From 580ddf69979777481acd2b4d0cff92eb8795a204 Mon Sep 17 00:00:00 2001
From: ejahnGithub
Date: Tue, 30 Jul 2024 13:14:16 -0700
Subject: [PATCH] minor fix
---
 pkg/cmd/attestation/verification/extensions.go | 13 +++++++------
 pkg/cmd/attestation/verify/policy.go | 11 ++++------
 2 files changed, 11 insertions(+), 13 deletions(-)
diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go
index cadb2668f..6d093a5d7 100644
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@@ -7,15 +7,16 @@ import (
 func VerifyCertExtensions(results []*AttestationProcessingResult, owner string, repo string) error {
 for _, attestation := range results {
- if owner != "" {
- expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner)
- sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
- if sourceRepositoryOwnerURI != "" && !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
- return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
- }
+ // TODO: handle proxima prefix
+ expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner)
+ sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
+ if sourceRepositoryOwnerURI != "" && !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
+ return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
 }
+ // if repo is set, check the SourceRepositoryURI field
 if repo != "" {
+ // TODO: handle proxima prefix
 expectedSourceRepositoryURI := fmt.Sprintf("https://github.com/%s", repo)
 sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI
 if sourceRepositoryURI != "" && !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) {
diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go
index 938e8048f..4d850ddcc 100644
--- a/pkg/cmd/attestation/verify/policy.go
+++ b/pkg/cmd/attestation/verify/policy.go
@@ -21,6 +21,7 @@ const (
 )
 func expandToGitHubURL(ownerOrRepo string) string {
+ // TODO: handle proxima prefix
 return fmt.Sprintf("(?i)^https://github.com/%s/", ownerOrRepo)
 }
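Review bot: The new `+ if sourceRepositoryOwnerURI != "" && !strings.EqualFold(...)` line still lets an attestation through when the signing certificate carries no SourceRepositoryOwnerURI extension at all, so a certificate without that extension satisfies any owner policy; now that the `if owner != ""` guard is gone the caller is always asking for a specific owner, and a missing extension should presumably fail closed, e.g. `if !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {`. If tolerating the empty extension is deliberate for signers that do not set it, say so in a comment on that line rather than skipping silently; the `sourceRepositoryURI != ""` guard on the repo branch has the same shape. Removing the owner guard also means an empty `owner` now expects `https://github.com/` and mismatches any populated extension, which is fine only if every caller requires an owner — worth confirming. The body of VerifyCertExtensions continues past the end of the hunk.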
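Review bot: `ownerOrRepo` is interpolated unescaped into a regular expression on the `return fmt.Sprintf("(?i)^https://github.com/%s/", ownerOrRepo)` line just under the added TODO, so any regex metacharacter in an owner or repository name (a `.` in a repo name is the ordinary case) widens the SAN match beyond the literal name. Quoting keeps the match literal: `return fmt.Sprintf("(?i)^https://github.com/%s/", regexp.QuoteMeta(ownerOrRepo))`, adding `regexp` to the imports if the file does not already have it. The TODO would be more actionable if it said what the "proxima prefix" is for this URL, since nothing in the function tells a reader.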
@@ -42,12 +43,6 @@ func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error
 return verify.SubjectAlternativeNameMatcher{}, nil
 }
-func buildCertExtensions(runnerEnv string) certificate.Extensions {
- return certificate.Extensions{
- RunnerEnvironment: runnerEnv,
- }
-}
-
 func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.PolicyOption, error) {
 sanMatcher, err := buildSANMatcher(opts)
 if err != nil {
@@ -59,7 +54,9 @@ func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.Pol
 return nil, err
 }
- extensions := buildCertExtensions(runnerEnv)
+ extensions := certificate.Extensions{
+ RunnerEnvironment: runnerEnv,
+ }
 certId, err := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, extensions)
 if err != nil {
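Review bot: With the helper inlined, an empty `runnerEnv` yields an `Extensions` literal whose `RunnerEnvironment` is "", and whether `verify.NewCertificateIdentity` then treats that as "no constraint" or as "must be empty" is not visible here; if callers can pass an empty value, the intended policy should be confirmed and stated on the literal, e.g. `// RunnerEnvironment is the only certificate extension constrained here; an empty runnerEnv is meant as no constraint — confirm against NewCertificateIdentity`. The enclosing buildCertificateIdentityOption starts and ends outside the hunk.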