From 20d4ab0c63ac4e36aee446c7ce60a3693a99def0 Mon Sep 17 00:00:00 2001 From: Zoran Regvart Date: Thu, 2 Nov 2023 13:51:48 +0100 Subject: [PATCH] Print traces and debug messages from OPA When running at trace log level the execution trace and debug messages will be printed to the log (stderr by default), and when running at the debug log level the execution traces will be omited. For example: ``` $ ec validate image --policy $POLICY --image $IMAGE --trace ... ime="2023-10-31T12:56:37+01:00" level=trace msg="[data.policy.release.attestation_task_bundle.warn] | | | Redo true" func=Run file=" conftest_evaluator.go:180" time="2023-10-31T12:56:37+01:00" level=trace msg="[data.policy.release.attestation_task_bundle.warn] | | Redo __local2965__ = data.lib.tasks_from_pipelinerun" func=Run file=" conftest_evaluator.go:180" time="2023-10-31T12:56:37+01:00" level=trace msg="[data.policy.release.attestation_task_bundle.warn] | | Redo __local2708__ = [{\"annotations\": {\"custom\": {\"collections\": [\"redhat\"], \"depends_on\": [\"attestation_type.known_attestation_type\"], \"failure_msg\": \"Pipeline task '%s' uses an out of date task bundle '%s'\", \"short_name\": \"task_ref_bundles_current\", \"solution\": \"A task bundle used is not the most recent. The most recent task bundles are defined as in xref:acceptable_bundles.adoc#_task_bundles[acceptable bundles] list.\"}, \"description\": \"For each Task in the SLSA Provenance attestation, check if the Tekton Bundle used is the most recent xref:acceptable_bundles.adoc#_task_bundles[acceptable bundle].\", \"scope\": \"rule\", \"title\": \"Task bundles are latest versions\"}, \"path\": [\"policy\", \"release\", \"attestation_task_bundle\", \"warn\"]}, {\"annotations\": {\"description\": \"To be able to reproduce and audit builds accurately it's important to know exactly what happened during the build. To do this Enterprise Contract requires that all tasks are defined in a set of known and trusted task bundles. This package includes rules to confirm that the tasks that built the image were defined in task bundles, and that the task bundles used are from the list of known and trusted bundles.\", \"scope\": \"package\", \"title\": \"Task bundle checks\"}, \"path\": [\"policy\", \"release\", \"attestation_task_bundle\"]}]" func=Run file=" conftest_evaluator.go:180" time="2023-10-31T12:56:37+01:00" level=trace msg="[data.policy.release.attestation_task_bundle.warn] | Unify set() = _" func=Run file=" conftest_evaluator.go:180" time="2023-10-31T12:56:37+01:00" level=trace msg="[data.policy.release.attestation_task_bundle.warn] | Exit data.policy.release.attestation_task_bundle.warn = _" func=Run file=" conftest_evaluator.go:180" time="2023-10-31T12:56:37+01:00" level=trace msg="[data.policy.release.attestation_task_bundle.warn] Redo data.policy.release.attestation_task_bundle.warn = _" func=Run file=" conftest_evaluator.go:180" time="2023-10-31T12:56:37+01:00" level=trace msg="[data.policy.release.attestation_task_bundle.warn] | Redo data.policy.release.attestation_task_bundle.warn = _" func=Run file=" conftest_evaluator.go:180" time="2023-10-31T12:56:37+01:00" level=debug msg="[data.policy.release.attestation_task_bundle.warn] /tmp/ec-work-321015487/policy/9af95111f/bundles.rego:31: HELLO\n" func=Run file=" conftest_evaluator.go:187" ``` ``` $ ec validate image --policy $POLICY --image $IMAGE --debug ... time="2023-10-31T12:56:37+01:00" level=debug msg="[data.policy.release.attestation_task_bundle.warn] /tmp/ec-work-321015487/policy/9af95111f/bundles.rego:31: HELLO\n" func=Run file=" conftest_evaluator.go:187" ``` --- features/__snapshots__/validate_image.snap | 165 +++++++++++++++++++++ features/validate_image.feature | 25 ++++ 2 files changed, 190 insertions(+) diff --git a/features/__snapshots__/validate_image.snap b/features/__snapshots__/validate_image.snap