Merge pull request #1198 from lcarva/EC-864

Flatten package names

antora/docs/modules/ROOT/pages/build_task_policy.adoc

@@ -4,30 +4,29 @@
 
 These rules are applied to Tekton build task definitions.
 
-[#labels_package]
-== link:#labels_package[Tekton task build type label checks]
+[#build_labels_package]
+== link:#build_labels_package[Tekton task build type label checks]
 
 Policies to verify that a Tekton build task definition has the required build type label.
 
-* Package name: `labels`
-* Package full path: `build_task.labels`
+* Package name: `build_labels`
 
-[#labels__build_type_label_set]
-=== link:#labels__build_type_label_set[Build task has build type label]
+[#build_labels__build_type_label_set]
+=== link:#build_labels__build_type_label_set[Build task has build type label]
 
 Confirm the build task definition has the required build type label.
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `The required build label '%s' is missing`
-* Code: `labels.build_type_label_set`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/build_task/labels/labels.rego#L17[Source, window="_blank"]
+* Code: `build_labels.build_type_label_set`
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/build_task/build_labels/build_labels.rego#L17[Source, window="_blank"]
 
-[#labels__build_task_has_label]
-=== link:#labels__build_task_has_label[Build task has label]
+[#build_labels__build_task_has_label]
+=== link:#build_labels__build_task_has_label[Build task has label]
 
 Confirm that the build task definition includes at least one label.
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `The task definition does not include any labels`
-* Code: `labels.build_task_has_label`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/build_task/labels/labels.rego#L30[Source, window="_blank"]
+* Code: `build_labels.build_task_has_label`
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/build_task/build_labels/build_labels.rego#L30[Source, window="_blank"]

antora/docs/modules/ROOT/pages/pipeline_policy.adoc

@@ -10,7 +10,6 @@ These rules are applied to Tekton pipeline definitions.
 To be able to reproduce and audit builds accurately it's important to know exactly what happens during the build. To do this Enterprise Contract requires that all tasks are defined in a set of known and trusted task bundles. This package includes rules to confirm that the tasks in a Pipeline definition are defined in task bundles, and that the task bundles are from the list of known and trusted bundles.
 
 * Package name: `task_bundle`
-* Package full path: `pipeline.task_bundle`
 
 [#task_bundle__missing_required_data]
 === link:#task_bundle__missing_required_data[Missing required data]
@@ -78,7 +77,6 @@ Check if the Tekton Bundle used for the Tasks in the Pipeline definition is pinn
 Policies to confirm the Tekton Pipeline definition has the expected kind.
 
 * Package name: `basic`
-* Package full path: `pipeline.basic`
 
 [#basic__expected_kind]
 === link:#basic__expected_kind[Pipeline definition has expected kind]
@@ -96,7 +94,6 @@ Confirm that the pipeline definition has the kind "Pipeline".
 Konflux expects that certain Tekton tasks are executed during image builds. This package includes policy rules to confirm that the pipeline definition includes those required tasks.
 
 * Package name: `required_tasks`
-* Package full path: `pipeline.required_tasks`
 
 [#required_tasks__missing_future_required_task]
 === link:#required_tasks__missing_future_required_task[Missing future required task]

antora/docs/modules/ROOT/pages/task_policy.adoc

@@ -10,7 +10,6 @@ These rules are applied to Tekton task definitions.
 This package ensures that a Task definition contains expected values for the image references used by the Task's steps.
 
 * Package name: `step_image_registries`
-* Package full path: `task.step_image_registries`
 
 [#step_image_registries__step_image_registry_prefix_list_provided]
 === link:#step_image_registries__step_image_registry_prefix_list_provided[Permitted step image registry prefix list provided]
@@ -42,7 +41,6 @@ Confirm that each step in the Task uses a container image with a URL that matche
 Policies to verify that a Tekton Task definition uses well formed expected annotations .
 
 * Package name: `annotations`
-* Package full path: `task.annotations`
 
 [#annotations__expires_on_format]
 === link:#annotations__expires_on_format[Task definition uses expires-on annotation in RFC3339 format]
@@ -60,7 +58,6 @@ Make sure to use the date format in RFC3339 format in the "build.appstudio.redha
 Verify Tekton Task definitions provide expected results.
 
 * Package name: `results`
-* Package full path: `task.results`
 
 [#results__required]
 === link:#results__required[Required result defined]
@@ -90,7 +87,6 @@ Confirm the expected `required_task_results` rule data key has been provided in
 Policies to verify that a Tekton task definition has the expected value for kind.
 
 * Package name: `kind`
-* Package full path: `task.kind`
 
 [#kind__kind_present]
 === link:#kind__kind_present[Kind field is present in task definition]
@@ -118,7 +114,6 @@ Confirm the task definition has the kind "Task".
 Policies to verify that a Tekton task definition conforms to the expected conventions required for using Trusted Artifacts.
 
 * Package name: `trusted_artifacts`
-* Package full path: `task.trusted_artifacts`
 
 [#trusted_artifacts__parameter]
 === link:#trusted_artifacts__parameter[Parameter]

antora/docs/modules/ROOT/partials/build_task_policy_nav.adoc

@@ -1,4 +1,4 @@
 * xref:build_task_policy.adoc[Build Task Policy]
-** xref:build_task_policy.adoc#labels_package[Tekton task build type label checks]
-*** xref:build_task_policy.adoc#labels__build_type_label_set[Build task has build type label]
-*** xref:build_task_policy.adoc#labels__build_task_has_label[Build task has label]
+** xref:build_task_policy.adoc#build_labels_package[Tekton task build type label checks]
+*** xref:build_task_policy.adoc#build_labels__build_type_label_set[Build task has build type label]
+*** xref:build_task_policy.adoc#build_labels__build_task_has_label[Build task has label]

antora/docs/modules/ROOT/partials/release_policy_nav.adoc

@@ -4,6 +4,7 @@
 *** xref:release_policy.adoc#minimal[minimal]
 *** xref:release_policy.adoc#policy_data[policy_data]
 *** xref:release_policy.adoc#redhat[redhat]
+*** xref:release_policy.adoc#rhtap-jenkins[rhtap-jenkins]
 *** xref:release_policy.adoc#slsa3[slsa3]
 ** Release Rules
 *** xref:release_policy.adoc#attestation_type_package[Attestation type]

docs/asciidoc/asciidoc.go

@@ -45,9 +45,10 @@ func (d *doc) SetAnnotations(a []ast.FlatAnnotationsRefSet) {
 	for _, set := range a {
 		rules := make([]*ast.Annotations, 0, 5)
 		for _, ref := range set {
-			path := ref.GetPackage().Path.String()
-			if strings.HasPrefix(path, fmt.Sprintf("data.%s.", d.Qualifier)) {
-				if strings.Contains(path, ".collection.") {
+			pkgPath := ref.GetPackage().Path.String()
+			locationPrefix := filepath.Join("policy", d.Qualifier)
+			if strings.HasPrefix(ref.Location.File, locationPrefix) {
+				if strings.Contains(pkgPath, ".collection.") {
 					c := col{ref.Annotations, nil}
 					c.SetAnnotations(a)
 					collections = append(collections, c)
@@ -192,7 +193,6 @@ func init() {
 	funcs := template.FuncMap{
 		"anchor":           anchor,
 		"packageName":      packageName,
-		"packageFullPath":  packageFullPath,
 		"warningOrFailure": warningOrFailure,
 		"toUpper":          strings.ToUpper,
 		"toTitle":          strings.ToTitle,
@@ -209,10 +209,6 @@ func packageName(p *pkg) string {
 	return path[len(path)-1]
 }
 
-func packageFullPath(p *pkg) string {
-	return strings.Join(p.path()[1:], ".")
-}
-
 func anchor(a *ast.Annotations) string {
 	path := a.GetTargetPath()
 	switch a.Scope {

docs/asciidoc/policy.template

@@ -34,7 +34,6 @@ Rules included:{{ "\n" }}
 {{ .Description }}
 
 * Package name: `{{ packageName . }}`
-* Package full path: `{{ packageFullPath . }}`
 
 {{- range .Rules }}
 

policy/build_task/labels/labels.rego → policy/build_task/build_labels/build_labels.rego

@@ -5,7 +5,7 @@
 #   Policies to verify that a Tekton build task definition has the
 #   required build type label.
 #
-package build_task.labels
+package build_labels
 
 import rego.v1
 

policy/build_task/labels/labels_test.rego → policy/build_task/build_labels/build_labels_test.rego

@@ -1,25 +1,25 @@
-package build_task.labels_test
+package build_labels_test
 
 import rego.v1
 
-import data.build_task.labels
+import data.build_labels
 import data.lib
 
 test_build_label_found if {
 	# regal ignore:line-length
-	lib.assert_empty(labels.deny) with input as {"metadata": {"labels": {"build.appstudio.redhat.com/build_type": "docker"}}}
+	lib.assert_empty(build_labels.deny) with input as {"metadata": {"labels": {"build.appstudio.redhat.com/build_type": "docker"}}}
 }
 
 test_build_label_not_found if {
-	lib.assert_equal_results(labels.deny, {{
-		"code": "labels.build_type_label_set",
+	lib.assert_equal_results(build_labels.deny, {{
+		"code": "build_labels.build_type_label_set",
 		"msg": "The required build label 'build.appstudio.redhat.com/build_type' is missing",
 	}}) with input as {"metadata": {"labels": {"bad": "docker"}}}
 }
 
 test_no_labels if {
-	lib.assert_equal_results(labels.deny, {{
-		"code": "labels.build_task_has_label",
+	lib.assert_equal_results(build_labels.deny, {{
+		"code": "build_labels.build_task_has_label",
 		"msg": "The task definition does not include any labels",
 	}}) with input as {"metadata": {"name": "no_labels"}}
 }

policy/lib/result_helper.rego

@@ -40,36 +40,15 @@ _code(chain) := code if {
 # custom.short_name must be present.
 _rule_annotations(chain) := chain[0].annotations
 
