feat: support storage and use of custom rego engine hostnames (#2315)

Signed-off-by: Miguel Martinez <[email protected]>

Author: migmartri

app/cli/cmd/organization_describe.go

@@ -17,6 +17,7 @@ package cmd
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/chainloop-dev/chainloop/app/cli/internal/action"
 	"github.com/jedib0t/go-pretty/v6/table"
@@ -48,7 +49,12 @@ func contextTableOutput(config *action.ConfigContextItem) error {
 	gt.AppendSeparator()
 
 	if m := config.CurrentMembership; m != nil {
-		gt.AppendRow(table.Row{"Organization", fmt.Sprintf("%s (role=%s)\nPolicy strategy=%s", m.Org.Name, m.Role, m.Org.PolicyViolationBlockingStrategy)})
+		orgInfo := fmt.Sprintf("%s (role=%s)\nPolicy strategy=%s", m.Org.Name, m.Role, m.Org.PolicyViolationBlockingStrategy)
+		if len(m.Org.PolicyAllowedHostnames) > 0 {
+			orgInfo += fmt.Sprintf("\nPolicy allowed hostnames: %v", strings.Join(m.Org.PolicyAllowedHostnames, ", "))
+		}
+
+		gt.AppendRow(table.Row{"Organization", orgInfo})
 	}
 
 	backend := config.CurrentCASBackend

app/cli/cmd/organization_update.go

@@ -16,16 +16,15 @@
 package cmd
 
 import (
-	"context"
-
 	"github.com/chainloop-dev/chainloop/app/cli/internal/action"
 	"github.com/spf13/cobra"
 )
 
 func newOrganizationUpdateCmd() *cobra.Command {
 	var (
-		orgName                string
-		blockOnPolicyViolation bool
+		orgName                  string
+		blockOnPolicyViolation   bool
+		policiesAllowedHostnames []string
 	)
 
 	cmd := &cobra.Command{
@@ -37,7 +36,11 @@ func newOrganizationUpdateCmd() *cobra.Command {
 				opts.BlockOnPolicyViolation = &blockOnPolicyViolation
 			}
 
-			_, err := action.NewOrgUpdate(actionOpts).Run(context.Background(), orgName, opts)
+			if cmd.Flags().Changed("policies-allowed-hostnames") {
+				opts.PoliciesAllowedHostnames = &policiesAllowedHostnames
+			}
+
+			_, err := action.NewOrgUpdate(actionOpts).Run(cmd.Context(), orgName, opts)
 			if err != nil {
 				return err
 			}
@@ -52,5 +55,6 @@ func newOrganizationUpdateCmd() *cobra.Command {
 	cobra.CheckErr(err)
 
 	cmd.Flags().BoolVar(&blockOnPolicyViolation, "block", false, "set the default policy violation blocking strategy")
+	cmd.Flags().StringSliceVar(&policiesAllowedHostnames, "policies-allowed-hostnames", []string{}, "set the allowed hostnames for the policy engine")
 	return cmd
 }

app/cli/documentation/cli-reference.mdx

@@ -2710,9 +2710,10 @@ chainloop organization update [flags]
 Options
 
 ```
---block         set the default policy violation blocking strategy
--h, --help          help for update
---name string   organization name
+--block                                set the default policy violation blocking strategy
+-h, --help                                 help for update
+--name string                          organization name
+--policies-allowed-hostnames strings   set the allowed hostnames for the policy engine
 ```
 
 Options inherited from parent commands

app/cli/internal/action/action.go

@@ -81,7 +81,7 @@ func newCrafter(stateOpts *newCrafterStateOpts, conn *grpc.ClientConn, opts ...c
 			attestationStatePath = path
 		}
 
-		c.Logger.Debug().Str("path", attestationStatePath).Msg("using local state")
+		c.Logger.Debug().Str("path", fmt.Sprintf("file:%s", attestationStatePath)).Msg("using local state")
 		stateManager, err = filesystem.New(attestationStatePath)
 	}
 

app/cli/internal/action/attestation_init.go

@@ -173,8 +173,9 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 
 	var (
 		// Identifier of this attestation instance
-		attestationID          string
-		blockOnPolicyViolation bool
+		attestationID            string
+		blockOnPolicyViolation   bool
+		policiesAllowedHostnames []string
 		// Timestamp Authority URL for new attestations
 		timestampAuthorityURL, signingCAName string
 	)
@@ -197,14 +198,18 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 			return "", err
 		}
 
