Verify input image/platform against attestation subjects before passing to rego (#148)

* feat: verify subjects before passing to rego
2024-09-04 10:20:00 +01:00
parent 41847ef238
commit 48e58a9115
7 changed files with 333 additions and 35 deletions
--- a/attestation/mock.go
+++ b/attestation/mock.go
@@ -7,8 +7,15 @@ import (
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 )

+// ensure MockResolver implements Resolver.
+var _ oci.ImageDetailsResolver = MockResolver{}
+
 type MockResolver struct {
-	Envs []*Envelope
+	Envs         []*Envelope
+	Image        string
+	PlatformFn   func() (*v1.Platform, error)
+	DescriptorFn func() (*v1.Descriptor, error)
+	ImangeNameFn func() (string, error)
 }

 func (r MockResolver) Attestations(_ context.Context, _ string) ([]*Envelope, error) {
@@ -16,10 +23,19 @@ func (r MockResolver) Attestations(_ context.Context, _ string) ([]*Envelope, er
 }

 func (r MockResolver) ImageName(_ context.Context) (string, error) {
+	if r.Image != "" {
+		return r.Image, nil
+	}
+	if r.ImangeNameFn != nil {
+		return r.ImangeNameFn()
+	}
 	return "library/alpine:latest", nil
 }

 func (r MockResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error) {
+	if r.DescriptorFn != nil {
+		return r.DescriptorFn()
+	}
 	digest, err := v1.NewHash("sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620")
 	if err != nil {
 		return nil, err
@@ -32,6 +48,9 @@ func (r MockResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error)
 }

 func (r MockResolver) ImagePlatform(_ context.Context) (*v1.Platform, error) {
+	if r.PlatformFn != nil {
+		return r.PlatformFn()
+	}
 	return oci.ParsePlatform("linux/amd64")
 }

--- a/attestation/referrers.go
+++ b/attestation/referrers.go
@@ -10,6 +10,9 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 )

+// ensure ReferrersResolver implements Resolver.
+var _ Resolver = &ReferrersResolver{}
+
 type ReferrersResolver struct {
 	referrersRepo string
 	oci.ImageDetailsResolver
--- a/attestation/registry.go
+++ b/attestation/registry.go
@@ -10,6 +10,9 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 )

+// ensure RegistryResolver implements Resolver.
+var _ Resolver = &RegistryResolver{}
+
 type RegistryResolver struct {
 	*oci.RegistryImageDetailsResolver
 	*Manifest