Support attachment in jf evd verify and get commands

Author: mnsboev

evidence/get/get_base.go

@@ -9,7 +9,7 @@ import (
 	"github.com/jfrog/jfrog-client-go/utils/log"
 )
 
-const SchemaVersion = "1.0"
+const SchemaVersion = "1.1"
 
 type SubjectType string // Types in GetEvidence output
 
@@ -33,15 +33,23 @@ type JsonlLine struct {
 }
 
 type EvidenceEntry struct {
-	PredicateSlug string         `json:"predicateSlug"`
-	PredicateType string         `json:"predicateType,omitempty"`
-	DownloadPath  string         `json:"downloadPath"`
-	Verified      bool           `json:"verified"`
-	SigningKey    map[string]any `json:"signingKey,omitempty"`
-	Subject       map[string]any `json:"subject"`
-	CreatedBy     string         `json:"createdBy"`
-	CreatedAt     string         `json:"createdAt"`
-	Predicate     map[string]any `json:"predicate,omitempty"`
+	PredicateSlug string               `json:"predicateSlug"`
+	PredicateType string               `json:"predicateType,omitempty"`
+	DownloadPath  string               `json:"downloadPath"`
+	Verified      bool                 `json:"verified"`
+	SigningKey    map[string]any       `json:"signingKey,omitempty"`
+	Subject       map[string]any       `json:"subject"`
+	CreatedBy     string               `json:"createdBy"`
+	CreatedAt     string               `json:"createdAt"`
+	Predicate     map[string]any       `json:"predicate,omitempty"`
+	Attachments   []EvidenceAttachment `json:"attachments,omitempty"`
+}
+
+type EvidenceAttachment struct {
+	Name         string `json:"name"`
+	Sha256       string `json:"sha256"`
+	Type         string `json:"type,omitempty"`
+	DownloadPath string `json:"downloadPath"`
 }
 
 type CustomEvidenceResult struct {
@@ -276,5 +284,47 @@ func createOrderedEvidenceEntry(node map[string]any, includePredicate bool) Evid
 		}
 	}
 
+	if attachments, ok := extractEvidenceAttachments(node); ok {
+		entry.Attachments = attachments
+	}
+
 	return entry
 }
+
+func extractEvidenceAttachments(node map[string]any) ([]EvidenceAttachment, bool) {
+	attachmentsRaw, exists := node["attachments"]
+	if !exists || attachmentsRaw == nil {
+		return nil, false
+	}
+
+	items, ok := attachmentsRaw.([]any)
+	if !ok || len(items) == 0 {
+		return nil, false
+	}
+
+	attachments := make([]EvidenceAttachment, 0, len(items))
+	for _, item := range items {
+		attMap, ok := item.(map[string]any)
+		if !ok {
+			continue
+		}
+
+		name, _ := attMap["name"].(string)
+		sha256, _ := attMap["sha256"].(string)
+		downloadPath, _ := attMap["downloadPath"].(string)
+
+		mimeType, _ := attMap["type"].(string)
+
+		attachments = append(attachments, EvidenceAttachment{
+			Name:         name,
+			Sha256:       sha256,
+			Type:         mimeType,
+			DownloadPath: downloadPath,
+		})
+	}
+
+	if len(attachments) == 0 {
+		return nil, false
+	}
+	return attachments, true
+}

evidence/get/get_base_test.go

@@ -178,3 +178,31 @@ func TestExportEvidenceToConsole(t *testing.T) {
 	err = exportEvidenceToJsonlFile(inputJSON, "")
 	assert.NoError(t, err)
 }
+
+func TestCreateOrderedEvidenceEntry_Attachments(t *testing.T) {
+	entry := createOrderedEvidenceEntry(map[string]any{
+		"predicateSlug": "slug",
+		"attachments": []any{
+			map[string]any{
+				"name":         "a.txt",
+				"sha256":       "abc",
+				"type":         "text/plain",
+				"downloadPath": "repo/.evidence/a.txt",
+			},
+		},
+	}, false)
+
+	if assert.Len(t, entry.Attachments, 1) {
+		assert.Equal(t, "a.txt", entry.Attachments[0].Name)
+		assert.Equal(t, "abc", entry.Attachments[0].Sha256)
+		assert.Equal(t, "text/plain", entry.Attachments[0].Type)
+	}
+}
+
+func TestCreateOrderedEvidenceEntry_NoAttachmentsFieldWhenEmpty(t *testing.T) {
+	entry := createOrderedEvidenceEntry(map[string]any{
+		"predicateSlug": "slug",
+		"attachments":   []any{},
+	}, false)
+	assert.Nil(t, entry.Attachments)
+}

evidence/get/get_custom.go

@@ -10,11 +10,11 @@ import (
 	"github.com/jfrog/jfrog-cli-core/v2/artifactory/utils"
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 	"github.com/jfrog/jfrog-cli-evidence/evidence"
+	evidenceutils "github.com/jfrog/jfrog-cli-evidence/evidence/utils"
 	"github.com/jfrog/jfrog-client-go/onemodel"
 )
 
