slsa-framework · laurentsimon · Aug 11, 2023 · Jul 31, 2023 · Jul 31, 2023 · Jul 31, 2023
diff --git a/cli/slsa-verifier/verify/verify_artifact.go b/cli/slsa-verifier/verify/verify_artifact.go
@@ -54,6 +54,7 @@ func (c *VerifyArtifactCommand) Exec(ctx context.Context, artifacts []string) (*
 			ExpectedVersionedTag:   c.SourceVersionTag,
 			ExpectedTag:            c.SourceTag,
 			ExpectedWorkflowInputs: c.BuildWorkflowInputs,
+			ExpectedBuilderPath:    "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/",
 		}
 
 		builderOpts := &options.BuilderOpts{

@@ -18,7 +18,8 @@ type ProvenanceOpts struct {
 	// ExpectedSourceURI is the expected source URI in the provenance.
 	ExpectedSourceURI string
 
-	// ExpectedBuilderID is the expected builder ID.
+	// ExpectedBuilderID is the expected builder ID that is parsed from the envelope
+	// of the provenance.
 	ExpectedBuilderID string
 
 	// ExpectedWorkflowInputs is a map of key=value inputs.
@@ -27,10 +28,13 @@ type ProvenanceOpts struct {
 	ExpectedPackageName *string
 
 	ExpectedPackageVersion *string
+
+	ExpectedBuilderPath string
 }
 
 // BuildOpts are the options for checking the builder.
 type BuilderOpts struct {
-	// ExpectedID is the expected builder ID.
+	// ExpectedID is the expected builder ID that is inputted
+	// at the command line by the user to be verified.
 	ExpectedID *string
 }
@@ -109,11 +109,27 @@
 		if _, ok := defaultTrustedBuilders[certBuilderID]; !ok {
 			return nil, false, fmt.Errorf("%w: %s with builderID provided: %t", serrors.ErrorUntrustedReusableWorkflow, certBuilderID, expectedBuilderID != nil)
 		}
+
 		// Construct the builderID using the certificate's builder's name and tag.
 		trustedBuilderID, err = utils.TrustedBuilderIDNew(certBuilderID+"@"+certTag, true)
 		if err != nil {
 			return nil, false, err
 		}
+
+		// Check if:
+		// - the builder in the cert is a BYOB builder
+		// - the caller trusts the BYOB builder
+		// If both are true, we don't match the user-provided builder ID
+		// against the certificate. Instead that will be done by the caller.
+		//
+		// If using a trusted delgator builder, then return the builderID and true
+		// for byob to enable non-compulsory flag for builder-id, which allows
+		// the user to use slsa-github-generator builders and not type the --builder-id
+		// flag on the command line.
+		if isTrustedDelegatorBuilder(trustedBuilderID, defaultTrustedBuilders) {
+			return trustedBuilderID, true, nil
+		}
+
 	} else {
 		// Verify the builderID.
 		// We only accept IDs on github.com.

@@ -477,6 +477,15 @@ func Test_verifyTrustedBuilderID(t *testing.T) {
 			defaults: defaultBYOBReusableWorkflows,
 			byob:     true,
 		},
+		{
+			// This is a BYOB workflow without an id that tests non-compulsory builder-id
+			// feature of slsa-verifier and expects byob to be true
+			name:     "generic delegator workflow no id",
+			path:     trustedBuilderRepository + "/.github/workflows/delegator_generic_slsa3.yml",
+			tag:      "refs/tags/v1.2.3",
+			defaults: defaultBYOBReusableWorkflows,
+			byob:     true,
+		},
 		{
 			name:     "low perms delegator workflow short tag",
 			path:     trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml",
@@ -486,10 +495,13 @@ func Test_verifyTrustedBuilderID(t *testing.T) {
 			byob:     true,
 		},
 		{
+			// This is a BYOB workflow without an id that tests non-compulsory builder-id
+			// feature of slsa-verifier and expects byob to be true
 			name:     "low perms delegator workflow no ID provided",
 			path:     trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml",
 			tag:      "v1.2.3",
 			defaults: defaultBYOBReusableWorkflows,
+			byob:     true,
 		},
 		{
 			name:     "default mismatch against container defaults long tag",

