diff --git a/app/cli/internal/action/attestation_init.go b/app/cli/internal/action/attestation_init.go
index bb1fc2a2d..87585ca80 100644
--- a/app/cli/internal/action/attestation_init.go
+++ b/app/cli/internal/action/attestation_init.go
@@ -316,7 +316,7 @@ func getGroupMaterialsToAdd(group *v1.PolicyGroup, pgAtt *v1.PolicyGroupAttachme
 // translates materials and interpolates material names
 func groupMaterialToCraftingSchemaMaterial(gm *v1.PolicyGroup_Material, group *v1.PolicyGroup, pgAtt *v1.PolicyGroupAttachment, logger *zerolog.Logger) (*v1.CraftingSchema_Material, error) {
 // Validates and computes arguments
- args, err := policies.ComputeArguments(group.GetSpec().GetInputs(), pgAtt.GetWith(), nil, logger)
+ args, err := policies.ComputeArguments(group.GetMetadata().GetName(), group.GetSpec().GetInputs(), pgAtt.GetWith(), nil, logger)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/policies/policies.go b/pkg/policies/policies.go
index ebd173d89..672b77798 100644
--- a/pkg/policies/policies.go
+++ b/pkg/policies/policies.go
@@ -140,7 +140,7 @@ func (pv *PolicyVerifier) evaluatePolicyAttachment(ctx context.Context, attachme
 pv.logger.Debug().Msgf("evaluating policy %s against attestation", policy.Metadata.Name)
 }
- args, err := ComputeArguments(policy.GetSpec().GetInputs(), attachment.GetWith(), opts.bindings, pv.logger)
+ args, err := ComputeArguments(policy.GetMetadata().GetName(), policy.GetSpec().GetInputs(), attachment.GetWith(), opts.bindings, pv.logger)
 if err != nil {
 return nil, NewPolicyError(err)
 }
@@ -215,7 +215,7 @@ func (pv *PolicyVerifier) evaluatePolicyAttachment(ctx context.Context, attachme
 }
 // ComputeArguments takes a list of arguments, and matches it against the expected inputs. It also applies a set of interpolations if needed.
-func ComputeArguments(inputs []*v1.PolicyInput, args map[string]string, bindings map[string]string, logger *zerolog.Logger) (map[string]string, error) {
+func ComputeArguments(name string, inputs []*v1.PolicyInput, args map[string]string, bindings map[string]string, logger *zerolog.Logger) (map[string]string, error) {
 result := make(map[string]string)
 // Policies without inputs in the spec
@@ -263,7 +263,7 @@ func ComputeArguments(inputs []*v1.PolicyInput, args map[string]string, bindings
 return input.Name == k
 })
 if !expected {
- logger.Warn().Msgf("argument %q will be ignored", k)
+ logger.Warn().Msgf("argument %q not defined in policy %q spec, ignoring it", k, name)
 continue
 }
 value, err := templates.ApplyBinding(v, bindings)
diff --git a/pkg/policies/policies_test.go b/pkg/policies/policies_test.go
index 747865830..ec9641354 100644
--- a/pkg/policies/policies_test.go
+++ b/pkg/policies/policies_test.go
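Review bot: The doc comment above `ComputeArguments` is left as it was although the function gains a leading `name` parameter, so a reader cannot tell what the value is for. As far as the visible hunks show it only feeds the warning further down, and the comment could say so: `// name identifies the policy or policy group being evaluated and is used only in log messages.` Because `ComputeArguments` is exported from `pkg/policies`, inserting a positional parameter also breaks any out-of-tree caller at compile time, which is worth a line in the commit description. The function body continues outside the hunk.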
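Review bot: The new warning hard-codes the word "policy", but three call sites in this commit (`groupMaterialToCraftingSchemaMaterial`, `VerifyMaterial` and `VerifyStatement`) pass `group.GetMetadata().GetName()`, so the log will describe a policy group as a policy. A neutral wording avoids that, `logger.Warn().Msgf("argument %q not defined in %q spec, ignoring it", k, name)`, or the two values could be attached as zerolog fields so log tooling can filter on them. Keeping `%q` for both values is the right choice, since the argument keys appear to come from the attachment's `with` map and quoting keeps control characters out of the log line. A short comment here should also record that an unknown argument is dropped with a warning only, so a mistyped argument name leaves the policy running on its default; whether that case should be an error is a design question beyond this hunk.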
@@ -814,22 +814,25 @@ func (s *testSuite) TestGetInputArguments() {
 func (s *testSuite) TestComputePolicyArguments() {
 cases := []struct {
- name string
- inputs []*v12.PolicyInput
- args map[string]string
- bindings map[string]string
- expected map[string]string
- expectErr bool
- errMsg string
+ name string
+ policyName string
+ inputs []*v12.PolicyInput
+ args map[string]string
+ bindings map[string]string
+ expected map[string]string
+ expectErr bool
+ errMsg string
 }{
 {
- name: "all args passed when no inputs present",
- inputs: nil,
- args: map[string]string{"arg1": "value1", "arg2": "value2"},
- expected: map[string]string{"arg1": "value1", "arg2": "value2"},
+ name: "all args passed when no inputs present",
+ policyName: "test-policy",
+ inputs: nil,
+ args: map[string]string{"arg1": "value1", "arg2": "value2"},
+ expected: map[string]string{"arg1": "value1", "arg2": "value2"},
 },
 {
- name: "required inputs",
+ name: "required inputs",
+ policyName: "test-policy",
 inputs: []*v12.PolicyInput{{
 Name: "arg1",
 Required: true,
@@ -839,7 +842,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 errMsg: "missing required input \"arg1\"",
 },
 {
- name: "default values are set",
+ name: "default values are set",
+ policyName: "test-policy",
 inputs: []*v12.PolicyInput{{
 Name: "arg1",
 Default: "value1",
@@ -851,7 +855,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 expected: map[string]string{"arg1": "value1", "arg2": "value2"},
 },
 {
- name: "unexpected arguments are ignored",
+ name: "unexpected arguments are ignored",
+ policyName: "test-policy",
 inputs: []*v12.PolicyInput{{
 Name: "arg1",
 Default: "value1",
@@ -862,7 +867,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 expected: map[string]string{"arg1": "value1"},
 },
 {
- name: "expected arguments with values are respected",
+ name: "expected arguments with values are respected",
+ policyName: "test-policy",
 inputs: []*v12.PolicyInput{{
 Name: "arg1",
 Default: "value1",
@@ -873,7 +879,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 expected: map[string]string{"arg1": "value1", "arg2": "value2"},
 },
 {
- name: "simple bindings",
+ name: "simple bindings",
+ policyName: "test-policy",
 inputs: []*v12.PolicyInput{{
 Name: "arg1",
 }},
@@ -882,7 +889,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 expected: map[string]string{"arg1": "Hello world"},
 },
 {
- name: "multiple bindings",
+ name: "multiple bindings",
+ policyName: "test-policy",
 inputs: []*v12.PolicyInput{{
 Name: "arg1",
 }, {
@@ -893,7 +901,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 expected: map[string]string{"arg1": "Hello world template", "arg2": "Bye template"},
 },
 {
- name: "no variable found in bindings, renders zero value",
+ name: "no variable found in bindings, renders zero value",
+ policyName: "test-policy",
 inputs: []*v12.PolicyInput{{
 Name: "arg1",
 }},
@@ -902,7 +911,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 expected: map[string]string{"arg1": "Hello "},
 },
 {
- name: "no interpolation needed",
+ name: "no interpolation needed",
+ policyName: "test-policy",
 inputs: []*v12.PolicyInput{{
 Name: "arg1",
 }},
@@ -911,7 +921,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 expected: map[string]string{"arg1": "Hello world"},
 },
 {
- name: "required and default is illegal",
+ name: "required and default is illegal",
+ policyName: "test-policy",
 inputs: []*v12.PolicyInput{{
 Name: "arg1",
 Required: true,
@@ -922,7 +933,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 errMsg: "input arg1 can not be required and have a default at the same time",
 },
 {
- name: "inputs prefix without dot",
+ name: "inputs prefix without dot",
+ policyName: "test-policy",
 inputs: []*v12.PolicyInput{{
 Name: "arg1",
 }, {
@@ -933,7 +945,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 expected: map[string]string{"arg1": "Hello world template", "arg2": "Bye template"},
 },
 {
- name: "required input with missing binding",
+ name: "required input with missing binding",
+ policyName: "test-policy",
 inputs: []*v12.PolicyInput{{
 Name: "arg1",
 Required: true,
@@ -945,7 +958,7 @@ func (s *testSuite) TestComputePolicyArguments() {
 for _, tc := range cases {
 s.Run(tc.name, func() {
- computed, err := ComputeArguments(tc.inputs, tc.args, tc.bindings, &s.logger)
+ computed, err := ComputeArguments(tc.policyName, tc.inputs, tc.args, tc.bindings, &s.logger)
 if tc.expectErr {
 s.Error(err)
 s.Contains(err.Error(), tc.errMsg)
diff --git a/pkg/policies/policy_groups.go b/pkg/policies/policy_groups.go
index 38e733d9f..ddacfb597 100644
--- a/pkg/policies/policy_groups.go
+++ b/pkg/policies/policy_groups.go
@@ -62,7 +62,7 @@ func (pgv *PolicyGroupVerifier) VerifyMaterial(ctx context.Context, material *ap
 }
 // matches group arguments against spec and apply defaults
- groupArgs, err := ComputeArguments(group.GetSpec().GetInputs(), groupAtt.GetWith(), nil, pgv.logger)
+ groupArgs, err := ComputeArguments(group.GetMetadata().GetName(), group.GetSpec().GetInputs(), groupAtt.GetWith(), nil, pgv.logger)
 if err != nil {
 return nil, NewPolicyError(err)
 }
@@ -121,7 +121,7 @@ func (pgv *PolicyGroupVerifier) VerifyStatement(ctx context.Context, statement *
 continue
 }
 // compute group arguments
- groupArgs, err := ComputeArguments(group.GetSpec().GetInputs(), groupAtt.GetWith(), nil, pgv.logger)
+ groupArgs, err := ComputeArguments(group.GetMetadata().GetName(), group.GetSpec().GetInputs(), groupAtt.GetWith(), nil, pgv.logger)
 if err != nil {
 return nil, NewPolicyError(err)
 }
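Review bot: Every table case passes the same `policyName` and nothing asserts on it, so the updated call inside the `s.Run` closure only proves that the new signature compiles. The "unexpected arguments are ignored" case would still pass if the warning dropped the name again. If `s.logger` can be pointed at a buffer (its construction is outside this diff), that case could check the emitted line with something like `s.Contains(buf.String(), "test-policy")`. The closure and the rest of the loop body continue outside the hunk.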