Merge pull request #2347 from joejstuart/volatile-exceptions

Support image ref and digest

Author: joejstuart

acceptance/go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/cucumber/godog v0.15.0
 	github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f
 	github.com/doiit/picocolors v1.0.1
-	github.com/enterprise-contract/enterprise-contract-controller/api v0.1.71
+	github.com/enterprise-contract/enterprise-contract-controller/api v0.1.79
 	github.com/evanphx/json-patch/v5 v5.9.0
 	github.com/gkampitakis/go-snaps v0.5.7
 	github.com/go-git/go-billy/v5 v5.6.0

acceptance/go.sum

@@ -305,6 +305,8 @@ github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/enterprise-contract/enterprise-contract-controller/api v0.1.71 h1:vQg7B+fR885wn2eZmRqNI9VoWDIGUAlgtgEtQiap0mc=
 github.com/enterprise-contract/enterprise-contract-controller/api v0.1.71/go.mod h1:zkK1IrRezUgKGK4tkN9hJtpu8NVqjKTMh4EshxXOi3g=
+github.com/enterprise-contract/enterprise-contract-controller/api v0.1.79 h1:3w1Yjakmg7bD4/EM+xvALQzSaBNcuL4CLjf0EH/0qys=
+github.com/enterprise-contract/enterprise-contract-controller/api v0.1.79/go.mod h1:zkK1IrRezUgKGK4tkN9hJtpu8NVqjKTMh4EshxXOi3g=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=

features/__snapshots__/validate_image.snap

@@ -880,7 +880,8 @@ Error: success criteria not met
         "config": {
           "include": [
             "@stamps",
-            "filtering.always_pass"
+            "filtering.always_pass",
+            "filtering.always_fail"
           ]
         },
         "volatileConfig": {
@@ -909,6 +910,108 @@ Error: success criteria not met
 
 ---
 
+[policy rule filtering on imageUrl:stdout - 1]
+{
+  "success": true,
+  "components": [
+    {
+      "name": "Unnamed",
+      "containerImage": "${REGISTRY}/acceptance/ec-happy-day@sha256:${REGISTRY_acceptance/ec-happy-day:latest_DIGEST}",
+      "source": {},
+      "successes": [
+        {
+          "msg": "Pass",
+          "metadata": {
+            "code": "builtin.attestation.signature_check"
+          }
+        },
+        {
+          "msg": "Pass",
+          "metadata": {
+            "code": "builtin.attestation.syntax_check"
+          }
+        },
+        {
+          "msg": "Pass",
+          "metadata": {
+            "code": "builtin.image.signature_check"
+          }
+        },
+        {
+          "msg": "Pass",
+          "metadata": {
+            "code": "filtering.always_pass"
+          }
+        },
+        {
+          "msg": "Pass",
+          "metadata": {
+            "code": "filtering.always_pass_with_collection"
+          }
+        }
+      ],
+      "success": true,
+      "signatures": [
+        {
+          "keyid": "",
+          "sig": "${IMAGE_SIGNATURE_acceptance/ec-happy-day}"
+        }
+      ],
+      "attestations": [
+        {
+          "type": "https://in-toto.io/Statement/v0.1",
+          "predicateType": "https://slsa.dev/provenance/v0.2",
+          "predicateBuildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
+          "signatures": [
+            {
+              "keyid": "",
+              "sig": "${ATTESTATION_SIGNATURE_acceptance/ec-happy-day}"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "key": "${known_PUBLIC_KEY_JSON}",
+  "policy": {
+    "sources": [
+      {
+        "policy": [
+          "git::${GITHOST}/git/happy-day-policy.git?ref=${LATEST_COMMIT}"
+        ],
+        "config": {
+          "include": [
+            "@stamps",
+            "filtering.always_pass",
+            "filtering.always_fail"
+          ]
+        },
+        "volatileConfig": {
+          "exclude": [
+            {
+              "value": "filtering.always_fail",
+              "imageUrl": "${REGISTRY}/acceptance/ec-happy-day"
+            },
+            {
+              "value": "filtering.always_fail_with_collection",
+              "imageUrl": "${REGISTRY}/acceptance/ec-happy-day"
+            }
+          ]
+        }
+      }
+    ],
+    "rekorUrl": "${REKOR}",
+    "publicKey": "${known_PUBLIC_KEY}"
+  },
+  "ec-version": "${EC_VERSION}",
+  "effective-time": "${TIMESTAMP}"
+}
+---
+
+[policy rule filtering on imageUrl:stderr - 1]
+
+---
+
 [application snapshot reference:stdout - 1]
 {
   "success": true,

