From edd48266cfd4651d951d22c32f139783e0001aa5 Mon Sep 17 00:00:00 2001
From: Zoran Regvart
Date: Thu, 10 Oct 2024 11:00:44 +0200
Subject: [PATCH] Conventions check for `effective_on` annotation

Makes sure that the `effective_on` annotation is in correct syntax.
---
 checks/annotations.rego | 15 ++++++++++++
 checks/annotations_test.rego | 45 ++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/checks/annotations.rego b/checks/annotations.rego
index f87209ed..c8199475 100644
--- a/checks/annotations.rego
+++ b/checks/annotations.rego
@@ -129,3 +129,18 @@ violation contains msg if {
 
 msg := sprintf("ERROR: Found non-unique code %q at %s:%d", [code, file, annotation.location.row])
 }
+
+# Validates that the `effective_on` annotation has the correct syntax
+violation contains msg if {
+ some policy_files in policy_rule_files(input.namespaces)
+
+ some file in policy_files.files
+ some annotation in input.annotations
+
+ annotation.location.file == file
+
+ effective_on := annotation.annotations.custom.effective_on
+ not time.parse_rfc3339_ns(effective_on)
+
+ msg := sprintf("ERROR: wrong syntax of effective_on value %q at %s:%d", [effective_on, file, annotation.location.row])
+}
diff --git a/checks/annotations_test.rego b/checks/annotations_test.rego
index 0b0b91a6..fac2f481 100644
--- a/checks/annotations_test.rego
+++ b/checks/annotations_test.rego
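Review bot: In the rule added to checks/annotations.rego, `not time.parse_rfc3339_ns(effective_on)` reports a malformed value only because a failing builtin call is undefined under OPA's default error handling. Where builtin errors are made fatal (for example `opa eval --strict-builtin-errors`), evaluation would presumably abort on the first bad value instead of emitting the violation message. A non-string `effective_on` takes the same path and is reported as "wrong syntax". Since this annotation presumably decides when a rule starts being enforced, state that dependency above the expression: `# undefined (not an error) for unparsable or non-string input under default builtin error handling`. The rule lies wholly inside the hunk.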
@@ -162,6 +162,46 @@ opa_inspect_duplicate := {
 ],
 }
 
+opa_inspect_effective_on := {
+ "namespaces": {"data.policy.release.effective_on": ["policy/release/effective_on.rego"]},
+ "annotations": [
+ {
+ "annotations": {
+ "custom": {
+ "short_name": "good_effective_on",
+ "failure_msg": "all good",
+ "effective_on": "1985-04-12T23:20:50.52Z",
+ },
+ "description": "effective_on must be well formed",
+ "scope": "rule",
+ "title": "effective_on ok case",
+ },
+ "location": {
+ "file": "policy/release/effective_on.rego",
+ "row": 1,
+ "col": 1,
+ },
+ },
+ {
+ "annotations": {
+ "custom": {
+ "short_name": "bad_effective_on",
+ "failure_msg": "not good",
+ "effective_on": "wubba lubba dub dub",
+ },
+ "description": "effective_on must be well formed",
+ "scope": "rule",
+ "title": "effective_on bad case",
+ },
+ "location": {
+ "file": "policy/release/effective_on.rego",
+ "row": 10,
+ "col": 1,
+ },
+ },
+ ],
+}
+
 test_required_annotations_invalid if {
 err = "ERROR: Missing annotation(s) custom.failure_msg, title at policy/release/attestation_task_bundle.rego:13"
 lib.assert_equal({err}, checks.violation) with input as opa_inspect_missing_annotations
@@ -181,3 +221,8 @@ test_duplicate_rules if {
 err2 = `ERROR: Found non-unique code "data.policy.release.attestation_type.known_attestation_type" at policy/release/attestation_type.rego:50`
 lib.assert_equal({err1, err2}, checks.violation) with input as opa_inspect_duplicate
 }
+
+test_effective_on if {
+ err := `ERROR: wrong syntax of effective_on value "wubba lubba dub dub" at policy/release/effective_on.rego:10`
+ lib.assert_equal({err}, checks.violation) with input as opa_inspect_effective_on
+}
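Review bot: The `opa_inspect_effective_on` fixture exercises only one free-text bad value, so `test_effective_on` does not pin the near-miss formats a policy author is more likely to type, such as a date without time and offset. A value that looks valid but fails parsing is the case where a silent regression in this check would matter most, because the annotation presumably gates when a rule becomes enforced. The fence adds a third annotation entry with a constructed date-only value and extends the expected violation set in `test_effective_on` to match. A non-string value would be a further useful case.

```rego
# … unchanged: good_effective_on and bad_effective_on entries …
		{
			"annotations": {
				"custom": {
					"short_name": "date_only_effective_on",
					"failure_msg": "not good",
					# constructed sample: date without time or offset
					"effective_on": "2024-10-10",
				},
				"description": "effective_on must be well formed",
				"scope": "rule",
				"title": "effective_on date-only case",
			},
			"location": {
				"file": "policy/release/effective_on.rego",
				"row": 20,
				"col": 1,
			},
		},
# … unchanged: end of opa_inspect_effective_on …

test_effective_on if {
	err1 := `ERROR: wrong syntax of effective_on value "wubba lubba dub dub" at policy/release/effective_on.rego:10`
	err2 := `ERROR: wrong syntax of effective_on value "2024-10-10" at policy/release/effective_on.rego:20`
	lib.assert_equal({err1, err2}, checks.violation) with input as opa_inspect_effective_on
}
```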