|
29 | 29 | analyze_repo_metadata, |
30 | 30 | ) |
31 | 31 | from verify_action_build.security import ( |
| 32 | + _fetch_release_asset_bytes, |
32 | 33 | _file_is_pure_data_fetch, |
33 | 34 | _find_binary_downloads_js, |
34 | 35 | _looks_like_in_tree_binary, |
35 | 36 | _parse_sha256sums, |
| 37 | + verify_trusted_download_provenance, |
36 | 38 | ) |
37 | 39 |
|
38 | 40 |
|
@@ -1668,6 +1670,322 @@ def test_many_binaries_truncates_in_message(self): |
1668 | 1670 | assert "17 more" in msg |
1669 | 1671 |
|
1670 | 1672 |
|
| 1673 | +class TestVerifyTrustedDownloadProvenance: |
| 1674 | + """Runtime check that backs the TRUSTED_DOWNLOAD_PROVENANCE escape |
| 1675 | + hatch. The config alone is not enough — at scan time we must confirm |
| 1676 | + the release repo publishes immutable releases AND has a valid |
| 1677 | + Sigstore attestation on at least one asset. |
| 1678 | + """ |
| 1679 | + |
| 1680 | + _CONFIG = { |
| 1681 | + "testorg/testaction": { |
| 1682 | + "release_repo": "testorg/testtool", |
| 1683 | + "rationale": "test rationale", |
| 1684 | + }, |
| 1685 | + } |
| 1686 | + |
| 1687 | + def test_no_config_returns_no_opinion(self): |
| 1688 | + # Action without an entry: returns (False, "") so the caller |
| 1689 | + # leaves the existing failure as-is. |
| 1690 | + passed, reason = verify_trusted_download_provenance("unknown", "action") |
| 1691 | + assert passed is False |
| 1692 | + assert reason == "" |
| 1693 | + |
| 1694 | + def test_release_fetch_failure(self): |
| 1695 | + with mock.patch.dict( |
| 1696 | + "verify_action_build.security.TRUSTED_DOWNLOAD_PROVENANCE", |
| 1697 | + self._CONFIG, clear=True, |
| 1698 | + ): |
| 1699 | + with mock.patch( |
| 1700 | + "verify_action_build.security._fetch_release_metadata", |
| 1701 | + return_value=None, |
| 1702 | + ): |
| 1703 | + passed, reason = verify_trusted_download_provenance( |
| 1704 | + "testorg", "testaction", |
| 1705 | + ) |
| 1706 | + assert passed is False |
| 1707 | + assert "could not fetch latest release" in reason |
| 1708 | + assert "testorg/testtool" in reason |
| 1709 | + |
| 1710 | + def test_release_not_immutable_fails(self): |
| 1711 | + release = { |
| 1712 | + "tag_name": "v1.2.3", |
| 1713 | + "immutable": False, |
| 1714 | + "assets": [{"name": "tool.sbom.json", "size": 1024, "url": "u"}], |
| 1715 | + } |
| 1716 | + with mock.patch.dict( |
| 1717 | + "verify_action_build.security.TRUSTED_DOWNLOAD_PROVENANCE", |
| 1718 | + self._CONFIG, clear=True, |
| 1719 | + ): |
| 1720 | + with mock.patch( |
| 1721 | + "verify_action_build.security._fetch_release_metadata", |
| 1722 | + return_value=release, |
| 1723 | + ): |
| 1724 | + passed, reason = verify_trusted_download_provenance( |
| 1725 | + "testorg", "testaction", |
| 1726 | + ) |
| 1727 | + assert passed is False |
| 1728 | + assert "NOT marked immutable" in reason |
| 1729 | + assert "v1.2.3" in reason |
| 1730 | + |
| 1731 | + def test_no_asset_downloadable_fails(self): |
| 1732 | + # Release is immutable but every asset download attempt fails — |
| 1733 | + # we can't run the attestation spot-check, so we can't accept |
| 1734 | + # the trust anchor. |
| 1735 | + release = {"tag_name": "v1.2.3", "immutable": True, "assets": []} |
| 1736 | + with mock.patch.dict( |
| 1737 | + "verify_action_build.security.TRUSTED_DOWNLOAD_PROVENANCE", |
| 1738 | + self._CONFIG, clear=True, |
| 1739 | + ): |
