test: add tests for v1.7.0 builders (#638)

* test: add tests for v1.7.0 builders

Signed-off-by: Asra Ali <asraa@google.com>

---------

Signed-off-by: Asra Ali <asraa@google.com>

cli/slsa-verifier/main_regression_test.go

@@ -74,6 +74,10 @@ func getBuildersAndVersions(t *testing.T,
 }
 
 func Test_runVerifyGHAArtifactPath(t *testing.T) {
+	// We cannot use t.Setenv due to parallelized tests.
+	// TODO(639): Remove this by regenerating multiple subjects test.
+	os.Setenv("SLSA_VERIFIER_TESTING", "1")
+
 	t.Parallel()
 	goBuilder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml"
 	genericBuilder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml"
@@ -1298,11 +1302,7 @@ func Test_runVerifyGCBArtifactImage(t *testing.T) {
 	}
 }
 
-// TODO(#485): Version the test-cases when a version for the builder is released.
 func Test_runVerifyGHAContainerBased(t *testing.T) {
-	// We cannot use t.Setenv due to parallelized tests.
-	os.Setenv("SLSA_VERIFIER_TESTING", "1")
-
 	t.Parallel()
 
 	tests := []struct {
@@ -1318,58 +1318,58 @@ func Test_runVerifyGHAContainerBased(t *testing.T) {
 	}{
 		{
 			name:      "valid main branch default",
-			artifacts: []string{"workflow_dispatch.main.default"},
+			artifacts: []string{"binary-linux-amd64-workflow_dispatch"},
 			source:    "github.com/slsa-framework/example-package",
 		},
 		{
 			name:        "versioned tag no match empty tag workflow_dispatch",
-			artifacts:   []string{"workflow_dispatch.main.default"},
+			artifacts:   []string{"binary-linux-amd64-workflow_dispatch"},
 			source:      "github.com/slsa-framework/example-package",
 			pversiontag: pString("v1"),
 			err:         serrors.ErrorInvalidRef,
 		},
 		{
 			name:      "tag no match empty tag workflow_dispatch",
-			artifacts: []string{"workflow_dispatch.main.default"},
+			artifacts: []string{"binary-linux-amd64-workflow_dispatch"},
 			source:    "github.com/slsa-framework/example-package",
 			ptag:      pString("v1.2.3"),
 			err:       serrors.ErrorInvalidRef,
 		},
 		{
 			name:      "wrong branch master",
-			artifacts: []string{"workflow_dispatch.main.default"},
+			artifacts: []string{"binary-linux-amd64-workflow_dispatch"},
 			source:    "github.com/slsa-framework/example-package",
 			pbranch:   pString("master"),
 			err:       serrors.ErrorMismatchBranch,
 		},
 		{
 			name:      "valid main branch set",
-			artifacts: []string{"workflow_dispatch.main.default"},
+			artifacts: []string{"binary-linux-amd64-workflow_dispatch"},
 			source:    "github.com/slsa-framework/example-package",
 			pbranch:   pString("main"),
 		},
 		{
 			name:       "valid main branch default - invalid builderID",
-			artifacts:  []string{"workflow_dispatch.main.default"},
+			artifacts:  []string{"binary-linux-amd64-workflow_dispatch"},
 			source:     "github.com/slsa-framework/example-package",
 			pBuilderID: pString("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/not-trusted.yml"),
 			err:        serrors.ErrorUntrustedReusableWorkflow,
 		},
 		{
 			name:      "wrong source append A",
-			artifacts: []string{"workflow_dispatch.main.default"},
+			artifacts: []string{"binary-linux-amd64-workflow_dispatch"},
 			source:    "github.com/slsa-framework/example-packageA",
 			err:       serrors.ErrorMismatchSource,
 		},
 		{
 			name:      "wrong source prepend A",
-			artifacts: []string{"workflow_dispatch.main.default"},
+			artifacts: []string{"binary-linux-amd64-workflow_dispatch"},
 			source:    "Agithub.com/slsa-framework/example-package",
 			err:       serrors.ErrorMismatchSource,
 		},
 		{
 			name:      "wrong source middle A",
-			artifacts: []string{"workflow_dispatch.main.default"},
+			artifacts: []string{"binary-linux-amd64-workflow_dispatch"},
 			source:    "github.com/Aslsa-framework/example-package",
 			err:       serrors.ErrorMismatchSource,
 		},
@@ -1399,14 +1399,10 @@ func Test_runVerifyGHAContainerBased(t *testing.T) {
 				builder := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_container-based_slsa3.yml"
 
