fix wrong field settings

Signed-off-by: Meredith Lancaster <malancas@github.com>
Meredith Lancaster 2024-10-30 17:19:15 -06:00
parent 318bd90356
commit bb0dcd9db4
4 changed files with 25 additions and 24 deletions


@ -49,7 +49,7 @@ func TestVerifyCertExtensions(t *testing.T) {
expectedCriteria := c
expectedCriteria.Extensions.SourceRepositoryURI = "https://github.com/foo/wrong"
err := VerifyCertExtensions(results, expectedCriteria)
require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/foo/wrong, got https://github.com/foo/bar")
require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/foo/wrong, got https://github.com/owner/repo")
})
t.Run("with wrong OIDCIssuer", func(t *testing.T) {


@ -23,7 +23,6 @@ type Extensions struct {
RunnerEnvironment string
SANRegex string
SAN string
BuildSourceRepoURI string
SignerWorkflow string
SourceRepositoryOwnerURI string
SourceRepositoryURI string


@ -72,9 +72,10 @@ func newEnforcementCriteria(opts *Options, a artifact.DigestedArtifact) (verific
if opts.Repo != "" {
if opts.Tenant != "" {
c.Extensions.BuildSourceRepoURI = fmt.Sprintf("https://%s.ghe.com/%s", opts.Tenant, opts.Repo)
c.Extensions.SourceRepositoryURI = fmt.Sprintf("https://%s.ghe.com/%s", opts.Tenant, opts.Repo)
} else {
c.Extensions.SourceRepositoryURI = fmt.Sprintf("https://github.com/%s", opts.Repo)
}
c.Extensions.BuildSourceRepoURI = fmt.Sprintf("https://github.com/%s", opts.Repo)
}
if opts.Tenant != "" {
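Review bot: `opts.Repo` and `opts.Tenant` are formatted straight into the expected `SourceRepositoryURI` with no shape check, and the `VerifyCertExtensions` test on this page shows that this value is what the certificate's field is compared against. The tests in this commit had to change `Repo` from `bar` to `foo/bar`, so a bare repository name would yield `https://github.com/bar` and only surface later as a confusing mismatch at verification time. Unless `Options` is already validated before this call, consider rejecting a malformed value up front, for example `if strings.Count(opts.Repo, "/") != 1 { return c, fmt.Errorf("repo must be in owner/name form, got %q", opts.Repo) }`, adjusted to the function's actual error return. A one-line comment on the `else` saying that the tenant and github.com URIs are mutually exclusive would help prevent the earlier overwrite from returning. The function body starts and ends outside this hunk.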


@ -20,22 +20,23 @@ func TestNewEnforcementCriteria(t *testing.T) {
opts := &Options{
ArtifactPath: artifactPath,
Owner: "foo",
Repo: "bar",
Repo: "foo/bar",
SignerRepo: "foo/bar",
}
c, err := newEnforcementCriteria(opts, *artifact)
require.NoError(t, err)
require.Equal(t, "^https://github.com/foo/bar", c.Extensions.SANRegex)
require.Equal(t, "(?i)^https://github.com/foo/bar/", c.Extensions.SANRegex)
require.Zero(t, c.Extensions.SAN)
})
t.Run("sets SANRegex using SignerWorkflow", func(t *testing.T) {
t.Run("sets SANRegex using SignerWorkflow matching host regex", func(t *testing.T) {
opts := &Options{
ArtifactPath: artifactPath,
Owner: "foo",
Repo: "bar",
Repo: "foo/bar",
SignerWorkflow: "foo/bar/.github/workflows/attest.yml",
Hostname: "github.com",
}
c, err := newEnforcementCriteria(opts, *artifact)
@ -48,22 +49,22 @@ func TestNewEnforcementCriteria(t *testing.T) {
opts := &Options{
ArtifactPath: artifactPath,
Owner: "foo",
Repo: "bar",
Repo: "foo/bar",
SAN: "https://github/foo/bar/.github/workflows/attest.yml",
SANRegex: "^https://github/foo",
SANRegex: "(?i)^https://github/foo",
}
c, err := newEnforcementCriteria(opts, *artifact)
require.NoError(t, err)
require.Equal(t, "https://github/foo/bar/.github/workflows/attest.yml", c.Extensions.SANRegex)
require.Equal(t, "^https://github/foo", c.Extensions.SAN)
require.Equal(t, "https://github/foo/bar/.github/workflows/attest.yml", c.Extensions.SAN)
require.Equal(t, "(?i)^https://github/foo", c.Extensions.SANRegex)
})
t.Run("sets Extensions.RunnerEnvironment to GitHubRunner value if opts.DenySelfHostedRunner is true", func(t *testing.T) {
opts := &Options{
ArtifactPath: artifactPath,
Owner: "foo",
Repo: "bar",
Repo: "foo/bar",
DenySelfHostedRunner: true,
}
@ -76,7 +77,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
opts := &Options{
ArtifactPath: artifactPath,
Owner: "foo",
Repo: "bar",
Repo: "foo/bar",
DenySelfHostedRunner: false,
}
@ -85,36 +86,36 @@ func TestNewEnforcementCriteria(t *testing.T) {
require.Equal(t, "*", c.Extensions.RunnerEnvironment)
})
t.Run("sets Extensions.BuildSourceRepoURI using opts.Repo and opts.Tenant", func(t *testing.T) {
t.Run("sets Extensions.SourceRepositoryURI using opts.Repo and opts.Tenant", func(t *testing.T) {
opts := &Options{
ArtifactPath: artifactPath,
Owner: "foo",
Repo: "bar",
Repo: "foo/bar",
Tenant: "baz",
}
c, err := newEnforcementCriteria(opts, *artifact)
require.NoError(t, err)
require.Equal(t, "https://baz.ghe.com/foo/bar", c.Extensions.BuildSourceRepoURI)
require.Equal(t, "https://baz.ghe.com/foo/bar", c.Extensions.SourceRepositoryURI)
})
t.Run("sets Extensions.BuildSourceRepoURI using opts.Repo", func(t *testing.T) {
t.Run("sets Extensions.SourceRepositoryURI using opts.Repo", func(t *testing.T) {
opts := &Options{
ArtifactPath: artifactPath,
Owner: "foo",
Repo: "bar",
Repo: "foo/bar",
}
c, err := newEnforcementCriteria(opts, *artifact)
require.NoError(t, err)
require.Equal(t, "https://github.com/foo/bar", c.Extensions.BuildSourceRepoURI)
require.Equal(t, "https://github.com/foo/bar", c.Extensions.SourceRepositoryURI)
})
t.Run("sets Extensions.SourceRepositoryOwnerURI using opts.Owner and opts.Tenant", func(t *testing.T) {
opts := &Options{
ArtifactPath: artifactPath,
Owner: "foo",
Repo: "bar",
Repo: "foo/bar",
Tenant: "baz",
}
@ -127,7 +128,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
opts := &Options{
ArtifactPath: artifactPath,
Owner: "foo",
Repo: "bar",
Repo: "foo/bar",
}
c, err := newEnforcementCriteria(opts, *artifact)
@ -139,7 +140,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
opts := &Options{
ArtifactPath: artifactPath,
Owner: "foo",
Repo: "bar",
Repo: "foo/bar",
Tenant: "baz",
OIDCIssuer: "https://foo.com",
}
@ -153,7 +154,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
opts := &Options{
ArtifactPath: artifactPath,
Owner: "foo",
Repo: "bar",
Repo: "foo/bar",
OIDCIssuer: "https://foo.com",
}