-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
More code reuse for RHTAP Multi-CI rego #1236
More code reuse for RHTAP Multi-CI rego #1236
Conversation
result := lib.result_helper(rego.metadata.chain(), [lib.quoted_values_string(_known_build_types)]) | ||
} | ||
|
||
_attestations := lib.rhtap_attestations |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd love to see a policy rule that applies to all slsa provenance attestations regardless of the CI system (beyond RHTAP). It could, optionally, filter attestations based on some criteria that is driven purely by policy rule data. For example:
rule_data:
slsa_provenance_build_types:
- https://redhat.com/rhtap/slsa-build-types/jenkins-build/v1
- https://redhat.com/rhtap/slsa-build-types/gitlab-build/v1
_attestations contains att if {
some att in input.attestations
# Ok to hard-code this I think since it should be v1 going forward.
att.statement.predicateType == slsa_provenance_predicate_type_v1
some build_type in lib.rule_data("slsa_provenance_build_types")
att.statement.predicate.buildDefinition.buildType == build_type
}
We could use that today in Konflux as well if we wanted to.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We do own/manage the config file that RHTAP users get, so we could include the rule data in that. 🤔 .
1b86e43
to
560af97
Compare
_known_build_types := [_build_type(known_ci_type) | some known_ci_type in _known_ci_types] | ||
|
||
_build_type(ci_type) := sprintf("https://redhat.com/rhtap/slsa-build-types/%s-build/v1", [ci_type]) | ||
|
||
# RHTAP Multi-CI currently supports these environments | ||
_known_ci_types := ["jenkins", "github", "gitlab"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's not over complicate this
_known_build_types := [_build_type(known_ci_type) | some known_ci_type in _known_ci_types] | |
_build_type(ci_type) := sprintf("https://redhat.com/rhtap/slsa-build-types/%s-build/v1", [ci_type]) | |
# RHTAP Multi-CI currently supports these environments | |
_known_ci_types := ["jenkins", "github", "gitlab"] | |
_known_build_types := [ | |
"https://redhat.com/rhtap/slsa-build-types/jenkins-build/v1", | |
"https://redhat.com/rhtap/slsa-build-types/github-build/v1", | |
"https://redhat.com/rhtap/slsa-build-types/gitlab-build/v1", | |
] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like this diff, but I think I wanna use _known_ci_types
and _build_type
elsewhere, so it might be weird to not use them when defining _known_build_types. 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I did make a little refactor commit for it, but decided I didn't like it.
The single package handles the github, gitlab, and jenkins RHTAP attestation varieties in a single package and replaces the three separate rhtap packages. Note: - This patch does remove a potentially useful Jenkins specific invocation id check, but it will be added back in the next commit. - We're no longer using code in lib.attestations. This fits with thei goal of creating more generic rego that doesn't make assumptions about Tekton Chains. - Only SLSA v1.0 format attestations are supported by the RHTAP rego, since we know that's what RHTAP produces. Ref: https://issues.redhat.com/browse/EC-1032
Use schema validation to confirm that the expected fields are present rather than writing separate rules for each field we want to check. Ref: https://issues.redhat.com/browse/EC-1032
560af97
to
b3ddaa6
Compare
New revision uses |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚀
A fixup for enterprise-contract#1236 which introduced the rhtap-multi-ci collection and deprecated the rhtap-{jenkins,gitlab,github} collections, (two of which hadn't been included in the docs yet anyhow). Ref: https://issues.redhat.com/browse/EC-1032
Ref: EC-1032