From 3281bd457cc5c38c4ca62ce9481f8691ea567bc0 Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Mon, 4 Nov 2024 07:32:10 -0700
Subject: [PATCH] simplify logic, add comments

Signed-off-by: Meredith Lancaster
---
 pkg/cmd/attestation/verify/policy.go | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go
index 99e3ea94e..d158cf375 100644
--- a/pkg/cmd/attestation/verify/policy.go
+++ b/pkg/cmd/attestation/verify/policy.go
@@ -25,7 +25,7 @@ func expandToGitHubURL(tenant, ownerOrRepo string) string {
 }
 
 func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, error) {
- c := verification.EnforcementCriteria{}
+ var c verification.EnforcementCriteria
 
 // Set SANRegex using either the opts.SignerRepo or opts.SignerWorkflow values
 if opts.SignerRepo != "" {
@@ -66,7 +66,7 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er
 }
 }
 
- // If the Tenant option is provided, set the SourceRepositoryOwnerURI extension
+ // If the tenant option is provided, set the SourceRepositoryOwnerURI extension
 // using the specific URI format
 if opts.Tenant != "" {
 c.Certificate.SourceRepositoryOwnerURI = fmt.Sprintf("https://%s.ghe.com/%s", opts.Tenant, opts.Owner)
@@ -74,16 +74,13 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er
 c.Certificate.SourceRepositoryOwnerURI = fmt.Sprintf("https://github.com/%s", opts.Owner)
 }
 
- // if issuer is anything other than the default, use the user-provided value;
- // otherwise, select the appropriate default based on the tenant
- if opts.OIDCIssuer != verification.GitHubOIDCIssuer {
- c.Certificate.Issuer = opts.OIDCIssuer
+ // if the tenant is provided and OIDC issuer provided matches the default
+ // use the tenant-specific issuer
+ if opts.Tenant != "" && opts.OIDCIssuer == verification.GitHubOIDCIssuer {
+ c.Certificate.Issuer = fmt.Sprintf(verification.GitHubTenantOIDCIssuer, opts.Tenant)
 } else {
- if opts.Tenant != "" {
- c.Certificate.Issuer = fmt.Sprintf(verification.GitHubTenantOIDCIssuer, opts.Tenant)
- } else {
- c.Certificate.Issuer = verification.GitHubOIDCIssuer
- }
+ // otherwise use the custom OIDC issuer provided as an option
+ c.Certificate.Issuer = opts.OIDCIssuer
 }
 
 c.PredicateType = opts.PredicateType
@@ -142,6 +139,8 @@ func validateSignerWorkflow(opts *Options) (string, error) {
 return fmt.Sprintf("^https://%s", opts.SignerWorkflow), nil
 }
 
+ // if the provided workflow did not match the expect format
+ // we move onto creating a signer workflow using the provided host name
 if opts.Hostname == "" {
 return "", errors.New("unknown host")
 }
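Review bot: The `else` branch now pins `c.Certificate.Issuer = opts.OIDCIssuer` without checking that the value is non-empty, so if the OIDCIssuer option can ever arrive as `""` (its default is not visible in this hunk) the criteria carry an empty issuer, and whether the verification package treats an empty `Issuer` as "don't check" or as a hard mismatch is not shown here — worth confirming, since this field is what binds the certificate to GitHub's identity provider. A cheap guard before the branch would be `if opts.OIDCIssuer == "" { return verification.EnforcementCriteria{}, errors.New("oidc issuer must not be empty") }` (the file already uses `errors.New` in validateSignerWorkflow). The new comment `// otherwise use the custom OIDC issuer provided as an option` is also inaccurate for the no-tenant, default-issuer path, where the value is the GitHub default rather than a custom one; `// otherwise pin the issuer passed in opts (the GitHub default unless the user overrode it)` describes both cases. newEnforcementCriteria starts before and ends after this hunk.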
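Review bot: The added comment has two wording slips — `expect format` should read `expected format`, and `move onto` should be `move on to`. Since the match it refers to happens in lines outside this hunk, naming the format helps the reader; judging by the `^https://%s` return just above, it is presumably a workflow path that already carries a host, so something like `// the workflow did not already carry a host (see the check above), so build the` / `// signer workflow regex from the provided host name instead` would say what is expected. validateSignerWorkflow starts before this hunk.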