From 0fd09eb5ffe42fa780979f134ab9e42fa41e2a2d Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Thu, 21 Nov 2024 15:30:41 -0700
Subject: [PATCH] pr feedback

Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verification/extensions.go | 1 +
 .../attestation/verify/attestation_integration_test.go | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go
index cc21d5ea0..2958408d0 100644
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@@ -13,6 +13,7 @@ var (
 	GitHubTenantOIDCIssuer = "https://token.actions.%s.ghe.com"
 )
 
+// VerifyCertExtensions allows us to perform case insensitive comparisons of certificate extensions
 func VerifyCertExtensions(results []*AttestationProcessingResult, ec EnforcementCriteria) ([]*AttestationProcessingResult, error) {
 	if len(results) == 0 {
 		return nil, errors.New("no attestations processing results")
diff --git a/pkg/cmd/attestation/verify/attestation_integration_test.go b/pkg/cmd/attestation/verify/attestation_integration_test.go
index 64d02984d..f07fb2c1e 100644
--- a/pkg/cmd/attestation/verify/attestation_integration_test.go
+++ b/pkg/cmd/attestation/verify/attestation_integration_test.go
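Review bot: The new doc comment on VerifyCertExtensions describes one implementation detail (case-insensitive comparison) rather than the function's contract, and "allows us to" is not the Go doc-comment form, which states what the function does in a full sentence ending in a period. From the signature and the empty-input check visible in the hunk, something like `// VerifyCertExtensions returns the results whose certificate extensions satisfy the enforcement criteria ec, comparing extension values case-insensitively. It returns an error when results is empty.` would tell a caller what to expect; the filtering behaviour itself is only inferred from the signature and the accompanying test, so confirm the wording against the body. The rest of VerifyCertExtensions lies outside the hunk.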
@@ -86,12 +86,20 @@ func TestVerifyAttestations(t *testing.T) { rwfResult := verification.BuildMockResult(reusableWorkflowAttestations[0].Bundle, "", "https://github.com/malancas", "", verification.GitHubOIDCIssuer) sgjResult := verification.BuildDefaultMockResult(t) mockResults := []*verification.AttestationProcessingResult{&sgjResult, &rwfResult, &sgjResult} - mockSgVerifier := verification.NewMockSigstoreVerifier(t, mockResults) + + // we want to test that attestations that pass Sigstore verification but fail + // cert extension verification are filtered out properly in the second step + // in verifyAttestations. By using a mock Sigstore verifier, we can ensure + // that the call to verification.VerifyCertExtensions in verifyAttestations + // is filtering out attestations as expected results, errMsg, err := verifyAttestations(*a, attestations, mockSgVerifier, ec) require.NoError(t, err) require.Zero(t, errMsg) require.Len(t, results, 2) + for _, result := range results { + require.NotEqual(t, result.Attestation.Bundle, reusableWorkflowAttestations[0].Bundle) + } }) t.Run("fails verification when cert extension verification fails", func(t *testing.T) {
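Review bot: The loop added at the end of the hunk only asserts that no surviving result carries the reusable-workflow bundle, which would also pass if the filter dropped everything but a third, unexpected result; since mockResults is built solely from &sgjResult and &rwfResult, a positive check pins the filter more tightly, e.g. `require.Equal(t, sgjResult.Attestation.Bundle, result.Attestation.Bundle)` inside the loop next to the existing NotEqual. Note also that &sgjResult appears twice in mockResults, so the two results that remain after require.Len are the same pointer, which is fine for this assertion but worth a one-line comment so a later reader does not expect two distinct results. The added comment block could end with a period to match the file's other comments. The enclosing subtest closure and TestVerifyAttestations begin before the hunk.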