diff --git a/features/ta_task_validate_image.feature b/features/ta_task_validate_image.feature
index c3a583a48..672ddadaa 100644
--- a/features/ta_task_validate_image.feature
+++ b/features/ta_task_validate_image.feature
@@ -50,3 +50,25 @@ Feature: Verify Conforma Trusted Artifact Tekton Task
 And the task results should match the snapshot
 And the task logs for step "show-config" should match the snapshot
+ Scenario: Policy configuration passed as JSON string
+ Given a working namespace
+ Given a snapshot artifact with content:
+ ```
+ {
+ "components": [
+ {
+ "containerImage": "quay.io/hacbs-contract-demo/golden-container@sha256:e76a4ae9dd8a52a0d191fd34ca133af5b4f2609536d32200a4a40a09fdc93a0d"
+ }
+ ]
+ }
+ ```
+ When version 0.1 of the task named "verify-conforma-konflux-ta" is run with parameters:
+ | SNAPSHOT_FILENAME | snapshotartifact |
+ | SOURCE_DATA_ARTIFACT | oci:${REGISTRY}/acceptance/snapshotartifact@${BUILD_SNAPSHOT_DIGEST} |
+ | POLICY_CONFIGURATION | {"publicKey":"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERhr8Zj4dZW67zucg8fDr11M4lmRp\\nzN6SIcIjkvH39siYg1DkCoa2h2xMUZ10ecbM3/ECqvBV55YwQ2rcIEa7XQ==\\n-----END PUBLIC KEY-----","sources":[{"policy":["git::github.com/conforma/policy//policy/release?ref=d34eab36b23d43748e451004177ca144296bf323","git::github.com/conforma/policy//policy/lib?ref=d34eab36b23d43748e451004177ca144296bf323"],"config":{"include":["slsa_provenance_available"]}}]} |
+ | STRICT | true |
+ | IGNORE_REKOR | true |
+ | TRUSTED_ARTIFACTS_DEBUG | "true" |
+ | ORAS_OPTIONS | --plain-http |
+ Then the task should succeed
+ And the task logs for step "show-config" should contain "slsa_provenance_available"
diff --git a/tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml b/tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml
index 59882420f..26a53f725 100644
--- a/tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml
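Review bot: `| TRUSTED_ARTIFACTS_DEBUG | "true" |` is the only table value wrapped in quotes, while `STRICT` and `IGNORE_REKOR` are given as bare `true`; unless the step definition strips quotes (not visible here), the task receives the six-character string `"true"`, which may not match whatever the debug flag is compared against. If the quotes are not required, `| TRUSTED_ARTIFACTS_DEBUG | true |` keeps the row consistent with the other booleans. The scenario's only check is that the show-config log contains `slsa_provenance_available`, which presumably proves the JSON was parsed into the printed configuration; if the intent is also to prove the include list was applied during validation, an assertion on the validate step's output would pin that more directly.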
+++ b/tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml
@@ -295,12 +295,13 @@ spec:
 #!/bin/bash
 set -euo pipefail
- # Build EC arguments
+ # Build EC arguments array
+ # POLICY_CONFIGURATION is passed via environment variable to safely handle JSON strings
 EC_ARGS=(
 validate image
 --images /tekton/home/snapshot.json
- --policy "$(params.POLICY_CONFIGURATION)"
+ --policy "${POLICY_CONFIGURATION}"
 --public-key "$(params.PUBLIC_KEY)"
 --rekor-url "$(params.REKOR_HOST)"
 --ignore-rekor=$(params.IGNORE_REKOR)
@@ -311,6 +312,9 @@ spec:
 --show-successes
 --effective-time=$(params.EFFECTIVE_TIME)
 --extra-rule-data=$(params.EXTRA_RULE_DATA)
+ )
+
+ EC_ARGS+=(
 --retry-max-wait "$(params.RETRY_MAX_WAIT)"
 --retry-max-retry "$(params.RETRY_MAX_RETRY)"
 --retry-duration "$(params.RETRY_DURATION)"
@@ -327,7 +331,7 @@ spec:
 if [[ "$(params.ATTESTATION_FORMAT)" == "dsse" ]]; then
 if [[ -z "$(params.VSA_SIGNING_KEY)" ]]; then
- echo "ERROR: VSA_SIGNING_KEY required for format=dsse"
+ echo "ERROR: VSA_SIGNING_KEY required for format=dsse" >&2
 exit 1
 fi
 EC_ARGS+=(--vsa-signing-key "$(params.VSA_SIGNING_KEY)")
@@ -342,6 +346,10 @@ spec:
 # Execute EC with constructed arguments
 ec "${EC_ARGS[@]}"
 env:
+ # POLICY_CONFIGURATION is passed via environment variable to safely handle JSON strings
+ # This avoids shell quoting issues when Tekton substitutes parameter values directly in scripts
+ - name: POLICY_CONFIGURATION
+ value: "$(params.POLICY_CONFIGURATION)"
 - name: SSL_CERT_DIR
 # The Tekton Operator automatically sets the SSL_CERT_DIR env to the value below but,
 # of course, without the $(param.SSL_CERT_DIR) bit. When a Task Step sets it to a
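Review bot: Moving POLICY_CONFIGURATION to an environment variable fixes the quoting problem for that one parameter, but the same hunk still substitutes the others textually into the script, and `--ignore-rekor=$(params.IGNORE_REKOR)` here, plus `--effective-time=$(params.EFFECTIVE_TIME)` and `--extra-rule-data=$(params.EXTRA_RULE_DATA)` in the next hunk, are not even quoted. Tekton expands `$(params.X)` before bash parses the script, so a value containing whitespace or shell metacharacters is interpreted by the shell rather than passed as one argument; EXTRA_RULE_DATA is free-form task input and is the most exposed of these. The pattern this commit introduces — declare the parameter under `env:` and reference `"${NAME}"` in the script — is the approach Tekton's own guidance suggests for script steps and could be applied uniformly to every `$(params.…)` inside `script:`, e.g. `--extra-rule-data="${EXTRA_RULE_DATA}"`. The script block continues outside the hunks shown.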
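Review bot: The new `)` / `EC_ARGS+=(` split closes the array just before the retry flags and reopens it with no comment saying why; the retry flags are no different in kind from the flags above them, so the boundary reads as arbitrary. If the split prepares for making the retry block conditional, a one-line comment such as `# retry tuning, kept in its own append so it can be made optional` would explain it; otherwise a single array is simpler.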
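Review bot: The two comment lines added above `- name: POLICY_CONFIGURATION` repeat, almost word for word, the comment added at the top of the script in the first hunk; keeping the explanation in one place avoids the two drifting apart. The `env:` entry is the better home since that is where the indirection is declared, so the script-side comment could shrink to a pointer, `# POLICY_CONFIGURATION comes from env (see env: below), not $(params.…)`.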