cli · malancas · Nov 6, 2024 · Oct 29, 2024 · Oct 29, 2024 · Oct 29, 2024
@@ -4,21 +4,23 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+
+	"github.com/sigstore/sigstore-go/pkg/fulcio/certificate"
 )
 
 var (
 	GitHubOIDCIssuer       = "https://token.actions.githubusercontent.com"
 	GitHubTenantOIDCIssuer = "https://token.actions.%s.ghe.com"
 )
 
-func VerifyCertExtensions(results []*AttestationProcessingResult, tenant, owner, repo, issuer string) error {
+func VerifyCertExtensions(results []*AttestationProcessingResult, ec EnforcementCriteria) error {
 	if len(results) == 0 {
 		return errors.New("no attestations proccessing results")
 	}
 
 	var atLeastOneVerified bool
 	for _, attestation := range results {
-		if err := verifyCertExtensions(attestation, tenant, owner, repo, issuer); err != nil {
+		if err := verifyCertExtensions(*attestation.VerificationResult.Signature.Certificate, ec); err != nil {
 			return err
 		}
 		atLeastOneVerified = true
@@ -31,52 +33,28 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, tenant, owner,
 	}
 }
 
-func verifyCertExtensions(attestation *AttestationProcessingResult, tenant, owner, repo, issuer string) error {
-	var want string
-
-	if tenant == "" {
-		want = fmt.Sprintf("https://github.com/%s", owner)
-	} else {
-		want = fmt.Sprintf("https://%s.ghe.com/%s", tenant, owner)
-	}
-	sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
-	if !strings.EqualFold(want, sourceRepositoryOwnerURI) {
-		return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", want, sourceRepositoryOwnerURI)
+func verifyCertExtensions(verifiedCert certificate.Summary, criteria EnforcementCriteria) error {
+	sourceRepositoryOwnerURI := verifiedCert.Extensions.SourceRepositoryOwnerURI
+	if !strings.EqualFold(criteria.Certificate.SourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
+		return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", criteria.Certificate.SourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
 	}
 
 	// if repo is set, check the SourceRepositoryURI field
-	if repo != "" {
-		if tenant == "" {
-			want = fmt.Sprintf("https://github.com/%s", repo)
-		} else {
-			want = fmt.Sprintf("https://%s.ghe.com/%s", tenant, repo)
-		}
-
-		sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI
-		if !strings.EqualFold(want, sourceRepositoryURI) {
-			return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", want, sourceRepositoryURI)
+	if criteria.Certificate.SourceRepositoryURI != "" {
+		sourceRepositoryURI := verifiedCert.Extensions.SourceRepositoryURI
+		if !strings.EqualFold(criteria.Certificate.SourceRepositoryURI, sourceRepositoryURI) {
+			return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", criteria.Certificate.SourceRepositoryURI, sourceRepositoryURI)
 		}
 	}
 
 	// if issuer is anything other than the default, use the user-provided value;
 	// otherwise, select the appropriate default based on the tenant
-	if issuer != GitHubOIDCIssuer {
-		want = issuer
-	} else {
-		if tenant != "" {
-			want = fmt.Sprintf(GitHubTenantOIDCIssuer, tenant)
-		} else {
-			want = GitHubOIDCIssuer
-		}
-	}
-
-	certIssuer := attestation.VerificationResult.Signature.Certificate.Extensions.Issuer
-	if !strings.EqualFold(want, certIssuer) {
-		if strings.Index(certIssuer, want+"/") == 0 {
-			return fmt.Errorf("expected Issuer to be %s, got %s -- if you have a custom OIDC issuer policy for your enterprise, use the --cert-oidc-issuer flag with your expected issuer", want, certIssuer)
-		} else {
-			return fmt.Errorf("expected Issuer to be %s, got %s", want, certIssuer)
+	certIssuer := verifiedCert.Extensions.Issuer
+	if !strings.EqualFold(criteria.Certificate.Issuer, certIssuer) {
+		if strings.Index(certIssuer, criteria.Certificate.Issuer+"/") == 0 {
+			return fmt.Errorf("expected Issuer to be %s, got %s -- if you have a custom OIDC issuer policy for your enterprise, use the --cert-oidc-issuer flag with your expected issuer", criteria.Certificate.Issuer, certIssuer)
 		}
+		return fmt.Errorf("expected Issuer to be %s, got %s", criteria.Certificate.Issuer, certIssuer)
 	}
 
 	return nil

@@ -25,126 +25,45 @@ func TestVerifyCertExtensions(t *testing.T) {
 		},
 	}
 
-	t.Run("VerifyCertExtensions with owner and repo", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "owner/repo", GitHubOIDCIssuer)
-		require.NoError(t, err)
-	})
+	certSummary := certificate.Summary{}
+	certSummary.SourceRepositoryOwnerURI = "https://github.com/owner"
+	certSummary.SourceRepositoryURI = "https://github.com/owner/repo"
+	certSummary.Issuer = GitHubOIDCIssuer
 
