Support restricting registries and packages globally for security

[suzuki-shunsuke]

Feature Overview

Support restricting registries and packages globally for security.

Why is the feature needed?

Please explain the problem you want to solve.

This is useful to prevent from malicious tools being installed and executed.

Does the feature include Breaking Changes?

No.

Example Code

command and configuration

$ export AQUA_SECURITY_CONFIG=$HOME/.config/aquaproj-aqua/security.yaml # You can change the file path freely

security.yaml

By default, all registries and packages are forbidden.

{} # all registries and packages are forbidden

registries:
- id: standard # Allow the standard registry
- id: github_content/github.com/aquaproj/aqua-registry/v3.17.0/registry.yaml
- id: github_content/github.com/aquaproj/aqua-registry/.*
  id_format: regexp # glob
- id: local # Allow local registry
packages:
- id: github_release/github.com/suzuki-shunsuke/tfcmt/.*
  id_format: regexp # glob, equal, prefix, suffix
  version: >= v3.0.0 # Version Constraint

⚠️ Assumption

We assume that the environment variable can't be changed easily.
In some CI Platform such as GitHub Actions people can change the environment variable easily, so this feature doesn't work well. This means this feature assumes CI runs in secure platform.
For example, in Mercari's Terraform CI platform people can't change the environment variable easily.
https://engineering.mercari.com/en/blog/entry/20220121-securing-terraform-monorepo-ci/
Or we should consider to sign the configuration file.

registry id format

package id format

Reference

• x/crypto/openpgp: mark as frozen and deprecated golang/go#44226

[suzuki-shunsuke]

• feat: support restricting registries and packages globally for security #1308

[suzuki-shunsuke]

aqua.yaml
aqua-policy.yaml

AQUA_POLICY_CONFIG

packages: # OR condition
- registry:
    id: standard # Allow standard registry
- registry:
    id: github_content/github.com/aquaproj/aqua-registry/v3.17.0/registry.yaml # Allow custom registry
    id_format: equal
  packages:
  - name: suzuki-shunsuke/tfcmt # If local registry is used, name can't be used for security
    name_format: equal
- packages:
  - id: github_release/github.com/suzuki-shunsuke/tfcmt/.*
    id_format: regexp
    version: >= v3.0.0 # Version Constraint

[suzuki-shunsuke]

aqua-policy.yaml

registries:
- type: standard
  ref: semVer(">= 3.0.0") || Version == "xxx"
- type: standard
  ref: xxx
  name: standard-xxx
- type: local
  name: local
  path: registry.yaml # relative path from aqua-policy.yaml
- type: github_content
  name: aqua-registry
  repo_owner: aquaproj
  repo_name: aqua-registry
  ref: semVer(">= v3.0.0")
  path: registry.yaml
packages:
- name: cli/cli
  version: semVer(">= v2.0.0")
- name: gohugoio/hugo
  registry: aqua-registry

[suzuki-shunsuke]

• add policy as code aquaproj.github.io#212