Use cobra to handle multiple commands. (#27)

* Rearranges to split commands from logic.
* Adds go.work
* Adds .gitignore to get rid of tuf stuff

Signed-off-by: Tom Hennen <[email protected]>

Author: TomHennen

.gitignore

@@ -0,0 +1,2 @@
+tuf-repo-cdn.sigstage.dev.json
+tuf-repo-cdn.sigstage.dev/

sourcetool/cmd/checklevel.go

@@ -0,0 +1,85 @@
+/*
+Copyright © 2025 NAME HERE <EMAIL ADDRESS>
+*/
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/checklevel"
+	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/vsa"
+
+	"github.com/google/go-github/v68/github"
+	"github.com/spf13/cobra"
+)
+
+// checklevelCmd represents the checklevel command
+var (
+	commit, owner, repo, branch, outputVsa string
+	minDays                                int
+
+	checklevelCmd = &cobra.Command{
+		Use:   "checklevel",
+		Short: "A brief description of your command",
+		Long: `A longer description that spans multiple lines and likely contains examples
+and usage of using your command. For example:
+
+Cobra is a CLI library for Go that empowers applications.
+This application is a tool to generate the needed files
+to quickly create a Cobra application.`,
+		Run: func(cmd *cobra.Command, args []string) {
+			doCheckLevel()
+		},
+	}
+)
+
+func doCheckLevel() {
+	if commit == "" || owner == "" || repo == "" || branch == "" {
+		log.Fatal("Must set commit, owner, repo, and branch flags.")
+	}
+
+	gh_client := github.NewClient(nil)
+	ctx := context.Background()
+
+	sourceLevel, err := checklevel.DetermineSourceLevel(ctx, gh_client, commit, owner, repo, branch, minDays)
+	if err != nil {
+		log.Fatal(err)
+	}
+	fmt.Print(sourceLevel)
+
+	if outputVsa != "" {
+		// This will output in the sigstore bundle format.
+		signedVsa, err := vsa.CreateSignedSourceVsa(owner, repo, commit, sourceLevel)
+		if err != nil {
+			log.Fatal(err)
+		}
+		err = os.WriteFile(outputVsa, []byte(signedVsa), 0644)
+		if err != nil {
+			log.Fatal(err)
+		}
+	}
+}
+
+func init() {
+	rootCmd.AddCommand(checklevelCmd)
+
+	// Here you will define your flags and configuration settings.
+
+	// Cobra supports Persistent Flags which will work for this command
+	// and all subcommands, e.g.:
+	// checklevelCmd.PersistentFlags().String("foo", "", "A help for foo")
+
+	// Cobra supports local flags which will only run when this command
+	// is called directly, e.g.:
+	// checklevelCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
+
+	checklevelCmd.Flags().StringVar(&commit, "commit", "", "The commit to check.")
+	checklevelCmd.Flags().StringVar(&owner, "owner", "", "The GitHub repository owner - required.")
+	checklevelCmd.Flags().StringVar(&repo, "repo", "", "The GitHub repository name - required.")
+	checklevelCmd.Flags().StringVar(&branch, "branch", "", "The branch within the repository - required.")
+	checklevelCmd.Flags().IntVar(&minDays, "min_days", 1, "The minimum duration that the rules need to have been enabled for.")
+	checklevelCmd.Flags().StringVar(&outputVsa, "output_vsa", "", "The path to write a signed VSA with the determined level.")
+}

sourcetool/cmd/root.go

@@ -0,0 +1,51 @@
+/*
+Copyright © 2025 NAME HERE <EMAIL ADDRESS>
+
+*/
+package cmd
+
+import (
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+
+
+// rootCmd represents the base command when called without any subcommands
+var rootCmd = &cobra.Command{
+	Use:   "sourcetool",
+	Short: "A brief description of your application",
+	Long: `A longer description that spans multiple lines and likely contains
+examples and usage of using your application. For example:
+
+Cobra is a CLI library for Go that empowers applications.
+This application is a tool to generate the needed files
+to quickly create a Cobra application.`,
+	// Uncomment the following line if your bare application
+	// has an action associated with it:
+	// Run: func(cmd *cobra.Command, args []string) { },
+}
+
+// Execute adds all child commands to the root command and sets flags appropriately.
+// This is called by main.main(). It only needs to happen once to the rootCmd.
+func Execute() {
+	err := rootCmd.Execute()
+	if err != nil {
+		os.Exit(1)
+	}
+}
+
+func init() {
+	// Here you will define your flags and configuration settings.
+	// Cobra supports persistent flags, which, if defined here,
+	// will be global for your application.
+
+	// rootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is $HOME/.sourcetool.yaml)")
+
+	// Cobra also supports local flags, which will only run
+	// when this action is called directly.
+	rootCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
+}
+
+

