Skip to content

feat(contract): reject attestation level policies in materials#2484

Closed
Piskoo wants to merge 1 commit into
chainloop-dev:mainfrom
Piskoo:add-material-kind-policy-validation
Closed

feat(contract): reject attestation level policies in materials#2484
Piskoo wants to merge 1 commit into
chainloop-dev:mainfrom
Piskoo:add-material-kind-policy-validation

Conversation

@Piskoo

@Piskoo Piskoo commented Oct 27, 2025

Copy link
Copy Markdown
Contributor

This PR adds validation to contract creation and update, that prevents assigning policies that contain execution path for kind ATTESTATION on material level.

Example:

For sbom-present policy

apiVersion: workflowcontract.chainloop.dev/v1
kind: Policy
metadata:
  name: sbom-present
  description: desc
spec:
  policies:
    - kind: ATTESTATION
      path: sbom-present.rego

Valid contract

schema_version: v1
policies:
  attestation:
    - ref: sbom-present

Passes, the contract is created/updated

Invalid contract

schema_version: v1
policies:
  materials:
    - ref: sbom-present

Returns

ERR validation error: attestation policy "sbom-present" cannot be attached to materials
exit status 1

Already existing contracts are unaffected, invalid contract will also fail if raw contract is given during att init in --contract flag.

Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo Piskoo marked this pull request as ready for review October 27, 2025 13:31

// Check if any policy has kind ATTESTATION - this is not allowed for material-level policies
for _, policySpec := range policies {
if policySpec.GetKind() == schemav1.CraftingSchema_Material_ATTESTATION {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we need to review this because we support providing ATTESTATION as material type. But maybe the key here is to make sure it's not the only option. cc/ @jiparis

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ATTESTATION policies can be designed to run against an attestation material, or against the attestation itself (or both), but I don't think we have enough information at this point to know it, even if it's the only execution path.

In my opinion, we have two options:

  • change the semantics so that ATTESTATION materials are not allowed anymore (what this PR is implementing).
  • or some kind of metadata in the policy that allow policy authors to specify how the policy should be run.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could also "double check" if the users' intention was to apply attestation policy to a material, to do that we could require a selector

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What policies do we have that use an attestation as the material?

@Piskoo Piskoo marked this pull request as draft November 10, 2025 08:40
@github-actions

Copy link
Copy Markdown
Contributor

This pull request is stale because it has been open for 60 days with no activity. It will be closed in 7 days if no further activity occurs.

@github-actions github-actions Bot added the Stale label Feb 23, 2026
@github-actions

github-actions Bot commented Mar 3, 2026

Copy link
Copy Markdown
Contributor

This pull request was closed because it has been inactive for 7 days since being marked as stale. Feel free to reopen if it is still relevant.

@github-actions github-actions Bot closed this Mar 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants