@enactprotocol/trust 2.0.0

package/tests/sigstore/policy.test.ts

@@ -0,0 +1,260 @@
+/**
+ * Tests for Sigstore trust policy module
+ */
+
+import { describe, expect, it } from "bun:test";
+import { ENACT_AUDIT_TYPE, ENACT_TOOL_TYPE } from "../../src/sigstore/attestation";
+import {
+  DEFAULT_TRUST_POLICY,
+  PERMISSIVE_POLICY,
+  STRICT_POLICY,
+  createIdentityRule,
+  createTrustPolicy,
+  deserializeTrustPolicy,
+  evaluateTrustPolicy,
+  isTrusted,
+  serializeTrustPolicy,
+} from "../../src/sigstore/policy";
+
+describe("Trust Policy", () => {
+  describe("Default Policies", () => {
+    it("should have default policy requiring tool attestation", () => {
+      expect(DEFAULT_TRUST_POLICY.name).toBe("default");
+      expect(DEFAULT_TRUST_POLICY.requiredAttestations).toContain(ENACT_TOOL_TYPE);
+      expect(DEFAULT_TRUST_POLICY.allowUnsigned).toBe(false);
+      expect(DEFAULT_TRUST_POLICY.minimumSLSALevel).toBe(0);
+    });
+
+    it("should have permissive policy allowing unsigned", () => {
+      expect(PERMISSIVE_POLICY.name).toBe("permissive");
+      expect(PERMISSIVE_POLICY.allowUnsigned).toBe(true);
+      expect(PERMISSIVE_POLICY.requiredAttestations).toEqual([]);
+    });
+
+    it("should have strict policy requiring auditor", () => {
+      expect(STRICT_POLICY.name).toBe("strict");
+      expect(STRICT_POLICY.requiredAttestations).toContain(ENACT_TOOL_TYPE);
+      expect(STRICT_POLICY.requiredAttestations).toContain(ENACT_AUDIT_TYPE);
+      expect(STRICT_POLICY.minimumSLSALevel).toBe(2);
+      expect(STRICT_POLICY.allowUnsigned).toBe(false);
+    });
+  });
+
+  describe("createTrustPolicy", () => {
+    it("should create policy with defaults", () => {
+      const policy = createTrustPolicy({ name: "my-policy" });
+
+      expect(policy.name).toBe("my-policy");
+      expect(policy.version).toBe("1.0");
+      expect(policy.trustedPublishers).toEqual([]);
+      expect(policy.trustedAuditors).toEqual([]);
+      expect(policy.allowUnsigned).toBe(false);
+    });
+
+    it("should override default values", () => {
+      const policy = createTrustPolicy({
+        name: "custom-policy",
+        allowUnsigned: true,
+        minimumSLSALevel: 2,
+        trustedPublishers: [{ name: "Test Publisher", type: "email", pattern: "*@example.com" }],
+      });
+
+      expect(policy.name).toBe("custom-policy");
+      expect(policy.allowUnsigned).toBe(true);
+      expect(policy.minimumSLSALevel).toBe(2);
+      expect(policy.trustedPublishers).toHaveLength(1);
+    });
+
+    it("should allow custom version", () => {
+      const policy = createTrustPolicy({
+        name: "versioned-policy",
+        version: "2.0",
+      });
+
+      expect(policy.version).toBe("2.0");
+    });
+  });
+
+  describe("createIdentityRule", () => {
+    it("should create email identity rule", () => {
+      const rule = createIdentityRule("My Team", "email", "*@myorg.com");
+
+      expect(rule.name).toBe("My Team");
+      expect(rule.type).toBe("email");
+      expect(rule.pattern).toBe("*@myorg.com");
+    });
+
+    it("should create GitHub workflow rule", () => {
+      const rule = createIdentityRule("GitHub CI", "github-workflow", "myorg/*", {
+        issuer: "https://token.actions.githubusercontent.com",
+      });
+
+      expect(rule.type).toBe("github-workflow");
+      expect(rule.pattern).toBe("myorg/*");
+      expect(rule.issuer).toBe("https://token.actions.githubusercontent.com");
+    });
+
+    it("should include required claims", () => {
+      const rule = createIdentityRule("Specific Workflow", "github-workflow", "myorg/repo", {
+        requiredClaims: {
+          ref: "refs/heads/main",
+          event_name: ["push", "workflow_dispatch"],
+        },
+      });
+
+      expect(rule.requiredClaims?.ref).toBe("refs/heads/main");
+      expect(rule.requiredClaims?.event_name).toEqual(["push", "workflow_dispatch"]);
+    });
+  });
+
+  describe("evaluateTrustPolicy", () => {
+    it("should trust empty bundles with permissive policy", async () => {
+      const result = await evaluateTrustPolicy([], PERMISSIVE_POLICY);
+
+      expect(result.trusted).toBe(true);
+      expect(result.trustLevel).toBe(0);
+      expect(result.details.warnings).toContain(
+        "No attestations found - trusting unsigned artifact"
