feat(policies): allow gate=false to override org-wide blocking

.github/workflows/lint.yml

@@ -56,6 +56,7 @@ jobs:
           token: ${{ secrets.buf_api_token }}
           breaking: true
           pr_comment: false
+          exclude_imports: true
 
   lint-dagger-module:
     runs-on: ubuntu-latest

app/cli/cmd/attestation_push.go

@@ -64,7 +64,7 @@ func newAttestationPushCmd() *cobra.Command {
 		Annotations: map[string]string{
 			useAPIToken: "true",
 		},
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			info, err := executableInfo()
 			if err != nil {
 				return fmt.Errorf("getting executable information: %w", err)
@@ -194,17 +194,11 @@ func validatePolicyEnforcement(status *action.AttestationStatusResult, bypassPol
 		}
 	}
 
-	// Do a final check in case the operator has configured the attestation
-	// to be blocked on any policy violation.
-	if status.MustBlockOnPolicyViolations {
-		if bypassPolicyCheck {
-			logger.Warn().Msg(exceptionBypassPolicyCheck)
-			return nil
-		}
-
-		if status.HasPolicyViolations {
-			return ErrBlockedByPolicyViolation
-		}
+	// Block on any policy violation only when configured (bypass handled above).
+	// When we have policy evaluations, gate semantics are already enforced in the loop above.
+	if status.MustBlockOnPolicyViolations && bypassPolicyCheck {
+		logger.Warn().Msg(exceptionBypassPolicyCheck)
+		return nil
 	}
 
 	return nil

app/cli/cmd/attestation_push_test.go

@@ -67,4 +67,25 @@ func TestValidatePolicyEnforcement(t *testing.T) {
 		require.ErrorAs(t, err, &gateErr)
 		require.Equal(t, "cdx-fresh", gateErr.PolicyName)
 	})
+
+	t.Run("does not block when strategy is enforced and policy is explicitly not gated", func(t *testing.T) {
+		status := &action.AttestationStatusResult{
+			PolicyEvaluations: map[string][]*action.PolicyEvaluation{
+				"materials": {
+					{
+						Name: "cdx-fresh",
+						Gate: false,
+						Violations: []*action.PolicyViolation{
+							{Message: "policy violation"},
+						},
+					},
+				},
+			},
+			HasPolicyViolations:         true,
+			MustBlockOnPolicyViolations: true,
+		}
+
+		err := validatePolicyEnforcement(status, false)
+		require.NoError(t, err)
+	})
 }

app/controlplane/api/workflowcontract/v1/crafting_schema.proto

@@ -236,8 +236,11 @@ message PolicyAttachment {
     }
   }];
 
-  // If true, the policy will act as a gate, returning an error code if the policy fails
-  bool gate = 7;
+  // Controls whether policy violations act as a gate.
+  // - true: policy violations are blocking for this policy
+  // - false: policy violations are non-blocking for this policy
+  // - unset: inherit organization-level default behavior
+  optional bool gate = 7;
 
   message MaterialSelector {
     // material name

buf.yaml

@@ -49,6 +49,7 @@ modules:
       except:
         - EXTENSION_NO_DELETE
         - FIELD_SAME_DEFAULT
+        - FIELD_SAME_CARDINALITY
   - path: app/controlplane/internal/conf
     lint:
       use:

pkg/attestation/crafter/crafter.go

@@ -728,7 +728,14 @@ func (c *Crafter) addMaterial(ctx context.Context, m *schemaapi.CraftingSchema_M
 		return i.MaterialName == m.Name
 	})
 
-	pgv := policies.NewPolicyGroupVerifier(c.CraftingState.GetPolicyGroups(), c.CraftingState.GetPolicies(), c.attClient, c.Logger, policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...))
+	pgv := policies.NewPolicyGroupVerifier(
+		c.CraftingState.GetPolicyGroups(),
+		c.CraftingState.GetPolicies(),
+		c.attClient,
+		c.Logger,
+		policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...),
+		policies.WithDefaultGate(c.CraftingState.Attestation.GetBlockOnPolicyViolation()),
+	)
 	policyGroupResults, err := pgv.VerifyMaterial(ctx, mt, value)
 	if err != nil {
 		return nil, fmt.Errorf("error applying policy groups to material: %w", err)
@@ -739,7 +746,13 @@ func (c *Crafter) addMaterial(ctx context.Context, m *schemaapi.CraftingSchema_M
 	policies.LogPolicyEvaluations(policyGroupResults, c.Logger)
 
 	// Validate policies
-	pv := policies.NewPolicyVerifier(c.CraftingState.GetPolicies(), c.attClient, c.Logger, policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...))
+	pv := policies.NewPolicyVerifier(
+		c.CraftingState.GetPolicies(),
+		c.attClient,
+		c.Logger,
+		policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...),
+		policies.WithDefaultGate(c.CraftingState.Attestation.GetBlockOnPolicyViolation()),
+	)
 	policyResults, err := pv.VerifyMaterial(ctx, mt, value)
 	if err != nil {
 		return nil, fmt.Errorf("error applying policies to material: %w", err)
@@ -772,6 +785,7 @@ func (c *Crafter) EvaluateAttestationPolicies(ctx context.Context, attestationID
 	// evaluate attestation-level policies
 	pv := policies.NewPolicyVerifier(c.CraftingState.GetPolicies(), c.attClient, c.Logger,
 		policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...),
+		policies.WithDefaultGate(c.CraftingState.Attestation.GetBlockOnPolicyViolation()),
 		policies.WithEvalPhase(phase),
 	)
 	policyEvaluations, err := pv.VerifyStatement(ctx, statement)
@@ -781,6 +795,7 @@ func (c *Crafter) EvaluateAttestationPolicies(ctx context.Context, attestationID
 
