Merge pull request #3077 from joejstuart/volatile-poc

joejstuart · web-flow · commit f4b357be8fbf · 2026-01-29T10:29:32.000-06:00
add policy spec and component name to Rego input
diff --git a/acceptance/examples/volatile_config_warnings.rego b/acceptance/examples/volatile_config_warnings.rego
@@ -0,0 +1,67 @@
+# Policy to validate volatile config schema contract between ec-cli and ec-policies.
+# This serves as an integration test to ensure the input schema is correctly populated.
+# The warning patterns here align with policy/release/volatile_config/volatile_config.rego
+package main
+
+import rego.v1
+
+# Warn for volatile rules pending activation (effectiveOn in future)
+warn contains result if {
+	some source in input.policy_spec.sources
+	some config in source.volatileConfig.exclude
+	config.effectiveOn
+	_is_future_date(config.effectiveOn)
+	result := {
+		"msg": sprintf("Volatile exclude rule '%s' is pending activation (effective on: %s)", [config.value, config.effectiveOn]),
+	}
+}
+
+# Warn for volatile rules that will expire (effectiveUntil in future)
+warn contains result if {
+	some source in input.policy_spec.sources
+	some config in source.volatileConfig.exclude
+	config.effectiveUntil
+	not _is_past_date(config.effectiveUntil)
+	result := {
+		"msg": sprintf("Volatile exclude rule '%s' will expire (effective until: %s)", [config.value, config.effectiveUntil]),
+	}
+}
+
+# Warn for volatile rules with no expiration date
+warn contains result if {
+	some source in input.policy_spec.sources
+	some config in source.volatileConfig.exclude
+	not config.effectiveUntil
+	not config.effectiveOn
+	result := {
+		"msg": sprintf("Volatile exclude rule '%s' has no expiration date set", [config.value]),
+	}
+}
+
+# Warn for volatile rules scoped to component names (proves componentNames is accessible)
+warn contains result if {
+	some source in input.policy_spec.sources
+	some config in source.volatileConfig.exclude
+	count(config.componentNames) > 0
+	some name in config.componentNames
+	name == input.component_name
+	result := {
+		"msg": sprintf("Volatile exclude rule '%s' is scoped to component '%s'", [config.value, input.component_name]),
+	}
+}
+
+# Helper to check if date is in the future
+_is_future_date(date_str) if {
+	date_str != ""
+	date_ns := time.parse_rfc3339_ns(date_str)
+	now_ns := time.now_ns()
+	date_ns > now_ns
+}
+
+# Helper to check if date is in the past
+_is_past_date(date_str) if {
+	date_str != ""
+	date_ns := time.parse_rfc3339_ns(date_str)
+	now_ns := time.now_ns()
+	date_ns < now_ns
+}
diff --git a/features/__snapshots__/validate_image.snap b/features/__snapshots__/validate_image.snap
@@ -2784,6 +2784,18 @@ ${__________known_PUBLIC_KEY}
       }
     ],
     "artifacts": {}
+  },
+  "component_name": "Unnamed",
+  "policy_spec": {
+    "sources": [
+      {
+        "policy": [
+          "git::${GITHOST}/git/policy-input-output-policy.git?ref=${LATEST_COMMIT}"
+        ]
+      }
+    ],
+    "rekorUrl": "${REKOR}",
+    "publicKey": "${known_PUBLIC_KEY}"
   }
 }
 ---
@@ -3147,6 +3159,17 @@ Error: success criteria not met
       }
     ],
     "artifacts": {}
+  },
+  "component_name": "Unnamed",
+  "policy_spec": {
+    "sources": [
+      {
+        "policy": [
+          "git::${GITHOST}/git/olm-manifests.git?ref=${LATEST_COMMIT}"
+        ]
+      }
+    ],
+    "publicKey": "${known_PUBLIC_KEY}"
   }
 }
 ---
@@ -5351,3 +5374,92 @@ Error: success criteria not met
 [SLSA v1 attestation support:stderr - 1]
 
 ---
+
+[volatile config warnings schema contract:stdout - 1]
+{
+  "success": true,
+  "components": [
+    {
+      "name": "Unnamed",
+      "containerImage": "${REGISTRY}/acceptance/volatile-config-test@sha256:${REGISTRY_acceptance/volatile-config-test:latest_DIGEST}",
+      "source": {},
+      "warnings": [
