Support slugs and defaults in prov subcommand (#225)

* Fix panic when commit string is blank

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>

* provenance support slugs, defaults

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>

* Use actual sha1 stringz in tests

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>

---------

Signed-off-by: Adolfo Garcia Veytia (puerco) <[email protected]>

Author: puerco

sourcetool/internal/cmd/prov.go

@@ -36,13 +36,36 @@ func (po *provOptions) AddFlags(cmd *cobra.Command) {
 	cmd.PersistentFlags().StringVar(&po.prevCommit, "prev_commit", "", "The commit prior to 'commit'.")
 }
 
-// provCmd represents the prov command
+//nolint:dupl
 func addProv(parentCmd *cobra.Command) {
 	opts := provOptions{}
 	provCmd := &cobra.Command{
 		Use:   "prov",
 		Short: "Creates provenance for the given commit, but does not check policy.",
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			if len(args) > 0 {
+				if err := opts.ParseLocator(args[0]); err != nil {
+					return err
+				}
+			}
+
+			// Validate the repo opts here to provide a useful error
+			// when checking defaults
+			if err := opts.repoOptions.Validate(); err != nil {
+				return err
+			}
+
+			// Ensure we operate on the latest commit and the default
+			// branch if not spcified
+			if err := opts.EnsureDefaults(); err != nil {
+				return err
+			}
+			return nil
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if err := opts.Validate(); err != nil {
+				return fmt.Errorf("validating options: %w", err)
+			}
 			return doProv(&opts)
 		},
 	}

sourcetool/internal/cmd/verifycommit.go

@@ -36,6 +36,7 @@ func (vco *verifyCommitOptions) AddFlags(cmd *cobra.Command) {
 	)
 }
 
+//nolint:dupl
 func addVerifyCommit(cmd *cobra.Command) {
 	opts := verifyCommitOptions{}
 	verifyCommitCmd := &cobra.Command{

sourcetool/pkg/attest/provenance_test.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/google/go-github/v69/github"
 	"github.com/migueleliasweb/go-github-mock/src/mock"
+	"github.com/stretchr/testify/require"
 
 	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/ghcontrol"
 	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/slsa"
@@ -40,9 +41,8 @@ func createTestProv(t *testing.T, repoUri, ref, commit string) string {
 	}
 
 	statementBytes, err := json.Marshal(&stmt)
-	if err != nil {
-		t.Fatalf("failure marshalling statement: %v", err)
-	}
+	require.NoError(t, err, "failure marshalling statement: %v", err)
+
 	return string(statementBytes)
 }
 
@@ -129,7 +129,7 @@ func assertTagProvPredsEqual(t *testing.T, actual, expected *TagProvenancePred)
 }
 
 func TestReadProvSuccess(t *testing.T) {
-	testProv := createTestProv(t, "https://github.com/owner/repo", "main", "abc123")
+	testProv := createTestProv(t, "https://github.com/owner/repo", "main", "73f0a864c2c9af12e03dae433a6ff5f5e719d7aa")
 	ghc := newTestGhConnection("owner", "repo", "branch",
 		// We just need _some_ rulesets response, we don't care what.
 		newTagHygieneRulesetsResponse(123, github.RulesetTargetTag,
@@ -138,7 +138,7 @@ func TestReadProvSuccess(t *testing.T) {
 	verifier := testsupport.NewMockVerifier()
 
 	pa := NewProvenanceAttestor(ghc, verifier)
-	readStmt, readPred, err := pa.GetProvenance(t.Context(), "abc123", "main")
+	readStmt, readPred, err := pa.GetProvenance(t.Context(), "73f0a864c2c9af12e03dae433a6ff5f5e719d7aa", "main")
 	if err != nil {
 		t.Fatalf("error finding prov: %v", err)
 	}
@@ -148,7 +148,7 @@ func TestReadProvSuccess(t *testing.T) {
 }
 
 func TestReadProvFailure(t *testing.T) {
-	testProv := createTestProv(t, "foo", "main", "abc123")
+	testProv := createTestProv(t, "foo", "main", "73f0a864c2c9af12e03dae433a6ff5f5e719d7aa")
 	ghc := newTestGhConnection("owner", "repo", "branch",
 		// We just need _some_ rulesets response, we don't care what.
 		newTagHygieneRulesetsResponse(456, github.RulesetTargetBranch,
@@ -157,7 +157,7 @@ func TestReadProvFailure(t *testing.T) {
 	verifier := testsupport.NewMockVerifier()
 
 	pa := NewProvenanceAttestor(ghc, verifier)
-	_, readPred, err := pa.GetProvenance(t.Context(), "abc123", "main")
+	_, readPred, err := pa.GetProvenance(t.Context(), "73f0a864c2c9af12e03dae433a6ff5f5e719d7aa", "main")
 	if err != nil {
 		t.Fatalf("error finding prov: %v", err)
 	}
@@ -167,7 +167,7 @@ func TestReadProvFailure(t *testing.T) {
 }
 
 func TestCreateTagProvenance(t *testing.T) {
-	testVsa := createTestVsa(t, "https://github.com/owner/repo", "refs/some/ref", "abc123", slsa.SourceVerifiedLevels{"TEST_LEVEL"})
+	testVsa := createTestVsa(t, "https://github.com/owner/repo", "refs/some/ref", "73f0a864c2c9af12e03dae433a6ff5f5e719d7aa", slsa.SourceVerifiedLevels{"TEST_LEVEL"})
 
 	ghc := newTestGhConnection("owner", "repo", "branch",
 		newTagHygieneRulesetsResponse(123, github.RulesetTargetTag,
@@ -177,7 +177,7 @@ func TestCreateTagProvenance(t *testing.T) {
 
 	pa := NewProvenanceAttestor(ghc, verifier)
 
