Merge pull request #1544 from st3penta/support-slsa-v1

Support for SLSA v1 in slsa_source_version_controlled and slsa_build_build_service

Author: st3penta

policy/release/slsa_build_build_service/slsa_build_build_service.rego

@@ -35,7 +35,7 @@ import data.lib.json as j
 #
 deny contains result if {
 	some att in lib.pipelinerun_attestations
-	not att.statement.predicate.builder.id
+	not _builder_id(att)
 	result := lib.result_helper(rego.metadata.chain(), [])
 }
 
@@ -61,7 +61,7 @@ deny contains result if {
 deny contains result if {
 	allowed_builder_ids := lib.rule_data(_rule_data_key)
 	some att in lib.pipelinerun_attestations
-	builder_id := att.statement.predicate.builder.id
+	builder_id := _builder_id(att)
 	not builder_id in allowed_builder_ids
 	result := lib.result_helper(rego.metadata.chain(), [builder_id])
 }
@@ -103,4 +103,12 @@ _rule_data_errors contains error if {
 	}
 }
 
+_builder_id(att) := builder_id if {
+	# slsa v0.2
+	builder_id := att.statement.predicate.builder.id
+} else := builder_id if {
+	# slsa v1.0
+	builder_id := att.statement.predicate.runDetails.builder.id
+}
+
 _rule_data_key := "allowed_builder_ids"

policy/release/slsa_build_build_service/slsa_build_build_service_test.rego

@@ -7,11 +7,13 @@ import data.slsa_build_build_service
 
 test_all_good if {
 	builder_id := lib.rule_data("allowed_builder_ids")[0]
-	lib.assert_empty(slsa_build_build_service.deny) with input.attestations as [_mock_attestation(builder_id)]
+	lib.assert_empty(slsa_build_build_service.deny) with input.attestations as [_mock_slsa_v02_attestation(builder_id)]
+
+	lib.assert_empty(slsa_build_build_service.deny) with input.attestations as [_mock_slsa_v1_attestation(builder_id)]
 }
 
 test_slsa_builder_id_found if {
-	attestations := [
+	slsa_v02_attestations := [
 		# Missing predicate.builder.id
 		{"statement": {"predicate": {
 			"builder": {},
@@ -21,12 +23,39 @@ test_slsa_builder_id_found if {
 		{"statement": {"predicate": {"buildType": lib.tekton_pipeline_run}}},
 	]
 
+	slsa_v1_attestations := [
+		# Missing predicate.runDetails.builder.id
+		{"statement": {
+			"predicateType": "https://slsa.dev/provenance/v1",
+			"predicate": {
+				"buildDefinition": {
+					"buildType": "https://tekton.dev/chains/v2/slsa",
+					"externalParameters": {"runSpec": {"pipelineSpec": {}}},
+				},
+				"runDetails": {"builder": {}},
+			},
+		}},
+		# Missing predicate.runDetails.builder
+		{"statement": {
+			"predicateType": "https://slsa.dev/provenance/v1",
+			"predicate": {
+				"buildDefinition": {
+					"buildType": "https://tekton.dev/chains/v2/slsa",
+					"externalParameters": {"runSpec": {"pipelineSpec": {}}},
+				},
+				"runDetails": {},
+			},
+		}},
+	]
+
 	expected := {{
 		"code": "slsa_build_build_service.slsa_builder_id_found",
 		"msg": "Builder ID not set in attestation",
 	}}
 
-	lib.assert_equal_results(expected, slsa_build_build_service.deny) with input.attestations as attestations
+	lib.assert_equal_results(expected, slsa_build_build_service.deny) with input.attestations as slsa_v02_attestations
+
+	lib.assert_equal_results(expected, slsa_build_build_service.deny) with input.attestations as slsa_v1_attestations
 }
 
 test_accepted_slsa_builder_id if {
@@ -38,7 +67,12 @@ test_accepted_slsa_builder_id if {
 	lib.assert_equal_results(
 		expected,
 		slsa_build_build_service.deny,
-	) with input.attestations as [_mock_attestation(builder_id)]
+	) with input.attestations as [_mock_slsa_v02_attestation(builder_id)]
+
+	lib.assert_equal_results(
+		expected,
+		slsa_build_build_service.deny,
+	) with input.attestations as [_mock_slsa_v1_attestation(builder_id)]
 }
 
 test_rule_data_format if {
@@ -64,10 +98,21 @@ test_rule_data_format if {
 	}
 
 	lib.assert_equal_results(slsa_build_build_service.deny, expected) with data.rule_data as d
-		with input.attestations as [_mock_attestation("foo")]
+		with input.attestations as [_mock_slsa_v02_attestation("foo")]
 }
 
