Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 33 additions & 23 deletions app/cli/cmd/attestation_push.go
Original file line number Diff line number Diff line change
Expand Up @@ -138,29 +138,8 @@ func newAttestationPushCmd() *cobra.Command {
return fmt.Errorf("failed to render output: %w", err)
}

// Block if any of the policies has been configured as a gate
for _, evaluations := range res.Status.PolicyEvaluations {
for _, eval := range evaluations {
if len(eval.Violations) > 0 && eval.Gate {
if bypassPolicyCheck {
logger.Warn().Msg(exceptionBypassPolicyCheck)
continue
}
return NewGateError(eval.Name)
}
}
}

// Do a final check in case the operator has configured the attestation to be blocked on any policy violation
if res.Status.MustBlockOnPolicyViolations {
if bypassPolicyCheck {
logger.Warn().Msg(exceptionBypassPolicyCheck)
return nil
}

if res.Status.HasPolicyViolations {
return ErrBlockedByPolicyViolation
}
if err := validatePolicyEnforcement(res.Status, bypassPolicyCheck); err != nil {
return err
}

return nil
Expand Down Expand Up @@ -199,3 +178,34 @@ func NewGateError(policyName string) error {
func (e *GateError) Error() string {
return fmt.Sprintf("the policy %q is configured as a gate and has violations", e.PolicyName)
}

func validatePolicyEnforcement(status *action.AttestationStatusResult, bypassPolicyCheck bool) error {
// Block if any of the policies has been configured as a gate.
for _, evaluations := range status.PolicyEvaluations {
for _, eval := range evaluations {
if len(eval.Violations) > 0 && eval.Gate {
if bypassPolicyCheck {
logger.Warn().Msg(exceptionBypassPolicyCheck)
continue
}

return NewGateError(eval.Name)
}
}
}

// Do a final check in case the operator has configured the attestation
// to be blocked on any policy violation.
if status.MustBlockOnPolicyViolations {
if bypassPolicyCheck {
logger.Warn().Msg(exceptionBypassPolicyCheck)
return nil
}

if status.HasPolicyViolations {
return ErrBlockedByPolicyViolation
}
}

return nil
}
70 changes: 70 additions & 0 deletions app/cli/cmd/attestation_push_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
//
// Copyright 2026 The Chainloop Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cmd

import (
"testing"

"github.com/chainloop-dev/chainloop/app/cli/pkg/action"
"github.com/stretchr/testify/require"
)

func TestValidatePolicyEnforcement(t *testing.T) {
t.Run("does not block when strategy is advisory and policy is not gated", func(t *testing.T) {
status := &action.AttestationStatusResult{
PolicyEvaluations: map[string][]*action.PolicyEvaluation{
"materials": {
{
Name: "cdx-fresh",
Gate: false,
Violations: []*action.PolicyViolation{
{Message: "policy violation"},
},
},
},
},
HasPolicyViolations: true,
MustBlockOnPolicyViolations: false,
}

err := validatePolicyEnforcement(status, false)
require.NoError(t, err)
})

t.Run("returns gate error when strategy is advisory and policy is gated", func(t *testing.T) {
status := &action.AttestationStatusResult{
PolicyEvaluations: map[string][]*action.PolicyEvaluation{
"materials": {
{
Name: "cdx-fresh",
Gate: true,
Violations: []*action.PolicyViolation{
{Message: "policy violation"},
},
},
},
},
HasPolicyViolations: true,
MustBlockOnPolicyViolations: false,
}

err := validatePolicyEnforcement(status, false)
require.Error(t, err)
var gateErr *GateError
require.ErrorAs(t, err, &gateErr)
require.Equal(t, "cdx-fresh", gateErr.PolicyName)
})
}
Loading