| 1740 | + with mock.patch( |
| 1741 | + "verify_action_build.security._fetch_release_metadata", |
| 1742 | + return_value=release, |
| 1743 | + ): |
| 1744 | + with mock.patch( |
| 1745 | + "verify_action_build.security._fetch_release_asset_bytes", |
| 1746 | + return_value=(None, None), |
| 1747 | + ): |
| 1748 | + passed, reason = verify_trusted_download_provenance( |
| 1749 | + "testorg", "testaction", |
| 1750 | + ) |
| 1751 | + assert passed is False |
| 1752 | + assert "no asset could be downloaded" in reason |
| 1753 | + |
| 1754 | + def test_attestation_verify_failure(self): |
| 1755 | + release = { |
| 1756 | + "tag_name": "v2.12.2", |
| 1757 | + "immutable": True, |
| 1758 | + "assets": [{"name": "tool.sbom.json", "size": 340_000, "url": "u"}], |
| 1759 | + } |
| 1760 | + with mock.patch.dict( |
| 1761 | + "verify_action_build.security.TRUSTED_DOWNLOAD_PROVENANCE", |
| 1762 | + self._CONFIG, clear=True, |
| 1763 | + ): |
| 1764 | + with mock.patch( |
| 1765 | + "verify_action_build.security._fetch_release_metadata", |
| 1766 | + return_value=release, |
| 1767 | + ): |
| 1768 | + with mock.patch( |
| 1769 | + "verify_action_build.security._fetch_release_asset_bytes", |
| 1770 | + return_value=("tool.sbom.json", b"sbom-bytes"), |
| 1771 | + ): |
| 1772 | + with mock.patch( |
| 1773 | + "verify_action_build.security._verify_via_gh_attestation", |
| 1774 | + return_value=False, |
| 1775 | + ): |
| 1776 | + passed, reason = verify_trusted_download_provenance( |
| 1777 | + "testorg", "testaction", |
| 1778 | + ) |
| 1779 | + assert passed is False |
| 1780 | + assert "gh attestation verify" in reason |
| 1781 | + assert "tool.sbom.json" in reason |
| 1782 | + |
| 1783 | + def test_happy_path(self): |
| 1784 | + # Immutable release + asset downloads + gh attestation verifies |
| 1785 | + # → escape hatch accepts the trust anchor. |
| 1786 | + release = { |
| 1787 | + "tag_name": "v2.12.2", |
| 1788 | + "immutable": True, |
| 1789 | + "assets": [{"name": "tool.sbom.json", "size": 340_000, "url": "u"}], |
| 1790 | + } |
| 1791 | + with mock.patch.dict( |
| 1792 | + "verify_action_build.security.TRUSTED_DOWNLOAD_PROVENANCE", |
| 1793 | + self._CONFIG, clear=True, |
| 1794 | + ): |
| 1795 | + with mock.patch( |
| 1796 | + "verify_action_build.security._fetch_release_metadata", |
| 1797 | + return_value=release, |
| 1798 | + ): |
| 1799 | + with mock.patch( |
| 1800 | + "verify_action_build.security._fetch_release_asset_bytes", |
| 1801 | + return_value=("tool.sbom.json", b"sbom-bytes"), |
| 1802 | + ): |
| 1803 | + with mock.patch( |
| 1804 | + "verify_action_build.security._verify_via_gh_attestation", |
| 1805 | + return_value=True, |
| 1806 | + ): |
| 1807 | + passed, reason = verify_trusted_download_provenance( |
| 1808 | + "testorg", "testaction", |
| 1809 | + ) |
| 1810 | + assert passed is True |
| 1811 | + assert "GitHub-immutable" in reason |
| 1812 | + assert "Sigstore provenance" in reason |
| 1813 | + assert "tool.sbom.json" in reason |
| 1814 | + |
| 1815 | + |
| 1816 | +class TestFetchReleaseAssetBytes: |
| 1817 | + """Asset selection for the attestation spot-check: name-preference |
| 1818 | + ordering picks the cheapest valid probe (sbom > intoto > tarball > |
| 1819 | + zip); smallest-asset fallback only fires when no preference matches. |
| 1820 | + """ |
| 1821 | + |
| 1822 | + def test_prefers_sbom_over_tarball(self): |
