Start creation of a checktag command. (#149)

This command creates tag provenance (new!) and VSAs for those tags.

There's more work to do to fully iron this out but it's ready for
some testing.

This was a fairly large refactor that involved generalizing the
GitHubConnection class so that it doesn't assume there are branches and
being able to mock the bnd verifier to make unit tests possible/easier.

Signed-off-by: Tom Hennen <[email protected]>

Author: TomHennen

.github/workflows/local_attest.yml

@@ -2,6 +2,7 @@ name: SLSA Source
 on:
   push:
     branches: [ "main" ]
+    tags: ['**']
 
 jobs:
   # Whenever new source is pushed recompute the slsa source information.

DESIGN.md

@@ -233,7 +233,8 @@ This tool can also check to see if the GitHub repo/ref is configured to require
 ### IMMUTABLE_TAGS
 
 This tool can also check to see if the GitHub repo is configured to require
-immutable tags.  To do so it checks that the repo:
+immutable tags.  To do so it checks that the repo enables the follow rules
+to ~ALL tags:
 
 1. Doesn't allow tag updates
 2. Doesn't allow tag deletions
@@ -243,6 +244,11 @@ Importing [rulesets/tag_immutability.json](rulesets/tag_immutability.json)
 to a repos rulesets will enable the repo controls. The `immutable_tags`
 field in the policy then needs to be enabled too.
 
+TODO: In the future this tool could be updated to allow some subset of tags
+to be updated (e.g. `latest`, `nightly`), but that feature is not yet
+supported. Tracked
+[here](https://github.com/slsa-framework/slsa-source-poc/issues/129).
+
 ## Open Issues
 
 ### Dealing with reliability

actions/slsa_with_provenance/action.yml

@@ -22,11 +22,18 @@ runs:
     - id: setup
       run: mkdir -p metadata
       shell: bash
-    - id: determine_level
+    - id: handle_branch_push
+      if: ${{ startsWith(github.ref, 'refs/heads/') }}
       run: |
-        echo "## SLSA Source Properties" >> $GITHUB_STEP_SUMMARY
+        echo "## SLSA Source Properties Branch Push" >> $GITHUB_STEP_SUMMARY
         go run github.com/slsa-framework/slsa-source-poc/sourcetool@8de659f119d933d4cfaed300e7d8bd78528a48c7 --github_token ${{ github.token }} checklevelprov --commit ${{ github.sha }} --owner ${{ github.repository_owner }} --repo ${{ github.event.repository.name }} --branch ${{ github.ref_name }} --output_signed_bundle ${{ github.workspace }}/metadata/signed_bundle.intoto.jsonl >> $GITHUB_STEP_SUMMARY
       shell: bash
+    - id: handle_tag_push
+      if: ${{ startsWith(github.ref, 'refs/tags/') }}
+      run: |
+        echo "## SLSA Source Properties Tag Push" >> $GITHUB_STEP_SUMMARY
+        echo "TODO"
+      shell: bash
     - id: summary
       run: |
         echo "## Signed Bundle" >> $GITHUB_STEP_SUMMARY

go.work.sum

@@ -73,6 +73,7 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/bufbuild/protocompile v0.10.0/go.mod h1:G9qQIQo0xZ6Uyj6CMNz0saGmx2so+KONo8/KrELABiY=
+github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
 github.com/buildkite/agent/v3 v3.81.0/go.mod h1:edJeyycODRxaFvpT22rDGwaQ5oa4eB8GjtbjgX5VpFw=
 github.com/buildkite/go-pipeline v0.13.1/go.mod h1:2HHqlSFTYgHFhzedJu0LhLs9n5c9XkYnHiQFVN5HE4U=
 github.com/buildkite/interpolate v0.1.3/go.mod h1:UNVe6A+UfiBNKbhAySrBbZFZFxQ+DXr9nWen6WVt/A8=
@@ -180,7 +181,6 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3
 github.com/google/wire v0.6.0/go.mod h1:F4QhpQ9EDIdJ1Mbop/NZBRB+5yrR6qg3BnctaoUk6NA=
 github.com/googleapis/google-cloud-go-testing v0.0.0-20210719221736-1c9a4c676720/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
 github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
-github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=

policy/github.com/TomHennen/Concordance/source-policy.json

@@ -5,8 +5,11 @@
       "Name": "master",
       "Since": "2025-03-23T18:08:43.25099739Z",
       "target_slsa_source_level": "SLSA_SOURCE_LEVEL_3",
-      "require_review": false,
-      "immutable_tags": true
+      "require_review": false
     }
-  ]
+  ],
+  "protected_tag": {
+    "Since": "2025-03-23T18:08:43.25099739Z",
+    "immutable_tags": true
+  }
 }

sourcetool/cmd/checklevel.go

@@ -41,22 +41,22 @@ func doCheckLevel(commit, owner, repo, branch, outputVsa, outputUnsignedVsa stri
 		log.Fatal("Must set commit, owner, repo, and branch flags.")
 	}
 
