Fix tag VSAs (#172)

* Fix tag VSAs

They weren't including the verifiedLevels from the other VSAs.

Also documenting how this works and updating the slsa-source-poc policy.

Signed-off-by: Tom Hennen <tomhennen@google.com>

* write verified levels when checking tag

Signed-off-by: Tom Hennen <tomhennen@google.com>

---------

Signed-off-by: Tom Hennen <tomhennen@google.com>

Author: TomHennen

DESIGN.md

@@ -217,14 +217,8 @@ then we need to ensure the _repository_ adheres to tag hygiene requirements.
 
 #### Tag Updates
 
-TODO: Update the policy to either require tag_hygiene be set explicitly or
-make it implicit if the policy is Level 3+.
-
-TODO: We should probably figure out if we want to issue tag prov or VSAs
-if Tag Hygiene isn't enabled.
-
 This control also gets evaluated when tags are updated.  When a tag is
-updated, if policy sets 'tag_hygiene', the tool will require the control
+updated, if the policy sets 'tag_hygiene', the tool will require the control
 is enabled.  If so, it will create [Tag Provenance](#tag-provenance) for
 the tag and it will _copy_ the `verifiedLevels` from VSAs previously
 issued for the commit being tagged into a new VSA that includes this
@@ -365,10 +359,24 @@ This amounts to public declaration of SLSA adoption and allows backsliding to be
         }
       ]
     }
-  ]
+  ],
+  "protected_tag": {
+    "tag_hygiene": true,
+    "Since": "2025-02-25T17:27:49.445Z"
+  }
 }
 ```
 
+### Protecting Tags
+
+By default this tool will only issue VSAs for tags at SLSA_SOURCE_LEVEL_1 _unless_
+there is an explicit `protected_tag` setting in the policy.  This serves as a
+declaration by the org that all tags are protected.
+
+The tool does not yet support protecting only some tags. Adding support is
+tracked in
+[this issue](https://github.com/slsa-framework/slsa-source-poc/issues/129).
+
 ### Org Specified Properties
 
 Policies also allow users to specify that the GitHub repo must have a rule requiring

policy/github.com/slsa-framework/slsa-source-poc/source-policy.json

@@ -13,5 +13,9 @@
         }
       ]
     }
-  ]
+  ],
+  "protected_tag": {
+    "tag_hygiene": true,
+    "Since": "2025-02-25T17:27:49.445Z"
+  }
 }

sourcetool/cmd/checktag.go

@@ -5,6 +5,7 @@ package cmd
 
 import (
 	"context"
+	"fmt"
 	"log"
 	"os"
 
@@ -94,6 +95,7 @@ func doCheckTag(args CheckTagArgs) {
 		log.Printf("unsigned prov: %s\n", unsignedProv)
 		log.Printf("unsigned vsa: %s\n", unsignedVsa)
 	}
+	fmt.Print(verifiedLevels)
 }
 
 func init() {

sourcetool/pkg/policy/policy.go

@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 	"time"
 
@@ -409,11 +410,38 @@ func evaluateTagProv(tagPolicy *ProtectedTag, tagProvPred *attest.TagProvenanceP
 	if err != nil {
 		return slsa_types.SourceVerifiedLevels{}, fmt.Errorf("error computing tag immutability enforced: %w", err)
 	}
-	if len(computedControls) == 0 {
+	if len(computedControls) == 0 || tagPolicy == nil {
 		// If tag hygiene isn't enabled then we just return level 1.
 		return slsa_types.SourceVerifiedLevels{slsa_types.ControlName(slsa_types.SlsaSourceLevel1)}, nil
 	}
-	return computedControls, nil
+
+	// We have multiple summaries with their own verifiedLevels.
+	// There are probably duplicates. We need to return a single list.
+	// We also need to remove duplicate SLSA Source Levels since we can
