STACKITGit/cli - Git hosting by STACKIT

Author	SHA1	Message	Date
Fredrik Skogman	1b59ec8ad0	This commit introduces tenancy aware attestation policy building. This is done by inspecting the current hostname to determine if tenancy is enabled. The attestation commands also accepts a --hostname parameter, that is used to pick the current host, similar to how the GH_HOST variable can be used. Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>	2024-09-11 10:49:17 +02:00
Cody Soyland	500b619a5e	Move non-integration test to different test file Signed-off-by: Cody Soyland <codysoyland@github.com>	2024-09-06 13:55:25 -04:00
Cody Soyland	ea1a3da1eb	Rename ProtobufBundle to Bundle Signed-off-by: Cody Soyland <codysoyland@github.com>	2024-09-04 16:45:02 -04:00
Cody Soyland	8446079656	Upgrade to sigstore-go v0.6.1 Signed-off-by: Cody Soyland <codysoyland@github.com>	2024-09-04 16:38:13 -04:00
Meredith Lancaster	34d7ef7a0e	`gh attestation verify` handles empty JSONL files (#9541 ) * handle empty jsonl files Signed-off-by: Meredith Lancaster <malancas@github.com> * check processed attestations slice length Signed-off-by: Meredith Lancaster <malancas@github.com> * update err name and message Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>	2024-09-04 10:31:41 -06:00
Aryan Bhosale	9a0a7d427e	verify 2nd artifact without swapping order (#9532 ) * verify 2nd artifact without swapping order possible solution to https://github.com/cli/cli/issues/9521#issuecomment-2310686619? * copy the mentioned test file and adds some extra lines * rm unnecessary import * Update pkg/cmd/attestation/verification/attestation_test.go Co-authored-by: Meredith Lancaster <malancas@users.noreply.github.com> * gofmt --------- Co-authored-by: Meredith Lancaster <malancas@users.noreply.github.com>	2024-09-04 08:57:56 -06:00
Aryan Bhosale	8305a49c3f	"offline" verification using the bundle of attestations without any additional handling of the file (#9523 )	2024-08-26 09:58:29 -06:00
Eugene	e21d053faf	Merge branch 'trunk' into eugene/attestation/fetch-oci-bundle	2024-08-21 12:24:08 -04:00
ejahnGithub	47a8f4bbdd	update error message	2024-08-20 16:14:39 -04:00
Eugene	04e111db03	Merge branch 'trunk' into eugene/attestation/fetch-oci-bundle	2024-08-15 13:31:41 -04:00
Cody Soyland	4618a267de	Update attestation TUF root Signed-off-by: Cody Soyland <codysoyland@github.com>	2024-08-15 13:06:54 -04:00
ejahnGithub	5ae03d6e87	addded more test	2024-08-12 07:10:19 -07:00
Cody Soyland	35b2cf70cf	Change to requiring bundle v0.2 Signed-off-by: Cody Soyland <codysoyland@github.com>	2024-08-09 16:36:16 -04:00
Cody Soyland	574e131072	Require Sigstore Bundle v0.3 when verifying with `gh attestation` Signed-off-by: Cody Soyland <codysoyland@github.com>	2024-08-09 16:02:04 -04:00
ejahnGithub	57aea664e5	added test	2024-08-07 10:10:59 -07:00
ejahnGithub	8d17896080	refactor the logic and logging	2024-08-05 12:25:52 -07:00
ejahnGithub	1eaf712dd1	update test and remove logic to check SourceRepositoryOwnerURI is empty string	2024-07-31 07:29:43 -07:00
ejahnGithub	596ee8bd71	update test	2024-07-30 13:22:49 -07:00
ejahnGithub	580ddf6997	minor fix	2024-07-30 13:14:16 -07:00
ejahnGithub	e21e5ef5c5	update test	2024-07-30 13:09:28 -07:00
ejahnGithub	c1adb1a6cf	added	2024-07-30 12:24:27 -07:00
ejahnGithub	dc4e9cb532	handle attest case insensitivity	2024-07-30 12:11:25 -07:00
Zach Steindler	658f125ab3	Update sigstore-go in gh CLI to v0.5.1 (#9366 ) Signed-off-by: Zach Steindler <steiza@github.com>	2024-07-25 20:59:39 +02:00
Zach Steindler	f972050dc9	gh attestation trusted-root subcommand (#9206 ) Adds `trusted-root` subcommand to `gh attestation`. For use in upcoming docs on how to do offline verification with artifact attestations. --------- Signed-off-by: Zach Steindler <steiza@github.com> Co-authored-by: Fredrik Skogman <kommendorkapten@github.com>	2024-07-01 11:50:39 -04:00
Forrin	c572383bda	Attestation Verification - Buffer Fix (#9198 ) * swap scanner to readline for attestations * replace readLine with readBytes	2024-06-14 13:55:58 -04:00
