-
Notifications
You must be signed in to change notification settings - Fork 44
fix(examples): update example policies and test script #2378
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
174 changes: 87 additions & 87 deletions
174
docs/examples/policies/json-field-validator/policy.yaml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,91 +1,91 @@ | ||
| apiVersion: workflowcontract.chainloop.dev/v1 | ||
| kind: Policy | ||
| metadata: | ||
| name: json-field-validator | ||
| description: Validates specific fields in JSON evidence | ||
| name: json-field-validator | ||
| description: Validates specific fields in JSON evidence | ||
| spec: | ||
| policies: | ||
| - embedded: | | ||
| package main | ||
|
|
||
| import rego.v1 | ||
|
|
||
| result := { | ||
| "skipped": skipped, | ||
| "violations": violations, | ||
| "skip_reason": skip_reason, | ||
| "ignore": ignore, | ||
| } | ||
|
|
||
| default skip_reason := "" | ||
|
|
||
| skip_reason := m if { | ||
| not valid_input | ||
| m := "invalid input" | ||
| } | ||
|
|
||
| default skipped := true | ||
|
|
||
| skipped := false if valid_input | ||
|
|
||
| default ignore := false | ||
|
|
||
| # Valid if EVIDENCE material is provided | ||
| valid_input if { | ||
| input.chainloop_metadata.annotations["chainloop.material.type"] == "EVIDENCE" | ||
| } | ||
|
|
||
| # Policy inputs | ||
| required_field := input.args.required_field | ||
| expected_value := input.args.expected_value | ||
| field_pattern := input.args.field_pattern | ||
|
|
||
| # Helper function to access nested field value using dot notation | ||
| field_value(obj, path) := obj if not contains(path, ".") | ||
|
|
||
| field_value(obj, path) := result if { | ||
| contains(path, ".") | ||
| path_parts := split(path, ".") | ||
| result := object.get(obj, path_parts, null) | ||
| } | ||
|
|
||
| # Helper function to check if field exists | ||
| field_exists(obj, path) if field_value(obj, path) | ||
|
|
||
| field_exists(obj, path) := false if not field_value(obj, path) | ||
|
|
||
| # Generic field validation - works with any field path | ||
| violations contains msg if { | ||
| required_field | ||
| expected_value | ||
| value := field_value(input, required_field) | ||
| value | ||
| sprintf("%v", [value]) != expected_value | ||
| msg := sprintf("Field '%s' is '%v', expected '%s'", [required_field, value, expected_value]) | ||
| } | ||
|
|
||
| # Pattern validation for any field | ||
| violations contains msg if { | ||
| required_field | ||
| field_pattern | ||
| value := field_value(input, required_field) | ||
| value | ||
| not regex.match(field_pattern, sprintf("%v", [value])) | ||
| msg := sprintf("Field '%s' value '%v' does not match pattern '%s'", [required_field, value, field_pattern]) | ||
| } | ||
|
|
||
| # Required field validation | ||
| violations contains msg if { | ||
| required_field | ||
| not field_exists(input, required_field) | ||
| msg := sprintf("Required field '%s' is missing or null", [required_field]) | ||
| } | ||
| kind: EVIDENCE | ||
| inputs: | ||
| - name: required_field | ||
| description: Field to validate (dot notation supported, e.g., 'application.name') | ||
| required: true | ||
| - name: expected_value | ||
| description: Expected value for the field (optional, use with field validation) | ||
| - name: field_pattern | ||
| description: Regex pattern to validate field value (optional, use with pattern validation) | ||
| policies: | ||
| - embedded: | | ||
| package main | ||
|
|
||
| import rego.v1 | ||
|
|
||
| result := { | ||
| "skipped": skipped, | ||
| "violations": violations, | ||
| "skip_reason": skip_reason, | ||
| "ignore": ignore, | ||
