    }
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct Predicate {
+        pub build_definition: BuildDefinition,
+        pub run_details: RunDetails,
+    }
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct BuildDefinition {
+        pub external_parameters: ExternalParameters,
+        pub internal_parameters: InternalParameters,
+        pub resolved_dependencies: Vec<ResolvedDependency>,
+    }
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct ExternalParameters {
+        pub workflow: Workflow,
+    }
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct Workflow {
+        #[serde(rename = "ref")]
+        pub ref_field: String,
+        pub repository: String,
+        pub path: String,
+    }
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct InternalParameters {
+        pub github: Github,
+    }
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct Github {
+        #[serde(rename = "runner_environment")]
+        pub runner_environment: String,
+    }
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct ResolvedDependency {
+        pub uri: String,
+        pub digest: Digest,
+    }
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct Digest {
+        pub git_commit: String,
+    }
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct RunDetails {
+        pub metadata: Metadata,
+    }
+
+    #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct Metadata {
+        pub invocation_id: String,
+    }
+}

cmd/soroban-cli/src/commands/contract/info/env_meta.rs

@@ -41,7 +41,7 @@ pub enum Error {
 }
 
 impl Cmd {
-    pub async fn run(&self, global_args: &global::Args) -> Result<String, Error> {
+    pub async fn run(&self, global_args: &global::Args) -> Result<(), Error> {
         let print = Print::new(global_args.quiet);
         let Fetched { contract, .. } = fetch(&self.common, &print).await?;
 
@@ -79,6 +79,8 @@ impl Cmd {
             }
         };
 
-        Ok(res)
+        println!("{res}");
+
+        Ok(())
     }
 }

cmd/soroban-cli/src/commands/contract/info/interface.rs

@@ -44,7 +44,7 @@ pub enum Error {
 }
 
 impl Cmd {
-    pub async fn run(&self, global_args: &global::Args) -> Result<String, Error> {
+    pub async fn run(&self, global_args: &global::Args) -> Result<(), Error> {
         let print = Print::new(global_args.quiet);
         let Fetched { contract, .. } = fetch(&self.common, &print).await?;
 
@@ -72,6 +72,8 @@ impl Cmd {
                 .expect("Unexpected spec format error"),
         };
 
-        Ok(res)
+        println!("{res}");
+
+        Ok(())
     }
 }