From d88c9c01a96063ae619b5c3bc18ce95002cfc196 Mon Sep 17 00:00:00 2001
From: Simon Baird
Date: Fri, 22 Mar 2024 09:10:41 -0400
Subject: [PATCH] More hackery

Will clean it up later. This demos slsa3 passing with ec validate input.
---
 hack/builtin-experiments/demo.sh | 43 +++++++++++++++++++++-----------
 1 file changed, 28 insertions(+), 15 deletions(-)

diff --git a/hack/builtin-experiments/demo.sh b/hack/builtin-experiments/demo.sh
index 6b371af22..e44793d02 100755
--- a/hack/builtin-experiments/demo.sh
+++ b/hack/builtin-experiments/demo.sh
@@ -43,18 +43,23 @@ INPUT_JSON='{
 # A minimal ECP using local files
 # ec looks for specific subdirs under the source's root location
 # so that's why we have policy/policy and data/data
-POLICY_JSON='{
- "sources": [
- {
- "policy": [
- "'$LOCAL_DIR'/policy"
- ],
- "data": [
- "'$LOCAL_DIR'/data"
- ]
- }
- ]
-}'
+POLICY_YAML='
+sources:
+ - policy:
+ - '$POLICY_DIR'
+ - github.com/simonbaird/ec-policies//policy/lib?ref=builtin-experiments
+ - github.com/simonbaird/ec-policies//policy/release?ref=builtin-experiments
+
+ data:
+ - '$DATA_DIR'
+ - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest
+ - github.com/release-engineering/rhtap-ec-policy//data
+
+ config:
+ include:
+ - "sigstore"
+ - "@slsa3"
+'
 
 # Public key for the signature of the image we're verifying
 PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
@@ -73,7 +78,8 @@ echo '{
 # The acceptance test rego is pretty much prod-ready.. :)
 # Tweak one line to make it work with the sigstore_opts data we just created above
 sed \
- 's/^_sigstore_opts :=.*/_sigstore_opts := object.union(data.config.default_sigstore_opts, data.sigstore_opts)/' \
+ -e 's/^_sigstore_opts :=.*/_sigstore_opts := object.union(data.config.default_sigstore_opts, data.sigstore_opts)/' \
+ -e 's/^package sigstore/package policy.release.sigstore/' \
 ${GIT_ROOT}/acceptance/examples/sigstore.rego \
 > ${POLICY_DIR}/sigstore.rego
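Review bot: The comment kept above the new POLICY_YAML (`# A minimal ECP using local files`) is now wrong: the sources also pull `policy/lib` and `policy/release` from a personal-fork branch (`?ref=builtin-experiments`), acceptable-bundles data from an OCI `:latest` tag and rule data from a GitHub repo with no ref at all, and since none of those is pinned, what the demo evaluates is whatever they resolve to at run time, so the slsa3 pass is not reproducible. Replace the comment with something like `# An ECP mixing local policy/data (POLICY_DIR, DATA_DIR) with remote sources; the branch and :latest refs are mutable, so pin them (commit SHA, image digest) before reusing this outside the demo`. `'$POLICY_DIR'` and `'$DATA_DIR'` are also spliced into the YAML unquoted, so a path containing `: ` or `#` would change the document's meaning; writing them as `- "'$POLICY_DIR'"` and `- "'$DATA_DIR'"` emits them as YAML strings. Where POLICY_DIR and DATA_DIR are assigned is outside the hunk.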
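Review bot: The sed command's file operands are still unquoted, so `${GIT_ROOT}/acceptance/examples/sigstore.rego` and the redirect target `${POLICY_DIR}/sigstore.rego` are word-split and glob-expanded, and the comment above it (`# Tweak one line ...`) now describes two tweaks. Quote both paths, `"${GIT_ROOT}/acceptance/examples/sigstore.rego" \` and `> "${POLICY_DIR}/sigstore.rego"`, and change the comment to `# Tweak two lines: use the sigstore_opts data created above, and rename the package to policy.release.sigstore`. The new `s/^package sigstore/…/` expression has no end anchor, so it would also rewrite a longer package name that merely starts with `sigstore`; `s/^package sigstore$/…/` is the tighter form. Because the shell opens the `>` target before sed runs, a sed failure still leaves a truncated sigstore.rego behind, and whether the script runs under `set -e` is not visible in this hunk.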
@@ -83,7 +89,14 @@ echo "$INPUT_JSON" | yq -P
 echo -e "\n* EC results:\n"
 $EC validate input \
 --file <(echo $INPUT_JSON) \
- --policy "$(echo $POLICY_JSON)" \
+ --policy "$(echo "$POLICY_YAML" | yq -ojson)" \
 --show-successes \
- --info \
 | yq -P
+
+#echo "$INPUT_JSON" > i.json
+#ec opa eval \
+# --input i.json \
+# 'data.lib._input_attestations' \
+# --data ${DATA_DIR} \
+# --data /home/sbaird/code/ec-policies/policy/lib \
+# --data /home/sbaird/code/ec-policies/policy/release | yq -P
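Review bot: The new `--policy "$(echo "$POLICY_YAML" | yq -ojson)"` spawns `echo` only to pipe a variable into yq; `--policy "$(yq -ojson <<<"$POLICY_YAML")"` does the same without the extra process and without echo's option and backslash handling. The neighbouring context line `--file <(echo $INPUT_JSON)` leaves the JSON unquoted, so it is word-split and glob-expanded before echo sees it; that predates this commit, but `<(printf '%s' "$INPUT_JSON")` would pass the input through exactly. The pipeline `$EC validate input … | yq -P` reports yq's exit status rather than ec's, so unless `set -o pipefail` is in effect (not visible here) a failing validation still lets the script continue with status 0, which is worth a `# NOTE: pipefail needed for ec's status to propagate` next to it given that the demo's point is that slsa3 passes. The commented-out `ec opa eval` block hard-codes `/home/sbaird/...` paths, so as part of the clean-up the commit message promises, either drop it or parameterise those paths so the script stays usable for anyone else.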