feat: add support for policy parameters

This commit is contained in:
James Carnegie
2024-10-16 11:26:30 +01:00
committed by James Carnegie
parent 2856a952d5
commit 395b5fe114
6 changed files with 39 additions and 0 deletions


@@ -118,6 +118,7 @@ jobs:
--set tufRoot=staging \
--set tufMetadataSource=https://docker.github.io/tuf-staging/metadata \
--set tufTargetsSource=https://docker.github.io/tuf-staging/targets \
--set parameters="mode=strict" \
--namespace security \
--wait --debug


@@ -15,3 +15,4 @@
|attestationStyle|lookup attestations from image index (`attached`) or `referrers`|`referrers`|
|provider.timeout|timeout in seconds for gatekeeper external data request|`30`|
|provider.tls.caBundle|base64 encoded CA cert for provider|`""`|
|parameters|additional parameters to pass to the policy implementation|`""`|


@@ -57,6 +57,9 @@ spec:
{{- if .Values.referrersRepo }}
- --referrers-source={{ .Values.referrersRepo }}
{{- end }}
{{- if .Values.parameters }}
- --parameters={{ .Values.parameters }}
{{- end }}
ports:
- containerPort: {{ .Values.port }}
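Review bot: The new `- --parameters={{ .Values.parameters }}` line interpolates the value unquoted into a YAML sequence item, so a parameter string containing YAML-significant characters (`: `, ` #`, a leading `*` or `&`) would produce an invalid or silently mis-parsed manifest rather than reaching the binary. Rendering the whole argument through `quote` keeps it a single string scalar: `- {{ printf "--parameters=%s" .Values.parameters | quote }}`. The surrounding `args` list and container spec start and end outside this hunk.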


@@ -22,6 +22,11 @@ tufTargetsSource: registry-1.docker.io/docker/tuf-targets
attestationStyle: referrers
# parameters for the the policy implementation
# e.g. parameters: "mode=strict"
parameters: ""
provider:
timeout: 30
tls:
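Review bot: The new comment on `parameters` has a doubled word ("for the the policy implementation") and the example shows only a single pair, while the flag parser in main.go splits the string on commas. Suggest `# parameters for the policy implementation, as comma-separated name=value pairs` followed by `# e.g. parameters: "mode=strict,foo=bar"` so operators know the list form is accepted.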

27
main.go

@@ -10,6 +10,7 @@ import (
"net/http"
"os"
"path/filepath"
"strings"
"time"
"github.com/docker/attest-provider/pkg/handler"
@@ -47,6 +48,7 @@ var (
attestationStyle string
referrersRepo string
parameters nameValuePairs
)
const (
@@ -61,6 +63,27 @@ var (
version = ""
)
type nameValuePairs map[string]string
func (nvp *nameValuePairs) String() string {
return fmt.Sprintf("%v", *nvp)
}
func (nvp *nameValuePairs) Set(value string) error {
parts := strings.Split(value, ",")
if len(parts) == 1 {
return fmt.Errorf("invalid format, expected name=value")
}
for _, part := range parts {
kv := strings.Split(part, "=")
if len(kv) != 2 {
return fmt.Errorf("invalid format, expected name=value")
}
(*nvp)[kv[0]] = kv[1]
}
return nil
}
var timeoutError = string(utils.GatekeeperError("operation timed out"))
func init() {
@@ -82,6 +105,9 @@ func init() {
flag.StringVar(&attestationStyle, "attestation-style", "referrers", "attestation style [referrers, attached]")
flag.StringVar(&referrersRepo, "referrers-source", "", "repo from which to fetch Referrers for attestation lookup")
parameters = make(nameValuePairs)
flag.Var(&parameters, "parameters", "policy parameters in name=value,name1,value1 format")
flag.Parse()
}
@@ -105,6 +131,7 @@ func main() {
PolicyCacheDir: policyCacheDir,
AttestationStyle: attestationStyle,
ReferrersRepo: referrersRepo,
Parameters: parameters,
})
if err != nil {
klog.ErrorS(err, "unable to create validate handler")
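Review bot: `nameValuePairs.Set` rejects a single `name=value` pair: `strings.Split("mode=strict", ",")` returns one element, so the `len(parts) == 1` guard fails with "invalid format" — and that single-pair form is exactly what the workflow's `--set parameters="mode=strict"` and the values.yaml example supply, so the deployment would fail at flag parsing. The per-pair `strings.Split(part, "=")` with `len(kv) != 2` additionally rejects any value that itself contains `=` (a padded base64 string, for instance); `strings.Cut` (Go 1.18+) splits on the first `=` only, and an empty name should presumably be refused as well. The help text on the `flag.Var` line in `init` reads `name=value,name1,value1`; it should read `name=value,name1=value1`. Both `init` and `main` continue outside their hunks.

```go
// Set parses a comma-separated list of name=value pairs into the map;
// a later pair with the same name overrides an earlier one.
func (nvp *nameValuePairs) Set(value string) error {
	for _, part := range strings.Split(value, ",") {
		name, val, ok := strings.Cut(part, "=")
		if !ok || name == "" {
			return fmt.Errorf("invalid parameter %q, expected name=value", part)
		}
		(*nvp)[name] = val
	}
	return nil
}
```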


@@ -38,6 +38,7 @@ type ValidateHandlerOptions struct {
AttestationStyle string
ReferrersRepo string
Parameters map[string]string
}
type validateHandler struct {
@@ -83,6 +84,7 @@ func (h *validateHandler) newVerifier(ctx context.Context) (*attest.ImageVerifie
AttestationStyle: mapping.AttestationStyle(h.opts.AttestationStyle),
ReferrersRepo: h.opts.ReferrersRepo,
Debug: true,
Parameters: h.opts.Parameters,
}
verifier, err := attest.NewImageVerifier(ctx, policyOpts)
if err != nil {
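Review bot: The new `Parameters map[string]string` field on `ValidateHandlerOptions` carries no comment, and the second hunk forwards it by reference into the verifier's policy options, so any later mutation of the caller's map (main.go passes its package-level `parameters`) is visible to verifiers built afterwards. Suggest documenting the intent with `// Parameters are name=value settings forwarded unchanged to the policy implementation.` and, if isolation matters, copying with `maps.Clone` at construction. `newVerifier` continues outside this hunk.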