From bf2c31b669a5e9643147dd86a92504e8b5f7edea Mon Sep 17 00:00:00 2001
From: Kris Coleman
Date: Wed, 5 Jun 2024 17:02:16 -0400
Subject: [PATCH 1/2] feat: add git refs to go witness git attestor

this enables witness to track git refs

Co-authored-by: Nick Kane
Signed-off-by: Kris Coleman
---
 attestation/git/git.go | 10 ++++++++++
 go.mod | 1 +
 go.sum | 4 ++--
 schemagen/gcp-iit.json | 14 +++++++++++++-
 schemagen/git.json | 3 +++
 schemagen/github.json | 14 +++++++++++++-
 schemagen/gitlab.json | 14 +++++++++++++-
 schemagen/jwt.json | 14 +++++++++++++-
 schemagen/verify.sh | 2 +-
 9 files changed, 69 insertions(+), 7 deletions(-)

diff --git a/attestation/git/git.go b/attestation/git/git.go
index 68a0c564..7f41d5b7 100644
--- a/attestation/git/git.go
+++ b/attestation/git/git.go
@@ -94,6 +94,7 @@ type Attestor struct {
 Refs []string `json:"refs,omitempty"`
 Remotes []string `json:"remotes,omitempty"`
 Tags []Tag `json:"tags,omitempty"`
+ RefNameShort string `json:"branch,omitempty"`
 }
 
 func New() *Attestor {
@@ -184,6 +185,7 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 a.CommitDate = commit.Author.When.String()
 a.CommitMessage = commit.Message
 a.Signature = commit.PGPSignature
+ a.RefNameShort = head.Name().Short()
 
 for _, parent := range commit.ParentHashes {
 a.ParentHashes = append(a.ParentHashes, parent.String())
@@ -289,6 +291,14 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 subjects[subjectName] = ds
 }
 
+ // add refname short
+ subjectName = fmt.Sprintf("refnameshort:%v", a.RefNameShort)
+ ds, err = cryptoutil.CalculateDigestSetFromBytes([]byte(a.RefNameShort), hashes)
+ if err != nil {
+ return nil
+ }
+ subjects[subjectName] = ds
+
 return subjects
 }
 
diff --git a/go.mod b/go.mod
index a7053b1d..e1216bae 100644
--- a/go.mod
+++ b/go.mod
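Review bot: `RefNameShort` is serialized under the JSON key `branch`, but the value assigned to it in Attest is `head.Name().Short()`, which is not restricted to branches — on a detached checkout the short name is `HEAD` — and the subject added in Subjects() labels the same value `refnameshort:`, so the struct field, the JSON key and the subject prefix now disagree on what this is. Consumers writing policy against the attestation will read `branch` at face value. Either use one name at all three sites or make the caveat explicit on the field: `// RefNameShort is the short name of the ref HEAD pointed to when the attestation ran (e.g. "main"); it is "HEAD" for a detached checkout, so the "branch" JSON key is a best-effort label.` The Attestor struct starts outside the hunk.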
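Review bot: `a.RefNameShort = head.Name().Short()` records the literal string `HEAD` when the repository is checked out at a commit rather than a branch, which is the usual state on CI runners that check out a SHA; the `branch` field then claims a branch named HEAD instead of being dropped by `omitempty`, and every such attestation carries an identical `refnameshort:HEAD` subject. Assuming `head` is the reference returned by `repo.Head()` earlier in Attest (outside the hunk), gating on the reference kind keeps the field honest: `if head.Name().IsBranch() { a.RefNameShort = head.Name().Short() }`. Attest's body starts and ends outside the hunk.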
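Review bot: The new `refnameshort:` subject is added unconditionally, so when `a.RefNameShort` is empty Subjects() still emits a subject named exactly `refnameshort:` whose digest is that of zero bytes, which is noise for any policy or verifier that enumerates subjects by prefix. Wrapping the added block in `if a.RefNameShort != "" { … }` keeps the subject set limited to values that were actually observed. The `return nil` on the digest error follows the pattern of the block above it, but it discards every subject collected so far rather than just this one, so a failure here silently empties the subject set; that deserves at least a comment, e.g. `// a digest failure on any subject drops the whole set, matching the blocks above`. Subjects() starts outside the hunk.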
@@ -77,6 +77,7 @@ require (
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
 github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
+ github.com/klauspost/compress v1.17.6 // indirect
 github.com/letsencrypt/boulder v0.0.0-20240226214708-a97e074b5a3e // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
diff --git a/go.sum b/go.sum
index df2a380c..852f51a1 100644
--- a/go.sum
+++ b/go.sum
@@ -225,8 +225,8 @@ github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
-github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
+github.com/klauspost/compress v1.17.6 h1:60eq2E/jlfwQXtvZEeBUYADs+BwKBWURIY+Gj2eRGjI=
+github.com/klauspost/compress v1.17.6/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
diff --git a/schemagen/gcp-iit.json b/schemagen/gcp-iit.json
index 324210c1..db9f8668 100644
--- a/schemagen/gcp-iit.json
+++ b/schemagen/gcp-iit.json
@@ -243,6 +243,12 @@
 "$ref": "#/$defs/ObjectIdentifier"
 },
 "type": "array"
+ },
+ "Policies": {
+ "items": {
+ "$ref": "#/$defs/OID"
+ },
+ "type": "array"
 }
 },
 "additionalProperties": false,
@@ -291,7 +297,8 @@
 "PermittedURIDomains",
 "ExcludedURIDomains",
 "CRLDistributionPoints",
- "PolicyIdentifiers"
+ "PolicyIdentifiers",
+ "Policies"
 ]
 },
 "Extension": {
@@ -464,6 +471,11 @@
 "ExtraNames"
 ]
 },
+ "OID": {
+ "properties": {},
+ "additionalProperties": false,
+ "type": "object"
+ },
 "ObjectIdentifier": {
 "items": {
 "type": "integer"
diff --git a/schemagen/git.json b/schemagen/git.json
index 49b89a6c..be8aa016 100644
--- a/schemagen/git.json
+++ b/schemagen/git.json
@@ -63,6 +63,9 @@
 "$ref": "#/$defs/Tag"
 },
 "type": "array"
+ },
+ "branch": {
+ "type": "string"
 }
 },
 "additionalProperties": false,
diff --git a/schemagen/github.json b/schemagen/github.json
index e95b314f..3bf34ee8 100644
--- a/schemagen/github.json
+++ b/schemagen/github.json
@@ -243,6 +243,12 @@
 "$ref": "#/$defs/ObjectIdentifier"
 },
 "type": "array"
+ },
+ "Policies": {
+ "items": {
+ "$ref": "#/$defs/OID"
+ },
+ "type": "array"
 }
 },
 "additionalProperties": false,
@@ -291,7 +297,8 @@
 "PermittedURIDomains",
 "ExcludedURIDomains",
 "CRLDistributionPoints",
- "PolicyIdentifiers"
+ "PolicyIdentifiers",
+ "Policies"
 ]
 },
 "Extension": {
@@ -464,6 +471,11 @@
 "ExtraNames"
 ]
 },
+ "OID": {
+ "properties": {},
+ "additionalProperties": false,
+ "type": "object"
+ },
 "ObjectIdentifier": {
 "items": {
 "type": "integer"
diff --git a/schemagen/gitlab.json b/schemagen/gitlab.json
index d46cea95..1065b4a8 100644
--- a/schemagen/gitlab.json
+++ b/schemagen/gitlab.json
@@ -243,6 +243,12 @@
 "$ref": "#/$defs/ObjectIdentifier"
 },
 "type": "array"
+ },
+ "Policies": {
+ "items": {
+ "$ref": "#/$defs/OID"
+ },
+ "type": "array"
 }
 },
 "additionalProperties": false,
@@ -291,7 +297,8 @@
 "PermittedURIDomains",
 "ExcludedURIDomains",
 "CRLDistributionPoints",
- "PolicyIdentifiers"
+ "PolicyIdentifiers",
+ "Policies"
 ]
 },
 "Extension": {
@@ -464,6 +471,11 @@
 "ExtraNames"
 ]
 },
+ "OID": {
+ "properties": {},
+ "additionalProperties": false,
+ "type": "object"
+ },
 "ObjectIdentifier": {
 "items": {
 "type": "integer"
diff --git a/schemagen/jwt.json b/schemagen/jwt.json
index 9d72efc6..4dce7db0 100644
--- a/schemagen/jwt.json
+++ b/schemagen/jwt.json
@@ -237,6 +237,12 @@
 "$ref": "#/$defs/ObjectIdentifier"
 },
 "type": "array"
+ },
+ "Policies": {
+ "items": {
+ "$ref": "#/$defs/OID"
+ },
+ "type": "array"
 }
 },
 "additionalProperties": false,
@@ -285,7 +291,8 @@
 "PermittedURIDomains",
 "ExcludedURIDomains",
 "CRLDistributionPoints",
- "PolicyIdentifiers"
+ "PolicyIdentifiers",
+ "Policies"
 ]
 },
 "Extension": {
@@ -458,6 +465,11 @@
 "ExtraNames"
 ]
 },
+ "OID": {
+ "properties": {},
+ "additionalProperties": false,
+ "type": "object"
+ },
 "ObjectIdentifier": {
 "items": {
 "type": "integer"
diff --git a/schemagen/verify.sh b/schemagen/verify.sh
index 9269ef30..cf2b02e7 100755
--- a/schemagen/verify.sh
+++ b/schemagen/verify.sh
@@ -22,7 +22,7 @@ tmpdir2=$(mktemp -d)
 cp ./schemagen/*.json "$tmpdir2/"
 go run ./schemagen --dir "$tmpdir"
 echo "###########################################"
-echo "If diffs are found, run: make docgen"
+echo "If diffs are found, run: make schema"
 echo "###########################################"
 diff -Nau "$tmpdir" "$tmpdir2"
 rm -rf "$tmpdir" "$tmpdir2"

From 4523c25d56ccf76c50ce50b3c9e8456870017382 Mon Sep 17 00:00:00 2001
From: Kris Coleman
Date: Wed, 5 Jun 2024 17:02:41 -0400
Subject: [PATCH 2/2] fix: updates for verify-schemagen.yaml for go 1.22.x and consistency

Signed-off-by: Kris Coleman
---
 .github/workflows/verify-schemagen.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/verify-schemagen.yaml b/.github/workflows/verify-schemagen.yaml
index dcda98ab..c0d94af5 100644
--- a/.github/workflows/verify-schemagen.yaml
+++ b/.github/workflows/verify-schemagen.yaml
@@ -8,13 +8,13 @@ permissions:
 contents: read
 
 jobs:
- docgen:
- name: Verify Docgen
+ verify-schema:
+ name: Verify Schema
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
 with:
- go-version: "1.21.x"
+ go-version: "1.22.x"
 - run: ./schemagen/verify.sh
 