Combine common checks (slsa-framework#187)

Ian Lewis · web-flow · commit 001396751c60 · 2022-06-09T00:12:27.000Z
* Combine common checks

* fix buildType check

* move e2e_this_file

* Add environment checks
diff --git a/.github/workflows/pre-submit.e2e.generic.default.yml b/.github/workflows/pre-submit.e2e.generic.default.yml
@@ -1,10 +1,10 @@
-name: pre-submit e2e generic workflow
+name: pre-submit e2e generic default
 on:
   pull_request:
     branches: [main]
 
 env:
-  THIS_FILE: pre-submit.e2e.generic.workflow.yml
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 jobs:
   build:
@@ -15,7 +15,7 @@ jobs:
     uses: ./.github/workflows/slsa2_provenance.yml
     with:
       # echo "2e0390eb024a52963db7b95e84a9c2b12c004054a7bad9a97ec0c7c89d4681d2    binary-name" | base64 -w0
-      subjects: "MmUwMzkwZWIwMjRhNTI5NjNkYjdiOTVlODRhOWMyYjEyYzAwNDA1NGE3YmFkOWE5N2VjMGM3Yzg5ZDQ2ODFkMiAgICBiaW5hcnktbmFtZQo="
+      base64-subjects: "MmUwMzkwZWIwMjRhNTI5NjNkYjdiOTVlODRhOWMyYjEyYzAwNDA1NGE3YmFkOWE5N2VjMGM3Yzg5ZDQ2ODFkMiAgICBiaW5hcnktbmFtZQo="
 
   verify:
     runs-on: ubuntu-latest
@@ -26,5 +26,6 @@ jobs:
         with:
           name: ${{ needs.build.outputs.attestation-name }}
       - env:
+          BINARY: "binary-name"
           PROVENANCE: ${{ needs.build.outputs.attestation-name }}
-        run: "./.github/workflows/scripts/pre-submit.e2e.generic.workflow.sh"
+        run: ./.github/workflows/scripts/pre-submit.e2e.generic.default.sh
diff --git a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml
@@ -50,7 +50,4 @@ jobs:
       - env:
           BINARY: ${{ needs.build.outputs.go-binary-name }}
           PROVENANCE: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
-        run: |
-          set -euo pipefail
-
-          ./.github/workflows/scripts/e2e-verify.sh
+        run: ./.github/workflows/scripts/pre-submit.e2e.go.default.sh
diff --git a/.github/workflows/scripts/e2e-utils.sh b/.github/workflows/scripts/e2e-utils.sh
@@ -2,6 +2,12 @@
 
 source "./.github/workflows/scripts/e2e-assert.sh"
 
+# Gets the name of the currently running workflow file.
+# Note: this requires GH_TOKEN to be set in the workflows.
+e2e_this_file() {
+    gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3
+}
+
 e2e_verify_predicate_subject_name() {
     _e2e_verify_query "$1" "$2" '.subject[0].name'
 }
@@ -10,7 +16,7 @@ e2e_verify_predicate_builder_id() {
     _e2e_verify_query "$1" "$2" '.predicate.builder.id'
 }
 
-e2e_verify_predicate_builderType() {
+e2e_verify_predicate_buildType() {
     _e2e_verify_query "$1" "$2" '.predicate.buildType'
 }
 
@@ -36,19 +42,19 @@ e2e_verify_predicate_buildConfig_step_command() {
 e2e_verify_predicate_buildConfig_step_env() {
     local attestation="$2"
     local expected="$(echo -n "$3" | jq -c '.| sort')"
-    
+
     if [[ "${expected}" == "[]" ]]; then
-        _e2e_verify_query "${attestation}" "null"  ".predicate.buildConfig.steps[$1].env"
+        _e2e_verify_query "${attestation}" "null" ".predicate.buildConfig.steps[$1].env"
     else
-        _e2e_verify_query "${attestation}" "${expected}"  ".predicate.buildConfig.steps[$1].env | sort"
+        _e2e_verify_query "${attestation}" "${expected}" ".predicate.buildConfig.steps[$1].env | sort"
     fi
 }
 
