[SNC-387] In policy decide, compile config only when context is config #983

Merged
merged 1 commit into from
Aug 3, 2023
Merged
13 changes: 4 additions & 9 deletions cmd/policy/policy.go
Expand Up @@ -283,9 +283,6 @@ This group of commands allows the management of polices to be verified against b
if policyPath == "" && ownerID == "" {
return fmt.Errorf("either [policy_file_or_dir_path] or --owner-id is required")
}
if !noCompile && ownerID == "" {
return fmt.Errorf("--owner-id is required for compiling config (use --no-compile to evaluate policy against source config only)")
}

metadata, err := readMetadata(meta, metaFile)
if err != nil {
Expand All @@ -297,7 +294,7 @@ This group of commands allows the management of polices to be verified against b
return fmt.Errorf("failed to read input file: %w", err)
}

if !noCompile {
if !noCompile && context == "config" {
compiler := config.New(globalConfig)
input, err = mergeCompiledConfig(compiler, config.ProcessConfigOpts{
ConfigPath: inputPath,
Expand Down Expand Up @@ -356,6 +353,7 @@ This group of commands allows the management of polices to be verified against b
inputPath string
meta string
metaFile string
context string
ownerID string
query string
noCompile bool
Expand All @@ -367,10 +365,6 @@ This group of commands allows the management of polices to be verified against b
RunE: func(cmd *cobra.Command, args []string) error {
policyPath := args[0]

if !noCompile && ownerID == "" {
return fmt.Errorf("--owner-id is required for compiling config (use --no-compile to evaluate policy against source config only)")
}

metadata, err := readMetadata(meta, metaFile)
if err != nil {
return fmt.Errorf("failed to read metadata: %w", err)
Expand All @@ -381,7 +375,7 @@ This group of commands allows the management of polices to be verified against b
return fmt.Errorf("failed to read input file: %w", err)
}

if !noCompile {
if !noCompile && context == "config" {
compiler := config.New(globalConfig)
input, err = mergeCompiledConfig(compiler, config.ProcessConfigOpts{
ConfigPath: inputPath,
Expand Down Expand Up @@ -410,6 +404,7 @@ This group of commands allows the management of polices to be verified against b

cmd.Flags().StringVar(&ownerID, "owner-id", "", "the id of the policy's owner")
cmd.Flags().StringVar(&inputPath, "input", "", "path to input file")
cmd.Flags().StringVar(&context, "context", "config", "policy context for decision")
cmd.Flags().StringVar(&meta, "meta", "", "decision metadata (json string)")
cmd.Flags().StringVar(&metaFile, "metafile", "", "decision metadata file")
cmd.Flags().StringVar(&query, "query", "data", "policy decision query")
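Review bot: The new guard `if !noCompile && context == "config"` in both RunE bodies compares a free-form `--context` string, so any other value (a typo or different casing included) silently skips compilation and the decision is made against the uncompiled source config with no message to the user. Since a policy can decide differently on source versus compiled config, consider printing that compilation was skipped (or rejecting unrecognised contexts if the valid set is known) and naming the literal once, e.g. `const configContext = "config"`. With the `ownerID == ""` checks removed, a default run (context `config`, no `--no-compile`, no `--owner-id`) now reaches `mergeCompiledConfig` with an empty owner ID; how the compiler handles that is not visible because both RunE bodies continue outside the hunks. A test for that path and one for a non-config context would replace the case deleted from policy_test.go.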
5 changes: 0 additions & 5 deletions cmd/policy/policy_test.go
Expand Up @@ -826,11 +826,6 @@ test: config
Args: []string{"decide", "./testdata/test0/policy.rego", "--input", "./testdata/test1/test.yml", "--meta", "{}", "--metafile", "somefile", "--no-compile"},
ExpectedErr: "failed to read metadata: use either --meta or --metafile flag, but not both",
},
{
Name: "fails if config compilation is enabled, but owner-id isn't provided",
Args: []string{"decide", "./testdata/test0/policy.rego", "--input", "./testdata/test1/test.yml"},
ExpectedErr: "--owner-id is required for compiling config (use --no-compile to evaluate policy against source config only)",
},
{
Name: "successfully performs decision for policy FILE provided locally",
Args: []string{"decide", "./testdata/test0/policy.rego", "--input", "./testdata/test0/config.yml", "--no-compile"},
1 change: 1 addition & 0 deletions cmd/policy/testdata/policy/eval-expected-usage.txt
Expand Up @@ -5,6 +5,7 @@ Examples:
circleci policy eval ./policies --input ./.circleci/config.yml

Flags:
--context string policy context for decision (default "config")
--input string path to input file
--meta string decision metadata (json string)
--metafile string decision metadata file