Add Source Level 4 support (#168)

* Add Source Level 4 support

Now supports Source Level 4 if a review control is enabled.

If the user specifies L4 then they must have a review control
enabled in GH.  They _do not_ need to have the ReviewEnforced
field in their policy eneabled.

If the user doesn't specify ReviewEnforced in their policy
then REVIEW_ENFORCED won't show up in the VSA, just L4. But,
if they have L4 and ReviewEnforced then they'll get _both_
SLSA_SOURCE_LEVEL_4 _and_ REVIEW_ENFORCED.

Signed-off-by: Tom Hennen <tomhennen@google.com>

* add missing tests

Signed-off-by: Tom Hennen <tomhennen@google.com>

---------

Signed-off-by: Tom Hennen <tomhennen@google.com>

Author: TomHennen

sourcetool/pkg/policy/policy.go

@@ -129,11 +129,14 @@ func getLocalPolicy(path string) (*RepoPolicy, string, error) {
 	return &p, path, nil
 }
 
-func (pe PolicyEvaluator) getPolicy(ctx context.Context, gh_connection *gh_control.GitHubConnection) (*RepoPolicy, string, error) {
+func (pe PolicyEvaluator) getPolicy(ctx context.Context, gh_connection *gh_control.GitHubConnection) (policy *RepoPolicy, path string, err error) {
 	if pe.UseLocalPolicy == "" {
-		return getRemotePolicy(ctx, gh_connection)
+		policy, path, err = getRemotePolicy(ctx, gh_connection)
+	} else {
+		policy, path, err = getLocalPolicy(pe.UseLocalPolicy)
 	}
-	return getLocalPolicy(pe.UseLocalPolicy)
+
+	return policy, path, err
 }
 
 // Check to see if the local directory is a clean clone or not
@@ -247,10 +250,15 @@ func CreateLocalPolicy(ctx context.Context, gh_connection *gh_control.GitHubConn
 func computeEligibleSlsaLevel(controls slsa_types.Controls) (slsa_types.SlsaSourceLevel, string) {
 	continuityControl := controls.GetControl(slsa_types.ContinuityEnforced)
 	provControl := controls.GetControl(slsa_types.ProvenanceAvailable)
+	reviewControl := controls.GetControl(slsa_types.ReviewEnforced)
+
+	if continuityControl != nil && provControl != nil && reviewControl != nil {
+		return slsa_types.SlsaSourceLevel4, "continuity and review are enabled and provenance is available"
+	}
 
 	if continuityControl != nil && provControl != nil {
 		// Both continuity and prov means it can get level 3
-		return slsa_types.SlsaSourceLevel3, "continuity is enable and provenance is available"
+		return slsa_types.SlsaSourceLevel3, "continuity is enabled and provenance is available"
 	}
 
 	if continuityControl != nil {
@@ -269,6 +277,16 @@ func computeEligibleSlsaLevel(controls slsa_types.Controls) (slsa_types.SlsaSour
 func computeEligibleSince(controls slsa_types.Controls, level slsa_types.SlsaSourceLevel) (*time.Time, error) {
 	continuityControl := controls.GetControl(slsa_types.ContinuityEnforced)
 	provControl := controls.GetControl(slsa_types.ProvenanceAvailable)
+	reviewControl := controls.GetControl(slsa_types.ReviewEnforced)
+
+	if level == slsa_types.SlsaSourceLevel4 {
+		if continuityControl != nil && provControl != nil && reviewControl != nil {
+			t := slsa_types.LaterTime(continuityControl.Since, provControl.Since)
+			t = slsa_types.LaterTime(t, reviewControl.Since)
+			return &t, nil
+		}
+		return nil, nil
+	}
 
 	if level == slsa_types.SlsaSourceLevel3 {
 		if continuityControl != nil && provControl != nil {

sourcetool/pkg/policy/policy_test.go

@@ -567,18 +567,25 @@ const (
 func TestComputeEligibleSlsaLevel(t *testing.T) {
 	continuityEnforcedControl := slsa_types.Control{Name: slsa_types.ContinuityEnforced, Since: fixedTime}
 	provenanceAvailableControl := slsa_types.Control{Name: slsa_types.ProvenanceAvailable, Since: fixedTime}
+	reviewEnforcedControl := slsa_types.Control{Name: slsa_types.ReviewEnforced, Since: fixedTime}
 