-		workflowRun := runResp.GetResult().GetWorkflowRun()
+		result := runResp.GetResult()
+		workflowRun := result.GetWorkflowRun()
 		workflowMeta.WorkflowRunId = workflowRun.GetId()
-		workflowMeta.Organization = runResp.GetResult().GetOrganization()
-		blockOnPolicyViolation = runResp.GetResult().GetBlockOnPolicyViolation()
-		timestampAuthorityURL = runResp.GetResult().GetSigningOptions().GetTimestampAuthorityUrl()
-		signingCAName = runResp.GetResult().GetSigningOptions().GetSigningCa()
-		if v := workflowMeta.Version; v != nil {
-			workflowMeta.Version.Prerelease = runResp.GetResult().GetWorkflowRun().Version.GetPrerelease()
+		workflowMeta.Organization = result.GetOrganization()
+		blockOnPolicyViolation = result.GetBlockOnPolicyViolation()
+		policiesAllowedHostnames = result.GetPoliciesAllowedHostnames()
+		signingOpts := result.GetSigningOptions()
+		timestampAuthorityURL = signingOpts.GetTimestampAuthorityUrl()
+		signingCAName = signingOpts.GetSigningCa()
+
+		if v := workflowMeta.Version; v != nil && workflowRun.GetVersion() != nil {
+			v.Prerelease = workflowRun.GetVersion().GetPrerelease()
 		}
 
 		action.Logger.Debug().Str("workflow-run-id", workflowRun.GetId()).Msg("attestation initialized in the control plane")
@@ -224,12 +229,14 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 	// NOTE: important to run this initialization here since workflowMeta is populated
 	// with the workflowRunId that comes from the control plane
 	initOpts := &crafter.InitOpts{
-		WfInfo:                 workflowMeta,
-		SchemaV1:               contractVersion.GetV1(),
-		DryRun:                 action.dryRun,
-		AttestationID:          attestationID,
-		Runner:                 discoveredRunner,
-		BlockOnPolicyViolation: blockOnPolicyViolation,
+		WfInfo: workflowMeta,
+		//nolint:staticcheck // TODO: Migrate to new contract version API
+		SchemaV1:                 contractVersion.GetV1(),
+		DryRun:                   action.dryRun,
+		AttestationID:            attestationID,
+		Runner:                   discoveredRunner,
+		BlockOnPolicyViolation:   blockOnPolicyViolation,
+		PoliciesAllowedHostnames: policiesAllowedHostnames,
 		SigningOptions: &crafter.SigningOpts{
 			TimestampAuthorityURL: timestampAuthorityURL,
 			SigningCAName:         signingCAName,

app/cli/internal/action/membership_list.go

@@ -32,6 +32,7 @@ type OrgItem struct {
 	ID, Name                        string
 	CreatedAt                       *time.Time
 	PolicyViolationBlockingStrategy string
+	PolicyAllowedHostnames          []string `json:"policyAllowedHostnames,omitempty"`
 }
 
 type MembershipItem struct {
@@ -129,9 +130,10 @@ func (action *MembershipList) ListMembers(ctx context.Context, page int, pageSiz
 
 func pbOrgItemToAction(in *pb.OrgItem) *OrgItem {
 	i := &OrgItem{
-		ID:        in.Id,
-		Name:      in.Name,
-		CreatedAt: toTimePtr(in.CreatedAt.AsTime()),
+		ID:                     in.Id,
+		Name:                   in.Name,
+		CreatedAt:              toTimePtr(in.CreatedAt.AsTime()),
+		PolicyAllowedHostnames: in.PolicyAllowedHostnames,
 	}
 
 	if in.DefaultPolicyViolationStrategy == pb.OrgItem_POLICY_VIOLATION_BLOCKING_STRATEGY_BLOCK {

app/cli/internal/action/org_update.go

@@ -30,14 +30,24 @@ func NewOrgUpdate(cfg *ActionsOpts) *OrgUpdate {
 }
 
 type NewOrgUpdateOpts struct {
-	BlockOnPolicyViolation *bool
+	BlockOnPolicyViolation   *bool
+	PoliciesAllowedHostnames *[]string
 }
 
 func (action *OrgUpdate) Run(ctx context.Context, name string, opts *NewOrgUpdateOpts) (*OrgItem, error) {
 	client := pb.NewOrganizationServiceClient(action.cfg.CPConnection)
-	resp, err := client.Update(ctx, &pb.OrganizationServiceUpdateRequest{
-		Name: name, BlockOnPolicyViolation: opts.BlockOnPolicyViolation,
-	})
+
+	payload := &pb.OrganizationServiceUpdateRequest{
+		Name:                   name,
+		BlockOnPolicyViolation: opts.BlockOnPolicyViolation,
+	}
+
+	if opts.PoliciesAllowedHostnames != nil {
+		payload.PoliciesAllowedHostnames = *opts.PoliciesAllowedHostnames
+		payload.UpdatePoliciesAllowedHostnames = true
+	}
+
+	resp, err := client.Update(ctx, payload)
 	if err != nil {
 		return nil, err
 	}