+	// only include one. We'll include the highest.
+	// There's probably a faster way to do this, or a library that could
+	// be used, I don't think it would be very readable.
+	verifiedLevels := slsa_types.SourceVerifiedLevels{}
+	highestSlsaLevel := slsa_types.SlsaSourceLevel1
+	for _, summary := range tagProvPred.VsaSummaries {
+		for _, level := range summary.VerifiedLevels {
+			verifiedLevels = append(verifiedLevels, level)
+			if slsa_types.IsSlsaSourceLevel(level) &&
+				slsa_types.IsLevelHigherOrEqualTo(slsa_types.SlsaSourceLevel(level), highestSlsaLevel) {
+				highestSlsaLevel = slsa_types.SlsaSourceLevel(level)
+			}
+		}
+	}
+	// Sort (to keep order deterministic) and compact to remove dup
+	slices.Sort(verifiedLevels)
+	verifiedLevels = slices.Compact(verifiedLevels)
+
+	// Now delete anything that is a SLSA source level but isn't the highest one.
+	verifiedLevels = slices.DeleteFunc(verifiedLevels, func(level slsa_types.ControlName) bool {
+		return slsa_types.IsSlsaSourceLevel(level) && level != slsa_types.ControlName(highestSlsaLevel)
+	})
+
+	return verifiedLevels, nil
 }
 
 type PolicyEvaluator struct {

sourcetool/pkg/policy/policy_test.go

@@ -299,6 +299,113 @@ func TestEvaluateSourceProv_Failure(t *testing.T) {
 	}
 }
 
+func createVsaSummary(ref string, verifiedLevels []slsa_types.ControlName) attest.VsaSummary {
+	return attest.VsaSummary{
+		SourceRefs:     []string{ref},
+		VerifiedLevels: verifiedLevels,
+	}
+}
+
+func TestEvaluateTagProv_Success(t *testing.T) {
+	// Controls for mock provenance
+	tagHygieneEarlier := slsa_types.Control{Name: slsa_types.TagHygiene, Since: earlierFixedTime}
+	origL2ReviewedSummary := createVsaSummary("refs/heads/orig", []slsa_types.ControlName{
+		slsa_types.ControlName(slsa_types.SlsaSourceLevel2), slsa_types.ReviewEnforced})
+	mainL3Summary := createVsaSummary("refs/heads/main", []slsa_types.ControlName{
+		slsa_types.ControlName(slsa_types.SlsaSourceLevel3)})
+
+	tests := []struct {
+		name               string
+		protectedTagPolicy *ProtectedTag
+		vsaSummaries       []attest.VsaSummary
+		expectedLevels     slsa_types.SourceVerifiedLevels
+	}{
+		{
+			name: "Policy has protected_tag setting, and enabled",
+			protectedTagPolicy: &ProtectedTag{
+				Since:      fixedTime,
+				TagHygiene: true,
+			},
+			vsaSummaries:   []attest.VsaSummary{origL2ReviewedSummary},
+			expectedLevels: slsa_types.SourceVerifiedLevels{slsa_types.ReviewEnforced, slsa_types.ControlName(slsa_types.SlsaSourceLevel2)},
+		},
+		{
+			name: "Policy has protected_tag setting, and multiple summaries",
+			protectedTagPolicy: &ProtectedTag{
+				Since:      fixedTime,
+				TagHygiene: true,
+			},
+			vsaSummaries: []attest.VsaSummary{origL2ReviewedSummary, mainL3Summary},
+			// The spec says we MUST NOT return multiple levels per track in a VSA...
+			expectedLevels: slsa_types.SourceVerifiedLevels{
+				slsa_types.ReviewEnforced, slsa_types.ControlName(slsa_types.SlsaSourceLevel3)},
+		},
+		{
+			name: "Policy has protected_tag setting, and it's not enabled",
+			protectedTagPolicy: &ProtectedTag{
+				Since:      fixedTime,
+				TagHygiene: false,
+			},
+			vsaSummaries:   []attest.VsaSummary{origL2ReviewedSummary},
+			expectedLevels: slsa_types.SourceVerifiedLevels{slsa_types.ControlName(slsa_types.SlsaSourceLevel1)},
+		},
+		{