 				refName := "@refs/tags/"
-				if sv == "main" {
-					refName = "@refs/heads/"
-				}
-				// TODO(#485): Add pString(builder + "@" + sv) when migrating to tagged builders
-				// and remove main builder test.
 				builderIDs := []*string{
 					pString(builder + refName + sv),
 					pString(builder),
+					pString(builder + "@" + sv),
 					nil,
 				}
 

cli/slsa-verifier/testdata/gha_container-based/main/workflow_dispatch.main.default

@@ -1,4 +0,0 @@
-# Simple command for generating a file.
-command = ["cp", ".github/configs-docker/config.toml", "config.toml"]
-# Path to the file generated by the command above.
-artifact_path = "config.toml"

cli/slsa-verifier/testdata/gha_generic_container/v1.7.0/container_workflow_dispatch.digest

@@ -0,0 +1 @@
+sha256:ca6221e2d0def24e302530f727689a2ab8539a690c740527db33a520284cf141

cli/slsa-verifier/testdata/gha_generic_container/v1.7.0/container_workflow_dispatch/blobs/sha256/3b6bc85571318f9aaba55a5eb599a946b7492c0dfd8b5952760d0b5ce88e1558

@@ -0,0 +1,19 @@
+{
+  "mediaType": "application/vnd.oci.image.manifest.v1+json",
+  "schemaVersion": 2,
+  "config": {
+    "mediaType": "application/vnd.oci.image.config.v1+json",
+    "digest": "sha256:a1abac53d6ea6d96603b6de85da053079ed7c86d2be4249b071cca747f588461",
+    "size": 167
+  },
+  "layers": [
+    {
+      "mediaType": "application/vnd.in-toto+json",
+      "digest": "sha256:5df72ae6c51fcff1ee6bf5d3807841fd0490907ec0c2329f9559134ed48faeed",
+      "size": 14169,
+      "annotations": {
+        "in-toto.io/predicate-type": "https://slsa.dev/provenance/v0.2"
+      }
+    }
+  ]
+}

cli/slsa-verifier/testdata/gha_generic_container/v1.7.0/container_workflow_dispatch/blobs/sha256/590e0b6222ec244abc2806e267ec3fff1c77ab4a38d0c642ab7fed04855c0bb5

