Merge pull request #1183 from zregvart/pr/check-effective-on

Conventions check for `effective_on` annotation
enterprise-contract · Oct 10, 2024 · ce24a1d · ce24a1d
2 parents a6e8618 + edd4826
commit ce24a1d
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 0 deletions.
diff --git a/checks/annotations.rego b/checks/annotations.rego
@@ -129,3 +129,18 @@ violation contains msg if {
 
 	msg := sprintf("ERROR: Found non-unique code %q at %s:%d", [code, file, annotation.location.row])
 }
+
+# Validates that the `effective_on` annotation has the correct syntax
+violation contains msg if {
+	some policy_files in policy_rule_files(input.namespaces)
+
+	some file in policy_files.files
+	some annotation in input.annotations
+
+	annotation.location.file == file
+
+	effective_on := annotation.annotations.custom.effective_on
+	not time.parse_rfc3339_ns(effective_on)
+
+	msg := sprintf("ERROR: wrong syntax of effective_on value %q at %s:%d", [effective_on, file, annotation.location.row])
+}
diff --git a/checks/annotations_test.rego b/checks/annotations_test.rego
@@ -162,6 +162,46 @@ opa_inspect_duplicate := {
 	],
 }
 
+opa_inspect_effective_on := {
+	"namespaces": {"data.policy.release.effective_on": ["policy/release/effective_on.rego"]},
+	"annotations": [
+		{
+			"annotations": {
+				"custom": {
+					"short_name": "good_effective_on",
+					"failure_msg": "all good",
+					"effective_on": "1985-04-12T23:20:50.52Z",
+				},
+				"description": "effective_on must be well formed",
+				"scope": "rule",
+				"title": "effective_on ok case",
+			},
+			"location": {
+				"file": "policy/release/effective_on.rego",
+				"row": 1,
+				"col": 1,
+			},
+		},
+		{
+			"annotations": {
+				"custom": {
+					"short_name": "bad_effective_on",
+					"failure_msg": "not good",
+					"effective_on": "wubba lubba dub dub",
+				},
+				"description": "effective_on must be well formed",
+				"scope": "rule",
+				"title": "effective_on bad case",
+			},
+			"location": {
+				"file": "policy/release/effective_on.rego",
+				"row": 10,
+				"col": 1,
+			},
+		},
+	],
+}
+
 test_required_annotations_invalid if {
 	err = "ERROR: Missing annotation(s) custom.failure_msg, title at policy/release/attestation_task_bundle.rego:13"
 	lib.assert_equal({err}, checks.violation) with input as opa_inspect_missing_annotations
@@ -181,3 +221,8 @@ test_duplicate_rules if {
 	err2 = `ERROR: Found non-unique code "data.policy.release.attestation_type.known_attestation_type" at policy/release/attestation_type.rego:50`
 	lib.assert_equal({err1, err2}, checks.violation) with input as opa_inspect_duplicate
 }
+
+test_effective_on if {
+	err := `ERROR: wrong syntax of effective_on value "wubba lubba dub dub" at policy/release/effective_on.rego:10`
+	lib.assert_equal({err}, checks.violation) with input as opa_inspect_effective_on
+}