STACKITGit/cli
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

update VerifyCertExtensions args

Browse source 
Signed-off-by: Meredith Lancaster <malancas@github.com>
This commit is contained in:
Meredith Lancaster 2024-10-31 16:14:28 -06:00
parent e6d0a067e6
commit a81cb730fc
1 changed files with 17 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

32
pkg/cmd/attestation/verification/extensions.go
View file

@ -4,6 +4,8 @@ import (
"errors"
"fmt"
"strings"
"github.com/sigstore/sigstore-go/pkg/fulcio/certificate"
)
var (
@ -18,7 +20,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, ec Enforcement
var atLeastOneVerified bool
for _, attestation := range results {
if err := verifyCertExtensions(attestation, ec); err != nil {
if err := verifyCertExtensions(*attestation.VerificationResult.Signature.Certificate, ec); err != nil {
return err
}
atLeastOneVerified = true
@ -32,30 +34,30 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, ec Enforcement
}
func verifyCertExtensions(verifiedCert certificate.Summary, criteria EnforcementCriteria) error {
if c.Extensions.SourceRepositoryOwnerURI != "" {
sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
if !strings.EqualFold(c.Extensions.SourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", c.Extensions.SourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
if criteria.Extensions.SourceRepositoryOwnerURI != "" {
sourceRepositoryOwnerURI := verifiedCert.Extensions.SourceRepositoryOwnerURI
if !strings.EqualFold(criteria.Extensions.SourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", criteria.Extensions.SourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
}
}
// if repo is set, check the SourceRepositoryURI field
if c.Extensions.SourceRepositoryURI != "" {
sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI
if !strings.EqualFold(c.Extensions.SourceRepositoryURI, sourceRepositoryURI) {
return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", c.Extensions.SourceRepositoryURI, sourceRepositoryURI)
if criteria.Extensions.SourceRepositoryURI != "" {
sourceRepositoryURI := verifiedCert.Extensions.SourceRepositoryURI
if !strings.EqualFold(criteria.Extensions.SourceRepositoryURI, sourceRepositoryURI) {
return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", criteria.Extensions.SourceRepositoryURI, sourceRepositoryURI)
}
}
// if issuer is anything other than the default, use the user-provided value;
// otherwise, select the appropriate default based on the tenant
if c.OIDCIssuer != "" {
certIssuer := attestation.VerificationResult.Signature.Certificate.Extensions.Issuer
if !strings.EqualFold(c.OIDCIssuer, certIssuer) {
if strings.Index(certIssuer, c.OIDCIssuer+"/") == 0 {
return fmt.Errorf("expected Issuer to be %s, got %s -- if you have a custom OIDC issuer policy for your enterprise, use the --cert-oidc-issuer flag with your expected issuer", c.OIDCIssuer, certIssuer)
if criteria.OIDCIssuer != "" {
certIssuer := verifiedCert.Extensions.Issuer
if !strings.EqualFold(criteria.OIDCIssuer, certIssuer) {
if strings.Index(certIssuer, criteria.OIDCIssuer+"/") == 0 {
return fmt.Errorf("expected Issuer to be %s, got %s -- if you have a custom OIDC issuer policy for your enterprise, use the --cert-oidc-issuer flag with your expected issuer", criteria.OIDCIssuer, certIssuer)
}
return fmt.Errorf("expected Issuer to be %s, got %s", c.OIDCIssuer, certIssuer)
return fmt.Errorf("expected Issuer to be %s, got %s", criteria.OIDCIssuer, certIssuer)
}
}