remove artifact from EnforcementCriteria

Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-31 16:07:25 -06:00 · 2024-10-31 16:07:25 -06:00 · 6f4b5ddc40
commit 6f4b5ddc40
parent 9cdeb31fc6
4 changed files with 17 additions and 25 deletions
--- a/pkg/cmd/attestation/verification/policy.go
+++ b/pkg/cmd/attestation/verification/policy.go
@ -31,6 +31,5 @@ type Extensions struct {
 type EnforcementCriteria struct {
 	Extensions    Extensions
 	PredicateType string
-	Artifact      artifact.DigestedArtifact
 	OIDCIssuer    string
 }
--- a/pkg/cmd/attestation/verify/policy.go
+++ b/pkg/cmd/attestation/verify/policy.go
@ -25,10 +25,8 @@ func expandToGitHubURL(tenant, ownerOrRepo string) string {
 	return fmt.Sprintf("(?i)^https://%s.ghe.com/%s/", tenant, ownerOrRepo)
 }

-func newEnforcementCriteria(opts *Options, a artifact.DigestedArtifact) (verification.EnforcementCriteria, error) {
-	c := verification.EnforcementCriteria{
-		Artifact: a,
-	}
+func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, error) {
+	c := verification.EnforcementCriteria{}

 	if opts.SignerRepo != "" {
 		signedRepoRegex := expandToGitHubURL(opts.Tenant, opts.SignerRepo)
@ -98,8 +96,8 @@ func buildCertificateIdentityOption(c verification.EnforcementCriteria) (verify.
 	return verify.WithCertificateIdentity(certId), nil
 }

-func SigstorePolicy(c verification.EnforcementCriteria) (verify.PolicyBuilder, error) {
-	artifactDigestPolicyOption, err := verification.BuildDigestPolicyOption(c.Artifact)
+func SigstorePolicy(c verification.EnforcementCriteria, a artifact.DigestedArtifact) (verify.PolicyBuilder, error) {
+	artifactDigestPolicyOption, err := verification.BuildDigestPolicyOption(a)
 	if err != nil {
 		return verify.PolicyBuilder{}, err
 	}
--- a/pkg/cmd/attestation/verify/policy_test.go
+++ b/pkg/cmd/attestation/verify/policy_test.go
@ -3,8 +3,6 @@ package verify
 import (
 	"testing"

-	"github.com/cli/cli/v2/pkg/cmd/attestation/artifact"
-	"github.com/cli/cli/v2/pkg/cmd/attestation/artifact/oci"
 	"github.com/cli/cli/v2/pkg/cmd/factory"

 	"github.com/stretchr/testify/require"
@ -13,9 +11,6 @@ import (
 func TestNewEnforcementCriteria(t *testing.T) {
 	artifactPath := "../test/data/sigstore-js-2.1.0.tgz"

-	artifact, err := artifact.NewDigestedArtifact(oci.MockClient{}, artifactPath, "sha256")
-	require.NoError(t, err)
-
 	t.Run("sets SANRegex using SignerRepo", func(t *testing.T) {
 		opts := &Options{
 			ArtifactPath: artifactPath,
@ -24,7 +19,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 			SignerRepo:   "foo/bar",
 		}

-		c, err := newEnforcementCriteria(opts, *artifact)
+		c, err := newEnforcementCriteria(opts)
 		require.NoError(t, err)
 		require.Equal(t, "(?i)^https://github.com/foo/bar/", c.Extensions.SANRegex)
 		require.Zero(t, c.Extensions.SAN)
@ -39,7 +34,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 			Hostname:       "github.com",
 		}

-		c, err := newEnforcementCriteria(opts, *artifact)
+		c, err := newEnforcementCriteria(opts)
 		require.NoError(t, err)
 		require.Equal(t, "^https://github.com/foo/bar/.github/workflows/attest.yml", c.Extensions.SANRegex)
 		require.Zero(t, c.Extensions.SAN)
@ -54,7 +49,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 			SANRegex:     "(?i)^https://github/foo",
 		}

