| 28 | } |
| 29 | |
| 30 | func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, error) { |
| 31 | // initialize the enforcement criteria with the provided PredicateType |
| 32 | c := verification.EnforcementCriteria{ |
| 33 | PredicateType: opts.PredicateType, |
| 34 | } |
| 35 | |
| 36 | // set the owner value by checking the repo and owner options |
| 37 | var owner string |
| 38 | if opts.Repo != "" { |
| 39 | // we expect the repo argument to be in the format <OWNER>/<REPO> |
| 40 | splitRepo := strings.Split(opts.Repo, "/") |
| 41 | // if Repo is provided but owner is not, set the OWNER portion of the Repo value |
| 42 | // to Owner |
| 43 | owner = splitRepo[0] |
| 44 | } else { |
| 45 | // otherwise use the user provided owner value |
| 46 | owner = opts.Owner |
| 47 | } |
| 48 | |
| 49 | // Set the SANRegex and SAN values using the provided options |
| 50 | // First check if the opts.SANRegex or opts.SAN values are provided |
| 51 | if opts.SANRegex != "" || opts.SAN != "" { |
| 52 | c.SANRegex = opts.SANRegex |
| 53 | c.SAN = opts.SAN |
| 54 | } else if opts.SignerRepo != "" { |
| 55 | // next check if opts.SignerRepo was provided |
| 56 | signedRepoRegex := expandToGitHubURLRegex(opts.Tenant, opts.SignerRepo) |
| 57 | c.SANRegex = signedRepoRegex |
| 58 | } else if opts.SignerWorkflow != "" { |
| 59 | validatedWorkflowRegex, err := validateSignerWorkflow(opts.Hostname, opts.SignerWorkflow) |
| 60 | if err != nil { |
| 61 | return verification.EnforcementCriteria{}, err |
| 62 | } |
| 63 | c.SANRegex = validatedWorkflowRegex |
| 64 | } else if opts.Repo != "" { |
| 65 | // if the user has not provided the SAN, SANRegex, SignerRepo, or SignerWorkflow options |
| 66 | // then we default to the repo option |
| 67 | c.SANRegex = expandToGitHubURLRegex(opts.Tenant, opts.Repo) |
| 68 | } else { |
| 69 | // if opts.Repo was not provided, we fall back to the opts.Owner value |
| 70 | c.SANRegex = expandToGitHubURLRegex(opts.Tenant, owner) |
| 71 | } |
| 72 | |
| 73 | // if the DenySelfHostedRunner option is set to true, set the |
| 74 | // RunnerEnvironment extension to the GitHub hosted runner value |
| 75 | if opts.DenySelfHostedRunner { |
| 76 | c.Certificate.RunnerEnvironment = verification.GitHubRunner |
| 77 | } else { |
| 78 | // if Certificate.RunnerEnvironment value is set to the empty string |
| 79 | // through the second function argument, |
| 80 | // no certificate matching will happen on the RunnerEnvironment field |
| 81 | c.Certificate.RunnerEnvironment = "" |
| 82 | } |
| 83 | |
| 84 | // If the Repo option is provided, set the SourceRepositoryURI extension |
| 85 | if opts.Repo != "" { |
| 86 | c.Certificate.SourceRepositoryURI = expandToGitHubURL(opts.Tenant, opts.Repo) |
| 87 | } |