Merge pull request #32 from lcarva/HACBS-2556

Update policy data references and policy url checks
enterprise-contract · Sep 14, 2023 · 100b5a1 · 100b5a1
2 parents b215662 + 46676ed
commit 100b5a1
Show file tree

Hide file tree

Showing 12 changed files with 98 additions and 16 deletions.
diff --git a/Makefile b/Makefile
@@ -5,14 +5,14 @@ _default: all
 DATA_JSON=src/data.json
 
 POLICY_TEMPLATE=src/policy.yaml.tmpl
-POLICY_RHTAP_TEMPLATE='src/policy-rhtap.yaml.tmpl'
-POLICY_GITHUB_TEMPLATE='src/policy-github.yaml.tmpl'
+POLICY_RHTAP_TEMPLATE=src/policy-rhtap.yaml.tmpl
+POLICY_GITHUB_TEMPLATE=src/policy-github.yaml.tmpl
 
 ifndef GOMPLATE
 	GOMPLATE=gomplate
 endif
 
-%/policy.yaml: $(POLICY_TEMPLATE) $(DATA_JSON) Makefile
+%/policy.yaml: $(POLICY_TEMPLATE) $(DATA_JSON) $(POLICY_RHTAP_TEMPLATE) $(POLICY_GITHUB_TEMPLATE) Makefile
 	@mkdir -p $(*)
 	@env NAME=$(*) $(GOMPLATE) -d data=$(DATA_JSON) --file $< \
 		-t rhtap=$(POLICY_RHTAP_TEMPLATE) -t github=$(POLICY_GITHUB_TEMPLATE) \
@@ -25,7 +25,7 @@ README_RHTAP_TEMPLATE=src/README-rhtap.md.tmpl
 README_GITHUB_TEMPLATE=src/README-github.md.tmpl
 README_FILE=README.md
 
-$(README_FILE): $(README_TEMPLATE) $(DATA_JSON) Makefile
+$(README_FILE): $(README_TEMPLATE) $(DATA_JSON) $(README_RHTAP_TEMPLATE) $(README_GITHUB_TEMPLATE) Makefile
 	@$(GOMPLATE) -d data=$(DATA_JSON) --file $< \
 		-t rhtap=$(README_RHTAP_TEMPLATE) -t github=$(README_GITHUB_TEMPLATE) \
 		> $@

diff --git a/default/policy.yaml b/default/policy.yaml
@@ -24,7 +24,8 @@ sources:
       - github.com/enterprise-contract/ec-policies//policy/lib
       - github.com/enterprise-contract/ec-policies//policy/release
     data:
-      - github.com/enterprise-contract/ec-policies//data
+      - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest
+      - github.com/release-engineering/rhtap-ec-policy//data
 
 configuration:
   include:

diff --git a/everything/policy.yaml b/everything/policy.yaml
@@ -24,7 +24,8 @@ sources:
       - github.com/enterprise-contract/ec-policies//policy/lib
       - github.com/enterprise-contract/ec-policies//policy/release
     data:
-      - github.com/enterprise-contract/ec-policies//data
+      - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest
+      - github.com/release-engineering/rhtap-ec-policy//data
 
 configuration:
   include:

diff --git a/github-default/policy.yaml b/github-default/policy.yaml
@@ -13,8 +13,7 @@ sources:
     policy:
       - github.com/enterprise-contract/ec-policies//policy/lib
       - github.com/enterprise-contract/ec-policies//policy/release
-    data:
-      - github.com/enterprise-contract/ec-policies//data
+    data: []
 
 configuration:
   include:

