More code reuse for RHTAP Multi-CI rego #1236
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lcarva
reviewed
Nov 26, 2024
| result := lib.result_helper(rego.metadata.chain(), [lib.quoted_values_string(_known_build_types)]) | ||
| } | ||
|
|
||
| _attestations := lib.rhtap_attestations |
There was a problem hiding this comment.
I'd love to see a policy rule that applies to all slsa provenance attestations regardless of the CI system (beyond RHTAP). It could, optionally, filter attestations based on some criteria that is driven purely by policy rule data. For example:
rule_data:
slsa_provenance_build_types:
- https://redhat.com/rhtap/slsa-build-types/jenkins-build/v1
- https://redhat.com/rhtap/slsa-build-types/gitlab-build/v1_attestations contains att if {
some att in input.attestations
# Ok to hard-code this I think since it should be v1 going forward.
att.statement.predicateType == slsa_provenance_predicate_type_v1
some build_type in lib.rule_data("slsa_provenance_build_types")
att.statement.predicate.buildDefinition.buildType == build_type
} We could use that today in Konflux as well if we wanted to.
There was a problem hiding this comment.
We do own/manage the config file that RHTAP users get, so we could include the rule data in that. 🤔 .
It's intended to handle the github, gitlab, and jenkins RHTAP attestation varieties, which will be removed in the next commit. Ref: https://issues.redhat.com/browse/EC-1032
This does strip out potentially useful Jenkins specific invocation id check, but let's not worry about that for now. Once we have a sensible plan for how to do this, we can bring it back fairly easily. Ref: https://issues.redhat.com/browse/EC-1032
simonbaird
force-pushed
the
rhtap-multi-ci-improvements
branch
from
224ee3b
to
1b86e43
Compare
I'm trying to move towards more generic rego, and this feels like a step in the right direction.
simonbaird
force-pushed
the
rhtap-multi-ci-improvements
branch
from
1b86e43
to
560af97
Compare
zregvart
approved these changes
Nov 27, 2024
Comment on lines
+39
to
+44
| _known_build_types := [_build_type(known_ci_type) | some known_ci_type in _known_ci_types] | ||
|
|
||
| _build_type(ci_type) := sprintf("https://redhat.com/rhtap/slsa-build-types/%s-build/v1", [ci_type]) | ||
|
|
||
| # RHTAP Multi-CI currently supports these environments | ||
| _known_ci_types := ["jenkins", "github", "gitlab"] |
There was a problem hiding this comment.
Let's not over complicate this
Suggested change
| _known_build_types := [_build_type(known_ci_type) | some known_ci_type in _known_ci_types] | |
| _build_type(ci_type) := sprintf("https://redhat.com/rhtap/slsa-build-types/%s-build/v1", [ci_type]) | |
| # RHTAP Multi-CI currently supports these environments | |
| _known_ci_types := ["jenkins", "github", "gitlab"] | |
| _known_build_types := [ | |
| "https://redhat.com/rhtap/slsa-build-types/jenkins-build/v1", | |
| "https://redhat.com/rhtap/slsa-build-types/github-build/v1", | |
| "https://redhat.com/rhtap/slsa-build-types/gitlab-build/v1", | |
| ] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.