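# Gatekeeper ConstraintTemplate: admit a Pod only when every image it runs
# carries SLSA v1 provenance signed through GitHub Actions by a trusted org,
# as reported by the artifact-attestations external data provider.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sexternaldatafromorg
spec:
  crd:
    spec:
      names:
        kind: K8sExternalDataFromOrg
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sexternaldata

        # External data provider that resolves an image reference to its
        # attestations. Only the fields read below are relied upon.
        provider := "artifact-attestations-opa-provider"

        # GitHub organisations whose provenance is trusted (placeholders).
        trusted_orgs := ["your-org-1", "your-org-2"]

        slsa_provenance_v1 := "https://slsa.dev/provenance/v1"
        github_actions_issuer := "https://token.actions.githubusercontent.com"

        # Every image the Pod can execute. Init and ephemeral containers run
        # workloads too, so omitting them would let unattested images through.
        container_images[img] { img := input.review.object.spec.containers[_].image }
        container_images[img] { img := input.review.object.spec.initContainers[_].image }
        container_images[img] { img := input.review.object.spec.ephemeralContainers[_].image }

        # Deduplicated list of image keys sent to the provider.
        images := [img | img := container_images[_]]

        # One provider lookup shared by all violation rules. The response is a
        # Gatekeeper external_data object: responses is a list of [key, value]
        # pairs, errors a list of [key, error] pairs, system_error a string.
        response := external_data({"provider": provider, "keys": images})

        # Fail closed when the provider reports any error.
        violation[{"msg": msg}] {
          provider_error(response)
          msg := sprintf("invalid response: %v", [response])
        }

        # Fail closed when an image is missing from the provider's answer;
        # otherwise a silently dropped key would be admitted unchecked.
        violation[{"msg": msg}] {
          img := images[_]
          not has_response(img)
          msg := sprintf("no attestation response for image %v", [img])
        }

        # Every image is checked on its own: one attested image must not vouch
        # for the other images in the same Pod.
        violation[{"msg": msg}] {
          some i
          img := response.responses[i][0]
          not from_org(response.responses[i][1], trusted_orgs)
          msg := sprintf("image %v has no SLSA v1 provenance issued by GitHub Actions for a trusted org %v", [img, trusted_orgs])
        }

        provider_error(r) {
          count(r.errors) > 0
        }

        provider_error(r) {
          count(r.system_error) > 0
        }

        has_response(img) {
          response.responses[_][0] == img
        }

        # Holds when at least one attestation for a single image is a SLSA v1
        # provenance statement whose signing certificate was issued by the
        # GitHub Actions OIDC issuer for a repository owned by one of `orgs`.
        from_org(attestations, orgs) {
          some k, l
          att := attestations[k]
          att.statement.predicateType == slsa_provenance_v1
          att.signature.certificate.issuer == github_actions_issuer
          owner_uri := att.signature.certificate.sourceRepositoryOwnerURI
          # Prefix the org name with / so "my-org" does not match "not-my-org".
          endswith(owner_uri, concat("", ["/", orgs[l]]))
        }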