sourcetool/go.mod

@@ -6,6 +6,8 @@ require (
 	github.com/google/go-github/v68 v68.0.0
 	github.com/in-toto/attestation v1.1.1-0.20250123155712-7017ad824404
 	github.com/sigstore/sigstore-go v0.6.3-0.20250123153628-85b2bcba8898
+	github.com/spf13/cobra v1.8.1
+	github.com/theupdateframework/go-tuf/v2 v2.0.2
 	google.golang.org/protobuf v1.36.3
 )
 
@@ -66,12 +68,10 @@ require (
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
-	github.com/spf13/cobra v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.19.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
-	github.com/theupdateframework/go-tuf/v2 v2.0.2 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect

sourcetool/go.work

@@ -0,0 +1,3 @@
+go 1.24
+
+use .

sourcetool/go.work.sum

@@ -0,0 +1 @@
+github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=

sourcetool/main.go

@@ -1,212 +1,10 @@
+/*
+Copyright © 2025 NAME HERE <EMAIL ADDRESS>
+*/
 package main
 
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"flag"
-	"fmt"
-	"log"
-	"os"
-	"time"
+import "github.com/slsa-framework/slsa-source-poc/sourcetool/cmd"
 
-	"github.com/google/go-github/v68/github"
-)
-
-const (
-	SlsaSourceLevel1      = "SLSA_SOURCE_LEVEL_1"
-	SlsaSourceLevel2      = "SLSA_SOURCE_LEVEL_2"
-	SourcePolicyRepoOwner = "slsa-framework"
-	SourcePolicyRepo      = "slsa-source-poc"
-)
-
-type activity struct {
-	Id           int
-	Before       string
-	After        string
-	Ref          string
-	Timestamp    time.Time
-	ActivityType string `json:"activity_type"`
-}
-
-type protectedBranch struct {
-	Name                  string
-	Since                 time.Time
-	TargetSlsaSourceLevel string `json:"target_slsa_source_level"`
-}
-type repoPolicy struct {
-	// I'm actually not sure we need this.  Consider removing?
-	CanonicalRepo     string            `json:"canonical_repo"`
-	ProtectedBranches []protectedBranch `json:"protected_branches"`
-}
-
-func getBranchPolicy(ctx context.Context, gh_client *github.Client, owner string, repo string, branch string) (*protectedBranch, error) {
-	path := fmt.Sprintf("policy/github.com/%s/%s/source-policy.json", owner, repo)
-
-	policyContents, _, _, err := gh_client.Repositories.GetContents(ctx, SourcePolicyRepoOwner, SourcePolicyRepo, path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	content, err := policyContents.GetContent()
-	if err != nil {
-		return nil, err
-	}
-	var p repoPolicy
-	err = json.Unmarshal([]byte(content), &p)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, pb := range p.ProtectedBranches {
-		if pb.Name == branch {
-			return &pb, nil
-		}
-	}
-
-	return nil, errors.New(fmt.Sprintf("Could not find rule for branch %s", branch))
-}
-
-// Checks to see if the rule meets our requirements.
-func checkRule(ctx context.Context, gh_client *github.Client, owner string, repo string, rule *github.RepositoryRule, minTime time.Time) (bool, error) {
-	ruleset, _, err := gh_client.Repositories.GetRuleset(ctx, owner, repo, rule.RulesetID, false)
-	if err != nil {
-		return false, err
-	}
-
-	// We need rules to be 'active' and to have been updated no later than minTime.
-	if ruleset.Enforcement != "active" {
-		return false, nil
-	}
-
-	if minTime.Before(ruleset.UpdatedAt.Time) {
-		return false, nil
-	}
-
-	return true, nil
-}
-
-func commitPushTime(ctx context.Context, gh_client *github.Client, commit string, owner string, repo string, branch string) (time.Time, error) {
-	// Unfortunately the gh_client doesn't have native support for this...'
-	reqUrl := fmt.Sprintf("repos/%s/%s/activity", owner, repo)
-	req, err := gh_client.NewRequest("GET", reqUrl, nil)
-	if err != nil {
