From bb0dcd9db4112f31cecee836af4d236f9208a58b Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Wed, 30 Oct 2024 17:19:15 -0600
Subject: [PATCH] fix wrong field settings

Signed-off-by: Meredith Lancaster
---
 .../verification/extensions_test.go | 2 +-
 pkg/cmd/attestation/verification/policy.go | 1 -
 pkg/cmd/attestation/verify/policy.go | 5 ++-
 pkg/cmd/attestation/verify/policy_test.go | 41 ++++++++++---------
 4 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/pkg/cmd/attestation/verification/extensions_test.go b/pkg/cmd/attestation/verification/extensions_test.go
index e01c14a6f..f34cc8304 100644
--- a/pkg/cmd/attestation/verification/extensions_test.go
+++ b/pkg/cmd/attestation/verification/extensions_test.go
@@ -49,7 +49,7 @@ func TestVerifyCertExtensions(t *testing.T) {
 expectedCriteria := c
 expectedCriteria.Extensions.SourceRepositoryURI = "https://github.com/foo/wrong"
 err := VerifyCertExtensions(results, expectedCriteria)
- require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/foo/wrong, got https://github.com/foo/bar")
+ require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/foo/wrong, got https://github.com/owner/repo")
 })
 
 t.Run("with wrong OIDCIssuer", func(t *testing.T) {
diff --git a/pkg/cmd/attestation/verification/policy.go b/pkg/cmd/attestation/verification/policy.go
index 21210e730..974eae4e2 100644
--- a/pkg/cmd/attestation/verification/policy.go
+++ b/pkg/cmd/attestation/verification/policy.go
@@ -23,7 +23,6 @@ type Extensions struct {
 RunnerEnvironment string
 SANRegex string
 SAN string
- BuildSourceRepoURI string
 SignerWorkflow string
 SourceRepositoryOwnerURI string
 SourceRepositoryURI string
diff --git a/pkg/cmd/attestation/verify/policy.go b/pkg/cmd/attestation/verify/policy.go
index ff8a575af..789b7dfb8 100644
--- a/pkg/cmd/attestation/verify/policy.go
+++ b/pkg/cmd/attestation/verify/policy.go
@@ -72,9 +72,10 @@ func newEnforcementCriteria(opts *Options, a artifact.DigestedArtifact) (verific
 
 if opts.Repo != "" {
 if opts.Tenant != "" {
- c.Extensions.BuildSourceRepoURI = fmt.Sprintf("https://%s.ghe.com/%s", opts.Tenant, opts.Repo)
+ c.Extensions.SourceRepositoryURI = fmt.Sprintf("https://%s.ghe.com/%s", opts.Tenant, opts.Repo)
+ } else {
+ c.Extensions.SourceRepositoryURI = fmt.Sprintf("https://github.com/%s", opts.Repo)
 }
- c.Extensions.BuildSourceRepoURI = fmt.Sprintf("https://github.com/%s", opts.Repo)
 }
 
 if opts.Tenant != "" {
diff --git a/pkg/cmd/attestation/verify/policy_test.go b/pkg/cmd/attestation/verify/policy_test.go
index 9ef34e440..daadcf346 100644
--- a/pkg/cmd/attestation/verify/policy_test.go
+++ b/pkg/cmd/attestation/verify/policy_test.go
@@ -20,22 +20,23 @@ func TestNewEnforcementCriteria(t *testing.T) {
 opts := &Options{
 ArtifactPath: artifactPath,
 Owner: "foo",
- Repo: "bar",
+ Repo: "foo/bar",
 SignerRepo: "foo/bar",
 }
 
 c, err := newEnforcementCriteria(opts, *artifact)
 require.NoError(t, err)
- require.Equal(t, "^https://github.com/foo/bar", c.Extensions.SANRegex)
+ require.Equal(t, "(?i)^https://github.com/foo/bar/", c.Extensions.SANRegex)
 require.Zero(t, c.Extensions.SAN)
 })
 
- t.Run("sets SANRegex using SignerWorkflow", func(t *testing.T) {
+ t.Run("sets SANRegex using SignerWorkflow matching host regex", func(t *testing.T) {
 opts := &Options{
 ArtifactPath: artifactPath,
 Owner: "foo",
- Repo: "bar",
+ Repo: "foo/bar",
 SignerWorkflow: "foo/bar/.github/workflows/attest.yml",
+ Hostname: "github.com",
 }
 
 c, err := newEnforcementCriteria(opts, *artifact)
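Review bot: The new non-tenant branch hardcodes `https://github.com/%s` for SourceRepositoryURI, while the SANRegex path appears to honour opts.Hostname (the test added in policy_test.go sets `Hostname: "github.com"` for that case only); if this command can run against a non-github.com host, the expected URI would never equal the certificate's Source Repository URI extension, so verification fails closed rather than wrongly passing, but the asymmetry deserves a comment or a follow-up. The tests also change opts.Repo from `bar` to `foo/bar`, so both Sprintf lines assume the full `owner/name` form without checking it here; unless that is validated earlier, a bare name yields `https://github.com/bar` and every verification of that artifact fails. I would add above `if opts.Repo != "" {`: `// opts.Repo must be "owner/name"; the URI is compared against the certificate's Source Repository URI, so the host must match the issuing platform.` newEnforcementCriteria starts and ends outside this hunk.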
@@ -48,22 +49,22 @@ func TestNewEnforcementCriteria(t *testing.T) {
 opts := &Options{
 ArtifactPath: artifactPath,
 Owner: "foo",
- Repo: "bar",
+ Repo: "foo/bar",
 SAN: "https://github/foo/bar/.github/workflows/attest.yml",
- SANRegex: "^https://github/foo",
+ SANRegex: "(?i)^https://github/foo",
 }
 
 c, err := newEnforcementCriteria(opts, *artifact)
 require.NoError(t, err)
- require.Equal(t, "https://github/foo/bar/.github/workflows/attest.yml", c.Extensions.SANRegex)
- require.Equal(t, "^https://github/foo", c.Extensions.SAN)
+ require.Equal(t, "https://github/foo/bar/.github/workflows/attest.yml", c.Extensions.SAN)
+ require.Equal(t, "(?i)^https://github/foo", c.Extensions.SANRegex)
 })
 
 t.Run("sets Extensions.RunnerEnvironment to GitHubRunner value if opts.DenySelfHostedRunner is true", func(t *testing.T) {
 opts := &Options{
 ArtifactPath: artifactPath,
 Owner: "foo",
- Repo: "bar",
+ Repo: "foo/bar",
 DenySelfHostedRunner: true,
 }
 
@@ -76,7 +77,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 opts := &Options{
 ArtifactPath: artifactPath,
 Owner: "foo",
- Repo: "bar",
+ Repo: "foo/bar",
 DenySelfHostedRunner: false,
 }
 
@@ -85,36 +86,36 @@ func TestNewEnforcementCriteria(t *testing.T) {
 require.Equal(t, "*", c.Extensions.RunnerEnvironment)
 })
 
- t.Run("sets Extensions.BuildSourceRepoURI using opts.Repo and opts.Tenant", func(t *testing.T) {
+ t.Run("sets Extensions.SourceRepositoryURI using opts.Repo and opts.Tenant", func(t *testing.T) {
 opts := &Options{
 ArtifactPath: artifactPath,
 Owner: "foo",
- Repo: "bar",
+ Repo: "foo/bar",
 Tenant: "baz",
 }
 
 c, err := newEnforcementCriteria(opts, *artifact)
 require.NoError(t, err)
- require.Equal(t, "https://baz.ghe.com/foo/bar", c.Extensions.BuildSourceRepoURI)
+ require.Equal(t, "https://baz.ghe.com/foo/bar", c.Extensions.SourceRepositoryURI)
 })
 
- t.Run("sets Extensions.BuildSourceRepoURI using opts.Repo", func(t *testing.T) {
+ t.Run("sets Extensions.SourceRepositoryURI using opts.Repo", func(t *testing.T) {
 opts := &Options{
 ArtifactPath: artifactPath,
 Owner: "foo",
- Repo: "bar",
+ Repo: "foo/bar",
 }
 
 c, err := newEnforcementCriteria(opts, *artifact)
 require.NoError(t, err)
- require.Equal(t, "https://github.com/foo/bar", c.Extensions.BuildSourceRepoURI)
+ require.Equal(t, "https://github.com/foo/bar", c.Extensions.SourceRepositoryURI)
 })
 
 t.Run("sets Extensions.SourceRepositoryOwnerURI using opts.Owner and opts.Tenant", func(t *testing.T) {
 opts := &Options{
 ArtifactPath: artifactPath,
 Owner: "foo",
- Repo: "bar",
+ Repo: "foo/bar",
 Tenant: "baz",
 }
 
@@ -127,7 +128,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 opts := &Options{
 ArtifactPath: artifactPath,
 Owner: "foo",
- Repo: "bar",
+ Repo: "foo/bar",
 }
 
 c, err := newEnforcementCriteria(opts, *artifact)
@@ -139,7 +140,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 opts := &Options{
 ArtifactPath: artifactPath,
 Owner: "foo",
- Repo: "bar",
+ Repo: "foo/bar",
 Tenant: "baz",
 OIDCIssuer: "https://foo.com",
 }
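Review bot: The two renamed SourceRepositoryURI cases only pin the positive paths; nothing asserts what the field holds when opts.Repo is empty, which is the configuration where the repository-level constraint is intentionally absent and only the owner check should apply. Before this commit the repo constraint was silently written to an unchecked field, so a regression test for the empty case is worth having: a subtest with Owner set and Repo omitted, ending in `require.Zero(t, c.Extensions.SourceRepositoryURI)`, unless newEnforcementCriteria fills the field from another source outside the policy.go hunk. The Hostname-aware SANRegex test in the first hunk also has no counterpart here, so the github.com hardcoding in the non-tenant branch is never contrasted with a non-default Hostname. TestNewEnforcementCriteria starts and ends outside this hunk.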
@@ -153,7 +154,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 opts := &Options{
 ArtifactPath: artifactPath,
 Owner: "foo",
- Repo: "bar",
+ Repo: "foo/bar",
 OIDCIssuer: "https://foo.com",
 }