From 295f9e30ff0b74bbc9790dad0f4d388fe56712f8 Mon Sep 17 00:00:00 2001 From: Luiz Carvalho Date: Thu, 14 Sep 2023 09:08:18 -0400 Subject: [PATCH 1/3] Update data sources https://issues.redhat.com/browse/HACBS-2556 Signed-off-by: Luiz Carvalho --- default/policy.yaml | 3 ++- everything/policy.yaml | 3 ++- github-default/policy.yaml | 3 +-- minimal/policy.yaml | 3 ++- redhat/policy.yaml | 3 ++- slsa1/policy.yaml | 3 ++- slsa2/policy.yaml | 3 ++- slsa3/policy.yaml | 3 ++- src/policy-github.yaml.tmpl | 3 +-- src/policy-rhtap.yaml.tmpl | 3 ++- 10 files changed, 18 insertions(+), 12 deletions(-) diff --git a/default/policy.yaml b/default/policy.yaml index 88313c0..c73f504 100644 --- a/default/policy.yaml +++ b/default/policy.yaml @@ -24,7 +24,8 @@ sources: - github.com/enterprise-contract/ec-policies//policy/lib - github.com/enterprise-contract/ec-policies//policy/release data: - - github.com/enterprise-contract/ec-policies//data + - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest + - github.com/release-engineering/rhtap-ec-policy//data configuration: include: diff --git a/everything/policy.yaml b/everything/policy.yaml index feb53b9..8304c75 100644 --- a/everything/policy.yaml +++ b/everything/policy.yaml @@ -24,7 +24,8 @@ sources: - github.com/enterprise-contract/ec-policies//policy/lib - github.com/enterprise-contract/ec-policies//policy/release data: - - github.com/enterprise-contract/ec-policies//data + - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest + - github.com/release-engineering/rhtap-ec-policy//data configuration: include: diff --git a/github-default/policy.yaml b/github-default/policy.yaml index 0040bd8..2557e2b 100644 --- a/github-default/policy.yaml +++ b/github-default/policy.yaml 
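Review bot: The two new data entries are floating references — `oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest` is a mutable tag and `github.com/release-engineering/rhtap-ec-policy//data` carries no ref — so the data that decides what the policy accepts can change with no change in this repository, and a verification run is not reproducible from the committed file. If that is intentional (tracking the current acceptable-bundle list), record it with a comment above the entries such as `# unpinned on purpose: tracks the current acceptable-bundle list`; otherwise pin to a digest (`@sha256:<digest>`, placeholder) or a commit ref where the source syntax supports it. The same two lines are added in everything, minimal, redhat, slsa1, slsa2, slsa3 and src/policy-rhtap.yaml.tmpl; since the third patch's Makefile generates `%/policy.yaml` from the templates, the template is presumably where the comment belongs.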
@@ -13,8 +13,7 @@ sources: policy: - github.com/enterprise-contract/ec-policies//policy/lib - github.com/enterprise-contract/ec-policies//policy/release - data: - - github.com/enterprise-contract/ec-policies//data + data: [] configuration: include: diff --git a/minimal/policy.yaml b/minimal/policy.yaml index 17adcfb..3dc3c54 100644 --- a/minimal/policy.yaml +++ b/minimal/policy.yaml @@ -26,7 +26,8 @@ sources: - github.com/enterprise-contract/ec-policies//policy/lib - github.com/enterprise-contract/ec-policies//policy/release data: - - github.com/enterprise-contract/ec-policies//data + - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest + - github.com/release-engineering/rhtap-ec-policy//data configuration: include: diff --git a/redhat/policy.yaml b/redhat/policy.yaml index c5861e8..b8be0b2 100644 --- a/redhat/policy.yaml +++ b/redhat/policy.yaml @@ -24,7 +24,8 @@ sources: - github.com/enterprise-contract/ec-policies//policy/lib - github.com/enterprise-contract/ec-policies//policy/release data: - - github.com/enterprise-contract/ec-policies//data + - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest + - github.com/release-engineering/rhtap-ec-policy//data configuration: include: diff --git a/slsa1/policy.yaml b/slsa1/policy.yaml index bd6e62c..95bfe37 100644 --- a/slsa1/policy.yaml +++ b/slsa1/policy.yaml @@ -26,7 +26,8 @@ sources: - github.com/enterprise-contract/ec-policies//policy/lib - github.com/enterprise-contract/ec-policies//policy/release data: - - github.com/enterprise-contract/ec-policies//data + - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest + - github.com/release-engineering/rhtap-ec-policy//data configuration: include: diff --git a/slsa2/policy.yaml b/slsa2/policy.yaml index b9c732d..d4a70b4 100644 --- a/slsa2/policy.yaml +++ b/slsa2/policy.yaml 
@@ -26,7 +26,8 @@ sources: - github.com/enterprise-contract/ec-policies//policy/lib - github.com/enterprise-contract/ec-policies//policy/release data: - - github.com/enterprise-contract/ec-policies//data + - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest + - github.com/release-engineering/rhtap-ec-policy//data configuration: include: diff --git a/slsa3/policy.yaml b/slsa3/policy.yaml index 664988f..a5d1188 100644 --- a/slsa3/policy.yaml +++ b/slsa3/policy.yaml @@ -24,7 +24,8 @@ sources: - github.com/enterprise-contract/ec-policies//policy/lib - github.com/enterprise-contract/ec-policies//policy/release data: - - github.com/enterprise-contract/ec-policies//data + - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest + - github.com/release-engineering/rhtap-ec-policy//data configuration: include: diff --git a/src/policy-github.yaml.tmpl b/src/policy-github.yaml.tmpl index 1810621..5dab83a 100644 --- a/src/policy-github.yaml.tmpl +++ b/src/policy-github.yaml.tmpl @@ -17,8 +17,7 @@ sources: policy: - github.com/enterprise-contract/ec-policies//policy/lib - github.com/enterprise-contract/ec-policies//policy/release - data: - - github.com/enterprise-contract/ec-policies//data + data: [] configuration: include: diff --git a/src/policy-rhtap.yaml.tmpl b/src/policy-rhtap.yaml.tmpl index 4f2e000..da58c91 100644 --- a/src/policy-rhtap.yaml.tmpl +++ b/src/policy-rhtap.yaml.tmpl @@ -28,7 +28,8 @@ sources: - github.com/enterprise-contract/ec-policies//policy/lib - github.com/enterprise-contract/ec-policies//policy/release data: - - github.com/enterprise-contract/ec-policies//data + - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest + - github.com/release-engineering/rhtap-ec-policy//data configuration: include: From a1815288b6c9f4be4fef7733dcdf54adb34afd63 Mon Sep 17 00:00:00 2001 From: Luiz Carvalho Date: Thu, 14 Sep 2023 09:08:52 -0400 Subject: [PATCH 2/3] Add script to verify policy source URLs 
Signed-off-by: Luiz Carvalho --- hack/verify-policy-sources.sh | 76 +++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100755 hack/verify-policy-sources.sh diff --git a/hack/verify-policy-sources.sh b/hack/verify-policy-sources.sh new file mode 100755 index 0000000..e8b5fcf --- /dev/null +++ b/hack/verify-policy-sources.sh 
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Verify the policy source URLs are valid.
+# Usage:
+# verify-policy-sources.sh
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+ERRORS=false
+
+verify_url() {
+ url=$1
+ inspect_type=$2
+ echo -e "\nšŸ•µļøā€ā™€ļø $url..."
+
+ set +e
+ info="$(ec inspect "${inspect_type}" --source "${url}" --output=json)"
+ inspect_status=$?
+ set -e
+ if [[ $inspect_status -ne 0 ]]; then
+ echo 'āŒ Unable to inspect policy URL'
+ ERRORS=true
+ return
+ else
+ echo 'āœ… Policy URL inspection successful'
+ fi
+
+ set +e
+ echo "${info}" | jq '.' > /dev/null
+ jq_status=$?
+ set -e
+ if [[ $jq_status -ne 0 ]]; then
+ echo 'āŒ Data from URL is not valid JSON'
+ ERRORS=true
+ return
+ else
+ echo 'āœ… Data from URL is valid JSON'
+ fi
+}
+
+policy_configs="$(< src/data.json yq '.[].name + "/policy.yaml"' -r)"
+
+policy_urls="$(yq eval '.sources[].policy[]' $policy_configs | grep -v -- '---' | sort -u)"
+for url in $policy_urls; do
+ verify_url "${url}" 'policy'
+done
+
+policy_data="$(yq eval '.sources[].data[]' $policy_configs | grep -v -- '---' | sort -u)"
+for url in $policy_data; do
+ verify_url "${url}" 'policy-data'
+done
+
+echo
+if [ $ERRORS = true ]; then
+ echo 'šŸ˜­ Errors were found'
+ exit 1
+fi
+
+echo 'šŸ˜ŗ Success!'
From 46676ed37b4a3a71f6d9a960a9e11493d0edba66 Mon Sep 17 00:00:00 2001
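Review bot: The variables assigned inside `verify_url` (`url`, `inspect_type`, `info`, `inspect_status`, `jq_status`) are not declared `local`, so they leak into the script's global scope and the function overwrites the caller's loop variable `url` on every call — harmless today because the values coincide, but brittle. Declaring them `local url=$1` and `local inspect_type=$2` (plus `local info inspect_status jq_status`) keeps the function self-contained. The `set +e`/`set -e` brackets around each capture can also go: `if ! info="$(ec inspect "${inspect_type}" --source "${url}" --output=json)"; then` tests the status directly without disabling errexit, and `if ! jq '.' <<<"${info}" > /dev/null; then` does the same for the JSON check.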
From: Luiz Carvalho Date: Thu, 14 Sep 2023 09:16:50 -0400 Subject: [PATCH 3/3] Makefile rebuild on changes to env templates Signed-off-by: Luiz Carvalho --- Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index f47278b..c642a3e 100644 --- a/Makefile +++ b/Makefile @@ -5,14 +5,14 @@ _default: all DATA_JSON=src/data.json POLICY_TEMPLATE=src/policy.yaml.tmpl -POLICY_RHTAP_TEMPLATE='src/policy-rhtap.yaml.tmpl' -POLICY_GITHUB_TEMPLATE='src/policy-github.yaml.tmpl' +POLICY_RHTAP_TEMPLATE=src/policy-rhtap.yaml.tmpl +POLICY_GITHUB_TEMPLATE=src/policy-github.yaml.tmpl ifndef GOMPLATE GOMPLATE=gomplate endif -%/policy.yaml: $(POLICY_TEMPLATE) $(DATA_JSON) Makefile +%/policy.yaml: $(POLICY_TEMPLATE) $(DATA_JSON) $(POLICY_RHTAP_TEMPLATE) $(POLICY_GITHUB_TEMPLATE) Makefile @mkdir -p $(*) @env NAME=$(*) $(GOMPLATE) -d data=$(DATA_JSON) --file $< \ -t rhtap=$(POLICY_RHTAP_TEMPLATE) -t github=$(POLICY_GITHUB_TEMPLATE) \ @@ -25,7 +25,7 @@ README_RHTAP_TEMPLATE=src/README-rhtap.md.tmpl README_GITHUB_TEMPLATE=src/README-github.md.tmpl README_FILE=README.md -$(README_FILE): $(README_TEMPLATE) $(DATA_JSON) Makefile +$(README_FILE): $(README_TEMPLATE) $(DATA_JSON) $(README_RHTAP_TEMPLATE) $(README_GITHUB_TEMPLATE) Makefile @$(GOMPLATE) -d data=$(DATA_JSON) --file $< \ -t rhtap=$(README_RHTAP_TEMPLATE) -t github=$(README_GITHUB_TEMPLATE) \ > $@
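Review bot: Both rewritten prerequisite lists depend on the template variable staying in first position, because the recipes pass `$<` to `--file`; appending the new prerequisites after it keeps that true, but nothing records the constraint, so a later reorder would silently feed `src/data.json` or a partial template to gomplate. Either pass the template explicitly, `--file $(POLICY_TEMPLATE)` and `--file $(README_TEMPLATE)`, or add `# $(POLICY_TEMPLATE) must stay the first prerequisite: the recipe passes it as $<` above each rule. The quote removal is what makes `$(POLICY_RHTAP_TEMPLATE)` usable as a prerequisite — make takes the quotes literally and only the shell stripped them in the recipe — which is worth a sentence in the commit message. The same applies to the `$(README_FILE)` rule in the second hunk.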