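apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sexternaldatafromorgwithsigner
spec:
  crd:
    spec:
      names:
        kind: K8sExternalDataFromOrgWithSigner
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sexternaldata

        # Placeholders to edit: the GitHub orgs allowed to own the source
        # repository, and the "org/repo" of the workflows allowed to sign.
        allowed_orgs := ["your-org-1", "your-org-2"]
        allowed_signer_repos := ["your-org-1/your-repo"]

        # Pod-spec fields that carry container images. Init and ephemeral
        # containers run images too, so they are checked alongside containers.
        container_fields := ["containers", "initContainers", "ephemeralContainers"]

        # Every image referenced by the reviewed object's pod spec.
        images := [img |
          field := container_fields[_]
          img := input.review.object.spec[field][_].image
        ]

        # One provider round trip covering all images of the object.
        attestation_response := external_data({"provider": "artifact-attestations-opa-provider", "keys": images})

        # Provider-level failure: deny rather than assume the images are fine.
        violation[{"msg": msg}] {
          response := attestation_response
          response_with_error(response)
          msg := sprintf("invalid response: %v", [response])
        }

        # Per-image check. Each image must have its own matching attestation;
        # a single compliant image must not vouch for the others in the pod.
        violation[{"msg": msg}] {
          entry := attestation_response.responses[_]
          image := entry[0]
          attestations := entry[1]
          not from_org_with_signer(attestations, allowed_orgs, allowed_signer_repos)
          msg := sprintf("image %v has no SLSA provenance attestation from an allowed org and signer", [image])
        }

        # An image the provider returned no entry for is denied as well, so a
        # missing answer never fails open.
        violation[{"msg": msg}] {
          image := images[_]
          not image_answered(image)
          msg := sprintf("no attestation response for image %v", [image])
        }

        image_answered(image) {
          attestation_response.responses[_][0] == image
        }

        response_with_error(response) {
          count(response.errors) > 0
        }

        response_with_error(response) {
          response.system_error != ""
        }

        # True when at least one attestation is SLSA v1 provenance issued via
        # GitHub Actions OIDC, with a source owner in orgs and a build signer
        # workflow living in one of signer_repos.
        from_org_with_signer(attestations, orgs, signer_repos) {
          some k, l, m
          attestation := attestations[k]
          attestation.statement.predicateType == "https://slsa.dev/provenance/v1"
          cert := attestation.signature.certificate
          cert.issuer == "https://token.actions.githubusercontent.com"
          # Source owner org must be allowed. The leading "/" prevents a
          # suffix match such as "evil-your-org-1" passing for "your-org-1".
          endswith(cert.sourceRepositoryOwnerURI, concat("", ["/", orgs[l]]))
          # buildSignerURI names a workflow file under the repo's .github
          # directory (with a trailing @ref); keep only what precedes the
          # first "/.github/" to get the repo.
          p := indexof(cert.buildSignerURI, "/.github/")
          # indexof yields -1 when the marker is absent and substring would
          # then return the whole URI; fail closed instead of comparing that.
          p > 0
          # Re-add the "/" so the comparison is delimited at the org boundary.
          signer_repo := concat("", ["/", substring(cert.buildSignerURI, 0, p)])
          endswith(signer_repo, concat("", ["/", signer_repos[m]]))
        }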