[TEP-0091] Add mode for VerificationPolicy

This commit adds the mode field into VerificationPolicy. Mode can be set to `enforce` or `warn`. It controls whether a failing policy will fail the taskrun/pipelinerun or only log the warning. When set to `enforce`, the run will fail. When set to `warn`, the run won't fail and only log warning. Signed-off-by: Yongxuan Zhang yongxuanzhang@google.com
tektoncd · Mar 9, 2023 · 64d9d1b · 64d9d1b
1 parent 12f6fbe
commit 64d9d1b
Show file tree

Hide file tree

Showing 4 changed files with 110 additions and 66 deletions.
diff --git a/docs/pipeline-api.md b/docs/pipeline-api.md
@@ -6151,6 +6151,21 @@ Then the ResourcesPattern should be valid regex. E.g. If using gitresolver, and
 <p>Authorities defines the rules for validating signatures.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>mode</code><br/>
+<em>
+<a href="#tekton.dev/v1alpha1.ModeType">
+ModeType
+</a>
+</em>
+</td>
+<td>
+<p>Mode controls whether a failing policy will fail the taskrun/pipelinerun, or only log the warnings
+enforce - fail the taskrun/pipelinerun if verification fails (default)
+warn - don&rsquo;t fail the taskrun/pipelinerun if verification fails but log warnings</p>
+</td>
+</tr>
 </table>
 </td>
 </tr>
@@ -6352,6 +6367,14 @@ HashAlgorithm
 </tr>
 </tbody>
 </table>
+<h3 id="tekton.dev/v1alpha1.ModeType">ModeType
+(<code>string</code> alias)</h3>
+<p>
+(<em>Appears on:</em><a href="#tekton.dev/v1alpha1.VerificationPolicySpec">VerificationPolicySpec</a>)
+</p>
+<div>
+<p>ModeType indicates the type of a mode for VerificationPolicy</p>
+</div>
 <h3 id="tekton.dev/v1alpha1.ResourcePattern">ResourcePattern
 </h3>
 <p>
@@ -6607,6 +6630,21 @@ Then the ResourcesPattern should be valid regex. E.g. If using gitresolver, and
 <p>Authorities defines the rules for validating signatures.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>mode</code><br/>
+<em>
+<a href="#tekton.dev/v1alpha1.ModeType">
+ModeType
+</a>
+</em>
+</td>
+<td>
+<p>Mode controls whether a failing policy will fail the taskrun/pipelinerun, or only log the warnings
+enforce - fail the taskrun/pipelinerun if verification fails (default)
+warn - don&rsquo;t fail the taskrun/pipelinerun if verification fails but log warnings</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="tekton.dev/v1alpha1.RunResult">RunResult
@@ -8658,11 +8696,7 @@ The names of the <code>params</code> must match the names of the <code>params</c
 <h3 id="tekton.dev/v1beta1.Param">Param
 </h3>
 <p>
-<<<<<<< HEAD
-(<em>Appears on:</em><a href="#tekton.dev/v1alpha1.RunSpec">RunSpec</a>, <a href="#tekton.dev/v1beta1.CustomRunSpec">CustomRunSpec</a>, <a href="#tekton.dev/v1beta1.PipelineRunSpec">PipelineRunSpec</a>, <a href="#tekton.dev/v1beta1.ResolverRef">ResolverRef</a>, <a href="#tekton.dev/v1beta1.TaskRunInputs">TaskRunInputs</a>, <a href="#tekton.dev/v1beta1.TaskRunSpec">TaskRunSpec</a>, <a href="#resolution.tekton.dev/v1beta1.ResolutionRequestSpec">ResolutionRequestSpec</a>)
-=======
-(<em>Appears on:</em><a href="#tekton.dev/v1alpha1.RunSpec">RunSpec</a>, <a href="#tekton.dev/v1beta1.CustomRunSpec">CustomRunSpec</a>, <a href="#tekton.dev/v1beta1.Matrix">Matrix</a>, <a href="#tekton.dev/v1beta1.MatrixInclude">MatrixInclude</a>, <a href="#tekton.dev/v1beta1.PipelineRunSpec">PipelineRunSpec</a>, <a href="#tekton.dev/v1beta1.PipelineTask">PipelineTask</a>, <a href="#tekton.dev/v1beta1.ResolverRef">ResolverRef</a>, <a href="#tekton.dev/v1beta1.TaskRunSpec">TaskRunSpec</a>, <a href="#resolution.tekton.dev/v1beta1.ResolutionRequestSpec">ResolutionRequestSpec</a>)
->>>>>>> 88e27b27f (Remove Git, Storage and Generic PipelineResources)
+(<em>Appears on:</em><a href="#tekton.dev/v1alpha1.RunSpec">RunSpec</a>, <a href="#tekton.dev/v1beta1.CustomRunSpec">CustomRunSpec</a>, <a href="#tekton.dev/v1beta1.PipelineRunSpec">PipelineRunSpec</a>, <a href="#tekton.dev/v1beta1.ResolverRef">ResolverRef</a>, <a href="#tekton.dev/v1beta1.TaskRunSpec">TaskRunSpec</a>, <a href="#resolution.tekton.dev/v1beta1.ResolutionRequestSpec">ResolutionRequestSpec</a>)
 </p>
 <div>
 <p>Param declares an ParamValues to use for the parameter called name.</p>
@@ -8863,7 +8897,6 @@ map[string]string
 </tr>
 </tbody>
 </table>
-<<<<<<< HEAD
 <h3 id="tekton.dev/v1beta1.Params">Params
 (<code>[]github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.Param</code> alias)</h3>
 <p>
@@ -8872,66 +8905,6 @@ map[string]string
 <div>
 <p>Params is a list of Param</p>
 </div>
-<h3 id="tekton.dev/v1beta1.PipelineDeclaredResource">PipelineDeclaredResource
-</h3>
-<p>
-(<em>Appears on:</em><a href="#tekton.dev/v1beta1.PipelineSpec">PipelineSpec</a>)
-</p>
-<div>
-<p>PipelineDeclaredResource is used by a Pipeline to declare the types of the
-PipelineResources that it will required to run and names which can be used to
-refer to these PipelineResources in PipelineTaskResourceBindings.</p>
-</div>
-<table>
-<thead>
-<tr>
-<th>Field</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td>
-<code>name</code><br/>
-<em>
-string
-</em>
-</td>
-<td>
-<p>Name is the name that will be used by the Pipeline to refer to this resource.
-It does not directly correspond to the name of any PipelineResources Task
-inputs or outputs, and it does not correspond to the actual names of the
-PipelineResources that will be bound in the PipelineRun.</p>
-</td>
-</tr>
-<tr>
-<td>
-<code>type</code><br/>
-<em>
-string
-</em>
-</td>
-<td>
-<p>Type is the type of the PipelineResource.</p>
-</td>
-</tr>
-<tr>
-<td>
-<code>optional</code><br/>
-<em>
-bool
-</em>
-</td>
-<td>
-<p>Optional declares the resource as optional.
-optional: true - the resource is considered optional
-optional: false - the resource is considered required (default/equivalent of not specifying it)</p>
-</td>
-</tr>
-</tbody>
-</table>
-=======
->>>>>>> 88e27b27f (Remove Git, Storage and Generic PipelineResources)
 <h3 id="tekton.dev/v1beta1.PipelineObject">PipelineObject
 </h3>
 <div>