features/validate_image.feature

@@ -452,7 +452,47 @@ Feature: evaluate enterprise contract
             ]
           },
           "config": {
-            "include": ["@stamps", "filtering.always_pass"]
+            "include": ["@stamps", "filtering.always_pass", "filtering.always_fail"]
+          },
+          "policy": [
+            "git::https://${GITHOST}/git/happy-day-policy.git"
+          ]
+        }
+      ]
+    }
+    """
+    When ec command is run with "validate image --image ${REGISTRY}/acceptance/ec-happy-day --policy acceptance/ec-policy --public-key ${known_PUBLIC_KEY} --rekor-url ${REKOR} --show-successes --output json"
+     Then the exit status should be 0
+    Then the output should match the snapshot
+
+  Scenario: policy rule filtering on imageUrl
+    Given a key pair named "known"
+    Given an image named "acceptance/ec-happy-day"
+    Given a valid image signature of "acceptance/ec-happy-day" image signed by the "known" key
+    Given a valid Rekor entry for image signature of "acceptance/ec-happy-day"
+    Given a valid attestation of "acceptance/ec-happy-day" signed by the "known" key
+    Given a valid Rekor entry for attestation of "acceptance/ec-happy-day"
+    Given a git repository named "happy-day-policy" with
+      | filtering.rego | examples/filtering.rego |
+    Given policy configuration named "ec-policy" with specification
+    """
+    {
+      "sources": [
+        {
+          "volatileConfig": {
+            "exclude": [
+              {
+                "value": "filtering.always_fail",
+                "imageUrl": "${REGISTRY}/acceptance/ec-happy-day"
+              },
+              {
+                "value": "filtering.always_fail_with_collection",
+                "imageUrl": "${REGISTRY}/acceptance/ec-happy-day"
+              }
+            ]
+          },
+          "config": {
+            "include": ["@stamps", "filtering.always_pass", "filtering.always_fail"]
           },
           "policy": [
             "git::https://${GITHOST}/git/happy-day-policy.git"

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/MakeNowJust/heredoc v1.0.0
 	github.com/Maldris/go-billy-afero v0.0.0-20200815120323-e9d3de59c99a
 	github.com/conforma/go-gather v1.0.1
-	github.com/enterprise-contract/enterprise-contract-controller/api v0.1.71
+	github.com/enterprise-contract/enterprise-contract-controller/api v0.1.79
 	github.com/evanphx/json-patch v5.9.0+incompatible
 	github.com/gkampitakis/go-snaps v0.5.7
 	github.com/go-git/go-git/v5 v5.13.2

go.sum

@@ -547,8 +547,8 @@ github.com/emicklei/proto v1.13.2 h1:z/etSFO3uyXeuEsVPzfl56WNgzcvIr42aQazXaQmFZY
 github.com/emicklei/proto v1.13.2/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
-github.com/enterprise-contract/enterprise-contract-controller/api v0.1.71 h1:vQg7B+fR885wn2eZmRqNI9VoWDIGUAlgtgEtQiap0mc=
-github.com/enterprise-contract/enterprise-contract-controller/api v0.1.71/go.mod h1:zkK1IrRezUgKGK4tkN9hJtpu8NVqjKTMh4EshxXOi3g=
+github.com/enterprise-contract/enterprise-contract-controller/api v0.1.79 h1:3w1Yjakmg7bD4/EM+xvALQzSaBNcuL4CLjf0EH/0qys=
+github.com/enterprise-contract/enterprise-contract-controller/api v0.1.79/go.mod h1:zkK1IrRezUgKGK4tkN9hJtpu8NVqjKTMh4EshxXOi3g=
 github.com/enterprise-contract/go-containerregistry v0.20.3-0.20241118083807-8c8ea269355e h1:Rti5Q7fdkzIMO+lRLAFaBSReLpNx4yTdq+u6PRJv1Tw=
 github.com/enterprise-contract/go-containerregistry v0.20.3-0.20241118083807-8c8ea269355e/go.mod h1:QTzGuUYojyBy1anZvBPMhwXRE0LGZPIcpmn3K8DHYrw=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=