+      );
+    });
+
+    it("should reject empty bundles with default policy", async () => {
+      const result = await evaluateTrustPolicy([], DEFAULT_TRUST_POLICY);
+
+      expect(result.trusted).toBe(false);
+      expect(result.trustLevel).toBe(0);
+      expect(result.details.violations).toContain(
+        "No attestations found and policy requires signed artifacts"
+      );
+    });
+  });
+
+  describe("isTrusted", () => {
+    it("should return boolean for quick check", async () => {
+      const result = await isTrusted([], PERMISSIVE_POLICY);
+      expect(result).toBe(true);
+    });
+
+    it("should use default policy when not specified", async () => {
+      const result = await isTrusted([]);
+      expect(result).toBe(false);
+    });
+  });
+
+  describe("serializeTrustPolicy", () => {
+    it("should serialize policy to JSON", () => {
+      const policy = createTrustPolicy({
+        name: "test-policy",
+        trustedPublishers: [{ name: "Publisher", type: "email", pattern: "*@example.com" }],
+      });
+
+      const json = serializeTrustPolicy(policy);
+      const parsed = JSON.parse(json);
+
+      expect(parsed.name).toBe("test-policy");
+      expect(parsed.trustedPublishers).toHaveLength(1);
+    });
+
+    it("should format JSON with indentation", () => {
+      const json = serializeTrustPolicy(DEFAULT_TRUST_POLICY);
+
+      expect(json).toContain("\n");
+      expect(json).toContain("  ");
+    });
+  });
+
+  describe("deserializeTrustPolicy", () => {
+    it("should deserialize valid JSON", () => {
+      const json = JSON.stringify({
+        name: "deserialized-policy",
+        version: "1.5",
+        trustedPublishers: [],
+        trustedAuditors: [],
+      });
+
+      const policy = deserializeTrustPolicy(json);
+
+      expect(policy.name).toBe("deserialized-policy");
+      expect(policy.version).toBe("1.5");
+    });
+
+    it("should apply defaults for missing fields", () => {
+      const json = JSON.stringify({
+        name: "minimal-policy",
+        trustedPublishers: [],
+        trustedAuditors: [],
+      });
+
+      const policy = deserializeTrustPolicy(json);
+
+      expect(policy.allowUnsigned).toBe(false);
+      expect(policy.cacheResults).toBe(true);
+    });
+
+    it("should throw on missing name", () => {
+      const json = JSON.stringify({
+        trustedPublishers: [],
+        trustedAuditors: [],
+      });
+
+      expect(() => deserializeTrustPolicy(json)).toThrow("missing or invalid name");
+    });
+
+    it("should throw on missing trustedPublishers", () => {
+      const json = JSON.stringify({
+        name: "bad-policy",
+        trustedAuditors: [],
+      });
+
+      expect(() => deserializeTrustPolicy(json)).toThrow("trustedPublishers must be an array");
+    });
+
+    it("should throw on missing trustedAuditors", () => {
+      const json = JSON.stringify({
+        name: "bad-policy",
+        trustedPublishers: [],
+      });
+
+      expect(() => deserializeTrustPolicy(json)).toThrow("trustedAuditors must be an array");
+    });
+
+    it("should roundtrip serialize/deserialize", () => {
+      const original = createTrustPolicy({
+        name: "roundtrip-policy",
+        version: "2.0",
+        minimumSLSALevel: 2,
+        trustedPublishers: [{ name: "Publisher", type: "email", pattern: "*@example.com" }],
+        trustedAuditors: [{ name: "Auditor", type: "github-workflow", pattern: "auditor-org/*" }],
+      });
+
+      const json = serializeTrustPolicy(original);
+      const restored = deserializeTrustPolicy(json);
+
+      expect(restored.name).toBe(original.name);
+      expect(restored.version).toBe(original.version);
+      expect(restored.minimumSLSALevel).toBe(original.minimumSLSALevel);
+      expect(restored.trustedPublishers).toEqual(original.trustedPublishers);
+      expect(restored.trustedAuditors).toEqual(original.trustedAuditors);
+    });
+  });
+
+  describe("Pattern Matching", () => {
+    // These tests verify the internal pattern matching behavior through policy evaluation
+    // We test by creating policies with specific patterns and checking if they would match
+
+    it("should support wildcard patterns", () => {
+      const rule = createIdentityRule("Wildcard", "email", "*@example.com");
+      expect(rule.pattern).toBe("*@example.com");
+    });
+
+    it("should support single character wildcard", () => {
+      const rule = createIdentityRule("Single Char", "email", "user?@example.com");
+      expect(rule.pattern).toBe("user?@example.com");
+    });
+
+    it("should support exact match", () => {
+      const rule = createIdentityRule("Exact", "email", "specific@example.com");
+      expect(rule.pattern).toBe("specific@example.com");
+    });
+  });
+});

package/tests/sigstore/signing.test.ts

@@ -0,0 +1,220 @@
+/**
+ * Tests for Sigstore signing module
+ */
+
+import { describe, expect, it } from "bun:test";
+import {
+  FULCIO_PUBLIC_URL,
+  OIDC_ISSUERS,
+  REKOR_PUBLIC_URL,
+  TSA_PUBLIC_URL,
+  detectOIDCProvider,
+  extractCertificateFromBundle,
+  extractIdentityFromBundle,
+  extractOIDCIdentity,
+  getOIDCTokenFromEnvironment,
+} from "../../src/sigstore/signing";
+import type { SigstoreBundle } from "../../src/sigstore/types";
+
+// Helper to create test bundles - using unknown to bypass complex sigstore types
+function createTestBundle(overrides: Record<string, unknown> = {}): SigstoreBundle {
+  return {
+    mediaType: "application/vnd.dev.sigstore.bundle.v0.3+json",
+    verificationMaterial: {
+      tlogEntries: [],
+      timestampVerificationData: undefined,
+    },
+    ...overrides,
+  } as unknown as SigstoreBundle;
+}
+
+describe("Sigstore Signing", () => {
+  describe("Constants", () => {
+    it("should export correct Fulcio URL", () => {
+      expect(FULCIO_PUBLIC_URL).toBe("https://fulcio.sigstore.dev");
+    });
+
+    it("should export correct Rekor URL", () => {
+      expect(REKOR_PUBLIC_URL).toBe("https://rekor.sigstore.dev");
+    });
+
+    it("should export correct TSA URL", () => {
+      expect(TSA_PUBLIC_URL).toBe("https://timestamp.sigstore.dev");
+    });
+
+    it("should export OIDC issuer URLs for all providers", () => {
+      expect(OIDC_ISSUERS.github).toBe("https://token.actions.githubusercontent.com");
+      expect(OIDC_ISSUERS.google).toBe("https://accounts.google.com");
+      expect(OIDC_ISSUERS.microsoft).toBe("https://login.microsoftonline.com");
+      expect(OIDC_ISSUERS.gitlab).toBe("https://gitlab.com");
+      expect(OIDC_ISSUERS.custom).toBe("");
+    });
+  });
+
+  describe("detectOIDCProvider", () => {
+    it("should detect GitHub provider", () => {
+      expect(detectOIDCProvider("https://token.actions.githubusercontent.com")).toBe("github");
+    });
+
+    it("should detect Google provider", () => {
+      expect(detectOIDCProvider("https://accounts.google.com")).toBe("google");
+    });
+
+    it("should detect Microsoft provider", () => {
+      expect(detectOIDCProvider("https://login.microsoftonline.com/tenant")).toBe("microsoft");
+    });
+
+    it("should detect GitLab provider", () => {
+      expect(detectOIDCProvider("https://gitlab.com")).toBe("gitlab");
+    });
+
+    it("should return custom for unknown issuers", () => {
+      expect(detectOIDCProvider("https://unknown-issuer.com")).toBe("custom");
+    });
+  });
+
+  describe("extractOIDCIdentity", () => {
+    // Create a valid JWT token for testing
+    function createTestJWT(claims: Record<string, unknown>): string {
+      const header = { alg: "RS256", typ: "JWT" };
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
+      const payloadB64 = Buffer.from(JSON.stringify(claims)).toString("base64url");
+      const signature = "fake-signature";
+      return `${headerB64}.${payloadB64}.${signature}`;
+    }
+
+    it("should extract identity from GitHub OIDC token", () => {
+      const token = createTestJWT({
+        iss: "https://token.actions.githubusercontent.com",
+        sub: "repo:owner/repo:ref:refs/heads/main",
+        email: "test@example.com",
+        repository: "owner/repo",
+        ref: "refs/heads/main",
+        event_name: "push",
+      });
+
+      const identity = extractOIDCIdentity(token);
+
+      expect(identity.provider).toBe("github");
+      expect(identity.issuer).toBe("https://token.actions.githubusercontent.com");
+      expect(identity.email).toBe("test@example.com");
+      expect(identity.workflowRepository).toBe("owner/repo");
+      expect(identity.workflowRef).toBe("refs/heads/main");
+      expect(identity.workflowTrigger).toBe("push");
