
Function newEnforcementCriteria

pkg/cmd/attestation/verify/policy.go:30–108  ·  view source on GitHub ↗
28}
29
30func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, error) {
31 // initialize the enforcement criteria with the provided PredicateType
32 c := verification.EnforcementCriteria{
33 PredicateType: opts.PredicateType,
34 }
35
36 // set the owner value by checking the repo and owner options
37 var owner string
38 if opts.Repo != "" {
39 // we expect the repo argument to be in the format <OWNER>/<REPO>
40 splitRepo := strings.Split(opts.Repo, "/")
41 // if Repo is provided but owner is not, set the OWNER portion of the Repo value
42 // to Owner
43 owner = splitRepo[0]
44 } else {
45 // otherwise use the user provided owner value
46 owner = opts.Owner
47 }
48
49 // Set the SANRegex and SAN values using the provided options
50 // First check if the opts.SANRegex or opts.SAN values are provided
51 if opts.SANRegex != "" || opts.SAN != "" {
52 c.SANRegex = opts.SANRegex
53 c.SAN = opts.SAN
54 } else if opts.SignerRepo != "" {
55 // next check if opts.SignerRepo was provided
56 signedRepoRegex := expandToGitHubURLRegex(opts.Tenant, opts.SignerRepo)
57 c.SANRegex = signedRepoRegex
58 } else if opts.SignerWorkflow != "" {
59 validatedWorkflowRegex, err := validateSignerWorkflow(opts.Hostname, opts.SignerWorkflow)
60 if err != nil {
61 return verification.EnforcementCriteria{}, err
62 }
63 c.SANRegex = validatedWorkflowRegex
64 } else if opts.Repo != "" {
65 // if the user has not provided the SAN, SANRegex, SignerRepo, or SignerWorkflow options
66 // then we default to the repo option
67 c.SANRegex = expandToGitHubURLRegex(opts.Tenant, opts.Repo)
68 } else {
69 // if opts.Repo was not provided, we fall back to the opts.Owner value
70 c.SANRegex = expandToGitHubURLRegex(opts.Tenant, owner)
71 }
72
73 // if the DenySelfHostedRunner option is set to true, set the
74 // RunnerEnvironment extension to the GitHub hosted runner value
75 if opts.DenySelfHostedRunner {
76 c.Certificate.RunnerEnvironment = verification.GitHubRunner
77 } else {
78 // if Certificate.RunnerEnvironment value is set to the empty string
79 // through the second function argument,
80 // no certificate matching will happen on the RunnerEnvironment field
81 c.Certificate.RunnerEnvironment = ""
82 }
83
84 // If the Repo option is provided, set the SourceRepositoryURI extension
85 if opts.Repo != "" {
86 c.Certificate.SourceRepositoryURI = expandToGitHubURL(opts.Tenant, opts.Repo)
87 }
