
feat: load rego policies from OCI images #1478

Closed
wants to merge 1 commit into from

Conversation

developer-guy (Member) commented Feb 17, 2022

Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com
Co-authored-by: Furkan Türkal furkan.turkal@trendyol.com

Summary

You can test this with the following path:

Do not forget to install conftest to push Rego policies that comply with its spec.

$ echo "bar" > foo
$ cosign attest --key cosign.key --predicate foo devopps/alpine:3.15.0
$ cat > policy.rego <<'EOF'
package signature

# cosign wraps the --predicate file as {"Data": <file contents>, "Timestamp": ...}
# and hands the whole in-toto statement to the policy as `input`, so the file's
# contents live at input.predicate.Data. Every message collected in `allow` is
# reported as a validation error by verify-attestation.
allow[msg] {
 input.predicate.Data != "bar-test\n"
 msg := sprintf("unexpected data: %v", [input.predicate.Data])
}
EOF
$ conftest push --policy policy.rego ghcr.io/developer-guy/policy-rego
2022/02/17 19:23:58 pushing bundle to: ghcr.io/developer-guy/policy-rego:latest
2022/02/17 19:24:01 pushed bundle with digest: sha256:7278b4301eb15f3e16e12d38af512879c1d5df1bd88c7641b094716e7eb7e779

$ cosign verify-attestation --key cosign.pub --policy ghcr.io/developer-guy/policy-rego devopps/alpine:3.15.0
will be validating against Rego policies: [/var/folders/pf/6h9t0mnd4d342ncgpjq_3zl80000gp/T/crane-append3411930157]
There are 1 number of errors occurred during the validation:
- unexpected data: bar

Error: 1 validation errors occurred
main.go:46: error during command execution: 1 validation errors occurred

Ticket Link

Fixes #1361

Release Note

feat: load rego policies from OCI images

cc: @Dentrax
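The `input` that the Rego policy in the description sees is the in-toto statement cosign unwraps from the attestation's DSSE envelope, which is why the rule reads `input.predicate.Data`. The Go program below is an added illustration, not code from this PR or from cosign: it decodes a constructed envelope the way the policy's caller would, applies the same check as the `allow[msg]` rule in plain Go, and refuses a policy image reference that is not pinned by digest (the description's example passes a bare tag, which resolves to `:latest`). Signature verification is deliberately left out; cosign performs it before any policy runs. The struct names, `RequireDigestPinned`, the subject digest, timestamp and signature bytes are my own constructed sample data, and the predicate type string and `Data`/`Timestamp` wrapper are my understanding of cosign's custom predicate.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Envelope is the DSSE envelope `cosign attest` stores for an attestation.
// This example only unwraps the payload; it does not verify Signatures.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // base64 of the in-toto statement
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Statement is the part of the in-toto statement a Rego policy receives as `input`.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Subject       []Subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// CosignPredicate is the wrapper cosign puts around a custom --predicate file:
// the file's bytes land in Data, hence input.predicate.Data in the policy.
type CosignPredicate struct {
	Data      string `json:"Data"`
	Timestamp string `json:"Timestamp"`
}

// DecodeStatement unwraps a DSSE envelope and returns the statement a policy would see.
func DecodeStatement(envJSON []byte) (*Statement, error) {
	var env Envelope
	if err := json.Unmarshal(envJSON, &env); err != nil {
		return nil, fmt.Errorf("parsing envelope: %w", err)
	}
	if env.PayloadType != "application/vnd.in-toto+json" {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	if len(env.Signatures) == 0 {
		return nil, errors.New("envelope carries no signatures")
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("decoding payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("parsing statement: %w", err)
	}
	return &st, nil
}

// CheckData is the Go equivalent of the allow[msg] rule: it returns the policy's
// violation messages when predicate.Data differs from expected, nil otherwise.
func CheckData(st *Statement, expected string) []string {
	var p CosignPredicate
	if err := json.Unmarshal(st.Predicate, &p); err != nil {
		return []string{fmt.Sprintf("predicate is not a cosign custom predicate: %v", err)}
	}
	if p.Data != expected {
		return []string{fmt.Sprintf("unexpected data: %v", p.Data)}
	}
	return nil
}

// RequireDigestPinned (hypothetical helper, not a cosign API) rejects a policy
// image reference addressed by a mutable tag, which can be repointed later.
func RequireDigestPinned(ref string) error {
	if !strings.Contains(ref, "@sha256:") {
		return fmt.Errorf("policy ref %q is not pinned by digest", ref)
	}
	return nil
}

// SampleEnvelope is constructed test data shaped like the PR's example
// (predicate file containing "bar\n"); digest, timestamp and sig are made up.
func SampleEnvelope() []byte {
	stmt := `{"_type":"https://in-toto.io/Statement/v0.1",` +
		`"predicateType":"https://cosign.sigstore.dev/attestation/v1",` +
		`"subject":[{"name":"index.docker.io/devopps/alpine","digest":{"sha256":"` +
		strings.Repeat("ab", 32) + `"}}],` +
		`"predicate":{"Data":"bar\n","Timestamp":"2022-02-17T19:20:00Z"}}`
	env := Envelope{
		PayloadType: "application/vnd.in-toto+json",
		Payload:     base64.StdEncoding.EncodeToString([]byte(stmt)),
		Signatures:  []Signature{{Sig: base64.StdEncoding.EncodeToString([]byte("not-a-real-signature"))}},
	}
	b, _ := json.Marshal(env)
	return b
}

func main() {
	if err := RequireDigestPinned("ghcr.io/developer-guy/policy-rego"); err != nil {
		fmt.Println("warning:", err)
	}
	st, err := DecodeStatement(SampleEnvelope())
	if err != nil {
		panic(err)
	}
	for _, msg := range CheckData(st, "bar-test\n") {
		fmt.Printf("- %s", msg) // the predicate's own trailing newline ends the line
	}
}
```

The same walk from envelope to `predicate.Data` is what makes the `input.predicate.Data` path in the policy correct; a rule that reads `input.Data` would be undefined and never fire.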

developer-guy force-pushed the feature/1361 branch 3 times, most recently from 90ad019 to 8fe2b91 (February 17, 2022 20:47)
if err != nil {
return fmt.Errorf("reading image %q: %w", policyImageRef, err)
}
if len(policyImageSigs) == 0 {
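Review bot: the body of `if len(policyImageSigs) == 0 {` is cut off in this excerpt, so it is not visible whether a policy image with no verified signatures is rejected or merely warned about. Since the bundle fetched from `policyImageRef` decides the outcome of `verify-attestation`, a policy image that fails its own signature check should be a hard error on the same footing as the `reading image %q` failure just above, and the description's example, which passes a bare tag rather than a digest reference, should say how the policy image is expected to be signed.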
developer-guy (Member Author):

cc: @dlorenc

dlorenc (Member) commented Feb 26, 2022

Sorry I'll get to this one this week!

@codecov-commenter
Codecov Report

Merging #1478 (9bb302a) into main (ae90c74) will decrease coverage by 0.19%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #1478      +/-   ##
==========================================
- Coverage   34.00%   33.81%   -0.20%     
==========================================
  Files         153      153              
  Lines        9981    10038      +57     
==========================================
  Hits         3394     3394              
- Misses       6208     6265      +57     
  Partials      379      379              
Impacted Files                                Coverage Δ
cmd/cosign/cli/verify/verify_attestation.go   0.00% <0.00%> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@github-actions
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.

github-actions bot commented Sep 1, 2022

This PR was closed because it has been stalled for 10 days with no activity.

github-actions bot closed this Sep 1, 2022
developer-guy (Member Author):
Can we re-open this one @dlorenc if you still consider it useful?

developer-guy (Member Author):
kindly ping @dlorenc @hectorj2f

hectorj2f reopened this Dec 22, 2022
hectorj2f (Contributor):
@developer-guy Done!

@github-actions
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.

github-actions bot commented Feb 1, 2023

This PR was closed because it has been stalled for 10 days with no activity.

github-actions bot closed this Feb 1, 2023
Successfully merging this pull request may close these issues.

ability to load Rego or CUE policies over OCI registries