feat: add rego policy support
Signed-off-by: hectorj2f <hectorf@vmware.com>
hectorj2f committed Apr 29, 2022
1 parent 4f02c2d commit 86228ea
Showing 2 changed files with 38 additions and 8 deletions.
12 changes: 6 additions & 6 deletions pkg/policy/eval.go
Expand Up @@ -20,6 +20,7 @@ import (
"fmt"

"cuelang.org/go/cue/cuecontext"
"github.com/sigstore/cosign/pkg/cosign/rego"

"knative.dev/pkg/logging"
)
Expand All @@ -42,7 +43,7 @@ func EvaluatePolicyAgainstJSON(ctx context.Context, name, policyType string, pol
case "rego":
regoValidationErr := evaluateRego(ctx, jsonBytes, policyBody)
if regoValidationErr != nil {
return fmt.Errorf("failed evaluating rego policy for type %s", name)
return fmt.Errorf("failed evaluating rego policy for type %s: %w", name, regoValidationErr.Error())
}
default:
return fmt.Errorf("sorry Type %s is not supported yet", policyType)
Expand Down Expand Up @@ -73,9 +74,8 @@ func evaluateCue(ctx context.Context, attestation []byte, evaluator string) erro

// evaluateRego evaluates a rego policy `evaluator` against `attestation`
func evaluateRego(ctx context.Context, attestation []byte, evaluator string) error {
// TODO(vaikas) Fix this
// The existing stuff wants files, and it doesn't work. There must be
// a way to load it from a []byte like we can do with cue. Tomorrows problem
// regoValidationErrs := rego.ValidateJSON(payload, regoPolicies)
return fmt.Errorf("TODO(vaikas): Don't know how to this from bytes yet")
logging.FromContext(ctx).Infof("Evaluating attestation: %s", string(attestation))
logging.FromContext(ctx).Infof("Evaluating evaluator: %s", evaluator)

return rego.ValidateJSONWithModuleInput(attestation, evaluator)
}
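Review bot: The wrap added in the second hunk, `return fmt.Errorf("failed evaluating rego policy for type %s: %w", name, regoValidationErr.Error())`, hands a string to `%w`; `%w` only accepts an error operand, so `go vet` flags the line and at runtime fmt renders the argument as `%!w(string=…)`, which also leaves nothing for `errors.Is`/`errors.As` to unwrap and, if the test compares by substring, would not match the `wantErrSub` added in eval_test.go. Pass the error value itself: `return fmt.Errorf("failed evaluating rego policy for type %s: %w", name, regoValidationErr)`. EvaluatePolicyAgainstJSON begins and ends outside that hunk. In the third hunk, evaluateRego now logs the entire attestation and the whole policy body at Info on every call; that is a large, unbounded amount of output per evaluation, so `Debugf` looks like the better level unless the verbosity is deliberate.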
34 changes: 32 additions & 2 deletions pkg/policy/eval_test.go
Expand Up @@ -167,8 +167,38 @@ func TestEvalPolicy(t *testing.T) {
keylesssignature: {
signatures: list.MaxItems(1) & list.MinItems(1)
}
}`,
}}
}`}, {
name: "Rego cluster image policy main policy, checks out",
json: cipAttestation,
policyType: "rego",
policyFile: `package sigstore
default isCompliant = false
isCompliant {
attestationsKeylessATT := input.authorityMatches.keylessatt.attestations
count(attestationsKeylessATT) == 1
attestationsKeyATT := input.authorityMatches.keyatt.attestations
count(attestationsKeyATT) == 1
keySignature := input.authorityMatches.keysignature.signatures
count(keySignature) == 1
}`,
},
{
name: "Rego cluster image policy main policy, fails",
json: cipAttestation,
policyType: "rego",
wantErr: true,
wantErrSub: `failed evaluating rego policy for type Rego cluster image policy main policy, fails: policy is not compliant for query 'isCompliant = data.sigstore.isCompliant'`,
policyFile: `package sigstore
default isCompliant = false
isCompliant {
attestationsKeylessATT := input.authorityMatches.keylessatt.attestations
count(attestationsKeylessATT) == 2
attestationsKeyATT := input.authorityMatches.keyatt.attestations
count(attestationsKeyATT) == 1
keySignature := input.authorityMatches.keysignature.signatures
count(keySignature) == 1
}`,
}}
for _, tc := range tests {
ctx := context.Background()
err := EvaluatePolicyAgainstJSON(ctx, tc.name, tc.policyType, tc.policyFile, []byte(tc.json))
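Review bot: The two new rego cases only exercise a module that compiles and then either satisfies or fails its query; nothing in this hunk covers a malformed policy, so it is not visible whether a parse error surfaces as its own error or is reported like a non-compliant policy. A third case with a module that cannot parse (for example, one with no `package` clause) and `wantErr: true` would pin that. The `wantErrSub` on the failing case also encodes the exact wrapper text built in eval.go, so the two files have to be kept in step. The loop that checks `wantErr`/`wantErrSub` continues outside the hunk, so the comparison method is assumed here.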
