Add an optional Message to Static actions for custom fail message.

Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
sigstore · Mar 8, 2023 · 4f2d853 · 4f2d853
1 parent 9c96f55
commit 4f2d853
Show file tree

Hide file tree

Showing 9 changed files with 37 additions and 5 deletions.
diff --git a/config/300-clusterimagepolicy.yaml b/config/300-clusterimagepolicy.yaml
@@ -237,6 +237,9 @@ spec:
                           action:
                             description: Action defines how to handle a matching policy.
                             type: string
+                          message:
+                            description: For fail actions, emit an optional custom message
+                            type: string
                 images:
                   description: Images defines the patterns of image names that should be subject to this policy.
                   type: array
@@ -570,6 +573,9 @@ spec:
                           action:
                             description: Action defines how to handle a matching policy.
                             type: string
+                          message:
+                            description: For fail actions, emit an optional custom message
+                            type: string
                 images:
                   description: Images defines the patterns of image names that should be subject to this policy.
                   type: array

diff --git a/docs/api-types/index-v1alpha1.md b/docs/api-types/index-v1alpha1.md
@@ -344,6 +344,7 @@ StaticRef specifies that signatures / attestations are not validated but instead
 | Field | Description | Scheme | Required |
 | ----- | ----------- | ------ | -------- |
 | action | Action defines how to handle a matching policy. | string | true |
+| message | For fail actions, emit an optional custom message. This only makes sense for 'fail' action because on 'pass' there's no place to jot down the message. | string | false |
 
 [Back to TOC](#table-of-contents)
 

diff --git a/docs/api-types/index.md b/docs/api-types/index.md
@@ -223,6 +223,7 @@ StaticRef specifies that signatures / attestations are not validated but instead
 | Field | Description | Scheme | Required |
 | ----- | ----------- | ------ | -------- |
 | action | Action defines how to handle a matching policy. | string | true |
+| message | For fail actions, emit an optional custom message | string | false |
 
 [Back to TOC](#table-of-contents)
 

diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go
@@ -140,7 +140,8 @@ func (authority *Authority) ConvertTo(ctx context.Context, sink *v1beta1.Authori
 	}
 	if authority.Static != nil {
 		sink.Static = &v1beta1.StaticRef{
-			Action: authority.Static.Action,
+			Action:  authority.Static.Action,
+			Message: authority.Static.Message,
 		}
 	}
 	return nil
@@ -293,7 +294,10 @@ func (authority *Authority) ConvertFrom(ctx context.Context, source *v1beta1.Aut
 		}
 	}
 	if source.Static != nil {
-		authority.Static = &StaticRef{Action: source.Static.Action}
+		authority.Static = &StaticRef{
+			Action:  source.Static.Action,
+			Message: source.Static.Message,
+		}
 	}
 	return nil
 }

diff --git a/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go b/pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go
@@ -170,6 +170,10 @@ type KeyRef struct {
 type StaticRef struct {
 	// Action defines how to handle a matching policy.
 	Action string `json:"action"`
+	// For fail actions, emit an optional custom message. This only makes
+	// sense for 'fail' action because on 'pass' there's no place to jot down
+	// the message.
+	Message string `json:"message,omitempty"`
 }
 
 // Source specifies the location of the signature / attestations.

diff --git a/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go b/pkg/apis/policy/v1beta1/clusterimagepolicy_types.go
@@ -169,6 +169,8 @@ type KeyRef struct {
 type StaticRef struct {
 	// Action defines how to handle a matching policy.
 	Action string `json:"action"`
+	// For fail actions, emit an optional custom message
+	Message string `json:"message,omitempty"`
 }
 
 // Source specifies the location of the signature / attestations.

diff --git a/pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go b/pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go
@@ -122,7 +122,8 @@ type KeylessRef struct {
 }
 
 type StaticRef struct {
-	Action string `json:"action"`
+	Action  string `json:"action"`
+	Message string `json:"message,omitempty"`
 }
 
 type AttestationPolicy struct {
@@ -406,6 +407,7 @@ func convertStaticRefV1Alpha1ToWebhook(in *v1alpha1.StaticRef) *StaticRef {
 	}
 
 	return &StaticRef{
-		Action: in.Action,
+		Action:  in.Action,
+		Message: in.Message,
 	}
 }
diff --git a/pkg/webhook/validator.go b/pkg/webhook/validator.go
@@ -515,7 +515,7 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c
 			switch {
 			case authority.Static != nil:
 				if authority.Static.Action == "fail" {
-					result.err = cosign.NewVerificationError("disallowed by static policy")
+					result.err = cosign.NewVerificationError("disallowed by static policy: " + authority.Static.Message)
 					results <- result
 					return
 				}

diff --git a/pkg/webhook/validator_test.go b/pkg/webhook/validator_test.go
@@ -1709,6 +1709,18 @@ func TestValidatePolicy(t *testing.T) {
 			}},
 		},
 		wantErrs: []string{"disallowed by static policy"},
+	}, {
+		name: "simple, static set to fail with custom message",
+		policy: webhookcip.ClusterImagePolicy{
+			Authorities: []webhookcip.Authority{{
+				Name: "authority-0",
+				Static: &webhookcip.StaticRef{
+					Action:  "fail",
+					Message: "test custom message here",
+				},
+			}},
+		},
+		wantErrs: []string{"disallowed by static policy: test custom message here"},
 	}, {
 		name: "simple, public key, no error",
 		policy: webhookcip.ClusterImagePolicy{