feat(policies): allow gate=false to override org-wide blocking (#2777)

matiasinsaurralde · web-flow · commit 2d70b6c0cebf · 2026-02-27T13:48:19.000-03:00
Signed-off-by: Matías Insaurralde &lt;matias@chainloop.dev&gt;
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -56,6 +56,7 @@ jobs:
           token: ${{ secrets.buf_api_token }}
           breaking: true
           pr_comment: false
+          exclude_imports: true
 
   lint-dagger-module:
     runs-on: ubuntu-latest
diff --git a/app/cli/cmd/attestation_push.go b/app/cli/cmd/attestation_push.go
@@ -64,7 +64,7 @@ func newAttestationPushCmd() *cobra.Command {
 		Annotations: map[string]string{
 			useAPIToken: "true",
 		},
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			info, err := executableInfo()
 			if err != nil {
 				return fmt.Errorf("getting executable information: %w", err)
@@ -163,8 +163,7 @@ func newAttestationPushCmd() *cobra.Command {
 const exceptionFlagName = "exception-bypass-policy-check"
 
 var (
-	ErrBlockedByPolicyViolation = fmt.Errorf("the operator requires all policies to pass before continuing, please fix them and try again or temporarily bypass the policy check using --%s", exceptionFlagName)
-	exceptionBypassPolicyCheck  = fmt.Sprintf("Attention: You have opted to bypass the policy enforcement check and an operator has been notified of this exception.\nPlease make sure you are back on track with the policy evaluations and remove the --%s as soon as possible.", exceptionFlagName)
+	exceptionBypassPolicyCheck = fmt.Sprintf("Attention: You have opted to bypass the policy enforcement check and an operator has been notified of this exception.\nPlease make sure you are back on track with the policy evaluations and remove the --%s as soon as possible.", exceptionFlagName)
 )
 
 type GateError struct {
@@ -202,9 +201,6 @@ func validatePolicyEnforcement(status *action.AttestationStatusResult, bypassPol
 			return nil
 		}
 
-		if status.HasPolicyViolations {
-			return ErrBlockedByPolicyViolation
-		}
 	}
 
 	return nil
diff --git a/app/cli/cmd/attestation_push_test.go b/app/cli/cmd/attestation_push_test.go
@@ -67,4 +67,25 @@ func TestValidatePolicyEnforcement(t *testing.T) {
 		require.ErrorAs(t, err, &gateErr)
 		require.Equal(t, "cdx-fresh", gateErr.PolicyName)
 	})
+
+	t.Run("does not block when strategy is enforced and policy is explicitly not gated", func(t *testing.T) {
+		status := &action.AttestationStatusResult{
+			PolicyEvaluations: map[string][]*action.PolicyEvaluation{
+				"materials": {
+					{
+						Name: "cdx-fresh",
+						Gate: false,
+						Violations: []*action.PolicyViolation{
+							{Message: "policy violation"},
+						},
+					},
+				},
+			},
+			HasPolicyViolations:         true,
+			MustBlockOnPolicyViolations: true,
+		}
+
+		err := validatePolicyEnforcement(status, false)
+		require.NoError(t, err)
+	})
 }
diff --git a/app/cli/main.go b/app/cli/main.go
@@ -1,5 +1,5 @@
 //
-// Copyright 2023-2025 The Chainloop Authors.
+// Copyright 2023-2026 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -100,9 +100,6 @@ func errorInfo(err error, logger zerolog.Logger) (string, int) {
 			logger.Debug().Msg("GracefulErrorExit enabled (exitCode 0). If you want to disable it set --graceful-exit=false")
 			exitCode = 0
 		}
-	case errors.Is(err, cmd.ErrBlockedByPolicyViolation):
-		// default exit code for policy violations
-		exitCode = 3
 	case errors.As(err, &gateErr):
 		// exit code for gate errors
 		exitCode = 4
diff --git a/app/controlplane/api/gen/frontend/workflowcontract/v1/crafting_schema.ts b/app/controlplane/api/gen/frontend/workflowcontract/v1/crafting_schema.ts
diff --git a/app/controlplane/api/gen/jsonschema/workflowcontract.v1.PolicyAttachment.jsonschema.json b/app/controlplane/api/gen/jsonschema/workflowcontract.v1.PolicyAttachment.jsonschema.json
diff --git a/app/controlplane/api/gen/jsonschema/workflowcontract.v1.PolicyAttachment.schema.json b/app/controlplane/api/gen/jsonschema/workflowcontract.v1.PolicyAttachment.schema.json
diff --git a/app/controlplane/api/workflowcontract/v1/crafting_schema.pb.go b/app/controlplane/api/workflowcontract/v1/crafting_schema.pb.go
diff --git a/app/controlplane/api/workflowcontract/v1/crafting_schema.proto b/app/controlplane/api/workflowcontract/v1/crafting_schema.proto
@@ -236,8 +236,11 @@ message PolicyAttachment {
     }
   }];
 
