Skip to content

feat(contract): reject attestation level policies in materials#2484

Draft
Piskoo wants to merge 1 commit intochainloop-dev:mainfrom
Piskoo:add-material-kind-policy-validation
Draft

feat(contract): reject attestation level policies in materials#2484
Piskoo wants to merge 1 commit intochainloop-dev:mainfrom
Piskoo:add-material-kind-policy-validation

Conversation

@Piskoo
Copy link
Collaborator

@Piskoo Piskoo commented Oct 27, 2025
edited
Loading

This PR adds validation to contract creation and update, that prevents assigning policies that contain execution path for kind ATTESTATION on material level.

Example:

For sbom-present policy

apiVersion: workflowcontract.chainloop.dev/v1
kind: Policy
metadata:
  name: sbom-present
  description: desc
spec:
  policies:
    - kind: ATTESTATION
      path: sbom-present.rego

Valid contract

schema_version: v1
policies:
  attestation:
    - ref: sbom-present

Passes, the contract is created/updated

Invalid contract

schema_version: v1
policies:
  materials:
    - ref: sbom-present

Returns

ERR validation error: attestation policy "sbom-present" cannot be attached to materials
exit status 1

Already existing contracts are unaffected, invalid contract will also fail if raw contract is given during att init in --contract flag.

@Piskoo
add-material-kind-policy-validation
5d5ddaa 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo Piskoo marked this pull request as ready for review October 27, 2025 13:31
migmartri
migmartri reviewed Oct 27, 2025
View reviewed changes
app/controlplane/pkg/biz/workflowcontract.go

// Check if any policy has kind ATTESTATION - this is not allowed for material-level policies
for _, policySpec := range policies {
if policySpec.GetKind() == schemav1.CraftingSchema_Material_ATTESTATION {
Copy link
Member

@migmartri migmartri Oct 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we need to review this because we support providing ATTESTATION as material type. But maybe the key here is to make sure it's not the only option. cc/ @jiparis

Copy link
Member

@jiparis jiparis Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ATTESTATION policies can be designed to run against an attestation material, or against the attestation itself (or both), but I don't think we have enough information at this point to know it, even if it's the only execution path.

In my opinion, we have two options:

  • change the semantics so that ATTESTATION materials are not allowed anymore (what this PR is implementing).
  • or some kind of metadata in the policy that allow policy authors to specify how the policy should be run.

Copy link
Collaborator Author

@Piskoo Piskoo Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could also "double check" if the users' intention was to apply attestation policy to a material, to do that we could require a selector

Copy link
Member

@migmartri migmartri Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What policies do we have that use an attestation as the material?

@Piskoo Piskoo marked this pull request as draft November 10, 2025 08:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@migmartri migmartri migmartri left review comments

@jiparis jiparis Awaiting requested review from jiparis

@javirln javirln Awaiting requested review from javirln

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Piskoo @migmartri @jiparis