diff --git a/pkg/apis/pipeline/v1alpha1/verificationpolicy_types.go b/pkg/apis/pipeline/v1alpha1/verificationpolicy_types.go
@@ -62,6 +62,10 @@ type VerificationPolicySpec struct {
 	Resources []ResourcePattern `json:"resources"`
 	// Authorities defines the rules for validating signatures.
 	Authorities []Authority `json:"authorities"`
+	// Mode controls whether a failing policy will fail the taskrun/pipelinerun, or only log the warnings
+	// enforce - fail the taskrun/pipelinerun if verification fails (default)
+	// warn - don't fail the taskrun/pipelinerun if verification fails but log warnings
+	Mode ModeType `json:"mode,omitempty"`
 }
 
 // ResourcePattern defines the pattern of the resource source
@@ -82,6 +86,15 @@ type Authority struct {
 	Key *KeyRef `json:"key,omitempty"`
 }
 
+// ModeType indicates the type of a mode for VerificationPolicy
+type ModeType string
+
+// Valid ModeType:
+const (
+	ModeWarn    ModeType = "warn"
+	ModeEnforce ModeType = "enforce"
+)
+
 // KeyRef defines the reference to a public key
 type KeyRef struct {
 	// SecretRef sets a reference to a secret with the key.

diff --git a/pkg/apis/pipeline/v1alpha1/verificationpolicy_validation.go b/pkg/apis/pipeline/v1alpha1/verificationpolicy_validation.go
@@ -55,6 +55,13 @@ func (vs *VerificationPolicySpec) Validate(ctx context.Context) (errs *apis.Fiel
 			errs = errs.Also(a.Key.Validate(ctx).ViaFieldIndex("key", i))
 		}
 	}
+	if vs.Mode == "" {
+		errs = errs.Also(apis.ErrMissingField("mode"))
+	} else {
+		if vs.Mode != ModeEnforce && vs.Mode != ModeWarn {
+			errs = errs.Also(apis.ErrInvalidValue(vs.Mode, "mode"))
+		}
+	}
 	return errs
 }
 

