use protection / serviceAccount in deploy policy
Signed-off-by: laurentsimon <[email protected]>
laurentsimon committed Mar 27, 2024
1 parent 458e281 commit 107809a
Showing 2 changed files with 41 additions and 41 deletions.
32 changes: 16 additions & 16 deletions pkg/deployment/internal/project/project.go
Expand Up @@ -31,14 +31,14 @@ type Package struct {
Environment Environment `json:"environment"`
}

type Principal struct {
URI string `json:"uri"`
type Protection struct {
ServiceAccount string `json:"service_account"`
}

// Policy defines the policy.
type Policy struct {
Format int `json:"format"`
Principal Principal `json:"principal"`
Protection Protection `json:"protection"`
Packages []Package `json:"packages"`
BuildRequirements BuildRequirements `json:"build"`
validator options.PolicyValidator `json:"-"`
Expand Down Expand Up @@ -70,7 +70,7 @@ func (p *Policy) validate(maxBuildLevel int) error {
if err := p.validateFormat(); err != nil {
return err
}
if err := p.validatePrincipal(); err != nil {
if err := p.validateProtection(); err != nil {
return err
}
if err := p.validatePackages(); err != nil {
Expand All @@ -90,9 +90,9 @@ func (p *Policy) validateFormat() error {
return nil
}

func (p *Policy) validatePrincipal() error {
if p.Principal.URI == "" {
return fmt.Errorf("[project] %w: empty principal name", errs.ErrorInvalidField)
func (p *Policy) validateProtection() error {
if p.Protection.ServiceAccount == "" {
return fmt.Errorf("[project] %w: empty protection service_account", errs.ErrorInvalidField)
}
return nil
}
Expand Down Expand Up @@ -161,7 +161,7 @@ func (p *Policy) validateBuildRequirements(maxBuildLevel int) error {
// FromReaders creates a set of policies indexed by their unique id.
func FromReaders(readers iterator.NamedReadCloserIterator, orgPolicy organization.Policy, validator options.PolicyValidator) (map[string]Policy, error) {
policies := make(map[string]Policy)
principals := make(map[string]bool)
protections := make(map[string]bool)
for readers.HasNext() {
id, reader := readers.Next()
// NOTE: fromReader()validates that the required levels is achievable.
Expand All @@ -175,12 +175,12 @@ func FromReaders(readers iterator.NamedReadCloserIterator, orgPolicy organizatio
}
policies[id] = *policy

// The principal must be unique across all projects.
name := policy.Principal.URI
if _, exists := principals[name]; exists {
return nil, fmt.Errorf("[project] %w: principal's name (%q) is defined more than once", errs.ErrorInvalidField, name)
// The protection must be unique across all projects.
name := policy.Protection.ServiceAccount
if _, exists := protections[name]; exists {
return nil, fmt.Errorf("[project] %w: protection's serivce_account (%q) is defined more than once", errs.ErrorInvalidField, name)
}
principals[name] = true
protections[name] = true
}
//TODO: add test for this.
if readers.Error() != nil {
Expand All @@ -191,7 +191,7 @@ func FromReaders(readers iterator.NamedReadCloserIterator, orgPolicy organizatio

// Evaluate evaluates a policy.
func (p *Policy) Evaluate(digests intoto.DigestSet, packageName string,
orgPolicy organization.Policy, releaseOpts options.ReleaseVerification) (*Principal, error) {
orgPolicy organization.Policy, releaseOpts options.ReleaseVerification) (*Protection, error) {
if releaseOpts.Verifier == nil {
return nil, fmt.Errorf("[project] %w: verifier is empty", errs.ErrorInvalidInput)
}
Expand All @@ -200,7 +200,7 @@ func (p *Policy) Evaluate(digests intoto.DigestSet, packageName string,
if err := digests.Validate(); err != nil {
return nil, err
}
// Get the package for principal Name.
// Get the package for protection Name.
pkg, err := p.getPackage(packageName)
if err != nil {
return nil, err
Expand Down Expand Up @@ -236,7 +236,7 @@ func (p *Policy) Evaluate(digests intoto.DigestSet, packageName string,
return nil, err
}
// The target Name of the policy.
cpy := p.Principal
cpy := p.Protection
return &cpy, nil
}
return nil, fmt.Errorf("[project] %w: cannot verify: %v", errs.ErrorVerification, allErrs)
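Review bot: The new duplicate-check error in FromReaders misspells the field name: `protection's serivce_account (%q) is defined more than once` should be `protection's service_account (%q) is defined more than once`, so it matches the `json:"service_account"` tag on Protection and the wording used by validateProtection. Operators grep for these strings when a deployment policy is rejected, and the "same protection name" case in Test_FromReaders only compares the error against errs.ErrorInvalidField with cmpopts.EquateErrors, so the typo would not be caught by the tests in this commit. validateProtection accepts any non-empty ServiceAccount and the uniqueness check compares the raw string, so what identity format is expected is not stated anywhere in the hunk; a doc comment on the Protection struct such as `// Protection names the service account a deployment policy is bound to; it must be non-empty and unique across all project policies.` would make the contract visible, and a format check could follow if a specific identity form is required. The bodies of FromReaders and Evaluate start and end outside the hunks shown.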
50 changes: 25 additions & 25 deletions pkg/deployment/internal/project/project_test.go
Expand Up @@ -53,7 +53,7 @@ func Test_validateFormat(t *testing.T) {
}
}

func Test_validatePrincipal(t *testing.T) {
func Test_validateProtection(t *testing.T) {
t.Parallel()

tests := []struct {
Expand All @@ -62,15 +62,15 @@ func Test_validatePrincipal(t *testing.T) {
expected error
}{
{
name: "uri present",
name: "service_account present",
policy: Policy{
Principal: Principal{
URI: "the_uri",
Protection: Protection{
ServiceAccount: "the_sa",
},
},
},
{
name: "uri not present",
name: "service_account not present",
policy: Policy{},
expected: errs.ErrorInvalidField,
},
Expand All @@ -79,7 +79,7 @@ func Test_validatePrincipal(t *testing.T) {
tt := tt // Re-initializing variable so it is not changed while executing the closure below
t.Run(tt.name, func(t *testing.T) {
t.Parallel()
err := tt.policy.validatePrincipal()
err := tt.policy.validateProtection()
if diff := cmp.Diff(tt.expected, err, cmpopts.EquateErrors()); diff != "" {
t.Fatalf("unexpected err (-want +got): \n%s", diff)
}
Expand Down Expand Up @@ -461,8 +461,8 @@ func Test_Evaluate(t *testing.T) {
},
}
project := Policy{
Principal: Principal{
URI: "principal_name",
Protection: Protection{
ServiceAccount: "protection_name",
},
BuildRequirements: BuildRequirements{
RequireSlsaLevel: common.AsPointer(2),
Expand Down Expand Up @@ -635,14 +635,14 @@ func Test_Evaluate(t *testing.T) {
opts := options.ReleaseVerification{
Verifier: verifier,
}
principal, err := tt.policy.Evaluate(tt.digests, tt.packageName, tt.org, opts)
protection, err := tt.policy.Evaluate(tt.digests, tt.packageName, tt.org, opts)
if diff := cmp.Diff(tt.expected, err, cmpopts.EquateErrors()); diff != "" {
t.Fatalf("unexpected err (-want +got): \n%s", diff)
}
if err != nil {
return
}
if diff := cmp.Diff(*principal, project.Principal); diff != "" {
if diff := cmp.Diff(*protection, project.Protection); diff != "" {
t.Fatalf("unexpected err (-want +got): \n%s", diff)
}
})
Expand All @@ -665,8 +665,8 @@ func Test_FromReaders(t *testing.T) {
policies: []Policy{
{
Format: 1,
Principal: Principal{
URI: "principal_name",
Protection: Protection{
ServiceAccount: "protection_name",
},
Packages: []Package{
{
Expand All @@ -682,8 +682,8 @@ func Test_FromReaders(t *testing.T) {
},
{
Format: 1,
Principal: Principal{
URI: "principal_name2",
Protection: Protection{
ServiceAccount: "protection_name2",
},
Packages: []Package{
{
Expand All @@ -700,14 +700,14 @@ func Test_FromReaders(t *testing.T) {
},
},
{
name: "same principal name",
name: "same protection name",
expected: errs.ErrorInvalidField,
maxBuildLevel: 3,
policies: []Policy{
{
Format: 1,
Principal: Principal{
URI: "principal_name",
Protection: Protection{
ServiceAccount: "protection_name",
},
Packages: []Package{
{
Expand All @@ -723,8 +723,8 @@ func Test_FromReaders(t *testing.T) {
},
{
Format: 1,
Principal: Principal{
URI: "principal_name",
Protection: Protection{
ServiceAccount: "protection_name",
},
Packages: []Package{
{
Expand All @@ -748,8 +748,8 @@ func Test_FromReaders(t *testing.T) {
policies: []Policy{
{
Format: 1,
Principal: Principal{
URI: "principal_name",
Protection: Protection{
ServiceAccount: "protection_name",
},
Packages: []Package{
{
Expand All @@ -765,8 +765,8 @@ func Test_FromReaders(t *testing.T) {
},
{
Format: 1,
Principal: Principal{
URI: "principal_name2",
Protection: Protection{
ServiceAccount: "protection_name2",
},
Packages: []Package{
{
Expand All @@ -790,8 +790,8 @@ func Test_FromReaders(t *testing.T) {
policies: []Policy{
{
Format: 1,
Principal: Principal{
URI: "principal_name",
Protection: Protection{
ServiceAccount: "protection_name",
},
Packages: []Package{
{
