Allow one of the build tasks producing the subject

enterprise-contract · Nov 23, 2023 · 9651b88 · 9651b88
1 parent f3a866e
commit 9651b88
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 12 deletions.
diff --git a/policy/release/slsa_build_scripted_build.rego b/policy/release/slsa_build_scripted_build.rego
@@ -76,7 +76,7 @@ deny contains result if {
 #   IMAGE_URL values from the build task.
 # custom:
 #   short_name: subject_build_task_matches
-#   failure_msg: The attestation subject, %q, does not match the build task image, %q
+#   failure_msg: The attestation subject, %q, does not match any of the images built
 #   solution: >-
 #     Make sure the subject in the attestation matches the 'IMAGE_URL' and 'IMAGE_DIGEST'
 #     results from the build task. The format for the subject should be 'IMAGE_URL@IMAGE_DIGEST'.
@@ -88,19 +88,28 @@ deny contains result if {
 #
 deny contains result if {
 	some attestation in lib.pipelinerun_attestations
-	some build_task in tkn.build_tasks(attestation)
-
 	some subject in attestation.statement.subject
 
+	build_tasks := tkn.build_tasks(attestation)
+
+	count(build_tasks) > 0
+
 	subject_image_ref := concat("@", [subject.name, subject_digest(subject)])
-	result_image_ref := concat("@", [
-		tkn.task_result(build_task, "IMAGE_URL"),
-		tkn.task_result(build_task, "IMAGE_DIGEST"),
-	])
 
-	not image.equal_ref(subject_image_ref, result_image_ref)
+	matched := [subject_image_ref |
+		some build_task in build_tasks
+
+		result_image_ref := concat("@", [
+			tkn.task_result(build_task, "IMAGE_URL"),
+			tkn.task_result(build_task, "IMAGE_DIGEST"),
+		])
+
+		image.equal_ref(subject_image_ref, result_image_ref)
+	]
+
+	count(matched) == 0
 
-	result := lib.result_helper(rego.metadata.chain(), [subject_image_ref, result_image_ref])
+	result := lib.result_helper(rego.metadata.chain(), [subject_image_ref])
 }
 
 task_steps(task) := steps if {

diff --git a/policy/release/slsa_build_scripted_build_test.rego b/policy/release/slsa_build_scripted_build_test.rego
@@ -187,8 +187,7 @@ test_subject_mismatch if {
 
 	expected := {{
 		"code": "slsa_build_scripted_build.subject_build_task_matches",
-		# regal ignore:line-length
-		"msg": `The attestation subject, "some.image/foo:bar@sha256:123", does not match the build task image, "some.image/foo:bar@sha256:anotherdigest"`,
+		"msg": `The attestation subject, "some.image/foo:bar@sha256:123", does not match any of the images built`,
 	}}
 
 	lib.assert_equal_results(
@@ -254,7 +253,7 @@ test_subject_with_tag_and_digest_mismatch_digest_fails if {
 	expected := {{
 		"code": "slsa_build_scripted_build.subject_build_task_matches",
 		# regal ignore:line-length
-		"msg": `The attestation subject, "registry.io/repository/image@sha256:unexpected", does not match the build task image, "registry.io/repository/image:tag@sha256:digest"`,
+		"msg": `The attestation subject, "registry.io/repository/image@sha256:unexpected", does not match any of the images built`,
 	}}
 
 	lib.assert_equal_results(expected, slsa_build_scripted_build.deny) with input.attestations as [{"statement": {