 	tests := []struct {
 		name           string
 		controls       slsa_types.Controls
 		expectedLevel  slsa_types.SlsaSourceLevel
 		expectedReason string
 	}{
+		{
+			name:           "SLSA Level 4",
+			controls:       slsa_types.Controls{continuityEnforcedControl, provenanceAvailableControl, reviewEnforcedControl},
+			expectedLevel:  slsa_types.SlsaSourceLevel4,
+			expectedReason: "continuity and review are enabled and provenance is available",
+		},
 		{
 			name:           "SLSA Level 3",
 			controls:       slsa_types.Controls{continuityEnforcedControl, provenanceAvailableControl},
 			expectedLevel:  slsa_types.SlsaSourceLevel3,
-			expectedReason: "continuity is enable and provenance is available",
+			expectedReason: "continuity is enabled and provenance is available",
 		},
 		{
 			name:           "SLSA Level 2",
@@ -623,6 +630,7 @@ func TestEvaluateBranchControls(t *testing.T) {
 
 	// Branch Policies
 	policyL3Review := ProtectedBranch{TargetSlsaSourceLevel: slsa_types.SlsaSourceLevel3, RequireReview: true, Since: fixedTime}
+	policyL4 := ProtectedBranch{TargetSlsaSourceLevel: slsa_types.SlsaSourceLevel4, Since: fixedTime}
 	policyL1NoExtras := ProtectedBranch{TargetSlsaSourceLevel: slsa_types.SlsaSourceLevel1, RequireReview: false, Since: fixedTime}
 	policyL2Review := ProtectedBranch{TargetSlsaSourceLevel: slsa_types.SlsaSourceLevel2, RequireReview: true, Since: fixedTime}
 	policyL2NoReview := ProtectedBranch{TargetSlsaSourceLevel: slsa_types.SlsaSourceLevel2, RequireReview: false, Since: fixedTime}
@@ -644,37 +652,45 @@ func TestEvaluateBranchControls(t *testing.T) {
 		expectedErrorContains string
 	}{
 		{
-			name:           "Success - All Met (L3, Review, Tags)",
+			name:           "Success - L3, Review, Tags",
 			branchPolicy:   &policyL3Review,
 			tagPolicy:      &tagHygienePolicy,
 			controls:       slsa_types.Controls{continuityEnforcedEarlier, provenanceAvailableEarlier, reviewEnforcedEarlier, tagHygieneEarlier},
 			expectedLevels: slsa_types.SourceVerifiedLevels{slsa_types.ControlName(slsa_types.SlsaSourceLevel3), slsa_types.ReviewEnforced, slsa_types.TagHygiene},
 			expectError:    false,
 		},
 		{
-			name:           "Success - Only SLSA Level (L1)",
+			name:           "Success - L1",
 			branchPolicy:   &policyL1NoExtras,
 			tagPolicy:      &noTagHygienePolicy,
 			controls:       slsa_types.Controls{}, // L1 is met by default if policy targets L1 and other conditions pass
 			expectedLevels: slsa_types.SourceVerifiedLevels{slsa_types.ControlName(slsa_types.SlsaSourceLevel1)},
 			expectError:    false,
 		},
 		{
-			name:           "Success - SLSA & Review (L2, Review)",
+			name:           "Success - L2 & Review",
 			branchPolicy:   &policyL2Review,
 			tagPolicy:      &noTagHygienePolicy,
 			controls:       slsa_types.Controls{continuityEnforcedEarlier, reviewEnforcedEarlier}, // Provenance not needed for L2
 			expectedLevels: slsa_types.SourceVerifiedLevels{slsa_types.ControlName(slsa_types.SlsaSourceLevel2), slsa_types.ReviewEnforced},
 			expectError:    false,
 		},
 		{
-			name:           "Success - SLSA & Tags (L2, Tags)",
+			name:           "Success - L2 & Tags",
 			branchPolicy:   &policyL2NoReview,
 			tagPolicy:      &tagHygienePolicy,
 			controls:       slsa_types.Controls{continuityEnforcedEarlier, tagHygieneEarlier}, // Provenance not needed for L2
 			expectedLevels: slsa_types.SourceVerifiedLevels{slsa_types.ControlName(slsa_types.SlsaSourceLevel2), slsa_types.TagHygiene},
 			expectError:    false,
 		},
+		{
+			name:           "Success - L4",
+			branchPolicy:   &policyL4,
+			tagPolicy:      &tagHygienePolicy,
+			controls:       slsa_types.Controls{continuityEnforcedEarlier, provenanceAvailableEarlier, reviewEnforcedEarlier, tagHygieneEarlier},
+			expectedLevels: slsa_types.SourceVerifiedLevels{slsa_types.ControlName(slsa_types.SlsaSourceLevel4), slsa_types.TagHygiene},
+			expectError:    false,
+		},
 		{
 			name:                  "Error - computeSlsaLevel Fails (Policy L3, Controls L1)",
 			branchPolicy:          &policyL3Review, // Wants L3
@@ -1107,8 +1123,10 @@ func TestComputeEligibleSince(t *testing.T) {
 