+    });
+
+    it("should extract identity from Google OIDC token", () => {
+      const token = createTestJWT({
+        iss: "https://accounts.google.com",
+        sub: "123456789",
+        email: "user@gmail.com",
+      });
+
+      const identity = extractOIDCIdentity(token);
+
+      expect(identity.provider).toBe("google");
+      expect(identity.issuer).toBe("https://accounts.google.com");
+      expect(identity.subject).toBe("123456789");
+      expect(identity.email).toBe("user@gmail.com");
+    });
+
+    it("should throw on invalid JWT format", () => {
+      expect(() => extractOIDCIdentity("not-a-jwt")).toThrow("Invalid JWT format");
+    });
+
+    it("should throw on invalid JWT with only two parts", () => {
+      expect(() => extractOIDCIdentity("header.payload")).toThrow("Invalid JWT format");
+    });
+
+    it("should throw on invalid payload", () => {
+      const invalidToken = "aGVhZGVy.aW52YWxpZA==.c2lnbmF0dXJl";
+      expect(() => extractOIDCIdentity(invalidToken)).toThrow("Failed to decode JWT payload");
+    });
+  });
+
+  describe("getOIDCTokenFromEnvironment", () => {
+    it("should return undefined for github without env var", () => {
+      const originalEnv = process.env.ACTIONS_ID_TOKEN;
+      process.env.ACTIONS_ID_TOKEN = undefined;
+
+      const token = getOIDCTokenFromEnvironment("github");
+      expect(token).toBeUndefined();
+
+      if (originalEnv) process.env.ACTIONS_ID_TOKEN = originalEnv;
+    });
+
+    it("should return undefined for gitlab without env vars", () => {
+      const originalV2 = process.env.CI_JOB_JWT_V2;
+      const originalV1 = process.env.CI_JOB_JWT;
+      process.env.CI_JOB_JWT_V2 = undefined;
+      process.env.CI_JOB_JWT = undefined;
+
+      const token = getOIDCTokenFromEnvironment("gitlab");
+      expect(token).toBeUndefined();
+
+      if (originalV2) process.env.CI_JOB_JWT_V2 = originalV2;
+      if (originalV1) process.env.CI_JOB_JWT = originalV1;
+    });
+
+    it("should return undefined for custom provider", () => {
+      const token = getOIDCTokenFromEnvironment("custom");
+      expect(token).toBeUndefined();
+    });
+  });
+
+  describe("extractCertificateFromBundle", () => {
+    it("should return undefined for bundle without certificate", () => {
+      const bundle = createTestBundle();
+
+      const cert = extractCertificateFromBundle(bundle);
+      expect(cert).toBeUndefined();
+    });
+
+    it("should extract certificate from bundle with rawBytes", () => {
+      const rawBytes = Buffer.from("test-certificate-data").toString("base64");
+
+      const bundle = createTestBundle({
+        verificationMaterial: {
+          certificate: { rawBytes },
+          tlogEntries: [],
+          timestampVerificationData: undefined,
+        },
+      });
+
+      const cert = extractCertificateFromBundle(bundle);
+
+      expect(cert).toBeDefined();
+      expect(cert?.certificateChain).toHaveLength(1);
+      expect(cert?.certificateChain[0]).toContain("-----BEGIN CERTIFICATE-----");
+      expect(cert?.certificateChain[0]).toContain("-----END CERTIFICATE-----");
+      expect(cert?.issuer).toBe("sigstore");
+    });
+  });
+
+  describe("extractIdentityFromBundle", () => {
+    it("should return undefined for bundle without certificate", () => {
+      const bundle = createTestBundle();
+
+      const identity = extractIdentityFromBundle(bundle);
+      expect(identity).toBeUndefined();
+    });
+
+    it("should return identity from bundle with certificate", () => {
+      const rawBytes = Buffer.from("test-certificate-data").toString("base64");
+
+      const bundle = createTestBundle({
+        verificationMaterial: {
+          certificate: { rawBytes },
+          tlogEntries: [],
+          timestampVerificationData: undefined,
+        },
+      });
+
+      const identity = extractIdentityFromBundle(bundle);
+
+      // The simplified implementation returns a default identity
+      expect(identity).toBeDefined();
+      expect(identity?.provider).toBe("custom");
+    });
+  });
+});

package/tsconfig.json

@@ -0,0 +1,11 @@
+{
+  "extends": "../../tsconfig.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "composite": true,
+    "noEmit": false
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist", "tests"]
+}