feat: allow to define params in rule type and enforce them (#669)

* feat: allow to define params in rule type and enforce them Closes: #660 * add fixes when merging different entities in policy * validate params in another method * fixes from review * using sets for params
mindersec · Aug 14, 2023 · 5b46519 · 5b46519
1 parent 4f14459
commit 5b46519
Show file tree

Hide file tree

Showing 19 changed files with 1,327 additions and 916 deletions.
diff --git a/cmd/cli/app/policy/policy_create.go b/cmd/cli/app/policy/policy_create.go
@@ -76,7 +76,7 @@ within a mediator control plane.`,
 		ctx, cancel := util.GetAppContext()
 		defer cancel()
 
-		p, err := engine.ReadYAMLPolicyFromReader(preader)
+		p, err := engine.ParseYAML(preader)
 		if err != nil {
 			return fmt.Errorf("error reading fragment from file: %w", err)
 		}

diff --git a/database/migrations/000001_init.up.sql b/database/migrations/000001_init.up.sql
@@ -144,6 +144,7 @@ CREATE TABLE rule_type (
     provider TEXT NOT NULL,
     group_id INTEGER NOT NULL REFERENCES groups(id) ON DELETE CASCADE,
     definition JSONB NOT NULL,
+    params JSONB NOT NULL,
     created_at TIMESTAMP NOT NULL DEFAULT NOW(),
     updated_at TIMESTAMP NOT NULL DEFAULT NOW()
 );

diff --git a/database/query/rule_types.sql b/database/query/rule_types.sql
@@ -3,7 +3,8 @@ INSERT INTO rule_type (
     name,
     provider,
     group_id,
-    definition) VALUES ($1, $2, $3, sqlc.arg(definition)::jsonb) RETURNING *;
+    definition,
+    params) VALUES ($1, $2, $3, sqlc.arg(definition)::jsonb, sqlc.arg(params)::jsonb) RETURNING *;
 
 -- name: ListRuleTypesByProviderAndGroup :many
 SELECT * FROM rule_type WHERE provider = $1 AND group_id = $2;
@@ -18,4 +19,4 @@ SELECT * FROM rule_type WHERE provider = $1 AND group_id = $2 AND name = $3;
 DELETE FROM rule_type WHERE id = $1;
 
 -- name: UpdateRuleType :exec
-UPDATE rule_type SET definition = sqlc.arg(definition)::jsonb WHERE id = $1;
+UPDATE rule_type SET definition = sqlc.arg(definition)::jsonb, params = sqlc.arg(params)::jsonb WHERE id = $1;
diff --git a/docs/docs/protodocs/proto.md b/docs/docs/protodocs/proto.md
diff --git a/examples/github/policies/policy.yaml b/examples/github/policies/policy.yaml
@@ -31,9 +31,17 @@ repository:
         def:
           enabled: true
           allowed_actions: selected
+artifact:
+  - context: github
+    rules:
       - type: artifact_signature
+        params:
+          tag: main
+          artifactName: test
         def:
           is_signed: true
+          is_verified: true
+          is_bundle_verified: true
 # build_environment:
 #   - rules:  # Not specifying a context takes the default context
 #       - type: no_org_wide_github_action_permissions

diff --git a/examples/github/policies/policy_artifact.yaml b/examples/github/policies/policy_artifact.yaml
@@ -12,6 +12,7 @@ artifact:
       - type: artifact_signature
         params:
           tag: main
+          artifactName: test
         def:
           is_signed: true
           is_verified: true

diff --git a/examples/github/rule-types/artifact_signature.yaml b/examples/github/rule-types/artifact_signature.yaml
@@ -6,6 +6,14 @@ name: artifact_signature
 context:
   provider: github
   group: Root Group
+params:
+  entries:
+    - name: artifactName
+      type: string
+      description: "The name of the artifact to check."
+    - name: tag
+      type: string
+      description: "The tag of the artifact to check."
 def:
   # Defines the section of the pipeline the rule will appear in.
   # This will affect the template that is used to render multiple parts
@@ -30,7 +38,7 @@ def:
       # method will be called using reflection, and will accept a generic json payload
       # it will also return a generic json payload
       method: ValidateSignature
-    key-type: jq
+    key_type: jq
     data:
       # This key is meant to denote where the info will be
       # persisted in the aspect itself.

diff --git a/examples/github/rule-types/branch_protection.yaml b/examples/github/rule-types/branch_protection.yaml
@@ -6,6 +6,11 @@ name: branch_protection
 context:
   provider: github
   group: Root Group
+params:
+  entries:
+    - name: branch
+      type: string
+      description: "The name of the branch to check."
 def:
   # Defines the section of the pipeline the rule will appear in.
   # This will affect the template that is used to render multiple parts

diff --git a/internal/engine/executor.go b/internal/engine/executor.go
@@ -170,7 +170,7 @@ func (e *Executor) handleReposInitEvent(ctx context.Context, prov string, evt *I
 				UpdatedAt:  timestamppb.New(dbrepo.UpdatedAt),
 			}
 
-			// Let's evaluate all the rules for this policy
+			// Let's evaluate all the repo rules for this policy
 			err = TraverseRules(relevant, func(rule *pb.PipelinePolicy_Rule) error {
 				rt, rte, err := e.getEvaluator(ctx, *pol.Id, prov, cli, "", ectx, rule)
 				if err != nil {
@@ -336,6 +336,7 @@ func (e *Executor) handleArtifactPublishedEvent(ctx context.Context, prov string
 			if err != nil {
 				return err
 			}
+
 			result := rte.Eval(ctx, artifact, rule.Def.AsMap(), rule.Params.AsMap())
 			return e.createOrUpdateRepositoryEvalStatus(ctx, *pol.Id, dbrepo.ID, *rt.Id, result)
 		})