From 4810fc2a74142408eb173222a91a4346a47d5562 Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Wed, 4 Dec 2024 14:30:32 -0700 Subject: [PATCH 1/9] move content of veriy policy options function into enforcement criteria Signed-off-by: Meredith Lancaster --- pkg/cmd/attestation/verify/options.go | 25 --------- pkg/cmd/attestation/verify/options_test.go | 60 ---------------------- pkg/cmd/attestation/verify/policy.go | 33 +++++++++--- pkg/cmd/attestation/verify/policy_test.go | 23 +++++++++ pkg/cmd/attestation/verify/verify.go | 3 -- 5 files changed, 50 insertions(+), 94 deletions(-) diff --git a/pkg/cmd/attestation/verify/options.go b/pkg/cmd/attestation/verify/options.go index 126159023..4296cb8ec 100644 --- a/pkg/cmd/attestation/verify/options.go +++ b/pkg/cmd/attestation/verify/options.go @@ -50,26 +50,6 @@ func (opts *Options) Clean() { } } -func (opts *Options) SetPolicyFlags() { - // check that Repo is in the expected format if provided - if opts.Repo != "" { - // we expect the repo argument to be in the format / - splitRepo := strings.Split(opts.Repo, "/") - - // if Repo is provided but owner is not, set the OWNER portion of the Repo value - // to Owner - opts.Owner = splitRepo[0] - - if !isSignerIdentityProvided(opts) { - opts.SANRegex = expandToGitHubURL(opts.Tenant, opts.Repo) - } - return - } - if !isSignerIdentityProvided(opts) { - opts.SANRegex = expandToGitHubURL(opts.Tenant, opts.Owner) - } -} - // AreFlagsValid checks that the provided flag combination is valid // and returns an error otherwise func (opts *Options) AreFlagsValid() error { 
@@ -108,11 +88,6 @@ func (opts *Options) AreFlagsValid() error { return nil } -// check if any of the signer identity flags have been provided -func isSignerIdentityProvided(opts *Options) bool { - return opts.SAN != "" || opts.SANRegex != "" || opts.SignerRepo != "" || opts.SignerWorkflow != "" -} - func isProvidedRepoValid(repo string) bool { // we expect a provided repository argument be in the format / splitRepo := strings.Split(repo, "/") diff --git a/pkg/cmd/attestation/verify/options_test.go b/pkg/cmd/attestation/verify/options_test.go index 77c0e3b23..bdb851e7b 100644 --- a/pkg/cmd/attestation/verify/options_test.go +++ b/pkg/cmd/attestation/verify/options_test.go 
@@ -80,63 +80,3 @@ func TestAreFlagsValid(t *testing.T) { require.ErrorContains(t, err, "bundle-from-oci flag cannot be used with bundle-path flag") }) } - -func TestSetPolicyFlags(t *testing.T) { - t.Run("sets Owner and SANRegex when Repo is provided", func(t *testing.T) { - opts := Options{ - ArtifactPath: publicGoodArtifactPath, - DigestAlgorithm: "sha512", - OIDCIssuer: "some issuer", - Repo: "sigstore/sigstore-js", - } - - opts.SetPolicyFlags() - require.Equal(t, "sigstore", opts.Owner) - require.Equal(t, "sigstore/sigstore-js", opts.Repo) - require.Equal(t, "(?i)^https://github.com/sigstore/sigstore-js/", opts.SANRegex) - }) - - t.Run("does not set SANRegex when SANRegex and Repo are provided", func(t *testing.T) { - opts := Options{ - ArtifactPath: publicGoodArtifactPath, - DigestAlgorithm: "sha512", - OIDCIssuer: "some issuer", - Repo: "sigstore/sigstore-js", - SANRegex: "^https://github/foo", - } - - opts.SetPolicyFlags() - require.Equal(t, "sigstore", opts.Owner) - require.Equal(t, "sigstore/sigstore-js", opts.Repo) - require.Equal(t, "^https://github/foo", opts.SANRegex) - }) - - t.Run("sets SANRegex when Owner is provided", func(t *testing.T) { - opts := Options{ - ArtifactPath: publicGoodArtifactPath, - BundlePath: publicGoodBundlePath, - DigestAlgorithm: "sha512", - OIDCIssuer: "some issuer", - Owner: "sigstore", - } - - opts.SetPolicyFlags() - require.Equal(t, "sigstore", opts.Owner) - require.Equal(t, "(?i)^https://github.com/sigstore/", opts.SANRegex) - }) - - t.Run("does not set SANRegex when SANRegex and Owner are provided", func(t *testing.T) { - opts := Options{ - ArtifactPath: publicGoodArtifactPath, - BundlePath: publicGoodBundlePath, - DigestAlgorithm: "sha512", - OIDCIssuer: "some issuer", - Owner: "sigstore", - SANRegex: "^https://github/foo", - } - - opts.SetPolicyFlags() - require.Equal(t, "sigstore", opts.Owner) - require.Equal(t, "^https://github/foo", opts.SANRegex) - }) -} 
diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go index c2e154fe2..019ae9bbb 100644 --- a/pkg/cmd/attestation/verify/policy.go +++ b/pkg/cmd/attestation/verify/policy.go @@ -4,6 +4,7 @@ import ( "errors" "fmt" "regexp" + "strings" "github.com/sigstore/sigstore-go/pkg/fulcio/certificate" "github.com/sigstore/sigstore-go/pkg/verify" @@ -22,7 +23,23 @@ func expandToGitHubURL(tenant, ownerOrRepo string) string { } func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, error) { - var c verification.EnforcementCriteria + // initialize the enforcement criteria with the provided PredicateType + c := verification.EnforcementCriteria{ + PredicateType: opts.PredicateType, + } + + // set the owner value by checking the repo and owner options + var owner string + if opts.Repo != "" { + // we expect the repo argument to be in the format / + splitRepo := strings.Split(opts.Repo, "/") + // if Repo is provided but owner is not, set the OWNER portion of the Repo value + // to Owner + owner = splitRepo[0] + } else { + // otherwise use the user provided owner value + owner = opts.Owner + } // Set SANRegex using either the opts.SignerRepo or opts.SignerWorkflow values if opts.SignerRepo != "" { @@ -35,10 +52,16 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er } c.SANRegex = validatedWorkflowRegex - } else { + } else if opts.SANRegex != "" || opts.SAN != "" { // If neither of those values were set, default to the provided SANRegex and SAN values c.SANRegex = opts.SANRegex c.SAN = opts.SAN + } else if opts.Repo != "" { + // if the user has not provided the SAN, SANRegex, SignerRepo, or SignerWorkflow options + // then we default to the repo and owner options + c.SANRegex = expandToGitHubURL(opts.Tenant, opts.Repo) + } else { + c.SANRegex = expandToGitHubURL(opts.Tenant, owner) } // if the DenySelfHostedRunner option is set to true, set the 
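Review bot: The comment above `owner = splitRepo[0]` is now wrong: it says the owner is taken from Repo only "if Repo is provided but owner is not", but the new code derives `owner` from Repo unconditionally and discards `opts.Owner` whenever Repo is set. Replace it with something like `// Repo takes precedence over Owner: the owner is always the OWNER half of OWNER/REPO`. Note also that this function performs no validation of its own on the split — a value such as `/bar` yields an empty owner and a SourceRepositoryOwnerURI of `https://github.com/` — so it silently relies on `isProvidedRepoValid` having run in `AreFlagsValid` first; a one-line guard here, `if len(splitRepo) != 2 || splitRepo[0] == "" { return verification.EnforcementCriteria{}, fmt.Errorf("invalid repository value %q", opts.Repo) }`, would make the policy builder safe to call on its own. newEnforcementCriteria continues past the end of this hunk.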
@@ -66,9 +89,9 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er // If the tenant option is provided, set the SourceRepositoryOwnerURI extension // using the specific URI format if opts.Tenant != "" { - c.Certificate.SourceRepositoryOwnerURI = fmt.Sprintf("https://%s.ghe.com/%s", opts.Tenant, opts.Owner) + c.Certificate.SourceRepositoryOwnerURI = fmt.Sprintf("https://%s.ghe.com/%s", opts.Tenant, owner) } else { - c.Certificate.SourceRepositoryOwnerURI = fmt.Sprintf("https://github.com/%s", opts.Owner) + c.Certificate.SourceRepositoryOwnerURI = fmt.Sprintf("https://github.com/%s", owner) } // if the tenant is provided and OIDC issuer provided matches the default @@ -80,8 +103,6 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er c.Certificate.Issuer = opts.OIDCIssuer } - c.PredicateType = opts.PredicateType - return c, nil } diff --git a/pkg/cmd/attestation/verify/policy_test.go b/pkg/cmd/attestation/verify/policy_test.go index 420c57f3a..9290b4a9c 100644 --- a/pkg/cmd/attestation/verify/policy_test.go +++ b/pkg/cmd/attestation/verify/policy_test.go @@ -56,6 +56,29 @@ func TestNewEnforcementCriteria(t *testing.T) { require.Equal(t, "(?i)^https://github/foo", c.SANRegex) }) + t.Run("sets SANRegex using opts.Repo", func(t *testing.T) { + opts := &Options{ + ArtifactPath: artifactPath, + Owner: "foo", + Repo: "foo/bar", + } + + c, err := newEnforcementCriteria(opts) + require.NoError(t, err) + require.Equal(t, "(?i)^https://github.com/foo/bar/", c.SANRegex) + }) + + t.Run("sets SANRegex using opts.Owner", func(t *testing.T) { + opts := &Options{ + ArtifactPath: artifactPath, + Owner: "foo", + } + + c, err := newEnforcementCriteria(opts) + require.NoError(t, err) + require.Equal(t, "(?i)^https://github.com/foo/", c.SANRegex) + }) + t.Run("sets Extensions.RunnerEnvironment to GitHubRunner value if opts.DenySelfHostedRunner is true", func(t *testing.T) { opts := &Options{ ArtifactPath: artifactPath, 
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go index 5b31371ff..f77b7cc91 100644 --- a/pkg/cmd/attestation/verify/verify.go +++ b/pkg/cmd/attestation/verify/verify.go @@ -157,9 +157,6 @@ func NewVerifyCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command opts.Tenant = tenant } - // set policy flags based on what has been provided - opts.SetPolicyFlags() - if runF != nil { return runF(opts) } From ee05325e1df0de092e16ad4e054901c66bee9813 Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Wed, 4 Dec 2024 14:48:44 -0700 Subject: [PATCH 2/9] update tests Signed-off-by: Meredith Lancaster --- pkg/cmd/attestation/verify/verify_test.go | 8 -------- 1 file changed, 8 deletions(-) diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go index 9a2e9f18c..e9f38e841 100644 --- a/pkg/cmd/attestation/verify/verify_test.go +++ b/pkg/cmd/attestation/verify/verify_test.go @@ -91,7 +91,6 @@ func TestNewVerifyCmd(t *testing.T) { OIDCIssuer: verification.GitHubOIDCIssuer, Owner: "sigstore", PredicateType: verification.SLSAPredicateV1, - SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsErr: false, @@ -108,7 +107,6 @@ func TestNewVerifyCmd(t *testing.T) { OIDCIssuer: verification.GitHubOIDCIssuer, Owner: "sigstore", PredicateType: verification.SLSAPredicateV1, - SANRegex: "(?i)^https://foo.ghe.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsErr: false, @@ -125,7 +123,6 @@ func TestNewVerifyCmd(t *testing.T) { OIDCIssuer: verification.GitHubOIDCIssuer, Owner: "sigstore", PredicateType: verification.SLSAPredicateV1, - SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsErr: true, 
@@ -142,7 +139,6 @@ func TestNewVerifyCmd(t *testing.T) { OIDCIssuer: verification.GitHubOIDCIssuer, Owner: "sigstore", PredicateType: verification.SLSAPredicateV1, - SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsErr: false, @@ -190,7 +186,6 @@ func TestNewVerifyCmd(t *testing.T) { OIDCIssuer: verification.GitHubOIDCIssuer, Owner: "sigstore", PredicateType: verification.SLSAPredicateV1, - SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsErr: false, @@ -206,7 +201,6 @@ func TestNewVerifyCmd(t *testing.T) { OIDCIssuer: verification.GitHubOIDCIssuer, Owner: "sigstore", PredicateType: verification.SLSAPredicateV1, - SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsErr: false, @@ -256,7 +250,6 @@ func TestNewVerifyCmd(t *testing.T) { OIDCIssuer: verification.GitHubOIDCIssuer, Owner: "sigstore", PredicateType: verification.SLSAPredicateV1, - SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsExporter: true, @@ -273,7 +266,6 @@ func TestNewVerifyCmd(t *testing.T) { OIDCIssuer: verification.GitHubOIDCIssuer, Owner: "sigstore", PredicateType: "https://spdx.dev/Document/v2.3", - SANRegex: "(?i)^https://github.com/sigstore/", SigstoreVerifier: verification.NewMockSigstoreVerifier(t), }, wantsExporter: true, From b4dfc9fc7293a5d43084589792a1ad6d26a3eb8e Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Wed, 4 Dec 2024 14:59:10 -0700 Subject: [PATCH 3/9] update tests Signed-off-by: Meredith Lancaster --- pkg/cmd/attestation/verify/verify_integration_test.go | 9 --------- pkg/cmd/attestation/verify/verify_test.go | 4 ++-- 2 files changed, 2 insertions(+), 11 deletions(-) 
diff --git a/pkg/cmd/attestation/verify/verify_integration_test.go b/pkg/cmd/attestation/verify/verify_integration_test.go index 781cb4df1..abf2f3a25 100644 --- a/pkg/cmd/attestation/verify/verify_integration_test.go +++ b/pkg/cmd/attestation/verify/verify_integration_test.go @@ -76,15 +76,6 @@ func TestVerifyIntegration(t *testing.T) { require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/fakeowner, got https://github.com/sigstore") }) - t.Run("with invalid owner and invalid repo", func(t *testing.T) { - opts := publicGoodOpts - opts.Repo = "fakeowner/fakerepo" - - err := runVerify(&opts) - require.Error(t, err) - require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/fakeowner/fakerepo, got https://github.com/sigstore/sigstore-js") - }) - t.Run("with no matching OIDC issuer", func(t *testing.T) { opts := publicGoodOpts opts.OIDCIssuer = "some-other-issuer" diff --git a/pkg/cmd/attestation/verify/verify_test.go b/pkg/cmd/attestation/verify/verify_test.go index e9f38e841..5e4f33507 100644 --- a/pkg/cmd/attestation/verify/verify_test.go +++ b/pkg/cmd/attestation/verify/verify_test.go @@ -449,10 +449,10 @@ func TestRunVerify(t *testing.T) { t.Run("with repo which not matches SourceRepositoryURI", func(t *testing.T) { opts := publicGoodOpts opts.BundlePath = "" - opts.Repo = "wrong/example" + opts.Repo = "sigstore/wrong" err := runVerify(&opts) - require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong/example, got https://github.com/sigstore/sigstore-js") + require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/sigstore/wrong, got https://github.com/sigstore/sigstore-js") }) t.Run("with invalid repo", func(t *testing.T) { From 1df2976e81c2241b45b1580c6d24bbef54a73aaa Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Mon, 16 Dec 2024 17:06:36 -0700 Subject: [PATCH 4/9] reduce duplication when creating policy content 
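Review bot: Deleting the "with invalid owner and invalid repo" integration test loses the only end-to-end coverage of the path where the owner is derived from `--repo` rather than `--owner`; the change to `opts.Repo = "sigstore/wrong"` in verify_test.go confirms the owner check now fires first, but nothing asserts that. Rather than remove the case, keep it with the expectation the new ordering presumably produces: `require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/fakeowner, got https://github.com/sigstore")`, mirroring the adjacent "invalid owner" case visible in the context lines. TestVerifyIntegration and TestRunVerify both start outside these hunks.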
Signed-off-by: Meredith Lancaster --- pkg/cmd/attestation/verify/policy.go | 32 +++++++++++----------------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go index 019ae9bbb..59b5772eb 100644 --- a/pkg/cmd/attestation/verify/policy.go +++ b/pkg/cmd/attestation/verify/policy.go @@ -17,9 +17,14 @@ const hostRegex = `^[a-zA-Z0-9-]+\.[a-zA-Z0-9-]+.*$` func expandToGitHubURL(tenant, ownerOrRepo string) string { if tenant == "" { - return fmt.Sprintf("(?i)^https://github.com/%s/", ownerOrRepo) + return fmt.Sprintf("https://github.com/%s", ownerOrRepo) } - return fmt.Sprintf("(?i)^https://%s.ghe.com/%s/", tenant, ownerOrRepo) + return fmt.Sprintf("https://%s.ghe.com/%s", tenant, ownerOrRepo) +} + +func expandToGitHubURLRegex(tenant, ownerOrRepo string) string { + url := expandToGitHubURL(tenant, ownerOrRepo) + return fmt.Sprintf("(?i)^%s/", url) } func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, error) { @@ -43,7 +48,7 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er // Set SANRegex using either the opts.SignerRepo or opts.SignerWorkflow values if opts.SignerRepo != "" { - signedRepoRegex := expandToGitHubURL(opts.Tenant, opts.SignerRepo) + signedRepoRegex := expandToGitHubURLRegex(opts.Tenant, opts.SignerRepo) c.SANRegex = signedRepoRegex } else if opts.SignerWorkflow != "" { validatedWorkflowRegex, err := validateSignerWorkflow(opts) 
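Review bot: `expandToGitHubURLRegex` interpolates the tenant and owner/repo straight into a regular expression without escaping, so any `.` in a repository name (GitHub permits dots) matches any character and the SAN pattern built for `foo/my.repo` also accepts a certificate issued to `foo/my-repo` or `foo/myXrepo`; the dots in `github.com` and `.ghe.com` are likewise unescaped. Because this regex is the signer-identity constraint the certificate must satisfy, the literal part should be quoted: `return fmt.Sprintf("(?i)^%s/", regexp.QuoteMeta(url))` — `regexp` is already imported in this file. The pre-existing `expandToGitHubURL` had the same gap, and now that the regex form lives in one helper this is the right place to close it; the `(?i)^https://github.com/foo/bar/` expectations in policy_test.go would need to move to the escaped form.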
@@ -59,9 +64,9 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er } else if opts.Repo != "" { // if the user has not provided the SAN, SANRegex, SignerRepo, or SignerWorkflow options // then we default to the repo and owner options - c.SANRegex = expandToGitHubURL(opts.Tenant, opts.Repo) + c.SANRegex = expandToGitHubURLRegex(opts.Tenant, opts.Repo) } else { - c.SANRegex = expandToGitHubURL(opts.Tenant, owner) + c.SANRegex = expandToGitHubURLRegex(opts.Tenant, owner) } // if the DenySelfHostedRunner option is set to true, set the @@ -77,22 +82,11 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er // If the Repo option is provided, set the SourceRepositoryURI extension if opts.Repo != "" { - // If the Tenant options is also provided, set the SourceRepositoryURI extension - // using the specific URI format - if opts.Tenant != "" { - c.Certificate.SourceRepositoryURI = fmt.Sprintf("https://%s.ghe.com/%s", opts.Tenant, opts.Repo) - } else { - c.Certificate.SourceRepositoryURI = fmt.Sprintf("https://github.com/%s", opts.Repo) - } + c.Certificate.SourceRepositoryURI = expandToGitHubURL(opts.Tenant, opts.Repo) } - // If the tenant option is provided, set the SourceRepositoryOwnerURI extension - // using the specific URI format - if opts.Tenant != "" { - c.Certificate.SourceRepositoryOwnerURI = fmt.Sprintf("https://%s.ghe.com/%s", opts.Tenant, owner) - } else { - c.Certificate.SourceRepositoryOwnerURI = fmt.Sprintf("https://github.com/%s", owner) - } + // Set the SourceRepositoryOwnerURI extension using owner and tenant if provided + c.Certificate.SourceRepositoryOwnerURI = expandToGitHubURL(opts.Tenant, owner) // if the tenant is provided and OIDC issuer provided matches the default // use the tenant-specific issuer From 83770d8e55ea5c85b30691075266231013381ea3 Mon Sep 17 00:00:00 2001 
From: Meredith Lancaster Date: Mon, 16 Dec 2024 18:42:29 -0700 Subject: [PATCH 5/9] update san and sanregex configuration for readability Signed-off-by: Meredith Lancaster --- pkg/cmd/attestation/verify/policy.go | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go index 59b5772eb..41b9ea27e 100644 --- a/pkg/cmd/attestation/verify/policy.go +++ b/pkg/cmd/attestation/verify/policy.go @@ -46,8 +46,13 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er owner = opts.Owner } - // Set SANRegex using either the opts.SignerRepo or opts.SignerWorkflow values - if opts.SignerRepo != "" { + // Set the SANRegex and SAN values using the provided options + // First check if the opts.SANRegex or opts.SAN values are provided + if opts.SANRegex != "" || opts.SAN != "" { + c.SANRegex = opts.SANRegex + c.SAN = opts.SAN + } else if opts.SignerRepo != "" { + // next check if opts.SignerRepo was provided signedRepoRegex := expandToGitHubURLRegex(opts.Tenant, opts.SignerRepo) c.SANRegex = signedRepoRegex } else if opts.SignerWorkflow != "" { @@ -55,17 +60,13 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er if err != nil { return verification.EnforcementCriteria{}, err } - c.SANRegex = validatedWorkflowRegex - } else if opts.SANRegex != "" || opts.SAN != "" { - // If neither of those values were set, default to the provided SANRegex and SAN values - c.SANRegex = opts.SANRegex - c.SAN = opts.SAN } else if opts.Repo != "" { // if the user has not provided the SAN, SANRegex, SignerRepo, or SignerWorkflow options - // then we default to the repo and owner options + // then we default to the repo option c.SANRegex = expandToGitHubURLRegex(opts.Tenant, opts.Repo) } else { + // if opts.Repo was not provided, we fallback to the opts.Owner value c.SANRegex = expandToGitHubURLRegex(opts.Tenant, owner) } 
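Review bot: This hunk silently flips precedence: `SAN`/`SANRegex` now override `SignerRepo`/`SignerWorkflow`, whereas before the patch the opposite held. Either way, a user who supplies two conflicting signer-identity constraints has only one of them enforced, and the other is dropped without an error — for a verification command that is a silent policy weakening, and patch 7 even codifies it by passing `SignerRepo: "wrong/value"` next to `SANRegex` and expecting it to be ignored. Reject the combination up front in `AreFlagsValid` instead, e.g. `if (opts.SAN != "" || opts.SANRegex != "") && (opts.SignerRepo != "" || opts.SignerWorkflow != "") { return errors.New("cert identity flags cannot be combined with signer-repo or signer-workflow") }`, and state the remaining fallback order (`SAN`/`SANRegex` → `SignerRepo` → `SignerWorkflow` → `Repo` → `Owner`) in the comment that opens this chain.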
From ede6c4de1a690362d03a88193eb0675f5ba4d6a5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 17 Dec 2024 14:41:05 +0000 Subject: [PATCH 6/9] Bump github.com/cpuguy83/go-md2man/v2 from 2.0.5 to 2.0.6 Bumps [github.com/cpuguy83/go-md2man/v2](https://github.com/cpuguy83/go-md2man) from 2.0.5 to 2.0.6. - [Release notes](https://github.com/cpuguy83/go-md2man/releases) - [Commits](https://github.com/cpuguy83/go-md2man/compare/v2.0.5...v2.0.6) --- updated-dependencies: - dependency-name: github.com/cpuguy83/go-md2man/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index abc21efae..5191e3c78 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/cli/go-internal v0.0.0-20241025142207-6c48bcd5ce24 github.com/cli/oauth v1.1.1 github.com/cli/safeexec v1.0.1 - github.com/cpuguy83/go-md2man/v2 v2.0.5 + github.com/cpuguy83/go-md2man/v2 v2.0.6 github.com/creack/pty v1.1.24 github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 github.com/distribution/reference v0.5.0 diff --git a/go.sum b/go.sum index a13a3c261..0777687a8 100644 --- a/go.sum +++ b/go.sum 
@@ -112,8 +112,8 @@ github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSk github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc= -github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0= +github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s= github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE= From 86b815e9bf3ab8827722f3901776f5dd6d213967 Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Wed, 18 Dec 2024 06:49:08 -0700 Subject: [PATCH 7/9] add some more fields to test that san, sanregex are set properly Signed-off-by: Meredith Lancaster --- pkg/cmd/attestation/verify/policy_test.go | 41 ++++++++++++----------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/pkg/cmd/attestation/verify/policy_test.go b/pkg/cmd/attestation/verify/policy_test.go index 9290b4a9c..95c4095a6 100644 --- a/pkg/cmd/attestation/verify/policy_test.go +++ b/pkg/cmd/attestation/verify/policy_test.go 
@@ -12,12 +12,30 @@ import ( func TestNewEnforcementCriteria(t *testing.T) { artifactPath := "../test/data/sigstore-js-2.1.0.tgz" + t.Run("sets SANRegex and SAN using SANRegex and SAN", func(t *testing.T) { + opts := &Options{ + ArtifactPath: artifactPath, + Owner: "foo", + Repo: "foo/bar", + SAN: "https://github/foo/bar/.github/workflows/attest.yml", + SANRegex: "(?i)^https://github/foo", + SignerRepo: "wrong/value", + SignerWorkflow: "wrong/value/.github/workflows/attest.yml", + } + + c, err := newEnforcementCriteria(opts) + require.NoError(t, err) + require.Equal(t, "https://github/foo/bar/.github/workflows/attest.yml", c.SAN) + require.Equal(t, "(?i)^https://github/foo", c.SANRegex) + }) + t.Run("sets SANRegex using SignerRepo", func(t *testing.T) { opts := &Options{ - ArtifactPath: artifactPath, - Owner: "foo", - Repo: "foo/bar", - SignerRepo: "foo/bar", + ArtifactPath: artifactPath, + Owner: "foo", + Repo: "foo/bar", + SignerRepo: "foo/bar", + SignerWorkflow: "wrong/value/.github/workflows/attest.yml", } c, err := newEnforcementCriteria(opts) @@ -41,21 +59,6 @@ func TestNewEnforcementCriteria(t *testing.T) { require.Zero(t, c.SAN) }) - t.Run("sets SANRegex and SAN using SANRegex and SAN", func(t *testing.T) { - opts := &Options{ - ArtifactPath: artifactPath, - Owner: "foo", - Repo: "foo/bar", - SAN: "https://github/foo/bar/.github/workflows/attest.yml", - SANRegex: "(?i)^https://github/foo", - } - - c, err := newEnforcementCriteria(opts) - require.NoError(t, err) - require.Equal(t, "https://github/foo/bar/.github/workflows/attest.yml", c.SAN) - require.Equal(t, "(?i)^https://github/foo", c.SANRegex) - }) - t.Run("sets SANRegex using opts.Repo", func(t *testing.T) { opts := &Options{ ArtifactPath: artifactPath, From 4431fa9d8fc8b5986c0ca0b4e1cde2b9b96f1004 Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Wed, 18 Dec 2024 06:55:00 -0700 Subject: [PATCH 8/9] add test for signerRepo and tenant 
Signed-off-by: Meredith Lancaster --- pkg/cmd/attestation/verify/policy_test.go | 26 ++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/pkg/cmd/attestation/verify/policy_test.go b/pkg/cmd/attestation/verify/policy_test.go index 95c4095a6..774d9acaf 100644 --- a/pkg/cmd/attestation/verify/policy_test.go +++ b/pkg/cmd/attestation/verify/policy_test.go @@ -32,8 +32,8 @@ func TestNewEnforcementCriteria(t *testing.T) { t.Run("sets SANRegex using SignerRepo", func(t *testing.T) { opts := &Options{ ArtifactPath: artifactPath, - Owner: "foo", - Repo: "foo/bar", + Owner: "wrong", + Repo: "wrong/value", SignerRepo: "foo/bar", SignerWorkflow: "wrong/value/.github/workflows/attest.yml", } @@ -44,11 +44,27 @@ func TestNewEnforcementCriteria(t *testing.T) { require.Zero(t, c.SAN) }) + t.Run("sets SANRegex using SignerRepo and Tenant", func(t *testing.T) { + opts := &Options{ + ArtifactPath: artifactPath, + Owner: "wrong", + Repo: "wrong/value", + SignerRepo: "foo/bar", + SignerWorkflow: "wrong/value/.github/workflows/attest.yml", + Tenant: "baz", + } + + c, err := newEnforcementCriteria(opts) + require.NoError(t, err) + require.Equal(t, "(?i)^https://baz.ghe.com/foo/bar/", c.SANRegex) + require.Zero(t, c.SAN) + }) + t.Run("sets SANRegex using SignerWorkflow matching host regex", func(t *testing.T) { opts := &Options{ ArtifactPath: artifactPath, - Owner: "foo", - Repo: "foo/bar", + Owner: "wrong", + Repo: "wrong/value", SignerWorkflow: "foo/bar/.github/workflows/attest.yml", Hostname: "github.com", } @@ -62,7 +78,7 @@ func TestNewEnforcementCriteria(t *testing.T) { t.Run("sets SANRegex using opts.Repo", func(t *testing.T) { opts := &Options{ ArtifactPath: artifactPath, - Owner: "foo", + Owner: "wrong", Repo: "foo/bar", } From 3542b3566a0c26ad97d87c9f6fbdc31d3ff53a9c Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Wed, 18 Dec 2024 07:24:44 -0700 Subject: [PATCH 9/9] add test for different SAN and SourceRepositoryURI values 
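Review bot: These tests now pass `Owner: "wrong"` alongside `Repo: "foo/bar"` but only assert on `c.SANRegex`, so the behaviour that actually motivated the refactor — that `SourceRepositoryOwnerURI` is derived from the Repo prefix and the explicit Owner is discarded — is still unpinned. Add `require.Equal(t, "https://github.com/foo", c.Certificate.SourceRepositoryOwnerURI)` to the "sets SANRegex using opts.Repo" case (and the tenant form `https://baz.ghe.com/foo` in the SignerRepo-and-Tenant case), since a regression there would let an attacker-controlled owner slip past the owner check while the SAN regex still matched. TestNewEnforcementCriteria starts before this hunk.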
Signed-off-by: Meredith Lancaster --- pkg/cmd/attestation/verify/policy_test.go | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/pkg/cmd/attestation/verify/policy_test.go b/pkg/cmd/attestation/verify/policy_test.go index 774d9acaf..30724afef 100644 --- a/pkg/cmd/attestation/verify/policy_test.go +++ b/pkg/cmd/attestation/verify/policy_test.go @@ -149,6 +149,22 @@ func TestNewEnforcementCriteria(t *testing.T) { require.Equal(t, "https://github.com/foo/bar", c.Certificate.SourceRepositoryURI) }) + t.Run("sets SANRegex and SAN using SANRegex and SAN, sets Extensions.SourceRepositoryURI using opts.Repo", func(t *testing.T) { + opts := &Options{ + ArtifactPath: artifactPath, + Owner: "baz", + Repo: "baz/xyz", + SAN: "https://github/foo/bar/.github/workflows/attest.yml", + SANRegex: "(?i)^https://github/foo", + } + + c, err := newEnforcementCriteria(opts) + require.NoError(t, err) + require.Equal(t, "https://github/foo/bar/.github/workflows/attest.yml", c.SAN) + require.Equal(t, "(?i)^https://github/foo", c.SANRegex) + require.Equal(t, "https://github.com/baz/xyz", c.Certificate.SourceRepositoryURI) + }) + t.Run("sets Extensions.SourceRepositoryOwnerURI using opts.Owner and opts.Tenant", func(t *testing.T) { opts := &Options{ ArtifactPath: artifactPath,