diff --git a/hack/verify-policy-sources.sh b/hack/verify-policy-sources.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Verify the policy source URLs are valid.
+# Usage:
+#   verify-policy-sources.sh
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+ERRORS=false
+
+verify_url() {
+    url=$1
+    inspect_type=$2
+    echo -e "\n🕵️‍♀️ $url..."
+
+    set +e
+    info="$(ec inspect "${inspect_type}" --source "${url}" --output=json)"
+    inspect_status=$?
+    set -e
+    if [[ $inspect_status -ne 0 ]]; then
+        echo '❌ Unable to inspect policy URL'
+        ERRORS=true
+        return
+    else
+        echo '✅ Policy URL inspection successful'
+    fi
+
+    set +e
+    echo "${info}" | jq '.' > /dev/null
+    jq_status=$?
+    set -e
+    if [[ $jq_status -ne 0 ]]; then
+        echo '❌ Data from URL is not valid JSON'
+        ERRORS=true
+        return
+    else
+        echo '✅ Data from URL is valid JSON'
+    fi
+}
+
+policy_configs="$(< src/data.json yq '.[].name + "/policy.yaml"' -r)"
+
+policy_urls="$(yq eval '.sources[].policy[]' $policy_configs | grep -v -- '---' | sort -u)"
+for url in $policy_urls; do
+    verify_url "${url}" 'policy'
+done
+
+policy_data="$(yq eval '.sources[].data[]' $policy_configs | grep -v -- '---' | sort -u)"
+for url in $policy_data; do
+    verify_url "${url}" 'policy-data'
+done
+
+echo
+if [ $ERRORS = true ]; then
+    echo '😭 Errors were found'
+    exit 1
+fi
+
+echo '😺 Success!'
diff --git a/minimal/policy.yaml b/minimal/policy.yaml
@@ -26,7 +26,8 @@ sources:
       - github.com/enterprise-contract/ec-policies//policy/lib
       - github.com/enterprise-contract/ec-policies//policy/release
     data:
-      - github.com/enterprise-contract/ec-policies//data
+      - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest
+      - github.com/release-engineering/rhtap-ec-policy//data
 
 configuration:
   include:

diff --git a/redhat/policy.yaml b/redhat/policy.yaml
@@ -24,7 +24,8 @@ sources:
       - github.com/enterprise-contract/ec-policies//policy/lib
       - github.com/enterprise-contract/ec-policies//policy/release
     data:
-      - github.com/enterprise-contract/ec-policies//data
+      - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest
+      - github.com/release-engineering/rhtap-ec-policy//data
 
 configuration:
   include:

diff --git a/slsa1/policy.yaml b/slsa1/policy.yaml
@@ -26,7 +26,8 @@ sources:
       - github.com/enterprise-contract/ec-policies//policy/lib
       - github.com/enterprise-contract/ec-policies//policy/release
     data:
-      - github.com/enterprise-contract/ec-policies//data
+      - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest
+      - github.com/release-engineering/rhtap-ec-policy//data
 
 configuration:
   include:

diff --git a/slsa2/policy.yaml b/slsa2/policy.yaml
@@ -26,7 +26,8 @@ sources:
       - github.com/enterprise-contract/ec-policies//policy/lib
       - github.com/enterprise-contract/ec-policies//policy/release
     data:
-      - github.com/enterprise-contract/ec-policies//data
+      - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest
+      - github.com/release-engineering/rhtap-ec-policy//data
 
 configuration:
   include:

diff --git a/slsa3/policy.yaml b/slsa3/policy.yaml
@@ -24,7 +24,8 @@ sources:
       - github.com/enterprise-contract/ec-policies//policy/lib
       - github.com/enterprise-contract/ec-policies//policy/release
     data:
-      - github.com/enterprise-contract/ec-policies//data
+      - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest
+      - github.com/release-engineering/rhtap-ec-policy//data
 
 configuration:
   include:

diff --git a/src/policy-github.yaml.tmpl b/src/policy-github.yaml.tmpl
@@ -17,8 +17,7 @@ sources:
     policy:
       - github.com/enterprise-contract/ec-policies//policy/lib
       - github.com/enterprise-contract/ec-policies//policy/release
-    data:
-      - github.com/enterprise-contract/ec-policies//data
+    data: []
 
 configuration:
   include:

diff --git a/src/policy-rhtap.yaml.tmpl b/src/policy-rhtap.yaml.tmpl
@@ -28,7 +28,8 @@ sources:
       - github.com/enterprise-contract/ec-policies//policy/lib
       - github.com/enterprise-contract/ec-policies//policy/release
     data:
-      - github.com/enterprise-contract/ec-policies//data
+      - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest
+      - github.com/release-engineering/rhtap-ec-policy//data
 
 configuration:
   include: