policy: fix metadata resolve via sessionpolicy for git and attestations

tonistiigi · jsternberg · commit 25463ffd31aa · 2025-12-16T10:57:57.000-06:00
When support for these fields were added, tests were only written for static policies, missing the conversions for session variants. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 169afbf)
diff --git a/client/policy_test.go b/client/policy_test.go
@@ -299,7 +299,8 @@ func testSourcePolicyParallelSession(t *testing.T, sb integration.Sandbox) {
 
 func testSourcePolicySignedCommit(t *testing.T, sb integration.Sandbox) {
 	requiresLinux(t)
-	c, err := New(sb.Context(), sb.Address())
+	ctx := sb.Context()
+	c, err := New(ctx, sb.Address())
 	require.NoError(t, err)
 	defer c.Close()
 
@@ -532,4 +533,101 @@ func testSourcePolicySignedCommit(t *testing.T, sb integration.Sandbox) {
 			require.ErrorContains(t, err, tt.expectedErr, "test case %q failed", tt.name)
 		})
 	}
+
+	// session policy based test cases
+
+	type tcase struct {
+		name          string
+		state         func() llb.State
+		callbacks     []policysession.PolicyCallback
+		expectedError string
+	}
+
+	tcases := []tcase{
+		{
+			name:  "gitchecksum",
+			state: func() llb.State { return llb.Git(server.URL+"/.git", "", llb.GitRef("v2.0")) },
+			callbacks: []policysession.PolicyCallback{
+				func(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *pb.ResolveSourceMetaRequest, error) {
+					require.Equal(t, gitURL+"#v2.0", req.Source.Source.Identifier)
+					require.Nil(t, req.Source.Git)
+					return nil, &pb.ResolveSourceMetaRequest{
+						Source:   req.Source.Source,
+						Platform: req.Platform,
+					}, nil
+				},
+				func(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *pb.ResolveSourceMetaRequest, error) {
+					require.Equal(t, gitURL+"#v2.0", req.Source.Source.Identifier)
+					require.NotNil(t, req.Source.Git)
+					require.Len(t, req.Source.Git.Checksum, 40)
+					require.Len(t, req.Source.Git.CommitChecksum, 40)
+					require.NotEqual(t, req.Source.Git.Checksum, req.Source.Git.CommitChecksum)
+					require.Nil(t, req.Source.Git.CommitObject)
+					return &policysession.DecisionResponse{
+						Action: sourcepolicypb.PolicyAction_ALLOW,
+					}, nil, nil
+				},
+			},
+		},
+		{
+			name:  "gitobjects",
+			state: func() llb.State { return llb.Git(server.URL+"/.git", "", llb.GitRef("v2.0")) },
+			callbacks: []policysession.PolicyCallback{
+				func(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *pb.ResolveSourceMetaRequest, error) {
+					require.Equal(t, gitURL+"#v2.0", req.Source.Source.Identifier)
+					require.Nil(t, req.Source.Git)
+					return nil, &pb.ResolveSourceMetaRequest{
+						Source:   req.Source.Source,
+						Platform: req.Platform,
+						Git: &pb.ResolveSourceGitRequest{
+							ReturnObject: true,
+						},
+					}, nil
+				},
+				func(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *pb.ResolveSourceMetaRequest, error) {
+					require.Equal(t, gitURL+"#v2.0", req.Source.Source.Identifier)
+					require.NotNil(t, req.Source.Git)
+					require.Len(t, req.Source.Git.Checksum, 40)
+					require.Len(t, req.Source.Git.CommitChecksum, 40)
+					require.NotEqual(t, req.Source.Git.Checksum, req.Source.Git.CommitChecksum)
+					require.NotNil(t, req.Source.Git.CommitObject)
+					require.Greater(t, len(req.Source.Git.CommitObject), 50)
+					return &policysession.DecisionResponse{
+						Action: sourcepolicypb.PolicyAction_ALLOW,
+					}, nil, nil
+				},
+			},
+		},
+	}
+
+	for _, tc := range tcases {
+		t.Run(tc.name, func(t *testing.T) {
+			st := tc.state()
+			def, err := st.Marshal(ctx)
+			require.NoError(t, err)
+
+			callCounter := 0
+
+			p := policysession.NewPolicyProvider(func(ctx context.Context, req *policysession.CheckPolicyRequest) (*policysession.DecisionResponse, *pb.ResolveSourceMetaRequest, error) {
+				if callCounter >= len(tc.callbacks) {
+					return nil, nil, errors.Errorf("too many calls to policy callback %d", callCounter)
+				}
+				cb := tc.callbacks[callCounter]
+				callCounter++
+				return cb(ctx, req)
+			})
+
+			_, err = c.Solve(ctx, def, SolveOpt{
+				SourcePolicyProvider: p,
+			}, nil)
+			if tc.expectedError != "" {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.expectedError)
+				return
+			}
+			require.NoError(t, err)
+
+			require.Equal(t, len(tc.callbacks), callCounter, "not all policy callbacks were called")
+		})
+	}
 }
diff --git a/frontend/gateway/gateway.go b/frontend/gateway/gateway.go
@@ -653,43 +653,7 @@ func (lbf *llbBridgeForwarder) ResolveSourceMeta(ctx context.Context, req *pb.Re
 	if err != nil {
 		return nil, err
 	}
-
-	r := &pb.ResolveSourceMetaResponse{
-		Source: resp.Op,
-	}
-
-	if resp.Image != nil {
-		r.Image = &pb.ResolveSourceImageResponse{
-			Digest: string(resp.Image.Digest),
-			Config: resp.Image.Config,
-		}
-		if resp.Image.AttestationChain != nil {
-			r.Image.AttestationChain = toPBAttestationChain(resp.Image.AttestationChain)
-		}
-	}
-	if resp.Git != nil {
-		r.Git = &pb.ResolveSourceGitResponse{
-			Checksum:       resp.Git.Checksum,
-			Ref:            resp.Git.Ref,
-			CommitChecksum: resp.Git.CommitChecksum,
-			CommitObject:   resp.Git.CommitObject,
-			TagObject:      resp.Git.TagObject,
-		}
-	}
-	if resp.HTTP != nil {
-		var lastModified *timestamp.Timestamp
-		if resp.HTTP.LastModified != nil {
-			lastModified = &timestamp.Timestamp{
-				Seconds: resp.HTTP.LastModified.Unix(),
-			}
-		}
-		r.HTTP = &pb.ResolveSourceHTTPResponse{
-			Checksum:     resp.HTTP.Digest.String(),
-			Filename:     resp.HTTP.Filename,
-			LastModified: lastModified,
-		}
-	}
-	return r, nil
+	return ToPBResolveSourceMetaResponse(resp), nil
 }
 
