feat(policy): add policy develop eval #2274
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
ac5ad6a to dffde7c
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
| Violations []string | ||
| } | ||
|
|
||
| func Evaluate(opts *EvalOptions, logger zerolog.Logger) (*EvalResult, error) { |
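Review bot: only the signature of `Evaluate` is in this hunk, but since `opts` is a pointer, make sure the body starts with a nil guard (`if opts == nil { return nil, errors.New("missing eval options") }`) so a mis-wired command fails with a clear error rather than a panic. Also, `logger` is taken by value here while `craftMaterial` further down takes `*zerolog.Logger`; pick one form for the package.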
we also run attestation-type policies. Their evaluation happens on att push. Does this cover this case?
Currently only material policies are evaluated, should I add a way to choose between material or attestation metadata evaluation?
Why do you need to choose? Wouldn't providing kind ATTESTATION be enough? cc/ @jiparis
Found the problem, I'll make it work that way if kind ATTESTATION is detected/passed
Went through the existing code again, everything should be working for ATTESTATION in the current implementation.
Yes, it works like any other material type, it should be supported already.
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
| result := &EvalResult{ | ||
| NoPolicies: true, | ||
| Skipped: false, | ||
| SkipReasons: []string{}, | ||
| Violations: []string{}, | ||
| } |
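Review bot: `NoPolicies: true` as the initial value means any early `return result, nil` before policies are actually located reports "no policies" instead of surfacing a problem; check that every failure path that is not a genuine absence of policies returns an error rather than this default result. The explicit empty slices for `SkipReasons` and `Violations` are a good choice for JSON output (`[]` rather than `null`); `Skipped: false` is the zero value and can be dropped.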
I think the ignore flag is missing
Yes, @Piskoo there is an "ignore" flag in evaluation results, that is used for the engine to ignore the policy execution (as it never existed). It's used in cases where the decision logic is in the Rego itself. Not too important for this command though.
It's being handled by NoPolicies, I will rename it for consistency
app/cli/cmd/policy_develop_eval.go (Outdated)
| for _, violation := range result.Violations { | ||
| logger.Error().Msgf("- %s", violation) | ||
| } | ||
| logger.Error().Msg("policy evaluation failed") |
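Review bot: the `Error()` level and the message "policy evaluation failed" treat violations as a command failure, but a violation list is the expected output when a material does not comply with the policy. Log the list at `Info()` together with the count, e.g. `logger.Info().Msgf("%d policy violation(s) found", len(result.Violations))`, and leave the exit-status decision to the caller or to an explicit flag.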
I think this should be Info() as well. Unless we know what's the user expectation, having Violations is a valid outcome, not an error.
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
| return result, nil | ||
| } | ||
|
|
||
| func craftMaterial(materialPath, materialKind string, logger *zerolog.Logger) (*v12.Attestation_Material, error) { |
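Review bot: `craftMaterial` takes `logger *zerolog.Logger` while `Evaluate` above takes `logger zerolog.Logger`; use the same form in both so callers do not have to juggle `&logger` at one call site and a value at the other (zerolog's `Logger` is designed to be passed by value).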
I like we are using real crafted materials, instead of a simulation.
I'd create a follow up task to extract this functionality in the CLI and use it everywhere instead of duplicating the logic (like the kind autodetect loop, for example).
jiparis left a comment
Accepted with some minor comments. Thanks.
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
This PR adds a new policy eval command to evaluate policies against materials.
Usage
Flags
- `--policy`: Path to policy file (required)
- `--material`: Path to material file (required)
- `--kind`: Material type (optional, will auto-detect if omitted)
- `--annotation`: Material annotations (key=value pairs)
- `--input`: Policy inputs (key=value pairs)
Closes #1108
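Two details of this command are easy to get subtly wrong and worth showing in working code: parsing the repeated `--annotation`/`--input` `key=value` pairs (a value may itself contain `=`, and a duplicated key should be rejected rather than silently overwritten so a typo cannot mask the intended policy input), and turning the `EvalResult` fields from the diff into a single outcome without treating violations as an error, as discussed in the review above. The block below is an added example, not code from this PR or from chainloop; `EvalResult` mirrors the field names visible in the diff, while `ParseKeyValues`, `Summarize`, the `Outcome` names and the sample inputs are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ErrEmptyKey is returned for a pair whose key is blank, e.g. "=value".
var ErrEmptyKey = errors.New("empty key")

// ParseKeyValues turns repeated "key=value" flag values into a map.
// Rules assumed here (hypothetical, not chainloop's own parser): the first
// '=' separates key from value, so values may contain '='; keys are trimmed
// and must be non-empty; a key given twice is an error, not an overwrite.
func ParseKeyValues(pairs []string) (map[string]string, error) {
	out := make(map[string]string, len(pairs))
	for _, p := range pairs {
		k, v, found := strings.Cut(p, "=")
		if !found {
			return nil, fmt.Errorf("invalid pair %q: expected key=value", p)
		}
		k = strings.TrimSpace(k)
		if k == "" {
			return nil, fmt.Errorf("invalid pair %q: %w", p, ErrEmptyKey)
		}
		if _, dup := out[k]; dup {
			return nil, fmt.Errorf("duplicate key %q", k)
		}
		out[k] = v
	}
	return out, nil
}

// EvalResult mirrors the fields shown in the PR's diff.
type EvalResult struct {
	NoPolicies  bool
	Skipped     bool
	SkipReasons []string
	Violations  []string
}

// Outcome is a single token a CLI can print and a CI job can branch on.
type Outcome string

const (
	OutcomeNoPolicies Outcome = "no-policies"
	OutcomeSkipped    Outcome = "skipped"
	OutcomeViolations Outcome = "violations"
	OutcomePassed     Outcome = "passed"
)

// Summarize maps an EvalResult to one outcome plus the lines to report.
// Violations are an outcome, not an error: the caller decides whether a
// non-compliant material should fail the build.
func Summarize(r *EvalResult) (Outcome, []string) {
	switch {
	case r == nil || r.NoPolicies:
		return OutcomeNoPolicies, nil
	case r.Skipped:
		return OutcomeSkipped, append([]string(nil), r.SkipReasons...)
	case len(r.Violations) > 0:
		lines := make([]string, 0, len(r.Violations))
		for _, v := range r.Violations {
			lines = append(lines, "- "+v)
		}
		return OutcomeViolations, lines
	default:
		return OutcomePassed, nil
	}
}

func main() {
	// Constructed sample flag values, as a user might pass them to --annotation.
	annotations, err := ParseKeyValues([]string{"env=prod", "team=security"})
	if err != nil {
		fmt.Println("annotation error:", err)
		return
	}
	keys := make([]string, 0, len(annotations))
	for k := range annotations {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output order
	for _, k := range keys {
		fmt.Printf("annotation %s=%s\n", k, annotations[k])
	}

	// Constructed result with a single violation.
	outcome, lines := Summarize(&EvalResult{Violations: []string{"artifact is not signed"}})
	fmt.Println("outcome:", outcome)
	for _, l := range lines {
		fmt.Println(l)
	}
}
```

Rejecting duplicate keys is the defensive choice for policy inputs: with silent overwrite, `--input allow_unsigned=false --input allow_unsigned=true` would pass the last value through, and the operator would have no signal that the policy was evaluated with a different input than the one they believed they set.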