-# This is meant to match the special handling done in ec-cli, see here:
-# https://github.com/enterprise-contract/ec-cli/blob/014a488a4/internal/opa/rule/rule.go#L161-L186
 _pkg_name(rule_path) := name if {
-	# Seems to not work if I keep assigning to a single var, so
-	# that's why the many different pN vars.
-
-	# Strip off the first element which is always "data"
+	# "data" is automatically added by rego.
 	p1 := _left_strip_elements(["data"], rule_path)
 
-	# Strip off policy.release or policy.pipeline to match what ec-cli
-	# does. (There are some edge cases where the behavior is not exactly
-	# the same, but I think this version is better.)
-	p2 := _left_strip_elements(["release"], p1)
-	p3 := _left_strip_elements(["pipeline"], p2)
-
-	# Actually ec-cli doesn't remove these, but lots of tests in this repo
-	# assume it will be removed, so let's go with the flow for now.
-	# (We might want to revist this behavior in future.)
-	p4 := _left_strip_elements(["task"], p3)
-	p5 := _left_strip_elements(["build_task"], p4)
-
-	# Strip off "policy" no matter what
-	p6 := _left_strip_elements(["policy"], p5)
-
-	# Remove the "deny" or "warn" element
-	p7 := _right_strip_elements(["deny"], p6)
-	p8 := _right_strip_elements(["warn"], p7)
+	# Remove the actual rule name as that is not part of the package.
+	p2 := _right_strip_elements(["deny"], p1)
+	p3 := _right_strip_elements(["warn"], p2)
 
-	# Put it all together with dots in between
-	name := concat(".", p8)
+	name := concat(".", p3)
 }
 
 _left_strip_elements(items_to_strip, list) := new_list if {

policy/lib/result_helper_test.rego

@@ -17,7 +17,7 @@ test_result_helper if {
 	}}
 
 	chain := [
-		{"annotations": rule_annotations, "path": ["data", "policy", "oh", "deny"]},
+		{"annotations": rule_annotations, "path": ["data", "oh", "deny"]},
 		{"annotations": {}, "path": ["ignored", "ignored"]}, # Actually not needed any more
 	]
 
@@ -36,7 +36,7 @@ test_result_helper_without_package_annotation if {
 		"failure_msg": "Bad thing %s",
 	}}
 
-	chain := [{"annotations": rule_annotations, "path": ["release", "package_name", "deny"]}]
+	chain := [{"annotations": rule_annotations, "path": ["package_name", "deny"]}]
 
 	lib.assert_equal(expected_result, lib.result_helper(chain, ["foo"]))
 }
@@ -77,7 +77,7 @@ test_result_helper_with_term if {
 	}}
 
 	chain := [
-		{"annotations": rule_annotations, "path": ["data", "release", "path", "oh", "deny"]},
+		{"annotations": rule_annotations, "path": ["data", "path", "oh", "deny"]},
 		{"annotations": {}, "path": ["ignored", "also_ignored"]},
 	]
 
@@ -86,43 +86,24 @@ test_result_helper_with_term if {
 
 test_result_helper_pkg_name if {
 	# "Normal" for ec-policies repo
-	lib.assert_equal("foo", lib._pkg_name(["data", "release", "foo", "deny"]))
-	lib.assert_equal("foo", lib._pkg_name(["data", "pipeline", "foo", "warn"]))
+	lib.assert_equal("foo", lib._pkg_name(["data", "foo", "deny"]))
+	lib.assert_equal("foo", lib._pkg_name(["data", "foo", "warn"]))
 
-	# Other categories that also get removed. These might be buggy in ec-cli
-	lib.assert_equal("foo", lib._pkg_name(["data", "task", "foo", "deny"]))
-	lib.assert_equal("foo", lib._pkg_name(["data", "build_task", "foo", "warn"]))
-
-	# Some other category other than release or pipeline
-	lib.assert_equal("another.foo.bar", lib._pkg_name(["data", "policy", "another", "foo", "bar", "deny"]))
-
-	# One extra level of package namespace
-	lib.assert_equal("foo.bar", lib._pkg_name(["data", "release", "foo", "bar", "deny"]))
-	lib.assert_equal("foo.bar", lib._pkg_name(["data", "pipeline", "foo", "bar", "warn"]))
-
-	# A custom policy that doesn't follow the conventions
-	lib.assert_equal("my_policy", lib._pkg_name(["data", "my_policy", "deny"]))
-	lib.assert_equal("my_policy.stuff", lib._pkg_name(["data", "my_policy", "stuff", "warn"]))
+	# Long package paths are retained
+	lib.assert_equal("another.foo.bar", lib._pkg_name(["data", "another", "foo", "bar", "deny"]))
+	lib.assert_equal("another.foo.bar", lib._pkg_name(["data", "another", "foo", "bar", "warn"]))
 