 func (lbf *llbBridgeForwarder) ResolveImageConfig(ctx context.Context, req *pb.ResolveImageConfigRequest) (*pb.ResolveImageConfigResponse, error) {
@@ -1705,6 +1669,45 @@ func getCaps(label string) map[string]struct{} {
 	return out
 }
 
+func ToPBResolveSourceMetaResponse(in *sourceresolver.MetaResponse) *pb.ResolveSourceMetaResponse {
+	r := &pb.ResolveSourceMetaResponse{
+		Source: in.Op,
+	}
+
+	if in.Image != nil {
+		r.Image = &pb.ResolveSourceImageResponse{
+			Digest: string(in.Image.Digest),
+			Config: in.Image.Config,
+		}
+		if in.Image.AttestationChain != nil {
+			r.Image.AttestationChain = toPBAttestationChain(in.Image.AttestationChain)
+		}
+	}
+	if in.Git != nil {
+		r.Git = &pb.ResolveSourceGitResponse{
+			Checksum:       in.Git.Checksum,
+			Ref:            in.Git.Ref,
+			CommitChecksum: in.Git.CommitChecksum,
+			CommitObject:   in.Git.CommitObject,
+			TagObject:      in.Git.TagObject,
+		}
+	}
+	if in.HTTP != nil {
+		var lastModified *timestamp.Timestamp
+		if in.HTTP.LastModified != nil {
+			lastModified = &timestamp.Timestamp{
+				Seconds: in.HTTP.LastModified.Unix(),
+			}
+		}
+		r.HTTP = &pb.ResolveSourceHTTPResponse{
+			Checksum:     in.HTTP.Digest.String(),
+			Filename:     in.HTTP.Filename,
+			LastModified: lastModified,
+		}
+	}
+	return r
+}
+
 func toPBAttestationChain(ac *sourceresolver.AttestationChain) *pb.AttestationChain {
 	if ac == nil {
 		return nil
diff --git a/solver/llbsolver/policy.go b/solver/llbsolver/policy.go
@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/moby/buildkit/client/llb/sourceresolver"
+	"github.com/moby/buildkit/frontend/gateway"
 	gatewaypb "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/sourcepolicy"
@@ -88,19 +89,26 @@ func (p *policyEvaluator) Evaluate(ctx context.Context, op *pb.Op) (bool, error)
 					Platform: toOCIPlatform(metareq.Platform),
 				}
 			}
+
+			if metareq.Image != nil {
+				if op.ImageOpt == nil {
+					op.ImageOpt = &sourceresolver.ResolveImageOpt{}
+				}
+				op.ImageOpt.NoConfig = metareq.Image.NoConfig
+				op.ImageOpt.AttestationChain = metareq.Image.AttestationChain
+			}
+
+			if metareq.Git != nil {
+				op.GitOpt = &sourceresolver.ResolveGitOpt{
+					ReturnObject: metareq.Git.ReturnObject,
+				}
+			}
+
 			resp, err := p.resolveSourceMetadata(ctx, metareq.Source, op, false)
 			if err != nil {
 				return false, errors.Wrap(err, "error resolving source metadata from policy request")
 			}
-			req.Source = &gatewaypb.ResolveSourceMetaResponse{
-				Source: resp.Op,
-			}
-			if resp.Image != nil {
-				req.Source.Image = &gatewaypb.ResolveSourceImageResponse{
-					Digest: resp.Image.Digest.String(),
-					Config: resp.Image.Config,
-				}
-			}
+			req.Source = gateway.ToPBResolveSourceMetaResponse(resp)
 			continue
 		}
 