| } | ||
|
|
||
| default skip_reason := "" | ||
|
|
||
| skip_reason := m if { | ||
| not valid_input | ||
| m := "invalid input" | ||
| } | ||
|
|
||
| default skipped := true | ||
|
|
||
| skipped := false if valid_input | ||
|
|
||
| default ignore := false | ||
|
|
||
| # Valid if EVIDENCE material is provided | ||
| valid_input if { | ||
| input.chainloop_metadata.annotations["chainloop.material.type"] == "EVIDENCE" | ||
| } | ||
|
|
||
| # Policy inputs | ||
| required_field := input.args.required_field | ||
| expected_value := input.args.expected_value | ||
| field_pattern := input.args.field_pattern | ||
|
|
||
| # Helper function to access nested field value using dot notation | ||
| field_value(obj, path) := obj if not contains(path, ".") | ||
|
|
||
| field_value(obj, path) := result if { | ||
| contains(path, ".") | ||
| path_parts := split(path, ".") | ||
| result := object.get(obj, path_parts, null) | ||
| } | ||
|
|
||
| # Helper function to check if field exists | ||
| field_exists(obj, path) if field_value(obj, path) | ||
|
|
||
| field_exists(obj, path) := false if not field_value(obj, path) | ||
|
|
||
| # Generic field validation - works with any field path | ||
| violations contains msg if { | ||
| required_field | ||
| expected_value | ||
| value := field_value(input, required_field) | ||
| value | ||
| sprintf("%v", [value]) != expected_value | ||
| msg := sprintf("Field '%s' is '%v', expected '%s'", [required_field, value, expected_value]) | ||
| } | ||
|
|
||
| # Pattern validation for any field | ||
| violations contains msg if { | ||
| required_field | ||
| field_pattern | ||
| value := field_value(input, required_field) | ||
| value | ||
| not regex.match(field_pattern, sprintf("%v", [value])) | ||
| msg := sprintf("Field '%s' value '%v' does not match pattern '%s'", [required_field, value, field_pattern]) | ||
| } | ||
|
|
||
| # Required field validation | ||
| violations contains msg if { | ||
| required_field | ||
| not field_exists(input, required_field) | ||
| msg := sprintf("Required field '%s' is missing or null", [required_field]) | ||
| } | ||
| kind: EVIDENCE | ||
| inputs: | ||
| - name: required_field | ||
| description: Field to validate (dot notation supported, e.g., 'application.name') | ||
| required: true | ||
| - name: expected_value | ||
| description: Expected value for the field (optional, use with field validation) | ||
| - name: field_pattern | ||
| description: Regex pattern to validate field value (optional, use with pattern validation) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,66 +1,66 @@ | ||
| apiVersion: workflowcontract.chainloop.dev/v1 | ||
| kind: Policy | ||
| metadata: | ||
| name: sbom-freshness | ||
| description: Validates that SBOM timestamp is within acceptable age limit | ||
| name: sbom-freshness | ||
| description: Validates that SBOM timestamp is within acceptable age limit | ||
| spec: | ||
| policies: | ||
| - embedded: | | ||
| package main | ||
| policies: | ||
| - embedded: | | ||
| package main | ||
|
|
||
| import rego.v1 | ||
| import rego.v1 | ||
|
|
||
| result := { | ||
| "skipped": skipped, | ||
| "violations": violations, | ||
| "skip_reason": skip_reason, | ||
| "ignore": ignore, | ||
| } | ||
| result := { | ||
| "skipped": skipped, | ||
| "violations": violations, | ||
| "skip_reason": skip_reason, | ||
| "ignore": ignore, | ||
| } | ||
|
|
||
| default skip_reason := "" | ||
| default skip_reason := "" | ||
|
|
||
| skip_reason := m if { | ||
| not valid_input | ||
| m := "invalid input" | ||
| } | ||
| skip_reason := m if { | ||
| not valid_input | ||
| m := "invalid input" | ||
| } | ||
|
|
||
