set new options in enforcement criteria

Signed-off-by: Meredith Lancaster <malancas@github.com>
2025-01-24 13:20:01 -07:00 · 2025-01-24 13:20:01 -07:00 · 728aa3d83f
commit 728aa3d83f
parent 11dc8d48f5
2 changed files with 51 additions and 1 deletions
--- a/pkg/cmd/attestation/verify/policy.go
+++ b/pkg/cmd/attestation/verify/policy.go
@ -14,6 +14,7 @@ import (
 )

 const hostRegex = `^[a-zA-Z0-9-]+\.[a-zA-Z0-9-]+.*$`
+const workflowURIRegex = `^https:\/\/[a-zA-Z0-9-]+\.[a-zA-Z0-9-]+.*\/.github\/workflows\/[a-zA-Z0-9-]+.(yml|yaml)$`

 func expandToGitHubURL(tenant, ownerOrRepo string) string {
 	if tenant == "" {
@ -66,7 +67,7 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er
 		// then we default to the repo option
 		c.SANRegex = expandToGitHubURLRegex(opts.Tenant, opts.Repo)
 	} else {
-		// if opts.Repo was not provided, we fallback to the opts.Owner value
+		// if opts.Repo was not provided, we fall back to the opts.Owner value
 		c.SANRegex = expandToGitHubURLRegex(opts.Tenant, owner)
 	}

@ -98,9 +99,44 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er
 		c.Certificate.Issuer = opts.OIDCIssuer
 	}

+	if opts.SignerDigest != "" {
+		c.Certificate.BuildSignerDigest = opts.SignerDigest
+	}
+
+	if opts.SignerRef != "" {
+		// need to build the full URI value
+		uri, err := getFullWorkflowURI(c.SANRegex)
+		if err != nil {
+			return verification.EnforcementCriteria{}, err
+		}
+		c.Certificate.BuildSignerURI = uri
+	}
+
+	if opts.SourceDigest != "" {
+		c.Certificate.SourceRepositoryDigest = opts.SourceDigest
+	}
+
+	if opts.SourceRef != "" {
+		c.Certificate.SourceRepositoryRef = opts.SourceRef
+	}
+
 	return c, nil
 }

+func getFullWorkflowURI(s string) (string, error) {
+	trimmed, _ := strings.CutPrefix(s, "^")
+	match, err := regexp.MatchString(workflowURIRegex, trimmed)
+	if err != nil {
+		return "", err
+	}
+
+	if !match {
+		return "", nil
+	}
+
+	return trimmed, nil
+}
+
 func buildCertificateIdentityOption(c verification.EnforcementCriteria) (verify.PolicyOption, error) {
 	sanMatcher, err := verify.NewSANMatcher(c.SAN, c.SANRegex)
 	if err != nil {
--- a/pkg/cmd/attestation/verify/policy_test.go
+++ b/pkg/cmd/attestation/verify/policy_test.go
@ -1,6 +1,7 @@
 package verify

 import (
+	"fmt"
 	"testing"

 	"github.com/cli/cli/v2/pkg/cmd/attestation/verification"
@ -275,3 +276,16 @@ func TestValidateSignerWorkflow(t *testing.T) {
 		}
 	}
 }
+
+func TestGetFullWorkflowURI(t *testing.T) {
+	expectedURI := "https://github.com/foo/bar/.github/workflows/mybuildjob.yaml"
+	// exact matching
+	uri, err := getFullWorkflowURI(expectedURI)
+	require.NoError(t, err)
+	require.Equal(t, expectedURI, uri)
+
+	// matching after stripping regex prefix characters
+	uri, err = getFullWorkflowURI(fmt.Sprintf("^%s", expectedURI))
+	require.NoError(t, err)
+	require.Equal(t, expectedURI, uri)
+}