-const getCustomEvidenceWithoutPredicateGraphqlQuery = `{"query":"{ evidence { searchEvidence( where: { hasSubjectWith: { repositoryKey: \"%s\", path: \"%s\", name: \"%s\"}} ) { totalCount edges { node { predicateSlug predicateType downloadPath verified signingKey { alias } createdBy createdAt subject { sha256 } } } } } }"}`
-const getCustomEvidenceWithPredicateGraphqlQuery = `{"query":"{ evidence { searchEvidence( where: { hasSubjectWith: { repositoryKey: \"%s\", path: \"%s\", name: \"%s\"}} ) { totalCount edges { node { predicateSlug predicateType downloadPath verified signingKey { alias } createdBy createdAt subject { sha256 } predicate } } } } }"}`
+const getCustomEvidenceQueryTemplate = `{"query":"{ evidence { searchEvidence( where: { hasSubjectWith: { repositoryKey: \"%s\", path: \"%s\", name: \"%s\"}} ) { totalCount edges { node { ` + evidenceutils.NodeFieldsPlaceholder + ` } } } } }"}`
 
 type getEvidenceCustom struct {
 	getEvidenceBase
@@ -66,13 +66,25 @@ func (g *getEvidenceCustom) Run() error {
 }
 
 func (g *getEvidenceCustom) getEvidence(onemodelClient onemodel.Manager) ([]byte, error) {
-	query, err := g.buildGraphqlQuery(g.subjectRepoPath)
+	query, err := g.buildGraphqlQuery(g.subjectRepoPath, true)
 	if err != nil {
 		return nil, err
 	}
 	evidence, err := onemodelClient.GraphqlQuery(query)
 	if err != nil {
-		return nil, err
+		if evidenceutils.IsAttachmentsFieldNotFound(err) {
+			log.Debug("GraphQL schema does not support attachments field. Falling back to query without attachments.")
+			queryWithoutAttachments, qErr := g.buildGraphqlQuery(g.subjectRepoPath, false)
+			if qErr != nil {
+				return nil, qErr
+			}
+			evidence, err = onemodelClient.GraphqlQuery(queryWithoutAttachments)
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			return nil, err
+		}
 	}
 
 	transformedEvidence, err := g.transformGraphQLOutput(evidence)
@@ -136,23 +148,30 @@ func (g *getEvidenceCustom) transformGraphQLOutput(rawEvidence []byte) ([]byte,
 	return transformed, nil
 }
 
-func (g *getEvidenceCustom) buildGraphqlQuery(subjectRepoPath string) ([]byte, error) {
-	repoKey, path, name, err := g.getRepoKeyAndPath(subjectRepoPath)
+func (g *getEvidenceCustom) buildGraphqlQuery(subjectRepoPath string, includeAttachments bool) ([]byte, error) {
+	repoKey, pathVal, name, err := g.getRepoKeyAndPath(subjectRepoPath)
 	if err != nil {
 		return nil, err
 	}
-	graphqlQuery := fmt.Sprintf(g.getGraphqlQuery(g.includePredicate), repoKey, path, name)
+	nodeFields := evidenceutils.NewNodeFieldsBuilder(
+		evidenceutils.FieldPredicateSlug,
+		evidenceutils.FieldPredicateType,
+		evidenceutils.FieldDownloadPath,
+		evidenceutils.FieldVerified,
+		evidenceutils.FieldSigningKeyAlias,
+		evidenceutils.FieldCreatedBy,
+		evidenceutils.FieldCreatedAt,
+		evidenceutils.FieldSubjectSha256,
+	).
+		WithIf(includeAttachments, evidenceutils.AttachmentsFragment).
+		WithIf(g.includePredicate, evidenceutils.FieldPredicate).
+		Build()
+	queryTemplate := evidenceutils.BuildQuery(getCustomEvidenceQueryTemplate, nodeFields)
+	graphqlQuery := fmt.Sprintf(queryTemplate, repoKey, pathVal, name)
 	log.Debug("GraphQL query: ", graphqlQuery)
 	return []byte(graphqlQuery), nil
 }
 
