Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add rego policy support #1817

Merged
merged 2 commits into from
Apr 29, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions pkg/policy/eval.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ import (
"fmt"

"cuelang.org/go/cue/cuecontext"
"github.com/sigstore/cosign/pkg/cosign/rego"

"knative.dev/pkg/logging"
)
Expand All @@ -42,7 +43,7 @@ func EvaluatePolicyAgainstJSON(ctx context.Context, name, policyType string, pol
case "rego":
regoValidationErr := evaluateRego(ctx, jsonBytes, policyBody)
if regoValidationErr != nil {
return fmt.Errorf("failed evaluating rego policy for type %s", name)
return fmt.Errorf("failed evaluating rego policy for type %s: %s", name, regoValidationErr.Error()) // nolint
}
default:
return fmt.Errorf("sorry Type %s is not supported yet", policyType)
Expand Down Expand Up @@ -73,9 +74,8 @@ func evaluateCue(ctx context.Context, attestation []byte, evaluator string) erro

// evaluateRego evaluates a rego policy `evaluator` against `attestation`
func evaluateRego(ctx context.Context, attestation []byte, evaluator string) error {
// TODO(vaikas) Fix this
// The existing stuff wants files, and it doesn't work. There must be
// a way to load it from a []byte like we can do with cue. Tomorrows problem
// regoValidationErrs := rego.ValidateJSON(payload, regoPolicies)
return fmt.Errorf("TODO(vaikas): Don't know how to this from bytes yet")
logging.FromContext(ctx).Infof("Evaluating attestation: %s", string(attestation))
logging.FromContext(ctx).Infof("Evaluating evaluator: %s", evaluator)

return rego.ValidateJSONWithModuleInput(attestation, evaluator)
}
34 changes: 32 additions & 2 deletions pkg/policy/eval_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -167,8 +167,38 @@ func TestEvalPolicy(t *testing.T) {
keylesssignature: {
signatures: list.MaxItems(1) & list.MinItems(1)
}
}`,
}}
}`}, {
name: "Rego cluster image policy main policy, checks out",
json: cipAttestation,
policyType: "rego",
policyFile: `package sigstore
default isCompliant = false
isCompliant {
attestationsKeylessATT := input.authorityMatches.keylessatt.attestations
count(attestationsKeylessATT) == 1
attestationsKeyATT := input.authorityMatches.keyatt.attestations
count(attestationsKeyATT) == 1
keySignature := input.authorityMatches.keysignature.signatures
count(keySignature) == 1
}`,
},
{
name: "Rego cluster image policy main policy, fails",
json: cipAttestation,
policyType: "rego",
wantErr: true,
wantErrSub: `failed evaluating rego policy for type Rego cluster image policy main policy, fails: policy is not compliant for query 'isCompliant = data.sigstore.isCompliant'`,
policyFile: `package sigstore
default isCompliant = false
isCompliant {
attestationsKeylessATT := input.authorityMatches.keylessatt.attestations
count(attestationsKeylessATT) == 2
attestationsKeyATT := input.authorityMatches.keyatt.attestations
count(attestationsKeyATT) == 1
keySignature := input.authorityMatches.keysignature.signatures
count(keySignature) == 1
}`,
}}
for _, tc := range tests {
ctx := context.Background()
err := EvaluatePolicyAgainstJSON(ctx, tc.name, tc.policyType, tc.policyFile, []byte(tc.json))
Expand Down