index acf80a6a4..4910fa55b 100755 --- a/features/__snapshots__/validate_image.snap +++ b/features/__snapshots__/validate_image.snap @@ -3245,3 +3245,168 @@ Error: 1 error occurred: [fetch OCI blob:stderr - 1] --- + +[tracing and debug logging:stdout - 1] +{ + "success": true, + "components": [ + { + "name": "Unnamed", + "containerImage": "${REGISTRY}/acceptance/trace-debug@sha256:${REGISTRY_acceptance/trace-debug:latest_DIGEST}", + "source": {}, + "successes": [ + { + "msg": "Pass", + "metadata": { + "code": "builtin.attestation.signature_check" + } + }, + { + "msg": "Pass", + "metadata": { + "code": "builtin.attestation.syntax_check" + } + }, + { + "msg": "Pass", + "metadata": { + "code": "builtin.image.signature_check" + } + }, + { + "msg": "Pass", + "metadata": { + "code": "main.debuggy" + } + } + ], + "success": true, + "signatures": [ + { + "keyid": "", + "sig": "${IMAGE_SIGNATURE_acceptance/trace-debug}" + } + ], + "attestations": [ + { + "type": "https://in-toto.io/Statement/v0.1", + "predicateType": "https://slsa.dev/provenance/v0.2", + "predicateBuildType": "https://tekton.dev/attestations/chains/pipelinerun@v2", + "signatures": [ + { + "keyid": "", + "sig": "${ATTESTATION_SIGNATURE_acceptance/trace-debug}" + } + ] + } + ] + } + ], + "key": "${trace_debug_PUBLIC_KEY_JSON}", + "policy": { + "sources": [ + { + "policy": [ + "git::https://${GITHOST}/git/trace-debug.git" + ] + } + ], + "rekorUrl": "${REKOR}", + "publicKey": "${trace_debug_PUBLIC_KEY}" + }, + "ec-version": "${EC_VERSION}", + "effective-time": "${TIMESTAMP}" +} +--- + +[tracing and debug logging:stderr - 1] +time="2023-11-02T13:40:08+01:00" level=debug msg="Generating application snapshot from image reference ${REGISTRY}/acceptance/trace-debug" func=DetermineInputSpec file=" input.go:131" +time="2023-11-02T13:40:08+01:00" level=debug msg="Read EnterpriseContractPolicy as k8s resource" func=loadPolicy file=" policy.go:239" +time="2023-11-02T13:40:08+01:00" level=debug msg="Config loaded from file: ${TEMP}/645258996.kubeconfig\n" func=Info file=" logging.go:157" +time="2023-11-02T13:40:08+01:00" level=debug msg="Initialized Kubernetes client" func=loadPolicy file=" policy.go:245" +time="2023-11-02T13:40:08+01:00" level=debug msg="Raw policy reference: \"acceptance/ec-policy\"" func=FetchEnterpriseContractPolicy file=" client.go:105" +time="2023-11-02T13:40:08+01:00" level=debug msg="Parsed policy reference: acceptance/ec-policy" func=FetchEnterpriseContractPolicy file=" client.go:111" +time="2023-11-02T13:40:08+01:00" level=debug msg="curl -v -XGET -H \"User-Agent: ec_linux_amd64/v0.0.0 (linux/amd64) kubernetes/$Format\" -H \"Accept: application/json\" 'http://apiserver.localhost:34678/apis/appstudio.redhat.com/v1alpha1/namespaces/acceptance/enterprisecontractpolicies/ec-policy'\n" func=Info file=" logging.go:157" +time="2023-11-02T13:40:08+01:00" level=debug msg="HTTP Trace: DNS Lookup for apiserver.localhost resolved to [{::1 } {127.0.0.1 }]\n" func=Info file=" logging.go:157" +time="2023-11-02T13:40:08+01:00" level=debug msg="HTTP Trace: Dial to tcp:[::1]:34678 failed: dial tcp [::1]:34678: connect: connection refused\n" func=Info file=" logging.go:157" +time="2023-11-02T13:40:08+01:00" level=debug msg="HTTP Trace: Dial to tcp:127.0.0.1:34678 succeed\n" func=Info file=" logging.go:157" +time="2023-11-02T13:40:08+01:00" level=debug msg="GET http://apiserver.localhost:34678/apis/appstudio.redhat.com/v1alpha1/namespaces/acceptance/enterprisecontractpolicies/ec-policy 200 OK in 11 milliseconds\n" func=Info file=" logging.go:157" +time="2023-11-02T13:40:08+01:00" level=debug msg="HTTP Statistics: DNSLookup 1 ms Dial 0 ms TLSHandshake 0 ms ServerProcessing 8 ms Duration 11 ms\n" func=Info file=" logging.go:157" +time="2023-11-02T13:40:08+01:00" level=debug msg="Response Headers:\n" func=Info file=" logging.go:157" +time="2023-11-02T13:40:08+01:00" level=debug msg=" Content-Type: application/json\n" func=Info file=" logging.go:157" +time="2023-11-02T13:40:08+01:00" level=debug msg=" Matched-Stub-Id: 8b9b0804-61a6-4892-bbea-95290a369e36\n" func=Info file=" logging.go:157" +time="2023-11-02T13:40:08+01:00" level=debug msg=" Vary: Accept-Encoding, User-Agent\n" func=Info file=" logging.go:157" +time="2023-11-02T13:40:08+01:00" level=debug msg="Response Body:\n00000000 7b 0a 09 09 09 09 22 61 70 69 56 65 72 73 69 6f |{.....