slsa-framework · laurentsimon · Aug 11, 2023 · Jul 31, 2023 · Jul 31, 2023 · Jul 31, 2023
@@ -18,7 +18,7 @@ type ProvenanceOpts struct {
 	// ExpectedSourceURI is the expected source URI in the provenance.
 	ExpectedSourceURI string
 
-	// ExpectedBuilderID is the expected builder ID.
+	// ExpectedBuilderID is the expected builder ID that is passed from user and verified
 	ExpectedBuilderID string
 
 	// ExpectedWorkflowInputs is a map of key=value inputs.
@@ -31,6 +31,6 @@ type ProvenanceOpts struct {
 
 // BuildOpts are the options for checking the builder.
 type BuilderOpts struct {
-	// ExpectedID is the expected builder ID.
+	// ExpectedBuilderID is the builderID passed in from the user to be verified
 	ExpectedID *string
 }
@@ -109,34 +109,45 @@ func verifyTrustedBuilderID(certBuilderID, certTag string, expectedBuilderID *st
 		if _, ok := defaultTrustedBuilders[certBuilderID]; !ok {
 			return nil, false, fmt.Errorf("%w: %s with builderID provided: %t", serrors.ErrorUntrustedReusableWorkflow, certBuilderID, expectedBuilderID != nil)
 		}
+
 		// Construct the builderID using the certificate's builder's name and tag.
 		trustedBuilderID, err = utils.TrustedBuilderIDNew(certBuilderID+"@"+certTag, true)
 		if err != nil {
 			return nil, false, err
 		}
-	} else {
-		// Verify the builderID.
-		// We only accept IDs on github.com.
-		trustedBuilderID, err = utils.TrustedBuilderIDNew(certBuilderID+"@"+certTag, true)
-		if err != nil {
-			return nil, false, err
-		}
 
 		// Check if:
 		// - the builder in the cert is a BYOB builder
 		// - the caller trusts the BYOB builder
 		// If both are true, we don't match the user-provided builder ID
 		// against the certificate. Instead that will be done by the caller.
-		if isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders) {
-			return trustedBuilderID, true, nil
-		}
+		//
+		// This return of the delegator builderID enables non-compulsory
+		// builderID feature for BYOB builders by setting byob flag to true.
+		return trustedBuilderID, isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders), nil
+	}
 
-		// Not a BYOB builder. BuilderID provided by user should match the certificate.
-		// Note: the certificate builderID has the form `name@refs/tags/v1.2.3`,
-		// so we pass `allowRef = true`.
-		if err := trustedBuilderID.MatchesLoose(*expectedBuilderID, true); err != nil {
-			return nil, false, fmt.Errorf("%w: %v", serrors.ErrorUntrustedReusableWorkflow, err)
-		}
+	// Verify the builderID.
+	// We only accept IDs on github.com.
+	trustedBuilderID, err = utils.TrustedBuilderIDNew(certBuilderID+"@"+certTag, true)
+	if err != nil {
+		return nil, false, err
+	}
+
+	// Check if:
+	// - the builder in the cert is a BYOB builder
+	// - the caller trusts the BYOB builder
+	// If both are true, we don't match the user-provided builder ID
+	// against the certificate. Instead that will be done by the caller.
+	if isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders) {
+		return trustedBuilderID, true, nil
+	}
+
+	// Not a BYOB builder. BuilderID provided by user should match the certificate.
+	// Note: the certificate builderID has the form `name@refs/tags/v1.2.3`,
+	// so we pass `allowRef = true`.
+	if err := trustedBuilderID.MatchesLoose(*expectedBuilderID, true); err != nil {
+		return nil, false, fmt.Errorf("%w: %v", serrors.ErrorUntrustedReusableWorkflow, err)
 	}
 
 	return trustedBuilderID, false, nil

@@ -477,6 +477,17 @@
 			defaults: defaultBYOBReusableWorkflows,
 			byob:     true,
 		},
+		{
+			// This is a BYOB workflow without an id that tests non-compulsory builder-id
+			// feature of slsa-verifier and expects byob to be true
+			name:     "generic delegator workflow no id",
+			path:     trustedBuilderRepository + "/.github/workflows/delegator_generic_slsa3.yml",
+			// NOTE: id is nil.
+			id:       nil,
+			tag:      "refs/tags/v1.2.3",
+			defaults: defaultBYOBReusableWorkflows,
+			byob:     true,
+		},
 		{
 			name:     "low perms delegator workflow short tag",
 			path:     trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml",
@@ -486,10 +497,15 @@
 			byob:     true,
 		},
 		{
+			// This is a BYOB workflow without an id that tests non-compulsory builder-id
+			// feature of slsa-verifier and expects byob to be true
 			name:     "low perms delegator workflow no ID provided",
 			path:     trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml",
+			// NOTE: id is nil.
+			id:       nil,
 			tag:      "v1.2.3",
 			defaults: defaultBYOBReusableWorkflows,
+			byob:     true,
 		},
 		{
 			name:     "default mismatch against container defaults long tag",