-		return time.Time{}, err
-	}
-
-	var result []*activity
-	_, err = gh_client.Do(ctx, req, &result)
-	if err != nil {
-		return time.Time{}, err
-	}
-
-	targetRef := fmt.Sprintf("refs/heads/%s", branch)
-	for _, activity := range result {
-		if activity.ActivityType != "push" && activity.ActivityType != "force_push" {
-			continue
-		}
-		if activity.After == commit && activity.Ref == targetRef {
-			// Found it
-			return activity.Timestamp, nil
-		}
-	}
-
-	return time.Time{}, errors.New(fmt.Sprintf("Could not find repo activity for commit %s", commit))
-}
-
-func determineSourceLevel(ctx context.Context, gh_client *github.Client, commit string, owner string, repo string, branch string, minDays int) (string, error) {
-	rules, _, err := gh_client.Repositories.GetRulesForBranch(ctx, owner, repo, branch)
-
-	if err != nil {
-		return "", err
-	}
-
-	var deletionRule *github.RepositoryRule
-	var nonFastFowardRule *github.RepositoryRule
-	for _, rule := range rules {
-		switch rule.Type {
-		case "deletion":
-			deletionRule = rule
-		case "non_fast_forward":
-			nonFastFowardRule = rule
-		default:
-			// ignore
-		}
-	}
-
-	if deletionRule == nil && nonFastFowardRule == nil {
-		// For L2 we need deletion and non-fast-forward rules.
-		return SlsaSourceLevel1, nil
-	}
-
-	// We want to know when this commit was pushed to ensure the rules were active _then_.
-	pushTime, err := commitPushTime(ctx, gh_client, commit, owner, repo, branch)
-	if err != nil {
-		return "", err
-	}
-
-	// We want to check to ensure the repo hasn't enabled/disabled the rules since
-	// setting the 'since' field in their policy.
-	branchPolicy, err := getBranchPolicy(ctx, gh_client, owner, repo, branch)
-	if err != nil {
-		return "", err
-	}
-
-	if pushTime.Before(branchPolicy.Since) {
-		// This commit was pushed before they had an explicit policy.
-		return SlsaSourceLevel1, nil
-	}
-
-	deletionGood, err := checkRule(ctx, gh_client, owner, repo, deletionRule, branchPolicy.Since)
-	if err != nil {
-		return "", err
-	}
-	nonFFGood, err := checkRule(ctx, gh_client, owner, repo, nonFastFowardRule, branchPolicy.Since)
-	if err != nil {
-		return "", err
-	}
-
-	if deletionGood && nonFFGood {
-		return SlsaSourceLevel2, nil
-	}
-
-	return SlsaSourceLevel1, nil
-}
-
-// Determines the source level of a repo.
 func main() {
-	var commit, owner, repo, branch, outputVsa string
-	var minDays int
-	flag.StringVar(&commit, "commit", "", "The commit to check.")
-	flag.StringVar(&owner, "owner", "", "The GitHub repository owner - required.")
-	flag.StringVar(&repo, "repo", "", "The GitHub repository name - required.")
-	flag.StringVar(&branch, "branch", "", "The branch within the repository - required.")
-	flag.IntVar(&minDays, "min_days", 1, "The minimum duration that the rules need to have been enabled for.")
-	flag.StringVar(&outputVsa, "output_vsa", "", "The path to write a signed VSA with the determined level.")
-	flag.Parse()
-
-	if commit == "" || owner == "" || repo == "" || branch == "" {
-		log.Fatal("Must set commit, owner, repo, and branch flags.")
-	}
-
-	gh_client := github.NewClient(nil)
-	ctx := context.Background()
-
-	sourceLevel, err := determineSourceLevel(ctx, gh_client, commit, owner, repo, branch, minDays)
-	if err != nil {
-		log.Fatal(err)
-	}
-	fmt.Print(sourceLevel)
-
-	if outputVsa != "" {
-		// This will output in the sigstore bundle format.
-		signedVsa, err := createSignedSourceVsa(owner, repo, commit, sourceLevel)
-		if err != nil {
-			log.Fatal(err)
-		}
-		err = os.WriteFile(outputVsa, []byte(signedVsa), 0644)
-		if err != nil {
-			log.Fatal(err)
-		}
-	}
+	cmd.Execute()
 }