Phill MV
33ab0b8f3b
Tweaked language a bit, improved error message.
2025-03-27 09:47:11 -04:00
Meredith Lancaster
37a91ebfdb
undo regex changes
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2025-02-24 10:47:39 -07:00
Meredith Lancaster
ce87c746b2
remove signer-ref option
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2025-02-24 10:44:29 -07:00
Meredith Lancaster
c6b5928ddc
fix issues causing tests to fail
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2025-01-30 07:58:42 -07:00
Meredith Lancaster
313faf9cd0
add signer and source ref, commit options
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2025-01-30 07:43:13 -07:00
Meredith Lancaster
728aa3d83f
set new options in enforcement criteria
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2025-01-24 13:20:01 -07:00
Meredith Lancaster
ce6150d136
simplify func params
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-12-19 07:18:01 -07:00
Meredith Lancaster
83770d8e55
update san and sanregex configuration for readability
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-12-16 18:42:29 -07:00
Meredith Lancaster
1df2976e81
reduce duplication when creating policy content
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-12-16 17:06:36 -07:00
Meredith Lancaster
4810fc2a74
move content of veriy policy options function into enforcement criteria
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-12-04 14:30:32 -07:00
Meredith Lancaster
b9c9f0acc2
move comment
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-11-04 07:35:42 -07:00
Meredith Lancaster
3281bd457c
simplify logic, add comments
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-11-04 07:32:10 -07:00
Meredith Lancaster
bb1584b52a
comment
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-11-01 09:02:56 -06:00
Meredith Lancaster
a6d15b4f60
update OIDC issuer logic
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-11-01 09:02:23 -06:00
Meredith Lancaster
0fb82a6e7c
comments
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-31 17:11:02 -06:00
Meredith Lancaster
50cda0df44
add Valid method for EnforcementCriteria
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-31 16:56:49 -06:00
Meredith Lancaster
8336f797ad
use sigstore-go certificate.Summary type for criteria
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-31 16:27:21 -06:00
Meredith Lancaster
9f3d00960c
keep comment
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-31 16:16:09 -06:00
Meredith Lancaster
7948ce4dc9
rename function
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-31 16:09:08 -06:00
Meredith Lancaster
6f4b5ddc40
remove artifact from EnforcementCriteria
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-31 16:07:25 -06:00
Meredith Lancaster
9cdeb31fc6
reorganize funcs
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-31 08:32:35 -06:00
Meredith Lancaster
61b60e9430
fix runner setting
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-31 08:19:33 -06:00
Meredith Lancaster
bb0dcd9db4
fix wrong field settings
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-30 17:19:15 -06:00
Meredith Lancaster
8b02c43085
add tests for newEnforcementCriteria
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-30 16:05:39 -06:00
Meredith Lancaster
b44c9d3003
undo policy method changes
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-30 15:23:50 -06:00
Meredith Lancaster
3378b546da
simplify if else logic
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-30 12:58:40 -06:00
Meredith Lancaster
41c3ba5fa7
drop sigstore instance for now
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-29 18:19:19 -06:00
Meredith Lancaster
e16b69bd08
cert extension funcs are now policy methods
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-29 17:27:47 -06:00
Meredith Lancaster
e5b2b09a6e
move policy functions into methods
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-29 16:41:17 -06:00
Meredith Lancaster
704de0cf37
start building a separate policy struct
...
Signed-off-by: Meredith Lancaster <malancas@github.com>
2024-10-29 15:33:24 -06:00
Brian DeHamer
8c8423aa3d
better error for att verify custom issuer mismatch
...
Signed-off-by: Brian DeHamer <bdehamer@github.com>
Co-authored-by: Zach Steindler <steiza@github.com>
Co-authored-by: Phill MV <phillmv@github.com>
2024-09-16 12:38:12 -07:00
Fredrik Skogman
1b59ec8ad0
This commit introduces tenancy aware attestation policy building.
...
This is done by inspecting the current hostname to determine if
tenancy is enabled.
The attestation commands also accepts a --hostname parameter, that
is used to pick the current host, similar to how the GH_HOST variable
can be used.
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
2024-09-11 10:49:17 +02:00
ejahnGithub
580ddf6997
minor fix
2024-07-30 13:14:16 -07:00
ejahnGithub
dc4e9cb532
handle attest case insensitivity
2024-07-30 12:11:25 -07:00
Zach Steindler
658f125ab3
Update sigstore-go in gh CLI to v0.5.1 ( #9366 )
...
Signed-off-by: Zach Steindler <steiza@github.com>
2024-07-25 20:59:39 +02:00
Meredith Lancaster
cd5562f5ac
Add signer-repo and signer-workflow flags to gh attestation verify ( #9137 )
...
