Merge pull request #857 from zregvart/pr/fix-multiple-untrusted-build…

…-tasks Fix function producing multiple outputs
enterprise-contract · Jan 10, 2024 · d84a406 · d84a406
2 parents 521c7d4 + 49d52d3
commit d84a406
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 10 deletions.
diff --git a/policy/release/slsa_build_scripted_build.rego b/policy/release/slsa_build_scripted_build.rego
@@ -19,7 +19,6 @@ import future.keywords.in
 import data.lib
 import data.lib.bundles
 import data.lib.image
-import data.lib.refs
 import data.lib.tkn
 
 # METADATA
@@ -134,15 +133,14 @@ deny contains result if {
 
 	# Find all the Tekton Bundle references from the Tasks that claim to have built the image being
 	# validated.
-	bundles := {bundle |
+	tasks := {build_task |
 		some attestation in lib.pipelinerun_attestations
 		some build_task in tkn.build_tasks(attestation)
 		digest := tkn.task_result(build_task, "IMAGE_DIGEST")
 		digest == expected_digest
-		bundle := refs.task_ref(build_task).bundle
 	}
 
-	error := trusted_build_task_error(bundles)
+	error := _trusted_build_task_error(tasks)
 	result := lib.result_helper(rego.metadata.chain(), [expected_ref, error])
 }
 
@@ -155,11 +153,17 @@ subject_digest(subject) := digest if {
 	digest := concat(":", [algorithm, value])
 }
 
-trusted_build_task_error(build_task_bundles) := error if {
-	count(build_task_bundles) == 0
+_trusted_build_task_error(tasks) := error if {
+	count(tasks) == 0
 	error := "No Pipeline Tasks built the image"
 } else := error if {
-	some task in bundles.unacceptable_task_bundle(lib.tasks_from_pipelinerun)
-	refs.task_ref(task).bundle in build_task_bundles
-	error := sprintf("Build Task %q is not trusted", [tkn.task_name(task)])
+	unacceptable_tasks := bundles.unacceptable_task_bundle(lib.tasks_from_pipelinerun)
+	unacceptable_build_tasks = unacceptable_tasks & tasks
+	count(unacceptable_build_tasks) > 0
+
+	names := {name |
+		some task in unacceptable_build_tasks
+		name := tkn.task_name(task)
+	}
+	error := sprintf("Build Task(s) %q are not trusted", [concat(",", names)])
 }
diff --git a/policy/release/slsa_build_scripted_build_test.rego b/policy/release/slsa_build_scripted_build_test.rego
@@ -398,7 +398,54 @@ test_image_built_by_trusted_task_not_trusted if {
 
 	expected := {{
 		"code": "slsa_build_scripted_build.image_built_by_trusted_task",
-		"msg": "Image \"some.image/foo:bar@sha256:123\" not built by a trusted task: Build Task \"buildah\" is not trusted",
+		# regal ignore:line-length
+		"msg": `Image "some.image/foo:bar@sha256:123" not built by a trusted task: Build Task(s) "buildah" are not trusted`,
+	}}
+
+	lib.assert_equal_results(expected, slsa_build_scripted_build.deny) with input.image as image
+		with input.attestations as [_mock_attestation(tasks)]
+}
+
+test_image_built_by_multiple_not_trusted_tasks if {
+	tasks := [
+		{
+			"results": [
+				{"name": "IMAGE_URL", "value": _image_url},
+				{"name": "IMAGE_DIGEST", "value": _image_digest},
+			],
+			"ref": {
+				"resolver": "bundles",
+				"params": [
+					{"name": "bundle", "value": mock_bundle},
+					{"name": "name", "value": "buildah-1"},
+					{"name": "kind", "value": "task"},
+				],
+			},
+			"steps": [{"entrypoint": "/bin/bash"}],
+		},
+		{
+			"results": [
+				{"name": "IMAGE_URL", "value": _image_url},
+				{"name": "IMAGE_DIGEST", "value": _image_digest},
+			],
+			"ref": {
+				"resolver": "bundles",
+				"params": [
+					{"name": "bundle", "value": mock_bundle},
+					{"name": "name", "value": "buildah-2"},
+					{"name": "kind", "value": "task"},
+				],
+			},
+			"steps": [{"entrypoint": "/bin/bash"}],
+		},
+	]
+
+	image := {"ref": _image_ref}
+
+	expected := {{
+		"code": "slsa_build_scripted_build.image_built_by_trusted_task",
+		# regal ignore:line-length
+		"msg": `Image "some.image/foo:bar@sha256:123" not built by a trusted task: Build Task(s) "buildah-1,buildah-2" are not trusted`,
 	}}
 
 	lib.assert_equal_results(expected, slsa_build_scripted_build.deny) with input.image as image