2 changes: 1 addition & 1 deletion app/cli/internal/action/attestation_init.go
Expand Up @@ -316,7 +316,7 @@ func getGroupMaterialsToAdd(group *v1.PolicyGroup, pgAtt *v1.PolicyGroupAttachme
// translates materials and interpolates material names
func groupMaterialToCraftingSchemaMaterial(gm *v1.PolicyGroup_Material, group *v1.PolicyGroup, pgAtt *v1.PolicyGroupAttachment, logger *zerolog.Logger) (*v1.CraftingSchema_Material, error) {
// Validates and computes arguments
args, err := policies.ComputeArguments(group.GetSpec().GetInputs(), pgAtt.GetWith(), nil, logger)
args, err := policies.ComputeArguments(group.GetMetadata().GetName(), group.GetSpec().GetInputs(), pgAtt.GetWith(), nil, logger)
if err != nil {
return nil, err
}
6 changes: 3 additions & 3 deletions pkg/policies/policies.go
Expand Up @@ -140,7 +140,7 @@ func (pv *PolicyVerifier) evaluatePolicyAttachment(ctx context.Context, attachme
pv.logger.Debug().Msgf("evaluating policy %s against attestation", policy.Metadata.Name)
}

args, err := ComputeArguments(policy.GetSpec().GetInputs(), attachment.GetWith(), opts.bindings, pv.logger)
args, err := ComputeArguments(policy.GetMetadata().GetName(), policy.GetSpec().GetInputs(), attachment.GetWith(), opts.bindings, pv.logger)
if err != nil {
return nil, NewPolicyError(err)
}
Expand Down Expand Up @@ -215,7 +215,7 @@ func (pv *PolicyVerifier) evaluatePolicyAttachment(ctx context.Context, attachme
}

// ComputeArguments takes a list of arguments, and matches it against the expected inputs. It also applies a set of interpolations if needed.
func ComputeArguments(inputs []*v1.PolicyInput, args map[string]string, bindings map[string]string, logger *zerolog.Logger) (map[string]string, error) {
func ComputeArguments(name string, inputs []*v1.PolicyInput, args map[string]string, bindings map[string]string, logger *zerolog.Logger) (map[string]string, error) {
result := make(map[string]string)

// Policies without inputs in the spec
Expand Down Expand Up @@ -263,7 +263,7 @@ func ComputeArguments(inputs []*v1.PolicyInput, args map[string]string, bindings
return input.Name == k
})
if !expected {
logger.Warn().Msgf("argument %q will be ignored", k)
logger.Warn().Msgf("argument %q not defined in policy %q spec, ignoring it", k, name)
continue
}
value, err := templates.ApplyBinding(v, bindings)
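Review bot: The doc comment on `ComputeArguments` (the hunk at the function signature, `@@ -215,7 +215,7 @@`) was not updated for the new leading `name` parameter, so readers of the exported API cannot tell what the string is for. As far as the visible hunks show, `name` is only read in the warning at `logger.Warn().Msgf("argument %q not defined in policy %q spec, ignoring it", k, name)`, so the comment should say so; suggested wording: `// ComputeArguments takes a list of arguments, and matches it against the expected inputs of the policy identified by name (used only to label diagnostics). It also applies a set of interpolations if needed.` The body of `ComputeArguments` continues outside the hunks, so confirm `name` is not used elsewhere before committing to that wording.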
59 changes: 36 additions & 23 deletions pkg/policies/policies_test.go
Expand Up @@ -814,22 +814,25 @@ func (s *testSuite) TestGetInputArguments() {

func (s *testSuite) TestComputePolicyArguments() {
cases := []struct {
name string
inputs []*v12.PolicyInput
args map[string]string
bindings map[string]string
expected map[string]string
expectErr bool
errMsg string
name string
policyName string
inputs []*v12.PolicyInput
args map[string]string
bindings map[string]string
expected map[string]string
expectErr bool
errMsg string
}{
{
name: "all args passed when no inputs present",
inputs: nil,
args: map[string]string{"arg1": "value1", "arg2": "value2"},
expected: map[string]string{"arg1": "value1", "arg2": "value2"},
name: "all args passed when no inputs present",
policyName: "test-policy",
inputs: nil,
args: map[string]string{"arg1": "value1", "arg2": "value2"},
expected: map[string]string{"arg1": "value1", "arg2": "value2"},
},
{
name: "required inputs",
name: "required inputs",
policyName: "test-policy",
inputs: []*v12.PolicyInput{{
Name: "arg1",
Required: true,
errMsg: "missing required input \"arg1\"",
},
{
name: "default values are set",
name: "default values are set",
policyName: "test-policy",
inputs: []*v12.PolicyInput{{
Name: "arg1",
Default: "value1",
expected: map[string]string{"arg1": "value1", "arg2": "value2"},
},
{
name: "unexpected arguments are ignored",
name: "unexpected arguments are ignored",
policyName: "test-policy",
inputs: []*v12.PolicyInput{{
Name: "arg1",
Default: "value1",
expected: map[string]string{"arg1": "value1"},
},
{
name: "expected arguments with values are respected",
name: "expected arguments with values are respected",
policyName: "test-policy",
inputs: []*v12.PolicyInput{{
Name: "arg1",
Default: "value1",
expected: map[string]string{"arg1": "value1", "arg2": "value2"},
},
{
name: "simple bindings",
name: "simple bindings",
policyName: "test-policy",
inputs: []*v12.PolicyInput{{
Name: "arg1",
}},
expected: map[string]string{"arg1": "Hello world"},
},
{
name: "multiple bindings",
name: "multiple bindings",
policyName: "test-policy",
inputs: []*v12.PolicyInput{{
Name: "arg1",
}, {
expected: map[string]string{"arg1": "Hello world template", "arg2": "Bye template"},
},
{
name: "no variable found in bindings, renders zero value",
name: "no variable found in bindings, renders zero value",
policyName: "test-policy",
inputs: []*v12.PolicyInput{{
Name: "arg1",
}},
expected: map[string]string{"arg1": "Hello "},
},
{
name: "no interpolation needed",
name: "no interpolation needed",
policyName: "test-policy",
inputs: []*v12.PolicyInput{{
Name: "arg1",
}},
expected: map[string]string{"arg1": "Hello world"},
},
{
name: "required and default is illegal",
name: "required and default is illegal",
policyName: "test-policy",
inputs: []*v12.PolicyInput{{
Name: "arg1",
Required: true,
errMsg: "input arg1 can not be required and have a default at the same time",
},
{
name: "inputs prefix without dot",
name: "inputs prefix without dot",
policyName: "test-policy",
inputs: []*v12.PolicyInput{{
Name: "arg1",
}, {
expected: map[string]string{"arg1": "Hello world template", "arg2": "Bye template"},
},
{
name: "required input with missing binding",
name: "required input with missing binding",
policyName: "test-policy",
inputs: []*v12.PolicyInput{{
Name: "arg1",
Required: true,

for _, tc := range cases {
s.Run(tc.name, func() {
computed, err := ComputeArguments(tc.inputs, tc.args, tc.bindings, &s.logger)
computed, err := ComputeArguments(tc.policyName, tc.inputs, tc.args, tc.bindings, &s.logger)
if tc.expectErr {
s.Error(err)
s.Contains(err.Error(), tc.errMsg)
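Review bot: Every case sets `policyName: "test-policy"` and no assertion looks at the warning text, so the new parameter is threaded through the table without being exercised; the "unexpected arguments are ignored" case is the one where it matters. Either assert that the captured warning contains the policy name for that case, or give at least one case a distinct `policyName` so a regression that drops or swaps the argument would be visible. If the suite's logger cannot be captured, a one-line comment on the `policyName` field saying it is only forwarded for log output would make the intent clear. The `TestComputePolicyArguments` body continues outside the hunk.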
4 changes: 2 additions & 2 deletions pkg/policies/policy_groups.go
Expand Up @@ -62,7 +62,7 @@ func (pgv *PolicyGroupVerifier) VerifyMaterial(ctx context.Context, material *ap
}

// matches group arguments against spec and apply defaults
groupArgs, err := ComputeArguments(group.GetSpec().GetInputs(), groupAtt.GetWith(), nil, pgv.logger)
groupArgs, err := ComputeArguments(group.GetMetadata().GetName(), group.GetSpec().GetInputs(), groupAtt.GetWith(), nil, pgv.logger)
if err != nil {
return nil, NewPolicyError(err)
}
Expand Down Expand Up @@ -121,7 +121,7 @@ func (pgv *PolicyGroupVerifier) VerifyStatement(ctx context.Context, statement *
continue
}
// compute group arguments
groupArgs, err := ComputeArguments(group.GetSpec().GetInputs(), groupAtt.GetWith(), nil, pgv.logger)
groupArgs, err := ComputeArguments(group.GetMetadata().GetName(), group.GetSpec().GetInputs(), groupAtt.GetWith(), nil, pgv.logger)
if err != nil {
return nil, NewPolicyError(err)
}