 	continuityEnforcedT1 := slsa_types.Control{Name: slsa_types.ContinuityEnforced, Since: time1}
 	provenanceAvailableT1 := slsa_types.Control{Name: slsa_types.ProvenanceAvailable, Since: time1}
+	reviewEnforcedT1 := slsa_types.Control{Name: slsa_types.ReviewEnforced, Since: time1}
 	continuityEnforcedT2 := slsa_types.Control{Name: slsa_types.ContinuityEnforced, Since: time2}
 	provenanceAvailableT2 := slsa_types.Control{Name: slsa_types.ProvenanceAvailable, Since: time2}
+	reviewEnforcedT2 := slsa_types.Control{Name: slsa_types.ReviewEnforced, Since: time2}
 	continuityEnforcedZero := slsa_types.Control{Name: slsa_types.ContinuityEnforced, Since: zeroTime}
 	provenanceAvailableZero := slsa_types.Control{Name: slsa_types.ProvenanceAvailable, Since: zeroTime}
 
@@ -1120,6 +1138,20 @@ func TestComputeEligibleSince(t *testing.T) {
 		expectError   bool
 		expectedError string
 	}{
+		{
+			name:         "L4 eligible (prov, review later)",
+			controls:     slsa_types.Controls{continuityEnforcedT1, provenanceAvailableT2, reviewEnforcedT2},
+			level:        slsa_types.SlsaSourceLevel4,
+			expectedTime: &time2,
+			expectError:  false,
+		},
+		{
+			name:         "L4 eligible (continuity later)",
+			controls:     slsa_types.Controls{continuityEnforcedT2, provenanceAvailableT1, reviewEnforcedT1},
+			level:        slsa_types.SlsaSourceLevel4,
+			expectedTime: &time2,
+			expectError:  false,
+		},
 		{
 			name:         "L3 eligible (ProvLater), L3 requested: expect Prov.Since",       // Was: "Eligible for SLSA Level 3 - time1 later"
 			controls:     slsa_types.Controls{continuityEnforcedT1, provenanceAvailableT2}, // Prov.Since (time2) > Cont.Since (time1)

sourcetool/pkg/slsa_types/slsa_types.go

@@ -9,6 +9,7 @@ const (
 	SlsaSourceLevel1         SlsaSourceLevel = "SLSA_SOURCE_LEVEL_1"
 	SlsaSourceLevel2         SlsaSourceLevel = "SLSA_SOURCE_LEVEL_2"
 	SlsaSourceLevel3         SlsaSourceLevel = "SLSA_SOURCE_LEVEL_3"
+	SlsaSourceLevel4         SlsaSourceLevel = "SLSA_SOURCE_LEVEL_4"
 	ContinuityEnforced       ControlName     = "CONTINUITY_ENFORCED"
 	ProvenanceAvailable      ControlName     = "PROVENANCE_AVAILABLE"
 	ReviewEnforced           ControlName     = "REVIEW_ENFORCED"