-  // If true, the policy will act as a gate, returning an error code if the policy fails
-  bool gate = 7;
+  // Controls whether policy violations act as a gate.
+  // - true: policy violations are blocking for this policy
+  // - false: policy violations are non-blocking for this policy
+  // - unset: inherit organization-level default behavior
+  optional bool gate = 7;
 
   message MaterialSelector {
     // material name
diff --git a/buf.yaml b/buf.yaml
@@ -49,6 +49,7 @@ modules:
       except:
         - EXTENSION_NO_DELETE
         - FIELD_SAME_DEFAULT
+        - FIELD_SAME_CARDINALITY
   - path: app/controlplane/internal/conf
     lint:
       use:
diff --git a/pkg/attestation/crafter/crafter.go b/pkg/attestation/crafter/crafter.go
@@ -728,7 +728,14 @@ func (c *Crafter) addMaterial(ctx context.Context, m *schemaapi.CraftingSchema_M
 		return i.MaterialName == m.Name
 	})
 
-	pgv := policies.NewPolicyGroupVerifier(c.CraftingState.GetPolicyGroups(), c.CraftingState.GetPolicies(), c.attClient, c.Logger, policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...))
+	pgv := policies.NewPolicyGroupVerifier(
+		c.CraftingState.GetPolicyGroups(),
+		c.CraftingState.GetPolicies(),
+		c.attClient,
+		c.Logger,
+		policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...),
+		policies.WithDefaultGate(c.CraftingState.Attestation.GetBlockOnPolicyViolation()),
+	)
 	policyGroupResults, err := pgv.VerifyMaterial(ctx, mt, value)
 	if err != nil {
 		return nil, fmt.Errorf("error applying policy groups to material: %w", err)
@@ -739,7 +746,13 @@ func (c *Crafter) addMaterial(ctx context.Context, m *schemaapi.CraftingSchema_M
 	policies.LogPolicyEvaluations(policyGroupResults, c.Logger)
 
 	// Validate policies
-	pv := policies.NewPolicyVerifier(c.CraftingState.GetPolicies(), c.attClient, c.Logger, policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...))
+	pv := policies.NewPolicyVerifier(
+		c.CraftingState.GetPolicies(),
+		c.attClient,
+		c.Logger,
+		policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...),
+		policies.WithDefaultGate(c.CraftingState.Attestation.GetBlockOnPolicyViolation()),
+	)
 	policyResults, err := pv.VerifyMaterial(ctx, mt, value)
 	if err != nil {
 		return nil, fmt.Errorf("error applying policies to material: %w", err)
@@ -772,6 +785,7 @@ func (c *Crafter) EvaluateAttestationPolicies(ctx context.Context, attestationID
 	// evaluate attestation-level policies
 	pv := policies.NewPolicyVerifier(c.CraftingState.GetPolicies(), c.attClient, c.Logger,
 		policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...),
+		policies.WithDefaultGate(c.CraftingState.Attestation.GetBlockOnPolicyViolation()),
 		policies.WithEvalPhase(phase),
 	)
 	policyEvaluations, err := pv.VerifyStatement(ctx, statement)
@@ -781,6 +795,7 @@ func (c *Crafter) EvaluateAttestationPolicies(ctx context.Context, attestationID
 
 	pgv := policies.NewPolicyGroupVerifier(c.CraftingState.GetPolicyGroups(), c.CraftingState.GetPolicies(), c.attClient, c.Logger,
 		policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...),
+		policies.WithDefaultGate(c.CraftingState.Attestation.GetBlockOnPolicyViolation()),
 		policies.WithEvalPhase(phase),
 	)
 	policyGroupResults, err := pgv.VerifyStatement(ctx, statement)
diff --git a/pkg/policies/policies.go b/pkg/policies/policies.go
@@ -78,6 +78,7 @@ type PolicyVerifier struct {
 	client           v13.AttestationServiceClient
 	grpcConn         *grpc.ClientConn
 	allowedHostnames []string
+	defaultGate      bool
 	includeRawData   bool
 	enablePrint      bool
 	evalPhase        EvalPhase
@@ -87,6 +88,7 @@ var _ Verifier = (*PolicyVerifier)(nil)
 
