Add a repo policy feature (#25)

* Introduce repo 'policies'

These are meant to be stored centrally.  Repos that want to onboard
would send a PR adding a policy file for their repo.

Signed-off-by: Tom Hennen <[email protected]>

* add readme and first policy

Signed-off-by: Tom Hennen <[email protected]>

---------

Signed-off-by: Tom Hennen <[email protected]>

Author: TomHennen

POLICY.md

@@ -14,14 +14,15 @@ are answered).
 
 Level 1+: git is one of the modern tools, since this tool only works with git this requirement is met.
 
-
 ### Canonical location
 
 Open question: It's unclear how this should be checked by tooling. One thought is that this
 requirement may be in the wrong spot.  Instead perhaps what we're looking for is that given
 packages distributed further downstream should indicate which source repos are canonical.
 They could do this using SLSA _build_ provenance.
 
+TODO: Now enabling people to set a canonical location in a policy file.  Not yet requried for Level 1.
+
 ### Distribute summary attestations
 
 Open question: This tool doesn't yet distribute attestations. We need to figure that out.
@@ -68,7 +69,8 @@ Open question: Is this duplicative of "Distribute summary attestations"
 
 Level 1: N/A
 
-Level 2+: Open question.
+Level 2+: For a commit on a branch to qualify as Level 2+ it must be explicitly indicated in the corresponding policy file.
+This is taken as an indication that is meant for consumption.
 
 ### Continuity
 

policy/README.md

@@ -0,0 +1,10 @@
+# Policy
+
+This folder stores 'policies' for individual repos.
+
+It is a place for organizations to:
+
+* Declare which branches are meant for consumption.
+* Indicate when SLSA protections were enabled without allowing
+  those protections to be disabled without it affecting the
+  determined SLSA level.

policy/github.com/TomHennen/slsa-source-poc/source-policy.json

@@ -0,0 +1,10 @@
+{
+    "canonical_repo": "https://github.com/slsa-framework/slsa-source-repo",
+    "protected_branches": [
+        {
+            "name": "main",
+            "since": "2025-01-23T16:32:27.845Z",
+            "target_slsa_source_level": "SLSA_SOURCE_LEVEL_2"
+        }
+    ]
+}

sourcetool/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
@@ -13,8 +14,10 @@ import (
 )
 
 const (
-	SlsaSourceLevel1 = "SLSA_SOURCE_LEVEL_1"
-	SlsaSourceLevel2 = "SLSA_SOURCE_LEVEL_2"
+	SlsaSourceLevel1      = "SLSA_SOURCE_LEVEL_1"
+	SlsaSourceLevel2      = "SLSA_SOURCE_LEVEL_2"
+	SourcePolicyRepoOwner = "slsa-framework"
+	SourcePolicyRepo      = "slsa-source-poc"
 )
 
 type activity struct {
@@ -26,6 +29,40 @@ type activity struct {
 	ActivityType string `json:"activity_type"`
 }
 
+type protectedBranch struct {
+	Name                  string
+	Since                 time.Time
+	TargetSlsaSourceLevel string `json:"target_slsa_source_level"`
+}
+type repoPolicy struct {
+	// I'm actually not sure we need this.  Consider removing?
+	CanonicalRepo     string            `json:"canonical_repo"`
+	ProtectedBranches []protectedBranch `json:"protected_branches"`
+}
+
+func getBranchPolicy(ctx context.Context, gh_client *github.Client, owner string, repo string, branch string) (*protectedBranch, error) {
+	path := fmt.Sprintf("../policy/github.com/%s/%s/source-policy.json", owner, repo)
+
+	policyContents, _, _, err := gh_client.Repositories.GetContents(ctx, SourcePolicyRepoOwner, SourcePolicyRepo, path, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	var p repoPolicy
+	err = json.Unmarshal(policyContents.GetContents(), &p)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, pb := range p.ProtectedBranches {
+		if pb.Name == branch {
+			return &pb, nil
+		}
+	}
+
+	return nil, errors.New(fmt.Sprintf("Could not find rule for branch %s", branch))
+}
+
 // Checks to see if the rule meets our requirements.
 func checkRule(ctx context.Context, gh_client *github.Client, owner string, repo string, rule *github.RepositoryRule, minTime time.Time) (bool, error) {
 	ruleset, _, err := gh_client.Repositories.GetRuleset(ctx, owner, repo, rule.RulesetID, false)
@@ -104,16 +141,23 @@ func determineSourceLevel(ctx context.Context, gh_client *github.Client, commit
 		return "", err
 	}
 
-	// We'd like to check that the rules have been enabled for the appropriate amount of time
-	// (to ensure they weren't disabled).  For now we just require something that's not in
-	// the future.
-	minTime := pushTime.AddDate(0, 0, -1*minDays)
+	// We want to check to ensure the repo hasn't enabled/disabled the rules since
+	// setting the 'since' field in their policy.
+	branchPolicy, err := getBranchPolicy(ctx, gh_client, owner, repo, branch)
+	if err != nil {
+		return "", err
+	}
+
+	if pushTime.Before(branchPolicy.Since) {
+		// This commit was pushed before they had an explicit policy.
+		return SlsaSourceLevel1, nil
+	}
 
-	deletionGood, err := checkRule(ctx, gh_client, owner, repo, deletionRule, minTime)
+	deletionGood, err := checkRule(ctx, gh_client, owner, repo, deletionRule, branchPolicy.Since)
 	if err != nil {
 		return "", err
 	}
-	nonFFGood, err := checkRule(ctx, gh_client, owner, repo, nonFastFowardRule, minTime)
+	nonFFGood, err := checkRule(ctx, gh_client, owner, repo, nonFastFowardRule, branchPolicy.Since)
 	if err != nil {
 		return "", err
 	}