Merge pull request #1228 from zregvart/issue/EC-944

Author: zregvart

antora/docs/modules/ROOT/pages/pipeline_policy.adoc

@@ -19,7 +19,7 @@ Confirm the `trusted_tasks` rule data was provided, since it's required by the p
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Missing required trusted_tasks data`
 * Code: `task_bundle.missing_required_data`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L92[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L94[Source, window="_blank"]
 
 [#task_bundle__untrusted_task_bundle]
 === link:#task_bundle__untrusted_task_bundle[Task bundle is not trusted]
@@ -29,15 +29,15 @@ For each Task in the Pipeline definition, check if the Tekton Bundle used is a t
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Pipeline task '%s' uses an untrusted task bundle '%s'`
 * Code: `task_bundle.untrusted_task_bundle`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L77[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L79[Source, window="_blank"]
 
 [#task_bundle__out_of_date_task_bundle]
 === link:#task_bundle__out_of_date_task_bundle[Task bundle is out of date]
 
 For each Task in the Pipeline definition, check if the Tekton Bundle used is the most recent.
 
 * Rule type: [rule-type-indicator warning]#WARNING#
-* WARNING message: `Pipeline task '%s' uses an out of date task bundle '%s'`
+* WARNING message: `Pipeline task '%s' uses an out of date task bundle '%s', new version of the Task must be used before %s`
 * Code: `task_bundle.out_of_date_task_bundle`
 * https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L34[Source, window="_blank"]
 
@@ -49,7 +49,7 @@ Check that a valid task bundle reference is being used.
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Pipeline task '%s' uses an empty bundle image reference`
 * Code: `task_bundle.empty_task_bundle_reference`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L64[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L66[Source, window="_blank"]
 
 [#task_bundle__disallowed_task_reference]
 === link:#task_bundle__disallowed_task_reference[Task bundle was not used or is not defined]
@@ -59,7 +59,7 @@ Check for the existence of a task bundle. This rule will fail if the task is not
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Pipeline task '%s' does not contain a bundle reference`
 * Code: `task_bundle.disallowed_task_reference`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L50[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/pipeline/task_bundle/task_bundle.rego#L52[Source, window="_blank"]
 
 [#task_bundle__unpinned_task_bundle]
 === link:#task_bundle__unpinned_task_bundle[Unpinned task bundle reference]

antora/docs/modules/ROOT/pages/release_policy.adoc

@@ -1602,7 +1602,7 @@ Confirm the `trusted_tasks` rule data was provided, since it's required by the p
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Missing required trusted_tasks data`
 * Code: `attestation_task_bundle.trusted_bundles_provided`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/attestation_task_bundle/attestation_task_bundle.rego#L113[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/attestation_task_bundle/attestation_task_bundle.rego#L114[Source, window="_blank"]
 
 [#attestation_task_bundle__task_ref_bundles_not_empty]
 === link:#attestation_task_bundle__task_ref_bundles_not_empty[Task bundle references not empty]
@@ -1614,7 +1614,7 @@ Check that a valid task bundle reference is being used.
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Pipeline task '%s' uses an empty bundle image reference`
 * Code: `attestation_task_bundle.task_ref_bundles_not_empty`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/attestation_task_bundle/attestation_task_bundle.rego#L75[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/attestation_task_bundle/attestation_task_bundle.rego#L76[Source, window="_blank"]
 
 [#attestation_task_bundle__task_ref_bundles_pinned]
 === link:#attestation_task_bundle__task_ref_bundles_pinned[Task bundle references pinned to digest]
@@ -1638,7 +1638,7 @@ For each Task in the SLSA Provenance attestation, check if the Tekton Bundle use
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Pipeline task '%s' uses an untrusted task bundle '%s'`
 * Code: `attestation_task_bundle.task_ref_bundles_trusted`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/attestation_task_bundle/attestation_task_bundle.rego#L92[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/attestation_task_bundle/attestation_task_bundle.rego#L93[Source, window="_blank"]
 
 [#attestation_task_bundle__task_ref_bundles_current]
 === link:#attestation_task_bundle__task_ref_bundles_current[Task bundles are latest versions]
@@ -1648,7 +1648,7 @@ For each Task in the SLSA Provenance attestation, check if the Tekton Bundle use
 *Solution*: A task bundle used is not the most recent. The most recent task bundles are defined in the data source of your policy config.
 
 * Rule type: [rule-type-indicator warning]#WARNING#
-* WARNING message: `Pipeline task '%s' uses an out of date task bundle '%s'`
+* WARNING message: `Pipeline task '%s' uses an out of date task bundle '%s', new version of the Task must be used before %s`
 * Code: `attestation_task_bundle.task_ref_bundles_current`
 * https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/attestation_task_bundle/attestation_task_bundle.rego#L38[Source, window="_blank"]
 
@@ -1660,7 +1660,7 @@ Check for the existence of a task bundle. This rule will fail if the task is not
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Pipeline task '%s' does not contain a bundle reference`
 * Code: `attestation_task_bundle.tasks_defined_in_bundle`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/attestation_task_bundle/attestation_task_bundle.rego#L59[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/attestation_task_bundle/attestation_task_bundle.rego#L60[Source, window="_blank"]
 
 [#tasks_package]
 == link:#tasks_package[Tasks]
@@ -1933,7 +1933,7 @@ Confirm the expected `trusted_tasks` data keys have been provided in the expecte
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `trusted_task.data_format`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L184[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L187[Source, window="_blank"]
 
