Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support branch and tag from slsa v1 provenance #476

Merged
merged 2 commits into from
Feb 10, 2023
Merged

feat: support branch and tag from slsa v1 provenance #476

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
08feb04
feat: support branch and tag from slsa v1 provenance
asraa Feb 10, 2023
561906e
lint
asraa Feb 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ require (
github.com/go-openapi/runtime v0.25.0
github.com/google/go-cmp v0.5.9
github.com/google/trillian v1.5.1-0.20220819043421-0a389c4bb8d9 // indirect
github.com/in-toto/in-toto-golang v0.6.1-0.20230207212643-96dcb8c596fb
github.com/in-toto/in-toto-golang v0.6.1-0.20230209184401-f8269f61247e
github.com/secure-systems-lab/go-securesystemslib v0.4.0
github.com/sigstore/rekor v1.0.1
github.com/sigstore/sigstore v1.5.1
Expand Down Expand Up @@ -232,18 +232,18 @@ require (
go.uber.org/atomic v1.10.0 // indirect
go.uber.org/multierr v1.8.0 // indirect
go.uber.org/zap v1.24.0 // indirect
golang.org/x/crypto v0.5.0 // indirect
golang.org/x/crypto v0.6.0 // indirect
golang.org/x/exp v0.0.0-20220823124025-807a23277127 // indirect
golang.org/x/net v0.5.0 // indirect
golang.org/x/net v0.6.0 // indirect
golang.org/x/oauth2 v0.4.0 // indirect
golang.org/x/sync v0.1.0 // indirect
golang.org/x/sys v0.5.0 // indirect
golang.org/x/term v0.4.0 // indirect
golang.org/x/text v0.6.0 // indirect
golang.org/x/term v0.5.0 // indirect
golang.org/x/text v0.7.0 // indirect
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.5.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20230202175211-008b39050e57 // indirect
google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc // indirect
google.golang.org/grpc v1.53.0 // indirect
google.golang.org/protobuf v1.28.1
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
Expand Down
14 changes: 14 additions & 0 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -921,6 +921,10 @@ github.com/in-toto/in-toto-golang v0.6.1-0.20230207163334-3493691c6d9c h1:d50sx5
github.com/in-toto/in-toto-golang v0.6.1-0.20230207163334-3493691c6d9c/go.mod h1:AoOsIJkpD8RHrZIAQxXqhGPm7M38IzT4JAdgPpf4OZc=
github.com/in-toto/in-toto-golang v0.6.1-0.20230207212643-96dcb8c596fb h1:lUoNEu/QPf8P52025Pk46e5godp1uRUzSJ3CQknuFdE=
github.com/in-toto/in-toto-golang v0.6.1-0.20230207212643-96dcb8c596fb/go.mod h1:AoOsIJkpD8RHrZIAQxXqhGPm7M38IzT4JAdgPpf4OZc=
github.com/in-toto/in-toto-golang v0.6.1-0.20230209165403-64db848c2ff5 h1:rkgh5ngupN/AKqBOx1Iv6MMGvGjfGHmdp4m1G/V04w4=
github.com/in-toto/in-toto-golang v0.6.1-0.20230209165403-64db848c2ff5/go.mod h1:AoOsIJkpD8RHrZIAQxXqhGPm7M38IzT4JAdgPpf4OZc=
github.com/in-toto/in-toto-golang v0.6.1-0.20230209184401-f8269f61247e h1:GmiHh3s1OVNsSPBNsPSfehT+CcjJN8q6FQCkQphhBOA=
github.com/in-toto/in-toto-golang v0.6.1-0.20230209184401-f8269f61247e/go.mod h1:AoOsIJkpD8RHrZIAQxXqhGPm7M38IzT4JAdgPpf4OZc=
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
Expand Down Expand Up @@ -1651,6 +1655,8 @@ golang.org/x/crypto v0.4.0 h1:UVQgzMY87xqpKNgb+kDsll2Igd33HszWHFLmpaRMq/8=
golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80=
golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE=
golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
Expand Down Expand Up @@ -1778,6 +1784,8 @@ golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
golang.org/x/net v0.6.0 h1:L4ZwwTvKW9gr0ZMS1yrHD9GZhIuVjOBBnaKH+SPQK0Q=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20181106182150-f42d05182288/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
Expand Down Expand Up @@ -1956,6 +1964,8 @@ golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
golang.org/x/term v0.4.0 h1:O7UWfv5+A2qiuulQk30kVinPoMtoIPeVaKLEgLpVkvg=
golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
Expand All @@ -1971,6 +1981,8 @@ golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
Expand Down Expand Up @@ -2249,6 +2261,8 @@ google.golang.org/genproto v0.0.0-20230125152338-dcaf20b6aeaa h1:qQPhfbPO23fwm/9
google.golang.org/genproto v0.0.0-20230125152338-dcaf20b6aeaa/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
google.golang.org/genproto v0.0.0-20230202175211-008b39050e57 h1:vArvWooPH749rNHpBGgVl+U9B9dATjiEhJzcWGlovNs=
google.golang.org/genproto v0.0.0-20230202175211-008b39050e57/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc h1:ijGwO+0vL2hJt5gaygqP2j6PfflOBrRot0IczKbmtio=
google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
Expand Down
3 changes: 1 addition & 2 deletions verifiers/internal/gha/provenance.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@ import (
serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
"github.com/slsa-framework/slsa-verifier/v2/options"
"github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance"
"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"