Viktor Szépe	6d9dd57774	Fix typos	2024-05-09 20:15:27 +00:00
Meredith Lancaster	6f350827d2	Run `attestation` command set integration tests separately (#9035 ) * rename and add integration build tag Signed-off-by: Meredith Lancaster <malancas@github.com> * run tests that include integration build tag in workflow Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>	2024-05-02 08:07:44 -06:00
William Martin	6d8709bdd7	Merge pull request #8997 from steiza/steiza/attestation-verify-offline Support offline mode for `gh attestation verify`	2024-04-29 12:22:08 +02:00
William Martin	cf2060ce9a	Remove unnecessary defensive check	2024-04-26 17:20:26 +02:00
William Martin	439c95c55e	Test verification failures when attestations are bad	2024-04-26 17:20:04 +02:00
William Martin	a0c06e170e	Rework sigstore tests for easier maintenance	2024-04-26 16:56:13 +02:00
William Martin	054b306d09	Make error more obvious when bundle has wrong extension	2024-04-26 16:23:56 +02:00
Zach Steindler	1aefeec71b	Use cmdutil.ExactArgs instead of MinimumArgs; also add tests Signed-off-by: Zach Steindler <steiza@github.com>	2024-04-25 15:41:49 -04:00
Meredith Lancaster	63640b16a7	Update `gh attestation verify` output (#8991 ) * start updating default verify cmd output Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding support for printing a table of attestation details Signed-off-by: Meredith Lancaster <malancas@github.com> * extract attestation details from verification result Signed-off-by: Meredith Lancaster <malancas@github.com> * condense logging Signed-off-by: Meredith Lancaster <malancas@github.com> * update logging from feedback Signed-off-by: Meredith Lancaster <malancas@github.com> * update error logging Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup more error logging Signed-off-by: Meredith Lancaster <malancas@github.com> * include test data for printing to table in the mock sigstore verifier response Signed-off-by: Meredith Lancaster <malancas@github.com> * fix linter err Signed-off-by: Meredith Lancaster <malancas@github.com> * Update pkg/cmd/attestation/verification/mock_verifier.go Co-authored-by: Phill MV <phillmv@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com> Co-authored-by: Phill MV <phillmv@github.com>	2024-04-24 14:03:35 -06:00
Zach Steindler	caf0546a11	Just base verification policy on trusted root, not bundle Signed-off-by: Zach Steindler <steiza@github.com>	2024-04-24 11:02:53 -04:00
Zach Steindler	d9f7b922d0	Support offline mode for `gh attestation verify` The main change is previously we always instantiated a TUF client for the public good and GitHub Sigstore instances. Now we only instantiate the TUF client we need, or no client if we are provided a custom trusted root. Note that `gh attestation verify` still requires authentication, that is being addressed in https://github.com/cli/cli/pull/8995. Some other changes are coming along for the ride: - Set TUF cache validity to 1 day, to help serial verification - Attempt to infer verification policy based on custom trusted root - Make command output more friendly if you leave off required arguments Signed-off-by: Zach Steindler <steiza@github.com>	2024-04-24 10:24:23 -04:00
Andy Feller	a42450e9a3	Merge pull request #8949 from steiza/steiza/multi-attestation Add support to `attestation` command for more predicate types.	2024-04-12 11:12:59 -04:00
Meredith Lancaster	02158e896b	Fix `attestation` cmd offline unit test failure (#8933 ) * pass policy to Verify method Signed-off-by: Meredith Lancaster <malancas@github.com> * remove policy argument from SigstoreVerifier constructor Signed-off-by: Meredith Lancaster <malancas@github.com> * add SigstoreVerifier interface and introduce mock SigstoreVerifier struct for unit testing Signed-off-by: Meredith Lancaster <malancas@github.com> * gofmt Signed-off-by: Meredith Lancaster <malancas@github.com> * rename LiveSigstoreVerifier constructor Signed-off-by: Meredith Lancaster <malancas@github.com> * pr feedback, add todos for tests that need to be reimplemented Signed-off-by: Meredith Lancaster <malancas@github.com> * remove unused import Signed-off-by: Meredith Lancaster <malancas@github.com> * add more missing TODO statements Signed-off-by: Meredith Lancaster <malancas@github.com> * update skipped test Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>	2024-04-11 18:09:10 -06:00