 # $1: step number
 # $2: the attestation content
 # $3: expected value.
 e2e_verify_predicate_buildConfig_step_workingDir() {
-     _e2e_verify_query "$2" "$3" ".predicate.buildConfig.steps[$1].workingDir"
+    _e2e_verify_query "$2" "$3" ".predicate.buildConfig.steps[$1].workingDir"
 }
 
 e2e_verify_predicate_metadata() {
diff --git a/.github/workflows/scripts/e2e-verify.common.sh b/.github/workflows/scripts/e2e-verify.common.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+#
+# This file contains tests for common fields of Github Actions provenance.
+
+source "./.github/workflows/scripts/e2e-utils.sh"
+
+# Runs all generic SLSA checks that shouldn't change on a per-builder basis.
+# $1: the attestation content
+e2e_verify_common_all() {
+    e2e_verify_common_builder "$1"
+    e2e_verify_common_invocation "$1"
+    e2e_verify_common_metadata "$1"
+    e2e_verify_common_materials "$1"
+}
+
+# Verifies the builder for generic provenance.
+# $1: the attestation content
+e2e_verify_common_builder() {
+    e2e_verify_predicate_builder_id "$1" "https://github.com/Attestations/GitHubHostedActions@v1"
+}
+
+# Verifies the invocation for generic provenance.
+# $1: the attestation content
+e2e_verify_common_invocation() {
+    # NOTE: We set GITHUB_WORKFLOW to the entryPoint for pull_requests.
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/131): support retrieving entryPoint in pull requests.
+    e2e_verify_predicate_invocation_configSource "$1" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"},\"entryPoint\":\"$GITHUB_WORKFLOW\"}"
+
+    e2e_verify_predicate_invocation_environment "$1" "github_actor" "$GITHUB_ACTOR"
+    e2e_verify_predicate_invocation_environment "$1" "github_sha1" "$GITHUB_SHA"
+    # e2e_verify_predicate_invocation_environment "$1" "os" "ubuntu20"
+    # e2e_verify_predicate_invocation_environment "$1" "arch" "X64"
+    e2e_verify_predicate_invocation_environment "$1" "github_event_name" "$GITHUB_EVENT_NAME"
+    e2e_verify_predicate_invocation_environment "$1" "github_ref" "$GITHUB_REF"
+    e2e_verify_predicate_invocation_environment "$1" "github_ref_type" "$GITHUB_REF_TYPE"
+    e2e_verify_predicate_invocation_environment "$1" "github_run_id" "$GITHUB_RUN_ID"
+    e2e_verify_predicate_invocation_environment "$1" "github_run_number" "$GITHUB_RUN_NUMBER"
+    e2e_verify_predicate_invocation_environment "$1" "github_run_attempt" "$GITHUB_RUN_ATTEMPT"
+    # The checks below are commented out because they are populated via the OIDC token, which is not available in PRs.
+    #ACTOR_ID=$(gh api -H "Accept: application/vnd.github.v3+json"   /users/"$GITHUB_ACTOR" | jq -r '.id')
+    #OWNER_ID=$(gh api -H "Accept: application/vnd.github.v3+json"   /users/"$GITHUB_REPOSITORY_OWNER" | jq -r '.id')
+    #REPO_ID=$(gh api -H "Accept: application/vnd.github.v3+json"   /repos/"$GITHUB_REPOSITORY" | jq -r '.id')
+    #e2e_verify_predicate_invocation_environment "$1" "github_actor_id" "$ACTOR_ID"
+    #e2e_verify_predicate_invocation_environment "$1" "github_repository_owner_id" "$OWNER_ID"
+    #e2e_verify_predicate_invocation_environment "$1" "github_repository_id" "$REPO_ID"
+}
+
+# Verifies the expected metadata.
+# $1: the attestation content
+e2e_verify_common_metadata() {
+    e2e_verify_predicate_metadata "$1" "{\"buildInvocationID\":\"$GITHUB_RUN_ID-$GITHUB_RUN_ATTEMPT\",\"completeness\":{\"parameters\":true,\"environment\":false,\"materials\":false},\"reproducible\":false}"
+}
+
+# Verifies the materials include the GitHub repository.
+# $1: the attestation content
+e2e_verify_common_materials() {
+    e2e_verify_predicate_materials "$1" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"}}"
+}
diff --git a/.github/workflows/scripts/e2e-verify.sh b/.github/workflows/scripts/e2e-verify.sh
