chore(policies): validate remote policies on contract creation (#1240)

Signed-off-by: Jose I. Paris <[email protected]>

Author: jiparis

app/controlplane/internal/service/workflowcontract.go

@@ -19,6 +19,7 @@ import (
 	"context"
 
 	pb "github.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1"
+	"github.com/chainloop-dev/chainloop/app/controlplane/internal/usercontext"
 	"github.com/chainloop-dev/chainloop/app/controlplane/pkg/biz"
 	errors "github.com/go-kratos/kratos/v2/errors"
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -91,6 +92,15 @@ func (s *WorkflowContractService) Create(ctx context.Context, req *pb.WorkflowCo
 		return nil, err
 	}
 
+	token, err := usercontext.GetRawToken(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = s.contractUseCase.ValidateContractPolicies(req.RawContract, token); err != nil {
+		return nil, handleUseCaseErr(err, s.log)
+	}
+
 	// Currently supporting only v1 version
 	schema, err := s.contractUseCase.Create(ctx, &biz.WorkflowContractCreateOpts{
 		OrgID: currentOrg.ID,
@@ -109,6 +119,15 @@ func (s *WorkflowContractService) Update(ctx context.Context, req *pb.WorkflowCo
 		return nil, err
 	}
 
+	token, err := usercontext.GetRawToken(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = s.contractUseCase.ValidateContractPolicies(req.RawContract, token); err != nil {
+		return nil, handleUseCaseErr(err, s.log)
+	}
+
 	schemaWithVersion, err := s.contractUseCase.Update(ctx, currentOrg.ID, req.Name,
 		&biz.WorkflowContractUpdateOpts{
 			Description: req.Description,

app/controlplane/internal/usercontext/usercontext.go

@@ -0,0 +1,38 @@
+//
+// Copyright 2024 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package usercontext
+
+import (
+	"context"
+	"strings"
+
+	"github.com/go-kratos/kratos/v2/middleware/auth/jwt"
+	"github.com/go-kratos/kratos/v2/transport"
+)
+
+// GetRawToken takes whatever Bearer token is in the request
+func GetRawToken(ctx context.Context) (string, error) {
+	header, ok := transport.FromServerContext(ctx)
+	if !ok {
+		return "", jwt.ErrMissingJwtToken
+	}
+
+	auths := strings.SplitN(header.RequestHeader().Get("Authorization"), " ", 2)
+	if len(auths) != 2 || !strings.EqualFold(auths[0], "Bearer") {
+		return "", jwt.ErrMissingJwtToken
+	}
+	return auths[1], nil
+}

app/controlplane/pkg/biz/workflowcontract.go

@@ -27,6 +27,7 @@ import (
 	"github.com/bufbuild/protoyaml-go"
 	schemav1 "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/policies"
+	loader "github.com/chainloop-dev/chainloop/pkg/policies"
 	"github.com/go-kratos/kratos/v2/log"
 	"github.com/google/uuid"
 	"google.golang.org/protobuf/encoding/protojson"
@@ -299,6 +300,47 @@ func (uc *WorkflowContractUseCase) Update(ctx context.Context, orgID, name strin
 	return c, nil
 }
 
+func (uc *WorkflowContractUseCase) ValidateContractPolicies(rawSchema []byte, token string) error {
+	// Validate that externally provided policies exist
+	c, err := identifyUnMarshalAndValidateRawContract(rawSchema)
+	if err != nil {
+		return NewErrValidation(err)
+	}
+	for _, att := range c.Schema.GetPolicies().GetAttestation() {
+		_, err := uc.findPolicy(att, token)
+		if err != nil {
+			return NewErrValidation(err)
+		}
+	}
+	for _, att := range c.Schema.GetPolicies().GetMaterials() {
+		_, err := uc.findPolicy(att, token)
+		if err != nil {
+			return NewErrValidation(err)
+		}
+	}
+	return nil
+}
+
+func (uc *WorkflowContractUseCase) findPolicy(att *schemav1.PolicyAttachment, token string) (*schemav1.Policy, error) {
+	if att.GetEmbedded() != nil {
+		return att.GetEmbedded(), nil
+	}
+
+	// if it should come from a provider, check that it's available
+	// chainloop://[provider/]name
+	if loader.IsProviderScheme(att.GetRef()) {
+		provider, name := loader.ProviderParts(att.GetRef())
+		policy, err := uc.GetPolicy(provider, name, token)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get policy '%s': %w", name, err)
+		}
+		return policy, nil
+	}
+
+	// Otherwise, don't return an error, as it might consist of a local policy, not available in this context
+	return nil, nil
+}
+
 // Delete soft-deletes the entry
 func (uc *WorkflowContractUseCase) Delete(ctx context.Context, orgID, contractID string) error {
 	orgUUID, err := uuid.Parse(orgID)

pkg/policies/loader.go

@@ -66,7 +66,7 @@ func (l *BlobLoader) Load(_ context.Context, attachment *v1.PolicyAttachment) (*
 	return &spec, nil
 }
 
-const chainloopScheme = "chainloop"
+const ChainloopScheme = "chainloop"
 
 // ChainloopLoader loads policies referenced with chainloop://provider/name URLs
 type ChainloopLoader struct {
@@ -91,20 +91,11 @@ func (c *ChainloopLoader) Load(ctx context.Context, attachment *v1.PolicyAttachm
 		return remotePolicyCache[ref], nil
 	}
 
-	parts := strings.SplitN(ref, "://", 2)
-	if len(parts) != 2 || parts[0] != chainloopScheme {
+	if !IsProviderScheme(ref) {
 		return nil, fmt.Errorf("invalid policy reference %q", ref)
 	}
 
-	pn := strings.SplitN(parts[1], "/", 2)
-	var (
-		name     = pn[0]
-		provider string
-	)
-	if len(pn) == 2 {
-		provider = pn[0]
-		name = pn[1]
-	}
+	name, provider := ProviderParts(ref)
 
 	resp, err := c.Client.GetPolicy(ctx, &pb.AttestationServiceGetPolicyRequest{
 		Provider:   provider,
@@ -119,3 +110,23 @@ func (c *ChainloopLoader) Load(ctx context.Context, attachment *v1.PolicyAttachm
 
 	return resp.GetPolicy(), nil
 }
+
+// IsProviderScheme takes a policy reference and returns whether it's referencing to an external provider or not
+func IsProviderScheme(ref string) bool {
+	parts := strings.SplitN(ref, "://", 2)
+	return len(parts) == 2 && parts[0] == ChainloopScheme
+}
+
+func ProviderParts(ref string) (string, string) {
+	parts := strings.SplitN(ref, "://", 2)
+	pn := strings.SplitN(parts[1], "/", 2)
+	var (
+		name     = pn[0]
+		provider string
+	)
+	if len(pn) == 2 {
+		provider = pn[0]
+		name = pn[1]
+	}
+	return provider, name
+}

pkg/policies/policies.go

@@ -198,8 +198,7 @@ func (pv *PolicyVerifier) getLoader(attachment *v1.PolicyAttachment) (Loader, er
 	if emb != nil {
 		loader = new(EmbeddedLoader)
 	} else {
-		parts := strings.SplitN(ref, "://", 2)
-		if len(parts) == 2 && parts[0] == chainloopScheme {
+		if IsProviderScheme(ref) {
 			loader = NewChainloopLoader(pv.client)
 		} else {
 			loader = new(BlobLoader)