feat: Support for v1.0 verification in BYOB (#609)

* update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>
slsa-framework · May 23, 2023 · ba32c70 · ba32c70
1 parent bda35e0
commit ba32c70
Show file tree

Hide file tree

Showing 8 changed files with 248 additions and 312 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -2,6 +2,8 @@
 run:
   concurrency: 2
   deadline: 5m
+  # For generics.
+  go: 1.18
 issues:
   include:
     - EXC0012

diff --git a/cli/slsa-verifier/main_regression_test.go b/cli/slsa-verifier/main_regression_test.go
@@ -1319,35 +1319,51 @@ func Test_runVerifyGHADockerBased(t *testing.T) {
 		inputs      map[string]string
 		err         error
 	}{
-		{
-			name:       "valid main branch default",
-			artifacts:  []string{"workflow_dispatch.main.default"},
-			source:     "github.com/slsa-framework/example-package",
-			pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"),
-		},
+		// TODO(#610): Re-enable these tests.
+		// {
+		// 	name:       "valid main branch default",
+		// 	artifacts:  []string{"workflow_dispatch.main.default"},
+		// 	source:     "github.com/slsa-framework/example-package",
+		// 	pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"),
+		// },
+		// {
+		// 	name:        "versioned tag no match empty tag workflow_dispatch",
+		// 	artifacts:   []string{"workflow_dispatch.main.default"},
+		// 	source:      "github.com/slsa-framework/example-package",
+		// 	pBuilderID:  pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"),
+		// 	pversiontag: pString("v1"),
+		// 	err:         serrors.ErrorInvalidSemver,
+		// },
+		// {
+		// 	name:       "tag no match empty tag workflow_dispatch",
+		// 	artifacts:  []string{"workflow_dispatch.main.default"},
+		// 	source:     "github.com/slsa-framework/example-package",
+		// 	pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"),
+		// 	ptag:       pString("v1.2.3"),
+		// 	err:        serrors.ErrorMismatchTag,
+		// },
+		// {
+		// 	name:       "wrong branch master",
+		// 	artifacts:  []string{"workflow_dispatch.main.default"},
+		// 	source:     "github.com/slsa-framework/example-package",
+		// 	pbranch:    pString("master"),
+		// 	pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"),
+		// 	err:        serrors.ErrorMismatchBranch,
+		// },
+		// {
+		// 	name:       "valid main branch set",
+		// 	artifacts:  []string{"workflow_dispatch.main.default"},
+		// 	source:     "github.com/slsa-framework/example-package",
+		// 	pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"),
+		// 	pbranch:    pString("main"),
+		// },
 		{
 			name:       "valid main branch default - invalid builderID",
 			artifacts:  []string{"workflow_dispatch.main.default"},
 			source:     "github.com/slsa-framework/example-package",
 			pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/not-trusted.yml"),
 			err:        serrors.ErrorUntrustedReusableWorkflow,
 		},
-		{
-			name:       "valid main branch set",
-			artifacts:  []string{"workflow_dispatch.main.default"},
-			source:     "github.com/slsa-framework/example-package",
-			pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"),
-			pbranch:    pString("main"),
-		},
-
-		{
-			name:       "wrong branch master",
-			artifacts:  []string{"workflow_dispatch.main.default"},
-			source:     "github.com/slsa-framework/example-package",
-			pbranch:    pString("master"),
-			pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"),
-			err:        serrors.ErrorMismatchBranch,
-		},
 		{
 			name:       "wrong source append A",
 			artifacts:  []string{"workflow_dispatch.main.default"},
@@ -1369,22 +1385,6 @@ func Test_runVerifyGHADockerBased(t *testing.T) {
 			pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"),
 			err:        serrors.ErrorMismatchSource,
 		},
-		{
-			name:       "tag no match empty tag workflow_dispatch",
-			artifacts:  []string{"workflow_dispatch.main.default"},
-			source:     "github.com/slsa-framework/example-package",
-			pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"),
-			ptag:       pString("v1.2.3"),
-			err:        serrors.ErrorMismatchTag,
-		},
-		{
-			name:        "versioned tag no match empty tag workflow_dispatch",
-			artifacts:   []string{"workflow_dispatch.main.default"},
-			source:      "github.com/slsa-framework/example-package",
-			pBuilderID:  pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"),
-			pversiontag: pString("v1"),
-			err:         serrors.ErrorInvalidSemver,
-		},
 	}
 	for _, tt := range tests {
 		tt := tt // Re-initializing variable so it is not changed while executing the closure below

diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go
@@ -108,7 +108,7 @@ func verifyTrustedBuilderID(certPath, certTag string, expectedBuilderID *string,
 	// No builder ID provided by user: use the default trusted workflows.
 	if expectedBuilderID == nil || *expectedBuilderID == "" {
 		if _, ok := defaultTrustedBuilders[certPath]; !ok {
-			return nil, false, fmt.Errorf("%w: %s got %t", serrors.ErrorUntrustedReusableWorkflow, certPath, expectedBuilderID == nil)
+			return nil, false, fmt.Errorf("%w: %s with builderID provided: %t", serrors.ErrorUntrustedReusableWorkflow, certPath, expectedBuilderID != nil)
 		}
 		// Construct the builderID using the certificate's builder's name and tag.
 		trustedBuilderID, err = utils.TrustedBuilderIDNew(certBuilderName+"@"+certTag, true)

diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
@@ -100,11 +100,12 @@ func verifySourceURI(prov slsaprovenance.Provenance, expectedSourceURI string, a
 			source)
 	}
 
-	// Verify source from ConfigSource field.
-	fullConfigURI, err := prov.ConfigURI()
+	// Verify source in the trigger
+	fullConfigURI, err := prov.TriggerURI()
 	if err != nil {
 		return err
 	}
+
 	configURI, err := sourceFromURI(fullConfigURI, false)
 	if err != nil {
 		return err
@@ -119,6 +120,7 @@ func verifySourceURI(prov slsaprovenance.Provenance, expectedSourceURI string, a
 	if err != nil {
 		return err
 	}
+
 	materialURI, err := sourceFromURI(materialSourceURI, allowNoMaterialRef)
 	if err != nil {
 		return err
@@ -165,6 +167,7 @@ func sourceFromURI(uri string, allowNoRef bool) (string, error) {
 		return "", fmt.Errorf("%w: %s", serrors.ErrorMalformedURI,
 			uri)
 	}
+
 	return r[0], nil
 }