Merge pull request #1574 from joejstuart/EC-1537

joejstuart · web-flow · commit 0b1574b131df · 2025-11-25T10:55:58.000-06:00
Add schema validation for trusted_task_rules
diff --git a/policy/lib/tekton/trusted.rego b/policy/lib/tekton/trusted.rego
@@ -202,3 +202,111 @@ data_errors contains error if {
 		},
 	)
 }
+
+# Validate trusted_task_rules data format using the schema defined in
+# trusted_tasks/trusted_task_rules.schema.json
+# Skip validation if trusted_task_rules is not provided (null or empty list []).
+# lib_rule_data returns [] when a key is not found, so we only validate when
+# the value is actually an object (the expected type).
+data_errors contains error if {
+	trusted_task_rules_data := lib_rule_data("trusted_task_rules")
+	is_object(trusted_task_rules_data) # Only validate if it's an object (skip null and [])
+	some e in j.validate_schema(trusted_task_rules_data, _trusted_task_rules_schema)
+	error := {
+		"message": sprintf("trusted_task_rules data has unexpected format: %s", [e.message]),
+		"severity": e.severity,
+	}
+}
+
+# Schema for trusted_task_rules as defined in trusted_tasks/trusted_task_rules.schema.json
+# This schema validates the rule-based trusted tasks configuration (ADR 53)
+_trusted_task_rules_schema := {
+	"$schema": "http://json-schema.org/draft-07/schema#",
+	"$id": "https://konflux.io/schemas/trusted_task_rules.json",
+	"title": "Trusted Task Rules Schema",
+	"description": "Schema for trusted_task_rules configuration as defined in ADR 53",
+	"type": "object",
+	"properties": {
+		"allow": {
+			"type": "array",
+			"description": "Rules that allow tasks matching the pattern",
+			"items": {
+				"type": "object",
+				"required": ["name", "pattern"],
+				"properties": {
+					"name": {
+						"type": "string",
+						"description": "Human-readable name for the rule",
+					},
+					"pattern": {
+						"type": "string",
+						# regal ignore:line-length
+						"description": "URL pattern to match task references. Must not include version tags (e.g., 'oci://quay.io/konflux-ci/tekton-catalog/*' not 'oci://quay.io/konflux-ci/tekton-catalog/task-buildah:0.4*'). Supports wildcards (*).",
+						"pattern": "^(oci://|git\\+)",
+					},
+					"effective_on": {
+						"type": "string",
+						"format": "date",
+						# regal ignore:line-length
+						"description": "Date when this rule becomes effective (e.g., '2025-02-01'). Rules with future effective_on dates are not considered. If omitted, rule is effective immediately.",
+					},
+					"versions": {
+						"type": "array",
+						# regal ignore:line-length
+						"description": "Version constraints to apply. Only tasks matching these version constraints are allowed. Non-semver tags never match version constraints.",
+						"items": {
+							"type": "string",
+							"description": "Version constraint using semver syntax (e.g., '<0.5', '>=2,<2.1.0')",
+						},
+						"minItems": 1,
+					},
+				},
+				"additionalProperties": true,
+			},
+			"default": [],
+		},
+		"deny": {
+			"type": "array",
+			"description": "Rules that deny tasks matching the pattern. Deny rules take precedence over allow rules.",
+			"items": {
+				"type": "object",
+				"required": ["name", "pattern"],
+				"properties": {
+					"name": {
+						"type": "string",
+						"description": "Human-readable name for the rule",
+					},
+					"pattern": {
+						"type": "string",
+						# regal ignore:line-length
+						"description": "URL pattern to match task references. Must not include version tags (e.g., 'oci://quay.io/konflux-ci/tekton-catalog/task-buildah*' not 'oci://quay.io/konflux-ci/tekton-catalog/task-buildah:0.4*'). Supports wildcards (*).",
+						"pattern": "^(oci://|git\\+)",
+					},
+					"effective_on": {
+						"type": "string",
+						"format": "date",
+						# regal ignore:line-length
+						"description": "Date when this rule becomes effective (e.g., '2025-11-15'). Rules with future effective_on dates are not considered. If omitted, rule is effective immediately.",
+					},
+					"message": {
+						"type": "string",
+						"description": "User-visible message explaining why the task is denied (e.g., deprecation notice)",
