Merge branch 'tmp-07-31' into eugene/gh-attestation-case-insensitivity

2024-07-31 07:31:58 -07:00 · 2024-07-31 07:31:58 -07:00 · 87ff22d37d
commit 87ff22d37d
parent 12715fdcc6 1eaf712dd1
3 changed files with 24 additions and 4 deletions
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@ -10,7 +10,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, owner string,
 		// TODO: handle proxima prefix
 		expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner)
 		sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
-		if sourceRepositoryOwnerURI != "" && !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
+		if !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
 			return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
 		}

@ -19,7 +19,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, owner string,
 			// TODO: handle proxima prefix
 			expectedSourceRepositoryURI := fmt.Sprintf("https://github.com/%s", repo)
 			sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI
-			if sourceRepositoryURI != "" && !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) {
+			if !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) {
 				return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", expectedSourceRepositoryURI, sourceRepositoryURI)
 			}
 		}
--- a/pkg/cmd/attestation/verification/mock_verifier.go
+++ b/pkg/cmd/attestation/verification/mock_verifier.go
@ -31,7 +31,9 @@ func (v *MockSigstoreVerifier) Verify(attestations []*api.Attestation, policy ve
 			Signature: &verify.SignatureVerificationResult{
 				Certificate: &certificate.Summary{
 					Extensions: certificate.Extensions{
-						BuildSignerURI: "https://github.com/github/example/.github/workflows/release.yml@refs/heads/main",
+						BuildSignerURI:           "https://github.com/github/example/.github/workflows/release.yml@refs/heads/main",
+						SourceRepositoryOwnerURI: "https://github.com/sigstore",
+						SourceRepositoryURI:      "https://github.com/sigstore/sigstore-js",
 					},
 				},
 			},
--- a/pkg/cmd/attestation/verify/verify_test.go
+++ b/pkg/cmd/attestation/verify/verify_test.go
@ -340,14 +340,32 @@ func TestRunVerify(t *testing.T) {
 		require.Nil(t, runVerify(&opts))
 	})

+	t.Run("with owner which not matches SourceRepositoryOwnerURI", func(t *testing.T) {
+		opts := publicGoodOpts
+		opts.BundlePath = ""
+		opts.Owner = "owner"
+
+		err := runVerify(&opts)
+		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/owner, got https://github.com/sigstore")
+	})
+
 	t.Run("with repo", func(t *testing.T) {
 		opts := publicGoodOpts
 		opts.BundlePath = ""
-		opts.Repo = "github/example"
+		opts.Repo = "sigstore/sigstore-js"

 		require.Nil(t, runVerify(&opts))
 	})

+	t.Run("with repo which not matches SourceRepositoryURI", func(t *testing.T) {
+		opts := publicGoodOpts
+		opts.BundlePath = ""
+		opts.Repo = "wrong/example"
+
+		err := runVerify(&opts)
+		require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong/example, got https://github.com/sigstore/sigstore-js")
+	})
+
 	t.Run("with invalid repo", func(t *testing.T) {
 		opts := publicGoodOpts
 		opts.BundlePath = ""