From 3be5e284d98629157e840b2edfbe3cb46d52e861 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 4 Aug 2022 04:13:34 +0000 Subject: [PATCH] update --- cli/slsa-verifier/main_test.go | 15 +++++++++--- options/options.go | 2 +- verifiers/internal/gha/builder.go | 3 ++- verifiers/internal/gha/builder_test.go | 33 +++++++++++++++++++------- verifiers/internal/gha/provenance.go | 10 +++----- verifiers/internal/gha/verifier.go | 2 +- 6 files changed, 43 insertions(+), 22 deletions(-) diff --git a/cli/slsa-verifier/main_test.go b/cli/slsa-verifier/main_test.go index 7aceeeb3b..199e258d8 100644 --- a/cli/slsa-verifier/main_test.go +++ b/cli/slsa-verifier/main_test.go @@ -9,8 +9,6 @@ import ( "golang.org/x/mod/semver" - serrors "github.com/slsa-framework/slsa-verifier/errors" - "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" ) @@ -43,6 +41,7 @@ func Test_runVerify(t *testing.T) { ptag *string pversiontag *string pbuilderID *string + builderID string err error // noversion is a special case where we are not testing all builder versions // for example, testdata for the builder at head in trusted repo workflows @@ -344,6 +343,7 @@ func Test_runVerify(t *testing.T) { minversion: "v1.2.0", builders: []string{"generic"}, pbuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml"), + builderID: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/heads/main", }, // Special case of the e2e test repository building builder from head. { @@ -352,6 +352,7 @@ func Test_runVerify(t *testing.T) { source: "github.com/slsa-framework/example-package", branch: "main", noversion: true, + builderID: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/heads/main", }, // Malicious builders and workflows. { @@ -434,7 +435,7 @@ func Test_runVerify(t *testing.T) { artifactPath := filepath.Clean(filepath.Join(TEST_DIR, v, tt.artifact)) provenancePath := fmt.Sprintf("%s.intoto.jsonl", artifactPath) - _, _, err := runVerify(artifactPath, + _, builderID, err := runVerify(artifactPath, provenancePath, tt.source, branch, tt.pbuilderID, tt.ptag, tt.pversiontag) @@ -442,6 +443,14 @@ func Test_runVerify(t *testing.T) { if !errCmp(err, tt.err) { t.Errorf(cmp.Diff(err, tt.err, cmpopts.EquateErrors())) } + + if err != nil { + return + } + + if tt.builderID != "" && builderID != tt.builderID { + t.Errorf(cmp.Diff(builderID, tt.builderID)) + } } }) } diff --git a/options/options.go b/options/options.go index 9f46cb1e8..7bc7b37f7 100644 --- a/options/options.go +++ b/options/options.go @@ -19,7 +19,7 @@ type ProvenanceOpts struct { ExpectedVersionedTag *string // ExpectedBuilderID is the expected builder ID. - ExpectedBuilderID *string + ExpectedBuilderID string } // BuildOpts are the options for checking the builder. diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go index 4bcfd0da9..c8ab27bc8 100644 --- a/verifiers/internal/gha/builder.go +++ b/verifiers/internal/gha/builder.go @@ -59,7 +59,8 @@ func VerifyWorkflowIdentity(id *WorkflowIdentity, expectedSource, id.CallerRepository) } - return builderID, nil + // Return the builder and its tag. + return builderID + "@" + workflowPath[1], nil } func verifyTrustedBuilderID(path string, builderID *string) (string, error) { diff --git a/verifiers/internal/gha/builder_test.go b/verifiers/internal/gha/builder_test.go index 3f49a81d9..0f084975b 100644 --- a/verifiers/internal/gha/builder_test.go +++ b/verifiers/internal/gha/builder_test.go @@ -65,7 +65,8 @@ func Test_VerifyWorkflowIdentity(t *testing.T) { Trigger: "workflow_dispatch", Issuer: "https://token.actions.githubusercontent.com", }, - source: trustedBuilderRepository, + source: trustedBuilderRepository, + builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/heads/main", }, { name: "valid main ref for e2e test", @@ -76,7 +77,8 @@ func Test_VerifyWorkflowIdentity(t *testing.T) { Trigger: "workflow_dispatch", Issuer: certOidcIssuer, }, - source: e2eTestRepository, + source: e2eTestRepository, + builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/heads/main", }, { name: "valid main ref for e2e test - match builderID", @@ -91,6 +93,7 @@ func Test_VerifyWorkflowIdentity(t *testing.T) { buildOpts: &options.BuilderOpts{ ExpectedID: asStringPointer("https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml"), }, + builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/heads/main", }, { name: "valid main ref for e2e test - mismatch builderID", @@ -116,8 +119,9 @@ func Test_VerifyWorkflowIdentity(t *testing.T) { Trigger: "workflow_dispatch", Issuer: certOidcIssuer, }, - source: "malicious/source", - err: serrors.ErrorMismatchSource, + source: "malicious/source", + err: serrors.ErrorMismatchSource, + builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/heads/main", }, { name: "valid main ref for builder", @@ -151,7 +155,8 @@ func Test_VerifyWorkflowIdentity(t *testing.T) { Trigger: "workflow_dispatch", Issuer: certOidcIssuer, }, - source: "asraa/slsa-on-github-test", + source: "asraa/slsa-on-github-test", + builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.3", }, { name: "valid workflow identity - match builderID", @@ -166,6 +171,7 @@ func Test_VerifyWorkflowIdentity(t *testing.T) { buildOpts: &options.BuilderOpts{ ExpectedID: asStringPointer("https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml"), }, + builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.3", }, { name: "valid workflow identity - mismatch builderID", @@ -191,8 +197,9 @@ func Test_VerifyWorkflowIdentity(t *testing.T) { Trigger: "workflow_dispatch", Issuer: certOidcIssuer, }, - source: "asraa/slsa-on-github-test", - err: serrors.ErrorInvalidRef, + source: "asraa/slsa-on-github-test", + err: serrors.ErrorInvalidRef, + builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.3-alpha", }, { name: "invalid workflow identity with build", @@ -227,7 +234,8 @@ func Test_VerifyWorkflowIdentity(t *testing.T) { Trigger: "workflow_dispatch", Issuer: certOidcIssuer, }, - source: "github.com/asraa/slsa-on-github-test", + source: "github.com/asraa/slsa-on-github-test", + builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.3", }, { name: "valid workflow identity with fully qualified source - match builderID", @@ -242,6 +250,7 @@ func Test_VerifyWorkflowIdentity(t *testing.T) { buildOpts: &options.BuilderOpts{ ExpectedID: asStringPointer("https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml"), }, + builderID: "https://github.com/" + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.2.3", }, { name: "valid workflow identity with fully qualified source - mismatch builderID", @@ -267,10 +276,16 @@ func Test_VerifyWorkflowIdentity(t *testing.T) { if opts == nil { opts = &options.BuilderOpts{} } - _, err := VerifyWorkflowIdentity(tt.workflow, opts, tt.source) + id, err := VerifyWorkflowIdentity(tt.workflow, opts, tt.source) if !errCmp(err, tt.err) { t.Errorf(cmp.Diff(err, tt.err, cmpopts.EquateErrors())) } + if err != nil { + return + } + if id != tt.builderID { + t.Errorf(cmp.Diff(id, tt.builderID)) + } }) } } diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index e280f69be..319c2a603 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go @@ -39,13 +39,9 @@ func provenanceFromEnv(env *dsselib.Envelope) (prov *intoto.ProvenanceStatement, // Verify Builder ID in provenance statement. func verifyBuilderID(prov *intoto.ProvenanceStatement, builderID string) error { - id, err := sourceFromURI(prov.Predicate.Builder.ID) - if err != nil { - return err - } - if !strings.EqualFold(id, builderID) { + if !strings.EqualFold(prov.Predicate.Builder.ID, builderID) { return fmt.Errorf("%w: expected '%s' in builder.id, got '%s'", serrors.ErrorMismatchBuilderID, - builderID, id) + builderID, prov.Predicate.Builder.ID) } return nil } @@ -178,7 +174,7 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO } // Verify Builder ID. - if err := verifyBuilderID(prov, *provenanceOpts.ExpectedBuilderID); err != nil { + if err := verifyBuilderID(prov, provenanceOpts.ExpectedBuilderID); err != nil { return err } diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go index 797a8fdb2..5843dcc50 100644 --- a/verifiers/internal/gha/verifier.go +++ b/verifiers/internal/gha/verifier.go @@ -65,7 +65,7 @@ func (v *GHAVerifier) Verify(ctx context.Context, /* Verify properties of the SLSA provenance. */ // Unpack and verify info in the provenance, including the Subject Digest. - provenanceOpts.ExpectedBuilderID = &builderID + provenanceOpts.ExpectedBuilderID = builderID if err := VerifyProvenance(env, provenanceOpts); err != nil { return nil, "", err }