
feat: support storage and use of custom rego engine hostnames#2315

Merged
migmartri merged 12 commits into
chainloop-dev:mainfrom
migmartri:2267-configurable-domains
Aug 8, 2025

Conversation

@migmartri

@migmartri migmartri commented Aug 6, 2025

Member

This PR allows storing, exposing and using custom hostnames that can be used inside policies. If provided, they will be appended to the existing ones.

This PR includes

  • Org update API and CLI now allow setting the allowedHostnames
  • It's exposed in the org describe and att init response.
  • The result is stored in the crafting state and injected in the rego engine

closes #2267

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri requested review from Piskoo, javirln and jiparis August 6, 2025 21:21
Comment thread app/cli/internal/action/attestation_init.go
Comment thread app/cli/internal/action/action.go
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri changed the title chore: support storage and exposure of rego engine domains chore: support storage and exposure of rego engine hostnames Aug 6, 2025
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri changed the title chore: support storage and exposure of rego engine hostnames chore: support storage and use of custom rego engine hostnames Aug 7, 2025
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
policiesAllowedHostnames = result.GetPoliciesAllowedHostnames()

signingOpts := result.GetSigningOptions()
if signingOpts != nil {

Member

This change is actually not needed, right? proto getters are always safe and work for nil receivers, so it's safe to do GetSigningOptions().GetTimestampAuthorityUrl() even if SigningOptions is nil

Member Author

let me double check it

ID, Name string
CreatedAt *time.Time
PolicyViolationBlockingStrategy string
PolicyAllowedHostnames []string `json:"policyAllowedHostnames,omitempty"`

Member

accidental annotation?

Member Author

nope really, I wanted to hide this option if the default is set

type NewOrgUpdateOpts struct {
BlockOnPolicyViolation *bool
BlockOnPolicyViolation *bool
PoliciesAllowedHostnames *[]string

Member

This looks a bit weird. Slices are pointers already and are nil if not initialized. No need to create a pointer to a pointer. Just keep in mind that len([]string(nil)) is 0

Member Author

checking, thanks

Member Author

updated the pointer situation to leverage instead the duality of empty slice vs nil slice.

}

if opts.PoliciesAllowedHostnames != nil {
payload.PoliciesAllowedHostnames = *opts.PoliciesAllowedHostnames

Member

This is what I mean, *variable shouldn't be needed for slices, since they are pointers anyways.

Member Author

this is about making sure we can detect when we want to update the value vs empty it. In any case, I've implemented the same by using slices
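The nil-versus-empty-slice convention this thread settles on, followed by how a stored hostname list would be appended to the engine defaults and checked against an http.send target, as an added example that is not Chainloop's code: OrgUpdateOpts, ApplyHostnameUpdate, EffectiveHostnames, HostAllowed and the default hostname are hypothetical stand-ins.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// OrgUpdateOpts is a hypothetical stand-in for the reviewed NewOrgUpdateOpts field
// once the pointer-to-slice was dropped: nil means "leave unchanged", a non-nil
// empty slice means "clear", anything else replaces the stored list.
type OrgUpdateOpts struct {
	PoliciesAllowedHostnames []string
}

// ApplyHostnameUpdate returns the list to store after applying opts to current.
func ApplyHostnameUpdate(current []string, opts OrgUpdateOpts) []string {
	if opts.PoliciesAllowedHostnames == nil {
		return current // field omitted by the caller: keep the stored value
	}
	return append([]string{}, opts.PoliciesAllowedHostnames...) // copy; empty stays empty, non-nil
}

// defaultAllowedHostnames is a constructed stand-in for the engine's built-in list.
var defaultAllowedHostnames = []string{"builtin.example.test"}

// EffectiveHostnames appends the org's custom hostnames to the defaults (PR description).
func EffectiveHostnames(custom []string) []string {
	return append(append([]string{}, defaultAllowedHostnames...), custom...)
}

// HostAllowed reports whether the host of an http.send target URL is on the
// allowlist (case-insensitive hostname match; scheme, port and path ignored).
func HostAllowed(allowed []string, rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return false
	}
	for _, a := range allowed {
		if strings.EqualFold(strings.TrimSpace(a), u.Hostname()) {
			return true
		}
	}
	return false
}

func main() {
	allowed := EffectiveHostnames(ApplyHostnameUpdate(nil, OrgUpdateOpts{PoliciesAllowedHostnames: []string{"registry.example.test"}}))
	fmt.Println(allowed, HostAllowed(allowed, "https://registry.example.test/v2/"), HostAllowed(allowed, "https://other.example.test/"))
}
```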

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri changed the title chore: support storage and use of custom rego engine hostnames feat: support storage and use of custom rego engine hostnames Aug 8, 2025
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri merged commit e0d32ff into chainloop-dev:main Aug 8, 2025
13 checks passed
@migmartri migmartri deleted the 2267-configurable-domains branch August 8, 2025 11:04

Development

Successfully merging this pull request may close these issues.

feat: allowed domains for http.send in Rego engine