policy-controller

Cue policy in test file for two attestations does not work.

Open vaikas opened this issue 2 years ago • 3 comments

Description

The following is a CIP policy JSON that's being evaluated:

{
  "authorityMatches": {
    "keyatt": {
      "signatures": null,
      "attestations": {
        "custom-match-predicate": [
          {
            "subject": "",
            "issuer": ""
          }
        ]
      }
    },
    "keylesssignature": {
      "signatures": [
        {
          "subject": "https://kubernetes.io/namespaces/default/serviceaccounts/default",
          "issuer": "https://kubernetes.default.svc/"
        }
      ],
      "attestations": null
    },
    "keysignature": {
      "signatures": [
        {
          "subject": "",
          "issuer": ""
        }
      ],
      "attestations": null
    }
  }
}

It is incorrectly passing with this policy file here: https://github.com/sigstore/policy-controller/blob/main/test/testdata/policy-controller/e2e/cip-requires-two-signatures-and-two-attestations.yaml

And in particular here: https://github.com/sigstore/policy-controller/blob/main/test/testdata/policy-controller/e2e/cip-requires-two-signatures-and-two-attestations.yaml#L95

Version

vaikas, Aug 04 '22 20:08

I believe this has been fixed!

hectorj2f, Jan 30 '23 13:01

Awesome, is this test passing if you uncomment this? https://github.com/sigstore/policy-controller/blob/main/test/e2e_test_cluster_image_policy_with_attestations.sh#L229

vaikas, Jan 30 '23 14:01

This may help here: https://tip.cuelang.org/play/?id=--Ep9vOrwU1#cue@export@cue

vaikas, Apr 11 '23 02:04