-func (g *getEvidenceCustom) getGraphqlQuery(includePredicate bool) string {
-	if includePredicate {
-		return getCustomEvidenceWithPredicateGraphqlQuery
-	}
-	return getCustomEvidenceWithoutPredicateGraphqlQuery
-}
-
 func (g *getEvidenceCustom) getRepoKeyAndPath(subjectRepoPath string) (string, string, string, error) {
 	firstSlashIndex := strings.Index(subjectRepoPath, "/")
 	if firstSlashIndex <= 0 || firstSlashIndex == len(subjectRepoPath)-1 {

evidence/get/get_custom_test.go

@@ -3,7 +3,6 @@ package get
 import (
 	"encoding/json"
 	"fmt"
-	"log"
 	"net/http"
 	"testing"
 
@@ -27,6 +26,19 @@ func (m *mockOnemodelManagerCustomError) GraphqlQuery(_ []byte) ([]byte, error)
 	return nil, fmt.Errorf("HTTP %d: Not Found", http.StatusNotFound)
 }
 
+type mockOnemodelManagerCustomFallback struct {
+	calls int
+}
+
+func (m *mockOnemodelManagerCustomFallback) GraphqlQuery(_ []byte) ([]byte, error) {
+	m.calls++
+	if m.calls == 1 {
+		return nil, fmt.Errorf(`{"errors":[{"message":"Cannot query field \"attachments\" on type \"Evidence\"."}]}`)
+	}
+	response := `{"data":{"evidence":{"searchEvidence":{"totalCount":1,"edges":[{"cursor":"1","node":{"predicateSlug":"test-slug","downloadPath":"test/path","verified":true,"signingKey":{"alias":"test-alias"},"subject":{"sha256":"test-digest"},"createdBy":"test-user","createdAt":"2024-01-01T00:00:00Z"}}]}}}}`
+	return []byte(response), nil
+}
+
 func validatePredicateEvidence(t *testing.T, result []byte) {
 	var output CustomEvidenceOutput
 	err := json.Unmarshal(result, &output)
@@ -74,22 +86,19 @@ func TestNewGetEvidenceCustom(t *testing.T) {
 // Test getEvidence method
 func TestGetCustomEvidence(t *testing.T) {
 	tests := []struct {
-		name                string
-		onemodelClient      onemodel.Manager
-		expectedError       bool
-		expectedEvidenceLen int
+		name           string
+		onemodelClient onemodel.Manager
+		expectedError  bool
 	}{
 		{
-			name:                "Successful evidence retrieval",
-			onemodelClient:      &mockOnemodelManagerCustomSuccess{},
-			expectedError:       false,
-			expectedEvidenceLen: 1,
+			name:           "Successful evidence retrieval",
+			onemodelClient: &mockOnemodelManagerCustomSuccess{},
+			expectedError:  false,
 		},
 		{
-			name:                "Error retrieving evidence",
-			onemodelClient:      &mockOnemodelManagerCustomError{},
-			expectedError:       true,
-			expectedEvidenceLen: 0,
+			name:           "Error retrieving evidence",
+			onemodelClient: &mockOnemodelManagerCustomError{},
+			expectedError:  true,
 		},
 	}
 
