feat(policy-devel): support providing allowed hostnames (#2339)

Signed-off-by: Miguel Martinez <[email protected]>

Author: migmartri

app/cli/cmd/policy_develop_eval.go

@@ -26,11 +26,12 @@ import (
 
 func newPolicyDevelopEvalCmd() *cobra.Command {
 	var (
-		materialPath string
-		kind         string
-		annotations  []string
-		policyPath   string
-		inputs       []string
+		materialPath     string
+		kind             string
+		annotations      []string
+		policyPath       string
+		inputs           []string
+		allowedHostnames []string
 	)
 
 	cmd := &cobra.Command{
@@ -44,11 +45,12 @@ evaluates the policy against the provided material or attestation.`,
   chainloop policy eval --policy policy.yaml --material sbom.json --kind SBOM_CYCLONEDX_JSON --annotation key1=value1,key2=value2 --input key3=value3`,
 		RunE: func(_ *cobra.Command, _ []string) error {
 			opts := &action.PolicyEvalOpts{
-				MaterialPath: materialPath,
-				Kind:         kind,
-				Annotations:  parseKeyValue(annotations),
-				PolicyPath:   policyPath,
-				Inputs:       parseKeyValue(inputs),
+				MaterialPath:     materialPath,
+				Kind:             kind,
+				Annotations:      parseKeyValue(annotations),
+				PolicyPath:       policyPath,
+				Inputs:           parseKeyValue(inputs),
+				AllowedHostnames: allowedHostnames,
 			}
 
 			policyEval, err := action.NewPolicyEval(opts, actionOpts)
@@ -71,6 +73,7 @@ evaluates the policy against the provided material or attestation.`,
 	cmd.Flags().StringSliceVar(&annotations, "annotation", []string{}, "Key-value pairs of material annotations (key=value)")
 	cmd.Flags().StringVarP(&policyPath, "policy", "p", "policy.yaml", "Path to custom policy file")
 	cmd.Flags().StringSliceVar(&inputs, "input", []string{}, "Key-value pairs of policy inputs (key=value)")
+	cmd.Flags().StringSliceVar(&allowedHostnames, "allowed-hostnames", []string{}, "Additional hostnames allowed for http.send requests in policies")
 
 	return cmd
 }

app/cli/documentation/cli-reference.mdx

@@ -2810,12 +2810,13 @@ chainloop policy eval --policy policy.yaml --material sbom.json --kind SBOM_CYCL
 Options
 
 ```
---annotation strings   Key-value pairs of material annotations (key=value)
--h, --help                 help for eval
---input strings        Key-value pairs of policy inputs (key=value)
---kind string          Kind of the material: ["ARTIFACT" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENVEX" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "TWISTCLI_SCAN_JSON" "ZAP_DAST_ZIP"]
---material string      Path to material or attestation file
--p, --policy string        Path to custom policy file (default "policy.yaml")
+--allowed-hostnames strings   Additional hostnames allowed for http.send requests in policies
+--annotation strings          Key-value pairs of material annotations (key=value)
+-h, --help                        help for eval
+--input strings               Key-value pairs of policy inputs (key=value)
+--kind string                 Kind of the material: ["ARTIFACT" "ATTESTATION" "BLACKDUCK_SCA_JSON" "CHAINLOOP_RUNNER_CONTEXT" "CONTAINER_IMAGE" "CSAF_INFORMATIONAL_ADVISORY" "CSAF_SECURITY_ADVISORY" "CSAF_SECURITY_INCIDENT_RESPONSE" "CSAF_VEX" "EVIDENCE" "GHAS_CODE_SCAN" "GHAS_DEPENDENCY_SCAN" "GHAS_SECRET_SCAN" "GITLAB_SECURITY_REPORT" "HELM_CHART" "JACOCO_XML" "JUNIT_XML" "OPENVEX" "SARIF" "SBOM_CYCLONEDX_JSON" "SBOM_SPDX_JSON" "SLSA_PROVENANCE" "STRING" "TWISTCLI_SCAN_JSON" "ZAP_DAST_ZIP"]
+--material string             Path to material or attestation file
+-p, --policy string               Path to custom policy file (default "policy.yaml")
 ```
 
 Options inherited from parent commands

app/cli/internal/action/policy_develop_eval.go

@@ -22,11 +22,12 @@ import (
 )
 
 type PolicyEvalOpts struct {
-	MaterialPath string
-	Kind         string
-	Annotations  map[string]string
-	PolicyPath   string
-	Inputs       map[string]string
+	MaterialPath     string
+	Kind             string
+	Annotations      map[string]string
+	PolicyPath       string
+	Inputs           map[string]string
+	AllowedHostnames []string
 }
 
 type PolicyEvalResult struct {
@@ -50,11 +51,12 @@ func NewPolicyEval(opts *PolicyEvalOpts, actionOpts *ActionsOpts) (*PolicyEval,
 
 func (action *PolicyEval) Run() ([]*PolicyEvalResult, error) {
 	evalOpts := &policydevel.EvalOptions{
-		PolicyPath:   action.opts.PolicyPath,
-		MaterialKind: action.opts.Kind,
-		Annotations:  action.opts.Annotations,
-		MaterialPath: action.opts.MaterialPath,
-		Inputs:       action.opts.Inputs,
+		PolicyPath:       action.opts.PolicyPath,
+		MaterialKind:     action.opts.Kind,
+		Annotations:      action.opts.Annotations,
+		MaterialPath:     action.opts.MaterialPath,
+		Inputs:           action.opts.Inputs,
+		AllowedHostnames: action.opts.AllowedHostnames,
 	}
 
 	// Evaluate policy

app/cli/internal/policydevel/eval.go

@@ -29,11 +29,12 @@ import (
 )
 
 type EvalOptions struct {
-	PolicyPath   string
-	MaterialKind string
-	Annotations  map[string]string
-	MaterialPath string
-	Inputs       map[string]string
+	PolicyPath       string
+	MaterialKind     string
+	Annotations      map[string]string
+	MaterialPath     string
+	Inputs           map[string]string
+	AllowedHostnames []string
 }
 
 type EvalResult struct {
@@ -58,7 +59,7 @@ func Evaluate(opts *EvalOptions, logger zerolog.Logger) ([]*EvalResult, error) {
 	material.Annotations = opts.Annotations
 
 	// 3. Verify material against policy
-	result, err := verifyMaterial(schema, material, opts.MaterialPath, &logger)
+	result, err := verifyMaterial(schema, material, opts.MaterialPath, opts.AllowedHostnames, &logger)
 	if err != nil {
 		return nil, err
 	}
@@ -81,8 +82,12 @@ func createCraftingSchema(policyPath string, inputs map[string]string) (*v1.Craf
 	}, nil
 }
 
-func verifyMaterial(schema *v1.CraftingSchema, material *v12.Attestation_Material, materialPath string, logger *zerolog.Logger) ([]*EvalResult, error) {
-	v := policies.NewPolicyVerifier(schema, nil, logger)
+func verifyMaterial(schema *v1.CraftingSchema, material *v12.Attestation_Material, materialPath string, allowedHostnames []string, logger *zerolog.Logger) ([]*EvalResult, error) {
+	var opts []policies.PolicyVerifierOption
+	if len(allowedHostnames) > 0 {
+		opts = append(opts, policies.WithAllowedHostnames(allowedHostnames...))
+	}
+	v := policies.NewPolicyVerifier(schema, nil, logger, opts...)
 	policyEvs, err := v.VerifyMaterial(context.Background(), material, materialPath)
 	if err != nil {
 		return nil, err