add initial policy info method
Signed-off-by: Meredith Lancaster <malancas@github.com>
This commit is contained in:
Meredith Lancaster
parent
6d4c74b252
commit
07e9a4a19d
2 changed files with 29 additions and 3 deletions
|
|
@ -49,3 +49,29 @@ func (c EnforcementCriteria) Valid() error {
|
|||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c EnforcementCriteria) PrintPolicyInformation() string {
|
||||
info := fmt.Sprintf(`
|
||||
The following policy enforcement criteria will be checked against all attestations:
|
||||
- Attestation predicate type must match %s
|
||||
- Attestation must be signed by a certificate whose OIDC issuer matches %s
|
||||
- Attestation must be associated with an artifact built in an organization whose URI is %s
|
||||
`, c.PredicateType, c.Certificate.Issuer, c.Certificate.SourceRepositoryOwnerURI)
|
||||
|
||||
if c.Certificate.SourceRepositoryURI != "" {
|
||||
info += fmt.Sprintf("- Attestation must be associated with an artifact built in a repository whose URI is %s", c.Certificate.SourceRepositoryURI)
|
||||
}
|
||||
|
||||
if c.Certificate.RunnerEnvironment == GitHubRunner {
|
||||
info += "- Attestation must be signed by a certificate that was generated by a Action workflow executed in a GitHub hosted runner"
|
||||
}
|
||||
|
||||
if c.SANRegex != "" {
|
||||
info += fmt.Sprintf("- Attestation must be signed by a certificate with a Subject Alternative Name matching the regex %s", c.SANRegex)
|
||||
}
|
||||
if c.SAN != "" {
|
||||
info += fmt.Sprintf("- Attestation must be signed by a certificate with a Subject Alternative Name matching the exact value %s", c.SAN)
|
||||
}
|
||||
|
||||
return info
|
||||
}
|
||||
|
|
|
|||
|
|
@ -22,7 +22,9 @@ func expandToGitHubURL(tenant, ownerOrRepo string) string {
|
|||
}
|
||||
|
||||
func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, error) {
|
||||
var c verification.EnforcementCriteria
|
||||
c := verification.EnforcementCriteria{
|
||||
PredicateType: opts.PredicateType,
|
||||
}
|
||||
|
||||
// Set SANRegex using either the opts.SignerRepo or opts.SignerWorkflow values
|
||||
if opts.SignerRepo != "" {
|
||||
|
|
@ -80,8 +82,6 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er
|
|||
c.Certificate.Issuer = opts.OIDCIssuer
|
||||
}
|
||||
|
||||
c.PredicateType = opts.PredicateType
|
||||
|
||||
return c, nil
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue