Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 15 additions & 2 deletions app/controlplane/cmd/wire.go
Original file line number Diff line number Diff line change
Expand Up @@ -138,12 +138,13 @@ func newAuthAllowList(conf *conf.Bootstrap) *pkgConf.AllowList {
var cacheProviderSet = wire.NewSet(
newMembershipsCache,
newClaimsCache,
newPolicyEvalBundleCache,
)

func newClaimsCache(conn *nats.Conn, logger log.Logger) (cache.Cache[*jwt.MapClaims], error) {
l := log.NewHelper(logger)
backend := "memory"
opts := []cache.Option{cache.WithTTL(10 * time.Second), cache.WithLogger(&kratosLogAdapter{h: l})}
opts := []cache.Option{cache.WithTTL(10 * time.Second), cache.WithLogger(&kratosLogAdapter{h: l}), cache.WithDescription("Cache for JWT claims")}
if conn != nil {
backend = "nats"
opts = append(opts, cache.WithNATS(conn, "chainloop-jwt-claims"))
Expand All @@ -155,7 +156,7 @@ func newClaimsCache(conn *nats.Conn, logger log.Logger) (cache.Cache[*jwt.MapCla
func newMembershipsCache(conn *nats.Conn, logger log.Logger) (cache.Cache[*entities.Membership], error) {
l := log.NewHelper(logger)
backend := "memory"
opts := []cache.Option{cache.WithTTL(time.Second), cache.WithLogger(&kratosLogAdapter{h: l})}
opts := []cache.Option{cache.WithTTL(time.Second), cache.WithLogger(&kratosLogAdapter{h: l}), cache.WithDescription("Cache for org memberships")}
if conn != nil {
backend = "nats"
opts = append(opts, cache.WithNATS(conn, "chainloop-memberships"))
Expand All @@ -164,6 +165,18 @@ func newMembershipsCache(conn *nats.Conn, logger log.Logger) (cache.Cache[*entit
return cache.New[*entities.Membership](opts...)
}

func newPolicyEvalBundleCache(conn *nats.Conn, logger log.Logger) (cache.Cache[[]byte], error) {
l := log.NewHelper(logger)
backend := "memory"
opts := []cache.Option{cache.WithTTL(24 * time.Hour), cache.WithLogger(&kratosLogAdapter{h: l}), cache.WithDescription("Cache for policy evaluation bundles from CAS")}
if conn != nil {
backend = "nats"
opts = append(opts, cache.WithNATS(conn, "chainloop-policy-eval-bundles"))
}
l.Infow("msg", "cache initialized", "bucket", "chainloop-policy-eval-bundles", "backend", backend, "ttl", "24h")
return cache.New[[]byte](opts...)
}

// kratosLogAdapter adapts kratos log.Helper (Debugw(...interface{})) to cache.Logger (Debugw(string, ...any)).
type kratosLogAdapter struct{ h *log.Helper }

Expand Down
29 changes: 25 additions & 4 deletions app/controlplane/cmd/wire_gen.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

7 changes: 1 addition & 6 deletions app/controlplane/internal/service/attestation.go
Original file line number Diff line number Diff line change
Expand Up @@ -533,7 +533,7 @@ func (s *AttestationService) GetPolicyGroup(ctx context.Context, req *cpAPI.Atte
}}, nil
}

func bizAttestationToPb(att *biz.Attestation) (*cpAPI.AttestationItem, error) {
func bizAttestationToPb(att *biz.Attestation, predicate chainloop.NormalizablePredicate) (*cpAPI.AttestationItem, error) {
if att == nil || att.Envelope == nil {
return nil, nil
}
Expand All @@ -543,11 +543,6 @@ func bizAttestationToPb(att *biz.Attestation) (*cpAPI.AttestationItem, error) {
return nil, err
}

predicate, err := chainloop.ExtractPredicate(att.Envelope)
if err != nil {
return nil, fmt.Errorf("error extracting predicate from attestation: %w", err)
}

materials, err := extractMaterials(predicate.GetMaterials())
if err != nil {
return nil, fmt.Errorf("error extracting materials from attestation: %w", err)
Expand Down
78 changes: 76 additions & 2 deletions app/controlplane/internal/service/workflowrun.go
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
//
// Copyright 2024-2025 The Chainloop Authors.
// Copyright 2024-2026 The Chainloop Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
Expand All @@ -16,6 +16,7 @@
package service

import (
"bytes"
"context"
"fmt"
"slices"
Expand All @@ -25,9 +26,12 @@ import (
"github.com/chainloop-dev/chainloop/app/controlplane/pkg/authz"
"github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz"
"github.com/chainloop-dev/chainloop/app/controlplane/pkg/pagination"
chainloop "github.com/chainloop-dev/chainloop/pkg/attestation/renderer/chainloop"
"github.com/chainloop-dev/chainloop/pkg/cache"
"github.com/chainloop-dev/chainloop/pkg/credentials"
errors "github.com/go-kratos/kratos/v2/errors"
"github.com/google/uuid"
intoto "github.com/in-toto/attestation/go/v1"
"google.golang.org/protobuf/types/known/timestamppb"
)

Expand All @@ -40,6 +44,9 @@ type WorkflowRunService struct {
workflowContractUseCase *biz.WorkflowContractUseCase
projectUseCase *biz.ProjectUseCase
credsReader credentials.Reader
casClient biz.CASClient
casMappingUC *biz.CASMappingUseCase
policyEvalCache cache.Cache[[]byte]
}

type NewWorkflowRunServiceOpts struct {
Expand All @@ -48,6 +55,9 @@ type NewWorkflowRunServiceOpts struct {
WorkflowContractUC *biz.WorkflowContractUseCase
ProjectUC *biz.ProjectUseCase
CredsReader credentials.Reader
CASClient biz.CASClient
CASMappingUC *biz.CASMappingUseCase
PolicyEvalCache cache.Cache[[]byte]
Opts []NewOpt
}

