6 changes: 5 additions & 1 deletion app/cli/cmd/organization_describe.go
@@ -51,7 +51,7 @@ func contextTableOutput(config *action.ConfigContextItem) error {
gt.AppendSeparator()

if m := config.CurrentMembership; m != nil {
orgInfo := fmt.Sprintf("%s (role=%s)\nPolicy strategy=%s", m.Org.Name, m.Role, m.Org.PolicyViolationBlockingStrategy)
orgInfo := fmt.Sprintf("%s (role=%s)\nPolicy strategy: %s", m.Org.Name, m.Role, m.Org.PolicyViolationBlockingStrategy)
if len(m.Org.PolicyAllowedHostnames) > 0 {
orgInfo += fmt.Sprintf("\nPolicy allowed hostnames: %v", strings.Join(m.Org.PolicyAllowedHostnames, ", "))
}
@@ -60,6 +60,10 @@ func contextTableOutput(config *action.ConfigContextItem) error {
orgInfo += fmt.Sprintf("\nAPI token auto-revoke after: %s days inactive", *m.Org.APITokenMaxDaysInactive)
}

if m.Org.BlockAttestationsOnReleasedVersions {
orgInfo += "\nBlock attestations on released versions: enabled"
}

gt.AppendRow(table.Row{"Organization", orgInfo})
}

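Review bot: In `contextTableOutput` the new row text is appended only when `m.Org.BlockAttestationsOnReleasedVersions` is true, so in the table view the only sign that the control is off is a missing line, which looks the same as a control plane that never reported the field. For a setting that protects released versions, stating the value in both cases makes an audit of the organization easier, for example by closing the block with `} else { orgInfo += "\nBlock attestations on released versions: disabled" }`. The JSON form of `OrgItem` in membership_list.go always carries the field, so this only affects the table output. The function starts and ends outside the visible hunks.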
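--- a/app/cli/cmd/organization_update.go
+++ b/app/cli/cmd/organization_update.go
@@ -25,13 +25,14 @@ import (
 
 func newOrganizationUpdateCmd() *cobra.Command {
 var (
-orgName string
-blockOnPolicyViolation bool
-policiesAllowedHostnames []string
-preventImplicitWorkflowCreation bool
-restrictContractCreation bool
-apiTokenMaxDaysInactive string
-enableAIAgentCollector bool
+orgName string
+blockOnPolicyViolation bool
+policiesAllowedHostnames []string
+preventImplicitWorkflowCreation bool
+restrictContractCreation bool
+apiTokenMaxDaysInactive string
+enableAIAgentCollector bool
+blockAttestationsOnReleasedVersions bool
 )
 
 cmd := &cobra.Command{
@@ -59,6 +60,10 @@ func newOrganizationUpdateCmd() *cobra.Command {
 opts.EnableAIAgentCollector = &enableAIAgentCollector
 }
 
+if cmd.Flags().Changed("block-attestations-on-released-versions") {
+opts.BlockAttestationsOnReleasedVersions = &blockAttestationsOnReleasedVersions
+}
+
 if cmd.Flags().Changed("api-token-max-days-inactive") {
 days, err := strconv.Atoi(apiTokenMaxDaysInactive)
 if err != nil {
@@ -90,5 +95,6 @@ func newOrganizationUpdateCmd() *cobra.Command {
 cmd.Flags().BoolVar(&restrictContractCreation, "restrict-contract-creation", false, "restrict contract creation (org-level and project-level) to only organization admins (owner/admin roles)")
 cmd.Flags().StringVar(&apiTokenMaxDaysInactive, "api-token-max-days-inactive", "", "maximum days of inactivity before API tokens are auto-revoked (e.g. '90', '0' to disable)")
 cmd.Flags().BoolVar(&enableAIAgentCollector, "enable-ai-agent-collector", false, "enable automatic AI agent config collection during attestation init")
+cmd.Flags().BoolVar(&blockAttestationsOnReleasedVersions, "block-attestations-on-released-versions", false, "reject new attestations pushed to project versions that are already released")
 return cmd
 }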
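Review bot: The flag name `"block-attestations-on-released-versions"` is spelled out twice, once in the `Changed(...)` check and once in `BoolVar(...)`, and pflag's `Changed` returns false for a name it does not know, so a typo in either copy would turn the option into a silent no-op for a setting that guards released versions. A shared constant such as `const blockReleasedFlag = "block-attestations-on-released-versions"` used at both sites removes that failure mode. The help text could also say that leaving the flag out keeps the organization's current value and that `--block-attestations-on-released-versions=false` switches the control off, since the `Changed` gate is what makes that distinction. The body of `newOrganizationUpdateCmd` continues between the visible hunks.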
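--- a/app/cli/documentation/cli-reference.mdx
+++ b/app/cli/documentation/cli-reference.mdx
@@ -2908,14 +2908,15 @@ chainloop organization update [flags]
 Options
 
 ```
---api-token-max-days-inactive string maximum days of inactivity before API tokens are auto-revoked (e.g. '90', '0' to disable)
---block set the default policy violation blocking strategy
---enable-ai-agent-collector enable automatic AI agent config collection during attestation init
--h, --help help for update
---name string organization name
---policies-allowed-hostnames strings set the allowed hostnames for the policy engine
---prevent-implicit-workflow-creation prevent workflows and projects from being created implicitly during attestation init
---restrict-contract-creation restrict contract creation (org-level and project-level) to only organization admins (owner/admin roles)
+--api-token-max-days-inactive string maximum days of inactivity before API tokens are auto-revoked (e.g. '90', '0' to disable)
+--block set the default policy violation blocking strategy
+--block-attestations-on-released-versions reject new attestations pushed to project versions that are already released
+--enable-ai-agent-collector enable automatic AI agent config collection during attestation init
+-h, --help help for update
+--name string organization name
+--policies-allowed-hostnames strings set the allowed hostnames for the policy engine
+--prevent-implicit-workflow-creation prevent workflows and projects from being created implicitly during attestation init
+--restrict-contract-creation restrict contract creation (org-level and project-level) to only organization admins (owner/admin roles)
 ```
 
 Options inherited from parent commands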
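--- a/app/cli/main.go
+++ b/app/cli/main.go
@@ -67,6 +67,7 @@ func errorInfo(err error, logger zerolog.Logger) (string, int) {
 if errors.As(err, &gs) {
 knownCodes := []codes.Code{
 codes.AlreadyExists, codes.InvalidArgument, codes.NotFound, codes.PermissionDenied,
+codes.FailedPrecondition,
 }
 
 grpcStatus := gs.GRPCStatus()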
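Review bot: `codes.FailedPrecondition` joins `knownCodes` without a comment, and the list applies to every RPC the CLI makes, not only to the released-version rejection this change introduces. The rest of `errorInfo` is outside the hunk, but if known codes have their server-supplied message shown to the user as written (which the name suggests), any existing handler that already returns FailedPrecondition will now have its message printed too, so those messages are worth a check for internal detail. A short comment such as `// FailedPrecondition: e.g. attestation rejected because the project version is already released` would record why the code is listed.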
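--- a/app/cli/pkg/action/membership_list.go
+++ b/app/cli/pkg/action/membership_list.go
@@ -29,14 +29,15 @@ type MembershipList struct {
 }
 
 type OrgItem struct {
-ID string `json:"id"`
-Name string `json:"name"`
-CreatedAt *time.Time `json:"createdAt"`
-PolicyViolationBlockingStrategy string `json:"policyViolationBlockingStrategy"`
-PolicyAllowedHostnames []string `json:"policyAllowedHostnames,omitempty"`
-PreventImplicitWorkflowCreation bool `json:"preventImplicitWorkflowCreation"`
-APITokenMaxDaysInactive *string `json:"apiTokenMaxDaysInactive,omitempty"`
-EnableAIAgentCollector bool `json:"enableAiAgentCollector"`
+ID string `json:"id"`
+Name string `json:"name"`
+CreatedAt *time.Time `json:"createdAt"`
+PolicyViolationBlockingStrategy string `json:"policyViolationBlockingStrategy"`
+PolicyAllowedHostnames []string `json:"policyAllowedHostnames,omitempty"`
+PreventImplicitWorkflowCreation bool `json:"preventImplicitWorkflowCreation"`
+APITokenMaxDaysInactive *string `json:"apiTokenMaxDaysInactive,omitempty"`
+EnableAIAgentCollector bool `json:"enableAiAgentCollector"`
+BlockAttestationsOnReleasedVersions bool `json:"blockAttestationsOnReleasedVersions"`
 }
 
 type MembershipItem struct {
@@ -134,12 +135,13 @@ func (action *MembershipList) ListMembers(ctx context.Context, page int, pageSiz
 
 func pbOrgItemToAction(in *pb.OrgItem) *OrgItem {
 i := &OrgItem{
-ID: in.Id,
-Name: in.Name,
-CreatedAt: toTimePtr(in.CreatedAt.AsTime()),
-PolicyAllowedHostnames: in.PolicyAllowedHostnames,
-PreventImplicitWorkflowCreation: in.PreventImplicitWorkflowCreation,
-EnableAIAgentCollector: in.EnableAiAgentCollector,
+ID: in.Id,
+Name: in.Name,
+CreatedAt: toTimePtr(in.CreatedAt.AsTime()),
+PolicyAllowedHostnames: in.PolicyAllowedHostnames,
+PreventImplicitWorkflowCreation: in.PreventImplicitWorkflowCreation,
+EnableAIAgentCollector: in.EnableAiAgentCollector,
+BlockAttestationsOnReleasedVersions: in.BlockAttestationsOnReleasedVersions,
 }
 
 if in.DefaultPolicyViolationStrategy == pb.OrgItem_POLICY_VIOLATION_BLOCKING_STRATEGY_BLOCK {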
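--- a/app/cli/pkg/action/org_update.go
+++ b/app/cli/pkg/action/org_update.go
@@ -40,6 +40,8 @@ type NewOrgUpdateOpts struct {
 APITokenMaxDaysInactive *int
 // EnableAIAgentCollector enables automatic AI agent config collection during attestation init
 EnableAIAgentCollector *bool
+// BlockAttestationsOnReleasedVersions rejects new attestations pushed to project versions that are already released
+BlockAttestationsOnReleasedVersions *bool
 }
 
 func (action *OrgUpdate) Run(ctx context.Context, name string, opts *NewOrgUpdateOpts) (*OrgItem, error) {
@@ -51,6 +53,7 @@ func (action *OrgUpdate) Run(ctx context.Context, name string, opts *NewOrgUpdat
 PreventImplicitWorkflowCreation: opts.PreventImplicitWorkflowCreation,
 RestrictContractCreationToOrgAdmins: opts.RestrictContractCreation,
 EnableAiAgentCollector: opts.EnableAIAgentCollector,
+BlockAttestationsOnReleasedVersions: opts.BlockAttestationsOnReleasedVersions,
 }
 
 if opts.PoliciesAllowedHostnames != nil {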
21 changes: 16 additions & 5 deletions app/controlplane/api/controlplane/v1/organization.pb.go


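--- a/app/controlplane/api/controlplane/v1/organization.proto
+++ b/app/controlplane/api/controlplane/v1/organization.proto
@@ -105,6 +105,9 @@ message OrganizationServiceUpdateRequest {
 
 // Enable automatic AI agent config collection during attestation init
 optional bool enable_ai_agent_collector = 8;
+
+// Reject new attestations pushed to project versions that are already released (prerelease == false)
+optional bool block_attestations_on_released_versions = 9;
 }
 
 message OrganizationServiceUpdateResponse {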
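Review bot: The comment on `block_attestations_on_released_versions` describes what the setting does but not what an unset value means or who may change it, and this field is the switch that turns off a control protecting released versions. The server handler is not part of the visible diff, so both may already be handled there; if so, the field comment is the place to record it, along the lines of `// Unset leaves the stored value unchanged; false disables the check.` plus a line naming the role required to change it. It is also worth confirming that a change of this field is recorded in the organization's audit trail, since disabling it reopens released versions to new attestations.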
18 changes: 14 additions & 4 deletions app/controlplane/api/controlplane/v1/response_messages.pb.go


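--- a/app/controlplane/api/controlplane/v1/response_messages.proto
+++ b/app/controlplane/api/controlplane/v1/response_messages.proto
@@ -391,6 +391,8 @@ message OrgItem {
 optional int32 api_token_max_days_inactive = 9;
 // Whether AI agent config collection is automatically enabled during attestation init
 bool enable_ai_agent_collector = 10;
+// Whether new attestations are rejected on project versions that are already released (prerelease == false)
+bool block_attestations_on_released_versions = 11;
 
 enum PolicyViolationBlockingStrategy {
 POLICY_VIOLATION_BLOCKING_STRATEGY_UNSPECIFIED = 0;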