\"apiVersio|\n00000010 6e 22 3a 20 22 61 70 70 73 74 75 64 69 6f 2e 72 |n\": \"appstudio.r|\n00000020 65 64 68 61 74 2e 63 6f 6d 2f 76 31 61 6c 70 68 |edhat.com/v1alph|\n00000030 61 31 22 2c 0a 09 09 09 09 22 6b 69 6e 64 22 3a |a1\",.....\"kind\":|\n00000040 20 22 45 6e 74 65 72 70 72 69 73 65 43 6f 6e 74 | \"EnterpriseCont|\n00000050 72 61 63 74 50 6f 6c 69 63 79 22 2c 0a 09 09 09 |ractPolicy\",....|\n00000060 09 22 6d 65 74 61 64 61 74 61 22 3a 20 7b 0a 09 |.\"metadata\": {..|\n00000070 09 09 09 20 20 22 6e 61 6d 65 22 3a 20 22 65 63 |... \"name\": \"ec|\n00000080 2d 70 6f 6c 69 63 79 22 2c 0a 09 09 09 09 20 20 |-policy\",..... |\n00000090 22 6e 61 6d 65 73 70 61 63 65 22 3a 20 22 61 63 |\"namespace\": \"ac|\n000000a0 63 65 70 74 61 6e 63 65 22 0a 09 09 09 09 7d 2c |ceptance\".....},|\n000000b0 0a 09 09 09 09 22 73 70 65 63 22 3a 20 7b 0a 20 |.....\"spec\": {. |\n000000c0 20 22 73 6f 75 72 63 65 73 22 3a 20 5b 0a 20 20 | \"sources\": [. |\n000000d0 20 20 7b 0a 20 20 20 20 20 20 22 70 6f 6c 69 63 | {. \"polic|\n000000e0 79 22 3a 20 5b 0a 20 20 20 20 20 20 20 20 22 67 |y\": [. \"g|\n000000f0 69 74 3a 3a 68 74 74 70 73 3a 2f 2f 6c 6f 63 61 |it::https://loca|\n00000100 6c 68 6f 73 74 3a 33 34 36 38 34 2f 67 69 74 2f |lhost:34684/git/|\n00000110 74 72 61 63 65 2d 64 65 62 75 67 2e 67 69 74 22 |trace-debug.git\"|\n00000120 0a 20 20 20 20 20 20 5d 0a 20 20 20 20 7d 0a 20 |. ]. }. |\n00000130 20 5d 0a 7d 0a 09 09 09 20 20 7d | ].}.... }|\n" func=Info file=" logging.go:157" +time="2023-11-02T13:40:08+01:00" level=debug msg="Policy successfully fetched from cluster: v1alpha1.EnterpriseContractPolicy{TypeMeta:v1.TypeMeta{Kind:\"EnterpriseContractPolicy\", APIVersion:\"appstudio.redhat.com/v1alpha1\"}, ObjectMeta:v1.ObjectMeta{Name:\"ec-policy\", GenerateName:\"\", Namespace:\"acceptance\", SelfLink:\"\", UID:\"\", ResourceVersion:\"\", Generation:0, CreationTimestamp:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), DeletionTimestamp:, DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string(nil), OwnerReferences:[]v1.OwnerReference(nil), Finalizers:[]string(nil), ManagedFields:[]v1.ManagedFieldsEntry(nil)}, Spec:v1alpha1.EnterpriseContractPolicySpec{Name:\"\", Description:\"\", Sources:[]v1alpha1.Source{v1alpha1.Source{Name:\"\", Policy:[]string{\"git::https://${GITHOST}/git/trace-debug.git\"}, Data:[]string(nil), RuleData:(*v1.JSON)(nil), Config:(*v1alpha1.SourceConfig)(nil), VolatileConfig:(*v1alpha1.VolatileSourceConfig)(nil)}}, Configuration:(*v1alpha1.EnterpriseContractPolicyConfiguration)(nil), RekorUrl:\"\", PublicKey:\"\", Identity:(*v1alpha1.Identity)(nil)}, Status:v1alpha1.EnterpriseContractPolicyStatus{}}" func=FetchEnterpriseContractPolicy file=" client.go:128" +time="2023-11-02T13:40:08+01:00" level=debug msg="Updated rekor URL in policy to \"${REKOR}\"" func=NewPolicy file=" policy.go:174" +time="2023-11-02T13:40:08+01:00" level=debug msg="Updated public key in policy to \"${trace_debug_PUBLIC_KEY}\"" func=NewPolicy file=" policy.go:181" +time="2023-11-02T13:40:08+01:00" level=debug msg="Chosen to use effective time of `now`, using current time ${TIMESTAMP}" func=parseEffectiveTime file=" policy.go:291" +time="2023-11-02T13:40:08+01:00" level=debug msg="Using long-lived key workflow" func=checkOpts file=" policy.go:325" +time="2023-11-02T13:40:08+01:00" level=debug