+			name: "Policy has protected_tag setting, and it's earlier than the control",
+			protectedTagPolicy: &ProtectedTag{
+				Since:      earlierFixedTime,
+				TagHygiene: false,
+			},
+			vsaSummaries:   []attest.VsaSummary{origL2ReviewedSummary},
+			expectedLevels: slsa_types.SourceVerifiedLevels{slsa_types.ControlName(slsa_types.SlsaSourceLevel1)},
+		},
+		{
+			name:               "Policy has no protected_tag setting",
+			protectedTagPolicy: nil,
+			vsaSummaries:       []attest.VsaSummary{origL2ReviewedSummary},
+			expectedLevels:     slsa_types.SourceVerifiedLevels{slsa_types.ControlName(slsa_types.SlsaSourceLevel1)},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Valid Provenance Predicate (attest.SourceProvenancePred)
+			tagProvPred := attest.TagProvenancePred{
+				Controls:     slsa_types.Controls{tagHygieneEarlier},
+				VsaSummaries: tt.vsaSummaries,
+			}
+
+			provenanceStatement := createStatementForTest(t, tagProvPred, attest.TagProvPredicateType)
+
+			pb := ProtectedBranch{
+				Name:                  "main",
+				TargetSlsaSourceLevel: slsa_types.SlsaSourceLevel2,
+				RequireReview:         true,
+				Since:                 fixedTime,
+			}
+			rp := createTestPolicy(pb)
+			rp.ProtectedTag = tt.protectedTagPolicy
+
+			expectedPolicyFilePath := createTempPolicyFile(t, rp)
+			defer os.Remove(expectedPolicyFilePath)
+			pe := &PolicyEvaluator{UseLocalPolicy: expectedPolicyFilePath}
+
+			ghConn := newTestGhBranchConnection("local", "local", "main")
+
+			verifiedLevels, policyPath, err := pe.EvaluateTagProv(context.Background(), ghConn, provenanceStatement)
+
+			if err != nil {
+				t.Errorf("EvaluateTagProv() error = %v, want nil", err)
+			}
+			if policyPath != expectedPolicyFilePath {
+				t.Errorf("EvaluateTagProv() policyPath = %q, want %q", policyPath, expectedPolicyFilePath)
+			}
+			if !slices.Equal(verifiedLevels, tt.expectedLevels) {
+				t.Errorf("EvaluateTagProv() verifiedLevels = %v, want %v", verifiedLevels, tt.expectedLevels)
+			}
+		})
+	}
+}
+
 func TestEvaluateControl_Success(t *testing.T) {
 	// Controls
 	continuityEnforcedEarlier := slsa_types.Control{Name: slsa_types.ContinuityEnforced, Since: earlierFixedTime}
@@ -555,7 +662,7 @@ func assertProtectedBranchEquals(t *testing.T, got *ProtectedBranch, expected Pr
 		if ignoreSince && actual.Since != (time.Time{}) { // Add note only if Since was ignored AND original got.Since was not zero
 			errorMessage.WriteString(fmt.Sprintf("\n(Note: 'Since' field was ignored in comparison as requested. Original Expected.Since: %v, Original Got.Since: %v)", expected.Since, actual.Since))
 		}
-		t.Errorf(errorMessage.String())
+		t.Error(errorMessage.String())
 	}
 }
 

sourcetool/pkg/slsa_types/slsa_types.go

@@ -1,6 +1,7 @@
 package slsa_types
 
 import (
+	"slices"
 	"time"
 )
 
@@ -21,6 +22,16 @@ const (
 	AllowedOrgPropPrefix                     = "ORG_SOURCE_"
 )
 
+func IsSlsaSourceLevel(control ControlName) bool {
+	return slices.Contains(
+		[]ControlName{
+			ControlName(SlsaSourceLevel1),
+			ControlName(SlsaSourceLevel2),
+			ControlName(SlsaSourceLevel3),
+			ControlName(SlsaSourceLevel4)},
+		control)
+}
+
 func IsLevelHigherOrEqualTo(level1, level2 SlsaSourceLevel) bool {
 	// There's probably some fancy stuff we can get in to, but...
 	// it just so happens that these level strings should sort the way we want.