Expand All @@ -59,9 +69,56 @@ func NewWorkflowRunService(opts *NewWorkflowRunServiceOpts) *WorkflowRunService
workflowContractUseCase: opts.WorkflowContractUC,
projectUseCase: opts.ProjectUC,
credsReader: opts.CredsReader,
casClient: opts.CASClient,
casMappingUC: opts.CASMappingUC,
policyEvalCache: opts.PolicyEvalCache,
}
}

type casResolvedPredicate struct {
chainloop.NormalizablePredicate
evals map[string][]*chainloop.PolicyEvaluation
}

func (p *casResolvedPredicate) GetPolicyEvaluations() map[string][]*chainloop.PolicyEvaluation {
return p.evals
}

func (s *WorkflowRunService) resolvePolicyEvaluations(
ctx context.Context,
ref *intoto.ResourceDescriptor,
orgID uuid.UUID,
) (map[string][]*chainloop.PolicyEvaluation, error) {
if ref == nil {
return nil, nil
}

hexDigest, ok := ref.Digest["sha256"]
if !ok {
return nil, fmt.Errorf("no sha256 digest in policy evaluations ref")
}
digest := fmt.Sprintf("sha256:%s", hexDigest)

if cached, found, err := s.policyEvalCache.Get(ctx, digest); err == nil && found {
Comment thread
cubic-dev-ai[bot] marked this conversation as resolved.
return chainloop.PolicyEvaluationsFromBundle(cached)
}

mapping, err := s.casMappingUC.FindCASMappingForDownloadByOrg(ctx, digest, []uuid.UUID{orgID}, nil)
if err != nil {
return nil, fmt.Errorf("finding CAS mapping: %w", err)
}

var buf bytes.Buffer
if err := s.casClient.Download(ctx, string(mapping.CASBackend.Provider), mapping.CASBackend.SecretName, &buf, digest); err != nil {
return nil, fmt.Errorf("downloading policy eval bundle: %w", err)
}

data := buf.Bytes()
_ = s.policyEvalCache.Set(ctx, digest, data)

return chainloop.PolicyEvaluationsFromBundle(data)
}

func (s *WorkflowRunService) List(ctx context.Context, req *pb.WorkflowRunServiceListRequest) (*pb.WorkflowRunServiceListResponse, error) {
currentOrg, err := requireCurrentOrg(ctx)
if err != nil {
Expand Down Expand Up @@ -185,7 +242,24 @@ func (s *WorkflowRunService) View(ctx context.Context, req *pb.WorkflowRunServic
verificationResult = bizVerificationToPb(vr)
}

attestation, err := bizAttestationToPb(run.Attestation)
var predicate chainloop.NormalizablePredicate
if run.Attestation != nil && run.Attestation.Envelope != nil {
predicate, err = chainloop.ExtractPredicate(run.Attestation.Envelope)
if err != nil {
return nil, handleUseCaseErr(err, s.log)
}

if ref := predicate.GetPolicyEvaluationsRef(); ref != nil {
resolved, resolveErr := s.resolvePolicyEvaluations(ctx, ref, run.Workflow.OrgID)
if resolveErr != nil {
s.log.Warnw("msg", "failed to resolve policy evaluations from CAS, using inline", "err", resolveErr)
} else if resolved != nil {
predicate = &casResolvedPredicate{NormalizablePredicate: predicate, evals: resolved}
}
}
}

attestation, err := bizAttestationToPb(run.Attestation, predicate)
if err != nil {
return nil, handleUseCaseErr(err, s.log)
}
Expand Down
27 changes: 21 additions & 6 deletions pkg/attestation/renderer/chainloop/v02.go
Original file line number Diff line number Diff line change
Expand Up @@ -288,12 +288,27 @@ func (r *RendererV02) predicate() (*structpb.Struct, error) {
return predicate, nil
}

// collect all policy evaluations grouped by material and returns if there is a policy violation
func mappedPolicyEvaluations(att *v1.Attestation) (map[string][]*PolicyEvaluation, bool, error) {
var hasPolicyViolations bool
result := map[string][]*PolicyEvaluation{}
return groupEvaluations(att.GetPolicyEvaluations())
}

// PolicyEvaluationsFromBundle deserializes a PolicyEvaluationBundle from protojson bytes
// and returns evaluations grouped by material name.
func PolicyEvaluationsFromBundle(data []byte) (map[string][]*PolicyEvaluation, error) {
var bundle v1.PolicyEvaluationBundle
if err := protojson.Unmarshal(data, &bundle); err != nil {
return nil, fmt.Errorf("unmarshaling policy evaluation bundle: %w", err)
}

evals, _, err := groupEvaluations(bundle.GetEvaluations())
return evals, err
}

func groupEvaluations(evals []*v1.PolicyEvaluation) (map[string][]*PolicyEvaluation, bool, error) {
var hasViolations bool
result := make(map[string][]*PolicyEvaluation)

for _, p := range att.GetPolicyEvaluations() {
for _, p := range evals {
keyName := p.MaterialName
if keyName == "" {
keyName = AttPolicyEvaluation
Expand All @@ -305,13 +320,13 @@ func mappedPolicyEvaluations(att *v1.Attestation) (map[string][]*PolicyEvaluatio
}

if len(ev.Violations) > 0 {
hasPolicyViolations = true
hasViolations = true
}

result[keyName] = append(result[keyName], ev)
}

return result, hasPolicyViolations, nil
return result, hasViolations, nil
}

func renderEvaluation(ev *v1.PolicyEvaluation) (*PolicyEvaluation, error) {
Expand Down
Loading
Loading