-	stmt, err := pa.CreateTagProvenance(t.Context(), "abc123", "refs/tags/v1", "the-tag-pusher")
+	stmt, err := pa.CreateTagProvenance(t.Context(), "73f0a864c2c9af12e03dae433a6ff5f5e719d7aa", "refs/tags/v1", "the-tag-pusher")
 	if err != nil {
 		t.Fatalf("error creating tag prov %v", err)
 	}
@@ -190,8 +190,8 @@ func TestCreateTagProvenance(t *testing.T) {
 		t.Errorf("statement pred type %v does not match expected %v", stmt.GetPredicateType(), TagProvPredicateType)
 	}
 
-	if !DoesSubjectIncludeCommit(stmt, "abc123") {
-		t.Errorf("statement subject %v does not match expected %v", stmt.GetSubject(), "abc123")
+	if !DoesSubjectIncludeCommit(stmt, "73f0a864c2c9af12e03dae433a6ff5f5e719d7aa") {
+		t.Errorf("statement subject %v does not match expected %v", stmt.GetSubject(), "73f0a864c2c9af12e03dae433a6ff5f5e719d7aa")
 	}
 
 	tagPred, err := GetTagProvPred(stmt)

sourcetool/pkg/attest/vsa_test.go

@@ -30,15 +30,15 @@ func createTestVsaWithIdAndResult(t *testing.T, repoUri, ref, commit, id, result
 }
 
 func TestReadVsaSuccess(t *testing.T) {
-	testVsa := createTestVsa(t, "https://github.com/owner/repo", "refs/some/ref", "abc123", slsa.SourceVerifiedLevels{"TEST_LEVEL"})
+	testVsa := createTestVsa(t, "https://github.com/owner/repo", "refs/some/ref", "de9395302d14b24c0a42685cf27315d93c88ff79", slsa.SourceVerifiedLevels{"TEST_LEVEL"})
 	ghc := newTestGhConnection("owner", "repo", "branch",
 		// We just need _some_ rulesets response, we don't care what.
 		newTagHygieneRulesetsResponse(123, github.RulesetTargetTag,
 			github.RulesetEnforcementActive, rulesetOldTime),
 		newNotesContent(testVsa))
 	verifier := testsupport.NewMockVerifier()
 
-	readStmt, readPred, err := GetVsa(t.Context(), ghc, verifier, "abc123", "refs/some/ref")
+	readStmt, readPred, err := GetVsa(t.Context(), ghc, verifier, "de9395302d14b24c0a42685cf27315d93c88ff79", "refs/some/ref")
 	if err != nil {
 		t.Fatalf("error finding vsa: %v", err)
 	}
@@ -54,7 +54,7 @@ func TestReadVsaSuccess(t *testing.T) {
 func TestReadVsaInvalidVsas(t *testing.T) {
 	goodRepo := "https://github.com/org/foo"
 	goodRef := "refs/heads/main"
-	goodCommit := "abc123"
+	goodCommit := "73f0a864c2c9af12e03dae433a6ff5f5e719d7aa"
 
 	// We want to make sure invalid VSAs aren't returned.
 	tests := []struct {
@@ -91,7 +91,7 @@ func TestReadVsaInvalidVsas(t *testing.T) {
 				newNotesContent(tt.vsa))
 			verifier := testsupport.NewMockVerifier()
 
-			_, readPred, err := GetVsa(t.Context(), ghc, verifier, "abc123", "refs/heads/main")
+			_, readPred, err := GetVsa(t.Context(), ghc, verifier, "73f0a864c2c9af12e03dae433a6ff5f5e719d7aa", "refs/heads/main")
 			if err != nil {
 				t.Fatalf("error finding vsa: %v", err)
 			}

sourcetool/pkg/ghcontrol/notes.go

@@ -16,6 +16,10 @@ func (ghc *GitHubConnection) GetNotesForCommit(ctx context.Context, commit strin
 	// They'll be in the path <co/mmit> within ref `refs/notes/commits`
 	// where the first two characters of the commit sha are separated from the
 	// rest with a slash, eg e5/73149ab3e574abc2e5a151a04acfaf2a59b453.
+	if len(commit) != 40 {
+		return "", fmt.Errorf("invalid commit string")
+	}
+
 	path := commit[0:2] + "/" + commit[2:]
 	contents, _, resp, err := ghc.Client().Repositories.GetContents(
 		ctx, ghc.Owner(), ghc.Repo(), path, &github.RepositoryContentGetOptions{Ref: "refs/notes/commits"})

sourcetool/pkg/ghcontrol/notes_test.go

@@ -23,7 +23,8 @@ func TestGetNotesForCommit(t *testing.T) {
 		mustErr     bool
 	}{
 		{name: "success", owner: "slsa-framework", repo: "slsa-source-poc", commit: "e573149ab3e574abc2e5a151a04acfaf2a59b453", mustBeEmpty: false, mustErr: false},
-		{name: "non-existent", owner: "kjsdhi373iuh", repo: "lksjdhfk3773", commit: "invalid", mustBeEmpty: true, mustErr: false},
+		{name: "invalida-commit", owner: "kjsdhi373iuh", repo: "lksjdhfk3773", commit: "invalid", mustBeEmpty: true, mustErr: true},
+		{name: "non-existent", owner: "kjsdhi373iuh", repo: "lksjdhfk3773", commit: "de9395302d14b24c0a42685cf27315d93c88ff79", mustBeEmpty: true, mustErr: false},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()