[TEP-0089] SPIRE for non-falsifiable provenance.

This commit is a part of a larger set of commits to provide non-falsifiable provenance through SPIRE. In particular this commit introduces a utility function to check if SPIRE based non-falsifiable provenance has been enabled. Signed-off-by: jagathprakash <31057312+jagathprakash@users.noreply.github.com>
tektoncd · Apr 13, 2023 · 2d38ea8 · 2d38ea8
1 parent 6f68e80
commit 2d38ea8
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 0 deletions.
diff --git a/pkg/apis/config/feature_flags.go b/pkg/apis/config/feature_flags.go
@@ -316,6 +316,11 @@ func CheckAlphaOrBetaAPIFields(ctx context.Context) bool {
 	return cfg.FeatureFlags.EnableAPIFields == AlphaAPIFields || cfg.FeatureFlags.EnableAPIFields == BetaAPIFields
 }
 
+// IsSpireEnabled checks if non-falsifiable provenance is enforced through SPIRE
+func IsSpireEnabled(ctx context.Context) bool {
+	return FromContextOrDefaults(ctx).FeatureFlags.EnforceNonfalsifiability == EnforceNonfalsifiabilityWithSpire
+}
+
 func setEnableAPIFields(ctx context.Context, want string) context.Context {
 	featureFlags, _ := NewFeatureFlagsFromMap(map[string]string{
 		"enable-api-fields": want,

diff --git a/pkg/apis/config/feature_flags_test.go b/pkg/apis/config/feature_flags_test.go
@@ -305,6 +305,60 @@ func TestCheckAlphaOrBetaAPIFields(t *testing.T) {
 	}
 }
 
+func TestIsSpireEnabled(t *testing.T) {
+	testCases := []struct {
+		name                   string
+		configmap              map[string]string
+		expectedIsSpireEnabled bool
+	}{{
+		name: "when enable-api-fields is set to beta and non-falsifiablity is not set.",
+		configmap: map[string]string{
+			"enable-api-fields":         "beta",
+			"enforce-nonfalsifiability": config.EnforceNonfalsifiabilityNone,
+		},
+		expectedIsSpireEnabled: false,
+	}, {
+		name: "when enable-api-fields is set to beta and non-falsifiability is set to 'spire'",
+		configmap: map[string]string{
+			"enable-api-fields":         "beta",
+			"enforce-nonfalsifiability": config.EnforceNonfalsifiabilityWithSpire,
+		},
+		expectedIsSpireEnabled: false,
+	}, {
+		name: "when enable-api-fields is set to alpha and non-falsifiability is not set",
+		configmap: map[string]string{
+			"enable-api-fields":         "alpha",
+			"enforce-nonfalsifiability": config.EnforceNonfalsifiabilityNone,
+		},
+		expectedIsSpireEnabled: false,
+	}, {
+		name: "when enable-api-fields is set to alpha and non-falsifiability is not set",
+		configmap: map[string]string{
+			"enable-api-fields":         "alpha",
+			"enforce-nonfalsifiability": config.EnforceNonfalsifiabilityWithSpire,
+		},
+		expectedIsSpireEnabled: true,
+	}}
+	ctx := context.Background()
+	store := config.NewStore(logging.FromContext(ctx).Named("config-store"))
+	for _, tc := range testCases {
+		featureflags := &corev1.ConfigMap{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "feature-flags",
+			},
+			Data: tc.configmap,
+		}
+		store.OnConfigChanged(featureflags)
+		ctx = store.ToContext(ctx)
+		want := tc.expectedIsSpireEnabled
+		got := config.IsSpireEnabled(ctx)
+
+		if want != got {
+			t.Errorf("IsSpireEnabled() = %t, want %t", got, want)
+		}
+	}
+}
+
 func verifyConfigFileWithExpectedFeatureFlagsConfig(t *testing.T, fileName string, expectedConfig *config.FeatureFlags) {
 	t.Helper()
 	cm := test.ConfigMapFromTestFile(t, fileName)