From ec4f58ae2cfb57b04058d8e00c3a4900a03a83b8 Mon Sep 17 00:00:00 2001
From: John Kjell
Date: Fri, 19 Apr 2024 09:49:43 -0500
Subject: [PATCH] Try to gracefully handle gitlab jwt

Signed-off-by: John Kjell
---
 attestation/gitlab/gitlab.go | 6 ++++--
 attestation/slsa/slsa.go | 19 ++++++++++++++++++-
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/attestation/gitlab/gitlab.go b/attestation/gitlab/gitlab.go
index 133a4223..f4be947b 100644
--- a/attestation/gitlab/gitlab.go
+++ b/attestation/gitlab/gitlab.go
@@ -107,13 +107,15 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 }
 
 a.CIServerUrl = os.Getenv("CI_SERVER_URL")
- jwksUrl := fmt.Sprintf("%s/-/jwks", a.CIServerUrl)
- jwtString := os.Getenv("CI_JOB_JWT")
+ jwksUrl := fmt.Sprintf("%s/oauth/discovery/keys", a.CIServerUrl)
+ jwtString := os.Getenv("ID_TOKEN")
 if jwtString != "" {
 a.JWT = jwt.New(jwt.WithToken(jwtString), jwt.WithJWKSUrl(jwksUrl))
 if err := a.JWT.Attest(ctx); err != nil {
 return err
 }
+ } else {
+ log.Warn("(attestation/gitlab) no jwt token found in environment")
 }
 
 a.CIConfigPath = os.Getenv("CI_CONFIG_PATH")
diff --git a/attestation/slsa/slsa.go b/attestation/slsa/slsa.go
index 2ad8a9c2..e3563ddd 100644
--- a/attestation/slsa/slsa.go
+++ b/attestation/slsa/slsa.go
@@ -152,6 +152,12 @@ func (p *Provenance) Attest(ctx *attestation.AttestationContext) error {
 p.PbProvenance.RunDetails.Builder.Id = GHABuilderId
 p.PbProvenance.RunDetails.Metadata.InvocationId = gh.Data().PipelineUrl
 digest := make(map[string]string)
+
+ if gh.Data().JWT == nil {
+ log.Warn("No JWT found in GitHub attestor")
+ continue
+ }
+
 digest["sha1"] = gh.Data().JWT.Claims["sha"].(string)
 
 case gitlab.Name:
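Review bot: The key set the ID token is verified against is now located solely from `CI_SERVER_URL`, and nothing in the hunk rejects an empty or unexpected value, so an unset variable yields the relative URL `/oauth/discovery/keys` and a mis-set one makes the token be checked against whatever JWKS that host serves. Inside the `if jwtString != ""` branch add `if a.CIServerUrl == "" { return fmt.Errorf("CI_SERVER_URL is required to verify the GitLab ID token") }`, and, unless `jwt.Attest` already does it (not visible here), compare the token's `iss` claim with `a.CIServerUrl` so the issuer and the key source agree. `ID_TOKEN` is the name a pipeline assigns under `id_tokens:` in `.gitlab-ci.yml` rather than a variable GitLab sets on its own, so a comment above the `os.Getenv("ID_TOKEN")` line such as `// ID_TOKEN must be declared under id_tokens: in .gitlab-ci.yml; it replaces the older CI_JOB_JWT` would make that contract explicit. The `else` branch means an attestation is still produced with no verified identity, which is fine as a best-effort default but deserves a comment saying so. The Attest method begins before this hunk.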
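Review bot: The GitHub branch still performs an unchecked type assertion in `gh.Data().JWT.Claims["sha"].(string)` on the last added line, so a token whose `sha` claim is absent or not a string panics the attestor, while the GitLab branch in the same patch guards exactly that case. Replace it with `sha, ok := gh.Data().JWT.Claims["sha"].(string)` / `if !ok { log.Warn("No SHA found in GitHub JWT"); continue }` / `digest["sha1"] = sha`. The new `continue` runs after `Builder.Id` and `InvocationId` have already been written, so the provenance carries a builder identity with no source digest; if that is intended, a comment like `// builder identity is recorded even without a verified token; the source digest is omitted` would document it. Within the hunk nothing reads `digest` after it is filled, so it is worth confirming the code after the switch consumes it, otherwise the SHA never reaches the provenance. The enclosing switch and Attest method extend outside the hunk.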
@@ -159,7 +165,18 @@ func (p *Provenance) Attest(ctx *attestation.AttestationContext) error {
 p.PbProvenance.RunDetails.Builder.Id = GLCBuilderId
 p.PbProvenance.RunDetails.Metadata.InvocationId = gl.Data().PipelineUrl
 digest := make(map[string]string)
- digest["sha1"] = gl.Data().JWT.Claims["sha"].(string)
+
+ if gl.Data().JWT == nil {
+ log.Warn("No JWT found in GitLab attestor")
+ continue
+ }
+
+ sha, found := gl.Data().JWT.Claims["sha"]
+ if found {
+ digest["sha1"] = sha.(string)
+ } else {
+ log.Warn("No SHA found in GitLab JWT")
+ }
 
 // Material Attestors
 case material.Name:
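Review bot: `sha.(string)` inside the `if found` branch is still an unchecked assertion, so the new guard covers a missing claim but not one of another type, which panics just as the removed line did; fold the lookup and the assertion together, `sha, ok := gl.Data().JWT.Claims["sha"].(string)` / `if !ok { log.Warn("No SHA found in GitLab JWT") } else { digest["sha1"] = sha }`. When the claim is missing the branch now logs and carries on with an empty `digest`, and nothing in the hunk reads `digest` afterwards; if the surrounding code does consume it, an empty map quietly yields a provenance with no source digest, the same posture as having no token at all, so consider recording that outcome explicitly rather than only warning. A short comment above the lookup, e.g. `// GitLab ID tokens carry the pipeline commit in the sha claim; missing or malformed means no source digest`, would state the expectation being checked. The enclosing switch and Attest method extend outside the hunk.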