From f3c8017996834376ffa67626044df1f5ed24a851 Mon Sep 17 00:00:00 2001
From: Zoran Regvart
Date: Thu, 21 Sep 2023 14:41:34 +0200
Subject: [PATCH] Add the `name` property

Refactors the `src/data.json` to be an object instead of an array, this way the keys are guaranteed to be unique. Separates the notion of the directory vs name, now the directory (key in the top level object) can be different than the name.
Ref. https://issues.redhat.com/browse/HACBS-2468
---
 Makefile | 4 ++--
 README.md | 23 +++++++++----------
 default/policy.yaml | 1 +
 everything/policy.yaml | 1 +
 github-default/policy.yaml | 1 +
 minimal/policy.yaml | 1 +
 redhat-no-hermetic/policy.yaml | 1 +
 redhat/policy.yaml | 1 +
 slsa1/policy.yaml | 1 +
 slsa2/policy.yaml | 1 +
 slsa3/policy.yaml | 1 +
 src/README-github.md.tmpl | 8 ++++---
 src/README-rhtap.md.tmpl | 10 +++++----
 src/README.md.tmpl | 29 ++++++++++++++----------
 src/data.json | 40 +++++++++++++++++-----------------
 src/policy-github.yaml.tmpl | 5 ++++-
 src/policy-rhtap.yaml.tmpl | 7 ++++--
 src/policy.yaml.tmpl | 20 +++++++++--------
 18 files changed, 91 insertions(+), 64 deletions(-)

diff --git a/Makefile b/Makefile
index c642a3e..253105c 100644
--- a/Makefile
+++ b/Makefile
@@ -16,9 +16,9 @@ endif
 @mkdir -p $(*)
 @env NAME=$(*) $(GOMPLATE) -d data=$(DATA_JSON) --file $< \
 -t rhtap=$(POLICY_RHTAP_TEMPLATE) -t github=$(POLICY_GITHUB_TEMPLATE) \
- > $@
+ -o $@
 
-POLICY_FILES=$(shell jq -r '"\(.[].name)/policy.yaml"' src/data.json)
+POLICY_FILES=$(shell jq -r '"\(keys | .[])/policy.yaml"' src/data.json)
 
 README_TEMPLATE=src/README.md.tmpl
 README_RHTAP_TEMPLATE=src/README-rhtap.md.tmpl
diff --git a/README.md b/README.md
index 2d30a0b..5ac09bd 100644
--- a/README.md
+++ b/README.md
@@ -25,6 +25,17 @@ Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used * Github URL: `https://github.com/redhat-appstudio/build-definitions` * Path in repository: [`pipelines/enterprise-contract.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract.yaml) +### Everything (experimental) + +Include every rule in the default policy source. For experiments only. This is not expected to pass for RHTAP builds without excluding some rules. + +* URL for Enterprise Contract: `github.com/enterprise-contract/config//everything` +* Source: [everything/policy.yaml](https://github.com/enterprise-contract/config/blob/main/everything/policy.yaml) +* Collections: +* RHTAP Integration Test pipeline definition: + * Github URL: `https://github.com/redhat-appstudio/build-definitions` + * Path in repository: [`pipelines/enterprise-contract-everything.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract-everything.yaml) + ### Red Hat Includes the full set of rules and policies required internally by Red Hat when building Red Hat products. @@ -36,7 +47,7 @@ Includes the full set of rules and policies required internally by Red Hat when * Github URL: `https://github.com/redhat-appstudio/build-definitions` * Path in repository: [`pipelines/enterprise-contract-redhat.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract-redhat.yaml) -### Red Hat No Hermetic +### Red Hat (non hermetic) Includes most of the rules and policies required internally by Red Hat when building Red Hat products. It excludes the requirement of hermetic builds. 
@@ -58,16 +69,6 @@ Rules specifically related to levels 1, 2 & 3 of SLSA v0.1, plus a set of basic * Github URL: `https://github.com/redhat-appstudio/build-definitions` * Path in repository: [`pipelines/enterprise-contract-slsa3.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract-slsa3.yaml) -### Everything - -Include every rule in the default policy source. For experiments only. This is not expected to pass for RHTAP builds without excluding some rules. - -* URL for Enterprise Contract: `github.com/enterprise-contract/config//everything` -* Source: [everything/policy.yaml](https://github.com/enterprise-contract/config/blob/main/everything/policy.yaml) -* Collections: -* RHTAP Integration Test pipeline definition: - * Github URL: `https://github.com/redhat-appstudio/build-definitions` - * Path in repository: [`pipelines/enterprise-contract-everything.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract-everything.yaml) ## GitHub diff --git a/default/policy.yaml b/default/policy.yaml index c30ae6f..8e4415f 100644 --- a/default/policy.yaml +++ b/default/policy.yaml @@ -13,6 +13,7 @@ # value: github.com/enterprise-contract/config//default # ... # +name: Default description: >- Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new RHTAP applications. Available collections are defined in diff --git a/everything/policy.yaml b/everything/policy.yaml index 8506d72..1835ad7 100644 --- a/everything/policy.yaml +++ b/everything/policy.yaml @@ -13,6 +13,7 @@ # value: github.com/enterprise-contract/config//everything # ... # +name: Everything (experimental) description: >- Include every rule in the default policy source. For experiments only. This is not expected to pass for RHTAP builds without excluding some rules. Available collections are defined in 
diff --git a/github-default/policy.yaml b/github-default/policy.yaml index 2557e2b..62a04c6 100644 --- a/github-default/policy.yaml +++ b/github-default/policy.yaml @@ -5,6 +5,7 @@ # --public-key key.pub \ # --policy github.com/enterprise-contract/config//github-default # +name: GitHub Default description: >- Rules for container images built via GitHub Workflows. diff --git a/minimal/policy.yaml b/minimal/policy.yaml index 53aadee..bfbe92e 100644 --- a/minimal/policy.yaml +++ b/minimal/policy.yaml @@ -15,6 +15,7 @@ # value: github.com/enterprise-contract/config//minimal # ... # +name: Minimal (deprecated) description: >- Includes a set of basic checks that are expected to pass for all RHTAP builds. Available collections are defined in diff --git a/redhat-no-hermetic/policy.yaml b/redhat-no-hermetic/policy.yaml index ccb98ac..ee27bc6 100644 --- a/redhat-no-hermetic/policy.yaml +++ b/redhat-no-hermetic/policy.yaml @@ -13,6 +13,7 @@ # value: github.com/enterprise-contract/config//redhat-no-hermetic # ... # +name: Red Hat (non hermetic) description: >- Includes most of the rules and policies required internally by Red Hat when building Red Hat products. It excludes the requirement of hermetic builds. Available collections are defined in diff --git a/redhat/policy.yaml b/redhat/policy.yaml index 805ec53..5c2411d 100644 --- a/redhat/policy.yaml +++ b/redhat/policy.yaml @@ -13,6 +13,7 @@ # value: github.com/enterprise-contract/config//redhat # ... # +name: Red Hat description: >- Includes the full set of rules and policies required internally by Red Hat when building Red Hat products. Available collections are defined in diff --git a/slsa1/policy.yaml b/slsa1/policy.yaml index 8d41b1c..d560131 100644 --- a/slsa1/policy.yaml +++ b/slsa1/policy.yaml 
@@ -15,6 +15,7 @@ # value: github.com/enterprise-contract/config//slsa1 # ... # +name: SLSA1 (deprecated) description: >- Rules specifically related to levels 1 of SLSA v0.1, plus a set of basic checks that are expected to pass for all RHTAP builds. Available collections are defined in diff --git a/slsa2/policy.yaml b/slsa2/policy.yaml index 9ca9a67..6f80076 100644 --- a/slsa2/policy.yaml +++ b/slsa2/policy.yaml @@ -15,6 +15,7 @@ # value: github.com/enterprise-contract/config//slsa2 # ... # +name: SLSA2 (deprecated) description: >- Rules specifically related to levels 1 & 2 of SLSA v0.1, plus a set of basic checks that are expected to pass for all RHTAP builds. Available collections are defined in diff --git a/slsa3/policy.yaml b/slsa3/policy.yaml index 738ce72..1937569 100644 --- a/slsa3/policy.yaml +++ b/slsa3/policy.yaml @@ -13,6 +13,7 @@ # value: github.com/enterprise-contract/config//slsa3 # ... # +name: SLSA3 description: >- Rules specifically related to levels 1, 2 & 3 of SLSA v0.1, plus a set of basic checks that are expected to pass for all RHTAP builds. Available collections are defined in diff --git a/src/README-github.md.tmpl b/src/README-github.md.tmpl index 69ac27b..2a49eff 100644 --- a/src/README-github.md.tmpl +++ b/src/README-github.md.tmpl 
@@ -1,12 +1,14 @@ -### {{ .name | strings.Title | regexp.Replace "Github" "GitHub" | regexp.Replace "-" " "}} +{{ with .data }} +### {{ .name }} {{ .description }} -* URL for Enterprise Contract: `github.com/enterprise-contract/config//{{ .name }}` -* Source: [{{ .name }}/policy.yaml](https://github.com/enterprise-contract/config/blob/main/{{ .name }}/policy.yaml) +* URL for Enterprise Contract: `github.com/enterprise-contract/config//{{ $.directory }}` +* Source: [{{ $.directory }}/policy.yaml](https://github.com/enterprise-contract/config/blob/main/{{ $.directory }}/policy.yaml) * Collections:{{ $comma := false }}{{ range .include -}} {{- if strings.HasPrefix "@" . -}} {{- if not $comma }}{{ $comma = true }} {{ else }}, {{ end -}} [{{ . }}](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#{{ strings.TrimPrefix "@" . }}) {{- end -}} {{- end }} +{{- end }} diff --git a/src/README-rhtap.md.tmpl b/src/README-rhtap.md.tmpl index aa2a265..b6a15ab 100644 --- a/src/README-rhtap.md.tmpl +++ b/src/README-rhtap.md.tmpl @@ -1,9 +1,10 @@ -### {{ .name | strings.Title | regexp.Replace "Slsa" "SLSA" | regexp.Replace "Redhat" "Red Hat" | regexp.Replace "Github" "GitHub" | regexp.Replace "-" " "}} +{{ with .data }} +### {{ .name }} {{ .description }} -* URL for Enterprise Contract: `github.com/enterprise-contract/config//{{ .name }}` -* Source: [{{ .name }}/policy.yaml](https://github.com/enterprise-contract/config/blob/main/{{ .name }}/policy.yaml) +* URL for Enterprise Contract: `github.com/enterprise-contract/config//{{ $.directory }}` +* Source: [{{ $.directory }}/policy.yaml](https://github.com/enterprise-contract/config/blob/main/{{ $.directory }}/policy.yaml) * Collections:{{ $comma := false }}{{ range .include -}} {{- if strings.HasPrefix "@" . -}} {{- if not $comma }}{{ $comma = true }} {{ else }}, {{ end -}} 
@@ -12,4 +13,5 @@ {{- end }} * RHTAP Integration Test pipeline definition: * Github URL: `https://github.com/redhat-appstudio/build-definitions` - * Path in repository: [`pipelines/enterprise-contract{{ if ne .name "default" }}-{{ .name }}{{ end }}.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract{{ if ne .name "default" }}-{{ .name }}{{ end }}.yaml) + * Path in repository: [`pipelines/enterprise-contract{{ if ne $.directory "default" }}-{{ $.directory }}{{ end }}.yaml`](https://github.com/redhat-appstudio/build-definitions/blob/main/pipelines/enterprise-contract{{ if ne $.directory "default" }}-{{ $.directory }}{{ end }}.yaml) +{{- end }} diff --git a/src/README.md.tmpl b/src/README.md.tmpl index 6c2a2e5..d3c13bf 100644 --- a/src/README.md.tmpl +++ b/src/README.md.tmpl 
@@ -13,23 +13,28 @@ this section. They can be used when creating an Integration Test in RHTAP as per here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/proc_managing-compliance-with-the-enterprise-contract/). The policy configuration files are: -{{ range ds "data" }} -{{- if not (index . "deprecated") }} -{{- if eq .environment "rhtap" }} -{{ template "rhtap" . }} -{{- end -}} -{{- end -}} +{{ range $k, $v := ds "data" }} + {{- with coll.Dict "directory" $k "data" $v }} + {{- if not (index .data "deprecated") }} + {{- if eq .data.environment "rhtap" }} + {{- template "rhtap" . }} + {{- end }} + {{- end }} + {{- end }} {{- end }} + ## GitHub Container images built via [GitHub Actions](https://docs.github.com/actions) can be verified with the following policy configurations. -{{ range ds "data" }} -{{- if not (index . "deprecated") }} -{{- if eq .environment "github" }} -{{ template "github" . }} -{{- end }} -{{- end -}} +{{ range $k, $v := ds "data" }} + {{- with coll.Dict "directory" $k "data" $v }} + {{- if not (index .data "deprecated") }} + {{- if eq .data.environment "github" }} + {{- template "github" . }} + {{- end }} + {{- end }} + {{- end }} {{- end }} ## See also diff --git a/src/data.json b/src/data.json index b303bce..276dc06 100644 --- a/src/data.json +++ b/src/data.json 
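Review bot: `range $k, $v := ds "data"` now visits the entries in sorted key order (Go templates range over maps by sorted key), so both the RHTAP and the GitHub sections of the README are listed alphabetically by directory rather than in the curated order the former array gave; the README.md diff in this patch shows the effect, with "Everything (experimental)" moved ahead of "Red Hat". If that ordering is acceptable it deserves a comment so the next editor does not try to reorder data.json to change it, e.g. above the first range: `{{/* entries render in sorted-key order; the directory name decides the position */}}`. If a curated order is wanted instead, an explicit ordering field in data.json and a sort before the range would restore it. The same applies to the second range in this hunk.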
@@ -1,68 +1,68 @@ -[ - { - "name": "default", +{ + "default": { + "name": "Default", "description": "Includes rules for levels 1, 2 & 3 of SLSA v0.1. This is the default config used for new RHTAP applications.", "environment": "rhtap", "include": ["@slsa1", "@slsa2", "@slsa3"], "exclude": [] }, - { - "name": "minimal", + "minimal": { + "name": "Minimal (deprecated)", "description": "Includes a set of basic checks that are expected to pass for all RHTAP builds.", "environment": "rhtap", "include": ["@minimal"], "exclude": [], "deprecated": true }, - { - "name": "redhat", + "redhat": { + "name": "Red Hat", "description": "Includes the full set of rules and policies required internally by Red Hat when building Red Hat products.", "environment": "rhtap", "include": ["@redhat"], "exclude": [] }, - { - "name": "redhat-no-hermetic", + "redhat-no-hermetic": { + "name": "Red Hat (non hermetic)", "description": "Includes most of the rules and policies required internally by Red Hat when building Red Hat products. 
It excludes the requirement of hermetic builds.", "environment": "rhtap", "include": ["@redhat"], "exclude": ["hermetic_build_task", "tasks.required_tasks_found:prefetch-dependencies"] }, - { - "name": "slsa1", + "slsa1": { + "name": "SLSA1 (deprecated)", "description": "Rules specifically related to levels 1 of SLSA v0.1, plus a set of basic checks that are expected to pass for all RHTAP builds.", "environment": "rhtap", "include": ["@minimal", "@slsa1"], "exclude": [], "deprecated": true }, - { - "name": "slsa2", + "slsa2": { + "name": "SLSA2 (deprecated)", "description": "Rules specifically related to levels 1 & 2 of SLSA v0.1, plus a set of basic checks that are expected to pass for all RHTAP builds.", "environment": "rhtap", "include": ["@minimal", "@slsa1", "@slsa2"], "exclude": [], "deprecated": true }, - { - "name": "slsa3", + "slsa3": { + "name": "SLSA3", "description": "Rules specifically related to levels 1, 2 & 3 of SLSA v0.1, plus a set of basic checks that are expected to pass for all RHTAP builds.", "environment": "rhtap", "include": ["@minimal", "@slsa1", "@slsa2", "@slsa3"], "exclude": [] }, - { - "name": "everything", + "everything": { + "name": "Everything (experimental)", "description": "Include every rule in the default policy source. For experiments only. This is not expected to pass for RHTAP builds without excluding some rules.", "environment": "rhtap", "include": ["*"], "exclude": [] }, - { - "name": "github-default", + "github-default": { + "name": "GitHub Default", "description": "Rules for container images built via GitHub Workflows.", "environment": "github", "include": ["@github"], "exclude": [] } -] +} diff --git a/src/policy-github.yaml.tmpl b/src/policy-github.yaml.tmpl index 5dab83a..204fbb0 100644 --- a/src/policy-github.yaml.tmpl +++ b/src/policy-github.yaml.tmpl @@ -1,3 +1,4 @@ +{{ with .data -}} # {{ if index . "deprecated" -}} # ** DEPRECATED ** 
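Review bot: The `(deprecated)` suffix baked into the `name` of `minimal`, `slsa1` and `slsa2` duplicates the `"deprecated": true` flag on the same entries, so the two can drift apart the next time an entry is deprecated or un-deprecated and only one of them is updated. Keeping the plain name in data.json and letting the policy and README templates append the suffix from the flag keeps a single source of truth, e.g. in the policy templates `name: {{ .name }}{{ if index . "deprecated" }} (deprecated){{ end }}`. The `(experimental)` suffix on `everything` has no corresponding flag, so it is the only qualifier that genuinely belongs in the data.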
@@ -7,8 +8,9 @@ # ec validate image \ # --image $IMAGE \ # --public-key key.pub \ -# --policy github.com/enterprise-contract/config//{{ .name }} +# --policy github.com/enterprise-contract/config//{{ $.directory }} # +name: {{.name}} description: >- {{ .description }} @@ -25,3 +27,4 @@ configuration: exclude: {{ .exclude | toYAML | strings.Indent 4 | strings.TrimSpace }} +{{- end -}} diff --git a/src/policy-rhtap.yaml.tmpl b/src/policy-rhtap.yaml.tmpl index c5b1444..4b66db6 100644 --- a/src/policy-rhtap.yaml.tmpl +++ b/src/policy-rhtap.yaml.tmpl @@ -1,3 +1,4 @@ +{{ with .data -}} # {{ if index . "deprecated" -}} # ** DEPRECATED ** @@ -7,16 +8,17 @@ # ec validate image \ # --image $IMAGE \ # --public-key key.pub \ -# --policy github.com/enterprise-contract/config//{{ .name }} +# --policy github.com/enterprise-contract/config//{{ $.directory }} # # To use with an RHTAP Enterprise Contract Integration Test CR: # ... # spec: # params: # - name: POLICY_CONFIGURATION -# value: github.com/enterprise-contract/config//{{ .name }} +# value: github.com/enterprise-contract/config//{{ $.directory }} # ... # +name: {{.name}} description: >- {{ .description }} Available collections are defined in @@ -44,3 +46,4 @@ configuration: # Exclude step_image_registries for now since it can cause false # positives due to https://issues.redhat.com/browse/OCPBUGS-8428 {{ .exclude | coll.Append "step_image_registries" | toYAML | strings.Indent 4 | strings.TrimSpace }} +{{- end -}} diff --git a/src/policy.yaml.tmpl b/src/policy.yaml.tmpl index f23f01b..fae7d4d 100644 --- a/src/policy.yaml.tmpl +++ b/src/policy.yaml.tmpl 
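Review bot: `name: {{.name}}` in policy-github.yaml.tmpl and in the policy-rhtap.yaml.tmpl hunk below writes the value as an unquoted plain YAML scalar, so a name containing `: ` or ` #`, or starting with an indicator such as `[`, `*`, `&`, `!` or `@`, would yield a policy.yaml that fails to parse, and a name like `yes` or `1.0` would be read as a boolean or number instead of a string. The templates already serialise the `exclude` list through `toYAML`; doing the same for this scalar gives correct quoting automatically: `name: {{ .name | toYAML | strings.TrimSpace }}`. The names currently in data.json happen to be safe, but the property is new and hand-edited. The change also aligns the spacing with `{{ .description }}` on the following line.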
@@ -1,10 +1,12 @@
 {{- $name := .Env.NAME -}}
-{{- range ds "data" -}}
-{{- if eq .name $name -}}
-{{- if eq .environment "rhtap" -}}
-{{ template "rhtap" . }}
-{{- else -}}
-{{ template "github" . }}
-{{- end -}}
-{{- end -}}
-{{- end }}
\ No newline at end of file
+{{- range $key, $data := ds "data" }}
+ {{- if eq $key $name }}
+ {{- with coll.Dict "directory" $key "data" $data }}
+ {{- if eq .data.environment "rhtap" }}
+ {{- template "rhtap" . }}
+ {{- else }}
+ {{- template "github" . }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
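Review bot: When `NAME` matches no key of data.json the `range`/`if eq $key $name` pair renders nothing, and with the Makefile now writing through `-o $@` that would presumably leave an empty policy.yaml behind with no error; the previous array loop was silent in the same way, but the object form now allows a direct lookup. Fetching the entry with `index` and failing in the `else` branch turns a mistyped target name into a build error instead of an empty policy file, and removes the loop over every entry. The rewritten body is below; `$name` is still visible inside the `with` block because template variables are lexically scoped.
```gotemplate
{{- $name := .Env.NAME -}}
{{- with index (ds "data") $name }}
  {{- with coll.Dict "directory" $name "data" . }}
    {{- if eq .data.environment "rhtap" }}
      {{- template "rhtap" . }}
    {{- else }}
      {{- template "github" . }}
    {{- end }}
  {{- end }}
{{- else }}
  {{- fail (printf "src/data.json has no entry for %q" $name) }}
{{- end }}
```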