chore: change cue policy for the cip

Signed-off-by: hectorj2f <hectorf@vmware.com>
sigstore · Apr 23, 2022 · f80b402 · f80b402
1 parent 98c6c45
commit f80b402
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 42 deletions.
diff --git a/pkg/policy/eval.go b/pkg/policy/eval.go
@@ -56,15 +56,15 @@ func evaluateCue(ctx context.Context, attestation []byte, evaluator string) erro
 	cueCtx := cuecontext.New()
 	cueEvaluator := cueCtx.CompileString(evaluator)
 	if cueEvaluator.Err() != nil {
-		return fmt.Errorf("failed to compile the cue policy with error: %v", cueEvaluator.Err())
+		return fmt.Errorf("failed to compile the cue policy with error: %@", cueEvaluator.Err())
 	}
 	cueAtt := cueCtx.CompileBytes(attestation)
 	if cueAtt.Err() != nil {
-		return fmt.Errorf("failed to compile the attestation data with error: %v", cueAtt.Err())
+		return fmt.Errorf("failed to compile the attestation data with error: %@", cueAtt.Err())
 	}
 	result := cueEvaluator.Unify(cueAtt)
 	if err := result.Validate(); err != nil {
-		return fmt.Errorf("failed to evaluate the policy with error: %v", err)
+		return fmt.Errorf("failed to evaluate the policy with error: %@", err)
 	}
 	return nil
 }

diff --git a/test/testdata/cosigned/e2e/cip-requires-two-signatures-and-two-attestations.yaml b/test/testdata/cosigned/e2e/cip-requires-two-signatures-and-two-attestations.yaml
@@ -95,48 +95,21 @@ spec:
   policy:
     type: cue
     data: |
-      if len(authorityMatches."keyless-att".attestations) < 2 {
-        keylessAttestationsErr: "error"
-        keylessAttestationsErr: "Did not get both keyless attestations"
-      }
-      if len(authorityMatches."key-att".attestations) < 1 {
-        keyAttestationsErr: 1
-        keyAttestationsErr: "Did not get key attestation"
-      }
-      if len(authorityMatches."keyless-signature".signatures) < 1 {
-        keylessSignatureErr: 1
-        keylessSignatureErr: "Did not get keyless signature"
-      }
-      if len(authorityMatches."key-signature".signatures) < 1 {
-        keySignatureErr: 1
-        keySignatureErr: "Did not get key signature"
-      }
+      package sigstore
+      import "struct"
+      import "list"
+
       authorityMatches: {
         key-att: {
-          attestations: {
-            "vuln-key": [
-              {subject: "PLACEHOLDER", issuer: "PLACEHOLDER"},
-            ]
-          }
-        }
+          attestations: struct.MaxFields(1) & struct.MinFields(1)
+        },
+        key-signature: {
+          signatures: list.MaxItems(1) & list.MinItems(1)
+        },
         keyless-att: {
-          attestations: {
-            "vuln-keyless": [
-              {subject: "PLACEHOLDER", issuer: "PLACEHOLDER"},
-            ],
-            "custom-keyless": [
-              {subject: "PLACEHOLDER", issuer: "PLACEHOLDER"},
-            ],
-          }
-        }
+          attestations: struct.MinFields(2) & struct.MaxFields(2)
+        },
         keyless-signature: {
-          signatures: [
-            {subject: "PLACEHOLDER", issuer: "PLACEHOLDER"},
-          ]
-        }
-        key-signature: {
-          signatures: [
-            {subject: "PLACEHOLDER", issuer: "PLACEHOLDER"},
-          ]
+          signatures: list.MaxItems(1) & list.MinItems(1)
         }
       }