From 0d20bd77fe072307e9fe50afab58b4a8ec308545 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Date: Mon, 11 Aug 2025 11:56:55 +0200 Subject: [PATCH 1/2] feat(policy-devel): support providing allowed hostnames Signed-off-by: Miguel Martinez --- app/cli/cmd/policy_develop_eval.go | 23 +++++++++++-------- .../internal/action/policy_develop_eval.go | 22 ++++++++++-------- app/cli/internal/policydevel/eval.go | 21 ++++++++++------- 3 files changed, 38 insertions(+), 28 deletions(-) diff --git a/app/cli/cmd/policy_develop_eval.go b/app/cli/cmd/policy_develop_eval.go index fcaf9891d..4e5409942 100644 --- a/app/cli/cmd/policy_develop_eval.go +++ b/app/cli/cmd/policy_develop_eval.go @@ -26,11 +26,12 @@ import ( func newPolicyDevelopEvalCmd() *cobra.Command { var ( - materialPath string - kind string - annotations []string - policyPath string - inputs []string + materialPath string + kind string + annotations []string + policyPath string + inputs []string + allowedHostnames []string ) cmd := &cobra.Command{ @@ -44,11 +45,12 @@ evaluates the policy against the provided material or attestation.`, chainloop policy eval --policy policy.yaml --material sbom.json --kind SBOM_CYCLONEDX_JSON --annotation key1=value1,key2=value2 --input key3=value3`, RunE: func(_ *cobra.Command, _ []string) error { opts := &action.PolicyEvalOpts{ - MaterialPath: materialPath, - Kind: kind, - Annotations: parseKeyValue(annotations), - PolicyPath: policyPath, - Inputs: parseKeyValue(inputs), + MaterialPath: materialPath, + Kind: kind, + Annotations: parseKeyValue(annotations), + PolicyPath: policyPath, + Inputs: parseKeyValue(inputs), + AllowedHostnames: allowedHostnames, } policyEval, err := action.NewPolicyEval(opts, actionOpts) 
@@ -71,6 +73,7 @@ evaluates the policy against the provided material or attestation.`, cmd.Flags().StringSliceVar(&annotations, "annotation", []string{}, "Key-value pairs of material annotations (key=value)") cmd.Flags().StringVarP(&policyPath, "policy", "p", "policy.yaml", "Path to custom policy file") cmd.Flags().StringSliceVar(&inputs, "input", []string{}, "Key-value pairs of policy inputs (key=value)") + cmd.Flags().StringSliceVar(&allowedHostnames, "allowed-hostnames", []string{}, "Additional hostnames allowed for http.send requests in policies") return cmd } diff --git a/app/cli/internal/action/policy_develop_eval.go b/app/cli/internal/action/policy_develop_eval.go index ba3f736d4..d4d22ba7c 100644 --- a/app/cli/internal/action/policy_develop_eval.go +++ b/app/cli/internal/action/policy_develop_eval.go @@ -22,11 +22,12 @@ import ( ) type PolicyEvalOpts struct { - MaterialPath string - Kind string - Annotations map[string]string - PolicyPath string - Inputs map[string]string + MaterialPath string + Kind string + Annotations map[string]string + PolicyPath string + Inputs map[string]string + AllowedHostnames []string } type PolicyEvalResult struct { @@ -50,11 +51,12 @@ func NewPolicyEval(opts *PolicyEvalOpts, actionOpts *ActionsOpts) (*PolicyEval, func (action *PolicyEval) Run() ([]*PolicyEvalResult, error) { evalOpts := &policydevel.EvalOptions{ - PolicyPath: action.opts.PolicyPath, - MaterialKind: action.opts.Kind, - Annotations: action.opts.Annotations, - MaterialPath: action.opts.MaterialPath, - Inputs: action.opts.Inputs, + PolicyPath: action.opts.PolicyPath, + MaterialKind: action.opts.Kind, + Annotations: action.opts.Annotations, + MaterialPath: action.opts.MaterialPath, + Inputs: action.opts.Inputs, + AllowedHostnames: action.opts.AllowedHostnames, } // Evaluate policy diff --git a/app/cli/internal/policydevel/eval.go b/app/cli/internal/policydevel/eval.go index 561f7a69b..eb7393888 100644 --- a/app/cli/internal/policydevel/eval.go 
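Review bot: The `--allowed-hostnames` values registered here reach the verifier untouched, so the help text should state what form an entry takes; if the comparison is against the bare host (the matching code is not in this patch), an entry such as `https://example.com` or one carrying a path would silently never match and the intended allowance would be lost. Consider normalizing at this boundary, e.g. trimming whitespace and rejecting entries that contain `://` or `/`, or at least widening the help string to `"Additional hostnames (bare host, no scheme or path) allowed for http.send requests in policies"`. Because this flag widens the network egress a policy may perform during evaluation, a sentence in the command's long description saying so would help users of the dev tool understand what they are enabling.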
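Review bot: `AllowedHostnames` is a new exported field on `PolicyEvalOpts` with no doc comment, and the same applies to the field added to `policydevel.EvalOptions` in the third file of this patch. A comment such as `// AllowedHostnames lists extra hosts that policies may reach through http.send during evaluation; nil or empty leaves the verifier's default allowlist unchanged.` would record both the purpose and the nil semantics that the `len(allowedHostnames) > 0` guard in verifyMaterial relies on. The "default allowlist unchanged" wording is my reading of the flag's "Additional" help text; adjust it if the verifier's default differs.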
+++ b/app/cli/internal/policydevel/eval.go @@ -29,11 +29,12 @@ import ( ) type EvalOptions struct { - PolicyPath string - MaterialKind string - Annotations map[string]string - MaterialPath string - Inputs map[string]string + PolicyPath string + MaterialKind string + Annotations map[string]string + MaterialPath string + Inputs map[string]string + AllowedHostnames []string } type EvalResult struct { @@ -58,7 +59,7 @@ func Evaluate(opts *EvalOptions, logger zerolog.Logger) ([]*EvalResult, error) { material.Annotations = opts.Annotations // 3. Verify material against policy - result, err := verifyMaterial(schema, material, opts.MaterialPath, &logger) + result, err := verifyMaterial(schema, material, opts.MaterialPath, opts.AllowedHostnames, &logger) if err != nil { return nil, err } @@ -81,8 +82,12 @@ func createCraftingSchema(policyPath string, inputs map[string]string) (*v1.Craf }, nil } -func verifyMaterial(schema *v1.CraftingSchema, material *v12.Attestation_Material, materialPath string, logger *zerolog.Logger) ([]*EvalResult, error) { - v := policies.NewPolicyVerifier(schema, nil, logger) +func verifyMaterial(schema *v1.CraftingSchema, material *v12.Attestation_Material, materialPath string, allowedHostnames []string, logger *zerolog.Logger) ([]*EvalResult, error) { + var opts []policies.PolicyVerifierOption + if len(allowedHostnames) > 0 { + opts = append(opts, policies.WithAllowedHostnames(allowedHostnames...)) + } + v := policies.NewPolicyVerifier(schema, nil, logger, opts...) policyEvs, err := v.VerifyMaterial(context.Background(), material, materialPath) if err != nil { return nil, err From bdeb0dbda5712d5bcf503dc6a423c1390c19fbe6 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Date: Mon, 11 Aug 2025 12:07:49 +0200 Subject: [PATCH 2/2] fix reference Signed-off-by: Miguel Martinez --- app/cli/documentation/cli-reference.mdx | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
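Review bot: verifyMaterial now widens the hosts a policy can contact through `http.send`, but nothing records which hosts were allowed for a given run; the `logger` parameter is already in scope, so a line before the `NewPolicyVerifier` call such as `logger.Debug().Strs("allowed_hostnames", allowedHostnames).Msg("extra hostnames allowed for policy http.send")` would make the effective allowlist visible when reviewing or debugging an evaluation. The `len(allowedHostnames) > 0` guard is reasonable, though if `policies.WithAllowedHostnames` already tolerates an empty argument list the option could be appended unconditionally and the `opts` slice dropped; that function is not visible in this patch. verifyMaterial's body continues past the end of the hunk.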
diff --git a/app/cli/documentation/cli-reference.mdx b/app/cli/documentation/cli-reference.mdx index e50a97435..61e361423 100755 --- a/app/cli/documentation/cli-reference.mdx +++ b/app/cli/documentation/cli-reference.mdx 
@@ -2810,12 +2810,13 @@ chainloop policy eval --policy policy.yaml --material sbom.json --kind SBOM_CYCL Options ``` ---annotation strings Key-value pairs of material annotations (key=value) --h, --help help for eval ---input strings Key-value pairs of policy inputs (key=value) ---kind string Kind of the material: ["ARTIFACT" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENVEX" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "TWISTCLI_SCAN_JSON" "ZAP_DAST_ZIP"] ---material string Path to material or attestation file --p, --policy string Path to custom policy file (default "policy.yaml") +--allowed-hostnames strings Additional hostnames allowed for http.send requests in policies +--annotation strings Key-value pairs of material annotations (key=value) +-h, --help help for eval +--input strings Key-value pairs of policy inputs (key=value) +--kind string Kind of the material: ["ARTIFACT" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENVEX" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "TWISTCLI_SCAN_JSON" "ZAP_DAST_ZIP"] +--material string Path to material or attestation file +-p, --policy string Path to custom policy file (default "policy.yaml") ``` Options inherited from parent commands