enterprise-contract / ec-cli

Enterprise Contract command line interface
https://enterprisecontract.dev/docs/ec-cli/main/index.html
Apache License 2.0

Empty policy rule selection does not cause failure #1554

Open lcarva opened 4 months ago

lcarva commented 4 months ago

Consider the following policy config:

---
publicKey: |
  -----BEGIN PUBLIC KEY-----
  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA
  naYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==
  -----END PUBLIC KEY-----
sources:
- config:
    include:
    - spam
  data:
  - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest
  - github.com/release-engineering/rhtap-ec-policy//data
  policy:
  - oci::quay.io/enterprise-contract/ec-release-policy:latest

Notice how it includes the non-existent spam package. If we use this policy during validation, ec reports success:

🐚 ec validate image --ignore-rekor --policy policy-dummy.yaml --image quay.io/redhat-appstudio/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25 --output yaml --show-successes
components:
- attestations:
  - predicateBuildType: tekton.dev/v1beta1/TaskRun
    predicateType: https://slsa.dev/provenance/v0.2
    signatures:
    - keyid: SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY
      sig: MEUCIQDcgZIwEkLFqD7U9HrobgEC8Jo7wm+xJ5AoyO3qg+aj8QIgb9xDpjYGRMmpVk+QATeVKlHonzBiu51HtT3J+lQXPXc=
    type: https://in-toto.io/Statement/v0.1
  - predicateBuildType: tekton.dev/v1beta1/PipelineRun
    predicateType: https://slsa.dev/provenance/v0.2
    signatures:
    - keyid: SHA256:IhiN7gY+Z3uSSd7tmj6w5Zfhqafzdhm3DZjIvGc6iYY
      sig: MEYCIQDKSihaAR/zAhJhR5GCqleDvfUUtvRw61vk0YeTBAnOSQIhAKa09B4yEfaSJronmWBFbu5cVPNxm17CMl/PElEz1POa
    type: https://in-toto.io/Statement/v0.1
  containerImage: quay.io/redhat-appstudio/ec-golden-image@sha256:304040ca1911aa4d911bd7c6d6d07193c57dc49dbc43e63828b42ab204fb1b25
  name: Unnamed
  signatures:
  - keyid: ""
    sig: MEUCIQD86lmOqCovYZDPKm0XxxsLgDQcFIFAv+QZxrFSHmCvQAIgTd1I005ox8MfABqsAen6PZEyg2MCEQNBCx1NLS3V0JQ=
  source: {}
  success: true
  successes:
  - metadata:
      code: builtin.attestation.signature_check
    msg: Pass
  - metadata:
      code: builtin.attestation.syntax_check
    msg: Pass
  - metadata:
      code: builtin.image.signature_check
    msg: Pass
ec-version: v0.3.2727-5682f93
effective-time: "2024-04-23T13:28:51.736545442Z"
key: |
  -----BEGIN PUBLIC KEY-----
  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA
  naYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==
  -----END PUBLIC KEY-----
policy:
  publicKey: |
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA
    naYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==
    -----END PUBLIC KEY-----
  sources:
  - config:
      include:
      - spam
    data:
    - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest
    - github.com/release-engineering/rhtap-ec-policy//data
    name: Default
    policy:
    - oci::quay.io/enterprise-contract/ec-release-policy:latest
success: true

EC should error out if no policy rules were actually selected and the list of source groups is not empty.
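The check proposed above, as an added Go example that is not ec-cli code and not part of the issue. It assumes a simplified selector grammar (a selector is either a package name or a `package.rule` code; the real ec-cli include/exclude grammar with collections and wildcards is not reproduced) and constructed rule names; the `Rule`, `SourceConfig`, `SelectRules` and `ErrEmptySelection` identifiers are hypothetical. The point it demonstrates is the failure mode from the report: an `include` list that matches nothing silently yields an empty rule set and a passing verdict, whereas a selection step that refuses an empty result (and names the selectors that matched nothing) turns the misconfiguration into a hard error.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Rule is one policy rule identified by its package and short name
// (constructed names, e.g. package "tasks", rule "required_tasks_found").
type Rule struct {
	Package string
	Name    string
}

// Code returns the dotted rule code, e.g. "tasks.required_tasks_found".
func (r Rule) Code() string { return r.Package + "." + r.Name }

// SourceConfig mirrors the include/exclude lists of one policy source group.
type SourceConfig struct {
	Include []string
	Exclude []string
}

// ErrEmptySelection is returned when a source group ends up selecting no rules
// even though rules were available, i.e. the situation in the issue.
var ErrEmptySelection = errors.New("policy config selects no rules")

// matches reports whether a selector ("pkg" or "pkg.rule") refers to rule r.
// Hypothetical, simplified matching: exact package name or exact rule code.
func matches(selector string, r Rule) bool {
	return selector == r.Package || selector == r.Code()
}

// SelectRules applies include/exclude to the available rules and fails when the
// result is empty while rules were available. The error lists every include
// selector that matched nothing so the typo ("spam") is visible to the operator.
func SelectRules(available []Rule, cfg SourceConfig) ([]string, error) {
	matched := map[string]bool{}
	var selected []string
	for _, r := range available {
		included := len(cfg.Include) == 0 // an empty include list means "everything"
		for _, s := range cfg.Include {
			if matches(s, r) {
				included = true
				matched[s] = true
			}
		}
		excluded := false
		for _, s := range cfg.Exclude {
			if matches(s, r) {
				excluded = true
				matched[s] = true
			}
		}
		if included && !excluded {
			selected = append(selected, r.Code())
		}
	}
	sort.Strings(selected)
	if len(available) > 0 && len(selected) == 0 {
		var unmatched []string
		for _, s := range cfg.Include {
			if !matched[s] {
				unmatched = append(unmatched, s)
			}
		}
		return nil, fmt.Errorf("%w: include=%v exclude=%v (unmatched include selectors: %s)",
			ErrEmptySelection, cfg.Include, cfg.Exclude, strings.Join(unmatched, ", "))
	}
	return selected, nil
}

func main() {
	// Constructed rule set standing in for the rules a policy source provides.
	available := []Rule{
		{Package: "tasks", Name: "required_tasks_found"},
		{Package: "slsa_provenance", Name: "matches"},
	}
	// Same misconfiguration as the issue: "spam" is not a package that exists.
	cfg := SourceConfig{Include: []string{"spam"}}
	if _, err := SelectRules(available, cfg); err != nil {
		fmt.Println("validation error:", err)
		return
	}
	fmt.Println("rules selected; validation may proceed")
}
```

Running the block as written prints the validation error for the `spam` configuration; with `Include: []string{"tasks"}` it selects `tasks.required_tasks_found` and proceeds. An exclude list that removes every available rule is treated the same way as an unmatched include, since either leaves nothing to evaluate.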

lcarva commented 4 months ago

As discussed in the community meeting, let's go ahead with implementing this proposal.