slsa-framework · laurentsimon · Aug 16, 2023 · Aug 15, 2023 · Aug 15, 2023 · Aug 15, 2023
@@ -294,17 +294,39 @@ func isValidDelegatorBuilderID(prov iface.Provenance) error {
 	if err != nil {
 		return err
 	}
+
 	parts := strings.Split(id, "@")
 	if len(parts) != 2 {
 		return fmt.Errorf("%w: %s", serrors.ErrorInvalidBuilderID, id)
 	}
+	builderRef := parts[1]
 
 	// Exception for JReleaser builders.
 	// See https://github.com/slsa-framework/slsa-github-generator/issues/2035#issuecomment-1579963802.
 	if strings.HasPrefix(parts[0], JReleaserRepository) {
-		return utils.IsValidJreleaserBuilderTag(parts[1])
+		return utils.IsValidJreleaserBuilderTag(builderRef)
 	}
-	return utils.IsValidBuilderTag(parts[1], false)
+
+	sourceURI, err := prov.SourceURI()
+	if err != nil {
+		return err
+	}
+
+	uri, _, err := utils.ParseGitURIAndRef(sourceURI)
+	if err != nil {
+		return err
+	}
+	// Exception to enable e2e tests for BYOB builders referenced at main.
+	normalizedE2eRepoURI := utils.NormalizeGitURI(httpsGithubCom + e2eTestRepository)
+	normalizedURI := utils.NormalizeGitURI(uri)
+	if normalizedURI == normalizedE2eRepoURI && options.TestingEnabled() {
+		// Allow verification on the main branch to support e2e tests.
+		if builderRef == "refs/heads/main" {
+			return nil
+		}
+	}
+
+	return utils.IsValidBuilderTag(builderRef, false)
 }
 
 // builderID returns the trusted builder ID from the provenance.

@@ -403,45 +403,76 @@ func Test_verifySourceURI(t *testing.T) {
 }
 
 func Test_isValidDelegatorBuilderID(t *testing.T) {
-	t.Parallel()
 	tests := []struct {
-		name      string
-		builderID string
-		err       error
+		name           string
+		builderID      string
+		sourceURI      string
+		testingEnabled bool
+		err            error
 	}{
 		{
 			name:      "no @",
 			builderID: "some/builderID",
+			sourceURI: "git+" + httpsGithubCom + e2eTestRepository,
 			err:       serrors.ErrorInvalidBuilderID,
 		},
 		{
 			name:      "invalid ref",
 			builderID: "some/builderID@v1.2.3",
+			sourceURI: "git+" + httpsGithubCom + e2eTestRepository,
 			err:       serrors.ErrorInvalidRef,
 		},
 		{
 			name:      "invalid ref not tag",
 			builderID: "some/builderID@refs/head/v1.2.3",
+			sourceURI: "git+" + httpsGithubCom + e2eTestRepository,
 			err:       serrors.ErrorInvalidRef,
 		},
 		{
 			name:      "invalid ref not full semver",
 			builderID: "some/builderID@refs/heads/v1.2",
+			sourceURI: "git+" + httpsGithubCom + e2eTestRepository,
 			err:       serrors.ErrorInvalidRef,
 		},
 		{
 			name:      "valid builder",
+			sourceURI: "git+" + httpsGithubCom + e2eTestRepository,
 			builderID: "some/builderID@refs/tags/v1.2.3",
 		},
+		{
+			name:           "invalid builder ref not e2e repo with testing enabled",
+			sourceURI:      "git+" + httpsGithubCom + "some/repo",
+			builderID:      "some/builderID@refs/heads/main",
+			testingEnabled: true,
+			err:            serrors.ErrorInvalidRef,
+		},
+		{
+			name:           "invalid builder ref e2e repo with testing enabled",
+			sourceURI:      "git+" + httpsGithubCom + e2eTestRepository,
+			builderID:      "some/builderID@refs/heads/main",
+			testingEnabled: true,
+		},
+		{
+			name:      "invalid builder ref e2e repo",
+			sourceURI: "git+" + httpsGithubCom + e2eTestRepository,
+			builderID: "some/builderID@refs/heads/main",
+			err:       serrors.ErrorInvalidRef,
+		},
 	}
 
 	for _, tt := range tests {
 		tt := tt // Re-initializing variable so it is not changed while executing the closure below
 		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
-
 			prov := &testProvenance{
 				builderID: tt.builderID,
+				sourceURI: tt.sourceURI,
+			}
+
+			if tt.testingEnabled {
+				t.Setenv("SLSA_VERIFIER_TESTING", "1")
+			} else {
+				// Ensure that the variable is not set.
+				t.Setenv("SLSA_VERIFIER_TESTING", "")
 			}
 
 			err := isValidDelegatorBuilderID(prov)