Merge pull request #1609 from st3penta/EC-1541

st3penta · web-flow · commit 5f0159a7bc9b · 2025-12-23T16:45:14.000+01:00
Implement support for version-based trusted_task_rules
diff --git a/acceptance/acceptance_test.go b/acceptance/acceptance_test.go
@@ -47,6 +47,12 @@ var (
 	sampleGCPolicyInput string
 	//go:embed samples/clamav-task.json
 	sampleClamAVTask string
+	//go:embed samples/trusted-task.json
+	sampleTrustedTask string
+	//go:embed samples/untrusted-task.json
+	sampleUntrustedTask string
+	//go:embed samples/untrusted-task-despite-valid-oci-ref-tag.json
+	sampleUntrustedTaskDespiteValidOciRefTag string
 )
 
 type testStateKey struct{}
@@ -105,6 +111,12 @@ func writeSampleGCPolicyInput(ctx context.Context, sampleName string) (context.C
 		content = sampleGCPolicyInput
 	case "clamav-task":
 		content = sampleClamAVTask
+	case "trusted-task":
+		content = sampleTrustedTask
+	case "untrusted-task":
+		content = sampleUntrustedTask
+	case "untrusted-task-despite-valid-oci-ref-tag":
+		content = sampleUntrustedTaskDespiteValidOciRefTag
 	default:
 		return ctx, fmt.Errorf("%q is not a known sample name", sampleName)
 	}
@@ -191,6 +203,24 @@ func thereShouldBeNoViolationsInTheResult(ctx context.Context) error {
 	return nil
 }
 
