feat(policies): validate policy attachments against remote provider (#1668)

jiparis · web-flow · commit d92660a8de2f · 2024-12-17T16:25:46.000+01:00
Signed-off-by: Jose I. Paris &lt;jiparis@chainloop.dev&gt;
diff --git a/app/controlplane/pkg/biz/workflowcontract.go b/app/controlplane/pkg/biz/workflowcontract.go
@@ -359,6 +359,19 @@ func (uc *WorkflowContractUseCase) ValidateContractPolicies(rawSchema []byte, to
 	return nil
 }
 
+func (uc *WorkflowContractUseCase) ValidatePolicyAttachment(providerName string, att *schemav1.PolicyAttachment, token string) error {
+	provider, err := uc.findProvider(providerName)
+	if err != nil {
+		return err
+	}
+
+	if err = provider.ValidateAttachment(att, token); err != nil {
+		return fmt.Errorf("invalid attachment: %w", err)
+	}
+
+	return nil
+}
+
 func (uc *WorkflowContractUseCase) findAndValidatePolicy(att *schemav1.PolicyAttachment, token string) (*schemav1.Policy, error) {
 	var policy *schemav1.Policy
 
@@ -370,6 +383,11 @@ func (uc *WorkflowContractUseCase) findAndValidatePolicy(att *schemav1.PolicyAtt
 	// [chainloop://][provider:][org_name/]name
 	if loader.IsProviderScheme(att.GetRef()) {
 		pr := loader.ProviderParts(att.GetRef())
+		// Validate attachment
+		if err := uc.ValidatePolicyAttachment(pr.Provider, att, token); err != nil {
+			return nil, err
+		}
+
 		remotePolicy, err := uc.GetPolicy(pr.Provider, pr.Name, pr.OrgName, token)
 		if err != nil {
 			return nil, err
diff --git a/app/controlplane/pkg/policies/policyprovider.go b/app/controlplane/pkg/policies/policyprovider.go
@@ -16,6 +16,7 @@
 package policies
 
 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -31,6 +32,7 @@ import (
 
 const (
 	policiesEndpoint = "policies"
+	validateAction   = "validate"
 	groupsEndpoint   = "groups"
 
 	digestParam  = "digest"
@@ -50,6 +52,15 @@ type ProviderResponse struct {
 	Raw    *RawMessage    `json:"raw"`
 }
 
+type ValidateRequest struct {
+	PolicyAttachment string `json:"policy_attachment"`
+}
+
+type ValidateResponse struct {
+	Valid            bool     `json:"valid"`
+	ValidationErrors []string `json:"validationErrors"`
+}
+
 type RawMessage struct {
 	Body   []byte `json:"body"`
 	Format string `json:"format"`
@@ -88,6 +99,73 @@ func (p *PolicyProvider) Resolve(policyName, orgName, token string) (*schemaapi.
 	return &policy, createRef(url, policyName, providerDigest, orgName), nil
 }
 
+func (p *PolicyProvider) ValidateAttachment(att *schemaapi.PolicyAttachment, token string) error {
+	endpoint, err := url.JoinPath(p.url, policiesEndpoint, validateAction)
+	if err != nil {
+		return fmt.Errorf("invalid url: %w", err)
+	}
+	url, err := url.Parse(endpoint)
+	if err != nil {
+		return fmt.Errorf("error parsing policy provider URL: %w", err)
+	}
+
+	attBody, err := protojson.Marshal(att)
+	if err != nil {
+		return fmt.Errorf("error serializing policy attachment: %w", err)
+	}
+
+	validateReq := &ValidateRequest{
+		PolicyAttachment: string(attBody),
+	}
+
+	reqBody, err := json.Marshal(validateReq)
+	if err != nil {
+		return fmt.Errorf("error serializing policy validation request: %w", err)
+	}
+
+	req, err := http.NewRequest("POST", url.String(), bytes.NewReader(reqBody))
+	if err != nil {
+		return fmt.Errorf("error creating policy request: %w", err)
+	}
+
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
+	req.Header.Set("Content-Type", "application/json")
+
+	// make the request
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("error executing policy request: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		if resp.StatusCode == http.StatusNotFound {
+			// Ignore endpoint not found as it might not be implemented by the provider
+			return nil
+		}
+
+		return fmt.Errorf("expected status code 200 but got %d", resp.StatusCode)
+	}
+
+	resBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("error reading validation response: %w", err)
+	}
+
+	defer resp.Body.Close()
+
+	// unmarshall response
+	var response ValidateResponse
+	if err := json.Unmarshal(resBytes, &response); err != nil {
+		return fmt.Errorf("error unmarshalling validation response: %w", err)
+	}
+
+	if !response.Valid {
+		return fmt.Errorf("validation failures: %v", response.ValidationErrors)
+	}
+
+	return nil
+}
+
 // ResolveGroup calls remote provider for retrieving a policy group definition
 func (p *PolicyProvider) ResolveGroup(groupName, orgName, token string) (*schemaapi.PolicyGroup, *PolicyReference, error) {
 	if groupName == "" || token == "" {