-	gh_connection := gh_control.NewGhConnection(owner, repo, branch).WithAuthToken(githubToken)
+	gh_connection := gh_control.NewGhConnection(owner, repo, gh_control.BranchToFullRef(branch)).WithAuthToken(githubToken)
 	ctx := context.Background()
 
-	controlStatus, err := gh_connection.GetControls(ctx, commit)
+	controlStatus, err := gh_connection.GetBranchControls(ctx, commit, gh_connection.GetFullRef())
 	if err != nil {
 		log.Fatal(err)
 	}
-	pol := policy.NewPolicy()
-	pol.UseLocalPolicy = checkLevelProvArgs.useLocalPolicy
-	verifiedLevels, policyPath, err := pol.EvaluateControl(ctx, gh_connection, controlStatus)
+	pe := policy.NewPolicyEvaluator()
+	pe.UseLocalPolicy = checkLevelProvArgs.useLocalPolicy
+	verifiedLevels, policyPath, err := pe.EvaluateControl(ctx, gh_connection, controlStatus)
 	if err != nil {
 		log.Fatal(err)
 	}
 	fmt.Print(verifiedLevels)
 
-	unsignedVsa, err := attest.CreateUnsignedSourceVsa(gh_connection, commit, verifiedLevels, policyPath)
+	unsignedVsa, err := attest.CreateUnsignedSourceVsa(gh_connection.GetRepoUri(), gh_connection.GetFullRef(), commit, verifiedLevels, policyPath)
 	if err != nil {
 		log.Fatal(err)
 	}

sourcetool/cmd/checklevelprov.go

@@ -46,7 +46,7 @@ var (
 
 func doCheckLevelProv(checkLevelProvArgs CheckLevelProvArgs) {
 	gh_connection :=
-		gh_control.NewGhConnection(checkLevelProvArgs.owner, checkLevelProvArgs.repo, checkLevelProvArgs.branch).WithAuthToken(githubToken)
+		gh_control.NewGhConnection(checkLevelProvArgs.owner, checkLevelProvArgs.repo, gh_control.BranchToFullRef(checkLevelProvArgs.branch)).WithAuthToken(githubToken)
 	ctx := context.Background()
 
 	prevCommit := checkLevelProvArgs.prevCommit
@@ -58,22 +58,22 @@ func doCheckLevelProv(checkLevelProvArgs CheckLevelProvArgs) {
 		}
 	}
 
-	pa := attest.NewProvenanceAttestor(gh_connection, getVerificationOptions())
-	prov, err := pa.CreateSourceProvenance(ctx, checkLevelProvArgs.prevBundlePath, checkLevelProvArgs.commit, prevCommit)
+	pa := attest.NewProvenanceAttestor(gh_connection, getVerifier())
+	prov, err := pa.CreateSourceProvenance(ctx, checkLevelProvArgs.prevBundlePath, checkLevelProvArgs.commit, prevCommit, gh_connection.GetFullRef())
 	if err != nil {
 		log.Fatal(err)
 	}
 
 	// check p against policy
-	pol := policy.NewPolicy()
-	pol.UseLocalPolicy = checkLevelProvArgs.useLocalPolicy
-	verifiedLevels, policyPath, err := pol.EvaluateProv(ctx, gh_connection, prov)
+	pe := policy.NewPolicyEvaluator()
+	pe.UseLocalPolicy = checkLevelProvArgs.useLocalPolicy
+	verifiedLevels, policyPath, err := pe.EvaluateSourceProv(ctx, gh_connection, prov)
 	if err != nil {
 		log.Fatal(err)
 	}
 
 	// create vsa
-	unsignedVsa, err := attest.CreateUnsignedSourceVsa(gh_connection, checkLevelProvArgs.commit, verifiedLevels, policyPath)
+	unsignedVsa, err := attest.CreateUnsignedSourceVsa(gh_connection.GetRepoUri(), gh_connection.GetFullRef(), checkLevelProvArgs.commit, verifiedLevels, policyPath)
 	if err != nil {
 		log.Fatal(err)
 	}