+					},
+					"versions": {
+						"type": "array",
+						# regal ignore:line-length
+						"description": "Version constraints to apply. Only tasks matching these version constraints are denied. Non-semver tags never match version constraints.",
+						"items": {
+							"type": "string",
+							"description": "Version constraint using semver syntax (e.g., '<0.5', '>=2,<2.1.0')",
+						},
+						"minItems": 1,
+					},
+				},
+				"additionalProperties": true,
+			},
+			"default": [],
+		},
+	},
+	"additionalProperties": false,
+}
diff --git a/policy/lib/tekton/trusted_test.rego b/policy/lib/tekton/trusted_test.rego
@@ -238,6 +238,91 @@ test_task_expiry_warning_days_data if {
 	lib.assert_empty(tekton.data_errors) with data.rule_data.task_expiry_warning_days as 14
 }
 
+test_trusted_task_rules_data_errors if {
+	# When trusted_task_rules is not provided (defaults to []), validation should be skipped
+	lib.assert_empty(tekton.data_errors)
+
+	# Valid empty object should pass
+	lib.assert_empty(tekton.data_errors) with data.rule_data.trusted_task_rules as {}
+
+	# Valid trusted_task_rules should pass
+	valid_rules := {
+		"allow": [{
+			"name": "Allow all konflux tasks",
+			"pattern": "oci://quay.io/konflux-ci/tekton-catalog/*",
+		}],
+		"deny": [{
+			"name": "Deny old buildah",
+			"pattern": "oci://quay.io/konflux-ci/tekton-catalog/task-buildah*",
+			"versions": ["<0.5"],
+			"effective_on": "2025-11-15",
+			"message": "Deprecated",
+		}],
+	}
+	lib.assert_empty(tekton.data_errors) with data.rule_data.trusted_task_rules as valid_rules
+
+	# Missing required fields
+	invalid_rules := {"allow": [{}]} # missing name and pattern
+	expected := {
+		{
+			"message": "trusted_task_rules data has unexpected format: allow.0: name is required",
+			"severity": "failure",
+		},
+		{
+			"message": "trusted_task_rules data has unexpected format: allow.0: pattern is required",
+			"severity": "failure",
+		},
+	}
+	lib.assert_equal(tekton.data_errors, expected) with data.rule_data.trusted_task_rules as invalid_rules
+
+	# Invalid pattern validation is not tested here because JSON schema
+	# pattern validation may not be enforced by the OPA json.match_schema
+	# function. Pattern validation should be implemented separately in the
+	# rule evaluation logic when trusted_task_rules is used.
+
+	# Invalid effective_on date format
+	invalid_date_rules := {"allow": [{
+		"name": "Invalid date",
+		"pattern": "oci://quay.io/konflux-ci/tekton-catalog/*",
+		"effective_on": "not-a-date",
+	}]}
+	expected_date := {{
+		# regal ignore:line-length
+		"message": "trusted_task_rules data has unexpected format: allow.0.effective_on: Does not match format 'date'",
+		"severity": "failure",
+	}}
+	lib.assert_equal(tekton.data_errors, expected_date) with data.rule_data.trusted_task_rules as invalid_date_rules
+
+	# Invalid structure - not an object
+	lib.assert_empty(tekton.data_errors) with data.rule_data.trusted_task_rules as [] # Empty list is skipped
+
+	# Invalid allow/deny - not arrays
+	invalid_structure := {
+		"allow": "not-an-array",
+		"deny": [{
+			"name": "Valid deny",
+			"pattern": "oci://quay.io/konflux-ci/tekton-catalog/*",
+		}],
+	}
+	expected_structure := {{
+		"message": "trusted_task_rules data has unexpected format: allow: Invalid type. Expected: array, given: string",
+		"severity": "failure",
+	}}
+	lib.assert_equal(tekton.data_errors, expected_structure) with data.rule_data.trusted_task_rules as invalid_structure
+
+	# Empty versions array (should fail minItems: 1)
+	invalid_versions := {"allow": [{
+		"name": "Empty versions",
+		"pattern": "oci://quay.io/konflux-ci/tekton-catalog/*",
+		"versions": [],
+	}]}
+	expected_versions := {{
+		"message": "trusted_task_rules data has unexpected format: allow.0.versions: Array must have at least 1 items",
+		"severity": "failure",
+	}}
+	lib.assert_equal(tekton.data_errors, expected_versions) with data.rule_data.trusted_task_rules as invalid_versions
+}
+
 trusted_bundle_task := {"spec": {"taskRef": {"resolver": "bundles", "params": [
 	{"name": "bundle", "value": "registry.local/trusty:1.0@sha256:digest"},
 	{"name": "name", "value": "trusty"},