@@ -58,6 +58,27 @@ func verifyBuilderIDExactMatch(prov iface.Provenance, expectedBuilderID string)
 	return nil
 }
 
+// verifyBuilderIDPathPrefix verifies that the builder ID in provenance matches the provided expectedBuilderIDPathPrefix.
+// Returns provenance builderID if verified against provided expected Builder ID path prefix.
+func verifyBuilderIDPathPrefix(prov iface.Provenance, expectedBuilderIDPathPrefix string) (string, error) {
+	id, err := prov.BuilderID()
+	if err != nil {
+		return "", err
+	}
+
+	provBuilderID, err := utils.TrustedBuilderIDNew(id, false)
+	if err != nil {
+		return "", err
+	}
+
+	// Compare actual BuilderID with the expected BuilderID Path Prefix.
+	if !strings.HasPrefix(provBuilderID.Name(), expectedBuilderIDPathPrefix) {
+		return "", fmt.Errorf("%w: BuilderID Path Mismatch. Got: %q. Expected BuilderID Path Prefix: %q", serrors.ErrorInvalidBuilderID, provBuilderID.Name(), expectedBuilderIDPathPrefix)
+	}
+
+	return provBuilderID.Name(), nil
+}
+
 // Verify Builder ID in provenance statement.
 // This function verifies the names match. If the expected builder ID contains a version,
 // it also verifies the versions match.
@@ -70,6 +91,7 @@ func verifyBuilderIDLooseMatch(prov iface.Provenance, expectedBuilderID string)
 	if err != nil {
 		return err
 	}
+
 	if err := provBuilderID.MatchesLoose(expectedBuilderID, true); err != nil {
 		return err
 	}
@@ -304,7 +326,8 @@ func builderID(env *dsselib.Envelope, certTrustedBuilderID *utils.TrustedBuilder
 }
 
 // VerifyProvenance verifies the provenance for the given DSSE envelope.
-func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, byob bool) error {
+func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, byob bool,
+	expectedID *string) error {
 	prov, err := slsaprovenance.ProvenanceFromEnvelope(trustedBuilderID.Name(), env)
 	if err != nil {
 		return err
@@ -315,7 +338,24 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO
 		if err := isValidDelegatorBuilderID(prov); err != nil {
 			return err
 		}
-		// Note: `provenanceOpts.ExpectedBuilderID` is provided by the user.
+
+		// If expectedID is not provided, check to see if it is a trusted builder.
+		// If not provided, then a trusted builder is expected, to populate provenanceOpts.ExpectedBuilderID
+		// with that builder, otherwise, populate from user input.
+		//
+		// This can verify the actual BYOB builderIDPath against the trusted builderIDPath provided.
+		// Currently slsa-framework path is the only one supported for ExpectedBuilderPath.
+		if expectedID == nil {
+			var trustedBuilderRepositoryPath = httpsGithubCom + trustedBuilderRepository + "/.github/workflows/"
+			if provenanceOpts.ExpectedBuilderID, err = verifyBuilderIDPathPrefix(prov, trustedBuilderRepositoryPath); err != nil {
+				return err
+			}
+		} else {
+			provenanceOpts.ExpectedBuilderID = *expectedID
+		}
+
+		// NOTE: `provenanceOpts.ExpectedBuilderID` is provided by the user
+		// or from return of verifyBuilderIDPath.
 		if err := verifyBuilderIDLooseMatch(prov, provenanceOpts.ExpectedBuilderID); err != nil {
 			return err
 		}

@@ -1,6 +1,9 @@
 package gha
 
 import (
+	"fmt"
+	"os"
+	"path/filepath"
 	"testing"
 	"time"
 
@@ -9,6 +12,8 @@ import (
 	slsacommon "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 	slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
 	slsa1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1"
+	"github.com/slsa-framework/slsa-verifier/v2/options"
+	"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
 