 type PolicyVerifierOptions struct {
 	AllowedHostnames []string
+	DefaultGate      bool
 	IncludeRawData   bool
 	EnablePrint      bool
 	GRPCConn         *grpc.ClientConn
@@ -101,6 +103,12 @@ func WithAllowedHostnames(hostnames ...string) PolicyVerifierOption {
 	}
 }
 
+func WithDefaultGate(defaultGate bool) PolicyVerifierOption {
+	return func(o *PolicyVerifierOptions) {
+		o.DefaultGate = defaultGate
+	}
+}
+
 func WithIncludeRawData(include bool) PolicyVerifierOption {
 	return func(o *PolicyVerifierOptions) {
 		o.IncludeRawData = include
@@ -137,6 +145,7 @@ func NewPolicyVerifier(policies *v1.Policies, client v13.AttestationServiceClien
 		logger:           logger,
 		grpcConn:         options.GRPCConn,
 		allowedHostnames: options.AllowedHostnames,
+		defaultGate:      options.DefaultGate,
 		includeRawData:   options.IncludeRawData,
 		enablePrint:      options.EnablePrint,
 		evalPhase:        options.EvalPhase,
@@ -336,10 +345,22 @@ func (pv *PolicyVerifier) evaluatePolicyAttachment(ctx context.Context, attachme
 		SkipReasons:  reasons,
 		Requirements: attachment.Requirements,
 		RawResults:   engineRawResultsToAPIRawResults(rawResults),
-		Gate:         attachment.GetGate(),
+		Gate:         policyAttachmentGate(attachment, pv.defaultGate),
 	}, nil
 }
 
+func policyAttachmentGate(attachment *v1.PolicyAttachment, defaultGate bool) bool {
+	if attachment == nil {
+		return defaultGate
+	}
+
+	if attachment.Gate != nil {
+		return attachment.GetGate()
+	}
+
+	return defaultGate
+}
+
 // ComputeArguments takes a list of arguments, and matches it against the expected inputs. It also applies a set of interpolations if needed.
 func ComputeArguments(name string, inputs []*v1.PolicyInput, args map[string]string, bindings map[string]string, logger *zerolog.Logger) (map[string]string, error) {
 	result := make(map[string]string)
diff --git a/pkg/policies/policies_test.go b/pkg/policies/policies_test.go
@@ -1434,3 +1434,57 @@ func (s *testSuite) TestIsURLPath() {
 		})
 	}
 }
+
+func (s *testSuite) TestPolicyAttachmentGate() {
+	trueGate := true
+	falseGate := false
+
+	cases := []struct {
+		name         string
+		attachment   *v12.PolicyAttachment
+		defaultGate  bool
+		expectedGate bool
+	}{
+		{
+			name:         "nil attachment falls back to default true",
+			attachment:   nil,
+			defaultGate:  true,
+			expectedGate: true,
+		},
+		{
+			name:         "unset gate inherits default false",
+			attachment:   &v12.PolicyAttachment{},
+			defaultGate:  false,
+			expectedGate: false,
+		},
+		{
+			name:         "unset gate inherits default true",
+			attachment:   &v12.PolicyAttachment{},
+			defaultGate:  true,
+			expectedGate: true,
+		},
+		{
+			name: "explicit gate false overrides default true",
+			attachment: &v12.PolicyAttachment{
+				Gate: &falseGate,
+			},
+			defaultGate:  true,
+			expectedGate: false,
+		},
+		{
+			name: "explicit gate true overrides default false",
+			attachment: &v12.PolicyAttachment{
+				Gate: &trueGate,
+			},
+			defaultGate:  false,
+			expectedGate: true,
+		},
+	}
+
+	for _, tc := range cases {
+		s.Run(tc.name, func() {
+			got := policyAttachmentGate(tc.attachment, tc.defaultGate)
+			s.Equal(tc.expectedGate, got)
+		})
+	}
+}
