The rego engine can now be configured with an additional set of hostnames to allowlist for http.send requests (#2267).
We should allow the eval command to accept that list of additional hostnames so that, for example, the following policy would not fail like this:
chainloop policy develop eval --kind EVIDENCE --material ./empty.json -p test-http.yaml
ERR evaluating policy: failed to execute policy : failed to evaluate policy: test-http:36: eval_builtin_error: http.send: unallowed host: app.chainloop.dev
apiVersion: workflowcontract.chainloop.dev/v1
kind: Policy
metadata:
  name: test-http
  description: HTTP policy that validates Chainloop platform version against expected version 1.2.3
spec:
  policies:
    # Rego source for this policy (presumably resolved relative to this file; verify against the loader).
    # The rego calls app.chainloop.dev via http.send, so that host must be on the engine's allowlist
    # or evaluation aborts with "unallowed host".
    - path: test-http.rego
      kind: EVIDENCE
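package main

import rego.v1

################################
# Common section do NOT change #
################################

# Output contract consumed by the Chainloop policy engine.
result := {
	"skipped": skipped,
	"violations": violations,
	"skip_reason": skip_reason,
	"ignore": ignore,
}

default skip_reason := ""

skip_reason := m if {
	not valid_input
	m := "invalid input"
}

default skipped := true

skipped := false if valid_input

default ignore := false

########################################
# EO Common section, custom code below #
########################################

# Validates if the input is valid and can be understood by this policy
valid_input := true

# Make HTTP request to Chainloop API.
# The host must be on the engine's http.send allowlist (see the "unallowed host"
# error otherwise). An explicit timeout keeps a slow or unreachable API from
# stalling evaluation indefinitely.
api_response := http.send({
	"method": "GET",
	"url": "https://app.chainloop.dev/api/info",
	"headers": {
		"Accept": "application/json",
		"User-Agent": "Chainloop-Policy/1.0",
	},
	"timeout": "10s",
})

# Extract platform version from API response. This rule is undefined when the
# body does not carry platform.version; the second violation rule below reports
# that case explicitly instead of letting the check silently pass.
platform_version := api_response.body.platform.version

# Fail closed: a non-200 reply must not be treated as "no violation".
violations contains msg if {
	valid_input
	api_response.status_code != 200
	msg := sprintf("Platform version violation: API returned status %d", [api_response.status_code])
}

# Fail closed: a 200 reply whose body lacks platform.version is a violation
# rather than an undefined (and therefore passing) version comparison.
violations contains msg if {
	valid_input
	api_response.status_code == 200
	not api_response.body.platform.version
	msg := "Platform version violation: response did not include platform.version"
}

# The actual version check.
violations contains msg if {
	valid_input
	api_response.status_code == 200
	platform_version != "1.2.3"
	msg := sprintf("Platform version violation: expected '1.2.3', got '%s'", [platform_version])
}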