msg="Rekor client created, url \"${REKOR}\"" func=checkOpts file=" policy.go:368" +time="2023-11-02T13:40:08+01:00" level=debug msg="Retrieved Rekor public keys" func=checkOpts file=" policy.go:374" +time="2023-11-02T13:40:08+01:00" level=debug msg="Validating image ${REGISTRY}/acceptance/trace-debug" func=ValidateImage file=" validate.go:39" +time="2023-11-02T13:40:08+01:00" level=debug msg="Parsed image url ${REGISTRY}/acceptance/trace-debug" func=SetImageURL file=" application_snapshot_image.go:162" +time="2023-11-02T13:40:08+01:00" level=debug msg="Fetching policy source group ''" func=NewApplicationSnapshotImage file=" application_snapshot_image.go:92" +time="2023-11-02T13:40:08+01:00" level=debug msg="policySource: &source.PolicyUrl{Url:\"git::https://${GITHOST}/git/trace-debug.git\", Kind:\"policy\"}" func=NewApplicationSnapshotImage file=" application_snapshot_image.go:100" +time="2023-11-02T13:40:08+01:00" level=debug msg="Created work dir ${TEMP}/ec-work-${RANDOM}" func=NewConftestEvaluatorWithNamespace file=" conftest_evaluator.go:268" +time="2023-11-02T13:40:08+01:00" level=debug msg="Using effective time: ${TIMESTAMP}" func=EffectiveTime file=" policy.go:277" +time="2023-11-02T13:40:08+01:00" level=debug msg="Writing config data to ${TEMP}/ec-work-${RANDOM}/data/config.json: \"{\\n \\\"config\\\": {\\n \\\"policy\\\": {\\n \\\"when_ns\\\": 1698928808464336154\\n }\\n }\\n}\"" func=createConfigJSON file=" conftest_evaluator.go:667" +time="2023-11-02T13:40:08+01:00" level=debug msg="Network access from rego policies disabled" func=strictCapabilities file=" conftest_evaluator.go:869" +time="2023-11-02T13:40:08+01:00" level=debug msg="Access to some rego built-in functions disabled: [http.send net.lookup_ip_addr opa.runtime]" func=strictCapabilities file=" conftest_evaluator.go:885" +time="2023-11-02T13:40:08+01:00" level=debug msg="Capabilities file written to ${TEMP}/ec-work-${RANDOM}/capabilities.json" func=createCapabilitiesFile file=" conftest_evaluator.go:712" +time="2023-11-02T13:40:08+01:00" level=debug msg="Conftest test runner created" func=NewConftestEvaluatorWithNamespace file=" conftest_evaluator.go:278" +time="2023-11-02T13:40:08+01:00" level=debug msg="Conftest evaluator initialized" func=NewApplicationSnapshotImage file=" application_snapshot_image.go:109" +time="2023-11-02T13:40:08+01:00" level=debug msg="Resp: &{MediaType:application/vnd.docker.distribution.manifest.v2+json Size:765 Digest:sha256:${REGISTRY_acceptance/trace-debug:latest_DIGEST} Data:[] URLs:[] Annotations:map[] Platform: ArtifactType:}" func=ValidateImageAccess file=" application_snapshot_image.go:151" +time="2023-11-02T13:40:08+01:00" level=debug msg="Image URL is accessible" func=SetImageAccessibleCheckFromError file=" output.go:104" +time="2023-11-02T13:40:08+01:00" level=debug msg="Resolved image to ${REGISTRY}/acceptance/trace-debug@sha256:${REGISTRY_acceptance/trace-debug:latest_DIGEST}" func=resolveAndSetImageUrl file=" validate.go:146" +time="2023-11-02T13:40:08+01:00" level=debug msg="Parsed image url ${REGISTRY}/acceptance/trace-debug@sha256:${REGISTRY_acceptance/trace-debug:latest_DIGEST}" func=SetImageURL file=" application_snapshot_image.go:162" +time="2023-11-02T13:40:08+01:00" level=debug msg="Image signature check passed" func=SetImageSignatureCheckFromError file=" output.go:129" +time="2023-11-02T13:40:08+01:00" level=debug msg="Found attestation with predicateType: https://slsa.dev/provenance/v0.2" func=ValidateAttestationSignature file=" application_snapshot_image.go:249" +time="2023-11-02T13:40:08+01:00" level=debug msg="Attestation signature check passed" func=SetAttestationSignatureCheckFromError file=" output.go:154" +time="2023-11-02T13:40:08+01:00" level=debug msg="Attempting to validate an attestation with predicateType