Create policy from controls, not att (#244)

puerco · web-flow · commit 53486b0b1134 · 2025-07-28T02:56:12.000-06:00
This commit modifies the sourcetool module to create the policuy from
the enabked controls instead of basing it on the last provenance
attestation.

Signed-off-by: Adolfo Garcia Veytia (puerco) &lt;puerco@carabiner.dev&gt;
diff --git a/sourcetool/pkg/sourcetool/tool.go b/sourcetool/pkg/sourcetool/tool.go
@@ -187,46 +187,27 @@ func (t *Tool) CreateBranchPolicy(ctx context.Context, r *models.Repository, bra
 		return nil, fmt.Errorf("getting backend: %w", err)
 	}
 
-	// Get the branch latest commit from the backend
-	latestCommit, err := backend.GetLatestCommit(ctx, r, branches[0])
+	controls, err := t.impl.GetBranchControls(ctx, backend, r, branches[0])
 	if err != nil {
-		return nil, fmt.Errorf("could not get latest commit: %w", err)
-	}
-
-	reader, err := t.impl.GetAttestationReader(nil)
-	if err != nil {
-		return nil, fmt.Errorf("getting attestation reader")
-	}
-
-	// Get the latest commit provenance attestation
-	_, predicate, err := reader.GetCommitProvenance(ctx, branches[0], latestCommit)
-	if err != nil {
-		return nil, fmt.Errorf("could not get provenance for latest commit: %w", err)
+		return nil, fmt.Errorf("getting branch controls: %w", err)
 	}
 
-	controls := &slsa.Controls{}
-	if predicate != nil {
-		for _, c := range predicate.GetControls() {
-			controls.AddControl(c)
-		}
-	}
 	return t.createPolicy(r, branches[0], controls)
 }
 
 // This function will be moved to the policy package once we start integrating
 // it with the global data models (if we do).
-func (t *Tool) createPolicy(r *models.Repository, branch *models.Branch, controls *slsa.Controls) (*policy.RepoPolicy, error) {
+func (t *Tool) createPolicy(r *models.Repository, branch *models.Branch, controls *slsa.ControlSetStatus) (*policy.RepoPolicy, error) {
 	// Default to SLSA1 since unset date
 	eligibleSince := &time.Time{}
 	eligibleLevel := slsa.SlsaSourceLevel1
 
 	var err error
 	// Unless there is previous provenance metadata, then we can compute
 	// a higher level
-
 	if controls != nil {
-		eligibleLevel = policy.ComputeEligibleSlsaLevel(*controls)
-		eligibleSince, err = policy.ComputeEligibleSince(*controls, eligibleLevel)
+		eligibleLevel = policy.ComputeEligibleSlsaLevel(*controls.GetActiveControls())
+		eligibleSince, err = policy.ComputeEligibleSince(*controls.GetActiveControls(), eligibleLevel)
 		if err != nil {
 			return nil, fmt.Errorf("could not compute eligible_since: %w", err)
 		}