Zach Steindler	2b293c4840	Add unit test, update naming, ensure DSSE envelope is in-toto Signed-off-by: Zach Steindler <steiza@github.com>	2024-04-10 09:49:34 -04:00
Zach Steindler	643f4031b2	Add support to `attestation` command for more predicate types. Before, we required all attestations have predicateType https://slsa.dev/provenance/v1. This allows you to use other predicate types, and adds the ability to filter responses from the API for a particular predicate type. Signed-off-by: Zach Steindler <steiza@github.com>	2024-04-09 17:26:32 -04:00
Meredith Lancaster	90b7bf97c5	gh-attestation cmd integration (#8698 ) * add attestation cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * add codeowners Signed-off-by: Meredith Lancaster <malancas@github.com> * update args passed to the attestation cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * rename file Signed-off-by: Meredith Lancaster <malancas@github.com> * use gh-attestation branch for passing iostreams from the root Signed-off-by: Meredith Lancaster <malancas@github.com> * add package security team entry to codeowners Signed-off-by: Meredith Lancaster <malancas@github.com> * start moving over verify cmd and general verification code Signed-off-by: Meredith Lancaster <malancas@github.com> * clean up common and verify specific policy code Signed-off-by: Meredith Lancaster <malancas@github.com> * move artifact package over Signed-off-by: Meredith Lancaster <malancas@github.com> * start pulling in the github api client wrapper Signed-off-by: Meredith Lancaster <malancas@github.com> * fix imports Signed-off-by: Meredith Lancaster <malancas@github.com> * add logger and test packages Signed-off-by: Meredith Lancaster <malancas@github.com> * add additional packages to support verify command Signed-off-by: Meredith Lancaster <malancas@github.com> * fix mock api client Signed-off-by: Meredith Lancaster <malancas@github.com> * clean up mock api client Signed-off-by: Meredith Lancaster <malancas@github.com> * include missing fields Signed-off-by: Meredith Lancaster <malancas@github.com> * use correct owner Signed-off-by: Meredith Lancaster <malancas@github.com> * add more mock api client options Signed-off-by: Meredith Lancaster <malancas@github.com> * add download cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * add inspect cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * pass factory object to inspect cmd, add inspect sub cmd to attestation cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * add verify-tuf-root cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * pass iostream struct from command Signed-off-by: Meredith Lancaster <malancas@github.com> * rename logger pkg to logger Signed-off-by: Meredith Lancaster <malancas@github.com> * fix path in codeowners Signed-off-by: Meredith Lancaster <malancas@github.com> * formatter Signed-off-by: Meredith Lancaster <malancas@github.com> * go mod tidy Signed-off-by: Meredith Lancaster <malancas@github.com> * fix printf linter issue Signed-off-by: Meredith Lancaster <malancas@github.com> * fix printf linter issue Signed-off-by: Meredith Lancaster <malancas@github.com> * check user's GH host for compatibility Signed-off-by: Meredith Lancaster <malancas@github.com> * pass oci client to commands directly Signed-off-by: Meredith Lancaster <malancas@github.com> * rename command Signed-off-by: Meredith Lancaster <malancas@github.com> * mark tuf-root-verify cmd hidden Signed-off-by: Meredith Lancaster <malancas@github.com> * move client initialization back to subcommands Signed-off-by: Meredith Lancaster <malancas@github.com> * add more verbose options and logging Signed-off-by: Meredith Lancaster <malancas@github.com> * add missing logger Signed-off-by: Meredith Lancaster <malancas@github.com> * add testing around OCI and API client Signed-off-by: Meredith Lancaster <malancas@github.com> * add integration test Signed-off-by: Meredith Lancaster <malancas@github.com> * fix file path Signed-off-by: Meredith Lancaster <malancas@github.com> * fix command Signed-off-by: Meredith Lancaster <malancas@github.com> * build executable before integration test Signed-off-by: Meredith Lancaster <malancas@github.com> * split integration tests Signed-off-by: Meredith Lancaster <malancas@github.com> * remove integration test steps Signed-off-by: Meredith Lancaster <malancas@github.com> * fix flag value Signed-off-by: Meredith Lancaster <malancas@github.com> * run integration tests on ubuntu for now Signed-off-by: Meredith Lancaster <malancas@github.com> * pull over doc updates Signed-off-by: Meredith Lancaster <malancas@github.com> * delete unused test data Signed-off-by: Meredith Lancaster <malancas@github.com> * remove Go patch version Signed-off-by: Meredith Lancaster <malancas@github.com> * switch assert to require Signed-off-by: Meredith Lancaster <malancas@github.com> * rename file Signed-off-by: Meredith Lancaster <malancas@github.com> * move integration tests to prexisting test workflow Signed-off-by: Meredith Lancaster <malancas@github.com> * use platform matrix for integration tests Signed-off-by: Meredith Lancaster <malancas@github.com> * simplify build step Signed-off-by: Meredith Lancaster <malancas@github.com> * use StringEnumFlag handling Signed-off-by: Meredith Lancaster <malancas@github.com> * typo Signed-off-by: Meredith Lancaster <malancas@github.com> * use the iostreams.Test helper func Signed-off-by: Meredith Lancaster <malancas@github.com> * create interface for oci client Signed-off-by: Meredith Lancaster <malancas@github.com> * add tests for oci client Signed-off-by: Meredith Lancaster <malancas@github.com> * rename files Signed-off-by: Meredith Lancaster <malancas@github.com> * format file Signed-off-by: Meredith Lancaster <malancas@github.com> * fix shellcheck issues Signed-off-by: Meredith Lancaster <malancas@github.com> * use testing TempDir method Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup unused tempdir handling Signed-off-by: Meredith Lancaster <malancas@github.com> * use table driven tests Signed-off-by: Meredith Lancaster <malancas@github.com> * check correct cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * support repo option in download sub cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * switch over to using RunE Signed-off-by: Meredith Lancaster <malancas@github.com> * unexport top level subcommand funcs Signed-off-by: Meredith Lancaster <malancas@github.com> * add comment around keychain option Signed-off-by: Meredith Lancaster <malancas@github.com> * update comments Signed-off-by: Meredith Lancaster <malancas@github.com> * fix inconsistent naming Signed-off-by: Meredith Lancaster <malancas@github.com> * add tests for CLI commands Signed-off-by: Meredith Lancaster <malancas@github.com> * check for noattestationsfound err Signed-off-by: Meredith Lancaster <malancas@github.com> * try out metadata abstraction instead Signed-off-by: Meredith Lancaster <malancas@github.com> * switch to using MetadataStore abstraction Signed-off-by: Meredith Lancaster <malancas@github.com> * include test case with failing metadata store Signed-off-by: Meredith Lancaster <malancas@github.com> * look for err specific to file write Signed-off-by: Meredith Lancaster <malancas@github.com> * unexport fields Signed-off-by: Meredith Lancaster <malancas@github.com> * return err when an unsupported hash alg is provided Signed-off-by: Meredith Lancaster <malancas@github.com> * PrintTableToStdOut