enterprise-contract / ec-cli

Enterprise Contract command line interface
https://enterprisecontract.dev/docs/ec-cli/main/index.html
Apache License 2.0

ec validate input errs when policy sets publicKey #1528

Open lcarva opened 2 months ago

lcarva commented 2 months ago

With a policy.yaml that specifies a publicKey, e.g.:

publicKey: k8s://openshift-pipelines/public-key
sources:
- data:
  - ...
  policy:
  - ...

The ec validate input command always fails:

Error: 1 error occurred:
    * error validating file input.json: no check options or sig verifier configured

With the --debug flag:

DEBU[0000] helpers.go:80 readPolicyConfigurationFile Loaded policy.yaml as policyConfiguration    
DEBU[0000] policy.go:394 parseEffectiveTime Chosen to use effective time of `now`, using current time 2024-04-15T18:44:38Z 
DEBU[0000] policy.go:309 loadPolicy Read EnterpriseContractPolicy as YAML        
DEBU[0000] policy.go:314 loadPolicy Unable to parse EnterpriseContractPolicy from "configuration:\n  # exclude:\n  # - tasks.required_tasks_found:prefetch-dependencies\n  # - hermetic_build_task.build_task_hermetic\n  # - test.no_test_warnings\n  # - redhat_manifests.redhat_manifests_missing\n  # - labels.required_labels\n  # - rpm_ostree_task.builder_image_param\n  # - sbom_cyclonedx.found\n  # - test.no_failed_tests\n  # include:\n  # - '@redhat'\n  include:\n  - attestation_task_bundle\ndescription: Rules for shipping content to registry.redhat.io\npublicKey: k8s://openshift-pipelines/public-key\nsources:\n- data:\n  - github.com/release-engineering/rhtap-ec-policy//data\n  - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest\n  name: Release Policies\n  policy:\n  # - oci::quay.io/enterprise-contract/ec-release-policy:latest\n  - /home/lucarval/src/enterprise-contract/ec-policies/policy/lib\n  - /home/lucarval/src/enterprise-contract/ec-policies/policy/release\n  # ruleData:\n  #   allowed_registry_prefixes:\n  #   - registry.access.redhat.com/\n  #   - registry.redhat.io/\n  #   - quay.io/rh-osbs/ubi9\n  #   - localhost/rhtap-final-image\n  #   allowed_rpm_ostree_builder_image_prefixes:\n  #   - quay.io/centos-bootc/bootc-image-builder\n" 
DEBU[0000] policy.go:315 loadPolicy Attempting to parse as EnterpriseContractPolicySpec 
DEBU[0000] validate.go:37 ValidateInput Current input filePath: "input.json"         
DEBU[0000] validate.go:67 detectInput unable to detect input as JSON               
DEBU[0000] validate.go:75 detectInput unable to detect input as YAML               
DEBU[0000] input.go:53 NewInput policySource: &source.PolicyUrl{Url:"/home/lucarval/src/enterprise-contract/ec-policies/policy/lib", Kind:"policy"} 
DEBU[0000] input.go:53 NewInput policySource: &source.PolicyUrl{Url:"/home/lucarval/src/enterprise-contract/ec-policies/policy/release", Kind:"policy"} 
DEBU[0000] input.go:53 NewInput policySource: &source.PolicyUrl{Url:"github.com/release-engineering/rhtap-ec-policy//data", Kind:"data"} 
DEBU[0000] input.go:53 NewInput policySource: &source.PolicyUrl{Url:"oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest", Kind:"data"} 
DEBU[0000] conftest_evaluator.go:277 NewConftestEvaluatorWithNamespace Created work dir /tmp/ec-work-678054144      
DEBU[0000] policy.go:380 EffectiveTime Using effective time: 2024-04-15T18:44:38Z   
DEBU[0000] input.go:58 NewInput Failed to initialize the conftest evaluator! 
DEBU[0000] validate.go:46 ValidateInput Failed to create input!                      
Error: 1 error occurred:
    * error validating file input.json: no check options or sig verifier configured

Git bisect tells me this started with commit https://github.com/enterprise-contract/ec-cli/commit/117055d2a0a47af0dd63f9f763c9b243f646d803.

Removing publicKey from the policy bypasses the issue.

zregvart commented 2 months ago

Perhaps fetching configuration out of the policy could be made lazily, i.e. only try to access the public key if it is required for validation.
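One way to structure the lazy lookup suggested above, as an added example in Go that is not ec-cli's own code: the policy is parsed eagerly, but the public key behind `publicKey` is only resolved the first time something actually needs to verify a signature. `Policy`, `Evaluator`, `KeyResolver` and `fakeResolver` are hypothetical names for this example, the resolver stands in for whatever fetches a `k8s://...` key in the real tool, and the signature check is a constructed stand-in; only the error string is taken from the issue.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
)

// ErrNoVerifier carries the message from the issue so the two code paths
// can be told apart.
var ErrNoVerifier = errors.New("no check options or sig verifier configured")

// Policy holds just the fields of policy.yaml this example needs
// (hypothetical struct, not ec-cli's own type).
type Policy struct {
	PublicKey string
	Sources   []string
}

// KeyResolver fetches the key material behind a reference such as
// "k8s://openshift-pipelines/public-key". In the real tool this would
// contact the cluster; here it is injected so the example runs offline.
type KeyResolver func(ref string) ([]byte, error)

// lazyVerifier resolves the public key at most once, and only on first use.
type lazyVerifier struct {
	ref     string
	resolve KeyResolver
	once    sync.Once
	key     []byte
	err     error
}

func (v *lazyVerifier) publicKey() ([]byte, error) {
	v.once.Do(func() {
		if v.ref == "" {
			v.err = ErrNoVerifier
			return
		}
		v.key, v.err = v.resolve(v.ref)
	})
	return v.key, v.err
}

// Evaluator is the eager/lazy split: constructing it parses the policy but
// never touches the key source.
type Evaluator struct {
	policy   Policy
	verifier *lazyVerifier
	// KeyFetches counts resolver calls; it exists so a test can show that
	// input validation performs none.
	KeyFetches int
}

func NewEvaluator(p Policy, resolve KeyResolver) (*Evaluator, error) {
	if len(p.Sources) == 0 {
		return nil, errors.New("policy has no sources")
	}
	e := &Evaluator{policy: p}
	e.verifier = &lazyVerifier{
		ref: p.PublicKey,
		resolve: func(ref string) ([]byte, error) {
			e.KeyFetches++
			return resolve(ref)
		},
	}
	return e, nil
}

// ValidateInput checks a plain input document against the policy sources.
// Nothing is signed, so the verifier is never initialised and a policy that
// names a publicKey behaves exactly like one that does not.
func (e *Evaluator) ValidateInput(input map[string]any) error {
	if _, ok := input["kind"]; !ok {
		return errors.New("input has no kind field")
	}
	return nil
}

// ValidateImage is the path that genuinely needs the key: the attestation
// signature must be checked against it, so only here does a missing or
// unreachable key surface as an error.
func (e *Evaluator) ValidateImage(imageRef string, signature []byte) error {
	key, err := e.verifier.publicKey()
	if err != nil {
		return fmt.Errorf("validating %s: %w", imageRef, err)
	}
	// Constructed stand-in for a real signature check: the signature
	// "matches" when it carries the key bytes as a prefix.
	if !strings.HasPrefix(string(signature), string(key)) {
		return fmt.Errorf("validating %s: signature does not match configured key", imageRef)
	}
	return nil
}

// fakeResolver is a constructed key source that knows a single reference.
func fakeResolver(ref string) ([]byte, error) {
	if ref == "k8s://openshift-pipelines/public-key" {
		return []byte("PUBKEY"), nil
	}
	return nil, fmt.Errorf("key %q not found", ref)
}

func main() {
	policy := Policy{
		PublicKey: "k8s://openshift-pipelines/public-key",
		Sources:   []string{"github.com/release-engineering/rhtap-ec-policy//data"},
	}
	e, _ := NewEvaluator(policy, fakeResolver)
	fmt.Println("input:", e.ValidateInput(map[string]any{"kind": "Pipeline"}), "key fetches:", e.KeyFetches)
	fmt.Println("image:", e.ValidateImage("quay.io/example/app:latest", []byte("PUBKEY:sig")), "key fetches:", e.KeyFetches)
}
```

With this split, `ec validate input` would succeed whether or not `publicKey` is set, and an unreachable key is reported only by the command that has a signature to verify; the `sync.Once` also means the key source is contacted once per evaluator rather than once per image.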