// Load provenance types.
_ "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/v0.2"
Expand Down Expand Up @@ -249,7 +248,7 @@ func VerifyWorkflowInputs(prov slsaprovenance.Provenance, inputs map[string]stri

// Verify all inputs.
for k, v := range inputs {
value, err := utils.GetAsString(pyldInputs, k)
value, err := slsaprovenance.GetAsString(pyldInputs, k)
if err != nil {
return fmt.Errorf("%w: cannot retrieve value of '%s'", serrors.ErrorMismatchWorkflowInputs, k)
}
Expand Down
138 changes: 127 additions & 11 deletions verifiers/internal/gha/provenance_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package gha
import (
"fmt"
"os"
"strings"
"testing"

"github.com/google/go-cmp/cmp"
Expand Down Expand Up @@ -586,6 +587,42 @@ func Test_VerifyBranch(t *testing.T) {
branch: "main",
expected: serrors.ErrorMismatchBranch,
},

{
name: "ref main",
path: "./testdata/dsse-main-ref-v1.intoto.jsonl",
branch: "main",
},
{
name: "ref branch3",
path: "./testdata/dsse-branch3-ref-v1.intoto.jsonl",
branch: "branch3",
},

{
name: "invalid ref type",
path: "./testdata/dsse-invalid-ref-type-v1.intoto.jsonl",
expected: serrors.ErrorInvalidDssePayload,
},

{
name: "tag branch2 push trigger",
path: "./testdata/dsse-branch2-tag-v1.intoto.jsonl",
branch: "branch2",
},

{
name: "v10.0.1 release trigger",
path: "./testdata/dsse-v10.0.1-release-v1.intoto.jsonl",
branch: "main",
},

