feat: add policy develop lint#2250
Conversation
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
migmartri
left a comment
There was a problem hiding this comment.
I think we should re-evaluate the marshaling and validation of the policy spec by using the actual spec file, not custom ducktyping.
basically import the policy spec generated code, we might do it in other places already, then do protojson.Unmarshal or similar
additionally, once you have the marshalled object, you might be able to run protovalidate if the proto file has additional validation annotations.
Does it make sense?
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package policy |
There was a problem hiding this comment.
this package name should probably match the directory name that way you do not need to policy "github.com/chainloop-dev/chainloop/app/cli/internal/policydevel" :)
| return nil, fmt.Errorf("reading file: %w", err) | ||
| } | ||
|
|
||
| switch strings.ToLower(filepath.Ext(absPath)) { |
There was a problem hiding this comment.
this code seems repeated ot the one above. Maybe this detection can be extracted? It looks like a good opportunity to maybe to a recursive function when you find potential candidate files in a directory :)
| } | ||
|
|
||
| // Process each embedded policy | ||
| if spec, ok := data["spec"].(map[string]interface{}); ok { |
There was a problem hiding this comment.
I think you should unmarshal against the actual proto spec using protojson.Unmarshal and protovalidaet.Validate.
… replicated code Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
|
Thanks for you PR @Piskoo one question, how difficult would it be to be able to pass a custom configuration file to the regal module? Internally we have a set of custom configuration for regal and we were wondering how difficult would it be to add such option. |
I'd love it if we could come up with sensible defaults for that configuration, which one are we using internally? |
I think we are using this one correct? Do we like it? Should we make that a sensible default for our linter? cc/ @javirln @jiparis in any case @Piskoo, adding support for configuration override or adding one built-in could come in another PR |
| } | ||
|
|
||
| // Read policy files from the given directory or file | ||
| func Read(absPath string, format bool) (*Policy, error) { |
There was a problem hiding this comment.
| func Read(absPath string, format bool) (*Policy, error) { | |
| func Lookup(absPath string, format bool) (*Policy, error) { |
| "github.com/styrainc/regal/pkg/rules" | ||
| ) | ||
|
|
||
| type Policy struct { |
There was a problem hiding this comment.
| type Policy struct { | |
| type PolicyToLint struct { |
|
|
||
| // Read policy files from the given directory or file | ||
| func Read(absPath string, format bool) (*Policy, error) { | ||
| fileInfo, err := os.Stat(absPath) |
| return policy, nil | ||
| } | ||
|
|
||
| func readDirectory(policy *Policy, dirPath string) error { |
There was a problem hiding this comment.
please add a comment indicating that this is a one level directory lookup
| return allErrors | ||
| } | ||
|
|
||
| func (p *Policy) validateYAMLFile(file *File) []error { |
There was a problem hiding this comment.
I do not think this is idiomatic. []error just return an error and use https://pkg.go.dev/errors#example-Join
There was a problem hiding this comment.
I've changed the way that violations are stored/passed between functions
| } | ||
|
|
||
| // 2. Structural validation | ||
| errs = append(errs, checkResultStructure(content, path, []string{"skipped", "violations", "skip_reason"})...) |
There was a problem hiding this comment.
@jiparis should we try to add here ignore as well? Or no? The engine by default fallback to false
From the list of rules we are ignoring on the custom configuration, I would say that we can remove the The most important is The rest of the options is up to us, not a strong opinion there. |
|
@Piskoo let me know what you think about adding the following defaults once done we can assume this PR is done :) |
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Looks good to me, although like @javirln mentioned |
|
Let me know if this is ready for review, otherwise, please mark it as draft, thanks! |
It's ready for review, I'll add configs in another PR |
This PR adds policy linting and auto-formatting capabilities
Usage
Flags:
--policy: File or directory, by default current working directory--format: Auto-formatting for rego files with OPA fmtSummary
apiVersion, kind, specfor .yaml filesskipped, violations, skip_reasonfor result in .rego files--formatflagPart of #1108