 	pgv := policies.NewPolicyGroupVerifier(c.CraftingState.GetPolicyGroups(), c.CraftingState.GetPolicies(), c.attClient, c.Logger,
 		policies.WithAllowedHostnames(c.CraftingState.Attestation.PoliciesAllowedHostnames...),
+		policies.WithDefaultGate(c.CraftingState.Attestation.GetBlockOnPolicyViolation()),
 		policies.WithEvalPhase(phase),
 	)
 	policyGroupResults, err := pgv.VerifyStatement(ctx, statement)

pkg/policies/policies.go

@@ -78,6 +78,7 @@ type PolicyVerifier struct {
 	client           v13.AttestationServiceClient
 	grpcConn         *grpc.ClientConn
 	allowedHostnames []string
+	defaultGate      bool
 	includeRawData   bool
 	enablePrint      bool
 	evalPhase        EvalPhase
@@ -87,6 +88,7 @@ var _ Verifier = (*PolicyVerifier)(nil)
 
 type PolicyVerifierOptions struct {
 	AllowedHostnames []string
+	DefaultGate      bool
 	IncludeRawData   bool
 	EnablePrint      bool
 	GRPCConn         *grpc.ClientConn
@@ -101,6 +103,12 @@ func WithAllowedHostnames(hostnames ...string) PolicyVerifierOption {
 	}
 }
 
+func WithDefaultGate(defaultGate bool) PolicyVerifierOption {
+	return func(o *PolicyVerifierOptions) {
+		o.DefaultGate = defaultGate
+	}
+}
+
 func WithIncludeRawData(include bool) PolicyVerifierOption {
 	return func(o *PolicyVerifierOptions) {
 		o.IncludeRawData = include
@@ -137,6 +145,7 @@ func NewPolicyVerifier(policies *v1.Policies, client v13.AttestationServiceClien
 		logger:           logger,
 		grpcConn:         options.GRPCConn,
 		allowedHostnames: options.AllowedHostnames,
+		defaultGate:      options.DefaultGate,
 		includeRawData:   options.IncludeRawData,
 		enablePrint:      options.EnablePrint,
 		evalPhase:        options.EvalPhase,
@@ -336,10 +345,22 @@ func (pv *PolicyVerifier) evaluatePolicyAttachment(ctx context.Context, attachme
 		SkipReasons:  reasons,
 		Requirements: attachment.Requirements,
 		RawResults:   engineRawResultsToAPIRawResults(rawResults),
-		Gate:         attachment.GetGate(),
+		Gate:         policyAttachmentGate(attachment, pv.defaultGate),
 	}, nil
 }
 
+func policyAttachmentGate(attachment *v1.PolicyAttachment, defaultGate bool) bool {
+	if attachment == nil {
+		return defaultGate
+	}
+
+	if attachment.Gate != nil {
+		return attachment.GetGate()
+	}
+
+	return defaultGate
+}
+
 // ComputeArguments takes a list of arguments, and matches it against the expected inputs. It also applies a set of interpolations if needed.
 func ComputeArguments(name string, inputs []*v1.PolicyInput, args map[string]string, bindings map[string]string, logger *zerolog.Logger) (map[string]string, error) {
 	result := make(map[string]string)

pkg/policies/policies_test.go

@@ -1434,3 +1434,57 @@ func (s *testSuite) TestIsURLPath() {
 		})
 	}
 }
+
+func (s *testSuite) TestPolicyAttachmentGate() {
+	trueGate := true
+	falseGate := false
+
+	cases := []struct {
+		name         string
+		attachment   *v12.PolicyAttachment
+		defaultGate  bool
+		expectedGate bool
+	}{
+		{
+			name:         "nil attachment falls back to default true",
+			attachment:   nil,
+			defaultGate:  true,
+			expectedGate: true,
+		},
+		{
+			name:         "unset gate inherits default false",
+			attachment:   &v12.PolicyAttachment{},
+			defaultGate:  false,
+			expectedGate: false,
+		},
+		{
+			name:         "unset gate inherits default true",
+			attachment:   &v12.PolicyAttachment{},
+			defaultGate:  true,
+			expectedGate: true,
+		},
+		{
+			name: "explicit gate false overrides default true",
+			attachment: &v12.PolicyAttachment{
+				Gate: &falseGate,
+			},
+			defaultGate:  true,
+			expectedGate: false,
+		},
+		{
+			name: "explicit gate true overrides default false",
+			attachment: &v12.PolicyAttachment{
+				Gate: &trueGate,
+			},
+			defaultGate:  false,
+			expectedGate: true,
+		},
+	}
+
+	for _, tc := range cases {
+		s.Run(tc.name, func() {
+			got := policyAttachmentGate(tc.attachment, tc.defaultGate)
+			s.Equal(tc.expectedGate, got)
+		})
+	}
+}