{
name: "from commit push - no branch",
path: "./testdata/dsse-annotated-tag-v1.intoto.jsonl",
branch: "main",
expected: serrors.ErrorMismatchBranch,
},
}
for _, tt := range tests {
tt := tt // Re-initializing variable so it is not changed while executing the closure below
Expand Down Expand Up @@ -671,6 +708,60 @@ func Test_VerifyWorkflowInputs(t *testing.T) {
},
expected: serrors.ErrorMismatchWorkflowInputs,
},
{
name: "match all",
path: "./testdata/dsse-workflow-inputs-v1.intoto.jsonl",
inputs: map[string]string{
"release_version": "v1.2.3",
"some_bool": "true",
"some_integer": "123",
},
},
{
name: "match subset",
path: "./testdata/dsse-workflow-inputs-v1.intoto.jsonl",
inputs: map[string]string{
"release_version": "v1.2.3",
"some_integer": "123",
},
},
{
name: "missing field",
path: "./testdata/dsse-workflow-inputs-v1.intoto.jsonl",
inputs: map[string]string{
"release_version": "v1.2.3",
"missing_field": "123",
},
expected: serrors.ErrorMismatchWorkflowInputs,
},
{
name: "mismatch field release_version",
path: "./testdata/dsse-workflow-inputs-v1.intoto.jsonl",
inputs: map[string]string{
"release_version": "v1.2.4",
"some_integer": "123",
},
expected: serrors.ErrorMismatchWorkflowInputs,
},
{
name: "mismatch field some_integer",
path: "./testdata/dsse-workflow-inputs-v1.intoto.jsonl",
inputs: map[string]string{
"release_version": "v1.2.3",
"some_integer": "124",
},
expected: serrors.ErrorMismatchWorkflowInputs,
},
{
name: "not workflow_dispatch trigger",
path: "./testdata/dsse-workflow-inputs-wrong-trigger-v1.intoto.jsonl",
inputs: map[string]string{
"release_version": "v1.2.3",
"some_bool": "true",
"some_integer": "123",
},
expected: serrors.ErrorMismatchWorkflowInputs,
},
}
for _, tt := range tests {
tt := tt // Re-initializing variable so it is not changed while executing the closure below
Expand Down Expand Up @@ -722,6 +813,26 @@ func Test_VerifyTag(t *testing.T) {
path: "./testdata/dsse-vslsa1-tag.intoto.jsonl",
tag: "vslsa1",
},
{
name: "ref main",
path: "./testdata/dsse-main-ref-v1.intoto.jsonl",
expected: serrors.ErrorMismatchTag,
},
{
name: "ref branch3",
path: "./testdata/dsse-branch3-ref-v1.intoto.jsonl",
expected: serrors.ErrorMismatchTag,
},
{
name: "invalid ref type",
path: "./testdata/dsse-invalid-ref-type-v1.intoto.jsonl",
expected: serrors.ErrorInvalidDssePayload,
},
{
name: "tag vslsa1",
path: "./testdata/dsse-vslsa1-tag-v1.intoto.jsonl",
tag: "vslsa1",
},
}
for _, tt := range tests {
tt := tt // Re-initializing variable so it is not changed while executing the closure below
Expand Down Expand Up @@ -1058,18 +1169,23 @@ func Test_VerifyVersionedTag(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
t.Parallel()

content, err := os.ReadFile(tt.path)
if err != nil {
panic(fmt.Errorf("os.ReadFile: %w", err))
}
prov, err := provenanceFromBytes(content)
if err != nil {
panic(fmt.Errorf("provenanceFromBytes: %w", err))
}
for _, version := range []string{"", "-v1"} {
pathParts := strings.Split(tt.path, ".intoto")
pathName := []string{pathParts[0] + version}
pathName = append(pathName, pathParts[1:]...)
content, err := os.ReadFile(strings.Join(pathName, ".intoto"))
if err != nil {
panic(fmt.Errorf("os.ReadFile: %w", err))
}
prov, err := provenanceFromBytes(content)
if err != nil {
panic(fmt.Errorf("provenanceFromBytes: %w", err))
}

err = VerifyVersionedTag(prov, tt.tag)
if !errCmp(err, tt.expected) {
t.Errorf(cmp.Diff(err, tt.expected))
err = VerifyVersionedTag(prov, tt.tag)
if !errCmp(err, tt.expected) {
t.Errorf(cmp.Diff(err, tt.expected))
}
}
})
}
Expand Down
Loading