feat: add support for policy parameters
James Carnegie
2856a952d5
395b5fe114
1
.github/workflows/workflow.yaml
1
.github/workflows/workflow.yaml
@@ -118,6 +118,7 @@ jobs:
|
||||
--set tufRoot=staging \
|
||||
--set tufMetadataSource=https://docker.github.io/tuf-staging/metadata \
|
||||
--set tufTargetsSource=https://docker.github.io/tuf-staging/targets \
|
||||
--set parameters="mode=strict" \
|
||||
--namespace security \
|
||||
--wait --debug
|
||||
|
||||
|
||||
@@ -15,3 +15,4 @@
|
||||
|attestationStyle|lookup attestations from image index (`attached`) or `referrers`|`referrers`|
|
||||
|provider.timeout|timeout in seconds for gatekeeper external data request|`30`|
|
||||
|provider.tls.caBundle|base64 encoded CA cert for provider|`""`|
|
||||
|parameters|additional parameters to pass to the policy implementation|`""`|
|
||||
|
||||
@@ -57,6 +57,9 @@ spec:
|
||||
{{- if .Values.referrersRepo }}
|
||||
- --referrers-source={{ .Values.referrersRepo }}
|
||||
{{- end }}
|
||||
{{- if .Values.parameters }}
|
||||
- --parameters={{ .Values.parameters }}
|
||||
{{- end }}
|
||||
|
||||
ports:
|
||||
- containerPort: {{ .Values.port }}
|
||||
|
||||
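Review bot: `- --parameters={{ .Values.parameters }}` renders the value unquoted inside the container args list, so a value containing `: `, ` #` or a leading quote character would break or silently alter the manifest rather than reach the provider as written. Rendering the whole argument as one quoted scalar avoids that: `- {{ printf "--parameters=%s" .Values.parameters | quote }}`. The enclosing container spec starts and ends outside the hunk.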
@@ -22,6 +22,11 @@ tufTargetsSource: registry-1.docker.io/docker/tuf-targets
|
||||
|
||||
attestationStyle: referrers
|
||||
|
||||
# parameters for the the policy implementation
|
||||
# e.g. parameters: "mode=strict"
|
||||
|
||||
parameters: ""
|
||||
|
||||
provider:
|
||||
timeout: 30
|
||||
tls:
|
||||
|
||||
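Review bot: The new comment `# parameters for the the policy implementation` has a doubled "the"; `# parameters for the policy implementation` reads correctly. Since the provider accepts several pairs, the comment could also state the syntax, e.g. `# comma-separated name=value pairs passed to the policy implementation`, so operators are not left to infer it from the single example.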
27
main.go
27
main.go
@@ -10,6 +10,7 @@ import (
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/docker/attest-provider/pkg/handler"
|
||||
@@ -47,6 +48,7 @@ var (
|
||||
|
||||
attestationStyle string
|
||||
referrersRepo string
|
||||
parameters nameValuePairs
|
||||
)
|
||||
|
||||
const (
|
||||
@@ -61,6 +63,27 @@ var (
|
||||
version = ""
|
||||
)
|
||||
|
||||
type nameValuePairs map[string]string
|
||||
|
||||
func (nvp *nameValuePairs) String() string {
|
||||
return fmt.Sprintf("%v", *nvp)
|
||||
}
|
||||
|
||||
func (nvp *nameValuePairs) Set(value string) error {
|
||||
parts := strings.Split(value, ",")
|
||||
if len(parts) == 1 {
|
||||
return fmt.Errorf("invalid format, expected name=value")
|
||||
}
|
||||
for _, part := range parts {
|
||||
kv := strings.Split(part, "=")
|
||||
if len(kv) != 2 {
|
||||
return fmt.Errorf("invalid format, expected name=value")
|
||||
}
|
||||
(*nvp)[kv[0]] = kv[1]
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
var timeoutError = string(utils.GatekeeperError("operation timed out"))
|
||||
|
||||
func init() {
|
||||
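Review bot: `Set` rejects a single `name=value` pair, because `strings.Split(value, ",")` yields one part for `mode=strict` and the `len(parts) == 1` branch returns "invalid format"; the `--set parameters="mode=strict"` added in the workflow hunk and the `# e.g. parameters: "mode=strict"` example in values.yaml would therefore make flag parsing fail at startup. That guard should go, and splitting each part on `=` with `len(kv) != 2` also rejects any value that itself contains `=`; `strings.Cut` (Go 1.18+, if the module targets it) splits on the first `=` only. Including the offending part in the error message makes a misconfiguration easier to diagnose from the pod log. `init` begins on the last line of the hunk and continues outside it.
```go
func (nvp *nameValuePairs) Set(value string) error {
	for _, part := range strings.Split(value, ",") {
		name, val, ok := strings.Cut(part, "=")
		if !ok || name == "" {
			return fmt.Errorf("invalid format, expected name=value, got %q", part)
		}
		(*nvp)[name] = val
	}
	return nil
}
```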
@@ -82,6 +105,9 @@ func init() {
|
||||
flag.StringVar(&attestationStyle, "attestation-style", "referrers", "attestation style [referrers, attached]")
|
||||
flag.StringVar(&referrersRepo, "referrers-source", "", "repo from which to fetch Referrers for attestation lookup")
|
||||
|
||||
parameters = make(nameValuePairs)
|
||||
flag.Var(¶meters, "parameters", "policy parameters in name=value,name1,value1 format")
|
||||
|
||||
flag.Parse()
|
||||
}
|
||||
|
||||
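Review bot: The usage text on the `flag.Var` line, `name=value,name1,value1`, does not describe what `Set` actually accepts (comma-separated pairs, each in `name=value` form), so `--help` would misdescribe the option; `flag.Var(&parameters, "parameters", "policy parameters in name=value,name1=value1 format")` matches the parser. The `¶meters` shown on that line looks like a rendering artifact of `&parameters` rather than the committed text.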
@@ -105,6 +131,7 @@ func main() {
|
||||
PolicyCacheDir: policyCacheDir,
|
||||
AttestationStyle: attestationStyle,
|
||||
ReferrersRepo: referrersRepo,
|
||||
Parameters: parameters,
|
||||
})
|
||||
if err != nil {
|
||||
klog.ErrorS(err, "unable to create validate handler")
|
||||
|
||||
@@ -38,6 +38,7 @@ type ValidateHandlerOptions struct {
|
||||
|
||||
AttestationStyle string
|
||||
ReferrersRepo string
|
||||
Parameters map[string]string
|
||||
}
|
||||
|
||||
type validateHandler struct {
|
||||
@@ -83,6 +84,7 @@ func (h *validateHandler) newVerifier(ctx context.Context) (*attest.ImageVerifie
|
||||
AttestationStyle: mapping.AttestationStyle(h.opts.AttestationStyle),
|
||||
ReferrersRepo: h.opts.ReferrersRepo,
|
||||
Debug: true,
|
||||
Parameters: h.opts.Parameters,
|
||||
}
|
||||
verifier, err := attest.NewImageVerifier(ctx, policyOpts)
|
||||
if err != nil {
|
||||
|
||||