More code reuse for RHTAP Multi-CI rego #1236
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lcarva
reviewed
Nov 26, 2024
| result := lib.result_helper(rego.metadata.chain(), [lib.quoted_values_string(_known_build_types)]) | ||
| } | ||
|
|
||
| _attestations := lib.rhtap_attestations |
There was a problem hiding this comment.
I'd love to see a policy rule that applies to all slsa provenance attestations regardless of the CI system (beyond RHTAP). It could, optionally, filter attestations based on some criteria that is driven purely by policy rule data. For example:
rule_data:
slsa_provenance_build_types:
- https://redhat.com/rhtap/slsa-build-types/jenkins-build/v1
- https://redhat.com/rhtap/slsa-build-types/gitlab-build/v1_attestations contains att if {
some att in input.attestations
# Ok to hard-code this I think since it should be v1 going forward.
att.statement.predicateType == slsa_provenance_predicate_type_v1
some build_type in lib.rule_data("slsa_provenance_build_types")
att.statement.predicate.buildDefinition.buildType == build_type
} We could use that today in Konflux as well if we wanted to.
There was a problem hiding this comment.
We do own/manage the config file that RHTAP users get, so we could include the rule data in that. 🤔 .
simonbaird
force-pushed
the
rhtap-multi-ci-improvements
branch
2 times, most recently
from
1b86e43 to
560af97
Compare
zregvart
approved these changes
Nov 27, 2024
Comment on lines
39
to
116
| _known_build_types := [_build_type(known_ci_type) | some known_ci_type in _known_ci_types] | ||
|
|
||
| _build_type(ci_type) := sprintf("https://redhat.com/rhtap/slsa-build-types/%s-build/v1", [ci_type]) | ||
|
|
||
| # RHTAP Multi-CI currently supports these environments | ||
| _known_ci_types := ["jenkins", "github", "gitlab"] |
There was a problem hiding this comment.
Let's not over complicate this
Suggested change
| _known_build_types := [_build_type(known_ci_type) | some known_ci_type in _known_ci_types] | |
| _build_type(ci_type) := sprintf("https://redhat.com/rhtap/slsa-build-types/%s-build/v1", [ci_type]) | |
| # RHTAP Multi-CI currently supports these environments | |
| _known_ci_types := ["jenkins", "github", "gitlab"] | |
| _known_build_types := [ | |
| "https://redhat.com/rhtap/slsa-build-types/jenkins-build/v1", | |
| "https://redhat.com/rhtap/slsa-build-types/github-build/v1", | |
| "https://redhat.com/rhtap/slsa-build-types/gitlab-build/v1", | |
| ] |
There was a problem hiding this comment.
I like this diff, but I think I wanna use _known_ci_types and _build_type elsewhere, so it might be weird to not use them when defining _known_build_types. 🤔
There was a problem hiding this comment.
I did make a little refactor commit for it, but decided I didn't like it.
The single package handles the github, gitlab, and jenkins RHTAP attestation varieties in a single package and replaces the three separate rhtap packages. Note: - This patch does remove a potentially useful Jenkins specific invocation id check, but it will be added back in the next commit. - We're no longer using code in lib.attestations. This fits with thei goal of creating more generic rego that doesn't make assumptions about Tekton Chains. - Only SLSA v1.0 format attestations are supported by the RHTAP rego, since we know that's what RHTAP produces. Ref: https://issues.redhat.com/browse/EC-1032
Use schema validation to confirm that the expected fields are present rather than writing separate rules for each field we want to check. Ref: https://issues.redhat.com/browse/EC-1032
simonbaird
force-pushed
the
rhtap-multi-ci-improvements
branch
from
560af97 to
b3ddaa6
Compare
|
New revision uses |
simonbaird
added a commit
to simonbaird/ec-policies
that referenced
this pull request
Dec 9, 2024
A fixup for enterprise-contract#1236 which introduced the rhtap-multi-ci collection and deprecated the rhtap-{jenkins,gitlab,github} collections, (two of which hadn't been included in the docs yet anyhow). Ref: https://issues.redhat.com/browse/EC-1032
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ref: EC-1032