-	t.Run("VerifyCertExtensions with owner and repo, but wrong tenant", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", GitHubOIDCIssuer)
-		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://foo.ghe.com/owner, got https://github.com/owner")
-	})
+	c := EnforcementCriteria{
+		Certificate: certSummary,
+	}
 
-	t.Run("VerifyCertExtensions with owner", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "", GitHubOIDCIssuer)
+	t.Run("success", func(t *testing.T) {
+		err := VerifyCertExtensions(results, c)
 		require.NoError(t, err)
 	})
 
-	t.Run("VerifyCertExtensions with wrong owner", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "wrong", "", GitHubOIDCIssuer)
+	t.Run("with wrong SourceRepositoryOwnerURI", func(t *testing.T) {
+		expectedCriteria := c
+		expectedCriteria.Certificate.SourceRepositoryOwnerURI = "https://github.com/wrong"
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/wrong, got https://github.com/owner")
 	})
 
-	t.Run("VerifyCertExtensions with wrong repo", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "wrong", GitHubOIDCIssuer)
-		require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/wrong, got https://github.com/owner/repo")
+	t.Run("with wrong SourceRepositoryURI", func(t *testing.T) {
+		expectedCriteria := c
+		expectedCriteria.Certificate.SourceRepositoryURI = "https://github.com/foo/wrong"
+		err := VerifyCertExtensions(results, expectedCriteria)
+		require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://github.com/foo/wrong, got https://github.com/owner/repo")
 	})
 
-	t.Run("VerifyCertExtensions with wrong issuer", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "", "wrong")
+	t.Run("with wrong OIDCIssuer", func(t *testing.T) {
+		expectedCriteria := c
+		expectedCriteria.Certificate.Issuer = "wrong"
+		err := VerifyCertExtensions(results, expectedCriteria)
 		require.ErrorContains(t, err, "expected Issuer to be wrong, got https://token.actions.githubusercontent.com")
 	})
-}
-
-func TestVerifyCertExtensionsCustomizedIssuer(t *testing.T) {
-	results := []*AttestationProcessingResult{
-		{
-			VerificationResult: &verify.VerificationResult{
-				Signature: &verify.SignatureVerificationResult{
-					Certificate: &certificate.Summary{
-						Extensions: certificate.Extensions{
-							SourceRepositoryOwnerURI: "https://github.com/owner",
-							SourceRepositoryURI:      "https://github.com/owner/repo",
-							Issuer:                   "https://token.actions.githubusercontent.com/foo-bar",
-						},
-					},
-				},
-			},
-		},
-	}
-
-	t.Run("VerifyCertExtensions with exact issuer match", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "owner/repo", "https://token.actions.githubusercontent.com/foo-bar")
-		require.NoError(t, err)
-	})
 