 [#trusted_task__pinned]
 === link:#trusted_task__pinned[Task references are pinned]
@@ -1959,7 +1959,7 @@ Confirm the `trusted_tasks` rule data was provided, since it's required by the p
 * FAILURE message: `Missing required trusted_tasks data`
 * Code: `trusted_task.data`
 * Effective from: `2024-05-07T00:00:00Z`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L134[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L137[Source, window="_blank"]
 
 [#trusted_task__trusted]
 === link:#trusted_task__trusted[Tasks are trusted]
@@ -1972,7 +1972,7 @@ Check the trust of the Tekton Tasks used in the build Pipeline. There are two mo
 * FAILURE message: `%s`
 * Code: `trusted_task.trusted`
 * Effective from: `2024-05-07T00:00:00Z`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L71[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L74[Source, window="_blank"]
 
 [#trusted_task__current]
 === link:#trusted_task__current[Tasks using the latest versions]
@@ -1982,7 +1982,7 @@ Check if all Tekton Tasks use the latest known Task reference.
 *Solution*: Update the Task reference to a newer version.
 
 * Rule type: [rule-type-indicator warning]#WARNING#
-* WARNING message: `Pipeline task %q uses an out of date task reference, %s`
+* WARNING message: `Pipeline task %q uses an out of date task reference, %s. A new version of the task must be used before %s`
 * Code: `trusted_task.current`
 * Effective from: `2024-05-07T00:00:00Z`
 * https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L49[Source, window="_blank"]
@@ -1997,7 +1997,7 @@ All input trusted artifacts must be produced on the pipeline. If they are not th
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Code tampering detected, input %q for task %q was not produced by the pipeline as attested.`
 * Code: `trusted_task.valid_trusted_artifact_inputs`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L97[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L100[Source, window="_blank"]
 
 [#trusted_task__trusted_parameters]
 === link:#trusted_task__trusted_parameters[Trusted parameters]
@@ -2010,7 +2010,7 @@ Confirm certain parameters provided to each builder Task have come from trusted
 * FAILURE message: `The %q parameter of the %q PipelineTask includes an untrusted digest: %s`
 * Code: `trusted_task.trusted_parameters`
 * Effective from: `2021-07-04T00:00:00Z`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L153[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/trusted_task/trusted_task.rego#L156[Source, window="_blank"]
 
 [#rpm_ostree_task_package]
 == link:#rpm_ostree_task_package[rpm-ostree Task]

policy/lib/rule_data.rego

@@ -97,6 +97,8 @@ rule_data_defaults := {
 	# using the ruleData key. Make this default to an empty dict so we can conveniently
 	# merge it with with `data.trusted_tasks`
 	"trusted_tasks": {},
+	# Number of days before a version of the Task expires that warnings are reported
+	"task_expiry_warning_days": 0,
 }
 
 # Returns the "first found" of the following:

policy/lib/tekton/trusted.rego

@@ -21,11 +21,24 @@ missing_trusted_tasks_data if {
 	count(_trusted_tasks) == 0
 }
 
-# Returns a subset of tasks that use a trusted Task reference, but an updated Task reference exists.
-out_of_date_task_refs(tasks) := {task |
-	some task in tasks
-	is_trusted_task(task)
-	_newer_record_exists(task)
+default task_expiry_warnings_after := 0
+
+task_expiry_warnings_after := grace if {
+	grace_period_days := lib_rule_data("task_expiry_warning_days")
+	grace_period_days > 0
+	grace := time.add_date(
+		time_lib.effective_current_time_ns, 0, 0,
+		grace_period_days,
+	)
+}
+
+# Returns the epoch time in nanoseconds of the time when the Task expires, or
+# nothing if Task is not set to expire currently.
+expiry_of(task) := expires if {
+	expires := _task_expires_on(task)
+
+	# only report if the task is expiring within task_expiry_warning_days days
+	expires > task_expiry_warnings_after
 }
 
 # Returns a subset of tasks that do not use a trusted Task reference.
@@ -47,19 +60,16 @@ is_trusted_task(task) if {
 	record.ref == ref.pinned_ref
 }
 
-# Returns true if a newer record exists with a different digest.
-_newer_record_exists(task) if {
+# Returns the date in epoch nanoseconds when the task expires, or nothing if it
+# hasn't expired yet.
+_task_expires_on(task) := expires if {
 	ref := task_ref(task)
 	records := _trusted_tasks[ref.key]
 
-	newest_record := time_lib.newest(records)
-	newest_record.ref != ref.pinned_ref
-
-	# newest record could have the same effective_on as the record for the given
-	# task, in that case we can't claim that the newer record exists
 	some record in records
 	record.ref == ref.pinned_ref
-	newest_record.effective_on != record.effective_on
+
+	expires = time.parse_rfc3339_ns(record.expires_on)
 }
 
 # _trusted_tasks provides a safe way to access the list of trusted tasks. It prevents a policy rule
@@ -126,3 +136,17 @@ data_errors contains error if {
 		"severity": "failure",
 	}
 }
+
+data_errors contains error if {
+	some error in j.validate_schema(
+		{"task_expiry_warning_days": lib_rule_data("task_expiry_warning_days")},
+		{
+			"$schema": "http://json-schema.org/draft-07/schema#",
+			"type": "object",
+			"properties": {"task_expiry_warning_days": {
+				"type": "integer",
+				"minimum": 0,
+			}},
+		},
+	)
+}