internal/evaluation_target/application_snapshot_image/application_snapshot_image.go

@@ -277,6 +277,10 @@ func (a *ApplicationSnapshotImage) ResolveDigest(ctx context.Context) (string, e
 	return digest, nil
 }
 
+func (a *ApplicationSnapshotImage) ImageReference(ctx context.Context) string {
+	return a.reference.String()
+}
+
 type attestationData struct {
 	Statement  json.RawMessage             `json:"statement"`
 	Signatures []signature.EntitySignature `json:"signatures,omitempty"`

internal/evaluator/criteria.go

@@ -21,6 +21,7 @@ import (
 	"time"
 
 	ecc "github.com/enterprise-contract/enterprise-contract-controller/api/v1alpha1"
+	"github.com/google/go-containerregistry/pkg/name"
 	log "github.com/sirupsen/logrus"
 )
 
@@ -63,12 +64,38 @@ func (c *Criteria) addArray(key string, values []string) {
 	}
 }
 
+// This accepts an image ref with digest
+// and looks up the image url and digest separately.
 func (c *Criteria) get(key string) []string {
+	ref, err := name.ParseReference(key)
+	if err != nil {
+		log.Debugf("error parsing target image url: %q", key)
+		return c.defaultItems
+	}
+
+	// Collect keys to look up: always the repository name,
+	// and if available, the digest string.
+	keys := []string{ref.Context().Name()}
+	if digestRef, ok := ref.(name.Digest); ok {
+		keys = append(keys, digestRef.DigestStr())
+	} else {
+		log.Debugf("no digest found for reference: %q", ref)
+	}
+
+	var items []string
+	for _, k := range keys {
+		items = append(items, c.getWithKey(k)...)
+	}
+
+	// Add any exceptions that pertain to all images.
+	return append(items, c.defaultItems...)
+}
+
+func (c *Criteria) getWithKey(key string) []string {
 	if items, ok := c.digestItems[key]; ok {
-		items = append(items, c.defaultItems...)
 		return items
 	}
-	return c.defaultItems
+	return []string{}
 }
 
 func computeIncludeExclude(src ecc.Source, p ConfigProvider) (*Criteria, *Criteria) {
@@ -86,33 +113,8 @@ func computeIncludeExclude(src ecc.Source, p ConfigProvider) (*Criteria, *Criter
 
 	vc := src.VolatileConfig
 	if vc != nil {
-		at := p.EffectiveTime()
-		filter := func(items *Criteria, volatileCriteria []ecc.VolatileCriteria) *Criteria {
-			for _, c := range volatileCriteria {
-				from, err := time.Parse(time.RFC3339, c.EffectiveOn)
-				if err != nil {
-					if c.EffectiveOn != "" {
-						log.Warnf("unable to parse time for criteria %q, was given %q: %v", c.Value, c.EffectiveOn, err)
-					}
-					from = at
-				}
-				until, err := time.Parse(time.RFC3339, c.EffectiveUntil)
-				if err != nil {
-					if c.EffectiveUntil != "" {
-						log.Warnf("unable to parse time for criteria %q, was given %q: %v", c.Value, c.EffectiveUntil, err)
-					}
-					until = at
-				}
-				if until.Compare(at) >= 0 && from.Compare(at) <= 0 {
-					items.addItem(c.ImageRef, c.Value)
-				}
-			}
-
-			return items
-		}
-
-		include = filter(include, vc.Include)
-		exclude = filter(exclude, vc.Exclude)
+		include = collectVolatileConfigItems(include, vc.Include, p)
+		exclude = collectVolatileConfigItems(exclude, vc.Exclude, p)
 	}
 