| 1823 | + release = { |
| 1824 | + "assets": [ |
| 1825 | + {"name": "tool-linux-amd64.tar.gz", "size": 50_000_000, |
| 1826 | + "url": "https://api/tar"}, |
| 1827 | + {"name": "tool.sbom.json", "size": 340_000, |
| 1828 | + "url": "https://api/sbom"}, |
| 1829 | + ], |
| 1830 | + } |
| 1831 | + |
| 1832 | + captured_url = {} |
| 1833 | + |
| 1834 | + def fake_get(url, headers=None, timeout=None): |
| 1835 | + captured_url["url"] = url |
| 1836 | + resp = mock.Mock() |
| 1837 | + resp.ok = True |
| 1838 | + resp.content = b"sbom-bytes" |
| 1839 | + return resp |
| 1840 | + |
| 1841 | + with mock.patch( |
| 1842 | + "verify_action_build.security.requests.get", |
| 1843 | + side_effect=fake_get, |
| 1844 | + ): |
| 1845 | + name, content = _fetch_release_asset_bytes( |
| 1846 | + "org", "repo", release, (".sbom.json", ".tar.gz"), |
| 1847 | + ) |
| 1848 | + assert name == "tool.sbom.json" |
| 1849 | + assert content == b"sbom-bytes" |
| 1850 | + assert captured_url["url"] == "https://api/sbom" |
| 1851 | + |
| 1852 | + def test_falls_back_to_smallest_when_no_preference_matches(self): |
| 1853 | + # No asset matches the preference list — picks smallest by size. |
| 1854 | + release = { |
| 1855 | + "assets": [ |
| 1856 | + {"name": "big.bin", "size": 100_000_000, "url": "https://api/big"}, |
| 1857 | + {"name": "small.bin", "size": 1_000, "url": "https://api/small"}, |
| 1858 | + {"name": "medium.bin", "size": 10_000, "url": "https://api/medium"}, |
| 1859 | + ], |
| 1860 | + } |
| 1861 | + |
| 1862 | + captured_url = {} |
| 1863 | + |
| 1864 | + def fake_get(url, headers=None, timeout=None): |
| 1865 | + captured_url["url"] = url |
| 1866 | + resp = mock.Mock() |
| 1867 | + resp.ok = True |
| 1868 | + resp.content = b"x" |
| 1869 | + return resp |
| 1870 | + |
| 1871 | + with mock.patch( |
| 1872 | + "verify_action_build.security.requests.get", |
| 1873 | + side_effect=fake_get, |
| 1874 | + ): |
| 1875 | + name, content = _fetch_release_asset_bytes( |
| 1876 | + "org", "repo", release, (".sbom.json",), |
| 1877 | + ) |
| 1878 | + assert name == "small.bin" |
| 1879 | + assert captured_url["url"] == "https://api/small" |
| 1880 | + |
| 1881 | + def test_empty_assets_returns_none(self): |
| 1882 | + name, content = _fetch_release_asset_bytes( |
| 1883 | + "org", "repo", {"assets": []}, (".sbom.json",), |
| 1884 | + ) |
| 1885 | + assert name is None |
| 1886 | + assert content is None |
| 1887 | + |
| 1888 | + |
| 1889 | +class TestAnalyzeBinaryDownloadsTrustedDownloadEscapeHatch: |
| 1890 | + """The branch inside analyze_binary_downloads that reclassifies |
| 1891 | + unverified-download failures as warnings when the action has a |
| 1892 | + TRUSTED_DOWNLOAD_PROVENANCE entry AND the runtime provenance check |
| 1893 | + passes.""" |
| 1894 | + |
| 1895 | + _CONFIG = { |
| 1896 | + "testorg/testaction": { |
| 1897 | + "release_repo": "testorg/testtool", |
| 1898 | + "rationale": "linked upstream confirmation", |
| 1899 | + }, |
| 1900 | + } |
| 1901 | + |
| 1902 | + # Action.yml with one unverified runtime download — generates a |
| 1903 | + # failure under the normal rules; the escape hatch decides whether |
| 1904 | + # that failure stands or is reclassified. |
| 1905 | + _ACTION_YML = """\ |
| 1906 | +name: Test |
| 1907 | +runs: |
| 1908 | + using: composite |
| 1909 | + steps: |
| 1910 | + - name: Download tool |
