Add Rego validation for Dockerfiles with policies stored in OCI regis…

…tries

Signed-off-by: Santosh <[email protected]>

cmd/regoval_dockerfileval.go

@@ -2,7 +2,7 @@ package cmd
 
 import (
 	"fmt"
-	"os"
+	"strings"
 
 	"github.com/intelops/genval/pkg/oci"
 	"github.com/intelops/genval/pkg/utils"
@@ -74,23 +74,31 @@ func runDockerfilevalCmd(cmd *cobra.Command, args []string) error {
 		log.Errorf("Error reading Dockerfile: %v, validation failed: %s\n", input, err)
 	}
 
-	if policy == "" {
-		fmt.Println("\n" + "Validating with default policies...")
+	if policy == "" || strings.HasPrefix(policy, "oci://") {
 
-		tempDir, err := os.MkdirTemp("", "policyDirectory")
+		tempDir, cleanup, err := utils.TempDirWithCleanup()
 		if err != nil {
-			return fmt.Errorf("error creating policy directory: %v", err)
+			return fmt.Errorf("error creating temporary directory: %v", err)
 		}
-		defer os.RemoveAll(tempDir)
-
-		policyLoc, err := oci.FetchPolicyFromRegistry(cmd.Name())
-		if err != nil {
-			return fmt.Errorf("error fetching policy from registry: %v", err)
-		}
-
-		defaultRegoPolicies, err := validate.ApplyDefaultPolicies(policyLoc, tempDir)
-		if err != nil {
-			return fmt.Errorf("error applying default policies: %v", err)
+		defer cleanup()
+
+		var defaultRegoPolicies string
+		if policy == "" {
+			fmt.Println("\n" + "Validating with default policies...")
+			policyLoc, err := oci.FetchPolicyFromRegistry(cmd.Name())
+			if err != nil {
+				return fmt.Errorf("error fetching policy from registry: %v", err)
+			}
+
+			defaultRegoPolicies, err = validate.ApplyDefaultPolicies(policyLoc, tempDir)
+			if err != nil {
+				return fmt.Errorf("error applying default policies: %v", err)
+			}
+		} else {
+			defaultRegoPolicies, err = validate.ApplyDefaultPolicies(policy, tempDir)
+			if err != nil {
+				return fmt.Errorf("error applying default policies: %v", err)
+			}
 		}
 
 		err = validate.ValidateDockerfile(string(dockerfilefileContent), defaultRegoPolicies)

pkg/oci/constants.go

@@ -21,6 +21,7 @@ const (
 
 	URLPrefix = "oci://"
 
+	// OCI URLs for Rego policies
 	DockerfilePolicies = URLPrefix + "ghcr.io/intelops/policyhub/genval/dockerfile-policies:v0.0.1"
 	InfrafilePolicies  = URLPrefix + "ghcr.io/intelops/policyhub/genval/infrafile_policies:v0.0.1"
 	TerraformPOlicies  = URLPrefix + "ghcr.io/intelops/policyhub/genval/terraform-policies:v0.0.1"

pkg/oci/ociClient.go

@@ -296,25 +296,13 @@ func GenerateCraneOptions() ([]crane.Option, error) {
 				if user == "" || pass == "" {
 					return nil, errors.New("username or password is empty")
 				}
-				token, tokenSet := os.LookupEnv("ARTIFACT_REGISTRY_TOKEN")
-
-				if tokenSet || token != "" {
-					// Token is set, use it
-					authConfig := authn.AuthConfig{RegistryToken: token}
-					opts = append(opts, crane.WithAuth(authn.FromConfig(authConfig)))
-				} else {
-					if user == "" || pass == "" {
-						return nil, errors.New("username or password is empty")
-					}
-
-					// Create authentication config
-					authConfig := authn.AuthConfig{Username: user, Password: pass}
-					opts = append(opts, crane.WithAuth(authn.FromConfig(authConfig)))
-				}
 				// Create authentication config
 				authConfig := authn.AuthConfig{Username: user, Password: pass}
 				opts = append(opts, crane.WithAuth(authn.FromConfig(authConfig)))
 			}
+			// Create authentication config
+			authConfig := authn.AuthConfig{Username: user, Password: pass}
+			opts = append(opts, crane.WithAuth(authn.FromConfig(authConfig)))
 		} else {
 			// Other error occurred while checking for Docker config file
 			return nil, fmt.Errorf("error checking Docker config at %s: %v", credPath, err)