diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
index 8e92439ea..f9e592e5c 100644
--- a/verifiers/internal/gha/provenance.go
+++ b/verifiers/internal/gha/provenance.go
@@ -294,17 +294,39 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error {
 	if err != nil {
 		return err
 	}
+
 	parts := strings.Split(id, "@")
 	if len(parts) != 2 {
 		return fmt.Errorf("%w: %s", serrors.ErrorInvalidBuilderID, id)
 	}
+	builderRef := parts[1]
 	// Exception for JReleaser builders.
 	// See https://github.com/slsa-framework/slsa-github-generator/issues/2035#issuecomment-1579963802.
 	if strings.HasPrefix(parts[0], JReleaserRepository) {
-		return utils.IsValidJreleaserBuilderTag(parts[1])
+		return utils.IsValidJreleaserBuilderTag(builderRef)
 	}
-	return utils.IsValidBuilderTag(parts[1], false)
+
+	sourceURI, err := prov.SourceURI()
+	if err != nil {
+		return err
+	}
+
+	uri, _, err := utils.ParseGitURIAndRef(sourceURI)
+	if err != nil {
+		return err
+	}
+	// Exception to enable e2e tests for BYOB builders referenced at main.
+	normalizedE2eRepoURI := utils.NormalizeGitURI(httpsGithubCom + e2eTestRepository)
+	normalizedURI := utils.NormalizeGitURI(uri)
+	if normalizedURI == normalizedE2eRepoURI && options.TestingEnabled() {
+		// Allow verification on the main branch to support e2e tests.
+		if builderRef == "refs/heads/main" {
+			return nil
+		}
+	}
+
+	return utils.IsValidBuilderTag(builderRef, false)
 }
 // builderID returns the trusted builder ID from the provenance.
diff --git a/verifiers/internal/gha/provenance_test.go b/verifiers/internal/gha/provenance_test.go
index 7fbb31a18..eb0c4e7c2 100644
--- a/verifiers/internal/gha/provenance_test.go
+++ b/verifiers/internal/gha/provenance_test.go
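Review bot: The e2e exception adds two new hard-failure paths to the production code path, because `prov.SourceURI()` and `utils.ParseGitURIAndRef` now run for every non-JReleaser delegator builder before `options.TestingEnabled()` is consulted; a provenance whose source URI does not parse is now rejected by this function even with testing disabled, which the old code did not do (such inputs may well fail elsewhere, but that is not visible here). Checking `options.TestingEnabled() && builderRef == "refs/heads/main"` first keeps the non-testing path identical to before and confines the source-URI work to the single case that needs it, as sketched below. The exception relaxes only the ref; whether `parts[0]` is compared against a trusted builder list is not visible in this hunk, so a one-line comment saying where that happens would help the next reader of a bypass in a verification routine. The function's opening, where `id` and `err` are obtained, lies above the hunk.
```go
	// … unchanged: id/parts/JReleaser handling above …
	// Exception to enable e2e tests for BYOB builders referenced at main.
	// Gated on the testing flag first so the non-testing path never touches
	// the source URI here and its behaviour is unchanged.
	if options.TestingEnabled() && builderRef == "refs/heads/main" {
		sourceURI, err := prov.SourceURI()
		if err != nil {
			return err
		}
		uri, _, err := utils.ParseGitURIAndRef(sourceURI)
		if err != nil {
			return err
		}
		if utils.NormalizeGitURI(uri) == utils.NormalizeGitURI(httpsGithubCom+e2eTestRepository) {
			return nil
		}
	}

	return utils.IsValidBuilderTag(builderRef, false)
```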
@@ -403,45 +403,76 @@ func Test_verifySourceURI(t *testing.T) {
 }
 func Test_isValidDelegatorBuilderID(t *testing.T) {
-	t.Parallel()
 	tests := []struct {
-		name      string
-		builderID string
-		err       error
+		name           string
+		builderID      string
+		sourceURI      string
+		testingEnabled bool
+		err            error
 	}{
 		{
 			name:      "no @",
 			builderID: "some/builderID",
+			sourceURI: "git+" + httpsGithubCom + e2eTestRepository,
 			err:       serrors.ErrorInvalidBuilderID,
 		},
 		{
 			name:      "invalid ref",
 			builderID: "some/builderID@v1.2.3",
+			sourceURI: "git+" + httpsGithubCom + e2eTestRepository,
 			err:       serrors.ErrorInvalidRef,
 		},
 		{
 			name:      "invalid ref not tag",
 			builderID: "some/builderID@refs/head/v1.2.3",
+			sourceURI: "git+" + httpsGithubCom + e2eTestRepository,
 			err:       serrors.ErrorInvalidRef,
 		},
 		{
 			name:      "invalid ref not full semver",
 			builderID: "some/builderID@refs/heads/v1.2",
+			sourceURI: "git+" + httpsGithubCom + e2eTestRepository,
 			err:       serrors.ErrorInvalidRef,
 		},
 		{
 			name:      "valid builder",
+			sourceURI: "git+" + httpsGithubCom + e2eTestRepository,
 			builderID: "some/builderID@refs/tags/v1.2.3",
 		},
+		{
+			name:           "invalid builder ref not e2e repo with testing enabled",
+			sourceURI:      "git+" + httpsGithubCom + "some/repo",
+			builderID:      "some/builderID@refs/heads/main",
+			testingEnabled: true,
+			err:            serrors.ErrorInvalidRef,
+		},
+		{
+			name:           "invalid builder ref e2e repo with testing enabled",
+			sourceURI:      "git+" + httpsGithubCom + e2eTestRepository,
+			builderID:      "some/builderID@refs/heads/main",
+			testingEnabled: true,
+		},
+		{
+			name:      "invalid builder ref e2e repo",
+			sourceURI: "git+" + httpsGithubCom + e2eTestRepository,
+			builderID: "some/builderID@refs/heads/main",
+			err:       serrors.ErrorInvalidRef,
+		},
 	}
 	for _, tt := range tests {
 		tt := tt // Re-initializing variable so it is not changed while executing the closure below
 		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
 			prov := &testProvenance{
 				builderID: tt.builderID,
+				sourceURI: tt.sourceURI,
+			}
+
+			if tt.testingEnabled {
+				t.Setenv("SLSA_VERIFIER_TESTING", "1")
+			} else {
+				// Ensure that the variable is not set.
+				t.Setenv("SLSA_VERIFIER_TESTING", "")
 			}
 			err := isValidDelegatorBuilderID(prov)
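Review bot: The new cases pin that `refs/heads/main` is accepted for the e2e repository with testing enabled, but nothing pins that the exception is narrow — there is no case with testing enabled, the e2e repository and a non-main branch, which must still yield `serrors.ErrorInvalidRef`, so a regression that widened the bypass to any branch would pass this table; the case below closes that gap. A case with testing enabled and a source URI that `utils.ParseGitURIAndRef` rejects would likewise pin the error path the change adds. The `else` branch sets `SLSA_VERIFIER_TESTING` to the empty string rather than unsetting it, and whether `options.TestingEnabled()` treats empty as disabled is not visible here; the comment should state what the test relies on, e.g. `// t.Setenv cannot unset; an empty value must read as disabled.` The assertion on `err` lies below the hunk.
```go
		// … unchanged: existing cases …
		{
			name:           "non-main branch e2e repo with testing enabled",
			sourceURI:      "git+" + httpsGithubCom + e2eTestRepository,
			builderID:      "some/builderID@refs/heads/feature",
			testingEnabled: true,
			err:            serrors.ErrorInvalidRef,
		},
```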