File: disable-opa.patch

From: Simon Josefsson <simon@josefsson.org>
Subject: [PATCH] Disable OPA
Origin: vendor
Forwarded: not-needed
Last-Update: 2025-01-20

diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
index 93c27690..9b8ccc2f 100644
--- a/cmd/cosign/cli/verify/verify_attestation.go
+++ b/cmd/cosign/cli/verify/verify_attestation.go
@@ -33,7 +33,6 @@ import (
 	"github.com/sigstore/cosign/v2/pkg/cosign/cue"
 	"github.com/sigstore/cosign/v2/pkg/cosign/pivkey"
 	"github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key"
-	"github.com/sigstore/cosign/v2/pkg/cosign/rego"
 	"github.com/sigstore/cosign/v2/pkg/oci"
 	"github.com/sigstore/cosign/v2/pkg/policy"
 	sigs "github.com/sigstore/cosign/v2/pkg/signature"
@@ -256,16 +255,14 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 			}
 		}
 
-		var cuePolicies, regoPolicies []string
+		var cuePolicies []string
 
 		for _, policy := range c.Policies {
 			switch filepath.Ext(policy) {
-			case ".rego":
-				regoPolicies = append(regoPolicies, policy)
 			case ".cue":
 				cuePolicies = append(cuePolicies, policy)
 			default:
-				return errors.New("invalid policy format, expected .cue or .rego")
+				return errors.New("invalid policy format, expected .cue")
 			}
 		}
 
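Review bot: A `.rego` entry in c.Policies now fails with `invalid policy format, expected .cue`, which reads like a filename mistake rather than a capability this build deliberately removed; the `"rego"` policyType in the pkg/policy/eval.go hunk has the same problem, falling through to `sorry Type %s is not supported yet`. Both paths fail closed, which is the right outcome for a verifier, but the message should say why so an operator does not assume the policy was evaluated by another engine. Suggest `return errors.New("invalid policy format, expected .cue (rego policies are disabled in this build)")` here, and an explicit `case "rego": return nil, fmt.Errorf("policy type %s is disabled in this build", policyType)` ahead of `default:` in eval.go. Any flag help or documentation that still advertises `.rego` is not touched by this patch and is not visible here, so that would need a separate check. Exec's body continues outside this hunk, as does EvaluatePolicyAgainstJSON's in the eval.go hunk.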
@@ -295,15 +292,6 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 				}
 			}
 
-			if len(regoPolicies) > 0 {
-				ui.Infof(ctx, "will be validating against Rego policies: %v", regoPolicies)
-				regoValidationErrs := rego.ValidateJSON(payload, regoPolicies)
-				if len(regoValidationErrs) > 0 {
-					validationErrors = append(validationErrors, regoValidationErrs...)
-					continue
-				}
-			}
-
 			checked = append(checked, vp)
 		}
 
diff --git a/pkg/policy/eval.go b/pkg/policy/eval.go
index 9e33a8a0..6aff4e8e 100644
--- a/pkg/policy/eval.go
+++ b/pkg/policy/eval.go
@@ -20,7 +20,6 @@ import (
 	"fmt"
 
 	"cuelang.org/go/cue/cuecontext"
-	"github.com/sigstore/cosign/v2/pkg/cosign/rego"
 )
 
 // EvaluatePolicyAgainstJson is used to run a policy engine against JSON bytes.
@@ -39,15 +38,6 @@ func EvaluatePolicyAgainstJSON(ctx context.Context, name, policyType string, pol
 				fmt.Errorf("failed evaluating cue policy for %s: %w", name, cueValidationErr),
 			}
 		}
-	case "rego":
-		regoValidationWarn, regoValidationErr := evaluateRego(ctx, jsonBytes, policyBody)
-		if regoValidationErr != nil {
-			return regoValidationWarn, &EvaluationFailure{
-				fmt.Errorf("failed evaluating rego policy for type %s: %w", name, regoValidationErr),
-			}
-		}
-		// It is possible to return warning messages when the policy is compliant
-		return regoValidationWarn, regoValidationErr
 	default:
 		return nil, fmt.Errorf("sorry Type %s is not supported yet", policyType)
 	}
@@ -71,8 +61,3 @@ func evaluateCue(_ context.Context, attestation []byte, evaluator string) error
 	}
 	return nil
 }
-
-// evaluateRego evaluates a rego policy `evaluator` against `attestation`
-func evaluateRego(_ context.Context, attestation []byte, evaluator string) (warnings error, errors error) {
-	return rego.ValidateJSONWithModuleInput(attestation, evaluator)
-}