From dd95e5a863b82fda0ae580fe26c0154d52ece9e4 Mon Sep 17 00:00:00 2001
From: Phill MV
Date: Fri, 13 Dec 2024 15:55:49 -0500
Subject: [PATCH] tweak output of build policy info
---
 pkg/cmd/attestation/verification/policy.go | 42 +++++++++++++---------
 pkg/cmd/attestation/verify/verify.go | 3 +-
 2 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/pkg/cmd/attestation/verification/policy.go b/pkg/cmd/attestation/verification/policy.go
index fa75f4c9f..7bae2eff9 100644
--- a/pkg/cmd/attestation/verification/policy.go
+++ b/pkg/cmd/attestation/verification/policy.go
@@ -3,6 +3,7 @@ package verification
 import (
 	"encoding/hex"
 	"fmt"
+	"strings"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/artifact"
@@ -51,34 +52,43 @@ func (c EnforcementCriteria) Valid() error {
 }
 func (c EnforcementCriteria) BuildPolicyInformation() string {
-	policyInfo :=
-		fmt.Sprintf(`
-The following policy criteria will be enforced against all attestations:
-- Predicate type must match %s`, c.PredicateType)
+	policyAttr := make([][]string, 0, 6)
+	policyAttr = appendStr(policyAttr, "- OIDC Issuer must match", c.Certificate.Issuer)
 	if c.Certificate.RunnerEnvironment == GitHubRunner {
-		runnerInfo := "\n- Attestation must have been generated by an Action workflow executed in a GitHub-hosted runner"
-		policyInfo += runnerInfo
+		policyAttr = appendStr(policyAttr, "- Action workflow Runner Environment must match ", GitHubRunner)
 	}
-	ownerUriInfo := fmt.Sprintf("\n- Source Repository Owner URI must match %s", c.Certificate.SourceRepositoryOwnerURI)
-	policyInfo += ownerUriInfo
+	policyAttr = appendStr(policyAttr, "- Source Repository Owner URI must match", c.Certificate.SourceRepositoryOwnerURI)
 	if c.Certificate.SourceRepositoryURI != "" {
-		repoUriInfo := fmt.Sprintf("\n- Source Repository URI must match %s", c.Certificate.SourceRepositoryURI)
-		policyInfo += repoUriInfo
+		policyAttr = appendStr(policyAttr, "- Source Repository URI must match", c.Certificate.SourceRepositoryURI)
 	}
-	issuerInfo := fmt.Sprintf("\n- Signing certificate's OIDC issuer must match %s", c.Certificate.Issuer)
-	policyInfo += issuerInfo
+	policyAttr = appendStr(policyAttr, "- Predicate type must match", c.PredicateType)
 	if c.SAN != "" {
-		sanInfo := fmt.Sprintf("\n- Signing certificate Subject Alternative Name must match %s", c.SAN)
-		policyInfo += sanInfo
+		policyAttr = appendStr(policyAttr, "- Subject Alternative Name must match", c.SAN)
 	} else if c.SANRegex != "" {
-		sanRegexInfo := fmt.Sprintf("\n- Signing certificate Subject Alternative Name must match the regex %s", c.SANRegex)
-		policyInfo += sanRegexInfo
+		policyAttr = appendStr(policyAttr, "- Subject Alternative Name must match regex", c.SANRegex)
+	}
+
+	maxColLen := 0
+	for _, attr := range policyAttr {
+		if len(attr[0]) > maxColLen {
+			maxColLen = len(attr[0])
+		}
+	}
+
+	policyInfo := ""
+	for _, attr := range policyAttr {
+		dots := strings.Repeat(".", maxColLen-len(attr[0]))
+		policyInfo += fmt.Sprintf("%s:%s %s\n", attr[0], dots, attr[1])
 	}
 	return policyInfo
 }
+
+func appendStr(arr [][]string, a, b string) [][]string {
+	return append(arr, []string{a, b})
+}
diff --git a/pkg/cmd/attestation/verify/verify.go b/pkg/cmd/attestation/verify/verify.go
index d332dd1ab..837e2024e 100644
--- a/pkg/cmd/attestation/verify/verify.go
+++ b/pkg/cmd/attestation/verify/verify.go
@@ -243,6 +243,7 @@ func runVerify(opts *Options) error {
 	attestations = filteredAttestations
 	// print information about the policy that will be enforced against attestations
+	opts.Logger.Println("\nThe following policy criteria will be enforced:")
 	opts.Logger.Println(ec.BuildPolicyInformation())
 	verified, errMsg, err := verifyAttestations(*artifact, attestations, opts.SigstoreVerifier, ec)
@@ -251,7 +252,7 @@ func runVerify(opts *Options) error {
 		return err
 	}
-	opts.Logger.Println(opts.Logger.ColorScheme.Green("\nāœ“ Verification succeeded!\n"))
+	opts.Logger.Println(opts.Logger.ColorScheme.Green("āœ“ Verification succeeded!\n"))
 	// If an exporter is provided with the --json flag, write the results to the terminal in JSON format
 	if opts.exporter != nil {
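Review bot: The label `"- Action workflow Runner Environment must match "` in the runner-environment branch of BuildPolicyInformation carries a trailing space that none of the other labels have, so that row alone renders with a space before its colon, and because it is the longest label the space also pads every other row with one extra dot; drop it: `policyAttr = appendStr(policyAttr, "- Action workflow Runner Environment must match", GitHubRunner)`. Since the patch already imports `strings`, the output loop reads better on a builder than on `policyInfo +=`: `var b strings.Builder`, `fmt.Fprintf(&b, "%s:%s %s\n", attr[0], dots, attr[1])`, `return b.String()`. The `[][]string` plus the `appendStr` helper hides that every entry is a label/value pair; a `[2]string` or a small struct with `label` and `value` fields would let the loops say what `attr[0]` and `attr[1]` mean, and the literal capacity `6` deserves a comment stating it is the maximum number of criteria the function can emit. The values in the last column (`c.SAN`, `c.SANRegex`, the repository URIs) are echoed as `%s`; if they originate from user flags, `%q` would make empty strings and control characters visible, at the cost of quoting every value.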
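Review bot: The added header line and the existing `opts.Logger.Println(ec.BuildPolicyInformation())` now get the blank line before the success message only indirectly: the string returned by `BuildPolicyInformation` already ends in `\n`, `Println` appends a second one, and the `@@ -251,7 +252,7 @@` hunk below depends on that by stripping the leading `\n` from the green `Verification succeeded!` message. If the policy string ever loses its trailing newline, the policy block and the success line run together with nothing in `runVerify` to show why. Assuming `opts.Logger` offers a `Print` counterpart to `Println`, printing the policy block with `opts.Logger.Print(ec.BuildPolicyInformation())` and keeping the separating newline explicit in the success message would make the spacing local to this function. `runVerify` starts and ends outside both hunks.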