| default skipped := true | ||
| default skipped := true | ||
|
|
||
| skipped := false if valid_input | ||
| skipped := false if valid_input | ||
|
|
||
| default ignore := false | ||
| default ignore := false | ||
|
|
||
| # Valid if SBOM_CYCLONEDX_JSON material is provided | ||
| valid_input if { | ||
| input.chainloop_metadata.annotations["chainloop.material.type"] == "SBOM_CYCLONEDX_JSON" | ||
| } | ||
| # Valid if SBOM_CYCLONEDX_JSON material is provided | ||
| valid_input if { | ||
| input.chainloop_metadata.annotations["chainloop.material.type"] == "SBOM_CYCLONEDX_JSON" | ||
| } | ||
|
|
||
| # Default freshness limit (30 days) | ||
| default freshness_days := 30 | ||
| # Default freshness limit (30 days) | ||
| default freshness_days := 30 | ||
|
|
||
| # Policy inputs - convert string to number | ||
| freshness_days := to_number(input.args.freshness_days) if input.args.freshness_days | ||
| # Policy inputs - convert string to number | ||
| freshness_days := to_number(input.args.freshness_days) if input.args.freshness_days | ||
|
|
||
| # Time calculations | ||
| nanosecs_per_second := (1000 * 1000) * 1000 | ||
| nanosecs_per_day := ((24 * 60) * 60) * nanosecs_per_second | ||
| maximum_age := freshness_days * nanosecs_per_day | ||
| # Time calculations | ||
| nanosecs_per_second := (1000 * 1000) * 1000 | ||
| nanosecs_per_day := ((24 * 60) * 60) * nanosecs_per_second | ||
| maximum_age := freshness_days * nanosecs_per_day | ||
|
|
||
| # SBOM freshness validation | ||
| violations contains msg if { | ||
| input.metadata.timestamp | ||
| sbom_ns := time.parse_rfc3339_ns(input.metadata.timestamp) | ||
| exceeding := time.now_ns() - (sbom_ns + maximum_age) | ||
| exceeding > 0 | ||
| msg := sprintf("SBOM created at %s is too old (age limit: %d days)", [input.metadata.timestamp, freshness_days]) | ||
| } | ||
| # SBOM freshness validation | ||
| violations contains msg if { | ||
| input.metadata.timestamp | ||
| sbom_ns := time.parse_rfc3339_ns(input.metadata.timestamp) | ||
| exceeding := time.now_ns() - (sbom_ns + maximum_age) | ||
| exceeding > 0 | ||
| msg := sprintf("SBOM created at %s is too old (age limit: %d days)", [input.metadata.timestamp, freshness_days]) | ||
| } | ||
|
|
||
| # Missing timestamp validation | ||
| violations contains msg if { | ||
| not input.metadata.timestamp | ||
| msg := "SBOM metadata.timestamp field is missing or null" | ||
| } | ||
| kind: SBOM_CYCLONEDX_JSON | ||
| inputs: | ||
| - name: freshness_days | ||
| description: Maximum age for SBOM in days | ||
| # Missing timestamp validation | ||
| violations contains msg if { | ||
| not input.metadata.timestamp | ||
| msg := "SBOM metadata.timestamp field is missing or null" | ||
| } | ||
| kind: SBOM_CYCLONEDX_JSON | ||
| inputs: | ||
| - name: freshness_days | ||
| description: Maximum age for SBOM in days |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi! could you give some color on why we need this?
thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apparently
((TESTS_PASSED++))uses post increment so here it returns 0 which causes the script to exit (bash expr).((++TESTS_PASSED))would fix that as well but as defensive measure I've used|| truesince from what I understood from other tests that use this utils, it is meant to return exit code with
test_summary.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
but is this issue related to your change? Why wasn't it failing before? Out of curiosity what's the root cause
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, it was failing before, I'm not sure which released version caused it to not work, unless it wasn't working since the beginning