Merge pull request #3539 from tonistiigi/opa-source-policy

add rego integration to source policies

Author: tonistiigi

Dockerfile

@@ -5,7 +5,7 @@ ARG ALPINE_VERSION=3.23
 ARG XX_VERSION=1.7.0
 
 # for testing
-ARG DOCKER_VERSION=29.0.0
+ARG DOCKER_VERSION=29.1
 ARG DOCKER_VERSION_ALT_28=28.5
 ARG DOCKER_VERSION_ALT_27=27.5.1
 ARG DOCKER_CLI_VERSION=${DOCKER_VERSION}

build/build.go

@@ -8,6 +8,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/fs"
 	"maps"
 	"os"
 	"slices"
@@ -21,6 +22,7 @@ import (
 	noderesolver "github.com/docker/buildx/build/resolver"
 	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/driver"
+	"github.com/docker/buildx/policy"
 	"github.com/docker/buildx/util/buildflags"
 	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/buildx/util/desktop"
@@ -95,6 +97,15 @@ type Options struct {
 	SourcePolicy           *spb.Policy
 	GroupRef               string
 	Annotations            map[exptypes.AnnotationKey]string // Not used during build, annotations are already set in Exports. Just used to check for support with drivers.
+	Policy                 []PolicyConfig
+}
+
+type PolicyConfig struct {
+	Files    []policy.File
+	Reset    bool
+	Disabled bool
+	Strict   *bool
+	LogLevel *logrus.Level
 }
 
 type CallFunc struct {
@@ -113,6 +124,85 @@ type Inputs struct {
 	// DockerfileMappingSrc and DockerfileMappingDst are filled in by the builder.
 	DockerfileMappingSrc string
 	DockerfileMappingDst string
+
+	policy *policyOpt
+}
+
+type policyOpt struct {
+	Files    []policy.File
+	FS       func() (fs.StatFS, func() error, error)
+	Strict   bool
+	LogLevel *logrus.Level
+}
+
+func withPolicyConfig(defaultPolicy policyOpt, configs []PolicyConfig) ([]policyOpt, error) {
+	if len(configs) == 0 {
+		if len(defaultPolicy.Files) == 0 {
+			return nil, nil
+		}
+		return []policyOpt{defaultPolicy}, nil
+	}
+
+	for _, cfg := range configs {
+		if !cfg.Disabled {
+			continue
+		}
+		if cfg.Reset || cfg.Strict != nil || cfg.LogLevel != nil || len(cfg.Files) > 0 {
+			return nil, errors.New("disabled policy cannot be combined with other policy flags")
+		}
+		if len(configs) > 1 {
+			return nil, errors.New("disabled policy cannot be combined with other policy flags")
+		}
+		return nil, nil
+	}
+
+	out := make([]policyOpt, 0, len(configs)+1)
+	if len(defaultPolicy.Files) != 0 {
+		out = append(out, defaultPolicy)
+	}
+
+	var last PolicyConfig
+
+	for _, cfg := range configs {
+		if cfg.Reset {
+			out = nil
+		}
+
+		if len(cfg.Files) == 0 {
+			if len(out) == 0 {
+				last = cfg
+			} else {
+				last := &out[len(out)-1]
+				if cfg.Strict != nil {
+					last.Strict = *cfg.Strict
+				}
+				if cfg.LogLevel != nil {
+					last.LogLevel = cfg.LogLevel
+				}
+			}
+			continue
+		}
+
+		opt := policyOpt{
+			Files: cfg.Files,
+		}
+		if last.Strict != nil {
+			opt.Strict = *last.Strict
+		}
+		if last.LogLevel != nil {
+			opt.LogLevel = last.LogLevel
+		}
+		if cfg.Strict != nil {
+			opt.Strict = *cfg.Strict
+		}
+		if cfg.LogLevel != nil {
+			opt.LogLevel = cfg.LogLevel
+		}
+		opt.FS = defaultPolicy.FS
+		out = append(out, opt)
+	}
+
+	return out, nil
 }
 
 type NamedContext struct {
@@ -926,7 +1016,7 @@ func detectSharedMounts(ctx context.Context, reqs map[string][]*reqForNode) (_ m
 			}
 			fsMap := m[nodeName]
 			for name, m := range req.so.LocalMounts {
-				fs, ok := m.(*fs)
+				fs, ok := m.(*fsMount)
 				if !ok {
 					continue
 				}

build/git.go

@@ -135,7 +135,7 @@ func getGitAttributes(ctx context.Context, contextPath, dockerfilePath string) (
 		}
 
 		for key, mount := range so.LocalMounts {
-			fs, ok := mount.(*fs)
+			fs, ok := mount.(*fsMount)
 			if !ok {
 				continue
 			}