feat: add git refs to go witness git attestor

this enables witness to track git refs Co-authored-by: Nick Kane <nkanedev@gmail.com>
testifysec · Jun 5, 2024 · 8455496 · 8455496
1 parent 94c5d38
commit 8455496
Show file tree

Hide file tree

Showing 10 changed files with 71 additions and 9 deletions.
diff --git a/.github/workflows/verify-schemagen.yaml b/.github/workflows/verify-schemagen.yaml
@@ -8,8 +8,8 @@ permissions:
   contents: read
 
 jobs:
-  docgen:
-    name: Verify Docgen
+  verify-schema:
+    name: Verify Schema
     runs-on: ubuntu-latest
 
     steps:

diff --git a/attestation/git/git.go b/attestation/git/git.go
@@ -94,6 +94,7 @@ type Attestor struct {
 	Refs           []string             `json:"refs,omitempty"`
 	Remotes        []string             `json:"remotes,omitempty"`
 	Tags           []Tag                `json:"tags,omitempty"`
+	RefNameShort   string               `json:"branch,omitempty"`
 }
 
 func New() *Attestor {
@@ -184,6 +185,7 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
 	a.CommitDate = commit.Author.When.String()
 	a.CommitMessage = commit.Message
 	a.Signature = commit.PGPSignature
+	a.RefNameShort = head.Name().Short()
 
 	for _, parent := range commit.ParentHashes {
 		a.ParentHashes = append(a.ParentHashes, parent.String())
@@ -289,6 +291,14 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 		subjects[subjectName] = ds
 	}
 
+	// add refname short
+	subjectName = fmt.Sprintf("refnameshort:%v", a.RefNameShort)
+	ds, err = cryptoutil.CalculateDigestSetFromBytes([]byte(a.RefNameShort), hashes)
+	if err != nil {
+		return nil
+	}
+	subjects[subjectName] = ds
+
 	return subjects
 }
 

diff --git a/go.mod b/go.mod
@@ -77,6 +77,7 @@ require (
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.17.6 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20240226214708-a97e074b5a3e // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect

diff --git a/go.sum b/go.sum
@@ -225,8 +225,8 @@ github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
-github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
+github.com/klauspost/compress v1.17.6 h1:60eq2E/jlfwQXtvZEeBUYADs+BwKBWURIY+Gj2eRGjI=
+github.com/klauspost/compress v1.17.6/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=

diff --git a/schemagen/gcp-iit.json b/schemagen/gcp-iit.json
@@ -243,6 +243,12 @@
                     "$ref": "#/$defs/ObjectIdentifier"
                   },
                   "type": "array"
+                },
+                "Policies": {
+                  "items": {
+                    "$ref": "#/$defs/OID"
+                  },
+                  "type": "array"
                 }
               },
               "additionalProperties": false,
@@ -291,7 +297,8 @@
                 "PermittedURIDomains",
                 "ExcludedURIDomains",
                 "CRLDistributionPoints",
-                "PolicyIdentifiers"
+                "PolicyIdentifiers",
+                "Policies"
               ]
             },
             "Extension": {
@@ -464,6 +471,11 @@
                 "ExtraNames"
               ]
             },
+            "OID": {
+              "properties": {},
+              "additionalProperties": false,
+              "type": "object"
+            },
             "ObjectIdentifier": {
               "items": {
                 "type": "integer"

diff --git a/schemagen/git.json b/schemagen/git.json
@@ -63,6 +63,9 @@
             "$ref": "#/$defs/Tag"
           },
           "type": "array"
+        },
+        "branch": {
+          "type": "string"
         }
       },
       "additionalProperties": false,

diff --git a/schemagen/github.json b/schemagen/github.json
@@ -243,6 +243,12 @@
                     "$ref": "#/$defs/ObjectIdentifier"
                   },
                   "type": "array"
+                },
+                "Policies": {
+                  "items": {
+                    "$ref": "#/$defs/OID"
+                  },
+                  "type": "array"
                 }
               },
               "additionalProperties": false,
@@ -291,7 +297,8 @@
                 "PermittedURIDomains",
                 "ExcludedURIDomains",
                 "CRLDistributionPoints",
-                "PolicyIdentifiers"
+                "PolicyIdentifiers",
+                "Policies"
               ]
             },
             "Extension": {
@@ -464,6 +471,11 @@
                 "ExtraNames"
               ]
             },
+            "OID": {
+              "properties": {},
+              "additionalProperties": false,
+              "type": "object"
+            },
             "ObjectIdentifier": {
               "items": {
                 "type": "integer"

diff --git a/schemagen/gitlab.json b/schemagen/gitlab.json
@@ -243,6 +243,12 @@
                     "$ref": "#/$defs/ObjectIdentifier"
                   },
                   "type": "array"
+                },
+                "Policies": {
+                  "items": {
+                    "$ref": "#/$defs/OID"
+                  },
+                  "type": "array"
                 }
               },
               "additionalProperties": false,
@@ -291,7 +297,8 @@
                 "PermittedURIDomains",
                 "ExcludedURIDomains",
                 "CRLDistributionPoints",
-                "PolicyIdentifiers"
+                "PolicyIdentifiers",
+                "Policies"
               ]
             },
             "Extension": {
@@ -464,6 +471,11 @@
                 "ExtraNames"
               ]
             },
+            "OID": {
+              "properties": {},
+              "additionalProperties": false,
+              "type": "object"
+            },
             "ObjectIdentifier": {
               "items": {
                 "type": "integer"

diff --git a/schemagen/jwt.json b/schemagen/jwt.json
@@ -237,6 +237,12 @@
             "$ref": "#/$defs/ObjectIdentifier"
           },
           "type": "array"
+        },
+        "Policies": {
+          "items": {
+            "$ref": "#/$defs/OID"
+          },
+          "type": "array"
         }
       },
       "additionalProperties": false,
@@ -285,7 +291,8 @@
         "PermittedURIDomains",
         "ExcludedURIDomains",
         "CRLDistributionPoints",
-        "PolicyIdentifiers"
+        "PolicyIdentifiers",
+        "Policies"
       ]
     },
     "Extension": {
@@ -458,6 +465,11 @@
         "ExtraNames"
       ]
     },
+    "OID": {
+      "properties": {},
+      "additionalProperties": false,
+      "type": "object"
+    },
     "ObjectIdentifier": {
       "items": {
         "type": "integer"

diff --git a/schemagen/verify.sh b/schemagen/verify.sh
@@ -22,7 +22,7 @@ tmpdir2=$(mktemp -d)
 cp ./schemagen/*.json "$tmpdir2/"
 go run ./schemagen --dir "$tmpdir"
 echo "###########################################"
-echo "If diffs are found, run: make docgen"
+echo "If diffs are found, run: make schema"
 echo "###########################################"
 diff -Nau "$tmpdir" "$tmpdir2"
 rm -rf "$tmpdir" "$tmpdir2"