More hackery
Will clean it up later.

This demos slsa3 passing with ec validate input.
simonbaird committed Mar 22, 2024
1 parent 56255d8 commit a93ec19
Showing 1 changed file with 31 additions and 15 deletions.
46 changes: 31 additions & 15 deletions hack/builtin-experiments/demo.sh
Expand Up @@ -43,18 +43,25 @@ INPUT_JSON='{
# A minimal ECP using local files
# ec looks for specific subdirs under the source's root location
# so that's why we have policy/policy and data/data
POLICY_JSON='{
"sources": [
{
"policy": [
"'$LOCAL_DIR'/policy"
],
"data": [
"'$LOCAL_DIR'/data"
]
}
]
}'
POLICY_YAML='
sources:
- policy:
- '$POLICY_DIR'
- github.com/simonbaird/ec-policies//policy/lib?ref=builtin-experiments
- github.com/simonbaird/ec-policies//policy/release?ref=builtin-experiments
data:
- '$DATA_DIR'
- oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest
- github.com/release-engineering/rhtap-ec-policy//data
config:
include:
# Fixme: I dont think it is running the sigstore check sin sigstore.rego
# now, not sure why
- "sigstore"
- "@slsa3"
'

# Public key for the signature of the image we're verifying
PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
Expand All @@ -73,7 +80,8 @@ echo '{
# The acceptance test rego is pretty much prod-ready.. :)
# Tweak one line to make it work with the sigstore_opts data we just created above
sed \
's/^_sigstore_opts :=.*/_sigstore_opts := object.union(data.config.default_sigstore_opts, data.sigstore_opts)/' \
-e 's/^_sigstore_opts :=.*/_sigstore_opts := object.union(data.config.default_sigstore_opts, data.sigstore_opts)/' \
-e 's/^package sigstore/package policy.release.sigstore/' \
${GIT_ROOT}/acceptance/examples/sigstore.rego \
> ${POLICY_DIR}/sigstore.rego

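Review bot: both sed expressions silently do nothing if the upstream acceptance example drifts, and the new one, `s/^package sigstore/...`, has no `$` anchor, so it would also rewrite a line such as `package sigstore_helpers` into `package policy.release.sigstore_helpers`. Suggest anchoring it as `-e 's/^package sigstore$/package policy.release.sigstore/'` and adding a fail-fast check after the redirect, for example `grep -q '^package policy.release.sigstore$' "${POLICY_DIR}/sigstore.rego" || exit 1`, so a missed substitution aborts the demo instead of loading a policy into the wrong package. Quote `"${GIT_ROOT}/acceptance/examples/sigstore.rego"` and `"${POLICY_DIR}/sigstore.rego"` as well, since the script already relies on user-controlled directory paths there.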
Expand All @@ -83,7 +91,15 @@ echo "$INPUT_JSON" | yq -P
echo -e "\n* EC results:\n"
$EC validate input \
--file <(echo $INPUT_JSON) \
--policy "$(echo $POLICY_JSON)" \
--policy "$(echo "$POLICY_YAML" | yq -ojson)" \
--show-successes \
--info \
| yq -P

# For debugging...
#echo "$INPUT_JSON" > i.json
#ec opa eval \
# --input i.json \
# 'data.lib._input_attestations' \
# --data ${DATA_DIR} \
# --data /home/sbaird/code/ec-policies/policy/lib \
# --data /home/sbaird/code/ec-policies/policy/release | yq -P

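Review bot: `--file <(echo $INPUT_JSON)` leaves $INPUT_JSON unquoted, so the JSON is word-split and any `*` or `?` inside it is glob-expanded before it reaches ec; use `<(printf '%s' "$INPUT_JSON")`, which is also what the new `--policy "$(echo "$POLICY_YAML" | yq -ojson)"` line already gets right by quoting its variable. The commented-out debugging block hardcodes `/home/sbaird/code/ec-policies/policy/lib` and `.../policy/release`, which cannot work on any other machine; either parameterize those paths with a variable next to POLICY_DIR and DATA_DIR or remove the block before the promised cleanup lands, so the committed script does not carry a personal home directory.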