Conversation


@migmartri migmartri commented Aug 6, 2025

This PR allows storing, exposing and using custom hostnames that can be used inside policies. If provided, they will be appended to the existing ones.

This PR includes

  • Org update API and CLI now allow setting the allowedHostnames
  • It's exposed in the org describe and att init response.
  • The result is stored in the crafting state and injected in the rego engine

closes #2267

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri requested review from jiparis, javirln and Piskoo August 6, 2025 21:21
@migmartri migmartri changed the title chore: support storage and exposure of rego engine domains chore: support storage and exposure of rego engine hostnames Aug 6, 2025
@migmartri migmartri changed the title chore: support storage and exposure of rego engine hostnames chore: support storage and use of custom rego engine hostnames Aug 7, 2025
policiesAllowedHostnames = result.GetPoliciesAllowedHostnames()

signingOpts := result.GetSigningOptions()
if signingOpts != nil {
Member

This change is actually not needed, right? proto getters are always safe and work for nil receivers, so it's safe to do GetSigningOptions().GetTimestampAuthorityUrl() even if SigningOptions is nil

Member Author

let me double check it

ID, Name string
CreatedAt *time.Time
PolicyViolationBlockingStrategy string
PolicyAllowedHostnames []string `json:"policyAllowedHostnames,omitempty"`
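Review bot: the field name here is `PolicyAllowedHostnames` while the other hunks in this PR use `PoliciesAllowedHostnames` (the proto getter `GetPoliciesAllowedHostnames()` and the `NewOrgUpdateOpts` field), so pick one spelling and use it everywhere, including the `json:"policyAllowedHostnames,omitempty"` tag. Also note this is the only field in the struct carrying a json tag; `ID`, `Name`, `CreatedAt` and `PolicyViolationBlockingStrategy` will serialize under their Go names, so if the intent is only to hide the field when unset, the mixed tagging is worth a comment so the next reader does not take it for an accident.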
Member

accidental annotation?

Member Author

nope really, I wanted to hide this option if the default is set

type NewOrgUpdateOpts struct {
BlockOnPolicyViolation *bool
BlockOnPolicyViolation *bool
PoliciesAllowedHostnames *[]string
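Review bot: the hunk shows `BlockOnPolicyViolation *bool` declared twice in `NewOrgUpdateOpts`; if that is not just the diff's removed/added pair rendered without markers, the duplicate field will not compile, so drop one. For `PoliciesAllowedHostnames *[]string`, a plain `[]string` already carries the needed three states: nil means "not provided", `[]string{}` means "clear", and a non-empty slice means "set", which removes the pointer and the dereference at the call site.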
Member

This looks a bit weird. Slices are pointers already and are nil if not initialized. No need to create a pointer to a pointer. Just keep in mind that len([]string(nil)) is 0

Member Author

checking, thanks

Member Author

updated the pointer situation to leverage instead the duality of empty slice vs nil slice.

}

if opts.PoliciesAllowedHostnames != nil {
payload.PoliciesAllowedHostnames = *opts.PoliciesAllowedHostnames
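Review bot: the `!= nil` guard is the part worth keeping, since it is what separates "field not provided" from "clear the list"; the dereference `*opts.PoliciesAllowedHostnames` only exists because the field is a pointer to a slice. With the field as a plain `[]string`, `if opts.PoliciesAllowedHostnames != nil { payload.PoliciesAllowedHostnames = opts.PoliciesAllowedHostnames }` keeps the same semantics, with callers passing `[]string{}` to empty the list and leaving the field unset to keep it unchanged.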
Member

This is what I mean, *variable shouldn't be needed for slices, since they are pointers anyways.

Member Author

this is about making sure we can detect when we want to update the value vs empty it. In any case I've implemented the same by using slices.
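The two threads above, the nil-slice vs empty-slice update semantics and the "custom hostnames appended to the existing ones" behaviour from the PR description, are shown together in the following added example. It is illustrative code written for this page, not Chainloop's own implementation: the types `Org` and `OrgUpdateOpts`, the functions `ApplyUpdate`, `EffectiveAllowedHostnames` and `HostAllowed`, and the default hostname value are all constructed here. The host check matches the exact hostname with any port stripped, so a subdomain of an allowed host is not implicitly allowed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed placeholder for the hostnames the policy engine may reach by default.
// Not Chainloop's real default list.
var defaultAllowedHostnames = []string{"policies.example.internal"}

// OrgUpdateOpts follows the pattern settled on in the review: a nil slice means
// "leave the value unchanged", an empty non-nil slice means "clear it".
type OrgUpdateOpts struct {
	PoliciesAllowedHostnames []string
}

// Org is a minimal stand-in for the organization record (constructed for this example).
type Org struct {
	Name                     string
	PoliciesAllowedHostnames []string
}

// ApplyUpdate applies only the fields that were explicitly provided.
func ApplyUpdate(org Org, opts OrgUpdateOpts) Org {
	if opts.PoliciesAllowedHostnames != nil {
		org.PoliciesAllowedHostnames = normalizeHostnames(opts.PoliciesAllowedHostnames)
	}
	return org
}

// normalizeHostnames lower-cases and trims entries and drops blanks, always
// returning a non-nil slice so "cleared" stays distinguishable from "unset".
func normalizeHostnames(in []string) []string {
	out := make([]string, 0, len(in))
	for _, h := range in {
		h = strings.ToLower(strings.TrimSpace(h))
		if h != "" {
			out = append(out, h)
		}
	}
	return out
}

// EffectiveAllowedHostnames appends the org's custom hostnames to the defaults,
// copying the defaults first so the global slice is never mutated.
func EffectiveAllowedHostnames(org Org) []string {
	out := append([]string{}, defaultAllowedHostnames...)
	return append(out, org.PoliciesAllowedHostnames...)
}

// HostAllowed reports whether a URL's host is on the allowlist. Comparison is on
// the exact hostname (port removed), so "x.allowed.example" does not match
// "allowed.example".
func HostAllowed(rawURL string, allowed []string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return false, fmt.Errorf("no host in %q", rawURL)
	}
	for _, a := range allowed {
		if host == a {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	org := Org{Name: "acme"}
	org = ApplyUpdate(org, OrgUpdateOpts{PoliciesAllowedHostnames: []string{"Policies.Acme.Example"}})
	allowed := EffectiveAllowedHostnames(org)
	ok, _ := HostAllowed("https://policies.acme.example:8443/bundle.rego", allowed)
	fmt.Println("custom host allowed:", ok)
	ok, _ = HostAllowed("https://evil.policies.acme.example/bundle.rego", allowed)
	fmt.Println("subdomain allowed:", ok)
	// Clearing with an empty (non-nil) slice leaves only the defaults.
	org = ApplyUpdate(org, OrgUpdateOpts{PoliciesAllowedHostnames: []string{}})
	fmt.Println("after clear:", EffectiveAllowedHostnames(org))
}
```

Passing `OrgUpdateOpts{}` (nil slice) leaves the existing list untouched, which is the case the `!= nil` guard exists for; passing `[]string{}` empties it.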

@migmartri migmartri changed the title chore: support storage and use of custom rego engine hostnames feat: support storage and use of custom rego engine hostnames Aug 8, 2025
@migmartri migmartri merged commit e0d32ff into chainloop-dev:main Aug 8, 2025
13 checks passed
@migmartri migmartri deleted the 2267-configurable-domains branch August 8, 2025 11:04

Successfully merging this pull request may close these issues.

feat: allowed domains for http.send in Rego engine