
feat(policies): policy groups provider API

Open jiparis opened this issue 1 year ago • 0 comments

This PR adds a new endpoint to query remote policy groups through the providers API. Note that configuration is done through the existing policy_providers key, but /policies and /groups are added by the logic.

policy_providers:
  - name: chainloop
    default: true
    host: http://localhost:8002/v1 # instead of http://localhost:8002/v1/policies

Given this contract:

schemaVersion: v1
materials: []
policyGroups:
  - ref: sbom-quality

It will use a policy group provided by an external source:

✗ cldev wf contract update --name myproject-mywf --contract test/contract-group.yaml
WRN API contacted in insecure mode
WRN Both user credentials and $CHAINLOOP_TOKEN set. Ignoring $CHAINLOOP_TOKEN.
INF Contract updated!
┌────────────────────────────────────────────┐
│ Contract                                   │
├──────────────────────┬─────────────────────┤
│ Name                 │ myproject-mywf      │
├──────────────────────┼─────────────────────┤
│ Description          │                     │
├──────────────────────┼─────────────────────┤
│ Associated Workflows │                     │
├──────────────────────┼─────────────────────┤
│ Revision number      │ 12                  │
├──────────────────────┼─────────────────────┤
│ Revision Created At  │ 03 Oct 24 16:12 UTC │
└──────────────────────┴─────────────────────┘
┌────────────────────────┐
│ schemaVersion: v1      │
│ materials: []          │
│ policyGroups:          │
│   - ref: sbom-quality  │
│                        │
└────────────────────────┘

When adding an SBOM material, it will evaluate the corresponding policies from the group (as can be seen in the debug messages):

➜  cldev att add --value test/cyclonedx.json
WRN API contacted in insecure mode
...
DBG loading policy group "sbom-quality" using *policies.ChainloopGroupLoader
DBG loading policy spec "cyclonedx-banned-licenses" using *policies.ChainloopLoader
DBG loading policy spec "cyclonedx-banned-components" using *policies.ChainloopLoader
DBG loading policy spec "cyclonedx-freshness" using *policies.ChainloopLoader
DBG loading policy spec "cyclonedx-banned-licenses" using *policies.ChainloopLoader
INF evaluating policy cyclonedx-banned-licenses against material-1727973358194536000
DBG loading policy spec "cyclonedx-banned-components" using *policies.ChainloopLoader
INF evaluating policy cyclonedx-banned-components against material-1727973358194536000
DBG loading policy spec "cyclonedx-freshness" using *policies.ChainloopLoader
INF evaluating policy cyclonedx-freshness against material-1727973358194536000
WRN found policy violations (cyclonedx-freshness) for material-1727972910786176000
WRN  - SBOM created at: 2024-07-23T15:58:37+00:00 which is too old (freshness limit set to 30 days)
WRN found policy violations (cyclonedx-freshness) for material-1727973358194536000
WRN  - SBOM created at: 2024-07-23T15:58:37+00:00 which is too old (freshness limit set to 30 days)
DBG added to state key=material-1727973358194536000
INF material kind detected kind=SBOM_CYCLONEDX_JSON
INF material added to attestation

jiparis · Oct 03 '24 12:10
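To make the host-plus-subpath convention concrete, the following Go snippet is an added example, not Chainloop's own code: it builds the /groups and /policies endpoints from a configured provider host, refuses refs that are not plain slugs (so a contract value cannot steer the request outside those paths), and resolves a group's policy refs once each. The Provider type, the slug check and the assumption that a group is a list of policy refs are all hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Provider mirrors one policy_providers entry: Host is the API base (e.g.
// http://localhost:8002/v1) and the loader appends /policies or /groups.
// Hypothetical type and helpers, not Chainloop's own code.
type Provider struct{ Host string }

// refPattern keeps a ref to a plain slug, so a contract value such as
// "../admin" cannot steer the request outside the provider's policy paths.
var refPattern = regexp.MustCompile(`^[a-z0-9]+(?:[-_.][a-z0-9]+)*$`)

func (p Provider) endpoint(kind, ref string) (string, error) {
	if !refPattern.MatchString(ref) {
		return "", fmt.Errorf("invalid %s ref %q", kind, ref)
	}
	base, err := url.Parse(p.Host)
	if err != nil || base.Host == "" || (base.Scheme != "http" && base.Scheme != "https") {
		return "", fmt.Errorf("invalid provider host %q", p.Host)
	}
	return base.JoinPath(kind, ref).String(), nil
}

// GroupURL builds <host>/groups/<ref> for a policyGroups entry of a contract.
func (p Provider) GroupURL(ref string) (string, error) { return p.endpoint("groups", ref) }

// PolicyURLs maps the policy refs a group bundles (assumed wire shape: a list of
// refs) to <host>/policies/<ref>, resolving each ref once even if it repeats.
func (p Provider) PolicyURLs(refs []string) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	for _, ref := range refs {
		if seen[ref] {
			continue
		}
		seen[ref] = true
		u, err := p.endpoint("policies", ref)
		if err != nil {
			return nil, err
		}
		out = append(out, u)
	}
	return out, nil
}
```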