From 65708b733365a64efde8e285481571fa00a983f5 Mon Sep 17 00:00:00 2001 From: Asra Ali Date: Wed, 15 Feb 2023 14:37:58 -0600 Subject: [PATCH] test: add docker based spport and start adding tests Signed-off-by: Asra Ali --- cli/slsa-verifier/main_regression_test.go | 154 +++++++++++++++++- .../main/workflow_dispatch.main.default | 4 + ...flow_dispatch.main.default.intoto.sigstore | 1 + verifiers/internal/gha/builder.go | 5 +- verifiers/internal/gha/provenance.go | 8 +- .../gha/slsaprovenance/v1.0/provenance.go | 9 +- 6 files changed, 170 insertions(+), 11 deletions(-) create mode 100644 cli/slsa-verifier/testdata/gha_docker-based/main/workflow_dispatch.main.default create mode 100644 cli/slsa-verifier/testdata/gha_docker-based/main/workflow_dispatch.main.default.intoto.sigstore diff --git a/cli/slsa-verifier/main_regression_test.go b/cli/slsa-verifier/main_regression_test.go index b7d1162fb..7632b2483 100644 --- a/cli/slsa-verifier/main_regression_test.go +++ b/cli/slsa-verifier/main_regression_test.go @@ -8,6 +8,7 @@ import ( "errors" "fmt" "io/ioutil" + "os" "path" "path/filepath" "strings" @@ -38,9 +39,12 @@ func pString(s string) *string { const TEST_DIR = "./testdata" var ( - GHA_ARTIFACT_PATH_BUILDERS = []string{"gha_go", "gha_generic"} - GHA_ARTIFACT_IMAGE_BUILDERS = []string{"gha_generic_container"} - GCB_ARTIFACT_IMAGE_BUILDERS = []string{"gcb_container"} + GHA_ARTIFACT_PATH_BUILDERS = []string{"gha_go", "gha_generic"} + // TODO(https://github.com/slsa-framework/slsa-verifier/issues/485): Merge this with + // GHA_ARTIFACT_PATH_BUILDERS. + GHA_ARTIFACT_DOCKER_BUILDERS = []string{"gha_docker-based"} + GHA_ARTIFACT_IMAGE_BUILDERS = []string{"gha_generic_container"} + GCB_ARTIFACT_IMAGE_BUILDERS = []string{"gcb_container"} ) func getBuildersAndVersions(t *testing.T, 
@@ -1231,3 +1235,147 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) { }) } } + +// TODO(https://github.com/slsa-framework/slsa-verifier/issues/485): Version the test-cases +// when a version for the builder is released. +func Test_runVerifyGHADockerBased(t *testing.T) { + // We cannot use t.Setenv due to parallelized tests. + os.Setenv("SLSA_VERIFIER_EXPERIMENTAL", "1") + + t.Parallel() + + builder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml" + tests := []struct { + name string + artifacts []string + source string + pbranch *string + ptag *string + pversiontag *string + pBuilderID *string + inputs map[string]string + err error + }{ + { + name: "valid main branch default", + artifacts: []string{"workflow_dispatch.main.default"}, + source: "github.com/slsa-framework/example-package", + pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"), + }, + { + name: "valid main branch default - invalid builderID", + artifacts: []string{"workflow_dispatch.main.default"}, + source: "github.com/slsa-framework/example-package", + pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/not-trusted.yml"), + err: serrors.ErrorUntrustedReusableWorkflow, + }, + { + name: "valid main branch set", + artifacts: []string{"workflow_dispatch.main.default"}, + source: "github.com/slsa-framework/example-package", + pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"), + pbranch: pString("main"), + }, + + { + name: "wrong branch master", + artifacts: []string{"workflow_dispatch.main.default"}, + source: "github.com/slsa-framework/example-package", + pbranch: pString("master"), + pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"), + err: serrors.ErrorMismatchBranch, 
+ }, + { + name: "wrong source append A", + artifacts: []string{"workflow_dispatch.main.default"}, + source: "github.com/slsa-framework/example-packageA", + pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"), + err: serrors.ErrorMismatchSource, + }, + { + name: "wrong source prepend A", + artifacts: []string{"workflow_dispatch.main.default"}, + source: "Agithub.com/slsa-framework/example-package", + pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"), + err: serrors.ErrorMismatchSource, + }, + { + name: "wrong source middle A", + artifacts: []string{"workflow_dispatch.main.default"}, + source: "github.com/Aslsa-framework/example-package", + pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"), + err: serrors.ErrorMismatchSource, + }, + { + name: "tag no match empty tag workflow_dispatch", + artifacts: []string{"workflow_dispatch.main.default"}, + source: "github.com/slsa-framework/example-package", + pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"), + ptag: pString("v1.2.3"), + err: serrors.ErrorMismatchTag, + }, + { + name: "versioned tag no match empty tag workflow_dispatch", + artifacts: []string{"workflow_dispatch.main.default"}, + source: "github.com/slsa-framework/example-package", + pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_docker-based_slsa3.yml"), + pversiontag: pString("v1"), + err: serrors.ErrorInvalidSemver, + }, + } + for _, tt := range tests { + tt := tt // Re-initializing variable so it is not changed while executing the closure below + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + checkVersions := getBuildersAndVersions(t, "", nil, GHA_ARTIFACT_DOCKER_BUILDERS) + + for _, v := 
range checkVersions { + testPath := filepath.Clean(filepath.Join(TEST_DIR, v, tt.artifacts[0])) + provenancePath := fmt.Sprintf("%s.intoto.sigstore", testPath) + + artifacts := make([]string, len(tt.artifacts)) + for i, artifact := range tt.artifacts { + artifacts[i] = filepath.Clean(filepath.Join(TEST_DIR, v, artifact)) + } + + // For each test, we run 2 sub-tests: + // 1. With the the full builderID including the semver in short form. + // 2. With the the full builderID including the semver in long form. + // 3. With only the name of the builder. + // 4. With no builder ID. + sv := path.Base(v) + builderIDs := []*string{ + pString(builder + "@" + sv), + pString(builder + "@refs/tags/" + sv), + pString(builder), + nil, + } + + // If builder ID is set, use it. + if tt.pBuilderID != nil { + builderIDs = []*string{tt.pBuilderID} + } + + for _, bid := range builderIDs { + cmd := verify.VerifyArtifactCommand{ + ProvenancePath: provenancePath, + SourceURI: tt.source, + SourceBranch: tt.pbranch, + BuilderID: bid, + SourceTag: tt.ptag, + SourceVersionTag: tt.pversiontag, + BuildWorkflowInputs: tt.inputs, + } + + // The outBuilderID is the actual builder ID from the provenance. + // This is always long form for the GHA builders. + _, err := cmd.Exec(context.Background(), artifacts) + if !errCmp(err, tt.err) { + t.Errorf("%v: %v", v, cmp.Diff(err, tt.err, cmpopts.EquateErrors())) + } + } + } + }) + } +} diff --git a/cli/slsa-verifier/testdata/gha_docker-based/main/workflow_dispatch.main.default b/cli/slsa-verifier/testdata/gha_docker-based/main/workflow_dispatch.main.default new file mode 100644 index 000000000..e4997faad --- /dev/null +++ b/cli/slsa-verifier/testdata/gha_docker-based/main/workflow_dispatch.main.default @@ -0,0 +1,4 @@ +# Simple command for generating a file. +command = ["cp", ".github/configs-docker/config.toml", "config.toml"] +# Path to the file generated by the command above. +artifact_path = "config.toml" \ No newline at end of file 
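Review bot: `os.Setenv("SLSA_VERIFIER_EXPERIMENTAL", "1")` at the top of Test_runVerifyGHADockerBased changes the environment of the whole test process and is never undone, and its error return is dropped. Every other regression test in the package that runs afterwards or in parallel therefore also runs with the experimental flag on, which can hide a regression in the default, non-experimental verification path. If the flag is meant for this test only, restore it with `t.Cleanup(func() { os.Unsetenv("SLSA_VERIFIER_EXPERIMENTAL") })`; if it is meant package-wide, set it once in a `TestMain` so the dependency is explicit. Separately, every table entry sets `pBuilderID`, so the four-entry `builderIDs` list (including the `nil` case) is always overwritten and never exercised, and the comment above it says "2 sub-tests" while listing four.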
diff --git a/cli/slsa-verifier/testdata/gha_docker-based/main/workflow_dispatch.main.default.intoto.sigstore b/cli/slsa-verifier/testdata/gha_docker-based/main/workflow_dispatch.main.default.intoto.sigstore new file mode 100644 index 000000000..1684c3f90 --- /dev/null +++ b/cli/slsa-verifier/testdata/gha_docker-based/main/workflow_dispatch.main.default.intoto.sigstore 
@@ -0,0 +1 @@ +{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{"x509CertificateChain":{"certificates":[{"rawBytes":"MIIEGDCCA52gAwIBAgIUCWYYB00jkc17bO6w0zT5xXq+dFAwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjMwMjE1MTkyMzQ3WhcNMjMwMjE1MTkzMzQ3WjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEx8lrDBT2vkXlGh3C5uRL7iICjn6H+GvOpAOU62WY3noxmTfLpxLVt9p9IOQqQbxZUKmkPiNZG678qrNzVolk06OCArwwggK4MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUCVhAiPdNj3YJds8kDQKqXJN0/4IwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wgYYGA1UdEQEB/wR8MHqGeGh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvLmdpdGh1Yi93b3JrZmxvd3MvYnVpbGRlcl9kb2NrZXItYmFzZWRfc2xzYTMueW1sQHJlZnMvaGVhZHMvbWFpbjA5BgorBgEEAYO/MAEBBCtodHRwczovL3Rva2VuLmFjdGlvbnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tMB8GCisGAQQBg78wAQIEEXdvcmtmbG93X2Rpc3BhdGNoMDYGCisGAQQBg78wAQMEKDJkMDQ5ODIwMWEwN2FjMzRjOGNmMTI2MTY5NWE0YTU0NzE5ZDYyNDQwWQYKKwYBBAGDvzABBARLLmdpdGh1Yi93b3JrZmxvd3MvZTJlLmRvY2tlci1iYXNlZC53b3JrZmxvd19kaXNwYXRjaC5tYWluLmRlZmF1bHQuc2xzYTMueW1sMCwGCisGAQQBg78wAQUEHnNsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZTAdBgorBgEEAYO/MAEGBA9yZWZzL2hlYWRzL21haW4wgYsGCisGAQQB1nkCBAIEfQR7AHkAdwDdPTBqxscRMmMZHhyZZzcCokpeuN48rf+HinKALynujgAAAYZWiG93AAAEAwBIMEYCIQDQqeoEL5drqu8X0RsNCPH5umCTIkvYo4zhpjCYaBOKfAIhAPrmWh7LGpIFjT0+0V4RaSV5rumZOfWnET+sA/C6PvbQMAoGCCqGSM49BAMDA2kAMGYCMQDYSGRL9P2ddAF2yYfWpvqwOxlZ65xnB9qStBjDc4LWknQI4gbUwGINc0Y78GHEHVQCMQDYiUWP8c4VyqUHMtId97sBJsQqFL3SItCFQ17P2D3IJJ3xOJfUfGyGwIm+xhLTJiY="},{"rawBytes":"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"},{"rawBytes":"MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpi
S5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ"}]},"tlogEntries":[{"logIndex":"13419795","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"intoto","version":"0.0.2"},"integratedTime":"1676489027","inclusionPromise":{"signedEntryTimestamp":"MEYCIQDez3v1XaIzk72GNAXRsmcPFWom2ZXmc25SF4u7ooLzIwIhALMz8n93pxGOYxUGDelyAzS6uNUJ2Ro6V7TlUFc8dYkk"},"canonicalizedBody":"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"}]},"dsseEnvelope":{"payload":"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","payloadType":"application/vnd.in-toto+json","signatures":[{"sig":"MEYCIQDPcCNR1c7eLr+Ogh/37huI6LRCQTeH0vDHNJegvP2cbwIhAKBjcwYoMszKtqQmZSC7lWGARLP9kfaGHIlVZIS5qvpc","keyid":""}]}} \ No newline at end of file diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go index f39005827..423fc0e8e 100644 --- a/verifiers/internal/gha/builder.go +++ b/verifiers/internal/gha/builder.go @@ -23,8 +23,9 @@ var ( ) var defaultArtifactTrustedReusableWorkflows = map[string]bool{ - trustedBuilderRepository + "/.github/workflows/generator_generic_slsa3.yml": true, - trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml": true, + trustedBuilderRepository + "/.github/workflows/generator_generic_slsa3.yml": true, + trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml": true, + trustedBuilderRepository + "/.github/workflows/builder_docker-based_slsa3.yml": true, } var defaultContainerTrustedReusableWorkflows = map[string]bool{ diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go index 7480dc2c5..7aa8c4389 100644 --- a/verifiers/internal/gha/provenance.go +++ b/verifiers/internal/gha/provenance.go 
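Review bot: The `builder_docker-based_slsa3.yml` key is added to `defaultArtifactTrustedReusableWorkflows` unconditionally, although the accompanying test sets `SLSA_VERIFIER_EXPERIMENTAL` and its TODO says no version of this builder has been released. Nothing in this hunk ties the new trust-list entry to that flag. If the gate is enforced elsewhere, a short comment on this line should say where; if it is not, consider inserting the key only when the experimental flag is set. A negative regression case asserting that provenance from this workflow is rejected with the flag unset would pin whichever behaviour is intended. The code that consults the map is outside the visible diff.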
@@ -85,7 +85,7 @@ func verifySourceURI(prov slsaprovenance.Provenance, expectedSourceURI string) e if err != nil { return err } - configURI, err := sourceFromURI(fullConfigURI, false) + configURI, err := sourceFromURI(fullConfigURI) if err != nil { return err } @@ -99,7 +99,7 @@ func verifySourceURI(prov slsaprovenance.Provenance, expectedSourceURI string) e if err != nil { return err } - materialURI, err := sourceFromURI(materialSourceURI, false) + materialURI, err := sourceFromURI(materialSourceURI) if err != nil { return err } @@ -119,13 +119,13 @@ func verifySourceURI(prov slsaprovenance.Provenance, expectedSourceURI string) e return nil } -func sourceFromURI(uri string, allowNotTag bool) (string, error) { +func sourceFromURI(uri string) (string, error) { if uri == "" { return "", fmt.Errorf("%w: empty uri", serrors.ErrorMalformedURI) } r := strings.SplitN(uri, "@", 2) - if len(r) < 2 && !allowNotTag { + if len(r) < 2 { return "", fmt.Errorf("%w: %s", serrors.ErrorMalformedURI, uri) } diff --git a/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go b/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go index 95c76877f..4eeef96f1 100644 --- a/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go +++ b/verifiers/internal/gha/slsaprovenance/v1.0/provenance.go @@ -1,6 +1,7 @@ package v1 import ( + "encoding/json" "fmt" intoto "github.com/in-toto/in-toto-golang/in_toto" 
@@ -44,8 +45,12 @@ func (prov *ProvenanceV1) SourceURI() (string, error) {
 if !ok {
 return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "external parameters source")
 }
- sourceRef, ok := source.(slsa1.ArtifactReference)
- if !ok {
+ sourceBytes, err := json.Marshal(source)
+ if err != nil {
+ return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, err)
+ }
+ var sourceRef slsa1.ArtifactReference
+ if err := json.Unmarshal(sourceBytes, &sourceRef); err != nil {
 return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "external parameters source type")
 }
 return sourceRef.URI, nil
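Review bot: After the JSON round-trip, `SourceURI` can return an empty string with a nil error, because `json.Unmarshal` into `slsa1.ArtifactReference` succeeds for any JSON object, including one with no `uri` key, and ignores unknown keys. Add an explicit check before the final return, e.g. `if sourceRef.URI == "" { return "", fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, "external parameters source uri") }`, so that malformed provenance is rejected here and does not depend on a later caller noticing the empty value. The unmarshal branch also discards `err`, unlike the marshal branch just above it; including it in the message would make a bad payload easier to diagnose. The function's closing brace is outside the hunk.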