sourcetool/cmd/checktag.go

@@ -0,0 +1,108 @@
+/*
+Copyright © 2025 NAME HERE <EMAIL ADDRESS>
+*/
+package cmd
+
+import (
+	"context"
+	"log"
+	"os"
+
+	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/attest"
+	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/gh_control"
+	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/policy"
+	"github.com/spf13/cobra"
+	"google.golang.org/protobuf/encoding/protojson"
+)
+
+type CheckTagArgs struct {
+	commit             string
+	owner              string
+	repo               string
+	tagName            string
+	outputSignedBundle string
+	useLocalPolicy     string
+}
+
+var (
+	checkTagArgs CheckTagArgs
+	// checktagCmd represents the checktag command
+	checktagCmd = &cobra.Command{
+		Use:   "checktag",
+		Short: "Checks to see if the tag operation should be allowed and issues a VSA",
+		Run: func(cmd *cobra.Command, args []string) {
+			doCheckTag(checkTagArgs)
+		},
+	}
+)
+
+func doCheckTag(args CheckTagArgs) {
+	gh_connection :=
+		gh_control.NewGhConnection(args.owner, args.repo, gh_control.TagToFullRef(args.tagName)).WithAuthToken(githubToken)
+	ctx := context.Background()
+	verifier := getVerifier()
+
+	// Create tag provenance.
+	pa := attest.NewProvenanceAttestor(gh_connection, verifier)
+	prov, err := pa.CreateTagProvenance(ctx, args.commit, gh_control.TagToFullRef(args.tagName))
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// check p against policy
+	pe := policy.NewPolicyEvaluator()
+	pe.UseLocalPolicy = args.useLocalPolicy
+	verifiedLevels, policyPath, err := pe.EvaluateTagProv(ctx, gh_connection, prov)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// create vsa
+	unsignedVsa, err := attest.CreateUnsignedSourceVsa(gh_connection.GetRepoUri(), gh_connection.GetFullRef(), args.commit, verifiedLevels, policyPath)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	unsignedProv, err := protojson.Marshal(prov)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	if args.outputSignedBundle != "" {
+		f, err := os.OpenFile(args.outputSignedBundle, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0644)
+		if err != nil {
+			log.Fatal(err)
+		}
+		defer f.Close()
+
+		signedProv, err := attest.Sign(string(unsignedProv))
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		signedVsa, err := attest.Sign(unsignedVsa)
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		f.WriteString(signedProv)
+		f.WriteString("\n")
+		f.WriteString(signedVsa)
+		f.WriteString("\n")
+	} else {
+		log.Printf("unsigned prov: %s\n", unsignedProv)
+		log.Printf("unsigned vsa: %s\n", unsignedVsa)
+	}
+}
+
+func init() {
+	rootCmd.AddCommand(checktagCmd)
+
+	checktagCmd.Flags().StringVar(&checkTagArgs.commit, "commit", "", "The commit to check - required.")
+	checktagCmd.Flags().StringVar(&checkTagArgs.owner, "owner", "", "The GitHub repository owner - required.")
+	checktagCmd.Flags().StringVar(&checkTagArgs.repo, "repo", "", "The GitHub repository name - required.")
+	checktagCmd.Flags().StringVar(&checkTagArgs.tagName, "tag_name", "", "The name of the new tag - required.")
+	checktagCmd.Flags().StringVar(&checkTagArgs.outputSignedBundle, "output_signed_bundle", "", "The path to write a bundle of signed attestations.")
+	checktagCmd.Flags().StringVar(&checkTagArgs.useLocalPolicy, "use_local_policy", "", "UNSAFE: Use the policy at this local path instead of the official one.")
+
+}

sourcetool/cmd/createpolicy.go

@@ -35,7 +35,7 @@ var (
 )
 
 func doCreatePolicy(policyRepoPath, owner, repo, branch string) {
-	gh_connection := gh_control.NewGhConnection(owner, repo, branch).WithAuthToken(githubToken)
+	gh_connection := gh_control.NewGhConnection(owner, repo, gh_control.BranchToFullRef(branch)).WithAuthToken(githubToken)
 	ctx := context.Background()
 	outpath, err := policy.CreateLocalPolicy(ctx, gh_connection, policyRepoPath)
 	if err != nil {

sourcetool/cmd/prov.go

@@ -32,10 +32,10 @@ var (
 )
 
 func doProv(prevAttPath, commit, prevCommit, owner, repo, branch string) {
-	gh_connection := gh_control.NewGhConnection(owner, repo, branch).WithAuthToken(githubToken)
+	gh_connection := gh_control.NewGhConnection(owner, repo, gh_control.BranchToFullRef(branch)).WithAuthToken(githubToken)
 	ctx := context.Background()
-	pa := attest.NewProvenanceAttestor(gh_connection, attest.DefaultVerifierOptions)
-	newProv, err := pa.CreateSourceProvenance(ctx, prevAttPath, commit, prevCommit)
+	pa := attest.NewProvenanceAttestor(gh_connection, getVerifier())
+	newProv, err := pa.CreateSourceProvenance(ctx, prevAttPath, commit, prevCommit, gh_connection.GetFullRef())
 	if err != nil {
 		log.Fatal(err)
 	}