Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Try extracting attestations in rego #939

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
+47 −2
Draft

Try extracting attestations in rego #939

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 47 additions & 2 deletions policy/release/lib/attestations.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,14 +48,14 @@ pipelinerun_attestations := att if {
}

pipelinerun_slsa_provenance02 := [att |
some att in input.attestations
some att in _input_attestations
att.statement.predicate.buildType in pipelinerun_att_build_types
]

# TODO: Make this work with pipelinerun_attestations above so policy rules can be
# written for either.
pipelinerun_slsa_provenance_v1 := [att |
some att in input.attestations
some att in _input_attestations
att.statement.predicateType == "https://slsa.dev/provenance/v1"

att.statement.predicate.buildDefinition.buildType in slsav1_pipelinerun_att_build_types
Expand Down Expand Up @@ -134,3 +134,48 @@ task_succeeded(name) if {
task := task_in_pipelinerun(name)
task.status == "Succeeded"
}

_input_attestations := atts if {
# For ec validate image.
# We might not want this in the long term, but let's try to detect
# how we're being called. This is the "normal" situation when user
# runs `ec validate image` - the attestations were fetched already and
# are available in the input.
atts := input.attestations
} else := atts if {
# For ec validate input.
# This is the new experimental part - extract the attestations at
# evaluation time
_default_sigstore_opts := {
"certificate_identity": "",
"certificate_identity_regexp": "",
"certificate_oidc_issuer": "",
"certificate_oidc_issuer_regexp": "",
"ignore_rekor": false,
"public_key": "",
"rekor_url": "",
}

# See hack/builtin-experiments/demo.sh in the ec-cli repo
_sigstore_opts := object.union(_default_sigstore_opts, data.sigstore_opts)

# Coerce into string since I think that is required
_image_ref := sprintf("%s", [input.image.ref])

# Get the attestations
info := ec.sigstore.verify_attestation(_image_ref, _sigstore_opts)

# This doesn't work for some reason.
# Todo: Fix this and add more checks here probably.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that's the challenge with this approach. It's hard to propagate errors. You have to explicitly look for them.

#count(info.errors) == 0

atts := [a |
some att in info.attestations
a := {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm if conversion is needed, I probably messed up the output of ec.sigstore.verify_attestation.

"statement": att.statement,
# Fix me: I think the keys inside this are slightly different to
# what we're expecting, e.g. "signature" instead of "sig"
"signatures": att.signatures,
}
]
} else := []
Loading