# parse_image splits a digest-pinned image reference at "@sha256:" into the
# repository name used in the Notary URL path ("gun") and the hex digest
# that follows the separator ("digest").
#
# The rule body is undefined when the reference has no "@sha256:" part,
# because parts[1] does not exist; a caller that uses this inside a
# comprehension therefore drops such images instead of seeing a value.
parse_image(image) = gun_digest {
    parts := split(image, "@sha256:")
    gun := parts[0]
    digest := parts[1]
    gun_digest := {"gun": gun, "digest": digest}
}
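# match produces a denial message for a Pod CREATE request when at least one
# docker.io/library image among spec.containers does not carry a sha256 digest
# that appears in the repository's Notary targets.json.
#
# Images without an "@sha256:" digest are counted in docker_io_images but can
# never match a Notary hash, so they are denied rather than silently skipped
# (parse_image is undefined for them, which previously removed them from the
# candidate list before any check ran).
#
# Only spec.containers is inspected; initContainers are not covered here.
match[{"msg": msg}] {
    input.request.operation == "CREATE"
    input.request.kind.kind == "Pod"
    input.request.resource.resource == "pods"

    # Every container whose image reference starts with docker.io/library,
    # whether or not it is pinned by digest. Matching on the raw reference
    # rather than on parse_image(...).gun keeps unpinned images in the list.
    docker_io_images := [container |
        container := input.request.object.spec.containers[_]
        startswith(container.image, "docker.io/library")
    ]
    count(docker_io_images) > 0

    # Containers whose digest is listed in the Notary targets for their
    # repository. parse_image is undefined for images without "@sha256:",
    # so those containers never enter this list and fail the count below.
    hashes_matched := [container |
        container := docker_io_images[_]
        gun_digest := parse_image(container.image)

        # Pull-scoped token for the Notary server; no credentials are sent.
        token_resp := http.send({
            "method": "GET",
            "url": concat("", ["https://auth.docker.io/token?service=notary.docker.io&scope=repository:", gun_digest.gun, ":pull"]),
        })

        # NOTE(review): targets.json is consumed from resp.body.signed without
        # verifying the TUF signature chain; the only trust anchor here is the
        # TLS connection to notary.docker.io.
        targets_resp := http.send({
            "method": "GET",
            "headers": {
                "Authorization": concat(" ", ["Bearer", token_resp.body.token]),
            },
            "force_json_decode": true,
            "url": concat("", ["https://notary.docker.io/v2/", gun_digest.gun, "/_trust/tuf/targets.json"]),
        })

        # Notary stores target hashes base64-encoded; the image reference
        # carries the digest as lowercase hex, so normalise to hex for lookup.
        hashes := {sha256 |
            sha256 := hex.encode(base64.decode(targets_resp.body.signed.targets[_].hashes.sha256))
        }
        hashes[gun_digest.digest]
    ]

    count(hashes_matched) < count(docker_io_images)
    msg := sprintf("number of matched hashes %v < number of docker.io/library images %v", [count(hashes_matched), count(docker_io_images)])
}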