handle attest case insensitivity

2024-07-30 12:11:25 -07:00 · 2024-07-30 12:11:25 -07:00 · dc4e9cb532
commit dc4e9cb532
parent 30f3a38959
3 changed files with 38 additions and 12 deletions
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@ -0,0 +1,27 @@
+package verification
+
+import (
+	"fmt"
+	"strings"
+)
+
+func VerifyCertExtensions(results []*AttestationProcessingResult, owner string, repo string) error {
+	for _, attestation := range results {
+		if owner != "" {
+			expectedSourceRepositoryOwnerURI := fmt.Sprintf("https://github.com/%s", owner)
+			sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
+			if !strings.EqualFold(expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
+				return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", expectedSourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
+			}
+		}
+
+		if repo != "" {
+			expectedSourceRepositoryURI := fmt.Sprintf("https://github.com/%s", repo)
+			sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI
+			if !strings.EqualFold(expectedSourceRepositoryURI, sourceRepositoryURI) {
+				return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", expectedSourceRepositoryURI, sourceRepositoryURI)
+			}
+		}
+	}
+	return nil
+}
--- a/pkg/cmd/attestation/verify/policy.go
+++ b/pkg/cmd/attestation/verify/policy.go
@ -21,7 +21,7 @@ const (
 )

 func expandToGitHubURL(ownerOrRepo string) string {
-	return fmt.Sprintf("^https://github.com/%s/", ownerOrRepo)
+	return fmt.Sprintf("(?i)^https://github.com/%s/", ownerOrRepo)
 }

 func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error) {
@ -42,17 +42,10 @@ func buildSANMatcher(opts *Options) (verify.SubjectAlternativeNameMatcher, error
 	return verify.SubjectAlternativeNameMatcher{}, nil
 }

-func buildCertExtensions(opts *Options, runnerEnv string) certificate.Extensions {
-	extensions := certificate.Extensions{
-		SourceRepositoryOwnerURI: fmt.Sprintf("https://github.com/%s", opts.Owner),
-		RunnerEnvironment:        runnerEnv,
+func buildCertExtensions(runnerEnv string) certificate.Extensions {
+	return certificate.Extensions{
+		RunnerEnvironment: runnerEnv,
 	}
-
-	// if opts.Repo is set, set the SourceRepositoryURI field before returning the extensions
-	if opts.Repo != "" {
-		extensions.SourceRepositoryURI = fmt.Sprintf("https://github.com/%s", opts.Repo)
-	}
-	return extensions
 }

 func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.PolicyOption, error) {
@ -66,7 +59,7 @@ func buildCertificateIdentityOption(opts *Options, runnerEnv string) (verify.Pol
 		return nil, err
 	}

-	extensions := buildCertExtensions(opts, runnerEnv)
+	extensions := buildCertExtensions(runnerEnv)

 	certId, err := verify.NewCertificateIdentity(sanMatcher, issuerMatcher, extensions)
 	if err != nil {
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@ -235,6 +235,12 @@ func runVerify(opts *Options) error {
 		return sigstoreRes.Error
 	}

+	// Verify extensions
+	if err := verification.VerifyCertExtensions(sigstoreRes.VerifyResults, opts.Owner, opts.Repo); err != nil {
+		opts.Logger.Println(opts.Logger.ColorScheme.Red("✗ Verification failed"))
+		return err
+	}
+
 	opts.Logger.Println(opts.Logger.ColorScheme.Green("✓ Verification succeeded!\n"))

 	// If an exporter is provided with the --json flag, write the results to the terminal in JSON format