Add --allow-merge-commit experimental flag (#179)

* Fix panic in eval when no policy is found

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>

* Add GitHUb connector options

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>

* Add --allow-merge-commit flag

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>

* Wire allowMergeCommit value

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>

---------

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>

Author: puerco

sourcetool/cmd/checklevel.go

@@ -5,6 +5,7 @@ package cmd
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"log"
 	"os"
@@ -18,6 +19,14 @@ import (
 
 type CheckLevelArgs struct {
 	commit, owner, repo, branch, outputVsa, outputUnsignedVsa, useLocalPolicy string
+	allowMergeCommits                                                         bool
+}
+
+func (cla *CheckLevelArgs) Validate() error {
+	if cla.commit == "" || cla.owner == "" || cla.repo == "" || cla.branch == "" {
+		return errors.New("must set commit, owner, repo, and branch flags")
+	}
+	return nil
 }
 
 // checklevelCmd represents the checklevel command
@@ -31,20 +40,23 @@ var (
 
 This is meant to be run within the corresponding GitHub Actions workflow.`,
 		Run: func(cmd *cobra.Command, args []string) {
-			doCheckLevel(checkLevelArgs.commit, checkLevelArgs.owner, checkLevelArgs.repo, checkLevelArgs.branch, checkLevelArgs.outputVsa, checkLevelArgs.outputUnsignedVsa)
+			doCheckLevel(&checkLevelArgs)
 		},
 	}
 )
 
-func doCheckLevel(commit, owner, repo, branch, outputVsa, outputUnsignedVsa string) {
-	if commit == "" || owner == "" || repo == "" || branch == "" {
-		log.Fatal("Must set commit, owner, repo, and branch flags.")
+func doCheckLevel(cla *CheckLevelArgs) {
+	if err := cla.Validate(); err != nil {
+		log.Fatalf("Error: %v", err)
 	}
 
-	gh_connection := gh_control.NewGhConnection(owner, repo, gh_control.BranchToFullRef(branch)).WithAuthToken(githubToken)
-	ctx := context.Background()
+	gh_connection := gh_control.NewGhConnection(
+		cla.owner, cla.repo, gh_control.BranchToFullRef(cla.branch),
+	).WithAuthToken(githubToken)
+	gh_connection.Options.AllowMergeCommits = cla.allowMergeCommits
 
-	controlStatus, err := gh_connection.GetBranchControls(ctx, commit, gh_connection.GetFullRef())
+	ctx := context.Background()
+	controlStatus, err := gh_connection.GetBranchControls(ctx, cla.commit, gh_connection.GetFullRef())
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -56,24 +68,23 @@ func doCheckLevel(commit, owner, repo, branch, outputVsa, outputUnsignedVsa stri
 	}
 	fmt.Print(verifiedLevels)
 
-	unsignedVsa, err := attest.CreateUnsignedSourceVsa(gh_connection.GetRepoUri(), gh_connection.GetFullRef(), commit, verifiedLevels, policyPath)
+	unsignedVsa, err := attest.CreateUnsignedSourceVsa(gh_connection.GetRepoUri(), gh_connection.GetFullRef(), cla.commit, verifiedLevels, policyPath)
 	if err != nil {
 		log.Fatal(err)
 	}
-	if outputUnsignedVsa != "" {
-		err = os.WriteFile(outputUnsignedVsa, []byte(unsignedVsa), 0644)
-		if err != nil {
+	if cla.outputUnsignedVsa != "" {
+		if err = os.WriteFile(cla.outputUnsignedVsa, []byte(unsignedVsa), 0644); err != nil {
 			log.Fatal(err)
 		}
 	}
 
-	if outputVsa != "" {
+	if cla.outputVsa != "" {
 		// This will output in the sigstore bundle format.
 		signedVsa, err := attest.Sign(unsignedVsa)
 		if err != nil {
 			log.Fatal(err)
 		}
-		err = os.WriteFile(outputVsa, []byte(signedVsa), 0644)
+		err = os.WriteFile(cla.outputVsa, []byte(signedVsa), 0644)
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -84,13 +95,12 @@ func init() {
 	rootCmd.AddCommand(checklevelCmd)
 
 	// Here you will define your flags and configuration settings.
-
 	checklevelCmd.Flags().StringVar(&checkLevelArgs.commit, "commit", "", "The commit to check.")
 	checklevelCmd.Flags().StringVar(&checkLevelArgs.owner, "owner", "", "The GitHub repository owner - required.")
 	checklevelCmd.Flags().StringVar(&checkLevelArgs.repo, "repo", "", "The GitHub repository name - required.")
 	checklevelCmd.Flags().StringVar(&checkLevelArgs.branch, "branch", "", "The branch within the repository - required.")
 	checklevelCmd.Flags().StringVar(&checkLevelArgs.outputVsa, "output_vsa", "", "The path to write a signed VSA with the determined level.")
 	checklevelCmd.Flags().StringVar(&checkLevelArgs.outputUnsignedVsa, "output_unsigned_vsa", "", "The path to write an unsigned vsa with the determined level.")
 	checklevelCmd.Flags().StringVar(&checkLevelArgs.useLocalPolicy, "use_local_policy", "", "UNSAFE: Use the policy at this local path instead of the official one.")
-
+	checklevelCmd.Flags().BoolVar(&checkLevelArgs.allowMergeCommits, "allow-merge-commits", false, "[EXPERIMENTAL] Allow merge commits in branch.")
 }

sourcetool/cmd/checklevelprov.go

@@ -29,6 +29,7 @@ type CheckLevelProvArgs struct {
 	expectedIssuer       string
 	expectedSan          string
 	useLocalPolicy       string
+	allowMergeCommits    bool
 }
 
