Merge pull request #1236 from simonbaird/rhtap-multi-ci-improvements

More code reuse for RHTAP Multi-CI rego

Author: simonbaird

antora/docs/modules/ROOT/pages/release_policy.adoc

@@ -211,8 +211,8 @@ a| A set of policy rules to validate artifacts built using RHTAP Jenkins pipelin
 
 Rules included:
 
-* xref:release_policy.adoc#rhtap_jenkins__invocation_id_found[RHTAP Jenkins: RHTAP Jenkins SLSA Invocation ID present]
-* xref:release_policy.adoc#rhtap_jenkins__attestation_found[RHTAP Jenkins: RHTAP Jenkins SLSA Provenance Attestation Found]
+* xref:release_policy.adoc#rhtap_multi_ci__attestation_format[RHTAP Multi-CI: SLSA Provenance Attestation Format]
+* xref:release_policy.adoc#rhtap_multi_ci__attestation_found[RHTAP Multi-CI: SLSA Provenance Attestation Found]
 
 | [#slsa3]`slsa3`
 a| Includes policy rules required to meet SLSA Level 3.
@@ -959,74 +959,36 @@ Check the image metadata for the presence of a "quay.expires-after" label. If it
 * Code: `quay_expiration.expires_label`
 * https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/quay_expiration/quay_expiration.rego#L16[Source, window="_blank"]
 
-[#rhtap_github_package]
-== link:#rhtap_github_package[RHTAP GitHub]
+[#rhtap_multi_ci_package]
+== link:#rhtap_multi_ci_package[RHTAP Multi-CI]
 
-Some initial checks for images built using an RHTAP GitHub build pipeline. Note that the RHTAP GitHub pipeline is WIP currently, but will be shipped in an upcoming release of RHTAP. It's expected more useful checks will be added in future. RHTAP GitHub pipelines are defined under https://github.com/redhat-appstudio/tssc-sample-templates/tree/main/skeleton/ci
+Checks for images built using an RHTAP build pipeline in either Jenkins, GitLab or GitHub. RHTAP pipelines are defined under https://github.com/redhat-appstudio/tssc-sample-templates/tree/main/skeleton/ci
 
-* Package name: `rhtap_github`
+* Package name: `rhtap_multi_ci`
 
-[#rhtap_github__attestation_found]
-=== link:#rhtap_github__attestation_found[RHTAP GitHub SLSA Provenance Attestation Found]
+[#rhtap_multi_ci__attestation_format]
+=== link:#rhtap_multi_ci__attestation_format[SLSA Provenance Attestation Format]
 
-Verify an attestation created by the RHTAP GitHub build pipeline is present.
+Confirm the attestation created by the RHTAP Multi-CI build pipeline matches the expected format.
 
-*Solution*: It appears the build pipeline did not create a SLSA provenance attestation. Check the logs in GitHub for the cosign-sign-attest stage to see if you can find out why.
+*Solution*: This check looks for some fields expected to be present in the SLSA attestation. Modifying the scripts that produce the attestation predicate might cause this to fail. See also the `att-predicate-*.sh` scripts at https://github.com/redhat-appstudio/tssc-dev-multi-ci/tree/main/rhtap
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
-* FAILURE message: `The expected SLSA v1.0 provenance with build type %s was not found.`
-* Code: `rhtap_github.attestation_found`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rhtap_github/rhtap_github.rego#L17[Source, window="_blank"]
+* FAILURE message: `RHTAP %s attestation problem: %s`
+* Code: `rhtap_multi_ci.attestation_format`
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rhtap_multi_ci/rhtap_multi_ci.rego#L40[Source, window="_blank"]
 
-[#rhtap_gitlab_package]
-== link:#rhtap_gitlab_package[RHTAP GitLab]
+[#rhtap_multi_ci__attestation_found]
+=== link:#rhtap_multi_ci__attestation_found[SLSA Provenance Attestation Found]
 
-Some initial checks for images built using an RHTAP GitLab build pipeline. Note that the RHTAP GitLab pipeline is WIP currently, but will be shipped in an upcoming release of RHTAP. It's expected more useful checks will be added in future. RHTAP GitLab pipelines are defined under https://github.com/redhat-appstudio/tssc-sample-templates/tree/main/skeleton/ci
+Verify an attestation created by the RHTAP Multi-CI build pipeline is present.
 
