Provide all components as additional input to policy check #1737

4 changes: 2 additions & 2 deletions cmd/validate/image.go
Expand Up @@ -42,7 +42,7 @@ import (
validate_utils "github.com/enterprise-contract/ec-cli/internal/validate"
)

type imageValidationFunc func(context.Context, app.SnapshotComponent, policy.Policy, []evaluator.Evaluator, bool) (*output.Output, error)
type imageValidationFunc func(context.Context, app.SnapshotComponent, *app.SnapshotSpec, policy.Policy, []evaluator.Evaluator, bool) (*output.Output, error)

var newConftestEvaluator = evaluator.NewConftestEvaluator

Expand Down Expand Up @@ -320,7 +320,7 @@ func validateImageCmd(validate imageValidationFunc) *cobra.Command {
for comp := range jobs {
log.Debugf("Worker %d got a component %q", id, comp.ContainerImage)
ctx := cmd.Context()
out, err := validate(ctx, comp, data.policy, evaluators, data.info)
out, err := validate(ctx, comp, data.spec, data.policy, evaluators, data.info)
res := result{
err: err,
component: applicationsnapshot.Component{
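Review bot: `imageValidationFunc` now takes six positional arguments and has no doc comment, and the call in the worker loop passes the same `data.spec` pointer to every worker reading from `jobs`, so the type should state that the spec is shared and read-only, for example `// imageValidationFunc validates a single component; spec is the whole snapshot, shared by all workers, and must not be modified.` If an implementation did write through the pointer, concurrent workers would race on it. Judging by the snapshot fixtures in this PR, the spec ends up in the policy input as `snapshot.components`; those entries come from the caller's snapshot and, as far as these hunks show, have not passed the signature or attestation checks applied to the component being evaluated, which is worth a sentence in the same comment so policy authors do not treat them as verified. validateImageCmd's body continues outside the hunk, so the number of concurrent workers is not visible here.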
2 changes: 1 addition & 1 deletion cmd/validate/image_integration_test.go
Expand Up @@ -76,7 +76,7 @@ func TestEvaluatorLifecycle(t *testing.T) {
newConftestEvaluator = evaluator.NewConftestEvaluator
})

validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, evaluators []evaluator.Evaluator, _ bool) (*output.Output, error) {
validate := func(_ context.Context, component app.SnapshotComponent, _ *app.SnapshotSpec, _ policy.Policy, evaluators []evaluator.Evaluator, _ bool) (*output.Output, error) {
for _, e := range evaluators {
_, _, err := e.Evaluate(ctx, []string{})
require.NoError(t, err)
28 changes: 14 additions & 14 deletions cmd/validate/image_test.go
Expand Up @@ -256,7 +256,7 @@ func Test_determineInputSpec(t *testing.T) {
}

func Test_ValidateImageCommand(t *testing.T) {
validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
validate := func(_ context.Context, component app.SnapshotComponent, _ *app.SnapshotSpec, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
return &output.Output{
ImageSignatureCheck: output.VerificationStatus{
Passed: true,
Expand Down Expand Up @@ -336,7 +336,7 @@ func Test_ValidateImageCommand(t *testing.T) {
}

func Test_ValidateImageCommandImages(t *testing.T) {
validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
validate := func(_ context.Context, component app.SnapshotComponent, _ *app.SnapshotSpec, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
return &output.Output{
ImageSignatureCheck: output.VerificationStatus{
Passed: true,
Expand Down Expand Up @@ -458,7 +458,7 @@ func Test_ValidateImageCommandImages(t *testing.T) {

func Test_ValidateImageCommandKeyless(t *testing.T) {
called := false
validateImageCmd := validateImageCmd(func(_ context.Context, _ app.SnapshotComponent, p policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
validateImageCmd := validateImageCmd(func(_ context.Context, _ app.SnapshotComponent, _ *app.SnapshotSpec, p policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
assert.Equal(t, cosign.Identity{
Issuer: "my-certificate-oidc-issuer",
Subject: "my-certificate-identity",
Expand Down Expand Up @@ -503,7 +503,7 @@ func Test_ValidateImageCommandKeyless(t *testing.T) {
}

func Test_ValidateImageCommandYAMLPolicyFile(t *testing.T) {
validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
validate := func(_ context.Context, component app.SnapshotComponent, _ *app.SnapshotSpec, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
return &output.Output{
ImageSignatureCheck: output.VerificationStatus{
Passed: true,
Expand Down Expand Up @@ -621,7 +621,7 @@ spec:
}

func Test_ValidateImageCommandJSONPolicyFile(t *testing.T) {
validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
validate := func(_ context.Context, component app.SnapshotComponent, _ *app.SnapshotSpec, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
return &output.Output{
ImageSignatureCheck: output.VerificationStatus{
Passed: true,
Expand Down Expand Up @@ -700,7 +700,7 @@ configuration:
}

func Test_ValidateImageCommandExtraData(t *testing.T) {
validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
validate := func(_ context.Context, component app.SnapshotComponent, _ *app.SnapshotSpec, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
return &output.Output{
ImageSignatureCheck: output.VerificationStatus{
Passed: true,
Expand Down Expand Up @@ -825,7 +825,7 @@ spec:
}

func Test_ValidateImageCommandEmptyPolicyFile(t *testing.T) {
validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
validate := func(_ context.Context, component app.SnapshotComponent, _ *app.SnapshotSpec, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
return &output.Output{
ImageSignatureCheck: output.VerificationStatus{
Passed: true,
Expand Down Expand Up @@ -893,7 +893,7 @@ func Test_ValidateImageCommandEmptyPolicyFile(t *testing.T) {

func Test_ValidateImageErrorLog(t *testing.T) {
// TODO: Enhance this test to cover other Error Log messages
validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
validate := func(_ context.Context, component app.SnapshotComponent, _ *app.SnapshotSpec, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
return &output.Output{
ImageSignatureCheck: output.VerificationStatus{
Passed: true,
Expand Down Expand Up @@ -1057,7 +1057,7 @@ func Test_ValidateErrorCommand(t *testing.T) {
}
for _, c := range cases {
t.Run(c.name, func(t *testing.T) {
validate := func(context.Context, app.SnapshotComponent, policy.Policy, []evaluator.Evaluator, bool) (*output.Output, error) {
validate := func(context.Context, app.SnapshotComponent, *app.SnapshotSpec, policy.Policy, []evaluator.Evaluator, bool) (*output.Output, error) {
return nil, errors.New("expected")
}

Expand Down Expand Up @@ -1087,7 +1087,7 @@ func Test_ValidateErrorCommand(t *testing.T) {
}

func Test_FailureImageAccessibility(t *testing.T) {
validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
validate := func(_ context.Context, component app.SnapshotComponent, _ *app.SnapshotSpec, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
return &output.Output{
ImageSignatureCheck: output.VerificationStatus{
Passed: false,
Expand Down Expand Up @@ -1158,7 +1158,7 @@ func Test_FailureImageAccessibility(t *testing.T) {
}

func Test_FailureOutput(t *testing.T) {
validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
validate := func(_ context.Context, component app.SnapshotComponent, _ *app.SnapshotSpec, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
return &output.Output{
ImageSignatureCheck: output.VerificationStatus{
Passed: false,
Expand Down Expand Up @@ -1227,7 +1227,7 @@ func Test_FailureOutput(t *testing.T) {
}

func Test_WarningOutput(t *testing.T) {
validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
validate := func(_ context.Context, component app.SnapshotComponent, _ *app.SnapshotSpec, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
return &output.Output{
ImageSignatureCheck: output.VerificationStatus{
Passed: true,
Expand Down Expand Up @@ -1301,7 +1301,7 @@ func Test_WarningOutput(t *testing.T) {
}

func Test_FailureImageAccessibilityNonStrict(t *testing.T) {
validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
validate := func(_ context.Context, component app.SnapshotComponent, _ *app.SnapshotSpec, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
return &output.Output{
ImageSignatureCheck: output.VerificationStatus{
Passed: true,
Expand Down Expand Up @@ -1369,7 +1369,7 @@ func Test_FailureImageAccessibilityNonStrict(t *testing.T) {
}

func TestValidateImageCommand_RunE(t *testing.T) {
validate := func(_ context.Context, component app.SnapshotComponent, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
validate := func(_ context.Context, component app.SnapshotComponent, _ *app.SnapshotSpec, _ policy.Policy, _ []evaluator.Evaluator, _ bool) (*output.Output, error) {
return &output.Output{
ImageSignatureCheck: output.VerificationStatus{
Passed: true,
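Review bot: Every stub in this file binds the new `*app.SnapshotSpec` parameter to `_` (or leaves it unnamed in Test_ValidateErrorCommand), as does the stub in cmd/validate/image_integration_test.go, so no unit test here checks that the command actually hands the full snapshot to the validator. Test_ValidateImageCommandKeyless already asserts on its policy argument `p`; one stub could do the same for the spec by naming the parameter `spec` and adding `assert.NotNil(t, spec)` plus a check of `len(spec.Components)` against the images given to the command. The acceptance snapshots in this PR do cover the resulting policy input, so this is about catching a dropped or nil spec earlier rather than a gap in end-to-end coverage. The test bodies continue outside the visible hunks.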
33 changes: 33 additions & 0 deletions features/__snapshots__/validate_image.snap
Expand Up @@ -2547,6 +2547,17 @@ ${__________known_PUBLIC_KEY}
}
},
"source": {}
},
"snapshot": {
"application": "",
"components": [
{
"name": "Unnamed",
"containerImage": "${REGISTRY}/acceptance/policy-input-output",
"source": {}
}
],
"artifacts": {}
}
}
---
Expand Down Expand Up @@ -2899,6 +2910,17 @@ Error: success criteria not met
}
},
"source": {}
},
"snapshot": {
"application": "",
"components": [
{
"name": "Unnamed",
"containerImage": "${REGISTRY}/acceptance/image",
"source": {}
}
],
"artifacts": {}
}
}
---
Expand Down Expand Up @@ -3241,6 +3263,17 @@ Error: success criteria not met
}
},
"source": {}
},
"snapshot": {
"application": "",
"components": [
{
"name": "Unnamed",
"containerImage": "${REGISTRY}/acceptance/image",
"source": {}
}
],
"artifacts": {}
}
}
---
Expand Up @@ -34,6 +34,22 @@
"image": {
"ref": "registry.io/repository/image:tag",
"source": {}
},
"snapshot": {
"application": "",
"artifacts": {},
"components": [
{
"containerImage": "registry.io/repository/image:tag",
"name": "",
"source": {}
},
{
"containerImage": "registry.io/other-repository/image2:tag",
"name": "",
"source": {}
}
]
}
}
---
Expand Down Expand Up @@ -77,6 +93,22 @@
"image": {
"ref": "registry.io/repository/image:tag",
"source": {}
},
"snapshot": {
"application": "",
"artifacts": {},
"components": [
{
"containerImage": "registry.io/repository/image:tag",
"name": "",
"source": {}
},
{
"containerImage": "registry.io/other-repository/image2:tag",
"name": "",
"source": {}
}
]
}
}
---
Expand Down Expand Up @@ -118,6 +150,22 @@
}
],
"source": {}
},
"snapshot": {
"application": "",
"artifacts": {},
"components": [
{
"containerImage": "registry.io/repository/image:tag",
"name": "",
"source": {}
},
{
"containerImage": "registry.io/other-repository/image2:tag",
"name": "",
"source": {}
}
]
}
}
---
Expand All @@ -133,6 +181,22 @@
},
"ref": "registry.io/repository/image:tag",
"source": {}
},
"snapshot": {
"application": "",
"artifacts": {},
"components": [
{
"containerImage": "registry.io/repository/image:tag",
"name": "",
"source": {}
},
{
"containerImage": "registry.io/other-repository/image2:tag",
"name": "",
"source": {}
}
]
}
}
---
Expand All @@ -151,6 +215,22 @@
},
"ref": "registry.io/repository/image:tag",
"source": {}
},
"snapshot": {
"application": "",
"artifacts": {},
"components": [
{
"containerImage": "registry.io/repository/image:tag",
"name": "",
"source": {}
},
{
"containerImage": "registry.io/other-repository/image2:tag",
"name": "",
"source": {}
}
]
}
}
---
Expand Down Expand Up @@ -194,6 +274,22 @@
"image": {
"ref": "registry.io/repository/image:tag",
"source": {}
},
"snapshot": {
"application": "",
"artifacts": {},
"components": [
{
"containerImage": "registry.io/repository/image:tag",
"name": "",
"source": {}
},
{
"containerImage": "registry.io/other-repository/image2:tag",
"name": "",
"source": {}
}
]
}
}
---
Expand Down Expand Up @@ -221,6 +317,22 @@
"image": {
"ref": "registry.io/repository/image:tag",
"source": {}
},
"snapshot": {
"application": "",
"artifacts": {},
"components": [
{
"containerImage": "registry.io/repository/image:tag",
"name": "",
"source": {}
},
{
"containerImage": "registry.io/other-repository/image2:tag",
"name": "",
"source": {}
}
]
}
}
---
Expand All @@ -236,6 +348,22 @@
"url": "git.local/repository"
}
}
},
"snapshot": {
"application": "",
"artifacts": {},
"components": [
{
"containerImage": "registry.io/repository/image:tag",
"name": "",
"source": {}
},
{
"containerImage": "registry.io/other-repository/image2:tag",
"name": "",
"source": {}
}
]
}
}
---