@@ -112,23 +121,20 @@ func TestGetCustomEvidence(t *testing.T) {
 				assert.Empty(t, evidence)
 			} else {
 				assert.NoError(t, err)
-				assert.NotEmpty(t, evidence)
-
-				// Additional check on the number of edges in the result
-				var data map[string]any
-				if err := json.Unmarshal(evidence, &data); err == nil {
-					if evidenceData, ok := data["data"].(map[string]any); ok {
-						if evidenceNode, ok := evidenceData["evidence"].(map[string]any); ok {
-							if searchEvidence, ok := evidenceNode["searchEvidence"].(map[string]any); ok {
-								edgesInterface, ok := searchEvidence["edges"].([]any)
-								if !ok {
-									log.Fatalf("Type assertion failed: expected []any")
-								}
-								edges := edgesInterface
-								assert.Equal(t, tt.expectedEvidenceLen, len(edges))
-							}
-						}
-					}
+
+				var output CustomEvidenceOutput
+				assert.NoError(t, json.Unmarshal(evidence, &output))
+				assert.Equal(t, SchemaVersion, output.SchemaVersion)
+				assert.Equal(t, ArtifactType, output.Type)
+				assert.Equal(t, "myRepo/my/path", output.Result.RepoPath)
+
+				if assert.Len(t, output.Result.Evidence, 1) {
+					entry := output.Result.Evidence[0]
+					assert.Equal(t, "test-slug", entry.PredicateSlug)
+					assert.Equal(t, "test/path", entry.DownloadPath)
+					assert.Equal(t, true, entry.Verified)
+					assert.Equal(t, "test-user", entry.CreatedBy)
+					assert.Equal(t, "2024-01-01T00:00:00Z", entry.CreatedAt)
 				}
 			}
 		})
@@ -311,3 +317,91 @@ func TestTransformGraphQLOutput(t *testing.T) {
 		})
 	}
 }
+
+func TestGetCustomEvidence_FallbackToLegacyQueryWhenAttachmentsUnsupported(t *testing.T) {
+	manager := &mockOnemodelManagerCustomFallback{}
+	g := &getEvidenceCustom{
+		subjectRepoPath: "myRepo/my/path",
+		getEvidenceBase: getEvidenceBase{
+			includePredicate: true,
+		},
+	}
+
+	evidence, err := g.getEvidence(manager)
+	assert.NoError(t, err)
+	assert.Equal(t, 2, manager.calls, "should have made 2 GraphQL calls (initial + fallback)")
+
+	var output CustomEvidenceOutput
+	assert.NoError(t, json.Unmarshal(evidence, &output))
+	assert.Equal(t, SchemaVersion, output.SchemaVersion)
+	assert.Equal(t, ArtifactType, output.Type)
+
+	if assert.Len(t, output.Result.Evidence, 1) {
+		entry := output.Result.Evidence[0]
+		assert.Equal(t, "test-slug", entry.PredicateSlug)
+		assert.Equal(t, "test/path", entry.DownloadPath)
+		assert.Equal(t, true, entry.Verified)
+		assert.Equal(t, "test-user", entry.CreatedBy)
+	}
+}
+
+func TestTransformGraphQLOutput_WithAttachments(t *testing.T) {
+	g := &getEvidenceCustom{
+		subjectRepoPath: "test-repo/path/file.txt",
+		getEvidenceBase: getEvidenceBase{
+			includePredicate: false,
+		},
+	}
+
+	input := []byte(`{
+		"data": {
+			"evidence": {
+				"searchEvidence": {
+					"edges": [{
+						"node": {
+							"predicateSlug": "slug",
+							"downloadPath": "evd/path",
+							"verified": true,
+							"subject": {"sha256": "sub-sha"},
+							"createdBy": "me",
+							"createdAt": "2026-01-01T00:00:00Z",
+							"attachments": [{
+								"name": "a.txt",
+								"sha256": "abc",
+								"type": "text/plain",
+								"downloadPath": "repo/.evidence/att/a.txt"
+							}]
+						}
+					}]
+				}
+			}
+		}
+	}`)
+
+	result, err := g.transformGraphQLOutput(input)
+	assert.NoError(t, err)
+
+	var output CustomEvidenceOutput
+	assert.NoError(t, json.Unmarshal(result, &output))
+
+	assert.Equal(t, SchemaVersion, output.SchemaVersion)
+	assert.Equal(t, ArtifactType, output.Type)
+	assert.Equal(t, "test-repo/path/file.txt", output.Result.RepoPath)
+
+	if assert.Len(t, output.Result.Evidence, 1) {
+		entry := output.Result.Evidence[0]
+		assert.Equal(t, "slug", entry.PredicateSlug)
+		assert.Equal(t, "evd/path", entry.DownloadPath)
+		assert.Equal(t, true, entry.Verified)
+		assert.Equal(t, "me", entry.CreatedBy)
+		assert.Equal(t, "2026-01-01T00:00:00Z", entry.CreatedAt)
+
+		if assert.Len(t, entry.Attachments, 1) {
+			att := entry.Attachments[0]
+			assert.Equal(t, "a.txt", att.Name)
+			assert.Equal(t, "abc", att.Sha256)
+			assert.Equal(t, "text/plain", att.Type)
+			assert.Equal(t, "repo/.evidence/att/a.txt", att.DownloadPath)
+		}
+	}
+}