 // checklevelprovCmd represents the checklevelprov command
@@ -47,6 +48,7 @@ var (
 func doCheckLevelProv(checkLevelProvArgs CheckLevelProvArgs) {
 	gh_connection :=
 		gh_control.NewGhConnection(checkLevelProvArgs.owner, checkLevelProvArgs.repo, gh_control.BranchToFullRef(checkLevelProvArgs.branch)).WithAuthToken(githubToken)
+	gh_connection.Options.AllowMergeCommits = checkLevelProvArgs.allowMergeCommits
 	ctx := context.Background()
 
 	prevCommit := checkLevelProvArgs.prevCommit
@@ -135,5 +137,5 @@ func init() {
 	checklevelprovCmd.Flags().StringVar(&checkLevelProvArgs.outputUnsignedBundle, "output_unsigned_bundle", "", "The path to write a bundle of unsigned attestations.")
 	checklevelprovCmd.Flags().StringVar(&checkLevelProvArgs.outputSignedBundle, "output_signed_bundle", "", "The path to write a bundle of signed attestations.")
 	checklevelprovCmd.Flags().StringVar(&checkLevelProvArgs.useLocalPolicy, "use_local_policy", "", "UNSAFE: Use the policy at this local path instead of the official one.")
-
+	checklevelprovCmd.Flags().BoolVar(&checkLevelProvArgs.allowMergeCommits, "allow-merge-commits", false, "[EXPERIMENTAL] Allow merge commits in branch")
 }

sourcetool/pkg/gh_control/connection.go

@@ -10,6 +10,7 @@ import (
 // Manages a connection to a GitHub repository.
 type GitHubConnection struct {
 	client           *github.Client
+	Options          Options
 	owner, repo, ref string
 }
 
@@ -19,10 +20,12 @@ func NewGhConnection(owner, repo, ref string) *GitHubConnection {
 
 func NewGhConnectionWithClient(owner, repo, ref string, client *github.Client) *GitHubConnection {
 	return &GitHubConnection{
-		client: client,
-		owner:  owner,
-		repo:   repo,
-		ref:    ref}
+		client:  client,
+		owner:   owner,
+		repo:    repo,
+		ref:     ref,
+		Options: defaultOptions,
+	}
 }
 
 func (ghc *GitHubConnection) Client() *github.Client {
@@ -68,7 +71,7 @@ func (ghc *GitHubConnection) GetPriorCommit(ctx context.Context, sha string) (st
 		return "", fmt.Errorf("there is no commit earlier than %s, that isn't yet supported", sha)
 	}
 
-	if len(commit.Parents) > 1 {
+	if len(commit.Parents) > 1 && !ghc.Options.AllowMergeCommits {
 		return "", fmt.Errorf("commit %s has more than one parent (%v), which is not supported", sha, commit.Parents)
 	}
 

sourcetool/pkg/gh_control/options.go

@@ -0,0 +1,11 @@
+package gh_control
+
+var defaultOptions = Options{
+	AllowMergeCommits: false,
+}
+
+type Options struct {
+	// AllowMergeCommits causes the GitHub connector to reject merge
+	// commits when set to false.
+	AllowMergeCommits bool
+}

sourcetool/pkg/policy/policy.go

@@ -459,7 +459,7 @@ func (pe PolicyEvaluator) EvaluateControl(ctx context.Context, gh_connection *gh
 	// We want to check to ensure the repo hasn't enabled/disabled the rules since
 	// setting the 'since' field in their policy.
 	rp, policyPath, err := pe.getPolicy(ctx, gh_connection)
-	if err != nil {
+	if err != nil || rp == nil {
 		return slsa_types.SourceVerifiedLevels{}, "", err
 	}
 
@@ -485,7 +485,7 @@ func (pe PolicyEvaluator) EvaluateControl(ctx context.Context, gh_connection *gh
 // Evaluates the provenance against the policy and returns the resulting source level and policy path
 func (pe PolicyEvaluator) EvaluateSourceProv(ctx context.Context, gh_connection *gh_control.GitHubConnection, prov *spb.Statement) (slsa_types.SourceVerifiedLevels, string, error) {
 	rp, policyPath, err := pe.getPolicy(ctx, gh_connection)
-	if err != nil {
+	if err != nil || rp == nil {
 		return slsa_types.SourceVerifiedLevels{}, "", err
 	}