From ae9f81585684d7e60a5c7ffec5bc4849fe35c7bd Mon Sep 17 00:00:00 2001
From: Miguel Martinez
Date: Fri, 8 Aug 2025 23:59:05 +0200
Subject: [PATCH] fix: pass allowed hostnames during group verification

Signed-off-by: Miguel Martinez
---
 pkg/attestation/crafter/crafter.go | 6 +++---
 pkg/policies/policy_groups.go | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/pkg/attestation/crafter/crafter.go b/pkg/attestation/crafter/crafter.go
index 8b46de107..5639822fe 100644
--- a/pkg/attestation/crafter/crafter.go
+++ b/pkg/attestation/crafter/crafter.go
@@ -616,7 +616,7 @@ func (c *Crafter) addMaterial(ctx context.Context, m *schemaapi.CraftingSchema_M
 })
 
 // Validate policy groups
-pgv := policies.NewPolicyGroupVerifier(c.CraftingState.InputSchema, c.attClient, c.Logger)
+pgv := policies.NewPolicyGroupVerifier(c.CraftingState.InputSchema, c.attClient, c.Logger, policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...))
 policyGroupResults, err := pgv.VerifyMaterial(ctx, mt, value)
 if err != nil {
 return nil, fmt.Errorf("error applying policy groups to material: %w", err)
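Review bot: The new `pgv :=` line dereferences `c.CraftingState.Attestation` with no nil check; if CraftingState is a protobuf-generated type (the field naming suggests it, but that is not visible here), the nil-safe getters `c.CraftingState.GetAttestation().GetPoliciesAllowedHostnames()` would avoid a panic when the attestation has not been initialised yet. The same option expression is built here and twice more in EvaluateAttestationPolicies, so a small accessor such as `func (c *Crafter) policyVerifierOpts() []policies.PolicyVerifierOption` would keep the allow-list in one place and make it harder to forget on the next verifier that is added. The diffstat lists no test file, so a regression test asserting that a policy group referencing a policy on a non-allowed host is rejected during material verification would pin the fix this commit makes. addMaterial starts and ends outside this hunk.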
@@ -657,13 +657,13 @@ func (c *Crafter) addMaterial(ctx context.Context, m *schemaapi.CraftingSchema_M
 // EvaluateAttestationPolicies evaluates the attestation-level policies and stores them in the attestation state
 func (c *Crafter) EvaluateAttestationPolicies(ctx context.Context, attestationID string, statement *intoto.Statement) error {
 // evaluate attestation-level policies
-pv := policies.NewPolicyVerifier(c.CraftingState.InputSchema, c.attClient, c.Logger)
+pv := policies.NewPolicyVerifier(c.CraftingState.InputSchema, c.attClient, c.Logger, policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...))
 policyEvaluations, err := pv.VerifyStatement(ctx, statement)
 if err != nil {
 return fmt.Errorf("evaluating policies in statement: %w", err)
 }
 
-pgv := policies.NewPolicyGroupVerifier(c.CraftingState.InputSchema, c.attClient, c.Logger)
+pgv := policies.NewPolicyGroupVerifier(c.CraftingState.InputSchema, c.attClient, c.Logger, policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...))
 policyGroupResults, err := pgv.VerifyStatement(ctx, statement)
 if err != nil {
 return fmt.Errorf("evaluating policy groups in statement: %w", err)
diff --git a/pkg/policies/policy_groups.go b/pkg/policies/policy_groups.go
index ddacfb597..42014844a 100644
--- a/pkg/policies/policy_groups.go
+++ b/pkg/policies/policy_groups.go
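Review bot: The meaning of an empty allow-list is not documented at the new `pv :=` line — whether `policies.WithAllowedHostnames()` with zero hostnames means "any host" or "no remote host" decides whether an unset `PoliciesAllowedHostnames` silently permits fetching policies from arbitrary hosts, and that is exactly what an auditor of this code path will want to know. A one-line comment above the call stating which it is, e.g. `// An empty PoliciesAllowedHostnames leaves remote policy fetches unrestricted; see WithAllowedHostnames.` (or the opposite, whichever WithAllowedHostnames implements), would settle it. Both new lines also read `c.CraftingState.Attestation.PoliciesAllowedHostnames` directly, which panics if Attestation is nil; evaluating it once into a local such as `allowed := c.CraftingState.GetAttestation().GetPoliciesAllowedHostnames()` (if these are generated nil-safe getters) and passing `policies.WithAllowedHostnames(allowed...)` to both constructors removes the duplication and the repeated dereference. EvaluateAttestationPolicies's body continues past the end of the hunk.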
@@ -40,9 +40,9 @@ type PolicyGroupVerifier struct {
 
 var _ Verifier = (*PolicyGroupVerifier)(nil)
 
-func NewPolicyGroupVerifier(schema *v1.CraftingSchema, client v13.AttestationServiceClient, logger *zerolog.Logger) *PolicyGroupVerifier {
+func NewPolicyGroupVerifier(schema *v1.CraftingSchema, client v13.AttestationServiceClient, logger *zerolog.Logger, opts ...PolicyVerifierOption) *PolicyGroupVerifier {
 return &PolicyGroupVerifier{schema: schema, client: client, logger: logger,
-PolicyVerifier: NewPolicyVerifier(schema, client, logger)}
+PolicyVerifier: NewPolicyVerifier(schema, client, logger, opts...)}
 }
 
 // VerifyMaterial evaluates a material against groups of policies defined in the schema
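Review bot: The exported constructor NewPolicyGroupVerifier still has no doc comment, and the new `opts` parameter deserves one because the options are forwarded only to the embedded PolicyVerifier and are not applied to the group verifier's own schema/client/logger fields; suggested: `// NewPolicyGroupVerifier returns a verifier for the policy groups declared in schema. opts are forwarded to the embedded PolicyVerifier (for example WithAllowedHostnames), so any restriction they impose applies to the policies each group references.` If PolicyGroupVerifier resolves group references itself (for instance fetching a group definition by URL) rather than going through the embedded PolicyVerifier, that fetch would still bypass the hostname allow-list this commit is wiring up — worth confirming in VerifyMaterial and VerifyStatement, both of which lie outside this hunk.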