fix(policies): fix provider parsing for pinned policies (chainloop-de…

…v#1410) Signed-off-by: Jose I. Paris <[email protected]>
jiparis · Oct 17, 2024 · 0c6836b · 0c6836b
1 parent cdd749a
commit 0c6836b
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 5 deletions.
diff --git a/app/controlplane/api/workflowcontract/v1/crafting_schema_test.go b/app/controlplane/api/workflowcontract/v1/crafting_schema_test.go
@@ -244,10 +244,22 @@ func TestValidateRefs(t *testing.T) {
 			ref:           "foobar:policy_name@foobar",
 			wantErrString: "invalid digest",
 		},
+		{
+			name: "valid digest",
+			ref:  "foobar:policy-name@sha256:133d39edc0f0d32780dd9c940951df0910ef53e6fd64942801ba6fb76494bbf9",
+		},
 		{
 			name: "chainloop provider with valid digest",
 			ref:  "foobar:policy-name@sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c",
 		},
+		{
+			name: "custom policy with valid digest",
+			ref:  "readonly-demo/policy-name@sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c",
+		},
+		{
+			name: "builtin policy with valid digest",
+			ref:  "policy-name@sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c",
+		},
 		{
 			name:          "unsupported protocol",
 			ref:           "unsupported://foobar/policy_name",

diff --git a/pkg/policies/loader.go b/pkg/policies/loader.go
@@ -205,7 +205,19 @@ type ProviderRef struct {
 }
 
 // ProviderParts returns the provider information for a given reference
-func ProviderParts(ref string) *ProviderRef {
+func ProviderParts(reference string) *ProviderRef {
+	var ref, digest string
+	// first of all, remove the @sha256 suffix to make the parsing easier
+	withDigest := strings.SplitN(reference, "@sha256:", 2)
+
+	if len(withDigest) > 1 {
+		// it has digest
+		ref = withDigest[0]
+		digest = withDigest[1]
+	} else {
+		ref = reference
+	}
+
 	parts := strings.SplitN(ref, "://", 2)
 	var pn []string
 	if len(parts) == 1 {
@@ -232,6 +244,11 @@ func ProviderParts(ref string) *ProviderRef {
 		name = scoped[1]
 	}
 
+	// return the digest back
+	if digest != "" {
+		name = fmt.Sprintf("%s@sha256:%s", name, digest)
+	}
+
 	return &ProviderRef{
 		Provider: provider,
 		Name:     name,

diff --git a/pkg/policies/policies_test.go b/pkg/policies/policies_test.go
@@ -249,10 +249,11 @@ func (s *testSuite) TestVerifyAttestations() {
 
 func (s *testSuite) TestProviderParts() {
 	testCases := []struct {
-		ref  string
-		prov string
-		name string
-		org  string
+		ref    string
+		prov   string
+		name   string
+		org    string
+		digest string
 	}{
 		{
 			ref:  "chainloop://cyclonedx-freshness",
@@ -302,6 +303,29 @@ func (s *testSuite) TestProviderParts() {
 			org:  "myorg",
 			name: "cyclonedx-freshness",
 		},
+		{
+			ref:  "myorg/cyclonedx-freshness@sha256:123123123",
+			org:  "myorg",
+			name: "cyclonedx-freshness@sha256:123123123",
+		},
+		{
+			ref:  "builtin:myorg/cyclonedx-freshness@sha256:123123123",
+			prov: "builtin",
+			org:  "myorg",
+			name: "cyclonedx-freshness@sha256:123123123",
+		},
+		{
+			ref:  "chainloop://builtin:myorg/cyclonedx-freshness@sha256:123123123",
+			prov: "builtin",
+			org:  "myorg",
+			name: "cyclonedx-freshness@sha256:123123123",
+		},
+		{
+			ref:  "chainloop://myorg/cyclonedx-freshness@sha256:123123123",
+			prov: "",
+			org:  "myorg",
+			name: "cyclonedx-freshness@sha256:123123123",
+		},
 	}
 
 	for _, tc := range testCases {