diff --git a/.github/workflows/scripts/pre-submit.e2e.generic.default.sh b/.github/workflows/scripts/pre-submit.e2e.generic.default.sh
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+#
+# Copyright 2022 SLSA Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -euo pipefail
+
+source "./.github/workflows/scripts/e2e-verify.common.sh"
+
+# TODO(github.com/slsa-framework/slsa-github-generator/issues/129): Address base64 output format.
+ATTESTATION=$(cat "$PROVENANCE")
+
+# Verify common provenance fields.
+e2e_verify_common_all "$ATTESTATION"
+
+e2e_verify_predicate_subject_name "$ATTESTATION" "$BINARY"
+e2e_verify_predicate_buildType "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator@v1"
diff --git a/.github/workflows/scripts/pre-submit.e2e.generic.workflow.sh b/.github/workflows/scripts/pre-submit.e2e.generic.workflow.sh
diff --git a/.github/workflows/scripts/pre-submit.e2e.go.default.sh b/.github/workflows/scripts/pre-submit.e2e.go.default.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+# To test:
+# export GITHUB_SHA=6f3b6435f5a17a25ad6cf2704d0c192bcef8193f
+# export GITHUB_RUN_ID=2272442563
+# export GITHUB_ACTOR=laurentsimon
+# export GITHUB_RUN_ATTEMPT=1
+# export GITHUB_REF=refs/heads/branch-name or refs/tags/tag-name
+# export GITHUB_REF_TYPE=branch or tag
+# export GITHUB_REPOSITORY=slsa-framework/example-package
+# export GITHUB_REF_NAME=v1.2.3
+# export GITHUB_WORKFLOW=go schedule main SLSA3 config-noldflags
+# export THIS_FILE=e2e.go.workflow_dispatch.main.config-noldflags.slsa3.yml
+# export BINARY=binary-linux-amd64
+# export PROVENANCE=example.intoto.jsonl
+# export GITHUB_EVENT_NAME=pull_request
+
+source "./.github/workflows/scripts/e2e-verify.common.sh"
+
+BRANCH="main"
+
+# Provenance content verification.
+ATTESTATION=$(base64 -d "$PROVENANCE")
+LDFLAGS=$(e2e_this_file | cut -d '.' -f4 | grep -v noldflags)
+
+# Verify common provenance fields.
+e2e_verify_common_all "$ATTESTATION"
+
+# Verify the subject and build type
+e2e_verify_predicate_subject_name "$ATTESTATION" "$BINARY"
+e2e_verify_predicate_buildType "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator/go@v1"
+
+# Verify extra invocation environment.
+e2e_verify_predicate_invocation_environment "$ATTESTATION" "os" "ubuntu20"
+e2e_verify_predicate_invocation_environment "$ATTESTATION" "arch" "X64"
+
+# Verify the buildConfig
+
+# First step is vendoring
+e2e_verify_predicate_buildConfig_step_command "0" "$ATTESTATION" "[\"mod\",\"vendor\"]"
+e2e_verify_predicate_buildConfig_step_env "0" "$ATTESTATION" "[]"
+e2e_verify_predicate_buildConfig_step_workingDir "0" "$ATTESTATION" "$PWD/internal/builders/go/e2e-presubmits"
+
+# Second step is the actual compilation.
+e2e_verify_predicate_buildConfig_step_env "1" "$ATTESTATION" "[\"GOOS=linux\",\"GOARCH=amd64\",\"GO111MODULE=on\",\"CGO_ENABLED=0\"]"
+e2e_verify_predicate_buildConfig_step_workingDir "1" "$ATTESTATION" "$PWD/internal/builders/go/e2e-presubmits"
+
+if [[ -n "$LDFLAGS" ]]; then
+	e2e_verify_predicate_buildConfig_step_command "1" "$ATTESTATION" "[\"build\",\"-mod=vendor\",\"-trimpath\",\"-tags=netgo\",\"-ldflags=-X main.gitVersion=v1.2.3 -X main.gitCommit=abcdef -X main.gitBranch=$BRANCH\",\"-o\",\"$BINARY\",\"main.go\"]"
+	chmod a+x ./"$BINARY"
+	V=$(./"$BINARY" | grep 'GitVersion: v1.2.3')
+	C=$(./"$BINARY" | grep 'GitCommit: abcdef')
+	B=$(./"$BINARY" | grep "GitBranch: main")
+	e2e_assert_not_eq "$V" "" "GitVersion should not be empty"
+	e2e_assert_not_eq "$C" "" "GitCommit should not be empty"
+	e2e_assert_not_eq "$B" "" "GitBranch should not be empty"
+else
+	e2e_verify_predicate_buildConfig_step_command "1" "$ATTESTATION" "[\"build\",\"-mod=vendor\",\"-trimpath\",\"-tags=netgo\",\"-o\",\"$BINARY\",\"main.go\"]"
+fi
