feat: Use low-perms delegator for Node.js builder (#577)

Ian Lewis · web-flow · commit 88cd40e2eeb2 · 2023-05-01T16:27:58.000+09:00
Signed-off-by: Ian Lewis &lt;ianlewis@google.com&gt;
diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go
@@ -35,9 +35,11 @@ var defaultContainerTrustedReusableWorkflows = map[string]bool{
 }
 
 var delegatorGenericReusableWorkflow = trustedBuilderRepository + "/.github/workflows/delegator_generic_slsa3.yml"
+var delegatorLowPermsGenericReusableWorkflow = trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml"
 
 var defaultBYOBReusableWorkflows = map[string]bool{
-	delegatorGenericReusableWorkflow: true,
+	delegatorGenericReusableWorkflow:         true,
+	delegatorLowPermsGenericReusableWorkflow: true,
 }
 
 // VerifyCertficateSourceRepository verifies the source repository.
diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
@@ -101,7 +101,7 @@ func verifyNpmEnvAndCert(env *dsse.Envelope,
 	// We verify against the delegator re-usable workflow, not the user-provided
 	// builder. This is because the signing identity for delegator-based builders
 	// is *always* the delegator workflow.
-	expectedDelegatorWorkflow := httpsGithubCom + delegatorGenericReusableWorkflow
+	expectedDelegatorWorkflow := httpsGithubCom + delegatorLowPermsGenericReusableWorkflow
 	delegatorBuilderOpts := options.BuilderOpts{
 		ExpectedID: &expectedDelegatorWorkflow,
 	}
diff --git a/verifiers/utils/builder.go b/verifiers/utils/builder.go
@@ -7,6 +7,7 @@ import (
 	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
 )
 
+// TrustedBuilderID represents a builder ID that has been explicitly trusted.
 type TrustedBuilderID struct {
 	name, version string
 }
@@ -24,7 +25,7 @@ func TrustedBuilderIDNew(builderID string, needVersion bool) (*TrustedBuilderID,
 	}, nil
 }
 
-// Matches matches the builderID string against the reference builderID.
+// MatchesLoose matches the builderID string against the reference builderID.
 // If the builderID contains a semver, the full builderID must match.
 // Otherwise, only the name needs to match.
 // `allowRef: true` indicates that the matching need not be an eaxct
@@ -39,7 +40,7 @@ func (b *TrustedBuilderID) MatchesLoose(builderID string, allowRef bool) error {
 
 	if name != b.name {
 		return fmt.Errorf("%w: expected name '%s', got '%s'", serrors.ErrorMismatchBuilderID,
-			name, b.name)
+			b.name, name)
 	}
 
 	if version != "" && version != b.version {
@@ -55,7 +56,7 @@ func (b *TrustedBuilderID) MatchesLoose(builderID string, allowRef bool) error {
 	return nil
 }
 
-// Matches matches the builderID string against the reference builderID.
+// MatchesFull matches the builderID string against the reference builderID.
 // Both the name and versions are always verified.
 func (b *TrustedBuilderID) MatchesFull(builderID string, allowRef bool) error {
 	name, version, err := ParseBuilderID(builderID, false)
@@ -65,7 +66,7 @@ func (b *TrustedBuilderID) MatchesFull(builderID string, allowRef bool) error {
 
 	if name != b.name {
 		return fmt.Errorf("%w: expected name '%s', got '%s'", serrors.ErrorMismatchBuilderID,
-			name, b.name)
+			b.name, name)
 	}
 
 	if version != b.version {
@@ -81,14 +82,17 @@ func (b *TrustedBuilderID) MatchesFull(builderID string, allowRef bool) error {
 	return nil
 }
 
+// Name returns the trusted builder's name.
 func (b *TrustedBuilderID) Name() string {
 	return b.name
 }
 
+// Version returns the trusted builder's version reference if any.
 func (b *TrustedBuilderID) Version() string {
 	return b.version
 }
 
+// String returns the full trusted builder ID as a string.
 func (b *TrustedBuilderID) String() string {
 	if b.version == "" {
 		return b.name

