Commit f04956c

Author: Mark Bestavros
Merge pull request #1604 from mbestavros/cli-data
Expose --extra-rule-data in v-e-c task
2 parents 3ce6dd4 + e257367 commit f04956c

4 files changed

Lines changed: 255 additions & 0 deletions

File tree

docs/modules/ROOT/pages/verify-enterprise-contract.adoc

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -57,6 +57,7 @@ paths can be provided by using the `:` separator.
5757
*EFFECTIVE_TIME* (`string`):: Run policy checks with the provided time.
5858
+
5959
*Default*: `now`
60+
*EXTRA_RULE_DATA* (`string`):: Merge additional Rego variables into the policy data. Use syntax "key=value,key2=value2..."
6061

6162
== Results
6263

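Review bot: the new `*EXTRA_RULE_DATA*` entry is missing the `*Default*:` line that the adjacent `*EFFECTIVE_TIME*` entry carries; the task definition in this commit sets `default: ""`, so add a matching line such as `*Default*: (empty)` so the doc and the task agree. "Merge additional Rego variables into the policy data" also leaves precedence unstated: say whether a key given here overrides, or is overridden by, the same key in rule data shipped with the policy sources, because that decides whether a caller of the task can relax policy-supplied data.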
features/__snapshots__/task_validate_image.snap

Lines changed: 218 additions & 0 deletions
@@ -274,6 +274,100 @@ success: true
274274

275275
---
276276

277+
[Extra rule data provided to task:report - 1]
278+
components:
279+
- attestations:
280+
- predicateBuildType: tekton.dev/v1beta1/TaskRun
281+
predicateType: https://slsa.dev/provenance/v0.2
282+
signatures:
283+
- keyid: SHA256:RHajkr+wMEtGfT2CRFrQEhg/8MY2bDLXVg3F8IuI5nE
284+
sig: MEUCIHFVZeVR59n9UvN1dwF9Lh3Gv8XWLPDPIIJcnQ8e3TtvAiEA0z/5v6ggvmQyQ1EnYTJo9rwxOYuve4th4P/0639orLg=
285+
type: https://in-toto.io/Statement/v0.1
286+
- predicateBuildType: tekton.dev/v1beta1/PipelineRun
287+
predicateType: https://slsa.dev/provenance/v0.2
288+
signatures:
289+
- keyid: SHA256:RHajkr+wMEtGfT2CRFrQEhg/8MY2bDLXVg3F8IuI5nE
290+
sig: MEUCIQClx1zvZGvyRu5gCHiC+oWVZTmWJGQlocSZMnzx/5omZAIgUiLQuMm+USYE+H0PDn/xPSVVQjkhWjDc3fulkxVzlC0=
291+
type: https://in-toto.io/Statement/v0.1
292+
- predicateBuildType: tekton.dev/v1beta1/PipelineRun
293+
predicateType: https://slsa.dev/provenance/v0.2
294+
signatures:
295+
- keyid: SHA256:RHajkr+wMEtGfT2CRFrQEhg/8MY2bDLXVg3F8IuI5nE
296+
sig: MEUCIGS176zN5aoorLQMukjoCkHm7ocu7UhnKXLhzEdsgp4BAiEAviub3Lf4thLmSTU6ZqnEjw02kkrb9LKBBa1t8hVgAM4=
297+
type: https://in-toto.io/Statement/v0.1
298+
containerImage: quay.io/hacbs-contract-demo/golden-container@sha256:e76a4ae9dd8a52a0d191fd34ca133af5b4f2609536d32200a4a40a09fdc93a0d
299+
name: ""
300+
signatures:
301+
- keyid: ""
302+
sig: MEUCIFPod1d9HhGt+TEQPG4j+LINjkifCFFOFrE4jbkvexGGAiEAqSp3ROZUsIOwWro6Tv+lRiR7sdMR0U6Crs1ISuQhHtA=
303+
source: {}
304+
success: true
305+
successes:
306+
- metadata:
307+
code: builtin.attestation.signature_check
308+
description: The attestation signature matches available signing materials.
309+
title: Attestation signature check passed
310+
msg: Pass
311+
- metadata:
312+
code: builtin.attestation.syntax_check
313+
description: The attestation has correct syntax.
314+
title: Attestation syntax check passed
315+
msg: Pass
316+
- metadata:
317+
code: builtin.image.signature_check
318+
description: The image signature matches available signing materials.
319+
title: Image signature check passed
320+
msg: Pass
321+
- metadata:
322+
code: slsa_provenance_available.allowed_predicate_types_provided
323+
collections:
324+
- minimal
325+
- slsa3
326+
- redhat
327+
- policy_data
328+
description: Confirm the `allowed_predicate_types` rule data was provided, since
329+
it is required by the policy rules in this package.
330+
title: Allowed predicate types provided
331+
msg: Pass
332+
- metadata:
333+
code: slsa_provenance_available.attestation_predicate_type_accepted
334+
collections:
335+
- minimal
336+
- slsa3
337+
- redhat
338+
depends_on:
339+
- attestation_type.known_attestation_type
340+
description: Verify that the predicateType field of the attestation indicates
341+
the in-toto SLSA Provenance format was used to attest the PipelineRun.
342+
title: Expected attestation predicate type found
343+
msg: Pass
344+
ec-version: ${EC_VERSION}
345+
effective-time: "${TIMESTAMP}"
346+
key: |
347+
-----BEGIN PUBLIC KEY-----
348+
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERhr8Zj4dZW67zucg8fDr11M4lmRp
349+
zN6SIcIjkvH39siYg1DkCoa2h2xMUZ10ecbM3/ECqvBV55YwQ2rcIEa7XQ==
350+
-----END PUBLIC KEY-----
351+
policy:
352+
configuration:
353+
include:
354+
- slsa_provenance_available
355+
publicKey: |-
356+
-----BEGIN PUBLIC KEY-----
357+
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERhr8Zj4dZW67zucg8fDr11M4lmRp
358+
zN6SIcIjkvH39siYg1DkCoa2h2xMUZ10ecbM3/ECqvBV55YwQ2rcIEa7XQ==
359+
-----END PUBLIC KEY-----
360+
sources:
361+
- policy:
362+
- github.com/enterprise-contract/ec-policies//policy/release
363+
- github.com/enterprise-contract/ec-policies//policy/lib
364+
ruleData:
365+
key1: value1
366+
key2: value2
367+
success: true
368+
369+
---
370+
277371
[Initialize TUF fails:report - 1]
278372
${TIMESTAMP} Skipping step because a previous step failed
279373

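Review bot: this report shows the extra data only as an echo under `policy.ruleData` (`key1: value1`, `key2: value2`); none of the five successes depend on `key1` or `key2`, so the snapshot proves the values were recorded, not that a rule could read them. Since the report reproduces caller-supplied data verbatim, this is also the place to cover a value containing `=` or `,`, which the documented `key=value,key2=value2` syntax does not address. Separately, `collections` for `attestation_predicate_type_accepted` here is `minimal, slsa3, redhat`, while the report-json snapshot for the same scenario in this commit lists `minimal, slsa1, slsa2, slsa3, redhat`, so the two snapshots appear to come from different policy revisions.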
@@ -416,6 +510,12 @@ TUF_MIRROR not set. Skipping TUF root initialization.
416510
}
417511
---
418512

513+
[Extra rule data provided to task:results - 1]
514+
{
515+
"TEST_OUTPUT": "{\"timestamp\":\"${TIMESTAMP}\",\"namespace\":\"\",\"successes\":5,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n"
516+
}
517+
---
518+
419519
[Initialize TUF succeeds:results - 1]
420520
{
421521
"TEST_OUTPUT": "{\"timestamp\":\"${TIMESTAMP}\",\"namespace\":\"\",\"successes\":5,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n"
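Review bot: `"successes":5` agrees with the five entries in the yaml `report` snapshot for this scenario, but the `report-json` snapshot added in this same commit lists only four (it has no `slsa_provenance_available.allowed_predicate_types_provided` entry), so one of the step snapshots is stale; regenerate all three from a single run before merging.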
@@ -861,6 +961,124 @@ true
861961
}
862962
---
863963

964+
[Extra rule data provided to task:report-json - 1]
965+
{
966+
"success": true,
967+
"components": [
968+
{
969+
"name": "",
970+
"containerImage": "quay.io/hacbs-contract-demo/golden-container@sha256:e76a4ae9dd8a52a0d191fd34ca133af5b4f2609536d32200a4a40a09fdc93a0d",
971+
"source": {},
972+
"successes": [
973+
{
974+
"msg": "Pass",
975+
"metadata": {
976+
"code": "builtin.attestation.signature_check",
977+
"description": "The attestation signature matches available signing materials.",
978+
"title": "Attestation signature check passed"
979+
}
980+
},
981+
{
982+
"msg": "Pass",
983+
"metadata": {
984+
"code": "builtin.attestation.syntax_check",
985+
"description": "The attestation has correct syntax.",
986+
"title": "Attestation syntax check passed"
987+
}
988+
},
989+
{
990+
"msg": "Pass",
991+
"metadata": {
992+
"code": "builtin.image.signature_check",
993+
"description": "The image signature matches available signing materials.",
994+
"title": "Image signature check passed"
995+
}
996+
},
997+
{
998+
"msg": "Pass",
999+
"metadata": {
1000+
"code": "slsa_provenance_available.attestation_predicate_type_accepted",
1001+
"collections": [
1002+
"minimal",
1003+
"slsa1",
1004+
"slsa2",
1005+
"slsa3",
1006+
"redhat"
1007+
],
1008+
"depends_on": [
1009+
"attestation_type.known_attestation_type"
1010+
],
1011+
"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.",
1012+
"title": "Expected attestation predicate type found"
1013+
}
1014+
}
1015+
],
1016+
"success": true,
1017+
"signatures": [
1018+
{
1019+
"keyid": "",
1020+
"sig": "MEUCIFPod1d9HhGt+TEQPG4j+LINjkifCFFOFrE4jbkvexGGAiEAqSp3ROZUsIOwWro6Tv+lRiR7sdMR0U6Crs1ISuQhHtA="
1021+
}
1022+
],
1023+
"attestations": [
1024+
{
1025+
"type": "https://in-toto.io/Statement/v0.1",
1026+
"predicateType": "https://slsa.dev/provenance/v0.2",
1027+
"predicateBuildType": "tekton.dev/v1beta1/TaskRun",
1028+
"signatures": [
1029+
{
1030+
"keyid": "SHA256:RHajkr+wMEtGfT2CRFrQEhg/8MY2bDLXVg3F8IuI5nE",
1031+
"sig": "MEUCIHFVZeVR59n9UvN1dwF9Lh3Gv8XWLPDPIIJcnQ8e3TtvAiEA0z/5v6ggvmQyQ1EnYTJo9rwxOYuve4th4P/0639orLg="
1032+
}
1033+
]
1034+
},
1035+
{
1036+
"type": "https://in-toto.io/Statement/v0.1",
1037+
"predicateType": "https://slsa.dev/provenance/v0.2",
1038+
"predicateBuildType": "tekton.dev/v1beta1/PipelineRun",
1039+
"signatures": [
1040+
{
1041+
"keyid": "SHA256:RHajkr+wMEtGfT2CRFrQEhg/8MY2bDLXVg3F8IuI5nE",
1042+
"sig": "MEUCIQClx1zvZGvyRu5gCHiC+oWVZTmWJGQlocSZMnzx/5omZAIgUiLQuMm+USYE+H0PDn/xPSVVQjkhWjDc3fulkxVzlC0="
1043+
}
1044+
]
1045+
},
1046+
{
1047+
"type": "https://in-toto.io/Statement/v0.1",
1048+
"predicateType": "https://slsa.dev/provenance/v0.2",
1049+
"predicateBuildType": "tekton.dev/v1beta1/PipelineRun",
1050+
"signatures": [
1051+
{
1052+
"keyid": "SHA256:RHajkr+wMEtGfT2CRFrQEhg/8MY2bDLXVg3F8IuI5nE",
1053+
"sig": "MEUCIGS176zN5aoorLQMukjoCkHm7ocu7UhnKXLhzEdsgp4BAiEAviub3Lf4thLmSTU6ZqnEjw02kkrb9LKBBa1t8hVgAM4="
1054+
}
1055+
]
1056+
}
1057+
]
1058+
}
1059+
],
1060+
"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERhr8Zj4dZW67zucg8fDr11M4lmRp\nzN6SIcIjkvH39siYg1DkCoa2h2xMUZ10ecbM3/ECqvBV55YwQ2rcIEa7XQ==\n-----END PUBLIC KEY-----\n",
1061+
"policy": {
1062+
"sources": [
1063+
{
1064+
"policy": [
1065+
"github.com/enterprise-contract/ec-policies//policy/release",
1066+
"github.com/enterprise-contract/ec-policies//policy/lib"
1067+
]
1068+
}
1069+
],
1070+
"configuration": {
1071+
"include": [
1072+
"slsa_provenance_available"
1073+
]
1074+
},
1075+
"publicKey": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERhr8Zj4dZW67zucg8fDr11M4lmRp\nzN6SIcIjkvH39siYg1DkCoa2h2xMUZ10ecbM3/ECqvBV55YwQ2rcIEa7XQ==\n-----END PUBLIC KEY-----"
1076+
},
1077+
"ec-version": "${EC_VERSION}",
1078+
"effective-time": "${TIMESTAMP}"
1079+
}
1080+
---
1081+
8641082
[Initialize TUF succeeds:report-json - 1]
8651083
{
8661084
"success": true,
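Review bot: the `policy` object in this JSON report carries `sources`, `configuration` and `publicKey` but no `ruleData`, whereas the yaml report for the same scenario includes `ruleData` with `key1: value1` and `key2: value2`. Either the JSON output drops rule data, which deserves its own fix since the JSON report is what downstream tooling consumes, or this snapshot predates the change; the four-entry `successes` list against `"successes":5` in the results snapshot points to the latter. Regenerate and confirm `ruleData` appears in the JSON form as well.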

features/task_validate_image.feature

Lines changed: 31 additions & 0 deletions
@@ -35,6 +35,37 @@ Feature: Verify Enterprise Contract Tekton Tasks
3535
And the task logs for step "report" should match the snapshot
3636
And the task results should match the snapshot
3737

38+
Scenario: Extra rule data provided to task
39+
Given a working namespace
40+
Given a cluster policy with content:
41+
```
42+
{
43+
"publicKey": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERhr8Zj4dZW67zucg8fDr11M4lmRp\nzN6SIcIjkvH39siYg1DkCoa2h2xMUZ10ecbM3/ECqvBV55YwQ2rcIEa7XQ==\n-----END PUBLIC KEY-----",
44+
"sources": [
45+
{
46+
"policy": [
47+
"github.com/enterprise-contract/ec-policies//policy/release",
48+
"github.com/enterprise-contract/ec-policies//policy/lib"
49+
]
50+
}
51+
],
52+
"configuration": {
53+
"include": [
54+
"slsa_provenance_available"
55+
]
56+
}
57+
}
58+
```
59+
When version 0.1 of the task named "verify-enterprise-contract" is run with parameters:
60+
| IMAGES | {"components": [{"containerImage": "quay.io/hacbs-contract-demo/golden-container@sha256:e76a4ae9dd8a52a0d191fd34ca133af5b4f2609536d32200a4a40a09fdc93a0d"}]} |
61+
| POLICY_CONFIGURATION | ${NAMESPACE}/${POLICY_NAME} |
62+
| STRICT | true |
63+
| IGNORE_REKOR | true |
64+
| EXTRA_RULE_DATA | key1=value1,key2=value2 |
65+
Then the task should succeed
66+
And the task logs for step "report" should match the snapshot
67+
And the task results should match the snapshot
68+
3869
Scenario: Initialize TUF succeeds
3970
Given a working namespace
4071
Given a cluster policy with content:
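Review bot: the scenario includes only the `slsa_provenance_available` package, whose rules do not read `key1` or `key2`, so `Then the task should succeed` would pass even if `--extra-rule-data` were silently ignored; the sole evidence it was applied is the echoed `ruleData` block in the snapshot. Add a case whose outcome depends on the supplied data (for example a value that causes an included rule to fail), and a second parameter value that exercises the delimiter handling of `key=value,key2=value2`.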

tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml

Lines changed: 5 additions & 0 deletions
@@ -110,6 +110,10 @@ spec:
110110
type: string
111111
description: Run policy checks with the provided time.
112112
default: "now"
113+
- name: EXTRA_RULE_DATA
114+
type: string
115+
description: Merge additional Rego variables into the policy data. Use syntax "key=value,key2=value2..."
116+
default: ""
113117

114118
workspaces:
115119
- name: data
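Review bot: the description documents the `key=value,key2=value2` syntax but not how values are typed or escaped, that is, whether `value1` reaches Rego as a string and what happens when a value itself contains `,` or `=`. Since the task hands the parameter straight to the CLI, either state that limitation in the description or point readers to the CLI documentation for `--extra-rule-data`.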
@@ -170,6 +174,7 @@ spec:
170174
- "--strict=false"
171175
- "--show-successes"
172176
- "--effective-time=$(params.EFFECTIVE_TIME)"
177+
- "--extra-rule-data=$(params.EXTRA_RULE_DATA)"
173178
- "--output"
174179
- "yaml=$(params.HOMEDIR)/report.yaml"
175180
- "--output"
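Review bot: `--extra-rule-data=$(params.EXTRA_RULE_DATA)` is appended unconditionally, so with the parameter's default of `""` every run of the task now passes an empty `--extra-rule-data=` to `ec`. The unchanged snapshot for the existing `Initialize TUF succeeds` scenario suggests the CLI tolerates the empty value, but confirm that this is an accepted input rather than incidental behaviour, or add the flag only when the parameter is non-empty.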