 	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
 	"github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/common"
@@ -1182,3 +1187,113 @@ func Test_VerifyVersionedTag(t *testing.T) {
 		})
 	}
 }
+
+func Test_VerifyTrustedProvenance(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name                 string
+		envelopePath         string
+		provenanceOpts       *options.ProvenanceOpts
+		trustedBuilderIDName string
+		byob                 bool
+		expectedID           *string
+		expected             error
+	}{
+		{
+			name:         "Verify Trusted (slsa-github-generator) Bazel Builder (v1.8.0",
+			envelopePath: "bazel-trusted-dsseEnvelope.build.slsa",
+			provenanceOpts: &options.ProvenanceOpts{
+				ExpectedBranch:         nil,
+				ExpectedTag:            nil,
+				ExpectedVersionedTag:   nil,
+				ExpectedDigest:         "caaadba2846905ac477c777e96a636e1c2e067fdf6fed90ec9eeca4df18d6ed9",
+				ExpectedSourceURI:      "github.com/enteraga6/slsa-lvl3-generic-provenance-with-bazel-example",
+				ExpectedBuilderID:      "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.8.0",
+				ExpectedWorkflowInputs: map[string]string{},
+			},
+			byob:                 true,
+			trustedBuilderIDName: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.8.0",
+			expectedID:           nil,
+		},
+	}
+	for _, tt := range tests {
+		tt := tt // Re-initializing variable so it is not changed while executing the closure below
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			trustedBuilderID, tErr := utils.TrustedBuilderIDNew(tt.trustedBuilderIDName, true)
+			if tErr != nil {
+				t.Errorf("Provenance Verification FAILED. Error: %v", tErr)
+			}
+
+			envelopeBytes, err := os.ReadFile(filepath.Join("testdata", tt.envelopePath))
+			if err != nil {
+				panic(fmt.Errorf("os.ReadFile: %w", err))
+			}
+
+			env, err := EnvelopeFromBytes(envelopeBytes)
+			if err != nil {
+				panic(fmt.Errorf("unexpected error parsing envelope %s", err))
+			}
+
+			vErr := VerifyProvenance(env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID)
+			if vErr != nil {
+				t.Errorf("Provenance Verification FAILED. Error: %v", vErr)
+			}
+		})
+	}
+}
+
+func Test_VerifyUntrustedProvenance(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name                 string
+		envelopePath         string
+		provenanceOpts       *options.ProvenanceOpts
+		trustedBuilderIDName string
+		byob                 bool
+		expectedID           *string
+		expected             error
+	}{
+		{
+			name:         "Verify Un-Trusted (slsa-github-generator) Bazel Builder (from enteraga6/slsa-github-generator)",
+			envelopePath: "bazel-untrusted-dsseEnvelope.sigstore",
+			provenanceOpts: &options.ProvenanceOpts{
+				ExpectedBranch:         nil,
+				ExpectedTag:            nil,
+				ExpectedVersionedTag:   nil,
+				ExpectedDigest:         "caaadba2846905ac477c777e96a636e1c2e067fdf6fed90ec9eeca4df18d6ed9",
+				ExpectedSourceURI:      "github.com/enteraga6/slsa-lvl3-generic-provenance-with-bazel-example",
+				ExpectedBuilderID:      "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.7.0",
+				ExpectedWorkflowInputs: map[string]string{},
+			},
+			byob:                 true,
+			trustedBuilderIDName: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml@refs/tags/v1.7.0",
+			expectedID:           nil,
+		},
+	}
+	for _, tt := range tests {
+		tt := tt // Re-initializing variable so it is not changed while executing the closure below
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			trustedBuilderID, tErr := utils.TrustedBuilderIDNew(tt.trustedBuilderIDName, true)
+			if tErr != nil {
+				t.Errorf("Provenance Verification FAILED. Error: %v", tErr)
+			}
+
+			envelopeBytes, err := os.ReadFile(filepath.Join("testdata", tt.envelopePath))
+			if err != nil {
+				panic(fmt.Errorf("os.ReadFile: %w", err))
+			}
+
+			env, err := EnvelopeFromBytes(envelopeBytes)
+			if err != nil {
+				panic(fmt.Errorf("unexpected error parsing envelope %s", err))
+			}
+
+			vErr := VerifyProvenance(env, tt.provenanceOpts, trustedBuilderID, tt.byob, tt.expectedID)
+			if vErr == nil {
+				t.Errorf("Provenance Verification should have failed but DID NOT. Error: untrusted builder is trusted")
+			}
+		})
+	}
+}