https://slsa.dev/provenance/v0.2" func=ValidateAttestationSyntax file=" application_snapshot_image.go:293" +time="2023-11-02T13:40:08+01:00" level=debug msg="Statement schema was validated successfully against the https://slsa.dev/provenance/v0.2 schema" func=ValidateAttestationSyntax file=" application_snapshot_image.go:299" +time="2023-11-02T13:40:08+01:00" level=debug msg="Attestation syntax check passed" func=SetAttestationSyntaxCheckFromError file=" output.go:179" +time="2023-11-02T13:40:08+01:00" level=debug msg="Failed to evaluate JSON Pointer /predicate/metadata/buildFinishedOn for attestation at 0" func=determineAttestationTime file=" validate.go:177" +time="2023-11-02T13:40:08+01:00" level=debug msg="Found 1 attestations" func=ValidateImage file=" validate.go:89" +time="2023-11-02T13:40:08+01:00" level=debug msg="Attempting to write 1 attestations to input file" func=WriteInputFile file=" application_snapshot_image.go:424" +time="2023-11-02T13:40:08+01:00" level=debug msg="Created dir ${TEMP}/ecp_input.${RANDOM}" func=WriteInputFile file=" application_snapshot_image.go:460" +time="2023-11-02T13:40:08+01:00" level=debug msg="Done preparing input file:\n${TEMP}/ecp_input.${RANDOM}/input.json" func=WriteInputFile file=" application_snapshot_image.go:479" +time="2023-11-02T13:40:08+01:00" level=debug msg="Downloading policy files from source url git::https://${GITHOST}/git/trace-debug.git to destination ${TEMP}/ec-work-${RANDOM}/policy/7fc959d61" func=GetPolicy file=" source.go:74" +time="2023-11-02T13:40:08+01:00" level=debug msg="Downloading git::https://${GITHOST}/git/trace-debug.git to ${TEMP}/ec-work-${RANDOM}/policy/7fc959d61" func=Download file=" downloader.go:54" +time="2023-11-02T13:40:09+01:00" level=debug msg="runner: &evaluator.conftestRunner{TestRunner:runner.TestRunner{Trace:false, Strict:false, Capabilities:\"${TEMP}/ec-work-${RANDOM}/capabilities.json\", Policy:[]string{\"${TEMP}/ec-work-${RANDOM}/policy\"}, Data:[]string{\"${TEMP}/ec-work-${RANDOM}/data\"}, Update:[]string(nil), Ignore:\"\", Parser:\"\", Namespace:[]string(nil), AllNamespaces:true, FailOnWarn:false, NoColor:false, NoFail:true, SuppressExceptions:false, ShowBuiltinErrors:false, Combine:false, Quiet:false, Output:\"json\"}}" func=Evaluate file=" conftest_evaluator.go:374" +time="2023-11-02T13:40:09+01:00" level=debug msg="inputs: []string{\"${TEMP}/ecp_input.${RANDOM}/input.json\"}" func=Evaluate file=" conftest_evaluator.go:375" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.exception[_][_] == \"\"] Enter __localq0__ = data.main.exception[_][_]; equal(__localq0__, \"\", _); _" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.exception[_][_] == \"\"] | Eval __localq0__ = data.main.exception[_][_]" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.exception[_][_] == \"\"] | Unify __localq0__ = data.main.exception[_][_]" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.exception[_][_] == \"\"] | Fail __localq0__ = data.main.exception[_][_]" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] Enter data.main.deny = _" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | Eval data.main.deny = _" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | Unify data.main.deny = _" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | Index data.main.deny (matched 1 rule)" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | Enter data.main.deny" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | Eval __local2__ = {__local1__ | __local1__ = \"here we are\"}" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | Unify __local2__ = {__local1__ | __local1__ = \"here we are\"}" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | Enter __local1__ = \"here we are\"" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | | Eval __local1__ = \"here we are\"" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | | Unify __local1__ = \"here we are\"" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | | Exit __local1__ = \"here we are\"" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | Redo __local1__ = \"here we are\"" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | | Redo __local1__ = \"here we are\"" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | Unify {\"here we are\"} = __local2__" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | Eval internal.print([__local2__])" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | Eval false" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | Unify false = _" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | Fail false" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | Redo internal.print([__local2__])" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | | Redo __local2__ = {__local1__ | __local1__ = \"here we are\"}" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | Unify set() = _" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | Exit data.main.deny = _" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] Redo data.main.deny = _" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=trace msg="[data.main.deny] | Redo data.main.deny = _" func=Run file=" conftest_evaluator.go:180" +time="2023-11-02T13:40:09+01:00" level=debug msg="[data.main.deny] ${TEMP}/ec-work-${RANDOM}/policy/7fc959d61/main.rego:13: here we are\n" func=Run file=" conftest_evaluator.go:187" +time="2023-11-02T13:40:09+01:00" level=debug msg="Using effective time: ${TIMESTAMP}" func=EffectiveTime file=" policy.go:277" +time="2023-11-02T13:40:09+01:00" level=debug msg="Evaluation result at 0: evaluator.Outcome{FileName:\"${TEMP}/ecp_input.${RANDOM}/input.json\", Namespace:\"main\", Successes:[]evaluator.Result{evaluator.Result{Message:\"\", Metadata:map[string]interface {}(nil), Outputs:[]string(nil)}}, Skipped:[]evaluator.Result(nil), Warnings:[]evaluator.Result(nil), Failures:[]evaluator.Result(nil), Exceptions:[]evaluator.Result(nil)}" func=Evaluate file=" conftest_evaluator.go:393" +time="2023-11-02T13:40:09+01:00" level=debug msg="Conftest policy check complete" func=ValidateImage file=" validate.go:124" +time="2023-11-02T13:40:09+01:00" level=debug msg="Using effective time: ${TIMESTAMP}" func=EffectiveTime file=" policy.go:277" + +--- diff --git a/features/validate_image.feature b/features/validate_image.feature index 5b4f9897e..61417ee0c 100644 --- a/features/validate_image.feature +++ b/features/validate_image.feature @@ -896,3 +896,28 @@ Feature: evaluate enterprise contract When ec command is run with "validate image --image ${REGISTRY}/acceptance/fetch-oci-blob --policy acceptance/ec-policy --public-key ${known_PUBLIC_KEY} --rekor-url ${REKOR} --show-successes" Then the exit status should be 0 Then the output should match the snapshot + + Scenario: tracing and debug logging + Given a key pair named "trace_debug" + Given an image named "acceptance/trace-debug" + Given a valid image signature of "acceptance/trace-debug" image signed by the "trace_debug" key + Given a valid Rekor entry for image signature of "acceptance/trace-debug" + Given a valid attestation of "acceptance/trace-debug" signed by the "trace_debug" key + Given a valid Rekor entry for attestation of "acceptance/trace-debug" + Given a git repository named "trace-debug" with + | main.rego | examples/trace_debug.rego | + Given policy configuration named "ec-policy" with specification + """ + { + "sources": [ + { + "policy": [ + "git::https://${GITHOST}/git/trace-debug.git" + ] + } + ] + } + """ + When ec command is run with "validate image --image ${REGISTRY}/acceptance/trace-debug --policy acceptance/ec-policy --public-key ${trace_debug_PUBLIC_KEY} --rekor-url ${REKOR} --show-successes --trace" + Then the exit status should be 0 + Then the output should match the snapshot