fix(policies): Set proper host on policy engine (chainloop-dev#1403)

Signed-off-by: Javier Rodriguez <[email protected]>

pkg/policies/engine/rego/rego.go

@@ -57,8 +57,8 @@ var builtinFuncNotAllowed = []*ast.Builtin{
 // allowedNetworkDomains is a list of network domains that are allowed for the compiler to access
 // when using http.send built-in function
 var allowedNetworkDomains = []string{
-	"chainloop.dev",
-	"cisa.gov",
+	"www.chainloop.dev",
+	"www.cisa.gov",
 }
 
 // Force interface

pkg/policies/engine/rego/rego_test.go

@@ -195,7 +195,7 @@ func TestRego_VerifyInvalidPolicy(t *testing.T) {
 	})
 }
 
-func TestRego_WithRestrictiveMOde(t *testing.T) {
+func TestRego_WithRestrictiveMode(t *testing.T) {
 	t.Run("forbidden functions", func(t *testing.T) {
 		regoContent, err := os.ReadFile("testfiles/restrictive_mode.rego")
 		require.NoError(t, err)
@@ -229,6 +229,20 @@ func TestRego_WithRestrictiveMOde(t *testing.T) {
 		assert.Contains(t, err.Error(), "eval_builtin_error: http.send: unallowed host: example.com")
 		assert.Len(t, violations, 0)
 	})
+
+	t.Run("allowed network requests", func(t *testing.T) {
+		regoContent, err := os.ReadFile("testfiles/restricted_mode_networking_allowed_host.rego")
+		require.NoError(t, err)
+
+		r := &Rego{}
+		policy := &engine.Policy{
+			Name:   "policy",
+			Source: regoContent,
+		}
+
+		_, err = r.Verify(context.TODO(), policy, []byte(`{}`), nil)
+		assert.NoError(t, err)
+	})
 }
 
 func TestRego_WithPermissiveMode(t *testing.T) {

pkg/policies/engine/rego/testfiles/restricted_mode_networking_allowed_host.rego

@@ -0,0 +1,9 @@
+package main
+
+import rego.v1
+
+violations contains msg if {
+    kev := http.send({"method": "GET", "url": "https://www.chainloop.dev", "cache": true}).body
+
+    msg := ""
+}