Skip to content

feat(contract): reject attestation level policies in materials #2484

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(contract): reject attestation level policies in materials #2484

wants to merge 1 commit into from
+130 −2

Conversation

@Piskoo
Copy link
Collaborator

@Piskoo Piskoo commented Oct 27, 2025
edited
Loading

This PR adds validation to contract creation and update, that prevents assigning policies that contain execution path for kind ATTESTATION on material level.

Example:

For sbom-present policy

apiVersion: workflowcontract.chainloop.dev/v1
kind: Policy
metadata:
  name: sbom-present
  description: desc
spec:
  policies:
    - kind: ATTESTATION
      path: sbom-present.rego

Valid contract

schema_version: v1
policies:
  attestation:
    - ref: sbom-present

Passes, the contract is created/updated

Invalid contract

schema_version: v1
policies:
  materials:
    - ref: sbom-present

Returns

ERR validation error: attestation policy "sbom-present" cannot be attached to materials
exit status 1

Already existing contracts are unaffected, invalid contract will also fail if raw contract is given during att init in --contract flag.

@Piskoo
add-material-kind-policy-validation
5d5ddaa 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo Piskoo marked this pull request as ready for review October 27, 2025 13:31
migmartri
migmartri reviewed Oct 27, 2025
View reviewed changes
app/controlplane/pkg/biz/workflowcontract.go

// Check if any policy has kind ATTESTATION - this is not allowed for material-level policies
for _, policySpec := range policies {
if policySpec.GetKind() == schemav1.CraftingSchema_Material_ATTESTATION {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we need to review this because we support providing ATTESTATION as material type. But maybe the key here is to make sure it's not the only option. cc/ @jiparis

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ATTESTATION policies can be designed to run against an attestation material, or against the attestation itself (or both), but I don't think we have enough information at this point to know it, even if it's the only execution path.

In my opinion, we have two options:

  • change the semantics so that ATTESTATION materials are not allowed anymore (what this PR is implementing).
  • or some kind of metadata in the policy that allow policy authors to specify how the policy should be run.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could also "double check" if the users' intention was to apply attestation policy to a material, to do that we could require a selector

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@migmartri migmartri migmartri left review comments

@jiparis jiparis Awaiting requested review from jiparis

@javirln javirln Awaiting requested review from javirln

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Piskoo @migmartri @jiparis