Merge pull request #1103 from stacklok/policy-easier

cleanup: Allow for policy files to not specify projects

cmd/cli/app/policy/policy_create.go

@@ -42,6 +42,7 @@ within a mediator control plane.`,
 	},
 	RunE: func(cmd *cobra.Command, args []string) error {
 		f := util.GetConfigValue("file", "file", cmd, "").(string)
+		proj := viper.GetString("project")
 
 		var err error
 
@@ -75,7 +76,15 @@ within a mediator control plane.`,
 
 		p, err := engine.ParseYAML(preader)
 		if err != nil {
-			return fmt.Errorf("error reading fragment from file: %w", err)
+			return fmt.Errorf("error reading policy from file: %w", err)
+		}
+
+		if proj != "" {
+			if p.Context == nil {
+				p.Context = &pb.Context{}
+			}
+
+			p.Context.Project = &proj
 		}
 
 		// create a policy
@@ -96,4 +105,5 @@ within a mediator control plane.`,
 func init() {
 	PolicyCmd.AddCommand(Policy_createCmd)
 	Policy_createCmd.Flags().StringP("file", "f", "", "Path to the YAML defining the policy (or - for stdin)")
+	Policy_createCmd.Flags().StringP("project", "p", "", "Project to create the policy in")
 }

examples/github/policies/policy.yaml

@@ -4,7 +4,6 @@ version: v1
 type: policy
 name: acme-github-policy
 context:
-  project: Root Project
   provider: github
 repository:
   - type: secret_scanning

examples/github/policies/policy_artifact.yaml

@@ -4,7 +4,6 @@ version: v1
 type: policy
 name: acme-github-policy-artifact
 context:
-  project: Root Project
   provider: github
 artifact:
   - type: artifact_signature

examples/github/policies/pr_vuln_check.yaml

@@ -3,7 +3,6 @@ version: v1
 type: policy
 name: acme-github-policy-pr-vuln-check
 context:
-  project: Root Project
   provider: github
 pull_request:
   - type: pr_vulnerability_check

examples/github/rule-types/actions_check_pinned_tags.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: actions_check_pinned_tags
 context:
   provider: github
-  group: Root Group
 description: Verifies that any actions use pinned tags
 guidance: |
   Verifies that any actions use pinned tags

examples/github/rule-types/allowed_selected_actions.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: allowed_selected_actions
 context:
   provider: github
-  group: Root Group
 description: |
   Verifies the settings for selected actions and reusable workflows that are allowed
   in a repository. To use this rule, the repository policy for allowed_actions must

examples/github/rule-types/artifact_signature.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: artifact_signature
 context:
   provider: github
-  group: Root Group
 description: Verifies that a given artifact has a valid signature.
 guidance: |
   Artifact signing allows a user to add a digital fingerprint to an artifact and verify its trust later.

examples/github/rule-types/branch_protection.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: branch_protection
 context:
   provider: github
-  group: Root Group
 description: Verifies that a branch has proper protections.
 guidance: |
   You can protect important branches by setting branch protection rules, which define whether

examples/github/rule-types/codeql_enabled.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: codeql_enabled
 context:
   provider: github
-  group: Root Group
 description: Verifies that CodeQL is enabled for the repository
 guidance: |
   CodeQL is a tool that can be used to analyze code for security vulnerabilities.

examples/github/rule-types/default_workflow_permissions.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: default_workflow_permissions
 context:
   provider: github
-  group: Root Group
 description: |
   Verifies the default workflow permissions granted to the GITHUB_TOKEN
   when running workflows in a repository, as well as if GitHub Actions

examples/github/rule-types/dependabot_configured.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: dependabot_configured
 context:
   provider: github
-  group: Root Group
 description: Verifies that Dependabot is configured for the repository
 guidance: |
   Dependabot enables Automated dependency updates for repositories.

examples/github/rule-types/dockerfile_no_latest_tag.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: dockerfile_no_latest_tag
 context:
   provider: github
-  group: Root Group
 description: Verifies that the Dockerfile image references don't use the latest tag
 guidance: |
   Using the latest tag for Docker images is not recommended as it can lead to unexpected behavior.

examples/github/rule-types/github_actions_allowed.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: github_actions_allowed
 context:
   provider: github
-  group: Root Group
 description: |
   Verifies permissions for github actions for a specific repository.
 

examples/github/rule-types/pr_vulnerability_check.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: pr_vulnerability_check
 context:
   provider: github
-  group: Root Group
 description: Verifies that pull requests do not add any vulnerable dependecies
 guidance: |
   For every pull request submitted to a repository, this rule will check if the pull request

examples/github/rule-types/repo_workflow_access_level.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: repo_workflow_access_level
 context:
   provider: github
-  group: Root Group
 description: |
   Verifies the level of access that workflows outside of the repository have
   to actions and reusable workflows in the repository. This only applies to private repositories.

