Add platform filtering support to mapping.yml #167
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #167 +/- ##
==========================================
+ Coverage 69.46% 69.58% +0.11%
==========================================
Files 44 44
Lines 2505 2528 +23
==========================================
+ Hits 1740 1759 +19
- Misses 475 477 +2
- Partials 290 292 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
| @@ -1,4 +1,4 @@ | |||
| package config | |||
| package mapping | |||
| - path: doi/policy.rego | ||
| rules: | ||
| - pattern: "^docker[.]io/library/(.*)$" | ||
| platforms: ["linux/amd64"] |
There was a problem hiding this comment.
Should there be a test with two values?
There was a problem hiding this comment.
well, it's an array, so I think the same paths will be exercised...happy to add one if you like?
| @@ -55,7 +55,12 @@ func (verifier *tufVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (re | |||
| return nil, fmt.Errorf("failed to resolve image name: %w", err) | |||
| } | |||
| policyResolver := policy.NewResolver(verifier.tufClient, verifier.opts) | |||
| resolvedPolicy, err := policyResolver.ResolvePolicy(ctx, imageName) | |||
|
|
|||
| platform, err := detailsResolver.ImagePlatform(ctx) | |||
There was a problem hiding this comment.
Is platform used anywhere?
There was a problem hiding this comment.
There was a problem hiding this comment.
That's how the input image platform makes it down to the policy
There was a problem hiding this comment.
@whalelines For better or worse, it would actually be a compiler error if it wasn't!
| case rule.PolicyID == "" && rule.Replacement == "": | ||
| return nil, fmt.Errorf("rule %s has neither policy-id nor rewrite", rule.Pattern) | ||
| case rule.PolicyID != "" && rule.Replacement != "": | ||
| return nil, fmt.Errorf("rule %s has both policy-id and rewrite", rule.Pattern) | ||
| case rule.PolicyID != "": | ||
| policy := mappings.Policies[rule.PolicyID] | ||
| if policy != nil { | ||
| return &PolicyMatch{ | ||
| MatchType: MatchTypePolicy, | ||
| Policy: policy, | ||
| Rule: rule, | ||
| MatchedName: imageName, | ||
| }, nil | ||
| } |
There was a problem hiding this comment.
This code seems very familiar. Does it exist somewhere else?
There was a problem hiding this comment.
this was a move from the policy package.
| @@ -55,7 +55,12 @@ func (verifier *tufVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (re | |||
| return nil, fmt.Errorf("failed to resolve image name: %w", err) | |||
| } | |||
| policyResolver := policy.NewResolver(verifier.tufClient, verifier.opts) | |||
| resolvedPolicy, err := policyResolver.ResolvePolicy(ctx, imageName) | |||
|
|
|||
| platform, err := detailsResolver.ImagePlatform(ctx) | |||
There was a problem hiding this comment.
@whalelines For better or worse, it would actually be a compiler error if it wasn't!
This will help us roll out policy platform by platform, and control the amount of historical image signing we will need
e.g. only
linux/amd64images will be matched by the rule below:configpackage tomapping, and move matching code over there frompolicypackage