+func thereShouldBeViolationsInTheResult(ctx context.Context) error {
+	ts, err := getTestState(ctx)
+	if err != nil {
+		return fmt.Errorf("reading test state: %w", err)
+	}
+
+	violationCount := 0
+	for _, filepath := range ts.report.FilePaths {
+		violationCount += len(filepath.Violations)
+	}
+
+	if violationCount == 0 {
+		return errors.New("expected violations, but got none")
+	}
+
+	return nil
+}
+
 func thereShouldBeNoWarningsInTheResult(ctx context.Context) error {
 	ts, err := getTestState(ctx)
 	if err != nil {
@@ -350,6 +380,7 @@ func InitializeScenario(sc *godog.ScenarioContext) {
 	sc.Step(`^a policy config:$`, writePolicyConfig)
 	sc.Step(`^input is validated$`, validateInputWithPolicyConfig)
 	sc.Step(`^there should be no violations in the result$`, thereShouldBeNoViolationsInTheResult)
+	sc.Step(`^there should be violations in the result$`, thereShouldBeViolationsInTheResult)
 	sc.Step(`^there should be no warnings in the result$`, thereShouldBeNoWarningsInTheResult)
 	sc.Step(`^there should be no violations with "([^"]*)" collection in the result$`, thereShouldBeNoViolationsWithCollectionInTheResult)
 	sc.Step(`^there should be no violations with "([^"]*)" package in the result$`, thereShouldBeNoViolationsWithPackageInTheResult)
diff --git a/acceptance/features/task.feature b/acceptance/features/task.feature
@@ -26,3 +26,84 @@ Feature: Task Definition
         When input is validated
         Then there should be no violations in the result
         Then there should be no warnings in the result
+
+    Scenario: Trusted task using trusted_task_rules
+        Given a sample policy input "trusted-task"
+        And a policy config:
+            """
+            {
+                "sources": [
+                    {
+                        "policy": [
+                            "$GITROOT/policy/lib",
+                            "$GITROOT/policy/pipeline"
+                        ],
+                        "data": [
+                            "$GITROOT/example/data",
+                            "$GITROOT/acceptance/testdata"
+                        ],
+                        "config": {
+                            "include": [
+                                "task_bundle.*"
+                            ]
+                        }
+                    }
+                ]
+            }
+            """
+        When input is validated
+        Then there should be no violations in the result
+
+    Scenario: Untrusted task rejected by trusted_task_rules
+        Given a sample policy input "untrusted-task"
+        And a policy config:
+            """
+            {
+                "sources": [
+                    {
+                        "policy": [
+                            "$GITROOT/policy/lib",
+                            "$GITROOT/policy/pipeline"
+                        ],
+                        "data": [
+                            "$GITROOT/example/data",
+                            "$GITROOT/acceptance/testdata"
+                        ],
+                        "config": {
+                            "include": [
+                                "task_bundle.*"
+                            ]
+                        }
+                    }
+                ]
+            }
+            """
+        When input is validated
+        Then there should be violations in the result
+
+    Scenario: Task rejected by trusted_task_rules because of no tag in the manifest annotations (tag in oci ref is ignored)
+        Given a sample policy input "untrusted-task-despite-valid-oci-ref-tag"
+        And a policy config:
+            """
+            {
+                "sources": [
+                    {
+                        "policy": [
+                            "$GITROOT/policy/lib",
+                            "$GITROOT/policy/pipeline"
+                        ],
+                        "data": [
+                            "$GITROOT/example/data",
+                            "$GITROOT/acceptance/testdata"
+                        ],
+                        "config": {
+                            "include": [
+                                "task_bundle.*"
+                            ]
+                        }
+                    }
+                ]
+            }
+            """
+        When input is validated
+        Then there should be violations in the result
diff --git a/acceptance/samples/trusted-task.json b/acceptance/samples/trusted-task.json
@@ -0,0 +1,31 @@
+{
+  "apiVersion": "tekton.dev/v1",
+  "kind": "Pipeline",
+  "metadata": {
+    "name": "test-pipeline"
+  },
+  "spec": {
+    "tasks": [
+      {
+        "name": "buildah-task",
+        "taskRef": {
+          "resolver": "bundles",
+          "params": [
+            {
+              "name": "bundle",
+              "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.6@sha256:8dcb64b7cd78a3ab1b2cb0e991860ba519aac5a4682b2e7f9f8f91ded1101e29"
+            },
+            {
+              "name": "name",
+              "value": "buildah"
+            },
+            {
+              "name": "kind",
+              "value": "task"
+            }
+          ]
+        }
+      }
+    ]
+  }
+}
diff --git a/acceptance/samples/untrusted-task-despite-valid-oci-ref-tag.json b/acceptance/samples/untrusted-task-despite-valid-oci-ref-tag.json
@@ -0,0 +1,32 @@
+{
+  "_comment": "Task with OCI ref tag 0.7 that should be denied because manifest annotation shows version 0.5 (0.7 in the oci ref is ignored)",
+  "apiVersion": "tekton.dev/v1",
+  "kind": "Pipeline",
+  "metadata": {
+    "name": "test-pipeline"
+  },
+  "spec": {
+    "tasks": [
+      {
+        "name": "buildah-task",
+        "taskRef": {
+          "resolver": "bundles",
+          "params": [
+            {
+              "name": "bundle",
+              "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.7@sha256:633a99fc16d0b05d32a9c08f792ac1ddaecabf6db5ac805856ac92970b63025b"
+            },
+            {
+              "name": "name",
+              "value": "buildah"
+            },
+            {
+              "name": "kind",
+              "value": "task"
+            }
+          ]
+        }
+      }
+    ]
+  }
+}
diff --git a/acceptance/samples/untrusted-task.json b/acceptance/samples/untrusted-task.json
@@ -0,0 +1,31 @@
+{
+  "apiVersion": "tekton.dev/v1",
+  "kind": "Pipeline",
+  "metadata": {
+    "name": "test-pipeline"
+  },
+  "spec": {
+    "tasks": [
+      {
+        "name": "buildah-task",
+        "taskRef": {
+          "resolver": "bundles",
+          "params": [
+            {
+              "name": "bundle",
+              "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.5@sha256:633a99fc16d0b05d32a9c08f792ac1ddaecabf6db5ac805856ac92970b63025b"
+            },
+            {
+              "name": "name",
+              "value": "buildah"
+            },
+            {
+              "name": "kind",
+              "value": "task"
+            }
+          ]
+        }
+      }
+    ]
+  }
+}
diff --git a/acceptance/testdata/trusted-task-rules-data.yml b/acceptance/testdata/trusted-task-rules-data.yml
@@ -0,0 +1,24 @@
+---
+# Copyright The Conforma Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+rule_data:
+  trusted_task_rules:
+    allow:
+      - name: "Allow Konflux tasks"
+        pattern: "oci://quay.io/konflux-ci/tekton-catalog/*"
+    deny:
+      - name: "Deprecate old buildah versions"
+        pattern: "oci://quay.io/konflux-ci/tekton-catalog/task-buildah"
+        versions: ["<=0.5"]
diff --git a/policy/lib/tekton/trusted.rego b/policy/lib/tekton/trusted.rego
diff --git a/policy/lib/tekton/trusted_test.rego b/policy/lib/tekton/trusted_test.rego
