
cosigned: Unify cue data and policy before evaluating it #1793

Merged
merged 8 commits into sigstore:main from unify_cue_data_and_policy on Apr 26, 2022

Conversation

hectorj2f (Contributor)

Summary

This PR adds code to compile both the policy and attestations data, then unify both cue files and finally validate them. The recommendation is to avoid using cuejson.Validate which expects the cue to be self-contained and applied as a schema to the JSON.

Ticket Link

Fixes

Release Note


@hectorj2f hectorj2f self-assigned this Apr 23, 2022
codecov-commenter commented Apr 23, 2022

Codecov Report

Merging #1793 (7a87d68) into main (133ce88) will decrease coverage by 0.00%.
The diff coverage is 60.00%.

@@            Coverage Diff             @@
##             main    #1793      +/-   ##
==========================================
- Coverage   32.70%   32.70%   -0.01%     
==========================================
  Files         147      147              
  Lines        9300     9313      +13     
==========================================
+ Hits         3042     3046       +4     
- Misses       5903     5909       +6     
- Partials      355      358       +3     
Impacted Files             Coverage Δ
pkg/policy/eval.go         52.50% <60.00%> (+0.64%) ⬆️
pkg/cosign/tuf/client.go   61.68% <0.00%> (-0.82%) ⬇️

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 133ce88...7a87d68.

@hectorj2f hectorj2f force-pushed the unify_cue_data_and_policy branch 2 times, most recently from f80b402 to 7625488 Compare April 23, 2022 19:00

vaikas commented Apr 23, 2022

Can we try removing this and test if it now passes? 🤩
https://github.com/sigstore/cosign/blob/main/test/e2e_test_cluster_image_policy_with_attestations.sh#L213

@hectorj2f hectorj2f changed the title WIP: Unify cue data and policy before evaluating it cosigned: Unify cue data and policy before evaluating it Apr 23, 2022
@hectorj2f hectorj2f force-pushed the unify_cue_data_and_policy branch 4 times, most recently from e027cff to 7a87d68 Compare April 25, 2022 22:14
hectorj2f added 8 commits April 26, 2022 01:21
Signed-off-by: hectorj2f <hectorf@vmware.com>
@hectorj2f hectorj2f added the enhancement New feature or request label Apr 26, 2022
hectorj2f (Contributor, Author) commented:

@vaikas @dlorenc This PR is ready for a review.

@hectorj2f hectorj2f requested a review from cpanato April 26, 2022 10:12
cpanato (Member) left a comment


thank you

@hectorj2f hectorj2f merged commit db323cd into sigstore:main Apr 26, 2022
@hectorj2f hectorj2f deleted the unify_cue_data_and_policy branch April 26, 2022 14:26
@github-actions github-actions bot added this to the v1.8.0 milestone Apr 26, 2022
vaikas (Contributor) left a comment


Thank you so much for grinding through this!!!

pkg/policy/eval_test.go (review thread, resolved)
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
* chore: update cue policy evaluation

Signed-off-by: hectorj2f <hectorf@vmware.com>

* chore: change cue policy for the cip

Signed-off-by: hectorj2f <hectorf@vmware.com>

* chore: avoid using names with hyphens

Signed-off-by: hectorj2f <hectorf@vmware.com>

* test: add unit tests for the eval policy func

Signed-off-by: hectorj2f <hectorf@vmware.com>

* test: delete job before creating it

Signed-off-by: hectorj2f <hectorf@vmware.com>

* test: add statement to check the length of a struct

Signed-off-by: hectorj2f <hectorf@vmware.com>

* test: add more unit tests for eval policy

Signed-off-by: hectorj2f <hectorf@vmware.com>

* fix: wrong redirected file directory

Signed-off-by: hectorj2f <hectorf@vmware.com>