feat: add rego policy support #1817

merged 2 commits into from Apr 29, 2022
12 changes: 6 additions & 6 deletions pkg/policy/eval.go
Expand Up @@ -20,6 +20,7 @@ import (
"fmt"

"cuelang.org/go/cue/cuecontext"
"github.com/sigstore/cosign/pkg/cosign/rego"

"knative.dev/pkg/logging"
)
Expand All @@ -42,7 +43,7 @@ func EvaluatePolicyAgainstJSON(ctx context.Context, name, policyType string, pol
case "rego":
regoValidationErr := evaluateRego(ctx, jsonBytes, policyBody)
if regoValidationErr != nil {
return fmt.Errorf("failed evaluating rego policy for type %s", name)
return fmt.Errorf("failed evaluating rego policy for type %s: %s", name, regoValidationErr.Error()) // nolint
}
default:
return fmt.Errorf("sorry Type %s is not supported yet", policyType)
Expand Down Expand Up @@ -73,9 +74,8 @@ func evaluateCue(ctx context.Context, attestation []byte, evaluator string) erro

// evaluateRego evaluates a rego policy `evaluator` against `attestation`
func evaluateRego(ctx context.Context, attestation []byte, evaluator string) error {
// TODO(vaikas) Fix this
// The existing stuff wants files, and it doesn't work. There must be
// a way to load it from a []byte like we can do with cue. Tomorrows problem
// regoValidationErrs := rego.ValidateJSON(payload, regoPolicies)
return fmt.Errorf("TODO(vaikas): Don't know how to this from bytes yet")
logging.FromContext(ctx).Infof("Evaluating attestation: %s", string(attestation))
logging.FromContext(ctx).Infof("Evaluating evaluator: %s", evaluator)

return rego.ValidateJSONWithModuleInput(attestation, evaluator)
}
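Review bot: The two Infof calls at the top of evaluateRego write the entire attestation payload and the full policy text to the log on every evaluation, which is noisy on a per-image verification path and pushes attestation contents (provenance and build metadata that may not belong in shared logs) out at the default level; they read as debugging aids and should be `logging.FromContext(ctx).Debugf("Evaluating attestation: %s", string(attestation))` and `logging.FromContext(ctx).Debugf("Evaluating evaluator: %s", evaluator)`. Separately, the `%s` plus `.Error()` formatting under `// nolint` in the EvaluatePolicyAgainstJSON hunk flattens the rego error into text, so callers lose `errors.Is`/`errors.As` on whatever rego.ValidateJSONWithModuleInput returns; `%w` keeps the chain, drops the need for the lint suppression, and the test on this page appears to substring-match the message so it would still pass. ctx is only used for the logger here — whether evaluation honours cancellation is decided inside rego.ValidateJSONWithModuleInput, which is not visible on this page.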
34 changes: 32 additions & 2 deletions pkg/policy/eval_test.go
Expand Up @@ -167,8 +167,38 @@ func TestEvalPolicy(t *testing.T) {
keylesssignature: {
signatures: list.MaxItems(1) & list.MinItems(1)
}
}`,
}}
}`}, {
name: "Rego cluster image policy main policy, checks out",
json: cipAttestation,
policyType: "rego",
policyFile: `package sigstore
default isCompliant = false
isCompliant {
attestationsKeylessATT := input.authorityMatches.keylessatt.attestations
count(attestationsKeylessATT) == 1
attestationsKeyATT := input.authorityMatches.keyatt.attestations
count(attestationsKeyATT) == 1
keySignature := input.authorityMatches.keysignature.signatures
count(keySignature) == 1
}`,
},
{
name: "Rego cluster image policy main policy, fails",
json: cipAttestation,
policyType: "rego",
wantErr: true,
wantErrSub: `failed evaluating rego policy for type Rego cluster image policy main policy, fails: policy is not compliant for query 'isCompliant = data.sigstore.isCompliant'`,
policyFile: `package sigstore
default isCompliant = false
isCompliant {
attestationsKeylessATT := input.authorityMatches.keylessatt.attestations
count(attestationsKeylessATT) == 2
attestationsKeyATT := input.authorityMatches.keyatt.attestations
count(attestationsKeyATT) == 1
keySignature := input.authorityMatches.keysignature.signatures
count(keySignature) == 1
}`,
}}
for _, tc := range tests {
ctx := context.Background()
err := EvaluatePolicyAgainstJSON(ctx, tc.name, tc.policyType, tc.policyFile, []byte(tc.json))
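Review bot: Both new rego cases define isCompliant inside `package sigstore`, so nothing pins fail-closed behaviour for a policy that never answers the query `isCompliant = data.sigstore.isCompliant` shown in the expected error string — a policy in a different package, or one that omits isCompliant, must be rejected rather than treated as a pass. How an undefined result is handled lives in rego.ValidateJSONWithModuleInput, which is not on this page, so the table is the right place to lock it in; a syntax-error policy case would likewise confirm that parse failures surface through the wrapped error instead of a silent pass. The table belongs to TestEvalPolicy, whose start is outside the hunk. Suggested entries:
```go
{
	name:       "Rego policy in wrong package fails closed",
	json:       cipAttestation,
	policyType: "rego",
	wantErr:    true,
	policyFile: `package notsigstore
default isCompliant = true
isCompliant {
	true
}`,
},
{
	name:       "Rego policy with syntax error fails",
	json:       cipAttestation,
	policyType: "rego",
	wantErr:    true,
	policyFile: `package sigstore
isCompliant {`,
},
// … unchanged: existing rego cases and the for-loop over tests …
```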