-_mock_attestation(builder_id) := {"statement": {"predicate": {
+_mock_slsa_v02_attestation(builder_id) := {"statement": {"predicate": {
 	"builder": {"id": builder_id},
 	"buildType": lib.tekton_pipeline_run,
 }}}
+
+_mock_slsa_v1_attestation(builder_id) := {"statement": {
+	"predicateType": "https://slsa.dev/provenance/v1",
+	"predicate": {
+		"buildDefinition": {
+			"buildType": "https://tekton.dev/chains/v2/slsa",
+			"externalParameters": {"runSpec": {"pipelineSpec": {}}},
+		},
+		"runDetails": {"builder": {"id": builder_id}},
+	},
+}}

policy/release/slsa_source_version_controlled/slsa_source_version_controlled.rego

@@ -114,3 +114,10 @@ materials contains material if {
 	material.uri
 	material.digest.sha1
 }
+
+materials contains material if {
+	some attestation in lib.pipelinerun_attestations
+	some material in attestation.statement.predicate.buildDefinition.resolvedDependencies
+	material.uri
+	material.digest.sha1
+}

policy/release/slsa_source_version_controlled/slsa_source_version_controlled_test.rego

@@ -17,7 +17,8 @@ test_all_good if {
 		},
 	]
 
-	lib.assert_empty(slsa_source_version_controlled.deny) with input.attestations as [_mock_attestation(materials)]
+	lib.assert_empty(slsa_source_version_controlled.deny) with input.attestations as [_mock_slsa_v02_attestation(materials)] # regal ignore:line-length
+	lib.assert_empty(slsa_source_version_controlled.deny) with input.attestations as [_mock_slsa_v1_attestation(materials)]
 }
 
 test_non_git_uri if {
@@ -46,7 +47,12 @@ test_non_git_uri if {
 	lib.assert_equal_results(
 		expected,
 		slsa_source_version_controlled.deny,
-	) with input.attestations as [_mock_attestation(materials)]
+	) with input.attestations as [_mock_slsa_v02_attestation(materials)]
+
+	lib.assert_equal_results(
+		expected,
+		slsa_source_version_controlled.deny,
+	) with input.attestations as [_mock_slsa_v1_attestation(materials)]
 }
 
 # regal ignore:rule-length
@@ -87,7 +93,12 @@ test_non_git_commit if {
 	lib.assert_equal_results(
 		expected,
 		slsa_source_version_controlled.deny,
-	) with input.attestations as [_mock_attestation(materials)]
+	) with input.attestations as [_mock_slsa_v02_attestation(materials)]
+
+	lib.assert_equal_results(
+		expected,
+		slsa_source_version_controlled.deny,
+	) with input.attestations as [_mock_slsa_v1_attestation(materials)]
 }
 
 test_invalid_materials if {
@@ -108,10 +119,24 @@ test_invalid_materials if {
 	lib.assert_equal_results(
 		expected,
 		slsa_source_version_controlled.deny,
-	) with input.attestations as [_mock_attestation(materials)]
+	) with input.attestations as [_mock_slsa_v02_attestation(materials)]
+
+	lib.assert_equal_results(
+		expected,
+		slsa_source_version_controlled.deny,
+	) with input.attestations as [_mock_slsa_v1_attestation(materials)]
 }
 
-_mock_attestation(materials) := {"statement": {"predicate": {
+_mock_slsa_v02_attestation(materials) := {"statement": {"predicate": {
 	"buildType": lib.tekton_pipeline_run,
 	"materials": materials,
 }}}
+
+_mock_slsa_v1_attestation(materials) := {"statement": {
+	"predicateType": "https://slsa.dev/provenance/v1",
+	"predicate": {"buildDefinition": {
+		"buildType": "https://tekton.dev/chains/v2/slsa",
+		"externalParameters": {"runSpec": {"pipelineSpec": {}}},
+		"resolvedDependencies": materials,
+	}},
+}}