Skip to content

Commit 175338b

Browse files
authored
fix(controlplane): exempt batch-local policy refs in contract apply (#3230)
1 parent 4abc341 commit 175338b

9 files changed

Lines changed: 293 additions & 21 deletions

app/controlplane/api/controlplane/v1/workflow_contract.pb.go

Lines changed: 27 additions & 5 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/controlplane/v1/workflow_contract.proto

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -121,6 +121,12 @@ message WorkflowContractServiceApplyRequest {
121121
bytes raw_schema = 1;
122122
// When true, validate and compute the result without persisting any change
123123
bool dry_run = 2;
124+
// Names of policies created/updated in the same batch apply. References to these are
125+
// treated as known instead of being resolved against the registry (they may not be
126+
// persisted yet, e.g. during dry-run). Remote references are still validated.
127+
repeated string batch_policy_names = 3;
128+
// Same as batch_policy_names, for policy groups created/updated in the same batch.
129+
repeated string batch_policy_group_names = 4;
124130
}
125131

126132
message WorkflowContractServiceApplyResponse {

app/controlplane/api/gen/frontend/controlplane/v1/workflow_contract.ts

Lines changed: 47 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowContractServiceApplyRequest.jsonschema.json

Lines changed: 28 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/gen/jsonschema/controlplane.v1.WorkflowContractServiceApplyRequest.schema.json

Lines changed: 28 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/internal/service/attestation.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -785,7 +785,7 @@ func (s *AttestationService) FindOrCreateWorkflow(ctx context.Context, req *cpAP
785785

786786
// contract validation
787787
if req.GetContractBytes() != nil {
788-
if err = s.workflowContractUseCase.ValidateContractPolicies(ctx, req.GetContractBytes(), token); err != nil {
788+
if err = s.workflowContractUseCase.ValidateContractPolicies(ctx, req.GetContractBytes(), token, nil, nil); err != nil {
789789
return nil, handleUseCaseErr(err, s.log)
790790
}
791791
}

app/controlplane/internal/service/workflowcontract.go

Lines changed: 12 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -146,7 +146,7 @@ func (s *WorkflowContractService) Create(ctx context.Context, req *pb.WorkflowCo
146146
}
147147

148148
if len(req.RawContract) != 0 {
149-
if err = s.contractUseCase.ValidateContractPolicies(ctx, req.RawContract, token); err != nil {
149+
if err = s.contractUseCase.ValidateContractPolicies(ctx, req.RawContract, token, nil, nil); err != nil {
150150
return nil, handleUseCaseErr(err, s.log)
151151
}
152152
}
@@ -212,7 +212,7 @@ func (s *WorkflowContractService) Update(ctx context.Context, req *pb.WorkflowCo
212212

213213
// Validate the contract policies if the raw contract is provided
214214
if len(req.RawContract) != 0 {
215-
if err = s.contractUseCase.ValidateContractPolicies(ctx, req.RawContract, token); err != nil {
215+
if err = s.contractUseCase.ValidateContractPolicies(ctx, req.RawContract, token, nil, nil); err != nil {
216216
return nil, handleUseCaseErr(err, s.log)
217217
}
218218
}
@@ -253,7 +253,16 @@ func (s *WorkflowContractService) Apply(ctx context.Context, req *pb.WorkflowCon
253253
return nil, err
254254
}
255255

256-
if err = s.contractUseCase.ValidateContractPolicies(ctx, req.RawSchema, token); err != nil {
256+
// Batch-local references are only exempted from registry resolution on a dry-run, where
257+
// the resources may not be persisted yet. A real apply persists batch resources before the
258+
// contract, so it must always validate fully and never trust the client-supplied batch lists.
259+
var batchPolicyNames, batchPolicyGroupNames []string
260+
if dryRun {
261+
batchPolicyNames = req.GetBatchPolicyNames()
262+
batchPolicyGroupNames = req.GetBatchPolicyGroupNames()
263+
}
264+
265+
if err = s.contractUseCase.ValidateContractPolicies(ctx, req.RawSchema, token, batchPolicyNames, batchPolicyGroupNames); err != nil {
257266
return nil, handleUseCaseErr(err, s.log)
258267
}
259268

0 commit comments

Comments
 (0)