Original file line number	Diff line number	Diff line change
`@@ -35,9 +35,11 @@ var defaultContainerTrustedReusableWorkflows = map[string]bool{`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`var delegatorGenericReusableWorkflow = trustedBuilderRepository + "/.github/workflows/delegator_generic_slsa3.yml"`
	`38`	`+var delegatorLowPermsGenericReusableWorkflow = trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml"`
`38`	`39`
`39`	`40`	`var defaultBYOBReusableWorkflows = map[string]bool{`
`40`		`- delegatorGenericReusableWorkflow: true,`
	`41`	`+ delegatorGenericReusableWorkflow: true,`
	`42`	`+ delegatorLowPermsGenericReusableWorkflow: true,`
`41`	`43`	`}`
`42`	`44`
`43`	`45`	`// VerifyCertficateSourceRepository verifies the source repository.`
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ func verifyNpmEnvAndCert(env *dsse.Envelope,`
`101`	`101`	`// We verify against the delegator re-usable workflow, not the user-provided`
`102`	`102`	`// builder. This is because the signing identity for delegator-based builders`
`103`	`103`	`// is always the delegator workflow.`
`104`		`- expectedDelegatorWorkflow := httpsGithubCom + delegatorGenericReusableWorkflow`
	`104`	`+ expectedDelegatorWorkflow := httpsGithubCom + delegatorLowPermsGenericReusableWorkflow`
`105`	`105`	`delegatorBuilderOpts := options.BuilderOpts{`
`106`	`106`	`ExpectedID: &expectedDelegatorWorkflow,`
`107`	`107`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import (`
`7`	`7`	`serrors "github.com/slsa-framework/slsa-verifier/v2/errors"`
`8`	`8`	`)`
`9`	`9`
	`10`	`+// TrustedBuilderID represents a builder ID that has been explicitly trusted.`
`10`	`11`	`type TrustedBuilderID struct {`
`11`	`12`	`name, version string`
`12`	`13`	`}`
`@@ -24,7 +25,7 @@ func TrustedBuilderIDNew(builderID string, needVersion bool) (*TrustedBuilderID,`
`24`	`25`	`}, nil`
`25`	`26`	`}`
`26`	`27`
`27`		`-// Matches matches the builderID string against the reference builderID.`
	`28`	`+// MatchesLoose matches the builderID string against the reference builderID.`
`28`	`29`	`// If the builderID contains a semver, the full builderID must match.`
`29`	`30`	`// Otherwise, only the name needs to match.`
`30`	`31`	// `allowRef: true` indicates that the matching need not be an eaxct
`@@ -39,7 +40,7 @@ func (b *TrustedBuilderID) MatchesLoose(builderID string, allowRef bool) error {`
`39`	`40`
`40`	`41`	`if name != b.name {`
`41`	`42`	`return fmt.Errorf("%w: expected name '%s', got '%s'", serrors.ErrorMismatchBuilderID,`
`42`		`- name, b.name)`
	`43`	`+ b.name, name)`
`43`	`44`	`}`
`44`	`45`
`45`	`46`	`if version != "" && version != b.version {`
`@@ -55,7 +56,7 @@ func (b *TrustedBuilderID) MatchesLoose(builderID string, allowRef bool) error {`
`55`	`56`	`return nil`
`56`	`57`	`}`
`57`	`58`
`58`		`-// Matches matches the builderID string against the reference builderID.`
	`59`	`+// MatchesFull matches the builderID string against the reference builderID.`
`59`	`60`	`// Both the name and versions are always verified.`
`60`	`61`	`func (b *TrustedBuilderID) MatchesFull(builderID string, allowRef bool) error {`
`61`	`62`	`name, version, err := ParseBuilderID(builderID, false)`
`@@ -65,7 +66,7 @@ func (b *TrustedBuilderID) MatchesFull(builderID string, allowRef bool) error {`
`65`	`66`
`66`	`67`	`if name != b.name {`
`67`	`68`	`return fmt.Errorf("%w: expected name '%s', got '%s'", serrors.ErrorMismatchBuilderID,`
`68`		`- name, b.name)`
	`69`	`+ b.name, name)`
`69`	`70`	`}`
`70`	`71`
`71`	`72`	`if version != b.version {`
`@@ -81,14 +82,17 @@ func (b *TrustedBuilderID) MatchesFull(builderID string, allowRef bool) error {`
`81`	`82`	`return nil`
`82`	`83`	`}`
`83`	`84`
	`85`	`+// Name returns the trusted builder's name.`
`84`	`86`	`func (b *TrustedBuilderID) Name() string {`
`85`	`87`	`return b.name`
`86`	`88`	`}`
`87`	`89`
	`90`	`+// Version returns the trusted builder's version reference if any.`
`88`	`91`	`func (b *TrustedBuilderID) Version() string {`
`89`	`92`	`return b.version`
`90`	`93`	`}`
`91`	`94`
	`95`	`+// String returns the full trusted builder ID as a string.`
`92`	`96`	`func (b *TrustedBuilderID) String() string {`
`93`	`97`	`if b.version == "" {`
`94`	`98`	`return b.name`