@@ -58,6 +58,43 @@
 	return nil
 }
 
+// Inputs value in place of --BuilderID for builders of ExpectedPath such that the builderID for
+// the builders do not need to be inputted. Example: the expectedBuilderID will default to
+// the delegator builder ID for BYOB, this can verify actual BYOB builder for user without --builder-id flag.
+// Currently slsa-framework path is the only one supported for ExpectedBuilderPath.
+func verifyBuilderIDPath(prov iface.Provenance, builderOpts *options.BuilderOpts, provenanceOpts *options.ProvenanceOpts) error {
+	id, err := prov.BuilderID()
+	if err != nil {
+		return err
+	}
+
+	provBuilderID, err := utils.TrustedBuilderIDNew(id, false)
+	if err != nil {
+		return err
+	}
+
+	// This is the prefix to check for to verify that the builder is from expected builder path
+	// If this prefix is present, then the --builder-id flag is not needed at CLI command.
+	builder_path_prefix := provenanceOpts.ExpectedBuilderPath
+
+	if !(strings.HasPrefix(provBuilderID.Name(), builder_path_prefix)) {
+		return fmt.Errorf("%w: expected slsa-framework BYOB Builder ID in provenance in order to not input --builder-id at command line. Got: %q. Expected: %q", serrors.ErrorInvalidBuilderID, provBuilderID.Name(), builder_path_prefix)
+	}
+
+	// Only set if user input is empty and builder is one of expected builders of Expected Builder Path
+	if strings.HasPrefix(provBuilderID.Name(), builder_path_prefix) && builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" {
+		// Allocate temp string to set pointer, tempBuilderID, to set builderOpts.ExpectedID
+		var str string
+		str = provBuilderID.Name()
+
+		var tempBuilderID *string
+		tempBuilderID = &(str)
+		builderOpts.ExpectedID = tempBuilderID
+	}
+
+	return nil
+}
+
 // Verify Builder ID in provenance statement.
 // This function verifies the names match. If the expected builder ID contains a version,
 // it also verifies the versions match.
@@ -70,6 +107,7 @@
 	if err != nil {
 		return err
 	}
+
 	if err := provBuilderID.MatchesLoose(expectedBuilderID, true); err != nil {
 		return err
 	}
@@ -286,7 +324,8 @@
 }
 
 // VerifyProvenance verifies the provenance for the given DSSE envelope.
-func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, byob bool) error {
+func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts, trustedBuilderID *utils.TrustedBuilderID, byob bool,
+	builderOpts *options.BuilderOpts) error {
 	prov, err := slsaprovenance.ProvenanceFromEnvelope(trustedBuilderID.Name(), env)
 	if err != nil {
 		return err
@@ -297,7 +336,19 @@
 		if err := isValidDelegatorBuilderID(prov); err != nil {
 			return err
 		}
+
+		// If the --builder-id flag is empty and the builder used to build artifact is not from ExpectedBuilderPath
+		// then throw the error.
+		if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" {
+			// If the --builder-id is empty, check to see if is made with an Expected Builder
+			if err := verifyBuilderIDPath(prov, builderOpts, provenanceOpts); err != nil {
+				return err
+			}
+		}
+
+		provenanceOpts.ExpectedBuilderID = *builderOpts.ExpectedID
 		// Note: `provenanceOpts.ExpectedBuilderID` is provided by the user.
+		// or is taken from the user if it matches expected builder and --builder-id is empty
 		if err := verifyBuilderIDLooseMatch(prov, provenanceOpts.ExpectedBuilderID); err != nil {
 			return err
 		}

@@ -71,15 +71,8 @@ func verifyEnvAndCert(env *dsse.Envelope,
 	// There is a corner-case to handle: if the verified builder ID from the cert
 	// is a delegator builder, the user MUST provide an expected builder ID
 	// and we MUST match it against the content of the provenance.
-	if byob {
-		if builderOpts.ExpectedID == nil || *builderOpts.ExpectedID == "" {
-			// NOTE: we will need to update the logic here once our default trusted builders
-			// are migrated to using BYOB.
-			return nil, nil, fmt.Errorf("%w: empty ID", serrors.ErrorInvalidBuilderID)
-		}
-		provenanceOpts.ExpectedBuilderID = *builderOpts.ExpectedID
-	}
-	if err := VerifyProvenance(env, provenanceOpts, verifiedBuilderID, byob); err != nil {
+
+	if err := VerifyProvenance(env, provenanceOpts, verifiedBuilderID, byob, builderOpts); err != nil {
 		return nil, nil, err
 	}