Merge branch 'main' into naveen/attest/github

in-toto · Jan 18, 2024 · d71ac76 · d71ac76
2 parents 7d9cf3b + 0b28c0f
commit d71ac76
Show file tree

Hide file tree

Showing 6 changed files with 87 additions and 24 deletions.
diff --git a/attestation/maven/maven.go b/attestation/maven/maven.go
@@ -24,12 +24,14 @@ import (
 	"github.com/in-toto/go-witness/attestation"
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/go-witness/log"
+	"github.com/in-toto/go-witness/registry"
 )
 
 const (
-	Name    = "maven"
-	Type    = "https://witness.dev/attestations/maven/v0.1"
-	RunType = attestation.PreMaterialRunType
+	Name           = "maven"
+	Type           = "https://witness.dev/attestations/maven/v0.1"
+	RunType        = attestation.PreMaterialRunType
+	defaultPomPath = "pom.xml"
 )
 
 // This is a hacky way to create a compile time error in case the attestor
@@ -42,7 +44,22 @@ var (
 func init() {
 	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
 		return New()
-	})
+	},
+		registry.StringConfigOption(
+			"pom-path",
+			fmt.Sprintf("The path to the Project Object Model (POM) XML file used for task being attested (default \"%s\").", defaultPomPath),
+			defaultPomPath,
+			func(a attestation.Attestor, pomPath string) (attestation.Attestor, error) {
+				mavAttestor, ok := a.(*Attestor)
+				if !ok {
+					return a, fmt.Errorf("unexpected attestor type: %T is not a maven attestor", a)
+				}
+
+				WithPom(pomPath)(mavAttestor)
+				return mavAttestor, nil
+			},
+		),
+	)
 }
 
 type Attestor struct {
@@ -73,7 +90,7 @@ func WithPom(path string) Option {
 
 func New(opts ...Option) *Attestor {
 	attestor := &Attestor{
-		pomPath: "pom.xml",
+		pomPath: defaultPomPath,
 	}
 
 	for _, opt := range opts {

diff --git a/attestation/maven/maven_test.go b/attestation/maven/maven_test.go
@@ -20,13 +20,12 @@ import (
 	"testing"
 
 	"github.com/in-toto/go-witness/attestation"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
-func writeTempPomXml(t *testing.T) (string, error) {
+func writeTempPomXml(t *testing.T, path string) (string, error) {
 	tmpDir := t.TempDir()
-	pomPath := filepath.Join(tmpDir, "pom.xml")
+	pomPath := filepath.Join(tmpDir, path)
 	file, err := os.Create(pomPath)
 	if err != nil {
 		return "", err
@@ -41,13 +40,39 @@ func writeTempPomXml(t *testing.T) (string, error) {
 }
 
 func TestMaven(t *testing.T) {
-	pomPath, err := writeTempPomXml(t)
-	require.NoError(t, err)
-	attestor := New(WithPom(pomPath))
-	ctx, err := attestation.NewContext([]attestation.Attestor{attestor})
-	require.NoError(t, err)
-	err = attestor.Attest(ctx)
-	assert.NoError(t, err)
+	workingDir := t.TempDir()
+
+	tests := []struct {
+		name    string
+		pomPath string
+	}{
+		{"no pom specified", ""},
+		{"regular pom with custom name", "custom-pom.xml"},
+		{"effective pom", "effective-pom.xml"},
+	}
+
+	for _, test := range tests {
+		var p string
+		var err error
+		if test.pomPath != "" {
+			p, err = writeTempPomXml(t, test.pomPath)
+			if err != nil {
+				t.Fatal(err)
+			}
+		} else {
+			p, err = writeTempPomXml(t, "pom.xml")
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+
+		t.Run(test.name, func(t *testing.T) {
+			ctx, err := attestation.NewContext([]attestation.Attestor{}, attestation.WithWorkingDir(workingDir))
+			require.NoError(t, err)
+			a := New(WithPom(p))
+			require.NoError(t, a.Attest(ctx))
+		})
+	}
 }
 
 const testPomXml = `<?xml version="1.0" encoding="UTF-8"?>

diff --git a/dsse/dsse.go b/dsse/dsse.go
@@ -32,11 +32,11 @@ func (e ErrNoMatchingSigs) Error() string {
 
 type ErrThresholdNotMet struct {
 	Theshold int
-	Acutal   int
+	Actual   int
 }
 
 func (e ErrThresholdNotMet) Error() string {
-	return fmt.Sprintf("envelope did not meet verifier threshold. expected %v valid verifiers but got %v", e.Theshold, e.Acutal)
+	return fmt.Sprintf("envelope did not meet verifier threshold. expected %v valid verifiers but got %v", e.Theshold, e.Actual)
 }
 
 type ErrInvalidThreshold int

diff --git a/dsse/dsse_test.go b/dsse/dsse_test.go
@@ -217,7 +217,7 @@ func TestThreshold(t *testing.T) {
 	assert.ElementsMatch(t, approvedVerifiers, expectedVerifiers)
 
 	approvedVerifiers, err = env.Verify(VerifyWithVerifiers(verifiers...), VerifyWithThreshold(10))
-	require.ErrorIs(t, err, ErrThresholdNotMet{Acutal: 5, Theshold: 10})
+	require.ErrorIs(t, err, ErrThresholdNotMet{Actual: 5, Theshold: 10})
 	assert.ElementsMatch(t, approvedVerifiers, expectedVerifiers)
 