 	if policyConfig := p.Spec().Configuration; include.len() == 0 && exclude.len() == 0 && policyConfig != nil {
@@ -130,3 +132,37 @@ func computeIncludeExclude(src ecc.Source, p ConfigProvider) (*Criteria, *Criter
 
 	return include, exclude
 }
+
+func collectVolatileConfigItems(items *Criteria, volatileCriteria []ecc.VolatileCriteria, p ConfigProvider) *Criteria {
+	at := p.EffectiveTime()
+	for _, c := range volatileCriteria {
+		from, err := time.Parse(time.RFC3339, c.EffectiveOn)
+		if err != nil {
+			if c.EffectiveOn != "" {
+				log.Warnf("unable to parse time for criteria %q, was given %q: %v", c.Value, c.EffectiveOn, err)
+			}
+			from = at
+		}
+		until, err := time.Parse(time.RFC3339, c.EffectiveUntil)
+		if err != nil {
+			if c.EffectiveUntil != "" {
+				log.Warnf("unable to parse time for criteria %q, was given %q: %v", c.Value, c.EffectiveUntil, err)
+			}
+			until = at
+		}
+		if until.Compare(at) >= 0 && from.Compare(at) <= 0 {
+			// DEPRECATED: use c.ImageDigest instead
+			if c.ImageRef != "" {
+				items.addItem(c.ImageRef, c.Value)
+			} else if c.ImageUrl != "" {
+				items.addItem(c.ImageUrl, c.Value)
+			} else if c.ImageDigest != "" {
+				items.addItem(c.ImageDigest, c.Value)
+			} else {
+				items.addItem("", c.Value)
+			}
+		}
+	}
+
+	return items
+}

internal/evaluator/criteria_test.go

@@ -209,17 +209,50 @@ func TestAddArray(t *testing.T) {
 func TestGet(t *testing.T) {
 	c := &Criteria{
 		digestItems: map[string][]string{
-			"key1": {"item1", "item2"},
+			"quay.io/test/ec-test": {"item"},
+			"sha256:2c5e3b2f1e2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c": {"item-digest"},
 		},
 		defaultItems: []string{"default1", "default2"},
 	}
+	tests := []struct {
+		name     string
+		key      string
+		expected []string
+	}{
+		{
+			name:     "test with image ref",
+			key:      "quay.io/test/ec-test",
+			expected: []string{"item", "default1", "default2"},
+		},
+		{
+			name:     "test with image ref and tag",
+			key:      "quay.io/test/ec-test:latest",
+			expected: []string{"item", "default1", "default2"},
+		},
+		{
+			name:     "test with image digest",
+			key:      "quay.io/test/ec@sha256:2c5e3b2f1e2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c",
+			expected: []string{"item-digest", "default1", "default2"},
+		},
+		{
+			name:     "test key doesn't exist",
+			key:      "unknown",
+			expected: []string{"default1", "default2"},
+		},
+		{
+			name:     "test with image and bad digest",
+			key:      "quay.io/test/ec-test@sha256:2c5e3b2f1e2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d",
+			expected: []string{"default1", "default2"},
+		},
+		{
+			name:     "test with image not set",
+			expected: []string{"default1", "default2"},
+		},
+	}
 
-	// Test getting items for a key that exists
-	expectedItems := []string{"item1", "item2", "default1", "default2"}
-	assert.ElementsMatch(t, expectedItems, c.get("key1"))
-
-	// Test getting items for a key that does not exist
-	expectedDefaultItems := []string{"default1", "default2"}
-	assert.ElementsMatch(t, expectedDefaultItems, c.get("key2"))
-
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.expected, c.get(tt.key))
+		})
+	}
 }