feat: adding git remotes to subjects and normalising url

Signed-off-by: chaosinthecrd <[email protected]>

attestation/git/git.go

@@ -17,6 +17,7 @@ package git
 import (
 	"crypto"
 	"fmt"
+	"path"
 	"strings"
 	"time"
 
@@ -25,7 +26,9 @@ import (
 	"github.com/go-git/go-git/v5/plumbing/object"
 	"github.com/in-toto/go-witness/attestation"
 	"github.com/in-toto/go-witness/cryptoutil"
+	"github.com/in-toto/go-witness/log"
 	"github.com/invopop/jsonschema"
+	giturl "github.com/whilp/git-urls"
 )
 
 const (
@@ -156,7 +159,14 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	}
 
 	for _, remote := range remotes {
-		a.Remotes = append(a.Remotes, remote.Config().URLs...)
+		for _, u := range remote.Config().URLs {
+			nu, err := normaliseRemoteURL(u)
+			if err != nil {
+				log.Debug(err.Error())
+			}
+
+			a.Remotes = append(a.Remotes, nu)
+		}
 	}
 
 	refs, err := repo.References()
@@ -326,6 +336,16 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 		subjects[subjectName] = ds
 	}
 
+	// add remotes
+	for _, remote := range a.Remotes {
+		subjectName = fmt.Sprintf("remote:%v", remote)
+		ds, err = cryptoutil.CalculateDigestSetFromBytes([]byte(remote), hashes)
+		if err != nil {
+			return nil
+		}
+		subjects[subjectName] = ds
+	}
+
 	// add refname short
 	subjectName = fmt.Sprintf("refnameshort:%v", a.RefNameShort)
 	ds, err = cryptoutil.CalculateDigestSetFromBytes([]byte(a.RefNameShort), hashes)
@@ -371,3 +391,16 @@ func statusCodeString(statusCode git.StatusCode) string {
 		return string(statusCode)
 	}
 }
+
+func normaliseRemoteURL(url string) (string, error) {
+	rurl, err := giturl.Parse(url)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse remote url: %w", err)
+	}
+
+	if strings.HasSuffix(rurl.Path, ".git") {
+		rurl.Path = strings.TrimSuffix(rurl.Path, ".git")
+	}
+
+	return path.Join(rurl.Host, rurl.Path), nil
+}

attestation/git/git_test.go

@@ -43,6 +43,25 @@ func TestNameTypeRunType(t *testing.T) {
 	require.Equal(t, RunType, attestor.RunType(), "Expected the attestor's run type")
 }
 
+func TestNormaliseRemotes(t *testing.T) {
+	remotes := []string{
+		"github.com/in-toto/go-witness",
+		"github.com/in-toto/go-witness.git",
+		"https://github.com/in-toto/go-witness",
+		"https://github.com/in-toto/go-witness.git",
+		"[email protected]:in-toto/go-witness",
+		"[email protected]:in-toto/go-witness.git",
+	}
+
+	for _, r := range remotes {
+		nr, err := normaliseRemoteURL(r)
+		require.NoError(t, err, "Expected no error from normaliseRemoteURL")
+
+		require.Equal(t, "github.com/in-toto/go-witness", nr, "normalising failed for %s. Expected 'github.com/in-toto/go-witness', got %s", r, nr)
+	}
+
+}
+
 func TestRunWorksWithCommits(t *testing.T) {
 	attestor := New()
 

go.mod

@@ -103,6 +103,7 @@ require (
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
+	github.com/whilp/git-urls v1.0.0 // indirect
 	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
 	github.com/zclconf/go-cty v1.14.4 // indirect
 	go.opencensus.io v0.24.0 // indirect

go.sum

@@ -341,6 +341,8 @@ github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
+github.com/whilp/git-urls v1.0.0 h1:95f6UMWN5FKW71ECsXRUd3FVYiXdrE7aX4NZKcPmIjU=
+github.com/whilp/git-urls v1.0.0/go.mod h1:J16SAmobsqc3Qcy98brfl5f5+e0clUvg1krgwk/qCfE=
 github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
 github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=