@@ -0,0 +1 @@
+{"architecture":"amd64","config":{"User":"0","Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"],"Entrypoint":["/app"],"WorkingDir":"/","Labels":{"org.opencontainers.image.created":"2023-06-07T14:40:46.596Z","org.opencontainers.image.description":"","org.opencontainers.image.licenses":"Apache-2.0","org.opencontainers.image.revision":"62cb1f1e485829bafe8bbec8b9900c0cb7624fe7","org.opencontainers.image.source":"https://github.com/slsa-framework/example-package","org.opencontainers.image.title":"example-package","org.opencontainers.image.url":"https://github.com/slsa-framework/example-package","org.opencontainers.image.version":"main"},"OnBuild":null},"created":"2023-06-07T14:41:12.803853761Z","history":[{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"0001-01-01T00:00:00Z"},{"created":"2023-06-07T14:41:12.803853761Z","created_by":"COPY /app/app /app # buildkit","comment":"buildkit.dockerfile.v0"},{"created":"2023-06-07T14:41:12.803853761Z","created_by":"ENTRYPOINT [\"/app\"]","comment":"buildkit.dockerfile.v0","empty_layer":true}],"moby.buildkit.buildinfo.v1":"eyJmcm9udGVuZCI6ImRvY2tlcmZpbGUudjAiLCJzb3VyY2VzIjpbeyJ0eXBlIjoiZG9ja2VyLWltYWdlIiwicmVmIjoiZG9ja2VyLmlvL2xpYnJhcnkvZ29sYW5nOjEuMjBAc2hhMjU2OjY5MGU0MTM1YmYyYTQ1NzFhNTcyYmZkNWRkZmE4MDZiMWNiOWMzZGVhMDQ0NmViYWRhZjMyYmMyZWEwOWQ0ZjkiLCJwaW4iOiJzaGEyNTY6NjkwZTQxMzViZjJhNDU3MWE1NzJiZmQ1ZGRmYTgwNmIxY2I5YzNkZWEwNDQ2ZWJhZGFmMzJiYzJlYTA5ZDRmOSJ9LHsidHlwZSI6ImRvY2tlci1pbWFnZSIsInJlZiI6Imdjci5pby9kaXN0cm9sZXNzL3N0YXRpY0BzaGEyNTY6NzE5OGEzNTdmZjNhOGVmNzUwYjA0MTMyNDg3Mzk2MGNmMjE1M2MxMWNjNTBhYmI5ZDhkNWY4YmIwODlmNmI0ZSIsInBpbiI6InNoYTI1Njo3MTk4YTM1N2ZmM2E4ZWY3NTBiMDQxMzI0ODczOTYwY2YyMTUzYzExY2M1MGFiYjlkOGQ1ZjhiYjA4OWY2YjRlIn0seyJ0eXBlIjoiZ2l0IiwicmVmIjoiaHR0cHM6Ly9naXRodWIuY29tL3Nsc2EtZnJhbWV3b3JrL2V4YW1wbGUtcGFja2FnZS5naXQjNjJjYjFmMWU0ODU4MjliYWZlOGJiZWM4Yjk5MDBjMGNiNzYyNGZlNyIsInBpbiI6IjYyY2IxZjFlNDg1ODI5YmFmZThiYmVjOGI5OTAwYzBjYjc2MjRmZTcifV19","os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:e023e0e48e6e29e90e519f4dd356d058ff2bffbd16e28b802f3b8f93aa4ccb17","sha256:6fbdf253bbc2490dcfede5bdb58ca0db63ee8aff565f6ea9f918f3bce9e2d5aa","sha256:7bea6b893187b14fc0a759fe5f8972d1292a9c0554c87cbf485f0947c26b8a05","sha256:ff5700ec54186528cbae40f54c24b1a34fb7c01527beaa1232868c16e2353f52","sha256:d52f02c6501c9c4410568f0bf6ff30d30d8290f57794c308fe36ea78393afac2","sha256:e624a5370eca2b8266e74d179326e2a8767d361db14d13edd9fb57e408731784","sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849","sha256:d2d7ec0f6756eb51cf1602c6f8ac4dd811d3d052661142e0110357bf0b581457","sha256:4cb10dd2545bd173858450b80853b850e49608260f1a0789e0d0b39edf12f500","sha256:ed089d1abe26528b53cac6ff540996a9bdb1d0f71763f985cbe0f38213134cb3"]}}

cli/slsa-verifier/testdata/gha_generic_container/v1.7.0/container_workflow_dispatch/blobs/sha256/664e0d6fa6c052d40d47532cc3c2de3717b531c3ac11fed35e7cbb82fb801ead

@@ -0,0 +1,61 @@
+{
+  "mediaType": "application/vnd.oci.image.manifest.v1+json",
+  "schemaVersion": 2,
+  "config": {
+    "mediaType": "application/vnd.oci.image.config.v1+json",
+    "digest": "sha256:590e0b6222ec244abc2806e267ec3fff1c77ab4a38d0c642ab7fed04855c0bb5",
+    "size": 3028
+  },
+  "layers": [
+    {
+      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+      "digest": "sha256:a7ca0d9ba68fdce7e15bc0952d3e898e970548ca24d57698725836c039086639",
+      "size": 103732
+    },
+    {
+      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+      "digest": "sha256:fe5ca62666f04366c8e7f605aa82997d71320183e99962fa76b3209fdfbb8b58",
+      "size": 21202
+    },
+    {
+      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+      "digest": "sha256:b02a7525f878e61fc1ef8a7405a2cc17f866e8de222c1c98fd6681aff6e509db",
+      "size": 716491
+    },
+    {
+      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+      "digest": "sha256:fcb6f6d2c9986d9cd6a2ea3cc2936e5fc613e09f1af9042329011e43057f3265",
+      "size": 317
+    },
+    {
+      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+      "digest": "sha256:e8c73c638ae9ec5ad70c49df7e484040d889cca6b4a9af056579c3d058ea93f0",
+      "size": 198
+    },
+    {
+      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+      "digest": "sha256:1e3d9b7d145208fa8fa3ee1c9612d0adaac7255f1bbc9ddea7e461e0b317805c",
+      "size": 113
+    },
+    {
+      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+      "digest": "sha256:4aa0ea1413d37a58615488592a0b827ea4b2e48fa5a77cf707d0e35f025e613f",
+      "size": 385
+    },
+    {
+      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+      "digest": "sha256:7c881f9ab25e0d86562a123b5fb56aebf8aa0ddd7d48ef602faf8d1e7cf43d8c",
+      "size": 355
+    },
+    {
+      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+      "digest": "sha256:5627a970d25e752d971a501ec7e35d0d6fdcd4a3ce9e958715a686853024794a",
+      "size": 130562
+    },
+    {
+      "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
+      "digest": "sha256:d8fea4b4260b2a1df26c2e2fb952ddedc47413053d56900175b81485282bb8f2",
+      "size": 647977
+    }
+  ]
+}