 	# Unlikely edge case: No deny or warn
 	lib.assert_equal("foo", lib._pkg_name(["data", "foo"]))
 	lib.assert_equal("foo.bar", lib._pkg_name(["data", "foo", "bar"]))
 
 	# Unlikely edge case: No data
-	# lib.assert_equal("foo", lib._pkg_name(["foo", "deny"]))
+	lib.assert_equal("foo", lib._pkg_name(["foo", "deny"]))
 	lib.assert_equal("foo.bar", lib._pkg_name(["foo", "bar", "warn"]))
 
-	# Unlikely edge case: Documenting this since it likely doesn't match the ec-cli behavior,
-	# but actually I think this way is slightly more sane, so let's accept the discrepancy for now.
-	# lib.assert_equal("pipeline.foo", lib._pkg_name(["data", "release", "pipeline", "foo", "deny"]))
-	lib.assert_equal("release.foo", lib._pkg_name(["data", "pipeline", "release", "foo", "deny"]))
-
 	# Very unlikely edge case: Just to illustrate how deny/warn/data are stripped once
-	# lib.assert_equal("foo", lib._pkg_name(["data", "policy", "release", "foo", "warn", "deny"]))
-	lib.assert_equal("foo.deny", lib._pkg_name(["data", "release", "foo", "deny", "warn"]))
-	lib.assert_equal("foo.warn", lib._pkg_name(["data", "release", "foo", "warn", "warn"]))
-	lib.assert_equal(
-		"data.release.foo.warn.deny",
-		lib._pkg_name(["data", "data", "release", "foo", "warn", "deny", "warn"]),
-	)
+	lib.assert_equal("foo", lib._pkg_name(["data", "foo", "warn", "deny"]))
+	lib.assert_equal("foo.deny", lib._pkg_name(["data", "foo", "deny", "warn"]))
+	lib.assert_equal("foo.warn", lib._pkg_name(["data", "foo", "warn", "warn"]))
+	lib.assert_equal("data.foo.warn.deny", lib._pkg_name(["data", "data", "foo", "warn", "deny", "warn"]))
 }

policy/pipeline/basic/basic.rego

@@ -4,7 +4,7 @@
 # description: >-
 #   Policies to confirm the Tekton Pipeline definition has the expected kind.
 #
-package pipeline.basic
+package basic
 
 import rego.v1
 

policy/pipeline/basic/basic_test.rego

@@ -1,9 +1,9 @@
-package pipeline.basic_test
+package basic_test
 
 import rego.v1
 
+import data.basic
 import data.lib
-import data.pipeline.basic
 
 test_unexpected_kind if {
 	lib.assert_equal_results(basic.deny, {{

policy/pipeline/required_tasks/required_tasks.rego

@@ -6,7 +6,7 @@
 #   This package includes policy rules to confirm that the pipeline definition
 #   includes those required tasks.
 #
-package pipeline.required_tasks
+package required_tasks
 
 import rego.v1
 

policy/pipeline/required_tasks/required_tasks_test.rego

@@ -1,9 +1,9 @@
-package pipeline.required_tasks_test
+package required_tasks_test
 
 import rego.v1
 
 import data.lib
-import data.pipeline.required_tasks
+import data.required_tasks
 
 test_required_tasks_met if {
 	pipeline := _pipeline_with_tasks_and_label(_expected_required_tasks, [], [])

policy/pipeline/task_bundle/task_bundle.rego

@@ -10,7 +10,7 @@
 #   bundles, and that the task bundles are from the list of known
 #   and trusted bundles.
 #
-package pipeline.task_bundle
+package task_bundle
 
 import rego.v1
 

policy/pipeline/task_bundle/task_bundle_test.rego

@@ -1,9 +1,9 @@
-package pipeline.task_bundle_test
+package task_bundle_test
 
 import rego.v1
 
 import data.lib
-import data.pipeline.task_bundle
+import data.task_bundle
 
 test_bundle_not_exists if {
 	tasks := [{"name": "my-task", "taskRef": {}}]

policy/release/attestation_task_bundle/attestation_task_bundle.rego

@@ -10,7 +10,7 @@
 #   bundles, and that the task bundles used are from the list of known
 #   and trusted bundles.
 #
-package release.attestation_task_bundle
+package attestation_task_bundle
 
 import rego.v1