diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index f9705bc..7a170c0 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -118,6 +118,7 @@ jobs: --set tufRoot=staging \ --set tufMetadataSource=https://docker.github.io/tuf-staging/metadata \ --set tufTargetsSource=https://docker.github.io/tuf-staging/targets \ + --set parameters="mode=strict" \ --namespace security \ --wait --debug diff --git a/charts/attest-provider/README.md b/charts/attest-provider/README.md index 5b71ae2..d75dd01 100644 --- a/charts/attest-provider/README.md +++ b/charts/attest-provider/README.md @@ -15,3 +15,4 @@ |attestationStyle|lookup attestations from image index (`attached`) or `referrers`|`referrers`| |provider.timeout|timeout in seconds for gatekeeper external data request|`30`| |provider.tls.caBundle|base64 encoded CA cert for provider|`""`| +|parameters|additional parameters to pass to the policy implementation|`""`| diff --git a/charts/attest-provider/templates/attest-provider-deployment.yaml b/charts/attest-provider/templates/attest-provider-deployment.yaml index a150688..828423c 100644 --- a/charts/attest-provider/templates/attest-provider-deployment.yaml +++ b/charts/attest-provider/templates/attest-provider-deployment.yaml @@ -57,6 +57,9 @@ spec: {{- if .Values.referrersRepo }} - --referrers-source={{ .Values.referrersRepo }} {{- end }} + {{- if .Values.parameters }} + - --parameters={{ .Values.parameters }} + {{- end }} ports: - containerPort: {{ .Values.port }} diff --git a/charts/attest-provider/values.yaml b/charts/attest-provider/values.yaml index 3e7f590..4cf18e1 100644 --- a/charts/attest-provider/values.yaml +++ b/charts/attest-provider/values.yaml @@ -22,6 +22,11 @@ tufTargetsSource: registry-1.docker.io/docker/tuf-targets attestationStyle: referrers +# parameters for the the policy implementation +# e.g. parameters: "mode=strict" + +parameters: "" + provider: timeout: 30 tls: 
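Review bot: The added `- --parameters={{ .Values.parameters }}` line in attest-provider-deployment.yaml renders the operator-supplied value unquoted into the YAML args list, so a value containing `: `, ` #`, a leading `[`/`{` or a newline changes the manifest's structure instead of reaching the container as one argument. Rendering it through the template quoter keeps it a single list item: `- {{ printf "--parameters=%s" .Values.parameters | quote }}`. The neighbouring `--referrers-source` line follows the same unquoted pattern, so this is presumably a pre-existing chart convention rather than something the change introduces, but the new value is free-form text and the first one likely to carry punctuation.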
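Review bot: The comment above the new `parameters` key in values.yaml reads `the the policy implementation`; drop the doubled word: `# parameters for the policy implementation`. Since this is where operators will look, it should also state the accepted syntax, e.g. `# comma-separated name=value pairs, e.g. parameters: "mode=strict,other=value"`. As far as the main.go hunk in this same diff shows, the flag parser currently rejects a lone `name=value` pair, so the `"mode=strict"` example (and the identical `--set` in workflow.yaml) may not be accepted until that is fixed.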
diff --git a/main.go b/main.go index 522e3c2..529ebe7 100644 --- a/main.go +++ b/main.go @@ -10,6 +10,7 @@ import ( "net/http" "os" "path/filepath" + "strings" "time" "github.com/docker/attest-provider/pkg/handler" @@ -47,6 +48,7 @@ var ( attestationStyle string referrersRepo string + parameters nameValuePairs ) const ( @@ -61,6 +63,27 @@ var ( version = "" ) +type nameValuePairs map[string]string + +func (nvp *nameValuePairs) String() string { + return fmt.Sprintf("%v", *nvp) +} + +func (nvp *nameValuePairs) Set(value string) error { + parts := strings.Split(value, ",") + if len(parts) == 1 { + return fmt.Errorf("invalid format, expected name=value") + } + for _, part := range parts { + kv := strings.Split(part, "=") + if len(kv) != 2 { + return fmt.Errorf("invalid format, expected name=value") + } + (*nvp)[kv[0]] = kv[1] + } + return nil +} + var timeoutError = string(utils.GatekeeperError("operation timed out")) func init() { @@ -82,6 +105,9 @@ func init() { flag.StringVar(&attestationStyle, "attestation-style", "referrers", "attestation style [referrers, attached]") flag.StringVar(&referrersRepo, "referrers-source", "", "repo from which to fetch Referrers for attestation lookup") + parameters = make(nameValuePairs) + flag.Var(¶meters, "parameters", "policy parameters in name=value,name1,value1 format") + flag.Parse() } @@ -105,6 +131,7 @@ func main() { PolicyCacheDir: policyCacheDir, AttestationStyle: attestationStyle, ReferrersRepo: referrersRepo, + Parameters: parameters, }) if err != nil { klog.ErrorS(err, "unable to create validate handler") diff --git a/pkg/handler/validate.go b/pkg/handler/validate.go index 6ad1659..fa78cf4 100644 --- a/pkg/handler/validate.go +++ b/pkg/handler/validate.go @@ -38,6 +38,7 @@ type ValidateHandlerOptions struct { AttestationStyle string ReferrersRepo string + Parameters map[string]string } type validateHandler struct { 
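Review bot: `Set` rejects the exact input the chart and workflow pass: `strings.Split("mode=strict", ",")` yields one element, so the `len(parts) == 1` branch returns `invalid format, expected name=value` and `--parameters=mode=strict` fails at startup. Splitting each part on every `=` and requiring exactly two fields also rejects values that legitimately contain `=` (base64, URLs with query strings), and an empty name is accepted silently. Split on the first `=` only, validate per part, and quote the offending part in the error so a misconfigured deployment is diagnosable from the log.

```go
// Set parses a comma-separated list of name=value pairs into the map,
// overwriting earlier entries with the same name; it may be called more
// than once when the flag is repeated.
func (nvp *nameValuePairs) Set(value string) error {
	for _, part := range strings.Split(value, ",") {
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 || kv[0] == "" {
			return fmt.Errorf("invalid parameter %q, expected name=value", part)
		}
		(*nvp)[kv[0]] = kv[1]
	}
	return nil
}
```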
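Review bot: The usage string registered in `init` for `--parameters` says `name=value,name1,value1`, which describes a syntax (value separated from its name by a comma) that `Set` does not parse; it should read `policy parameters as comma-separated name=value pairs, e.g. mode=strict,other=value`. Because `flag.Var` stores a pointer to the package-level map, repeating `--parameters` on the command line merges into the same map, which is worth stating in the usage text as well.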
@@ -83,6 +84,7 @@ func (h *validateHandler) newVerifier(ctx context.Context) (*attest.ImageVerifie
 AttestationStyle: mapping.AttestationStyle(h.opts.AttestationStyle),
 ReferrersRepo: h.opts.ReferrersRepo,
 Debug: true,
+ Parameters: h.opts.Parameters,
 }
 verifier, err := attest.NewImageVerifier(ctx, policyOpts)
 if err != nil {