diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eebd14d..32f1996 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: CLI release +name: CLI publish on: # For manual tests. @@ -18,4 +18,4 @@ jobs: uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.10.0 with: go-version-file: "./cmd/evaluator/go.mod" - config-file: .github/workflows/release/slsa-evaluator.yml + config-file: .github/workflows/publish/slsa-evaluator.yml diff --git a/README.md b/README.md index 78d8858..ab9ed38 100644 --- a/README.md +++ b/README.md @@ -9,14 +9,14 @@ - [What is provenance?](#what-is-provenance) - [What is slsa-policy?](#what-is-slsa-repo) - [Setup](#setup) - - [Release policy](#release-policy) + - [Publish policy](#publish-policy) - [Org setup](#org-setup) - [Policy setup](#policy-setup) - [Pre-submit validation](#pre-submit-validation) - - [Release service](#release-service) + - [Publish service](#publish-service) - [Team setup](#team-setup) - [Policy definition](#policy-definition) - - [Call the release service](#call-the-release-service) + - [Call the publish service](#call-the-publish-service) - [Deployment policy](#deployment-policy) - [Org setup](#org-setup-1) - [Policy setup](#policy-setup-1) @@ -69,7 +69,7 @@ slsa-policy is a Go library, a CLI and a set of GitHub Actions to implement sour ## Setup -### Release policy +### Publish policy #### Org setup 
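Review bot: The builder's `config-file` now points at `.github/workflows/publish/slsa-evaluator.yml`, but nothing in this diff moves `.github/workflows/release/slsa-evaluator.yml`; unless that directory is renamed in the same commit (this chunk may not show everything), the `builder_go_slsa3.yml` job will fail to find its config on the next run. The display name also becomes `CLI publish` while the file stays `release.yml` and the job still produces a GitHub release asset (the installer in this diff fetches it with `gh ... download`), so either keep `name: CLI release` or rename the file so the two agree.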
@@ -85,55 +85,55 @@ slsa-policy is a Go library, a CLI and a set of GitHub Actions to implement sour 1. Limit any bypass actors to those that are strictly necessary (i.e. break glass). 1. Require review from [CODEOWNERS](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#additional-settings). 1. Add team maintainers as contributors to the repository. Give them `write` access. Do *NOT* give them admin access. Note that you can do that later when teams create their first policy, see [Policy definition](#policy-definition). -1. Create a folder to store the release policies. See an example [here](https://github.com/laurentsimon/slsa-org/tree/main/policies/release/). -1. Create a file with your trusted roots. See example [org.json](https://github.com/laurentsimon/slsa-org/tree/main/policies/release/org.json). +1. Create a folder to store the publish policies. See an example [here](https://github.com/laurentsimon/slsa-org/tree/main/policies/publish/). +1. Create a file with your trusted roots. See example [org.json](https://github.com/laurentsimon/slsa-org/tree/main/policies/publish/org.json). ##### Pre-submit validation To validate the policy files, run the binary as: ```bash -cd policies/release -$ go run . release validate org.json . +cd policies/publish +$ go run . publish validate org.json . ``` TODO: we need pre-submits when new files are created, to ensure the appropriate owners are added to CODEOWNERS. -##### Release service +##### Publish service -You need to define a workflow that your teams will call when they want to release their container images. This workflow is responsible for evaluating the release policy. See an example [image-releaser.yml](https://github.com/laurentsimon/slsa-org/blob/main/.github/workflows/image-releaser.yml) +You need to define a workflow that your teams will call when they want to publish their container images. 
This workflow is responsible for evaluating the publish policy. See an example [image-publishr.yml](https://github.com/laurentsimon/slsa-org/blob/main/.github/workflows/image-publishr.yml) In the workflow above, the CLI is called as follows: ```bash -cd policies/release +cd policies/publish # This is passed by the caller, e.g. dev or prod. env="${{ inputs.environment }}" -go run . release evaluate org.json . "${image}" "${env}" +go run . publish evaluate org.json . "${image}" "${env}" ``` #### Team setup ##### Policy definition -Teams create their policy files under the folder defined by their organization in [Policy setup](#policy-setup). See an example of a policy in [echo-server.json](https://github.com/laurentsimon/slsa-org/blob/main/policies/release/echo-server.json). +Teams create their policy files under the folder defined by their organization in [Policy setup](#policy-setup). See an example of a policy in [echo-server.json](https://github.com/laurentsimon/slsa-org/blob/main/policies/publish/echo-server.json). When a team creates a new file or folder: 1. If not already done in [Org setup](#org-setup), org administrators should add team members as contributors and give them `write` access. Do *NOT* gives them admin access. 1. Update the CODEOWNERS file to give permissions to the team members who own the package. This allows teams to edit their policies without requiring reviews by the organization admnistrators. -##### Call the release service +##### Call the publish service -When publishing containers, teams must call the release policy service service [image-releaser.yml](https://github.com/laurentsimon/slsa-org/blob/main/.github/workflows/image-releaser.yml) defined in the org's [Release service](#release-service) section. See an example [deploy-image.yml](https://github.com/laurentsimon/slsa-project/blob/main/.github/workflows/deploy-image.yml). This workflows would be called with environment set as "staging" first. 
One staging tests have passed, it may be called with "prod" environment. Note that the environment must match one the values defined in the policy definition [echo-server.json](https://github.com/laurentsimon/slsa-org/blob/main/policies/release/echo-server.json). +When publishing containers, teams must call the publish policy service service [image-publishr.yml](https://github.com/laurentsimon/slsa-org/blob/main/.github/workflows/image-publishr.yml) defined in the org's [Publish service](#publish-service) section. See an example [deploy-image.yml](https://github.com/laurentsimon/slsa-project/blob/main/.github/workflows/deploy-image.yml). This workflows would be called with environment set as "staging" first. One staging tests have passed, it may be called with "prod" environment. Note that the environment must match one the values defined in the policy definition [echo-server.json](https://github.com/laurentsimon/slsa-org/blob/main/policies/publish/echo-server.json). -After the workflow has successfully run, you may manually verify the release attestation via: +After the workflow has successfully run, you may manually verify the publish attestation via: ```bash # NOTE: change image to your image. $ image=docker.io/laurentsimon/slsa-project-echo-server@sha256:4378b3d11e11ede0f64946e588c590e460e44f90c8a7921ad2cb7b04aaf298d4 -$ creator_id=https://github.com/laurentsimon/slsa-org/.github/workflows/image-releaser.yml@refs/heads/main -$ type=https://slsa.dev/release/v0.1 +$ creator_id=https://github.com/laurentsimon/slsa-org/.github/workflows/image-publishr.yml@refs/heads/main +$ type=https://slsa.dev/publish/v0.1 $ cosign verify-attestation "${image}" \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity "${creator_id}" 
@@ -198,9 +198,9 @@ When a team creates a new file or folder: ##### Call the deployment service -Before submitting a request to deploy containers, teams must call the deployment policy service [image-deployer.yml](https://github.com/laurentsimon/slsa-org/blob/main/.github/workflows/image-deployer.yml) defined in the org's [Deployment service](#deployment-service) section. See an example [deploy-image.yml](https://github.com/laurentsimon/slsa-project/blob/main/.github/workflows/deploy-image.yml). This may be called with "staging" environment first to allow the container to run on the staging service account defined in [servers-staging.json](https://github.com/laurentsimon/slsa-org/blob/main/policies/deployment/servers-staging.json). Once all staging tests have passed, it may be called with "prod" environment. Note that the environment must match one the values defined in the release policy file [servers-prod.json](https://github.com/laurentsimon/slsa-org/blob/main/policies/deployment/servers-prod.json) and the deployment policy file [echo-server.json](https://github.com/laurentsimon/slsa-org/blob/main/policies/release/echo-server.json). +Before submitting a request to deploy containers, teams must call the deployment policy service [image-deployer.yml](https://github.com/laurentsimon/slsa-org/blob/main/.github/workflows/image-deployer.yml) defined in the org's [Deployment service](#deployment-service) section. See an example [deploy-image.yml](https://github.com/laurentsimon/slsa-project/blob/main/.github/workflows/deploy-image.yml). This may be called with "staging" environment first to allow the container to run on the staging service account defined in [servers-staging.json](https://github.com/laurentsimon/slsa-org/blob/main/policies/deployment/servers-staging.json). Once all staging tests have passed, it may be called with "prod" environment. 
Note that the environment must match one the values defined in the publish policy file [servers-prod.json](https://github.com/laurentsimon/slsa-org/blob/main/policies/deployment/servers-prod.json) and the deployment policy file [echo-server.json](https://github.com/laurentsimon/slsa-org/blob/main/policies/publish/echo-server.json). -After the workflow has successfully run, you may manually verify the release attestation via: +After the workflow has successfully run, you may manually verify the publish attestation via: ```bash # NOTE: change image to your image. diff --git a/actions/installer/action.yml b/actions/installer/action.yml index 1cf54f6..7eda96a 100644 --- a/actions/installer/action.yml +++ b/actions/installer/action.yml @@ -26,7 +26,7 @@ runs: echo "GH_ACTION_REPOSITORY: ${GH_ACTION_REPOSITORY}" echo "PWD: $PWD" - - name: Download the release binary + - name: Download the publish binary id: download shell: bash working-directory: ${{ steps.working_dir.outputs.name }} @@ -44,7 +44,7 @@ runs: exit 1 fi ref="${GH_ACTION_REF}" - gh release -R "${GH_ACTION_REPOSITORY}" download "${ref}" -p "binary-linux-amd64*" + gh publish -R "${GH_ACTION_REPOSITORY}" download "${ref}" -p "binary-linux-amd64*" chmod u+x binary-linux-amd64 echo "ref=${ref}" >> "$GITHUB_OUTPUT" diff --git a/cmd/evaluator/internal/deployment/evaluate/evaluate.go b/cmd/evaluator/internal/deployment/evaluate/evaluate.go index 691ef91..fd94e60 100644 --- a/cmd/evaluator/internal/deployment/evaluate/evaluate.go +++ b/cmd/evaluator/internal/deployment/evaluate/evaluate.go @@ -60,7 +60,7 @@ func Run(cli string, args []string) error { // Evaluate the policy. opts := deployment.AttestationVerificationOption{ - Verifier: newReleaseVerifier(), + Verifier: newPublishVerifier(), } digests := intoto.DigestSet{ digestsArr[0]: digestsArr[1], 
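Review bot: `gh publish -R "${GH_ACTION_REPOSITORY}" download ...` is not a GitHub CLI command; the asset is still a GitHub release, so this mechanical rename breaks the installer at the `download` step and the line should stay `gh release -R "${GH_ACTION_REPOSITORY}" download "${ref}" -p "binary-linux-amd64*"`. The step name in the first hunk (`Download the publish binary`) reads oddly for the same reason; `Download the evaluator binary` describes what is fetched. Since the release workflow in this diff appears to build this binary with the SLSA Go builder, the installer could also verify the downloaded artifact's provenance against the expected source repository and `ref` before the `chmod u+x`, rather than executing whatever the release asset contains. The run step continues outside the hunk.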
@@ -71,7 +71,7 @@ func Run(cli string, args []string) error { return result.Error() } - // Create a release attestation and sign it. + // Create a publish attestation and sign it. // TODO(#3): do not attach the attestation, so that caller can do it however they want. // TODO(#2): add policy. att, err := result.AttestationNew() diff --git a/cmd/evaluator/internal/deployment/evaluate/release_verifier.go b/cmd/evaluator/internal/deployment/evaluate/publish_verifier.go similarity index 57% rename from cmd/evaluator/internal/deployment/evaluate/release_verifier.go rename to cmd/evaluator/internal/deployment/evaluate/publish_verifier.go index 34ac66b..8656d18 100644 --- a/cmd/evaluator/internal/deployment/evaluate/release_verifier.go +++ b/cmd/evaluator/internal/deployment/evaluate/publish_verifier.go 
@@ -9,34 +9,34 @@ import ( "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/utils" "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/utils/crypto" "github.com/laurentsimon/slsa-policy/pkg/deployment" - "github.com/laurentsimon/slsa-policy/pkg/release" + "github.com/laurentsimon/slsa-policy/pkg/publish" "github.com/laurentsimon/slsa-policy/pkg/utils/intoto" ) -type releaseVerifier struct { - deployment.AttestationVerifierReleaseOptions +type publishVerifier struct { + deployment.AttestationVerifierPublishOptions } -func newReleaseVerifier() *releaseVerifier { - return &releaseVerifier{} +func newPublishVerifier() *publishVerifier { + return &publishVerifier{} } -func (v *releaseVerifier) validate() error { +func (v *publishVerifier) validate() error { // Validate the identities. - if err := crypto.ValidateIdentity(v.AttestationVerifierReleaseOptions.ReleaserID, - v.AttestationVerifierReleaseOptions.ReleaserIDRegex); err != nil { + if err := crypto.ValidateIdentity(v.AttestationVerifierPublishOptions.PublishrID, + v.AttestationVerifierPublishOptions.PublishrIDRegex); err != nil { return err } // Validate the build level. - if v.AttestationVerifierReleaseOptions.BuildLevel <= 0 || v.AttestationVerifierReleaseOptions.BuildLevel > 4 { - return fmt.Errorf("build level (%d) must be between 1 and 4", v.AttestationVerifierReleaseOptions.BuildLevel) + if v.AttestationVerifierPublishOptions.BuildLevel <= 0 || v.AttestationVerifierPublishOptions.BuildLevel > 4 { + return fmt.Errorf("build level (%d) must be between 1 and 4", v.AttestationVerifierPublishOptions.BuildLevel) } return nil } -func (v *releaseVerifier) setOptions(opts deployment.AttestationVerifierReleaseOptions) error { +func (v *publishVerifier) setOptions(opts deployment.AttestationVerifierPublishOptions) error { // Set the options. - v.AttestationVerifierReleaseOptions = opts + v.AttestationVerifierPublishOptions = opts // Validate the options. if err := v.validate(); err != nil { return err 
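Review bot: `PublishrID`/`PublishrIDRegex` look like a mechanical `releaser`→`publishr` substitution; "publishr" is not a word, and it now also reaches user-facing text (`publishr ID (%q)` in the error and log lines of this file's later hunks, `ValidateIdentity`'s error in crypto.go, and `image-publishr.yml` in the README and org.json). Since `deployment.AttestationVerifierPublishOptions` is exported (pkg/deployment/deployment.go in this diff), settling on `PublisherID`/`PublisherIDRegex` now avoids a second API rename; the same applies to `publishrID` in crypto.go, `internal_verifier.VerifyPublishAttestation`, and `publishrID1`/`publishrID2` in deployment_test.go. `setOptions` continues outside the hunk.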
@@ -44,7 +44,7 @@ func (v *releaseVerifier) setOptions(opts deployment.AttestationVerifierReleaseO
 return nil
 }
 
-func (v *releaseVerifier) verifySignature(imageName string, digests intoto.DigestSet) (string, []byte, error) {
+func (v *publishVerifier) verifySignature(imageName string, digests intoto.DigestSet) (string, []byte, error) {
 // Validate the image.
 if strings.Contains(imageName, "@") || strings.Contains(imageName, ":") {
 return "", nil, fmt.Errorf("invalid image name (%q)", imageName)
@@ -58,32 +58,32 @@ func (v *releaseVerifier) verifySignature(imageName string, digests intoto.Diges fmt.Println("imageURI:", imageURI) // Verify the signature. - fullReleaserID, attBytes, err := crypto.VerifySignature(imageURI, v.AttestationVerifierReleaseOptions.ReleaserID, - v.AttestationVerifierReleaseOptions.ReleaserIDRegex) + fullPublishrID, attBytes, err := crypto.VerifySignature(imageURI, v.AttestationVerifierPublishOptions.PublishrID, + v.AttestationVerifierPublishOptions.PublishrIDRegex) if err != nil { - return "", nil, fmt.Errorf("failed to verify image (%q) with releaser ID (%q) releaser ID regex (%q): %v", - imageURI, v.AttestationVerifierReleaseOptions.ReleaserID, v.AttestationVerifierReleaseOptions.ReleaserIDRegex, err) + return "", nil, fmt.Errorf("failed to verify image (%q) with publishr ID (%q) publishr ID regex (%q): %v", + imageURI, v.AttestationVerifierPublishOptions.PublishrID, v.AttestationVerifierPublishOptions.PublishrIDRegex, err) } - return fullReleaserID, attBytes, nil + return fullPublishrID, attBytes, nil } -func (v *releaseVerifier) verifyAttestationContent(attBytes []byte, imageName string, digests intoto.DigestSet, environment []string) (*string, error) { +func (v *publishVerifier) verifyAttestationContent(attBytes []byte, imageName string, digests intoto.DigestSet, environment []string) (*string, error) { attReader := io.NopCloser(bytes.NewReader(attBytes)) - verification, err := release.VerificationNew(attReader, &utils.PackageHelper{}) + verification, err := publish.VerificationNew(attReader, &utils.PackageHelper{}) if err != nil { return nil, fmt.Errorf("failed to create verifier for image (%q) and env (%q): %w", imageName, environment, err) } // Build level verification. 
- levelOpts := []release.VerificationOption{ - release.IsSlsaBuildLevelOrAbove(v.AttestationVerifierReleaseOptions.BuildLevel), + levelOpts := []publish.VerificationOption{ + publish.IsSlsaBuildLevelOrAbove(v.AttestationVerifierPublishOptions.BuildLevel), } // If environment is present, we must verify it. var errList []error if len(environment) > 0 { for i := range environment { penv := &environment[i] - opts := append(levelOpts, release.IsPackageEnvironment(*penv)) + opts := append(levelOpts, publish.IsPackageEnvironment(*penv)) // WARNING: We must ensure that the imageName follows the format defined in the policy. // This is the case, since our policy expect an image as registry/image. if err := verification.Verify(digests, imageName, opts...); err != nil { @@ -92,8 +92,8 @@ func (v *releaseVerifier) verifyAttestationContent(attBytes []byte, imageName st continue } // Success. - utils.Log("Image (%q) verified with releaser ID (%q) and releaser ID regex (%q) and env (%q)\n", - imageName, v.AttestationVerifierReleaseOptions.ReleaserID, v.AttestationVerifierReleaseOptions.ReleaserIDRegex, *penv) + utils.Log("Image (%q) verified with publishr ID (%q) and publishr ID regex (%q) and env (%q)\n", + imageName, v.AttestationVerifierPublishOptions.PublishrID, v.AttestationVerifierPublishOptions.PublishrIDRegex, *penv) return penv, nil } // We could not verify the attestation. 
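Review bot: In `verifySignature` the wrapped error still uses `%v`, so the cosign verification error is flattened and callers cannot `errors.Is`/`errors.As` it; `verifyAttestationContent` in the same hunk already uses `%w`, so the line should read `return "", nil, fmt.Errorf("failed to verify image (%q) with publishr ID (%q) publishr ID regex (%q): %w", ...)`. The local name `fullPublishrID` also overstates what `crypto.VerifySignature` returns — per crypto.go in this diff it hands back the `PublishrID` argument it was given, which is empty in the regex case — so a plainer name such as `publisherID` is more honest until that is fixed. `fmt.Println("imageURI:", imageURI)` writes to stdout while the rest of the file logs through `utils.Log`. `verifySignature` begins outside the hunk.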
@@ -104,12 +104,12 @@ func (v *releaseVerifier) verifyAttestationContent(attBytes []byte, imageName st if err := verification.Verify(digests, imageName, levelOpts...); err != nil { return nil, fmt.Errorf("failed to verify image (%q) and env (%q): %w", imageName, environment, err) } - utils.Log("Image (%q) verified with releaser ID (%q) and releaser ID regex (%q) and nil env\n", - imageName, v.AttestationVerifierReleaseOptions.ReleaserID, v.AttestationVerifierReleaseOptions.ReleaserIDRegex) + utils.Log("Image (%q) verified with publishr ID (%q) and publishr ID regex (%q) and nil env\n", + imageName, v.AttestationVerifierPublishOptions.PublishrID, v.AttestationVerifierPublishOptions.PublishrIDRegex) return nil, nil } -func (v *releaseVerifier) VerifyReleaseAttestation(digests intoto.DigestSet, imageName string, environment []string, opts deployment.AttestationVerifierReleaseOptions) (*string, error) { +func (v *publishVerifier) VerifyPublishAttestation(digests intoto.DigestSet, imageName string, environment []string, opts deployment.AttestationVerifierPublishOptions) (*string, error) { if err := v.setOptions(opts); err != nil { return nil, err } diff --git a/cmd/evaluator/internal/release/evaluate/build_verifier.go b/cmd/evaluator/internal/publish/evaluate/build_verifier.go similarity index 100% rename from cmd/evaluator/internal/release/evaluate/build_verifier.go rename to cmd/evaluator/internal/publish/evaluate/build_verifier.go diff --git a/cmd/evaluator/internal/release/evaluate/evaluate.go b/cmd/evaluator/internal/publish/evaluate/evaluate.go similarity index 80% rename from cmd/evaluator/internal/release/evaluate/evaluate.go rename to cmd/evaluator/internal/publish/evaluate/evaluate.go index dc0b1ac..af3a89c 100644 --- a/cmd/evaluator/internal/release/evaluate/evaluate.go +++ b/cmd/evaluator/internal/publish/evaluate/evaluate.go 
@@ -5,20 +5,20 @@ import ( "os" "strings" - "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/release/validate" + "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/publish/validate" "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/utils" "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/utils/crypto" - "github.com/laurentsimon/slsa-policy/pkg/release" + "github.com/laurentsimon/slsa-policy/pkg/publish" "github.com/laurentsimon/slsa-policy/pkg/utils/intoto" "github.com/laurentsimon/slsa-policy/pkg/utils/iterator/files_reader" ) func usage(cli string) { msg := "" + - "Usage: %s release evaluate orgPath projectsPath packageName [optional:environment]\n" + + "Usage: %s publish evaluate orgPath projectsPath packageName [optional:environment]\n" + "\n" + "Example:\n" + - "%s release evaluate ./path/to/policy/org ./path/to/policy/projects laurentsimon/echo-server@sha256:xxxx prod\n" + + "%s publish evaluate ./path/to/policy/org ./path/to/policy/projects laurentsimon/echo-server@sha256:xxxx prod\n" + "\n" fmt.Fprintf(os.Stderr, msg, cli, cli) os.Exit(1) @@ -52,16 +52,16 @@ func Run(cli string, args []string) error { // Create a policy. projectsReader := files_reader.FromPaths(projectsPath) organizationReader, err := os.Open(orgPath) - pol, err := release.PolicyNew(organizationReader, projectsReader, &utils.PackageHelper{}, release.SetValidator(&validate.PolicyValidator{})) + pol, err := publish.PolicyNew(organizationReader, projectsReader, &utils.PackageHelper{}, publish.SetValidator(&validate.PolicyValidator{})) if err != nil { return fmt.Errorf("failed to create policy: %w", err) } // Evaluate the policy. - opts := release.AttestationVerificationOption{ + opts := publish.AttestationVerificationOption{ Verifier: newBuildVerifier(), } - reqOpts := release.RequestOption{ + reqOpts := publish.RequestOption{ Environment: env, } digests := intoto.DigestSet{ 
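Review bot: The error from `organizationReader, err := os.Open(orgPath)` is never checked; it is overwritten by `pol, err := publish.PolicyNew(...)` on the next statement, so a missing or unreadable org policy reaches `PolicyNew` as a nil `*os.File` and surfaces, if at all, as an unrelated parse error, and the handle is never closed on the success path. The same pattern is in `validate.go`'s `Run` in this diff (`_, err = publish.PolicyNew(...)` after the same `os.Open`). Check and close the file before building the policy; `Run` begins and continues outside the hunk.
```go
projectsReader := files_reader.FromPaths(projectsPath)
organizationReader, err := os.Open(orgPath)
if err != nil {
	return fmt.Errorf("failed to open org policy file (%q): %w", orgPath, err)
}
defer organizationReader.Close()
pol, err := publish.PolicyNew(organizationReader, projectsReader, &utils.PackageHelper{}, publish.SetValidator(&validate.PolicyValidator{}))
// … unchanged: policy evaluation …
```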
@@ -73,7 +73,7 @@ func Run(cli string, args []string) error { return result.Error() } - // Create a release attestation and sign it. + // Create a publish attestation and sign it. // TODO(#3): do not attach the attestation, so that caller can do it however they want. // TODO(#2): add policy. att, err := result.AttestationNew() diff --git a/cmd/evaluator/internal/release/release.go b/cmd/evaluator/internal/publish/publish.go similarity index 72% rename from cmd/evaluator/internal/release/release.go rename to cmd/evaluator/internal/publish/publish.go index 8b04fbc..3677586 100644 --- a/cmd/evaluator/internal/release/release.go +++ b/cmd/evaluator/internal/publish/publish.go @@ -1,16 +1,16 @@ -package release +package publish import ( "os" - "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/release/evaluate" - "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/release/validate" + "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/publish/evaluate" + "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/publish/validate" "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/utils" ) func usage(cli string) { msg := "" + - "Usage: %s release [options]\n" + + "Usage: %s publish [options]\n" + "\n" + "Available options:\n" + "validate \t\tValidate the policy files\n" + diff --git a/cmd/evaluator/internal/release/validate/validate.go b/cmd/evaluator/internal/publish/validate/validate.go similarity index 71% rename from cmd/evaluator/internal/release/validate/validate.go rename to cmd/evaluator/internal/publish/validate/validate.go index 2496a94..48d6150 100644 --- a/cmd/evaluator/internal/release/validate/validate.go +++ b/cmd/evaluator/internal/publish/validate/validate.go 
@@ -5,16 +5,16 @@ import ( "os" "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/utils" - "github.com/laurentsimon/slsa-policy/pkg/release" + "github.com/laurentsimon/slsa-policy/pkg/publish" "github.com/laurentsimon/slsa-policy/pkg/utils/iterator/files_reader" ) func usage(cli string) { msg := "" + - "Usage: %s release validate orgPath projectsPath\n" + + "Usage: %s publish validate orgPath projectsPath\n" + "\n" + "Example:\n" + - "%s release validate ./path/to/policy/org ./path/to/policy/projects\n" + + "%s publish validate ./path/to/policy/org ./path/to/policy/projects\n" + "\n" fmt.Fprintf(os.Stderr, msg, cli, cli) os.Exit(1) @@ -22,7 +22,7 @@ func usage(cli string) { type PolicyValidator struct{} -func (v *PolicyValidator) ValidatePackage(pkg release.ValidationPackage) error { +func (v *PolicyValidator) ValidatePackage(pkg publish.ValidationPackage) error { return utils.ValidatePolicyPackage(pkg.Name, pkg.Environment.AnyOf) } @@ -41,7 +41,7 @@ func Run(cli string, args []string) error { // Create a policy. This will validate the files. projectsReader := files_reader.FromPaths(projectsPath) organizationReader, err := os.Open(orgPath) - _, err = release.PolicyNew(organizationReader, projectsReader, &utils.PackageHelper{}, release.SetValidator(&PolicyValidator{})) + _, err = publish.PolicyNew(organizationReader, projectsReader, &utils.PackageHelper{}, publish.SetValidator(&PolicyValidator{})) if err != nil { return err } diff --git a/cmd/evaluator/internal/utils/crypto/crypto.go b/cmd/evaluator/internal/utils/crypto/crypto.go index 1bc8147..05c1966 100644 --- a/cmd/evaluator/internal/utils/crypto/crypto.go +++ b/cmd/evaluator/internal/utils/crypto/crypto.go 
@@ -7,7 +7,7 @@ import ( "time" "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/utils" - "github.com/laurentsimon/slsa-policy/pkg/release" + "github.com/laurentsimon/slsa-policy/pkg/publish" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" "github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor" clisign "github.com/sigstore/cosign/v2/cmd/cosign/cli/sign" 
@@ -154,37 +154,37 @@ func attach(immutableImage string, att Attestation, bundle *cbundle.RekorBundle, return ociremote.WriteAttestations(digest.Repository, newSE, ociremoteOpts...) } -func ValidateIdentity(releaserID, releaserIDRegex string) error { - if (releaserID != "" && releaserIDRegex != "") || - (releaserID == "" && releaserIDRegex == "") { - return fmt.Errorf("only one of releaserID (%q) and releaserIDRegex (%q) must be set", releaserID, releaserIDRegex) +func ValidateIdentity(publishrID, publishrIDRegex string) error { + if (publishrID != "" && publishrIDRegex != "") || + (publishrID == "" && publishrIDRegex == "") { + return fmt.Errorf("only one of publishrID (%q) and publishrIDRegex (%q) must be set", publishrID, publishrIDRegex) } return nil } -func getIdentity(releaserID, releaserIDRegex string) (*cosign.Identity, error) { - if err := ValidateIdentity(releaserID, releaserIDRegex); err != nil { +func getIdentity(publishrID, publishrIDRegex string) (*cosign.Identity, error) { + if err := ValidateIdentity(publishrID, publishrIDRegex); err != nil { return nil, err } - if releaserID != "" { + if publishrID != "" { return &cosign.Identity{ Issuer: githubIssuer, - Subject: releaserID, + Subject: publishrID, }, nil } return &cosign.Identity{ Issuer: githubIssuer, - SubjectRegExp: releaserIDRegex, + SubjectRegExp: publishrIDRegex, }, nil } // VerifySignature verifies the signature of an attestation. -func VerifySignature(immutableImage string, releaserID, releaserIDRegex string) (string, []byte, error) { +func VerifySignature(immutableImage string, publishrID, publishrIDRegex string) (string, []byte, error) { ctx, cancel := context.WithTimeout(context.Background(), time.Duration(30*time.Second)) defer cancel() var err error - identity, err := getIdentity(releaserID, releaserIDRegex) + identity, err := getIdentity(publishrID, publishrIDRegex) if err != nil { return "", nil, err } 
@@ -238,7 +238,7 @@ func VerifySignature(immutableImage string, releaserID, releaserIDRegex string) } var errList []error for _, vp := range verified { - payload, predicateType, err := cpolicy.AttestationToPayloadJSON(ctx, release.PredicateType(), vp) + payload, predicateType, err := cpolicy.AttestationToPayloadJSON(ctx, publish.PredicateType(), vp) if err != nil { errList = append(errList, fmt.Errorf("failed to convert to consumable policy validation: %w", err)) continue @@ -247,12 +247,12 @@ func VerifySignature(immutableImage string, releaserID, releaserIDRegex string) // This is not the predicate type we're looking for. continue } - if release.PredicateType() != predicateType { + if publish.PredicateType() != predicateType { errList = append(errList, fmt.Errorf("internal error. predicate ype (%q) != attestation type (%q)", - predicateType, release.PredicateType())) + predicateType, publish.PredicateType())) continue } - return releaserID, payload, nil + return publishrID, payload, nil } return "", nil, fmt.Errorf("failed to verify: %v", errList) } diff --git a/cmd/evaluator/main.go b/cmd/evaluator/main.go index d51fc06..ffbaf6b 100644 --- a/cmd/evaluator/main.go +++ b/cmd/evaluator/main.go @@ -4,7 +4,7 @@ import ( "os" "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/deployment" - "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/release" + "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/publish" "github.com/laurentsimon/slsa-policy/cli/evaluator/internal/utils" ) @@ -13,7 +13,7 @@ func usage(prog string) { "Usage: %s [command]\n" + "\n" + "Available commands:\n" + - "release \t\tOperation on release policy\n" + + "publish \t\tOperation on publish policy\n" + "deployment \t\tOperation on deployment policy\n" + "\n" utils.Log(msg, prog) 
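Review bot: `return publishrID, payload, nil` hands back the caller's own input rather than the identity cosign actually matched: `ValidateIdentity` (earlier hunk of this file) enforces that exactly one of `publishrID`/`publishrIDRegex` is set, so whenever the regex form is used `VerifySignature` returns `""`, and `verifySignature` in publish_verifier.go then logs and propagates an empty "full" ID. If the returned identity is meant to be recorded, derive it from the verified signature's certificate instead of echoing the argument. The context line above still says `predicate ype (%q)`; `predicate type (%q)` fixes the typo. `VerifySignature` begins outside the hunk.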
@@ -33,8 +33,8 @@ func main() {
 switch arguments[0] {
 default:
 usage(os.Args[0])
-case "release":
-if err := release.Run(os.Args[0], arguments[1:]); err != nil {
+case "publish":
+if err := publish.Run(os.Args[0], arguments[1:]); err != nil {
 utils.Log(err.Error() + "\n")
 os.Exit(2)
 }
diff --git a/cmd/evaluator/testdata/deployment/org.json b/cmd/evaluator/testdata/deployment/org.json
index 6ecca82..92f38ad 100644
--- a/cmd/evaluator/testdata/deployment/org.json
+++ b/cmd/evaluator/testdata/deployment/org.json
@@ -1,9 +1,9 @@
 {
 "format":1,
 "roots":{
-"release":[
+"publish":[
 {
-"id":"https://github.com/laurentsimon/slsa-org/.github/workflows/image-releaser.yml@refs/heads/main",
+"id":"https://github.com/laurentsimon/slsa-org/.github/workflows/image-publishr.yml@refs/heads/main",
 "build":{
 "max_slsa_level": 3
 }
diff --git a/pkg/deployment/deployment.go b/pkg/deployment/deployment.go
index 086368e..5904308 100644
--- a/pkg/deployment/deployment.go
+++ b/pkg/deployment/deployment.go
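Review bot: Dropping `case "release":` means any existing invocation of `<cli> release ...` (the README in this diff shows org workflows calling the CLI this way, and the installer action fetches whatever `ref` it is pinned to) now falls to the `default` branch and prints usage instead of running. Whether such callers still exist cannot be told from this diff; if a migration window is wanted, `case "release", "publish":` keeps both spellings served by `publish.Run` until they move. `main` begins outside the hunk.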
@@ -11,22 +11,22 @@ import ( "github.com/laurentsimon/slsa-policy/pkg/utils/iterator" ) -// AttestationVerifierReleaseOptions defines options for -// verifying a release attestation. -type AttestationVerifierReleaseOptions struct { - // One of ReleaserID or ReleaserIDRegex must be set. - ReleaserID, ReleaserIDRegex string +// AttestationVerifierPublishOptions defines options for +// verifying a publish attestation. +type AttestationVerifierPublishOptions struct { + // One of PublishrID or PublishrIDRegex must be set. + PublishrID, PublishrIDRegex string BuildLevel int } // AttestationVerifier defines an interface to verify attestations. type AttestationVerifier interface { - // Release attestation verification. The string returned contains the value of the environment, if present. - VerifyReleaseAttestation(digests intoto.DigestSet, packageURI string, environment []string, opts AttestationVerifierReleaseOptions) (*string, error) + // Publish attestation verification. The string returned contains the value of the environment, if present. + VerifyPublishAttestation(digests intoto.DigestSet, packageURI string, environment []string, opts AttestationVerifierPublishOptions) (*string, error) } // AttestationVerificationOption defines the configuration to verify -// release attestations. +// publish attestations. type AttestationVerificationOption struct { Verifier AttestationVerifier } 
@@ -46,16 +46,16 @@ type internal_verifier struct { opts AttestationVerificationOption } -func (i *internal_verifier) VerifyReleaseAttestation(digests intoto.DigestSet, packageURI string, - environment []string, releaserID string, buildLevel int) (*string, error) { +func (i *internal_verifier) VerifyPublishAttestation(digests intoto.DigestSet, packageURI string, + environment []string, publishrID string, buildLevel int) (*string, error) { if i.opts.Verifier == nil { return nil, fmt.Errorf("%w: verifier is nil", errs.ErrorInvalidInput) } - opts := AttestationVerifierReleaseOptions{ - ReleaserID: releaserID, + opts := AttestationVerifierPublishOptions{ + PublishrID: publishrID, BuildLevel: buildLevel, } - return i.opts.Verifier.VerifyReleaseAttestation(digests, packageURI, environment, opts) + return i.opts.Verifier.VerifyPublishAttestation(digests, packageURI, environment, opts) } // This is a class to forward calls between internal @@ -114,7 +114,7 @@ func (p *Policy) setValidator(validator PolicyValidator) error { // Evaluate evalues the deployment policy. func (p *Policy) Evaluate(digests intoto.DigestSet, policyPackageName string, policyID string, opts AttestationVerificationOption) PolicyEvaluationResult { protection, err := p.policy.Evaluate(digests, policyPackageName, policyID, - options.ReleaseVerification{ + options.PublishVerification{ Verifier: &internal_verifier{ opts: opts, }, diff --git a/pkg/deployment/deployment_test.go b/pkg/deployment/deployment_test.go index 5daac51..aefa881 100644 --- a/pkg/deployment/deployment_test.go +++ b/pkg/deployment/deployment_test.go 
@@ -92,20 +92,20 @@ func Test_AttestationNew(t *testing.T) { } // Attestation verifier. -func NewE2eAttestationVerifier(digests intoto.DigestSet, packageName, env, releaserID string, buildLevel int) AttestationVerifier { - return &attestationVerifier{digests: digests, packageName: packageName, env: env, releaserID: releaserID, buildLevel: buildLevel} +func NewE2eAttestationVerifier(digests intoto.DigestSet, packageName, env, publishrID string, buildLevel int) AttestationVerifier { + return &attestationVerifier{digests: digests, packageName: packageName, env: env, publishrID: publishrID, buildLevel: buildLevel} } type attestationVerifier struct { packageName string - releaserID string + publishrID string buildLevel int env string digests intoto.DigestSet } -func (v *attestationVerifier) VerifyReleaseAttestation(digests intoto.DigestSet, packageName string, env []string, opts AttestationVerifierReleaseOptions) (*string, error) { - if opts.BuildLevel == v.buildLevel && packageName == v.packageName && opts.ReleaserID == v.releaserID && +func (v *attestationVerifier) VerifyPublishAttestation(digests intoto.DigestSet, packageName string, env []string, opts AttestationVerifierPublishOptions) (*string, error) { + if opts.BuildLevel == v.buildLevel && packageName == v.packageName && opts.PublishrID == v.publishrID && common.MapEq(digests, v.digests) && ((v.env != "" && len(env) > 0 && slices.Contains(env, v.env)) || (v.env == "" && len(env) == 0)) { 
@@ -114,7 +114,7 @@ func (v *attestationVerifier) VerifyReleaseAttestation(digests intoto.DigestSet, } return &v.env, nil } - return nil, fmt.Errorf("%w: cannot verify package Name (%q) releaser ID (%q) env (%q) buildLevel (%d)", errs.ErrorVerification, packageName, opts.ReleaserID, env, opts.BuildLevel) + return nil, fmt.Errorf("%w: cannot verify package Name (%q) publishr ID (%q) env (%q) buildLevel (%d)", errs.ErrorVerification, packageName, opts.PublishrID, env, opts.BuildLevel) } func newPolicyValidator(pass bool) PolicyValidator { @@ -138,8 +138,8 @@ func Test_e2e(t *testing.T) { "sha256": "val256", "sha512": "val512", } - releaserID1 := "releaser_id1" - releaserID2 := "releaser_id2" + publishrID1 := "publishr_id1" + publishrID2 := "publishr_id2" packageName1 := "package_uri1" packageName2 := "package_uri2" packageName3 := "package_uri3" @@ -151,15 +151,15 @@ func Test_e2e(t *testing.T) { org := organization.Policy{ Format: 1, Roots: organization.Roots{ - Release: []organization.Root{ + Publish: []organization.Root{ { - ID: releaserID1, + ID: publishrID1, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(2), }, }, { - ID: releaserID2, + ID: publishrID2, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(3), }, @@ -227,7 +227,7 @@ func Test_e2e(t *testing.T) { policyID string env string buildLevel int - releaserID string + publishrID string principalURI string expected error errorEvaluate error @@ -248,7 +248,7 @@ func Test_e2e(t *testing.T) { packageName: packageName1, principalURI: pricipalURI2, // Data that the verifier will use. - releaserID: releaserID2, + publishrID: publishrID2, buildLevel: buildLevel3, }, { @@ -264,7 +264,7 @@ func Test_e2e(t *testing.T) { packageName: packageName1, principalURI: pricipalURI2, // Data that the verifier will use. - releaserID: releaserID2, + publishrID: publishrID2, buildLevel: buildLevel3, errorEvaluate: errs.ErrorVerification, errorAttestation: errs.ErrorInternal, 
@@ -328,7 +328,7 @@ func Test_e2e(t *testing.T) { packageName: packageName1, principalURI: pricipalURI2, // Data that the verifier will use. - releaserID: releaserID2, + publishrID: publishrID2, buildLevel: buildLevel3, errorEvaluate: errs.ErrorVerification, errorAttestation: errs.ErrorInternal, @@ -347,7 +347,7 @@ func Test_e2e(t *testing.T) { packageName: packageName1, principalURI: pricipalURI2, // Data that the verifier will use. - releaserID: releaserID2, + publishrID: publishrID2, buildLevel: buildLevel3, errorEvaluate: errs.ErrorVerification, errorAttestation: errs.ErrorInternal, @@ -410,7 +410,7 @@ func Test_e2e(t *testing.T) { packageName: packageName1, principalURI: pricipalURI2, // Data that the verifier will use. - releaserID: releaserID2, + publishrID: publishrID2, buildLevel: buildLevel3, }, { @@ -427,7 +427,7 @@ func Test_e2e(t *testing.T) { packageName: packageName1, principalURI: pricipalURI2, // Data that the verifier will use. - releaserID: releaserID1, // NOTE: mismatch releaser ID. + publishrID: publishrID1, // NOTE: mismatch publishr ID. buildLevel: buildLevel3, errorEvaluate: errs.ErrorVerification, errorAttestation: errs.ErrorInternal, @@ -473,7 +473,7 @@ func Test_e2e(t *testing.T) { if err != nil { t.Fatalf("failed to create policy: %v", err) } - verifier := NewE2eAttestationVerifier(tt.digests, tt.packageName, tt.env, tt.releaserID, tt.buildLevel) + verifier := NewE2eAttestationVerifier(tt.digests, tt.packageName, tt.env, tt.publishrID, tt.buildLevel) opts := AttestationVerificationOption{ Verifier: verifier, } diff --git a/pkg/deployment/internal/common/tests.go b/pkg/deployment/internal/common/tests.go index 7604cc2..8717c5a 100644 --- a/pkg/deployment/internal/common/tests.go +++ b/pkg/deployment/internal/common/tests.go 
@@ -51,20 +51,20 @@ func (iter *bytesIterator) Error() error { } // Attestation verifier. -func NewAttestationVerifier(digests intoto.DigestSet, packageName, env, releaserID string, buildLevel int) options.AttestationVerifier { - return &attestationVerifier{digests: digests, packageName: packageName, releaserID: releaserID, env: env, buildLevel: buildLevel} +func NewAttestationVerifier(digests intoto.DigestSet, packageName, env, publishrID string, buildLevel int) options.AttestationVerifier { + return &attestationVerifier{digests: digests, packageName: packageName, publishrID: publishrID, env: env, buildLevel: buildLevel} } type attestationVerifier struct { packageName string - releaserID string + publishrID string buildLevel int env string digests intoto.DigestSet } -func (v *attestationVerifier) VerifyReleaseAttestation(digests intoto.DigestSet, packageName string, env []string, releaserID string, buildLevel int) (*string, error) { - if buildLevel <= v.buildLevel && packageName == v.packageName && releaserID == v.releaserID && +func (v *attestationVerifier) VerifyPublishAttestation(digests intoto.DigestSet, packageName string, env []string, publishrID string, buildLevel int) (*string, error) { + if buildLevel <= v.buildLevel && packageName == v.packageName && publishrID == v.publishrID && MapEq(digests, v.digests) && ((v.env != "" && len(env) > 0 && slices.Contains(env, v.env)) || (v.env == "" && len(env) == 0)) { @@ -73,7 +73,7 @@ func (v *attestationVerifier) VerifyReleaseAttestation(digests intoto.DigestSet, } return &v.env, nil } - return nil, fmt.Errorf("%w: cannot verify package Name (%q) releaser ID (%q) env (%q) buildLevel (%d)", errs.ErrorVerification, packageName, releaserID, env, buildLevel) + return nil, fmt.Errorf("%w: cannot verify package Name (%q) publishr ID (%q) env (%q) buildLevel (%d)", errs.ErrorVerification, packageName, publishrID, env, buildLevel) } func MapEq(m1, m2 map[string]string) bool { 
diff --git a/pkg/deployment/internal/options/options.go b/pkg/deployment/internal/options/options.go index 39a0c9b..1d0e94f 100644 --- a/pkg/deployment/internal/options/options.go +++ b/pkg/deployment/internal/options/options.go @@ -4,13 +4,13 @@ import "github.com/laurentsimon/slsa-policy/pkg/utils/intoto" // AttestationVerifier defines an interface to verify attestations. type AttestationVerifier interface { - // Release attestations. The string returned contains the value of the environment, if present. - VerifyReleaseAttestation(digests intoto.DigestSet, packageName string, environment []string, releaserID string, buildLevel int) (*string, error) + // Publish attestations. The string returned contains the value of the environment, if present. + VerifyPublishAttestation(digests intoto.DigestSet, packageName string, environment []string, publishrID string, buildLevel int) (*string, error) } -// ReleaseVerification defines the configuration to verify -// release attestations. -type ReleaseVerification struct { +// PublishVerification defines the configuration to verify +// publish attestations. +type PublishVerification struct { Verifier AttestationVerifier } diff --git a/pkg/deployment/internal/organization/organization.go b/pkg/deployment/internal/organization/organization.go index cddcbb6..03cffa2 100644 --- a/pkg/deployment/internal/organization/organization.go +++ b/pkg/deployment/internal/organization/organization.go @@ -15,9 +15,9 @@ import ( type Root struct { ID string `json:"id"` Build Build `json:"build"` - // TODO: Have a field to indicate which package Names the releaser is allowed to + // TODO: Have a field to indicate which package Names the publishr is allowed to // attest to. This assumes every organization has a central registry to make their - // releases accessible. + // publishs accessible. } // Build defines the build metadata. 
@@ -27,7 +27,7 @@ type Build struct {
 
 // Roots defines a set of truted roots.
 type Roots struct {
- Release []Root `json:"release"`
+ Publish []Root `json:"publish"`
 }
 
 // Policy defines the policy.
@@ -59,7 +59,7 @@ func (p *Policy) validate() error {
 if err := p.validateFormat(); err != nil {
 return err
 }
- if err := p.validateReleaseRoots(); err != nil {
+ if err := p.validatePublishRoots(); err != nil {
 return err
 }
 return nil
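Review bot: The tag change to `json:"publish"` on Roots alters the on-disk schema of the organization policy, but the `Format` value checked by the `validateFormat` call in the second hunk stays the same (the fixtures elsewhere in this diff still use `Format: 1`). An org.json that still carries the `release` key will decode to an empty `Publish` slice — unless the decoder is configured to reject unknown fields, which is not visible here — and is then refused by validatePublishRoots with "publish's roots are not defined": fail-closed, but the operator gets no hint that the key was renamed. Either bump the format number so stale files fail the format check, or extend that message, e.g. `return fmt.Errorf("[organization] %w: publish's roots are not defined (the key was renamed from \"release\" to \"publish\")", errs.ErrorInvalidField)`. The body of validate continues outside the hunk.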
@@ -73,34 +73,34 @@ func (p *Policy) validateFormat() error { return nil } -func (p *Policy) validateReleaseRoots() error { - // There must be at least one release root. - if len(p.Roots.Release) == 0 { - return fmt.Errorf("[organization] %w: release's roots are not defined", errs.ErrorInvalidField) +func (p *Policy) validatePublishRoots() error { + // There must be at least one publish root. + if len(p.Roots.Publish) == 0 { + return fmt.Errorf("[organization] %w: publish's roots are not defined", errs.ErrorInvalidField) } // Each root must have all its fields defined. // Also validate that // 2) the ids do not repeat ids := make(map[string]bool) - for i := range p.Roots.Release { - release := &p.Roots.Release[i] + for i := range p.Roots.Publish { + publish := &p.Roots.Publish[i] // ID must be defined and non-empty. - if release.ID == "" { - return fmt.Errorf("[organization] %w: release's id is empty", errs.ErrorInvalidField) + if publish.ID == "" { + return fmt.Errorf("[organization] %w: publish's id is empty", errs.ErrorInvalidField) } // ID must be unique. - if _, exists := ids[release.ID]; exists { - return fmt.Errorf("[organization] %w: release's name (%q) is defined more than once", errs.ErrorInvalidField, release.ID) + if _, exists := ids[publish.ID]; exists { + return fmt.Errorf("[organization] %w: publish's name (%q) is defined more than once", errs.ErrorInvalidField, publish.ID) } - ids[release.ID] = true + ids[publish.ID] = true // Build Level must be defined. - if release.Build.MaxSlsaLevel == nil { - return fmt.Errorf("[organization] %w: release's max_slsa_level is not defined", errs.ErrorInvalidField) + if publish.Build.MaxSlsaLevel == nil { + return fmt.Errorf("[organization] %w: publish's max_slsa_level is not defined", errs.ErrorInvalidField) } // Level must be in the corre range. - if *release.Build.MaxSlsaLevel < 0 || *release.Build.MaxSlsaLevel > 4 { - return fmt.Errorf("[organization] %w: release's max_slsa_level is invalid (%d). 
Must satisfy 0 <= slsa_level <= 4", - errs.ErrorInvalidField, *release.Build.MaxSlsaLevel) + if *publish.Build.MaxSlsaLevel < 0 || *publish.Build.MaxSlsaLevel > 4 { + return fmt.Errorf("[organization] %w: publish's max_slsa_level is invalid (%d). Must satisfy 0 <= slsa_level <= 4", + errs.ErrorInvalidField, *publish.Build.MaxSlsaLevel) } } return nil @@ -108,17 +108,17 @@ func (p *Policy) validateReleaseRoots() error { func (p *Policy) MaxBuildSlsaLevel() int { max := -1 - for i := range p.Roots.Release { - releaser := &p.Roots.Release[i] - if *releaser.Build.MaxSlsaLevel > max { - max = *releaser.Build.MaxSlsaLevel + for i := range p.Roots.Publish { + publishr := &p.Roots.Publish[i] + if *publishr.Build.MaxSlsaLevel > max { + max = *publishr.Build.MaxSlsaLevel } } return max } // Evaluate evaluates the policy. -func (p *Policy) Evaluate(digests intoto.DigestSet, packageName string, releaseOpts options.ReleaseVerification) error { +func (p *Policy) Evaluate(digests intoto.DigestSet, packageName string, publishOpts options.PublishVerification) error { // Nothing to do. return nil } diff --git a/pkg/deployment/internal/organization/organization_test.go b/pkg/deployment/internal/organization/organization_test.go index c31f1b6..b89e46a 100644 --- a/pkg/deployment/internal/organization/organization_test.go +++ b/pkg/deployment/internal/organization/organization_test.go @@ -68,7 +68,7 @@ func Test_MaxBuildSlsaLevel(t *testing.T) { level: 4, policy: Policy{ Roots: Roots{ - Release: []Root{ + Publish: []Root{ { Build: Build{ MaxSlsaLevel: common.AsPointer(4), @@ -93,7 +93,7 @@ func Test_MaxBuildSlsaLevel(t *testing.T) { level: 2, policy: Policy{ Roots: Roots{ - Release: []Root{ + Publish: []Root{ { Build: Build{ MaxSlsaLevel: common.AsPointer(2), @@ -118,7 +118,7 @@ func Test_MaxBuildSlsaLevel(t *testing.T) { level: -1, policy: Policy{ Roots: Roots{ - Release: []Root{}, + Publish: []Root{}, }, }, }, 
@@ -135,7 +135,7 @@ func Test_MaxBuildSlsaLevel(t *testing.T) { } } -func Test_validateReleaseRoots(t *testing.T) { +func Test_validatePublishRoots(t *testing.T) { t.Parallel() tests := []struct { @@ -152,7 +152,7 @@ func Test_validateReleaseRoots(t *testing.T) { name: "one root with empty id", policy: &Policy{ Roots: Roots{ - Release: []Root{ + Publish: []Root{ { Build: Build{ MaxSlsaLevel: common.AsPointer(3), @@ -167,9 +167,9 @@ func Test_validateReleaseRoots(t *testing.T) { name: "one root with empty level", policy: &Policy{ Roots: Roots{ - Release: []Root{ + Publish: []Root{ { - ID: "releaser id", + ID: "publishr id", }, }, }, @@ -180,9 +180,9 @@ func Test_validateReleaseRoots(t *testing.T) { name: "one root with negative level", policy: &Policy{ Roots: Roots{ - Release: []Root{ + Publish: []Root{ { - ID: "releaser id", + ID: "publishr id", Build: Build{ MaxSlsaLevel: common.AsPointer(-1), }, @@ -196,9 +196,9 @@ func Test_validateReleaseRoots(t *testing.T) { name: "one root with level greater than 4", policy: &Policy{ Roots: Roots{ - Release: []Root{ + Publish: []Root{ { - ID: "releaser id", + ID: "publishr id", Build: Build{ MaxSlsaLevel: common.AsPointer(5), }, @@ -212,9 +212,9 @@ func Test_validateReleaseRoots(t *testing.T) { name: "one root with valid fields", policy: &Policy{ Roots: Roots{ - Release: []Root{ + Publish: []Root{ { - ID: "releaser id", + ID: "publishr id", Build: Build{ MaxSlsaLevel: common.AsPointer(3), }, @@ -227,15 +227,15 @@ func Test_validateReleaseRoots(t *testing.T) { name: "two roots with valid fields", policy: &Policy{ Roots: Roots{ - Release: []Root{ + Publish: []Root{ { - ID: "releaser id", + ID: "publishr id", Build: Build{ MaxSlsaLevel: common.AsPointer(3), }, }, { - ID: "releaser id2", + ID: "publishr id2", Build: Build{ MaxSlsaLevel: common.AsPointer(3), }, 
@@ -248,15 +248,15 @@ func Test_validateReleaseRoots(t *testing.T) { name: "two roots with same id", policy: &Policy{ Roots: Roots{ - Release: []Root{ + Publish: []Root{ { - ID: "releaser id", + ID: "publishr id", Build: Build{ MaxSlsaLevel: common.AsPointer(3), }, }, { - ID: "releaser id", + ID: "publishr id", Build: Build{ MaxSlsaLevel: common.AsPointer(3), }, @@ -272,7 +272,7 @@ func Test_validateReleaseRoots(t *testing.T) { t.Run(tt.name, func(t *testing.T) { t.Parallel() - err := tt.policy.validateReleaseRoots() + err := tt.policy.validatePublishRoots() if diff := cmp.Diff(tt.expected, err, cmpopts.EquateErrors()); diff != "" { t.Fatalf("unexpected err (-want +got): \n%s", diff) } @@ -297,7 +297,7 @@ func Test_Evaluate(t *testing.T) { tt := tt // Re-initializing variable so it is not changed while executing the closure below t.Run(tt.name, func(t *testing.T) { t.Parallel() - err := tt.policy.Evaluate(intoto.DigestSet{}, "any_package_name", options.ReleaseVerification{}) + err := tt.policy.Evaluate(intoto.DigestSet{}, "any_package_name", options.PublishVerification{}) if diff := cmp.Diff(tt.expected, err); diff != "" { t.Fatalf("unexpected err (-want +got): \n%s", diff) } diff --git a/pkg/deployment/internal/policy.go b/pkg/deployment/internal/policy.go index 4574249..6bec677 100644 --- a/pkg/deployment/internal/policy.go +++ b/pkg/deployment/internal/policy.go @@ -32,7 +32,7 @@ func PolicyNew(org io.ReadCloser, projects iterator.NamedReadCloserIterator, val }, nil } -func (p *Policy) Evaluate(digests intoto.DigestSet, packageName, policyID string, releaseOpts options.ReleaseVerification) (*project.Protection, error) { +func (p *Policy) Evaluate(digests intoto.DigestSet, packageName, policyID string, publishOpts options.PublishVerification) (*project.Protection, error) { if packageName == "" { return nil, fmt.Errorf("%w: package name is empty", errs.ErrorInvalidInput) } 
@@ -49,13 +49,13 @@ func (p *Policy) Evaluate(digests intoto.DigestSet, packageName, policyID string } // Evaluate the org policy. - err := p.orgPolicy.Evaluate(digests, packageName, releaseOpts) + err := p.orgPolicy.Evaluate(digests, packageName, publishOpts) if err != nil { return nil, err } // Evaluate the project policy. - protection, err := projectPolicy.Evaluate(digests, packageName, p.orgPolicy, releaseOpts) + protection, err := projectPolicy.Evaluate(digests, packageName, p.orgPolicy, publishOpts) if err != nil { return nil, err } diff --git a/pkg/deployment/internal/policy_test.go b/pkg/deployment/internal/policy_test.go index 0e5c69b..ac70886 100644 --- a/pkg/deployment/internal/policy_test.go +++ b/pkg/deployment/internal/policy_test.go @@ -18,8 +18,8 @@ import ( func Test_PolicyNew(t *testing.T) { t.Parallel() - releaserID1 := "releaser_id1" - releaserID2 := "releaser_id2" + publishrID1 := "publishr_id1" + publishrID2 := "publishr_id2" packageName1 := "package_name1" packageName2 := "package_name2" packageName3 := "package_name3" @@ -29,15 +29,15 @@ func Test_PolicyNew(t *testing.T) { org := organization.Policy{ Format: 1, Roots: organization.Roots{ - Release: []organization.Root{ + Publish: []organization.Root{ { - ID: releaserID1, + ID: publishrID1, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(3), }, }, { - ID: releaserID2, + ID: publishrID2, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(2), }, @@ -112,15 +112,15 @@ func Test_PolicyNew(t *testing.T) { org: organization.Policy{ Format: 1, Roots: organization.Roots{ - Release: []organization.Root{ + Publish: []organization.Root{ { - ID: releaserID1, + ID: publishrID1, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(1), }, }, { - ID: releaserID2, + ID: publishrID2, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(1), }, 
@@ -404,15 +404,15 @@ func Test_PolicyNew(t *testing.T) { expected: errs.ErrorInvalidField, org: organization.Policy{ Roots: organization.Roots{ - Release: []organization.Root{ + Publish: []organization.Root{ { - ID: releaserID1, + ID: publishrID1, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(3), }, }, { - ID: releaserID1, + ID: publishrID1, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(2), }, @@ -423,20 +423,20 @@ func Test_PolicyNew(t *testing.T) { projects: projects, }, { - name: "release id reuse", + name: "publish id reuse", expected: errs.ErrorInvalidField, org: organization.Policy{ Format: 1, Roots: organization.Roots{ - Release: []organization.Root{ + Publish: []organization.Root{ { - ID: releaserID1, + ID: publishrID1, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(3), }, }, { - ID: releaserID1, + ID: publishrID1, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(2), }, @@ -447,14 +447,14 @@ func Test_PolicyNew(t *testing.T) { projects: projects, }, { - name: "empty releaser id", + name: "empty publishr id", expected: errs.ErrorInvalidField, org: organization.Policy{ Format: 1, Roots: organization.Roots{ - Release: []organization.Root{ + Publish: []organization.Root{ { - ID: releaserID1, + ID: publishrID1, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(3), }, @@ -470,20 +470,20 @@ func Test_PolicyNew(t *testing.T) { projects: projects, }, { - name: "empty releaser build level", + name: "empty publishr build level", expected: errs.ErrorInvalidField, org: organization.Policy{ Format: 1, Roots: organization.Roots{ - Release: []organization.Root{ + Publish: []organization.Root{ { - ID: releaserID1, + ID: publishrID1, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(3), }, }, { - ID: releaserID2, + ID: publishrID2, }, }, }, 
@@ -544,15 +544,15 @@ func Test_Evaluate(t *testing.T) { digests intoto.DigestSet buildLevel int packageName string - releaserID string + publishrID string env string } digests := intoto.DigestSet{ "sha256": "val256", "sha512": "val512", } - releaserID1 := "releaser_id1" - releaserID2 := "releaser_id2" + publishrID1 := "publishr_id1" + publishrID2 := "publishr_id2" packageName1 := "package_name1" packageName2 := "package_name2" packageName3 := "package_name3" @@ -564,15 +564,15 @@ func Test_Evaluate(t *testing.T) { org := organization.Policy{ Format: 1, Roots: organization.Roots{ - Release: []organization.Root{ + Publish: []organization.Root{ { - ID: releaserID1, + ID: publishrID1, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(2), }, }, { - ID: releaserID2, + ID: publishrID2, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(3), }, @@ -632,7 +632,7 @@ func Test_Evaluate(t *testing.T) { vopts := dummyVerifierOpts{ digests: digests, buildLevel: buildLevel, - releaserID: releaserID2, + publishrID: publishrID2, packageName: packageName1, env: "prod", } @@ -722,7 +722,7 @@ func Test_Evaluate(t *testing.T) { policyID: policyID2, verifierOpts: dummyVerifierOpts{ digests: digests, - releaserID: releaserID2, + publishrID: publishrID2, packageName: packageName1, buildLevel: buildLevel, }, @@ -782,7 +782,7 @@ func Test_Evaluate(t *testing.T) { policyID: policyID2, verifierOpts: dummyVerifierOpts{ digests: digests, - releaserID: releaserID2, + publishrID: publishrID2, packageName: packageName1, }, org: org, @@ -929,15 +929,15 @@ func Test_Evaluate(t *testing.T) { org: organization.Policy{ Format: 1, Roots: organization.Roots{ - Release: []organization.Root{ + Publish: []organization.Root{ { - ID: releaserID1, + ID: publishrID1, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(3), }, }, { - ID: releaserID2, + ID: publishrID2, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(2), }, 
@@ -1026,8 +1026,8 @@ func Test_Evaluate(t *testing.T) { } // Create the verifier. verifier := common.NewAttestationVerifier(tt.verifierOpts.digests, tt.packageName, - tt.verifierOpts.env, tt.verifierOpts.releaserID, tt.verifierOpts.buildLevel) - opts := options.ReleaseVerification{ + tt.verifierOpts.env, tt.verifierOpts.publishrID, tt.verifierOpts.buildLevel) + opts := options.PublishVerification{ Verifier: verifier, } Protection, err := policy.Evaluate(tt.digests, tt.packageName, tt.policyID, opts) diff --git a/pkg/deployment/internal/project/project.go b/pkg/deployment/internal/project/project.go index d7b493e..2370b71 100644 --- a/pkg/deployment/internal/project/project.go +++ b/pkg/deployment/internal/project/project.go @@ -139,9 +139,9 @@ func (p *Policy) validatePackages() error { } func (p *Policy) validateBuildRequirements(maxBuildLevel int) error { - // SLSA releaser + // SLSA publishr // 1) must be set - // 2) must contain one a level that is satisfiable by the releasers defined in the org-policy. + // 2) must contain one a level that is satisfiable by the publishrs defined in the org-policy. if maxBuildLevel < 0 || maxBuildLevel > 4 { return fmt.Errorf("[project] %w: build's level is invalid (%d). Must satisfy 0 <= slsa_level <= 4", errs.ErrorInvalidField, maxBuildLevel) @@ -191,8 +191,8 @@ func FromReaders(readers iterator.NamedReadCloserIterator, orgPolicy organizatio // Evaluate evaluates a policy. func (p *Policy) Evaluate(digests intoto.DigestSet, packageName string, - orgPolicy organization.Policy, releaseOpts options.ReleaseVerification) (*Protection, error) { - if releaseOpts.Verifier == nil { + orgPolicy organization.Policy, publishOpts options.PublishVerification) (*Protection, error) { + if publishOpts.Verifier == nil { return nil, fmt.Errorf("[project] %w: verifier is empty", errs.ErrorInvalidInput) } 
@@ -208,28 +208,28 @@ func (p *Policy) Evaluate(digests intoto.DigestSet, packageName string, env := pkg.Environment.AnyOf - // Verify with each releaser. + // Verify with each publishr. // WARNING: the hidden assumption is that the verifier is aware of which - // package Names can be attested to by which releaser. - // TODO: Instead of iterating thru all releasers, the org policy may contain + // package Names can be attested to by which publishr. + // TODO: Instead of iterating thru all publishrs, the org policy may contain // a trusted mapping. var allErrs []error - for i := range orgPolicy.Roots.Release { - releaser := &orgPolicy.Roots.Release[i] - // Filter out the releasers that don't match the SLSA build level requirement + for i := range orgPolicy.Roots.Publish { + publishr := &orgPolicy.Roots.Publish[i] + // Filter out the publishrs that don't match the SLSA build level requirement // in the policy. - if *releaser.Build.MaxSlsaLevel < *p.BuildRequirements.RequireSlsaLevel { + if *publishr.Build.MaxSlsaLevel < *p.BuildRequirements.RequireSlsaLevel { continue } // We have a candidate. - verifiedEnv, err := releaseOpts.Verifier.VerifyReleaseAttestation(digests, packageName, env, releaser.ID, *p.BuildRequirements.RequireSlsaLevel) + verifiedEnv, err := publishOpts.Verifier.VerifyPublishAttestation(digests, packageName, env, publishr.ID, *p.BuildRequirements.RequireSlsaLevel) if err != nil { // Verification failed, continue. allErrs = append(allErrs, err) continue } - // Verification of release attestation succeeded. + // Verification of publish attestation succeeded. // Sanity check. if err := validateEnv(env, verifiedEnv); err != nil { diff --git a/pkg/deployment/internal/project/project_test.go b/pkg/deployment/internal/project/project_test.go index b356fbe..9ce730c 100644 --- a/pkg/deployment/internal/project/project_test.go +++ b/pkg/deployment/internal/project/project_test.go 
@@ -431,11 +431,11 @@ func Test_Evaluate(t *testing.T) { digests intoto.DigestSet buildLevel int packageName string - releaserID string + publishrID string env string } - releaserID1 := "releaser_id1" - releaserID2 := "releaser_id2" + publishrID1 := "publishr_id1" + publishrID2 := "publishr_id2" packageName1 := "package_name1" packageName2 := "package_name2" digests := intoto.DigestSet{ @@ -444,15 +444,15 @@ func Test_Evaluate(t *testing.T) { } org := organization.Policy{ Roots: organization.Roots{ - Release: []organization.Root{ + Publish: []organization.Root{ { - ID: releaserID1, + ID: publishrID1, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(3), }, }, { - ID: releaserID2, + ID: publishrID2, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(2), }, @@ -485,7 +485,7 @@ func Test_Evaluate(t *testing.T) { buildLevel := 3 vopts := dummyVerifierOpts{ digests: digests, - releaserID: releaserID2, + publishrID: publishrID2, packageName: packageName1, buildLevel: buildLevel, env: "prod", @@ -590,15 +590,15 @@ func Test_Evaluate(t *testing.T) { digests: digests, org: organization.Policy{ Roots: organization.Roots{ - Release: []organization.Root{ + Publish: []organization.Root{ { - ID: releaserID1, + ID: publishrID1, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(1), }, }, { - ID: releaserID2, + ID: publishrID2, Build: organization.Build{ MaxSlsaLevel: common.AsPointer(1), }, @@ -612,7 +612,7 @@ func Test_Evaluate(t *testing.T) { name: "env mismatch", expected: errs.ErrorVerification, verifierOpts: dummyVerifierOpts{ - releaserID: releaserID2, + publishrID: publishrID2, packageName: "package_name", env: "staging", }, 
@@ -630,9 +630,9 @@ func Test_Evaluate(t *testing.T) {
 var verifier options.AttestationVerifier
 if !tt.noVerifier {
 verifier = common.NewAttestationVerifier(tt.verifierOpts.digests, tt.packageName,
- tt.verifierOpts.env, tt.verifierOpts.releaserID, tt.verifierOpts.buildLevel)
+ tt.verifierOpts.env, tt.verifierOpts.publishrID, tt.verifierOpts.buildLevel)
 }
- opts := options.ReleaseVerification{
+ opts := options.PublishVerification{
 Verifier: verifier,
 }
 protection, err := tt.policy.Evaluate(tt.digests, tt.packageName, tt.org, opts)
@@ -819,7 +819,7 @@ func Test_FromReaders(t *testing.T) {
 // Create the org policy (only the maxBuildLevel is needed).
 orgPolicy := organization.Policy{
 Roots: organization.Roots{
- Release: []organization.Root{
+ Publish: []organization.Root{
 {
 Build: organization.Build{
 MaxSlsaLevel: common.AsPointer(tt.maxBuildLevel - 1),
diff --git a/pkg/release/attestation.go b/pkg/publish/attestation.go
similarity index 92%
rename from pkg/release/attestation.go
rename to pkg/publish/attestation.go
index e7d90e6..089e62f 100644
--- a/pkg/release/attestation.go
+++ b/pkg/publish/attestation.go
@@ -1,4 +1,4 @@
-package release
+package publish
 
 import (
 "github.com/laurentsimon/slsa-policy/pkg/utils/intoto"
@@ -28,6 +28,6 @@ type properties map[string]interface{}
 
 const (
 statementType = "https://in-toto.io/Statement/v1"
- predicateType = "https://slsa.dev/release/v0.1"
+ predicateType = "https://slsa.dev/publish/v0.1"
 buildLevelProperty = "slsa.dev/build/level"
 )
diff --git a/pkg/release/create.go b/pkg/publish/create.go
similarity index 99%
rename from pkg/release/create.go
rename to pkg/publish/create.go
index 11070de..c32d25b 100644
--- a/pkg/release/create.go
+++ b/pkg/publish/create.go
@@ -1,4 +1,4 @@
-package release
+package publish
 
 import (
 "encoding/json"
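Review bot: `predicateType = "https://slsa.dev/publish/v0.1"` in attestation.go changes the identifier that binds an attestation to this predicate's schema, so attestations already signed with `https://slsa.dev/release/v0.1` and any verifier matching on the old URI become incompatible, while the version suffix stays at v0.1 as if nothing changed. Only the constant is visible here; whether the verification side still accepts the old predicate type during a transition, or rejects it, is not shown, so that decision should be made explicitly and recorded next to the constant, e.g. `// predicateType was https://slsa.dev/release/v0.1 before the release→publish rename; attestations carrying the old value are not accepted.` (or the opposite, if a compatibility window is intended). Calling this out as a breaking change in the commit description, rather than folding it into the rename, would also help consumers that pin the predicate type in their own policy.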
diff --git a/pkg/release/create_test.go b/pkg/publish/create_test.go similarity index 98% rename from pkg/release/create_test.go rename to pkg/publish/create_test.go index eebe83a..71279a1 100644 --- a/pkg/release/create_test.go +++ b/pkg/publish/create_test.go @@ -1,4 +1,4 @@ -package release +package publish import ( "testing" @@ -6,7 +6,7 @@ import ( "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" "github.com/laurentsimon/slsa-policy/pkg/errs" - "github.com/laurentsimon/slsa-policy/pkg/release/internal/common" + "github.com/laurentsimon/slsa-policy/pkg/publish/internal/common" "github.com/laurentsimon/slsa-policy/pkg/utils/intoto" ) diff --git a/pkg/release/internal/common/tests.go b/pkg/publish/internal/common/tests.go similarity index 97% rename from pkg/release/internal/common/tests.go rename to pkg/publish/internal/common/tests.go index fd9ba10..39f73d2 100644 --- a/pkg/release/internal/common/tests.go +++ b/pkg/publish/internal/common/tests.go @@ -6,7 +6,7 @@ import ( "io" "github.com/laurentsimon/slsa-policy/pkg/errs" - "github.com/laurentsimon/slsa-policy/pkg/release/internal/options" + "github.com/laurentsimon/slsa-policy/pkg/publish/internal/options" "github.com/laurentsimon/slsa-policy/pkg/utils/intoto" "github.com/laurentsimon/slsa-policy/pkg/utils/iterator" ) diff --git a/pkg/release/internal/options/options.go b/pkg/publish/internal/options/options.go similarity index 93% rename from pkg/release/internal/options/options.go rename to pkg/publish/internal/options/options.go index 2cb382c..7c1d56d 100644 --- a/pkg/release/internal/options/options.go +++ b/pkg/publish/internal/options/options.go 
@@ -7,7 +7,7 @@ import (
 // AttestationVerifier defines an interface to verify attestations.
 type AttestationVerifier interface {
 // Build attestations.
- VerifyBuildAttestation(digests intoto.DigestSet, releaseName, builderID, sourceName string) error
+ VerifyBuildAttestation(digests intoto.DigestSet, publishName, builderID, sourceName string) error
 }
 // BuildVerification defines the configuration to verify
diff --git a/pkg/release/internal/organization/organization.go b/pkg/publish/internal/organization/organization.go
similarity index 98%
rename from pkg/release/internal/organization/organization.go
rename to pkg/publish/internal/organization/organization.go
index 1a3d512..2aa8333 100644
--- a/pkg/release/internal/organization/organization.go
+++ b/pkg/publish/internal/organization/organization.go
@@ -7,7 +7,7 @@ import (
 "io/ioutil"
 "github.com/laurentsimon/slsa-policy/pkg/errs"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/options"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/options"
 "github.com/laurentsimon/slsa-policy/pkg/utils/intoto"
 )
diff --git a/pkg/release/internal/organization/organization_test.go b/pkg/publish/internal/organization/organization_test.go
similarity index 99%
rename from pkg/release/internal/organization/organization_test.go
rename to pkg/publish/internal/organization/organization_test.go
index 572a766..93c0609 100644
--- a/pkg/release/internal/organization/organization_test.go
+++ b/pkg/publish/internal/organization/organization_test.go
@@ -10,8 +10,8 @@ import (
 "github.com/google/go-cmp/cmp/cmpopts"
 "github.com/laurentsimon/slsa-policy/pkg/errs"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/common"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/options"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/common"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/options"
 "github.com/laurentsimon/slsa-policy/pkg/utils/intoto"
 )
diff --git a/pkg/release/internal/policy.go b/pkg/publish/internal/policy.go
similarity index 90%
rename from pkg/release/internal/policy.go
rename to pkg/publish/internal/policy.go
index e707445..fdee96d 100644
--- a/pkg/release/internal/policy.go
+++ b/pkg/publish/internal/policy.go
@@ -5,9 +5,9 @@ import (
 "io"
 "github.com/laurentsimon/slsa-policy/pkg/errs"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/options"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/organization"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/project"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/options"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/organization"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/project"
 "github.com/laurentsimon/slsa-policy/pkg/utils/intoto"
 "github.com/laurentsimon/slsa-policy/pkg/utils/iterator"
 )
diff --git a/pkg/release/internal/policy_test.go b/pkg/publish/internal/policy_test.go
similarity index 98%
rename from pkg/release/internal/policy_test.go
rename to pkg/publish/internal/policy_test.go
index a850e91..59e9632 100644
--- a/pkg/release/internal/policy_test.go
+++ b/pkg/publish/internal/policy_test.go
@@ -10,10 +10,10 @@ import (
 "github.com/google/go-cmp/cmp/cmpopts"
 "github.com/laurentsimon/slsa-policy/pkg/errs"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/common"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/options"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/organization"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/project"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/common"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/options"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/organization"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/project"
 "github.com/laurentsimon/slsa-policy/pkg/utils/intoto"
 )
diff --git a/pkg/release/internal/project/project.go b/pkg/publish/internal/project/project.go
similarity index 98%
rename from pkg/release/internal/project/project.go
rename to pkg/publish/internal/project/project.go
index 01a986e..bc689c7 100644
--- a/pkg/release/internal/project/project.go
+++ b/pkg/publish/internal/project/project.go
@@ -8,8 +8,8 @@ import (
 "slices"
 "github.com/laurentsimon/slsa-policy/pkg/errs"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/options"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/organization"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/options"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/organization"
 "github.com/laurentsimon/slsa-policy/pkg/utils/intoto"
 "github.com/laurentsimon/slsa-policy/pkg/utils/iterator"
 )
diff --git a/pkg/release/internal/project/project_test.go b/pkg/publish/internal/project/project_test.go
similarity index 98%
rename from pkg/release/internal/project/project_test.go
rename to pkg/publish/internal/project/project_test.go
index c948a7a..ec4e963 100644
--- a/pkg/release/internal/project/project_test.go
+++ b/pkg/publish/internal/project/project_test.go
@@ -8,9 +8,9 @@ import (
 "github.com/google/go-cmp/cmp/cmpopts"
 "github.com/laurentsimon/slsa-policy/pkg/errs"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/common"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/options"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/organization"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/common"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/options"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/organization"
 "github.com/laurentsimon/slsa-policy/pkg/utils/intoto"
 )
diff --git a/pkg/release/package.go b/pkg/publish/package.go
similarity index 97%
rename from pkg/release/package.go
rename to pkg/publish/package.go
index ba5bd7a..c040222 100644
--- a/pkg/release/package.go
+++ b/pkg/publish/package.go
@@ -1,4 +1,4 @@
-package release
+package publish
 import "github.com/laurentsimon/slsa-policy/pkg/utils/intoto"
diff --git a/pkg/release/release.go b/pkg/publish/release.go
similarity index 94%
rename from pkg/release/release.go
rename to pkg/publish/release.go
index 6ff1720..bb77336 100644
--- a/pkg/release/release.go
+++ b/pkg/publish/release.go
@@ -1,12 +1,12 @@
-package release
+package publish
 import (
 "fmt"
 "io"
 "github.com/laurentsimon/slsa-policy/pkg/errs"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/options"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/options"
 "github.com/laurentsimon/slsa-policy/pkg/utils/intoto"
 "github.com/laurentsimon/slsa-policy/pkg/utils/iterator"
 )
@@ -29,7 +29,7 @@ type RequestOption struct {
 Environment *string
 }
-// Policy defines the release policy.
+// Policy defines the publish policy.
 type Policy struct {
 policy *internal.Policy
 validator options.PolicyValidator
@@ -71,7 +71,7 @@ func (i *internal_validator) ValidatePackage(pkg options.ValidationPackage) erro
 })
 }
-// New creates a release policy.
+// New creates a publish policy.
 func PolicyNew(org io.ReadCloser, projects iterator.ReadCloserIterator, packageHelper PackageHelper, opts ...PolicyOption) (*Policy, error) {
 // Initialize a policy with caller options.
 p := new(Policy)
@@ -109,7 +109,7 @@ func (p *Policy) setValidator(validator PolicyValidator) error {
 return nil
 }
-// Evaluate evalues the release policy.
+// Evaluate evalues the publish policy.
 func (p *Policy) Evaluate(digests intoto.DigestSet, policyPackageName string, reqOpts RequestOption, opts AttestationVerificationOption) PolicyEvaluationResult {
 level, err := p.policy.Evaluate(digests, policyPackageName,
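Review bot: The rewritten doc comments in release.go do not name the declarations they sit on: `+// New creates a publish policy.` precedes `func PolicyNew(...)`, and `+// Evaluate evalues the publish policy.` keeps the typo `evalues`; since both lines are touched anyway, make them `// PolicyNew creates a publish policy.` and `// Evaluate evaluates the publish policy.` so godoc and linters associate them with the functions. The same mismatch is introduced in result.go in the next file section, where `+// Attestation creates a publish attestation.` precedes `func (r PolicyEvaluationResult) AttestationNew(...)` and `// AttestationNew creates a publish attestation.` fits. Relatedly, the files keep their old names (`pkg/publish/release.go`, `pkg/publish/release_test.go`) inside a package now called `publish`, which may be deliberate but leaves the rename half done. The bodies of `PolicyNew` and `Evaluate` continue outside their hunks.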
diff --git a/pkg/release/release_test.go b/pkg/publish/release_test.go
similarity index 98%
rename from pkg/release/release_test.go
rename to pkg/publish/release_test.go
index 03f8162..eecc59e 100644
--- a/pkg/release/release_test.go
+++ b/pkg/publish/release_test.go
@@ -1,4 +1,4 @@
-package release
+package publish
 import (
 "bytes"
@@ -9,9 +9,9 @@ import (
 "github.com/google/go-cmp/cmp"
 "github.com/google/go-cmp/cmp/cmpopts"
 "github.com/laurentsimon/slsa-policy/pkg/errs"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/common"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/organization"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/project"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/common"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/organization"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/project"
 "github.com/laurentsimon/slsa-policy/pkg/utils/intoto"
 )
diff --git a/pkg/release/result.go b/pkg/publish/result.go
similarity index 95%
rename from pkg/release/result.go
rename to pkg/publish/result.go
index 2ac1c80..6e7f29b 100644
--- a/pkg/release/result.go
+++ b/pkg/publish/result.go
@@ -1,4 +1,4 @@
-package release
+package publish
 import (
 "fmt"
@@ -17,7 +17,7 @@ type PolicyEvaluationResult struct {
 evaluated bool
 }
-// Attestation creates a release attestation.
+// Attestation creates a publish attestation.
 func (r PolicyEvaluationResult) AttestationNew(options ...AttestationCreationOption) (*Creation, error) {
 if r.Error() != nil {
 return nil, fmt.Errorf("%w: evaluation failed. Cannot create attestation", errs.ErrorInternal)
diff --git a/pkg/release/test_utils.go b/pkg/publish/test_utils.go
similarity index 98%
rename from pkg/release/test_utils.go
rename to pkg/publish/test_utils.go
index 987d4aa..a8ea415 100644
--- a/pkg/release/test_utils.go
+++ b/pkg/publish/test_utils.go
@@ -1,4 +1,4 @@
-package release
+package publish
 import (
 "fmt"
diff --git a/pkg/release/validator.go b/pkg/publish/validator.go
similarity index 96%
rename from pkg/release/validator.go
rename to pkg/publish/validator.go
index 775055e..ce755fe 100644
--- a/pkg/release/validator.go
+++ b/pkg/publish/validator.go
@@ -1,4 +1,4 @@
-package release
+package publish
 // ValidationPackage defines the structure holding
 // package information to be validated.
diff --git a/pkg/release/verify.go b/pkg/publish/verify.go
similarity index 96%
rename from pkg/release/verify.go
rename to pkg/publish/verify.go
index 742fc9d..73f21ae 100644
--- a/pkg/release/verify.go
+++ b/pkg/publish/verify.go
@@ -1,4 +1,4 @@
-package release
+package publish
 import (
 "encoding/json"
@@ -44,7 +44,7 @@ func (v *Verification) Verify(digests intoto.DigestSet, policyPackageName string
 }
 // Predicate type.
 if v.attestation.Header.PredicateType != predicateType {
- return fmt.Errorf("%w: attestation predicate type (%q) != release type (%q)", errs.ErrorMismatch,
+ return fmt.Errorf("%w: attestation predicate type (%q) != publish type (%q)", errs.ErrorMismatch,
 v.attestation.Header.PredicateType, predicateType)
 }
 // Subjects and digests.
@@ -195,7 +195,7 @@ func validateLevel(level int) error {
 func (v *Verification) attestationLevel() (int, error) {
 if v.attestation.Predicate.Properties == nil {
- return 0, fmt.Errorf("%w: release properties are empty", errs.ErrorMismatch)
+ return 0, fmt.Errorf("%w: publish properties are empty", errs.ErrorMismatch)
 }
 value, exists := v.attestation.Predicate.Properties[buildLevelProperty]
 if !exists {
diff --git a/pkg/release/verify_test.go b/pkg/publish/verify_test.go
similarity index 98%
rename from pkg/release/verify_test.go
rename to pkg/publish/verify_test.go
index f609178..f1241d4 100644
--- a/pkg/release/verify_test.go
+++ b/pkg/publish/verify_test.go
@@ -1,4 +1,4 @@
-package release
+package publish
 import (
 "bytes"
@@ -9,7 +9,7 @@ import (
 "github.com/google/go-cmp/cmp"
 "github.com/google/go-cmp/cmp/cmpopts"
 "github.com/laurentsimon/slsa-policy/pkg/errs"
- "github.com/laurentsimon/slsa-policy/pkg/release/internal/common"
+ "github.com/laurentsimon/slsa-policy/pkg/publish/internal/common"
 "github.com/laurentsimon/slsa-policy/pkg/utils/intoto"
 )
@@ -114,7 +114,7 @@ func Test_Verify(t *testing.T) {
 PredicateType: predicateType,
 Subjects: subjects,
 }
- releaseProperties := map[string]interface{}{
+ publishProperties := map[string]interface{}{
 buildLevelProperty: 3,
 }
 packageName := "package_name"
@@ -130,7 +130,7 @@ func Test_Verify(t *testing.T) {
 pred := predicate{
 CreationTime: intoto.Now(),
 Package: packageDesc,
- Properties: releaseProperties,
+ Properties: publishProperties,
 }
 att := attestation{
 Header: header,
@@ -230,7 +230,7 @@ func Test_Verify(t *testing.T) {
 Registry: packageRegistry,
 Environment: packageEnv,
 },
- Properties: releaseProperties,
+ Properties: publishProperties,
 },
 },
 buildLevel: buildLevel,
@@ -251,7 +251,7 @@ func Test_Verify(t *testing.T) {
 Predicate: predicate{
 CreationTime: intoto.Now(),
 // NOTE: no package set so empty URI.
- Properties: releaseProperties,
+ Properties: publishProperties,
 },
 },
 buildLevel: buildLevel,
@@ -473,7 +473,7 @@ func Test_Verify(t *testing.T) {
 Registry: packageRegistry,
 Version: packageVersion,
 },
- Properties: releaseProperties,
+ Properties: publishProperties,
 },
 },
 buildLevel: buildLevel,
@@ -502,7 +502,7 @@ func Test_Verify(t *testing.T) {
 Name: packageName,
 Registry: packageRegistry,
 },
- Properties: releaseProperties,
+ Properties: publishProperties,
 },
 },
 buildLevel: buildLevel,