 	_, err = env.Verify(VerifyWithVerifiers(verifiers...), VerifyWithThreshold(-10))

diff --git a/dsse/verify.go b/dsse/verify.go
@@ -22,6 +22,7 @@ import (
 	"time"
 
 	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/log"
 )
 
 type TimestampVerifier interface {
@@ -115,6 +116,8 @@ func (e Envelope) Verify(opts ...VerificationOption) ([]PassedVerifier, error) {
 				if verifier, err := verifyX509Time(cert, sigIntermediates, options.roots, pae, sig.Signature, time.Now()); err == nil {
 					matchingSigFound = true
 					passedVerifiers = append(passedVerifiers, PassedVerifier{Verifier: verifier})
+				} else {
+					log.Debugf("failed to verify with timestamp verifier: %w", err)
 				}
 			} else {
 				var passedVerifier cryptoutil.Verifier
@@ -130,7 +133,10 @@ func (e Envelope) Verify(opts ...VerificationOption) ([]PassedVerifier, error) {
 						if verifier, err := verifyX509Time(cert, sigIntermediates, options.roots, pae, sig.Signature, timestamp); err == nil {
 							passedVerifier = verifier
 							passedTimestampVerifiers = append(passedTimestampVerifiers, timestampVerifier)
+						} else {
+							log.Debugf("failed to verify with timestamp verifier: %w", err)
 						}
+
 					}
 				}
 
@@ -159,7 +165,7 @@ func (e Envelope) Verify(opts ...VerificationOption) ([]PassedVerifier, error) {
 	}
 
 	if len(passedVerifiers) < options.threshold {
-		return passedVerifiers, ErrThresholdNotMet{Theshold: options.threshold, Acutal: len(passedVerifiers)}
+		return passedVerifiers, ErrThresholdNotMet{Theshold: options.threshold, Actual: len(passedVerifiers)}
 	}
 
 	return passedVerifiers, nil

diff --git a/verify.go b/verify.go
@@ -40,10 +40,13 @@ func VerifySignature(r io.Reader, verifiers ...cryptoutil.Verifier) (dsse.Envelo
 }
 
 type verifyOptions struct {
-	policyEnvelope   dsse.Envelope
-	policyVerifiers  []cryptoutil.Verifier
-	collectionSource source.Sourcer
-	subjectDigests   []string
+	policyTimestampAuthorities []dsse.TimestampVerifier
+	policyCARoots              []*x509.Certificate
+	policyCAIntermediates      []*x509.Certificate
+	policyEnvelope             dsse.Envelope
+	policyVerifiers            []cryptoutil.Verifier
+	collectionSource           source.Sourcer
+	subjectDigests             []string
 }
 
 type VerifyOption func(*verifyOptions)
@@ -64,6 +67,18 @@ func VerifyWithCollectionSource(source source.Sourcer) VerifyOption {
 	}
 }
 
+func VerifyWithPolicyTimestampAuthorities(authorities []dsse.TimestampVerifier) VerifyOption {
+	return func(vo *verifyOptions) {
+		vo.policyTimestampAuthorities = authorities
+	}
+}
+
+func VerifyWithPolicyCARoots(roots []*x509.Certificate) VerifyOption {
+	return func(vo *verifyOptions) {
+		vo.policyCARoots = roots
+	}
+}
+
 // Verify verifies a set of attestations against a provided policy. The set of attestations that satisfy the policy will be returned
 // if verifiation is successful.
 func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers []cryptoutil.Verifier, opts ...VerifyOption) (map[string][]source.VerifiedCollection, error) {
@@ -76,7 +91,7 @@ func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers [
 		opt(&vo)
 	}
 
-	if _, err := vo.policyEnvelope.Verify(dsse.VerifyWithVerifiers(vo.policyVerifiers...)); err != nil {
+	if _, err := vo.policyEnvelope.Verify(dsse.VerifyWithVerifiers(vo.policyVerifiers...), dsse.VerifyWithTimestampVerifiers(vo.policyTimestampAuthorities...), dsse.VerifyWithRoots(vo.policyCARoots...), dsse.VerifyWithIntermediates(vo.policyCAIntermediates...)); err != nil {
 		return nil, fmt.Errorf("could not verify policy: %w", err)
 	}