slsa-framework · laurentsimon · Aug 11, 2023 · Jul 31, 2023 · Jul 31, 2023 · Jul 31, 2023
@@ -18,7 +18,8 @@ type ProvenanceOpts struct {
 	// ExpectedSourceURI is the expected source URI in the provenance.
 	ExpectedSourceURI string
 
-	// ExpectedBuilderID is the expected builder ID.
+	// ExpectedBuilderID is the expected builder ID that is parsed from the envelope
+	// of the provenance.
 	ExpectedBuilderID string
 
 	// ExpectedWorkflowInputs is a map of key=value inputs.
@@ -31,6 +32,7 @@ type ProvenanceOpts struct {
 
 // BuildOpts are the options for checking the builder.
 type BuilderOpts struct {
-	// ExpectedID is the expected builder ID.
+	// ExpectedID is the expected builder ID that is inputted
+	// at the command line by the user to be verified.
 	ExpectedID *string
 }
@@ -109,11 +109,25 @@ func verifyTrustedBuilderID(certBuilderID, certTag string, expectedBuilderID *st
 		if _, ok := defaultTrustedBuilders[certBuilderID]; !ok {
 			return nil, false, fmt.Errorf("%w: %s with builderID provided: %t", serrors.ErrorUntrustedReusableWorkflow, certBuilderID, expectedBuilderID != nil)
 		}
+
 		// Construct the builderID using the certificate's builder's name and tag.
 		trustedBuilderID, err = utils.TrustedBuilderIDNew(certBuilderID+"@"+certTag, true)
 		if err != nil {
 			return nil, false, err
 		}
+
+		// Check if:
+		// - the builder in the cert is a BYOB builder
+		// - the caller trusts the BYOB builder
+		// If both are true, we don't match the user-provided builder ID
+		// against the certificate. Instead that will be done by the caller.
+		//
+		// This return enables non-compulsory builderID feature for BYOB builders
+		// by setting byob flag to true.
+		if isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders) {
+			return trustedBuilderID, true, nil
+		}
+
 	} else {
 		// Verify the builderID.
 		// We only accept IDs on github.com.

@@ -477,6 +477,15 @@ func Test_verifyTrustedBuilderID(t *testing.T) {
 			defaults: defaultBYOBReusableWorkflows,
 			byob:     true,
 		},
+		{
+			// This is a BYOB workflow without an id that tests non-compulsory builder-id
+			// feature of slsa-verifier and expects byob to be true
+			name:     "generic delegator workflow no id",
+			path:     trustedBuilderRepository + "/.github/workflows/delegator_generic_slsa3.yml",
+			tag:      "refs/tags/v1.2.3",
+			defaults: defaultBYOBReusableWorkflows,
+			byob:     true,
+		},
 		{
 			name:     "low perms delegator workflow short tag",
 			path:     trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml",
@@ -486,10 +495,13 @@ func Test_verifyTrustedBuilderID(t *testing.T) {
 			byob:     true,
 		},
 		{
+			// This is a BYOB workflow without an id that tests non-compulsory builder-id
+			// feature of slsa-verifier and expects byob to be true
 			name:     "low perms delegator workflow no ID provided",
 			path:     trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml",
 			tag:      "v1.2.3",
 			defaults: defaultBYOBReusableWorkflows,
+			byob:     true,
 		},
 		{
 			name:     "default mismatch against container defaults long tag",

@@ -58,6 +58,31 @@ func verifyBuilderIDExactMatch(prov iface.Provenance, expectedBuilderID string)
 	return nil
 }
 
+// Verifies expectedBuilderIDPath against path in provenance, and returns the actual
+// builderIDPath if verified against inputted expected path.
+//
+// Example: the expectedBuilderID will default to the delegator builder ID for BYOB.
+// This can verify actual BYOB builderIDPath against the trusted builderIDPath inputted,
+// Currently slsa-framework path is the only one supported for ExpectedBuilderPath.
+func verifyBuilderIDPath(prov iface.Provenance, expectedBuilderIDPath string) (string, error) {
+	id, err := prov.BuilderID()
+	if err != nil {
+		return "", err
+	}
+
+	provBuilderID, err := utils.TrustedBuilderIDNew(id, false)
+	if err != nil {
+		return "", err
+	}
+
+	// Compare actual BuilderIDPath with the expected.
+	if !strings.HasPrefix(provBuilderID.Name(), expectedBuilderIDPath) {
+		return "", fmt.Errorf("%w: BuilderID Path Mismatch. Got: %q. Expected: %q", serrors.ErrorInvalidBuilderID, provBuilderID.Name(), expectedBuilderIDPath)
+	}
+
+	return provBuilderID.Name(), nil
+}
+
 // Verify Builder ID in provenance statement.
 // This function verifies the names match. If the expected builder ID contains a version,
 // it also verifies the versions match.
@@ -70,6 +95,7 @@ func verifyBuilderIDLooseMatch(prov iface.Provenance, expectedBuilderID string)
 	if err != nil {
 		return err
 	}
+
 	if err := provBuilderID.MatchesLoose(expectedBuilderID, true); err != nil {
 		return err
 	}
@@ -286,7 +312,8 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error {
 }
 
 // VerifyProvenance verifies the provenance for the given DSSE envelope.
-func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, byob bool) error {
+func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, byob bool,
+	builderOpts *options.BuilderOpts) error {
 	prov, err := slsaprovenance.ProvenanceFromEnvelope(trustedBuilderID.Name(), env)
 	if err != nil {
 		return err
@@ -297,7 +324,21 @@ func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceO
 		if err := isValidDelegatorBuilderID(prov); err != nil {
 			return err
 		}
-		// Note: `provenanceOpts.ExpectedBuilderID` is provided by the user.
+
+		// If ExpectedID is empty, check to see if it is a trusted builder.
+		// If empty and trusted builder, populate with path from provenance,
+		// otherwise, populate from user input.
+		if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" {
+			var trustedBuilderRepositoryPath = httpsGithubCom + trustedBuilderRepository + "/.github/workflows/"
+			if provenanceOpts.ExpectedBuilderID, err = verifyBuilderIDPath(prov, trustedBuilderRepositoryPath); err != nil {
+				return err
+			}
+		} else {
+			provenanceOpts.ExpectedBuilderID = *builderOpts.ExpectedID
+		}
+
+		// Note: `provenanceOpts.ExpectedBuilderID` is provided by the user
+		// or from return of verifyBuilderIDPath.
 		if err := verifyBuilderIDLooseMatch(prov, provenanceOpts.ExpectedBuilderID); err != nil {
 			return err
 		}

@@ -71,15 +71,8 @@ func verifyEnvAndCert(env *dsse.Envelope,
 	// There is a corner-case to handle: if the verified builder ID from the cert
 	// is a delegator builder, the user MUST provide an expected builder ID
 	// and we MUST match it against the content of the provenance.
-	if byob {
-		if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" {
-			// NOTE: we will need to update the logic here once our default trusted builders
-			// are migrated to using BYOB.
-			return nil, nil, fmt.Errorf("%w: empty ID", serrors.ErrorInvalidBuilderID)
-		}
-		provenanceOpts.ExpectedBuilderID = *builderOpts.ExpectedID
-	}
-	if err := VerifyProvenance(env, provenanceOpts, verifiedBuilderID, byob); err != nil {
+
+	if err := VerifyProvenance(env, provenanceOpts, verifiedBuilderID, byob, builderOpts); err != nil {
 		return nil, nil, err
 	}