examples/github/rule-types/secret_push_protection.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: secret_push_protection
 context:
   provider: github
-  group: Root Group
 description: Verfies that secret push protection is enabled for a given repository.
 guidance: |
   You can use secret scanning to prevent supported secrets from being pushed into your repository by enabling secret scanning push protection.

examples/github/rule-types/secret_scanning.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: secret_scanning
 context:
   provider: github
-  group: Root Group
 description: Verifies that secret scanning is enabled for a given repository.
 guidance: |
   Secret scanning is a feature that scans repositories for secrets and alerts

examples/github/rule-types/trivy_action_enabled.yaml

@@ -4,7 +4,6 @@ type: rule-type
 name: trivy_action_enabled
 context:
   provider: github
-  group: Root Group
 description: Verifies that the Trivy action is enabled for the repository and scanning
 guidance: |
   ## Please set up trivy!

internal/controlplane/handlers_policy.go

@@ -129,7 +129,7 @@ func (s *Server) CreatePolicy(ctx context.Context,
 		return nil, providerError(fmt.Errorf("provider error: %w", err))
 	}
 
-	if err := engine.ValidatePolicy(in); err != nil {
+	if err := in.Validate(); err != nil {
 		return nil, status.Errorf(codes.InvalidArgument, "invalid policy: %v", err)
 	}
 

internal/engine/policy.go

@@ -30,11 +30,6 @@ import (
 	pb "github.com/stacklok/mediator/pkg/api/protobuf/go/mediator/v1"
 )
 
-var (
-	// ErrValidationFailed is returned when a policy fails validation
-	ErrValidationFailed = fmt.Errorf("validation failed")
-)
-
 // RuleValidationError is used to report errors from evaluating a rule, including
 // attribution of the particular error encountered.
 type RuleValidationError struct {
@@ -71,7 +66,7 @@ func ParseJSON(r io.Reader) (*pb.Policy, error) {
 		return nil, fmt.Errorf("error decoding json: %w", err)
 	}
 
-	if err := ValidatePolicy(&out); err != nil {
+	if err := out.Validate(); err != nil {
 		return nil, fmt.Errorf("error validating policy: %w", err)
 	}
 
@@ -101,86 +96,6 @@ func ReadPolicyFromFile(fpath string) (*pb.Policy, error) {
 	return out, nil
 }
 
-// ValidatePolicy validates a pipeline policy
-func ValidatePolicy(p *pb.Policy) error {
-	if err := validateContext(p.Context); err != nil {
-		return err
-	}
-
-	// If the policy is nil or empty, we don't need to validate it
-	if p.Repository != nil && len(p.Repository) > 0 {
-		return validateEntity(p.Repository)
-	}
-
-	if p.BuildEnvironment != nil && len(p.BuildEnvironment) > 0 {
-		return validateEntity(p.BuildEnvironment)
-	}
-
-	if p.Artifact != nil && len(p.Artifact) > 0 {
-		return validateEntity(p.Artifact)
-	}
-
-	if p.PullRequest != nil && len(p.PullRequest) > 0 {
-		return validateEntity(p.PullRequest)
-	}
-
-	return nil
-}
-
-func validateContext(c *pb.Context) error {
-	if c == nil {
-		return fmt.Errorf("%w: context cannot be empty", ErrValidationFailed)
-	}
-
-	if c.Provider == "" {
-		return fmt.Errorf("%w: context provider cannot be empty", ErrValidationFailed)
-	}
-
-	if c.Organization == nil && c.Project == nil {
-		return fmt.Errorf("%w: context organization or group must be set", ErrValidationFailed)
-	}
-
-	if c.Organization != nil && *c.Organization == "" {
-		return fmt.Errorf("%w: context organization cannot be empty", ErrValidationFailed)
-	}
-
-	if c.Project != nil && *c.Project == "" {
-		return fmt.Errorf("%w: context group cannot be empty", ErrValidationFailed)
-	}
-
-	return nil
-}
-
-func validateEntity(e []*pb.Policy_Rule) error {
-	if len(e) == 0 {
-		return fmt.Errorf("%w: entity rules cannot be empty", ErrValidationFailed)
-	}
-
-	for _, r := range e {
-		if r == nil {
-			return fmt.Errorf("%w: entity contextual rules cannot be nil", ErrValidationFailed)
-		}
-
-		if err := validateRule(r); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func validateRule(r *pb.Policy_Rule) error {
-	if r.Type == "" {
-		return fmt.Errorf("%w: rule type cannot be empty", ErrValidationFailed)
-	}
-
-	if r.Def == nil {
-		return fmt.Errorf("%w: rule def cannot be nil", ErrValidationFailed)
-	}
-
-	return nil
-}
-
 // GetRulesForEntity returns the rules for the given entity
 func GetRulesForEntity(p *pb.Policy, entity pb.Entity) ([]*pb.Policy_Rule, error) {
 	switch entity {