From fc2f809a2cb46acbe4cce759190fda2e84ef163b Mon Sep 17 00:00:00 2001
From: Matt Moore
Date: Tue, 21 May 2024 12:25:11 -0700
Subject: [PATCH] Switch yaml libraries to use json annotations
Signed-off-by: Matt Moore
---
 go.mod | 1 -
 go.sum | 2 --
 pkg/webhook/webhook.go | 2 +-
 pkg/webhook/webhook_test.go | 47 +++++++++++++++++++++++++++++++++++++
 4 files changed, 48 insertions(+), 4 deletions(-)
 create mode 100644 pkg/webhook/webhook_test.go
diff --git a/go.mod b/go.mod
index 7e4d6c2..c65fec4 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,6 @@ require (
 golang.org/x/oauth2 v0.19.0
 google.golang.org/api v0.174.0
 google.golang.org/grpc v1.63.2
- gopkg.in/yaml.v2 v2.4.0
 k8s.io/apimachinery v0.29.1
 sigs.k8s.io/yaml v1.4.0
 )
diff --git a/go.sum b/go.sum
index 06cb92d..4be6152 100644
--- a/go.sum
+++ b/go.sum
@@ -310,8 +310,6 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/pkg/webhook/webhook.go b/pkg/webhook/webhook.go
index 55aeef9..642bb25 100644
--- a/pkg/webhook/webhook.go
+++ b/pkg/webhook/webhook.go
@@ -19,8 +19,8 @@ import (
 "github.com/google/go-github/v58/github"
 "github.com/hashicorp/go-multierror"
 "github.com/octo-sts/app/pkg/octosts"
- "gopkg.in/yaml.v2"
 "k8s.io/apimachinery/pkg/util/sets"
+ "sigs.k8s.io/yaml"
 )
 
 const (
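Review bot: The import swap to `"sigs.k8s.io/yaml"` in pkg/webhook/webhook.go changes decoding semantics for every `yaml.` call in the file, and none of those call sites are inside the hunk, so the behaviour change is invisible at the point of use. sigs.k8s.io/yaml converts YAML to JSON and decodes with encoding/json, which means fields are bound through `json` struct tags and key matching is case-insensitive; a field tagged only with `yaml:"..."` would fall back to its Go field name. Because this package presumably decodes trust policies here, confirm the decoded types carry `json` tags and that the calls stay on `UnmarshalStrict` rather than `Unmarshal`. I would also document it at the import, e.g. `// sigs.k8s.io/yaml decodes via encoding/json: json tags apply and keys match case-insensitively.`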
diff --git a/pkg/webhook/webhook_test.go b/pkg/webhook/webhook_test.go
new file mode 100644
index 0000000..bdece72
--- /dev/null
+++ b/pkg/webhook/webhook_test.go
@@ -0,0 +1,47 @@
+// Copyright 2024 Chainguard, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package webhook
+
+import (
+ "testing"
+
+ "github.com/octo-sts/app/pkg/octosts"
+ "sigs.k8s.io/yaml"
+)
+
+func TestYAMLUnmarshalStrict(t *testing.T) {
+ const orgPolicy = `
+issuer: https://issuer.enforce.dev
+subject: 9e8b549b441afc4f082e9dccb5d1eeda843af975
+claim_pattern:
+ email: .*
+
+permissions:
+ metadata: read
+ administration: read
+
+repositories: [] # Act over all of the repos in the org.
+`
+ const repoPolicy = `
+issuer: https://issuer.enforce.dev
+subject: 9e8b549b441afc4f082e9dccb5d1eeda843af975
+claim_pattern:
+ email: .*
+
+permissions:
+ metadata: read
+ administration: read
+`
+ if err := yaml.UnmarshalStrict([]byte(orgPolicy), &octosts.OrgTrustPolicy{}); err != nil {
+ t.Error(err)
+ }
+
+ tp := &octosts.TrustPolicy{}
+ if err := yaml.UnmarshalStrict([]byte(orgPolicy), tp); err == nil {
+ t.Errorf("Wanted error, got: %v", tp)
+ }
+ if err := yaml.UnmarshalStrict([]byte(repoPolicy), &octosts.TrustPolicy{}); err != nil {
+ t.Error(err)
+ }
+}
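Review bot: The negative case in TestYAMLUnmarshalStrict passes on any error, so it does not prove that `orgPolicy` is rejected because of the `repositories` key, which is presumably the field TrustPolicy does not define. Tighten it by also checking the message, e.g. `} else if !strings.Contains(err.Error(), "repositories") { t.Errorf("unexpected error: %v", err) }` (needs the `strings` import). The test also leaves out a policy with a duplicated key and one with a differently-cased key such as `Issuer:`; the json-based decoder matches keys case-insensitively, so a case for each would pin what a trust policy is allowed to look like. A short doc comment on the function would help too, e.g. `// TestYAMLUnmarshalStrict checks that unknown fields are rejected when decoding trust policies.`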