+        {
+          "msg": "Volatile exclude rule 'test.component_scoped_rule' has no expiration date set"
+        },
+        {
+          "msg": "Volatile exclude rule 'test.component_scoped_rule' is scoped to component 'Unnamed'"
+        },
+        {
+          "msg": "Volatile exclude rule 'test.rule_expiring_soon' will expire (effective until: ${TIMESTAMP})"
+        },
+        {
+          "msg": "Volatile exclude rule 'test.rule_pending_activation' is pending activation (effective on: ${TIMESTAMP})"
+        },
+        {
+          "msg": "Volatile exclude rule 'test.rule_with_no_expiration' has no expiration date set"
+        }
+      ],
+      "success": true,
+      "signatures": [
+        {
+          "keyid": "",
+          "sig": "${IMAGE_SIGNATURE_acceptance/volatile-config-test}"
+        }
+      ],
+      "attestations": [
+        {
+          "type": "https://in-toto.io/Statement/v0.1",
+          "predicateType": "https://slsa.dev/provenance/v0.2",
+          "predicateBuildType": "https://tekton.dev/attestations/chains/pipelinerun@v2",
+          "signatures": [
+            {
+              "keyid": "",
+              "sig": "${ATTESTATION_SIGNATURE_acceptance/volatile-config-test}"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "key": "${known_PUBLIC_KEY_JSON}",
+  "policy": {
+    "sources": [
+      {
+        "name": "volatile-test-source",
+        "policy": [
+          "git::${GITHOST}/git/volatile-config-policy.git?ref=${LATEST_COMMIT}"
+        ],
+        "volatileConfig": {
+          "exclude": [
+            {
+              "value": "test.rule_with_no_expiration"
+            },
+            {
+              "value": "test.rule_expiring_soon",
+              "effectiveUntil": "${TIMESTAMP}"
+            },
+            {
+              "value": "test.rule_pending_activation",
+              "effectiveOn": "${TIMESTAMP}"
+            },
+            {
+              "value": "test.component_scoped_rule",
+              "componentNames": [
+                "Unnamed"
+              ]
+            }
+          ]
+        }
+      }
+    ],
+    "publicKey": "${known_PUBLIC_KEY}"
+  },
+  "ec-version": "${EC_VERSION}",
+  "effective-time": "${TIMESTAMP}"
+}
+---
+
+[volatile config warnings schema contract:stderr - 1]
+
+---
diff --git a/features/validate_image.feature b/features/validate_image.feature
@@ -958,6 +958,49 @@ Feature: evaluate enterprise contract
      And the output should match the snapshot
      And the "${TMPDIR}/input.json" file should match the snapshot
 
+  Scenario: volatile config warnings schema contract
+    Given a key pair named "known"
+    Given an image named "acceptance/volatile-config-test"
+    Given a valid image signature of "acceptance/volatile-config-test" image signed by the "known" key
+    Given a valid attestation of "acceptance/volatile-config-test" signed by the "known" key
+    Given a git repository named "volatile-config-policy" with
+      | main.rego | examples/volatile_config_warnings.rego |
+    Given policy configuration named "ec-policy" with specification
+    """
+    {
+      "sources": [
+        {
+          "name": "volatile-test-source",
+          "policy": [
+            "git::https://${GITHOST}/git/volatile-config-policy.git"
+          ],
+          "volatileConfig": {
+            "exclude": [
+              {
+                "value": "test.rule_with_no_expiration"
+              },
+              {
+                "value": "test.rule_expiring_soon",
+                "effectiveUntil": "2099-12-31T23:59:59Z"
+              },
+              {
+                "value": "test.rule_pending_activation",
+                "effectiveOn": "2099-01-01T00:00:00Z"
+              },
+              {
+                "value": "test.component_scoped_rule",