-	t.Run("VerifyCertExtensions with partial issuer match", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "owner/repo", "https://token.actions.githubusercontent.com")
+	t.Run("with partial OIDCIssuer match", func(t *testing.T) {
+		expectedResults := results
+		expectedResults[0].VerificationResult.Signature.Certificate.Extensions.Issuer = "https://token.actions.githubusercontent.com/foo-bar"
+		err := VerifyCertExtensions(expectedResults, c)
 		require.ErrorContains(t, err, "expected Issuer to be https://token.actions.githubusercontent.com, got https://token.actions.githubusercontent.com/foo-bar -- if you have a custom OIDC issuer")
 	})
-
-	t.Run("VerifyCertExtensions with wrong issuer", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "", "wrong")
-		require.ErrorContains(t, err, "expected Issuer to be wrong, got https://token.actions.githubusercontent.com/foo-bar")
-	})
-}
-
-func TestVerifyTenancyCertExtensions(t *testing.T) {
-	defaultIssuer := GitHubOIDCIssuer
-
-	results := []*AttestationProcessingResult{
-		{
-			VerificationResult: &verify.VerificationResult{
-				Signature: &verify.SignatureVerificationResult{
-					Certificate: &certificate.Summary{
-						Extensions: certificate.Extensions{
-							SourceRepositoryOwnerURI: "https://foo.ghe.com/owner",
-							SourceRepositoryURI:      "https://foo.ghe.com/owner/repo",
-							Issuer:                   "https://token.actions.foo.ghe.com",
-						},
-					},
-				},
-			},
-		},
-	}
-
-	t.Run("VerifyCertExtensions with owner and repo", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", defaultIssuer)
-		require.NoError(t, err)
-	})
-
-	t.Run("VerifyCertExtensions with owner and repo, no tenant", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "", "owner", "owner/repo", defaultIssuer)
-		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://github.com/owner, got https://foo.ghe.com/owner")
-	})
-
-	t.Run("VerifyCertExtensions with owner and repo, wrong tenant", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "bar", "owner", "owner/repo", defaultIssuer)
-		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://bar.ghe.com/owner, got https://foo.ghe.com/owner")
-	})
-
-	t.Run("VerifyCertExtensions with owner", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "owner", "", defaultIssuer)
-		require.NoError(t, err)
-	})
-
-	t.Run("VerifyCertExtensions with wrong owner", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "wrong", "", defaultIssuer)
-		require.ErrorContains(t, err, "expected SourceRepositoryOwnerURI to be https://foo.ghe.com/wrong, got https://foo.ghe.com/owner")
-	})
-
-	t.Run("VerifyCertExtensions with wrong repo", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "owner", "wrong", defaultIssuer)
-		require.ErrorContains(t, err, "expected SourceRepositoryURI to be https://foo.ghe.com/wrong, got https://foo.ghe.com/owner/repo")
-	})
-
-	t.Run("VerifyCertExtensions with correct, non-default issuer", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", "https://token.actions.foo.ghe.com")
-		require.NoError(t, err)
-	})
-
-	t.Run("VerifyCertExtensions with wrong issuer", func(t *testing.T) {
-		err := VerifyCertExtensions(results, "foo", "owner", "owner/repo", "wrong")
-		require.ErrorContains(t, err, "expected Issuer to be wrong, got https://token.actions.foo.ghe.com")
-	})
 }
@@ -2,12 +2,17 @@ package verification
 
 import (
 	"encoding/hex"
+	"fmt"
 
 	"github.com/cli/cli/v2/pkg/cmd/attestation/artifact"
 
+	"github.com/sigstore/sigstore-go/pkg/fulcio/certificate"
 	"github.com/sigstore/sigstore-go/pkg/verify"
 )
 
+// represents the GitHub hosted runner in the certificate RunnerEnvironment extension
+const GitHubRunner = "github-hosted"
+
 // BuildDigestPolicyOption builds a verify.ArtifactPolicyOption
 // from the given artifact digest and digest algorithm
 func BuildDigestPolicyOption(a artifact.DigestedArtifact) (verify.ArtifactPolicyOption, error) {
@@ -18,3 +23,29 @@ func BuildDigestPolicyOption(a artifact.DigestedArtifact) (verify.ArtifactPolicy
 	}
 	return verify.WithArtifactDigest(a.Algorithm(), decoded), nil
 }
+
+type EnforcementCriteria struct {
+	Certificate   certificate.Summary
+	PredicateType string
+	SANRegex      string
+	SAN           string
+}
+
+func (c EnforcementCriteria) Valid() error {
+	if c.Certificate.Issuer == "" {
+		return fmt.Errorf("Issuer must be set")
+	}
+	if c.Certificate.RunnerEnvironment != "" && c.Certificate.RunnerEnvironment != GitHubRunner {
+		return fmt.Errorf("RunnerEnvironment must be set to either \"\" or %s", GitHubRunner)
+	}
+	if c.Certificate.SourceRepositoryOwnerURI == "" {
+		return fmt.Errorf("SourceRepositoryOwnerURI must be set")
+	}
+	if c.PredicateType == "" {
+		return fmt.Errorf("PredicateType must be set")
+	}
+	if c.SANRegex == "" && c.SAN == "" {
+		return fmt.Errorf("SANRegex or SAN must be set")
+	}
+	return nil
+}