* add signer-repo and signer-workflow flags
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add check for SignerRepo option
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add helper function and comment for clarity
Signed-off-by: Meredith Lancaster <malancas@github.com>
* update flag comment
Signed-off-by: Meredith Lancaster <malancas@github.com>
* reference correct field
Signed-off-by: Meredith Lancaster <malancas@github.com>
* move function to more relevant file
Signed-off-by: Meredith Lancaster <malancas@github.com>
* Update pkg/cmd/attestation/verify/verify.go
Co-authored-by: Zach Steindler <steiza@github.com>
* Update pkg/cmd/attestation/verify/verify.go
Co-authored-by: Zach Steindler <steiza@github.com>
* make all reusable workflow flags mutually exclusive
Signed-off-by: Meredith Lancaster <malancas@github.com>
* accept signer workflow without host
Signed-off-by: Meredith Lancaster <malancas@github.com>
* support client optionally providing host with signer workflow flag
Signed-off-by: Meredith Lancaster <malancas@github.com>
* comment
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add tests for parsing signer workflow
Signed-off-by: Meredith Lancaster <malancas@github.com>
---------
Signed-off-by: Meredith Lancaster <malancas@github.com>
Co-authored-by: Zach Steindler <steiza@github.com>
2024-05-30 07:40:55 -06:00
Meredith Lancaster
c9e8fd6c64
Fix attestation verify source repository check bug ( #9053 )
...
* add build source repo URI extension when repo is provided, add integration tests for this change
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add initial docs on specifying cert identity
Signed-off-by: Meredith Lancaster <malancas@github.com>
* wording
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add reusable workflow example
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add more test cases
Signed-off-by: Meredith Lancaster <malancas@github.com>
* tweak to verify docs
---------
Signed-off-by: Meredith Lancaster <malancas@github.com>
Co-authored-by: Phill MV <phillmv@github.com>
2024-05-08 07:44:52 -06:00
Zach Steindler
c96fb7c553
Updates from linter feedback
...
Signed-off-by: Zach Steindler <steiza@github.com>
2024-04-09 17:34:45 -04:00
Zach Steindler
643f4031b2
Add support to attestation command for more predicate types.
...
Before, we required all attestations have predicateType
https://slsa.dev/provenance/v1 . This allows you to use other predicate
types, and adds the ability to filter responses from the API for a
particular predicate type.
Signed-off-by: Zach Steindler <steiza@github.com>
2024-04-09 17:26:32 -04:00
Meredith Lancaster
90b7bf97c5
gh-attestation cmd integration ( #8698 )
...
* add attestation cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add codeowners
Signed-off-by: Meredith Lancaster <malancas@github.com>
* update args passed to the attestation cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* rename file
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use gh-attestation branch for passing iostreams from the root
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add package security team entry to codeowners
Signed-off-by: Meredith Lancaster <malancas@github.com>
* start moving over verify cmd and general verification code
Signed-off-by: Meredith Lancaster <malancas@github.com>
* clean up common and verify specific policy code
Signed-off-by: Meredith Lancaster <malancas@github.com>
* move artifact package over
Signed-off-by: Meredith Lancaster <malancas@github.com>
* start pulling in the github api client wrapper
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix imports
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add logger and test packages
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add additional packages to support verify command
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix mock api client
Signed-off-by: Meredith Lancaster <malancas@github.com>
* clean up mock api client
Signed-off-by: Meredith Lancaster <malancas@github.com>
* include missing fields
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use correct owner
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add more mock api client options
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add download cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add inspect cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* pass factory object to inspect cmd, add inspect sub cmd to attestation cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add verify-tuf-root cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* pass iostream struct from command
Signed-off-by: Meredith Lancaster <malancas@github.com>
* rename logger pkg to logger
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix path in codeowners
Signed-off-by: Meredith Lancaster <malancas@github.com>
* formatter
Signed-off-by: Meredith Lancaster <malancas@github.com>
* go mod tidy
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix printf linter issue
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix printf linter issue
Signed-off-by: Meredith Lancaster <malancas@github.com>
* check user's GH host for compatibility
Signed-off-by: Meredith Lancaster <malancas@github.com>
* pass oci client to commands directly
Signed-off-by: Meredith Lancaster <malancas@github.com>
* rename command
Signed-off-by: Meredith Lancaster <malancas@github.com>
* mark tuf-root-verify cmd hidden
Signed-off-by: Meredith Lancaster <malancas@github.com>
* move client initialization back to subcommands
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add more verbose options and logging
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add missing logger
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add testing around OCI and API client
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add integration test
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix file path
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix command
Signed-off-by: Meredith Lancaster <malancas@github.com>
* build executable before integration test
Signed-off-by: Meredith Lancaster <malancas@github.com>
* split integration tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* remove integration test steps
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix flag value
Signed-off-by: Meredith Lancaster <malancas@github.com>