-		c, err := newEnforcementCriteria(opts, *artifact)
+		c, err := newEnforcementCriteria(opts)
 		require.NoError(t, err)
 		require.Equal(t, "https://github/foo/bar/.github/workflows/attest.yml", c.Extensions.SAN)
 		require.Equal(t, "(?i)^https://github/foo", c.Extensions.SANRegex)
@ -68,7 +63,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 			DenySelfHostedRunner: true,
 		}

-		c, err := newEnforcementCriteria(opts, *artifact)
+		c, err := newEnforcementCriteria(opts)
 		require.NoError(t, err)
 		require.Equal(t, GitHubRunner, c.Extensions.RunnerEnvironment)
 	})
@ -81,7 +76,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 			DenySelfHostedRunner: false,
 		}

-		c, err := newEnforcementCriteria(opts, *artifact)
+		c, err := newEnforcementCriteria(opts)
 		require.NoError(t, err)
 		require.Zero(t, c.Extensions.RunnerEnvironment)
 	})
@ -94,7 +89,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 			Tenant:       "baz",
 		}

-		c, err := newEnforcementCriteria(opts, *artifact)
+		c, err := newEnforcementCriteria(opts)
 		require.NoError(t, err)
 		require.Equal(t, "https://baz.ghe.com/foo/bar", c.Extensions.SourceRepositoryURI)
 	})
@ -106,7 +101,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 			Repo:         "foo/bar",
 		}

-		c, err := newEnforcementCriteria(opts, *artifact)
+		c, err := newEnforcementCriteria(opts)
 		require.NoError(t, err)
 		require.Equal(t, "https://github.com/foo/bar", c.Extensions.SourceRepositoryURI)
 	})
@ -119,7 +114,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 			Tenant:       "baz",
 		}

-		c, err := newEnforcementCriteria(opts, *artifact)
+		c, err := newEnforcementCriteria(opts)
 		require.NoError(t, err)
 		require.Equal(t, "https://baz.ghe.com/foo", c.Extensions.SourceRepositoryOwnerURI)
 	})
@ -131,7 +126,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 			Repo:         "foo/bar",
 		}

-		c, err := newEnforcementCriteria(opts, *artifact)
+		c, err := newEnforcementCriteria(opts)
 		require.NoError(t, err)
 		require.Equal(t, "https://github.com/foo", c.Extensions.SourceRepositoryOwnerURI)
 	})
@ -145,7 +140,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 			OIDCIssuer:   "https://foo.com",
 		}

-		c, err := newEnforcementCriteria(opts, *artifact)
+		c, err := newEnforcementCriteria(opts)
 		require.NoError(t, err)
 		require.Equal(t, "https://token.actions.baz.ghe.com", c.OIDCIssuer)
 	})
@ -158,7 +153,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 			OIDCIssuer:   "https://foo.com",
 		}

-		c, err := newEnforcementCriteria(opts, *artifact)
+		c, err := newEnforcementCriteria(opts)
 		require.NoError(t, err)
 		require.Equal(t, "https://foo.com", c.OIDCIssuer)
 	})
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@ -258,13 +258,13 @@ func runVerify(opts *Options) error {

 	opts.Logger.VerbosePrintf("Verifying attestations with predicate type: %s\n", opts.PredicateType)

-	ec, err := newEnforcementCriteria(opts, *artifact)
+	ec, err := newEnforcementCriteria(opts)
 	if err != nil {
 		opts.Logger.Println(opts.Logger.ColorScheme.Red("✗ Failed to build verification policy"))
 		return err
 	}

-	sp, err := SigstorePolicy(ec)
+	sp, err := SigstorePolicy(ec, *artifact)
 	if err != nil {
 		opts.Logger.Println(opts.Logger.ColorScheme.Red("✗ Failed to build Sigstore verification policy"))
 		return err