cli/slsa-verifier/testdata/gha_generic_container/v1.7.0/container_workflow_dispatch/blobs/sha256/a1abac53d6ea6d96603b6de85da053079ed7c86d2be4249b071cca747f588461

@@ -0,0 +1 @@
+{"architecture":"unknown","os":"unknown","config":{},"rootfs":{"type":"layers","diff_ids":["sha256:5df72ae6c51fcff1ee6bf5d3807841fd0490907ec0c2329f9559134ed48faeed"]}}

cli/slsa-verifier/testdata/gha_generic_container/v1.7.0/container_workflow_dispatch/blobs/sha256/ca6221e2d0def24e302530f727689a2ab8539a690c740527db33a520284cf141

@@ -0,0 +1,28 @@
+{
+  "mediaType": "application/vnd.oci.image.index.v1+json",
+  "schemaVersion": 2,
+  "manifests": [
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:664e0d6fa6c052d40d47532cc3c2de3717b531c3ac11fed35e7cbb82fb801ead",
+      "size": 2183,
+      "platform": {
+        "architecture": "amd64",
+        "os": "linux"
+      }
+    },
+    {
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "digest": "sha256:3b6bc85571318f9aaba55a5eb599a946b7492c0dfd8b5952760d0b5ce88e1558",
+      "size": 567,
+      "annotations": {
+        "vnd.docker.reference.digest": "sha256:664e0d6fa6c052d40d47532cc3c2de3717b531c3ac11fed35e7cbb82fb801ead",
+        "vnd.docker.reference.type": "attestation-manifest"
+      },
+      "platform": {
+        "architecture": "unknown",
+        "os": "unknown"
+      }
+    }
+  ]
+}

cli/slsa-verifier/testdata/gha_generic_container/v1.7.0/container_workflow_dispatch/blobs/sha256/df5a248d9e4fd1aa3a8d5f693f9ba04ff10855966fb3cd7030cc33647d98ce2e

@@ -0,0 +1 @@
+{"architecture":"","created":"2023-06-07T14:43:07.862588422Z","history":[{"created":"0001-01-01T00:00:00Z"}],"os":"","rootfs":{"type":"layers","diff_ids":["sha256:4a1b72c77c15781687300c3b0362513b5b040ac33dcaee4e245c24621d494d4d"]},"config":{}}

cli/slsa-verifier/testdata/gha_generic_container/v1.7.0/container_workflow_dispatch/index.json

@@ -0,0 +1,21 @@
+{
+   "schemaVersion": 2,
+   "manifests": [
+      {
+         "mediaType": "application/vnd.oci.image.index.v1+json",
+         "size": 856,
+         "digest": "sha256:ca6221e2d0def24e302530f727689a2ab8539a690c740527db33a520284cf141",
+         "annotations": {
+            "kind": "dev.cosignproject.cosign/imageIndex"
+         }
+      },
+      {
+         "mediaType": "application/vnd.oci.image.manifest.v1+json",
+         "size": 10368,
+         "digest": "sha256:dbc658f204833d5ffcad9bf9c47a5af6cd39eea875f0a69879ae4850237ab777",
+         "annotations": {
+            "kind": "dev.cosignproject.cosign/atts"
+         }
+      }
+   ]
+}

cli/slsa-verifier/testdata/gha_generic_container/v1.7.0/container_workflow_dispatch/oci-layout

@@ -0,0 +1,3 @@
+{
+    "imageLayoutVersion": "1.0.0"
+}