* run integration tests on ubuntu for now
Signed-off-by: Meredith Lancaster <malancas@github.com>
* pull over doc updates
Signed-off-by: Meredith Lancaster <malancas@github.com>
* delete unused test data
Signed-off-by: Meredith Lancaster <malancas@github.com>
* remove Go patch version
Signed-off-by: Meredith Lancaster <malancas@github.com>
* switch assert to require
Signed-off-by: Meredith Lancaster <malancas@github.com>
* rename file
Signed-off-by: Meredith Lancaster <malancas@github.com>
* move integration tests to prexisting test workflow
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use platform matrix for integration tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* simplify build step
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use StringEnumFlag handling
Signed-off-by: Meredith Lancaster <malancas@github.com>
* typo
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use the iostreams.Test helper func
Signed-off-by: Meredith Lancaster <malancas@github.com>
* create interface for oci client
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add tests for oci client
Signed-off-by: Meredith Lancaster <malancas@github.com>
* rename files
Signed-off-by: Meredith Lancaster <malancas@github.com>
* format file
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix shellcheck issues
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use testing TempDir method
Signed-off-by: Meredith Lancaster <malancas@github.com>
* cleanup unused tempdir handling
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use table driven tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* check correct cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* support repo option in download sub cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* switch over to using RunE
Signed-off-by: Meredith Lancaster <malancas@github.com>
* unexport top level subcommand funcs
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add comment around keychain option
Signed-off-by: Meredith Lancaster <malancas@github.com>
* update comments
Signed-off-by: Meredith Lancaster <malancas@github.com>
* fix inconsistent naming
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add tests for CLI commands
Signed-off-by: Meredith Lancaster <malancas@github.com>
* check for noattestationsfound err
Signed-off-by: Meredith Lancaster <malancas@github.com>
* try out metadata abstraction instead
Signed-off-by: Meredith Lancaster <malancas@github.com>
* switch to using MetadataStore abstraction
Signed-off-by: Meredith Lancaster <malancas@github.com>
* include test case with failing metadata store
Signed-off-by: Meredith Lancaster <malancas@github.com>
* look for err specific to file write
Signed-off-by: Meredith Lancaster <malancas@github.com>
* unexport fields
Signed-off-by: Meredith Lancaster <malancas@github.com>
* return err when an unsupported hash alg is provided
Signed-off-by: Meredith Lancaster <malancas@github.com>
* PrintTableToStdOut returns err when rendering fails
Signed-off-by: Meredith Lancaster <malancas@github.com>
* start adding sigstore verifier unit tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add more sigstore verifier specific tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use cli table printer
Signed-off-by: Meredith Lancaster <malancas@github.com>
* return JSON results in slice instead of table
Signed-off-by: Meredith Lancaster <malancas@github.com>
* move mock client to test file
Signed-off-by: Meredith Lancaster <malancas@github.com>
* remove unneeded table printer method
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add initial tests for tufrootverify cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* formatting
Signed-off-by: Meredith Lancaster <malancas@github.com>
* cleanup method
Signed-off-by: Meredith Lancaster <malancas@github.com>
* close file in error handling branch
Signed-off-by: Meredith Lancaster <malancas@github.com>
* normalize artifact path
Signed-off-by: Meredith Lancaster <malancas@github.com>
* remove unneeded embedded file system
Signed-off-by: Meredith Lancaster <malancas@github.com>
* include image name reference err
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use GH_DEBUG value for io handling
Signed-off-by: Meredith Lancaster <malancas@github.com>
* remove quiet and verbose flags
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add more tufrootveriify tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* GitHubTUFOptions no longer needs to return error
Signed-off-by: Meredith Lancaster <malancas@github.com>
* remove unneeded slice
Signed-off-by: Meredith Lancaster <malancas@github.com>
* normalize all relative paths
Signed-off-by: Meredith Lancaster <malancas@github.com>
* clean up nil client checks
Signed-off-by: Meredith Lancaster <malancas@github.com>
* set api server based on host
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add comment about http client
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use format flag to handle json output in verify cmd
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use format flag to handle json output
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use normalized path for cli test arg
Signed-off-by: Meredith Lancaster <malancas@github.com>
* add tests for json output
Signed-off-by: Meredith Lancaster <malancas@github.com>
* cleanup error wrapping
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use test fixtures correctly by normalizing path
Signed-off-by: Meredith Lancaster <malancas@github.com>
* dont clean
Signed-off-by: Meredith Lancaster <malancas@github.com>
* escape backwards slash for windows files with replace
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use strings.Split func
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use strings.Replace for all command tests
Signed-off-by: Meredith Lancaster <malancas@github.com>
* use CLI cache dir to store tuf metadata
Signed-off-by: Meredith Lancaster <malancas@github.com>
* Tweaked docstrings for gh attestation download
* Tweaked docstrings for gh attestation verify
* Fix for bug in gh attestation where the wrong hostname was being passed to the API client.
* lets hide tuf-root-verify eh?
* Forgot verify's short str.
* add remote verification test
Signed-off-by: Meredith Lancaster <malancas@github.com>
* Revert "add remote verification test"
This reverts commit c0ceb99ca8
2024-04-01 11:13:47 -06:00
