Support tag control automation in sourcetool setup repo (#246)

* onboard: Do preflight check with authenticator

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Regenerate fakes

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Add tag hygiene to repo setup

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Suggest policy until SLSA3+

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Report all control errs, honor noop

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Report control config

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

Author: puerco

sourcetool/internal/cmd/setup.go

@@ -180,6 +180,13 @@ sourcetool is about to perform the following actions on your behalf:
 				return fmt.Errorf("onboarding repo: %w", err)
 			}
 
+			fmt.Println()
+			fmt.Println(w("✅ Controls have been configured successfully."))
+			fmt.Println()
+			fmt.Printf("Please run %s\n", w2("sourcetool status "+opts.GetRepository().Path))
+			fmt.Println("to check the status of the new controls and for the next steps.")
+			fmt.Println()
+
 			return nil
 		},
 	}

sourcetool/internal/cmd/status.go

@@ -171,8 +171,8 @@ sourcetool status myorg/myrepo@mybranch
 					continue
 				}
 
-				// Suggest creating the policy but only on the higher levels
-				if status.Name == slsa.PolicyAvailable && toplevel == slsa.SlsaSourceLevel1 {
+				// Suggest creating the policy but only when reaching SLSA3+
+				if status.Name == slsa.PolicyAvailable && !slsa.IsLevelHigherOrEqualTo(toplevel, slsa.SlsaSourceLevel3) {
 					continue
 				}
 

sourcetool/pkg/sourcetool/backends/vcs/github/manage.go

@@ -59,7 +59,7 @@ func (b *Backend) CreateWorkflowPR(r *models.Repository, branches []*models.Bran
 	}
 	workflowYAML := fmt.Sprintf(workflowData, strings.Join(quotedBranchesList, ", "))
 
-	// Create a PAR manager
+	// Create a PR manager
 	prManager := repo.NewPullRequestManager(repo.WithAuthenticator(b.authenticator))
 
 	// TODO(puerco): Honor forks settings, etc
@@ -191,29 +191,43 @@ func (b *Backend) CreateTagRuleset(r *models.Repository) error {
 	return nil
 }
 
+// ConfigureControls configure the SLSA controls in the repository
 func (b *Backend) ConfigureControls(r *models.Repository, branches []*models.Branch, configs []models.ControlConfiguration) error {
+	errs := []error{}
 	for _, config := range configs {
 		switch config {
 		case models.CONFIG_BRANCH_RULES:
 			if err := b.CreateRepoRuleset(r, branches); err != nil {
-				return fmt.Errorf("creating rules in the repository: %w", err)
+				if !errors.Is(err, models.ErrProtectionAlreadyInPlace) {
+					errs = append(errs, fmt.Errorf("creating rules in the repository: %w", err))
+				}
 			}
 		case models.CONFIG_GEN_PROVENANCE:
-			if err := b.CheckWorkflowFork(r); err != nil {
-				return fmt.Errorf("checking repository fork: %w", err)
+			pr, err := b.FindWorkflowPR(context.Background(), r)
+			if err != nil {
+				errs = append(errs, fmt.Errorf("checking repository pull request: %w", err))
+			}
+
+			if pr != nil {
+				continue
 			}
+
 			if _, err := b.CreateWorkflowPR(r, branches); err != nil {
-				return fmt.Errorf("opening SLSA source workflow pull request: %w", err)
+				if !errors.Is(err, models.ErrProtectionAlreadyInPlace) {
+					errs = append(errs, fmt.Errorf("opening SLSA source workflow pull request: %w", err))
+				}
 			}
 		case models.CONFIG_TAG_RULES:
 			if err := b.CreateTagRuleset(r); err != nil {
-				return fmt.Errorf("opening SLSA source workflow pull request: %w", err)
+				if !errors.Is(err, models.ErrProtectionAlreadyInPlace) {
+					errs = append(errs, fmt.Errorf("opening SLSA source workflow pull request: %w", err))
+				}
 			}
 		case models.CONFIG_POLICY:
 			// Noop, this is not handled by the VCS handler
 		default:
-			return fmt.Errorf("unknown configuration flag: %q", config)
+			errs = append(errs, fmt.Errorf("unknown configuration flag: %q", config))
 		}
 	}
-	return nil
+	return errors.Join(errs...)
 }

sourcetool/pkg/sourcetool/implementation.go

@@ -6,7 +6,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"os"
 	"strings"
 	"time"
 
@@ -23,15 +22,11 @@ import (
 	"github.com/slsa-framework/slsa-source-poc/sourcetool/pkg/sourcetool/options"
 )
 
-const (
-	tokenVar = "GITHUB_TOKEN" //nolint:gosec // This are not creds, just the name
-)
-
 // toolImplementation defines the mockable implementation of source tool
 //
 //counterfeiter:generate . toolImplementation
 type toolImplementation interface {
-	VerifyOptionsForFullOnboard(*options.Options) error
+	VerifyOptionsForFullOnboard(*auth.Authenticator, *options.Options) error
 	CheckPolicyFork(*options.Options) error
 	CreatePolicyPR(*auth.Authenticator, *options.Options, *models.Repository, *policy.RepoPolicy) (*models.PullRequest, error)
 	CheckForks(*options.Options) error
@@ -72,10 +67,14 @@ func (impl *defaultToolImplementation) GetVcsBackend(*models.Repository) (models
 
 // VerifyOptions checks options are in good shape to run
 // TODO(puerco): To be completed
-func (impl *defaultToolImplementation) VerifyOptionsForFullOnboard(opts *options.Options) error {
+func (impl *defaultToolImplementation) VerifyOptionsForFullOnboard(a *auth.Authenticator, opts *options.Options) error {
 	errs := []error{}
-	if t := os.Getenv(tokenVar); t == "" {
-		errs = append(errs, fmt.Errorf("$%s environment variable not set", tokenVar))
+	uid, err := a.WhoAmI()
+	if err != nil {
+		errs = append(errs, err)
+	}
+	if uid == nil {
+		errs = append(errs, errors.New("sourcetool is not logged in"))
 	}
 
 	return errors.Join(errs...)

sourcetool/pkg/sourcetool/sourcetoolfakes/fake_tool_implementation.go

@@ -80,28 +80,18 @@ func (t *Tool) OnboardRepository(repo *models.Repository, branches []*models.Bra
 		return fmt.Errorf("getting VCS backend: %w", err)
 	}
 
-	if err := t.impl.CheckForks(&t.Options); err != nil {
-		return fmt.Errorf("checking repository forks: %w", err)
-	}
-
-	if err := t.impl.VerifyOptionsForFullOnboard(&t.Options); err != nil {
+	if err := t.impl.VerifyOptionsForFullOnboard(t.Authenticator, &t.Options); err != nil {
 		return fmt.Errorf("verifying options: %w", err)
 	}
 
 	if err = backend.ConfigureControls(
 		repo, branches, []models.ControlConfiguration{
-			models.CONFIG_BRANCH_RULES, models.CONFIG_GEN_PROVENANCE,
+			models.CONFIG_BRANCH_RULES, models.CONFIG_GEN_PROVENANCE, models.CONFIG_TAG_RULES,
 		},
 	); err != nil {
 		return fmt.Errorf("configuring controls: %w", err)
 	}
 
-	// TODO(puerco): Compute the policy here
-	_, err = t.impl.CreatePolicyPR(t.Authenticator, &t.Options, repo, nil)
-	if err != nil {
-		return fmt.Errorf("opening the policy pull request: %w", err)
-	}
-
 	return nil
 }