| 1911 | + shell: bash |
| 1912 | + run: | |
| 1913 | + curl -fsSLO https://example.com/tool.tar.gz |
| 1914 | + tar xf tool.tar.gz |
| 1915 | +""" |
| 1916 | + |
| 1917 | + def test_passing_provenance_reclassifies_failures_to_warnings(self): |
| 1918 | + with mock.patch.dict( |
| 1919 | + "verify_action_build.security.TRUSTED_DOWNLOAD_PROVENANCE", |
| 1920 | + self._CONFIG, clear=True, |
| 1921 | + ): |
| 1922 | + with mock.patch( |
| 1923 | + "verify_action_build.security.fetch_action_yml", |
| 1924 | + return_value=self._ACTION_YML, |
| 1925 | + ): |
| 1926 | + with mock.patch( |
| 1927 | + "verify_action_build.security.fetch_file_from_github", |
| 1928 | + return_value=None, |
| 1929 | + ): |
| 1930 | + with mock.patch( |
| 1931 | + "verify_action_build.security.verify_trusted_download_provenance", |
| 1932 | + return_value=(True, "testorg/testtool@v1 verified"), |
| 1933 | + ): |
| 1934 | + warnings, failures = analyze_binary_downloads( |
| 1935 | + "testorg", "testaction", "a" * 40, |
| 1936 | + ) |
| 1937 | + assert failures == [] |
| 1938 | + assert any("trusted via GitHub release provenance" in w for w in warnings) |
| 1939 | + |
| 1940 | + def test_failing_provenance_preserves_failures(self): |
| 1941 | + with mock.patch.dict( |
| 1942 | + "verify_action_build.security.TRUSTED_DOWNLOAD_PROVENANCE", |
| 1943 | + self._CONFIG, clear=True, |
| 1944 | + ): |
| 1945 | + with mock.patch( |
| 1946 | + "verify_action_build.security.fetch_action_yml", |
| 1947 | + return_value=self._ACTION_YML, |
| 1948 | + ): |
| 1949 | + with mock.patch( |
| 1950 | + "verify_action_build.security.fetch_file_from_github", |
| 1951 | + return_value=None, |
| 1952 | + ): |
| 1953 | + with mock.patch( |
| 1954 | + "verify_action_build.security.verify_trusted_download_provenance", |
| 1955 | + return_value=(False, "release not immutable"), |
| 1956 | + ): |
| 1957 | + warnings, failures = analyze_binary_downloads( |
| 1958 | + "testorg", "testaction", "a" * 40, |
| 1959 | + ) |
| 1960 | + assert len(failures) >= 1 |
| 1961 | + assert any("tool.tar.gz" in f for f in failures) |
| 1962 | + |
| 1963 | + def test_no_config_entry_leaves_failures_alone(self): |
| 1964 | + # Action not in TRUSTED_DOWNLOAD_PROVENANCE: the escape hatch |
| 1965 | + # branch is skipped entirely and verify_trusted_download_provenance |
| 1966 | + # is never even consulted. |
| 1967 | + with mock.patch.dict( |
| 1968 | + "verify_action_build.security.TRUSTED_DOWNLOAD_PROVENANCE", |
| 1969 | + {}, clear=True, |
| 1970 | + ): |
| 1971 | + with mock.patch( |
| 1972 | + "verify_action_build.security.fetch_action_yml", |
| 1973 | + return_value=self._ACTION_YML, |
| 1974 | + ): |
| 1975 | + with mock.patch( |
| 1976 | + "verify_action_build.security.fetch_file_from_github", |
| 1977 | + return_value=None, |
| 1978 | + ): |
| 1979 | + with mock.patch( |
| 1980 | + "verify_action_build.security.verify_trusted_download_provenance", |
| 1981 | + ) as verify_mock: |
| 1982 | + warnings, failures = analyze_binary_downloads( |
| 1983 | + "other", "action", "a" * 40, |
| 1984 | + ) |
| 1985 | + assert len(failures) >= 1 |
| 1986 | + verify_mock.assert_not_called() |
| 1987 | + |
| 1988 | + |
1671 | 1989 | class _Patches: |
1672 | 1990 | """Tiny context manager that enters/exits a sequence of mock.patch |
1673 | 1991 | objects together — used by TestAnalyzeInTreeBinaries to keep the |
|
0 commit comments