returns err when rendering fails Signed-off-by: Meredith Lancaster <malancas@github.com> * start adding sigstore verifier unit tests Signed-off-by: Meredith Lancaster <malancas@github.com> * add more sigstore verifier specific tests Signed-off-by: Meredith Lancaster <malancas@github.com> * use cli table printer Signed-off-by: Meredith Lancaster <malancas@github.com> * return JSON results in slice instead of table Signed-off-by: Meredith Lancaster <malancas@github.com> * move mock client to test file Signed-off-by: Meredith Lancaster <malancas@github.com> * remove unneeded table printer method Signed-off-by: Meredith Lancaster <malancas@github.com> * add initial tests for tufrootverify cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * formatting Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup method Signed-off-by: Meredith Lancaster <malancas@github.com> * close file in error handling branch Signed-off-by: Meredith Lancaster <malancas@github.com> * normalize artifact path Signed-off-by: Meredith Lancaster <malancas@github.com> * remove unneeded embedded file system Signed-off-by: Meredith Lancaster <malancas@github.com> * include image name reference err Signed-off-by: Meredith Lancaster <malancas@github.com> * use GH_DEBUG value for io handling Signed-off-by: Meredith Lancaster <malancas@github.com> * remove quiet and verbose flags Signed-off-by: Meredith Lancaster <malancas@github.com> * add more tufrootveriify tests Signed-off-by: Meredith Lancaster <malancas@github.com> * GitHubTUFOptions no longer needs to return error Signed-off-by: Meredith Lancaster <malancas@github.com> * remove unneeded slice Signed-off-by: Meredith Lancaster <malancas@github.com> * normalize all relative paths Signed-off-by: Meredith Lancaster <malancas@github.com> * clean up nil client checks Signed-off-by: Meredith Lancaster <malancas@github.com> * set api server based on host Signed-off-by: Meredith Lancaster <malancas@github.com> * add comment about http client Signed-off-by: Meredith Lancaster <malancas@github.com> * use format flag to handle json output in verify cmd Signed-off-by: Meredith Lancaster <malancas@github.com> * use format flag to handle json output Signed-off-by: Meredith Lancaster <malancas@github.com> * use normalized path for cli test arg Signed-off-by: Meredith Lancaster <malancas@github.com> * add tests for json output Signed-off-by: Meredith Lancaster <malancas@github.com> * cleanup error wrapping Signed-off-by: Meredith Lancaster <malancas@github.com> * use test fixtures correctly by normalizing path Signed-off-by: Meredith Lancaster <malancas@github.com> * dont clean Signed-off-by: Meredith Lancaster <malancas@github.com> * escape backwards slash for windows files with replace Signed-off-by: Meredith Lancaster <malancas@github.com> * use strings.Split func Signed-off-by: Meredith Lancaster <malancas@github.com> * use strings.Replace for all command tests Signed-off-by: Meredith Lancaster <malancas@github.com> * use CLI cache dir to store tuf metadata Signed-off-by: Meredith Lancaster <malancas@github.com> * Tweaked docstrings for gh attestation download * Tweaked docstrings for gh attestation verify * Fix for bug in gh attestation where the wrong hostname was being passed to the API client. * lets hide tuf-root-verify eh? * Forgot verify's short str. * add remote verification test Signed-off-by: Meredith Lancaster <malancas@github.com> * Revert "add remote verification test" This reverts commit `c0ceb99ca8`. * update json result handling Signed-off-by: Meredith Lancaster <malancas@github.com> * add json tags to struct returned by command Signed-off-by: Meredith Lancaster <malancas@github.com> * fix how json results are handled Signed-off-by: Meredith Lancaster <malancas@github.com> * add test to ensure JSON output is valid Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com> Co-authored-by: Phill MV <phillmv@github.com>	2024-04-01 11:13:47 -06:00

41 commits