diff --git a/pkg/apis/pipeline/v1alpha1/verificationpolicy_validation_test.go b/pkg/apis/pipeline/v1alpha1/verificationpolicy_validation_test.go
@@ -46,6 +46,7 @@ func TestVerificationPolicy_Invalid(t *testing.T) {
 						},
 					},
 				},
+				Mode: v1alpha1.ModeEnforce,
 			},
 		},
 		want: apis.ErrMissingField("resources"),
@@ -65,6 +66,7 @@ func TestVerificationPolicy_Invalid(t *testing.T) {
 						},
 					},
 				},
+				Mode: v1alpha1.ModeEnforce,
 			},
 		},
 		want: apis.ErrInvalidValue("^[", "ResourcePattern", fmt.Sprintf("%v: error parsing regexp: missing closing ]: `[`", v1alpha1.InvalidResourcePatternErr)),
@@ -76,9 +78,49 @@ func TestVerificationPolicy_Invalid(t *testing.T) {
 			},
 			Spec: v1alpha1.VerificationPolicySpec{
 				Resources: []v1alpha1.ResourcePattern{{".*"}},
+				Mode:      v1alpha1.ModeEnforce,
 			},
 		},
 		want: apis.ErrMissingField("authorities"),
+	}, {
+		name: "missing Mode",
+		verificationPolicy: &v1alpha1.VerificationPolicy{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "vp",
+			},
+			Spec: v1alpha1.VerificationPolicySpec{
+				Resources: []v1alpha1.ResourcePattern{{".*"}},
+				Authorities: []v1alpha1.Authority{
+					{
+						Name: "foo",
+						Key: &v1alpha1.KeyRef{
+							Data: "inlinekey",
+						},
+					},
+				},
+			},
+		},
+		want: apis.ErrMissingField("mode"),
+	}, {
+		name: "missing Mode",
+		verificationPolicy: &v1alpha1.VerificationPolicy{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "vp",
+			},
+			Spec: v1alpha1.VerificationPolicySpec{
+				Resources: []v1alpha1.ResourcePattern{{".*"}},
+				Authorities: []v1alpha1.Authority{
+					{
+						Name: "foo",
+						Key: &v1alpha1.KeyRef{
+							Data: "inlinekey",
+						},
+					},
+				},
+				Mode: "wrongMode",
+			},
+		},
+		want: apis.ErrInvalidValue("wrongMode", "mode"),
 	}, {
 		name: "missing Authority key",
 		verificationPolicy: &v1alpha1.VerificationPolicy{
@@ -93,6 +135,7 @@ func TestVerificationPolicy_Invalid(t *testing.T) {
 						Key:  &v1alpha1.KeyRef{},
 					},
 				},
+				Mode: v1alpha1.ModeEnforce,
 			},
 		},
 		want: apis.ErrMissingOneOf("data", "kms", "secretref").ViaFieldIndex("key", 0),
@@ -115,6 +158,7 @@ func TestVerificationPolicy_Invalid(t *testing.T) {
 						},
 					},
 				},
+				Mode: v1alpha1.ModeEnforce,
 			},
 		},
 		want: apis.ErrMultipleOneOf("data", "kms", "secretref").ViaFieldIndex("key", 0),
@@ -135,6 +179,7 @@ func TestVerificationPolicy_Invalid(t *testing.T) {
 						},
 					},
 				},
+				Mode: v1alpha1.ModeEnforce,
 			},
 		},
 		want: apis.ErrMultipleOneOf("data", "kms", "secretref").ViaFieldIndex("key", 0),
@@ -158,6 +203,7 @@ func TestVerificationPolicy_Invalid(t *testing.T) {
 						},
 					},
 				},
+				Mode: v1alpha1.ModeEnforce,
 			},
 		},
 		want: apis.ErrMultipleOneOf("data", "kms", "secretref").ViaFieldIndex("key", 0),
@@ -182,6 +228,7 @@ func TestVerificationPolicy_Invalid(t *testing.T) {
 						},
 					},
 				},
+				Mode: v1alpha1.ModeEnforce,
 			},
 		},
 		want: apis.ErrMultipleOneOf("data", "kms", "secretref").ViaFieldIndex("key", 0),
@@ -202,6 +249,7 @@ func TestVerificationPolicy_Invalid(t *testing.T) {
 						},
 					},
 				},
+				Mode: v1alpha1.ModeEnforce,
 			},
 		},
 		want: apis.ErrInvalidValue("sha1", "HashAlgorithm").ViaFieldIndex("key", 0),
@@ -238,6 +286,7 @@ func TestVerificationPolicy_Valid(t *testing.T) {
 							},
 						},
 					},
+					Mode: v1alpha1.ModeEnforce,
 				},
 			},
 		}, {
@@ -259,6 +308,7 @@ func TestVerificationPolicy_Valid(t *testing.T) {
 							},
 						},
 					},
+					Mode: v1alpha1.ModeEnforce,
 				},
 			},
 		}, {
@@ -277,6 +327,7 @@ func TestVerificationPolicy_Valid(t *testing.T) {
 							},
 						},
 					},
+					Mode: v1alpha1.ModeEnforce,
 				},
 			},
 		}}