-* Package name: `rhtap_gitlab`
-
-[#rhtap_gitlab__attestation_found]
-=== link:#rhtap_gitlab__attestation_found[RHTAP GitLab SLSA Provenance Attestation Found]
-
-Verify an attestation created by the RHTAP GitLab build pipeline is present.
-
-*Solution*: It appears the build pipeline did not create a SLSA provenance attestation. Check the logs in GitLab for the cosign-sign-attest stage to see if you can find out why.
-
-* Rule type: [rule-type-indicator failure]#FAILURE#
-* FAILURE message: `The expected SLSA v1.0 provenance with build type %s was not found.`
-* Code: `rhtap_gitlab.attestation_found`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rhtap_gitlab/rhtap_gitlab.rego#L17[Source, window="_blank"]
-
-[#rhtap_jenkins_package]
-== link:#rhtap_jenkins_package[RHTAP Jenkins]
-
-Some initial checks for images built using an RHTAP Jenkins build pipeline. Note that the RHTAP Jenkins pipeline is WIP currently, but will be shipped in an upcoming release of RHTAP. It's expected more useful checks will be added in future. RHTAP Jenkins pipelines are defined under https://github.com/redhat-appstudio/tssc-sample-templates/tree/main/skeleton/ci
-
-* Package name: `rhtap_jenkins`
-
-[#rhtap_jenkins__invocation_id_found]
-=== link:#rhtap_jenkins__invocation_id_found[RHTAP Jenkins SLSA Invocation ID present]
-
-Confirm that an invocation ID was found in the attestation in the expected location.
-
-*Solution*: For some reason the invocation id was missing or empty in the build provenance. It should be located at `predicate.runDetails.metadata.invocationID` in the attestation statement.
-
-* Rule type: [rule-type-indicator failure]#FAILURE#
-* FAILURE message: `The build provenance metadata did not contain an invocation id.`
-* Code: `rhtap_jenkins.invocation_id_found`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rhtap_jenkins/rhtap_jenkins.rego#L36[Source, window="_blank"]
-
-[#rhtap_jenkins__attestation_found]
-=== link:#rhtap_jenkins__attestation_found[RHTAP Jenkins SLSA Provenance Attestation Found]
-
-Verify an attestation created by the RHTAP Jenkins build pipeline is present.
-
-*Solution*: It appears the build pipeline did not create a SLSA provenance attestation. Check the logs in Jenkins for the cosign-sign-attest stage to see if you can find out why.
+*Solution*: It appears the build pipeline did not create the expected SLSA provenance attestation. Check for relevant error messages in the 'cosign-sign-attest' pipeline step logs.
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
-* FAILURE message: `The expected SLSA v1.0 provenance with build type %s was not found.`
-* Code: `rhtap_jenkins.attestation_found`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rhtap_jenkins/rhtap_jenkins.rego#L17[Source, window="_blank"]
+* FAILURE message: `A SLSA v1.0 provenance with one of the following RHTAP Multi-CI build types was not found: %s.`
+* Code: `rhtap_multi_ci.attestation_found`
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/rhtap_multi_ci/rhtap_multi_ci.rego#L16[Source, window="_blank"]
 
 [#rpm_repos_package]
 == link:#rpm_repos_package[RPM Repos]

antora/docs/modules/ROOT/partials/release_policy_nav.adoc

@@ -71,13 +71,9 @@
 **** xref:release_policy.adoc#provenance_materials__git_clone_task_found[Git clone task found]
 *** xref:release_policy.adoc#quay_expiration_package[Quay expiration]
 **** xref:release_policy.adoc#quay_expiration__expires_label[Expires label]
-*** xref:release_policy.adoc#rhtap_github_package[RHTAP GitHub]
-**** xref:release_policy.adoc#rhtap_github__attestation_found[RHTAP GitHub SLSA Provenance Attestation Found]
-*** xref:release_policy.adoc#rhtap_gitlab_package[RHTAP GitLab]
-**** xref:release_policy.adoc#rhtap_gitlab__attestation_found[RHTAP GitLab SLSA Provenance Attestation Found]
-*** xref:release_policy.adoc#rhtap_jenkins_package[RHTAP Jenkins]
-**** xref:release_policy.adoc#rhtap_jenkins__invocation_id_found[RHTAP Jenkins SLSA Invocation ID present]
-**** xref:release_policy.adoc#rhtap_jenkins__attestation_found[RHTAP Jenkins SLSA Provenance Attestation Found]
+*** xref:release_policy.adoc#rhtap_multi_ci_package[RHTAP Multi-CI]
+**** xref:release_policy.adoc#rhtap_multi_ci__attestation_format[SLSA Provenance Attestation Format]
+**** xref:release_policy.adoc#rhtap_multi_ci__attestation_found[SLSA Provenance Attestation Found]
 *** xref:release_policy.adoc#rpm_repos_package[RPM Repos]
 **** xref:release_policy.adoc#rpm_repos__ids_known[All rpms have known repo ids]
 **** xref:release_policy.adoc#rpm_repos__rule_data_provided[Known repo id list provided]

policy/release/lib/attestations.rego

@@ -84,22 +84,6 @@ taskrun_attestations := [att |
 	att.statement.predicate.buildType in taskrun_att_build_types
 ]
 
-# For attestations created using an RHTAP build pipeline. See also:
-# - https://github.com/redhat-appstudio/tssc-sample-jenkins
-# - https://github.com/redhat-appstudio/tssc-sample-templates/tree/main/skeleton/ci/source-repo/jenkins
-# - https://github.com/redhat-appstudio/tssc-sample-templates/tree/main/skeleton/ci/gitops-template/jenkins
-# - https://github.com/redhat-appstudio/tssc-dev-multi-ci/blob/main/rhtap/att-predicate-jenkins.sh
-# - https://github.com/redhat-appstudio/tssc-dev-multi-ci/blob/main/rhtap/att-predicate-github.sh
-# - https://github.com/redhat-appstudio/tssc-dev-multi-ci/blob/main/rhtap/att-predicate-gitlab.sh
-#
-rhtap_build_type(rhtap_ci_type) := sprintf("https://redhat.com/rhtap/slsa-build-types/%s-build/v1", [rhtap_ci_type])
-
-rhtap_attestations(rhtap_ci_type) := [att |
-	some att in input.attestations
-	att.statement.predicateType == slsa_provenance_predicate_type_v1
-	att.statement.predicate.buildDefinition.buildType == rhtap_build_type(rhtap_ci_type)
-]
-
 tasks_from_pipelinerun := [task |
 	some att in pipelinerun_attestations
 	some task in tekton.tasks(att)

policy/release/lib/attestations_test.rego

@@ -416,10 +416,3 @@ test_result_values if {
 
 	not lib.result_values(123)
 }
-
-test_rhtap_build_type if {
-	lib.assert_equal(
-		"https://redhat.com/rhtap/slsa-build-types/bacon-build/v1",
-		lib.rhtap_build_type("bacon"),
-	)
-}