+                "componentNames": ["Unnamed"]
+              }
+            ]
+          }
+        }
+      ]
+    }
+    """
+    When ec command is run with "validate image --image ${REGISTRY}/acceptance/volatile-config-test --policy acceptance/ec-policy --public-key ${known_PUBLIC_KEY} --ignore-rekor --output json"
+    Then the exit status should be 0
+    Then the output should match the snapshot
+
   Scenario: Unsupported policies
     Given a key pair named "known"
     Given an image named "acceptance/image"
diff --git a/internal/evaluation_target/application_snapshot_image/__snapshots__/application_snapshot_image_test.snap b/internal/evaluation_target/application_snapshot_image/__snapshots__/application_snapshot_image_test.snap
@@ -35,6 +35,7 @@
   "ref": "registry.io/repository/image:tag",
   "source": {}
  },
+ "policy_spec": {},
  "snapshot": {
   "application": "",
   "artifacts": {},
@@ -94,6 +95,7 @@
   "ref": "registry.io/repository/image:tag",
   "source": {}
  },
+ "policy_spec": {},
  "snapshot": {
   "application": "",
   "artifacts": {},
@@ -151,6 +153,7 @@
   ],
   "source": {}
  },
+ "policy_spec": {},
  "snapshot": {
   "application": "",
   "artifacts": {},
@@ -182,6 +185,7 @@
   "ref": "registry.io/repository/image:tag",
   "source": {}
  },
+ "policy_spec": {},
  "snapshot": {
   "application": "",
   "artifacts": {},
@@ -216,6 +220,7 @@
   "ref": "registry.io/repository/image:tag",
   "source": {}
  },
+ "policy_spec": {},
  "snapshot": {
   "application": "",
   "artifacts": {},
@@ -275,6 +280,7 @@
   "ref": "registry.io/repository/image:tag",
   "source": {}
  },
+ "policy_spec": {},
  "snapshot": {
   "application": "",
   "artifacts": {},
@@ -318,6 +324,7 @@
   "ref": "registry.io/repository/image:tag",
   "source": {}
  },
+ "policy_spec": {},
  "snapshot": {
   "application": "",
   "artifacts": {},
@@ -349,6 +356,84 @@
    }
   }
  },
+ "policy_spec": {},
+ "snapshot": {
+  "application": "",
+  "artifacts": {},
+  "components": [
+   {
+    "containerImage": "registry.io/repository/image:tag",
+    "name": "",
+    "source": {}
+   },
+   {
+    "containerImage": "registry.io/other-repository/image2:tag",
+    "name": "",
+    "source": {}
+   }
+  ]
+ }
+}
+---
+
+[TestWriteInputFile/component_name_in_input - 1]
+{
+ "attestations": null,
+ "component_name": "my-component",
+ "image": {
+  "ref": "registry.io/repository/image:tag",
+  "source": {}
+ },
+ "policy_spec": {},
+ "snapshot": {
+  "application": "",
+  "artifacts": {},
+  "components": [
+   {
+    "containerImage": "registry.io/repository/image:tag",
+    "name": "",
+    "source": {}
+   },
+   {
+    "containerImage": "registry.io/other-repository/image2:tag",
+    "name": "",
+    "source": {}
+   }
+  ]
+ }
+}
+---
+
+[TestWriteInputFile/policy_spec_with_volatile_config - 1]
+{
+ "attestations": null,
+ "component_name": "test-component",
+ "image": {
+  "ref": "registry.io/repository/image:tag",
+  "source": {}
+ },
+ "policy_spec": {
+  "sources": [
+   {
+    "name": "test-source",
+    "volatileConfig": {
+     "exclude": [
+      {
+       "imageDigest": "sha256:abc123",
+       "value": "test.rule"
+      }
+     ],
+     "include": [
+      {
+       "effectiveOn": "2024-01-01T00:00:00Z",
+       "effectiveUntil": "2025-12-31T23:59:59Z",
+       "value": "tasks.required_tasks_found:clamav-scan"
+      }
+     ]
+    }
+   }
+  ]
+ },
  "snapshot": {
   "application": "",
   "artifacts": {},
diff --git a/internal/evaluation_target/application_snapshot_image/application_snapshot_image.go b/internal/evaluation_target/application_snapshot_image/application_snapshot_image.go
diff --git a/internal/evaluation_target/application_snapshot_image/application_snapshot_image_test.go b/internal/evaluation_target/application_snapshot_image/application_snapshot_image_test.go
