Merge pull request enterprise-contract#1204 from zregvart/issue/EC-895

robnester-rh · Oct 24, 2024 · 4b661e5 · 4b661e5
2 parents 37a9373 + d9dbef9
commit 4b661e5
Show file tree

Hide file tree

Showing 52 changed files with 838 additions and 471 deletions.
diff --git a/antora/docs/modules/ROOT/pages/release_policy.adoc b/antora/docs/modules/ROOT/pages/release_policy.adoc
diff --git a/antora/docs/modules/ROOT/pages/task_policy.adoc b/antora/docs/modules/ROOT/pages/task_policy.adoc
@@ -21,7 +21,7 @@ Confirm the `allowed_step_image_registry_prefixes` rule data was provided, since
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `step_image_registries.step_image_registry_prefix_list_provided`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/task/step_image_registries/step_image_registries.rego#L43[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/task/step_image_registries/step_image_registries.rego#L44[Source, window="_blank"]
 
 [#step_image_registries__step_images_permitted]
 === link:#step_image_registries__step_images_permitted[Step images come from permitted registry]
@@ -33,7 +33,7 @@ Confirm that each step in the Task uses a container image with a URL that matche
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Step %d uses disallowed image ref '%s'`
 * Code: `step_image_registries.step_images_permitted`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/task/step_image_registries/step_image_registries.rego#L15[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/task/step_image_registries/step_image_registries.rego#L16[Source, window="_blank"]
 
 [#annotations_package]
 == link:#annotations_package[Tekton Task annotations]
@@ -67,7 +67,7 @@ Verify if Task defines the required result. This is controlled by the `required_
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `results.required`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/task/results/results.rego#L12[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/task/results/results.rego#L13[Source, window="_blank"]
 
 [#results__rule_data_provided]
 === link:#results__rule_data_provided[Rule data provided]
@@ -79,7 +79,7 @@ Confirm the expected `required_task_results` rule data key has been provided in
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `results.rule_data_provided`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/task/results/results.rego#L26[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/task/results/results.rego#L27[Source, window="_blank"]
 
 [#kind_package]
 == link:#kind_package[Tekton task kind checks]

diff --git a/policy/lib/json/schema.rego b/policy/lib/json/schema.rego
@@ -0,0 +1,61 @@
+package lib.json
+
+import rego.v1
+
+# Validates schema reporting the error message as well as the severity
+validate_schema(doc, schema) := issues if {
+	count(_arg_issues(doc, schema)) == 0
+	issues := _validation_issues(doc, schema)
+} else := _arg_issues(doc, schema)
+
+_validation_issues(doc, schema) := issues if {
+	not is_null(doc)
+	not is_null(schema)
+	d := _prepare_document(doc)
+	ok_error := json.match_schema(d, schema)
+	ok := ok_error[0]
+	errors := ok_error[1]
+	not ok
+	issues := [i |
+		some e in errors
+		i := {
+			"message": e.error, # e.desc is ignored, seems to repeat what is in e.error
+			"severity": _severity(e),
+		}
+	]
+}
+
+_arg_issues(doc, schema) := [i |
+	some check in [
+		{is_null(doc) == false: "Provided empty document for schema validation"},
+		{is_null(schema) == false: "Provided empty schema for schema validation"},
+		_check_schema(schema),
+	]
+	some ok, msg in check
+	not ok
+	i := {
+		"message": msg,
+		"severity": "failure",
+	}
+]
+
+_check_schema(schema) := ok_msg if {
+	not is_null(schema)
+	ok_error := json.verify_schema(schema)
+	ok := ok_error[0]
+	error := ok_error[1]
+	not ok
+	ok_msg := {false: sprintf("Provided schema is not a valid JSON Schema: %s", [error])}
+} else := {true, ""}
+
+_prepare_document(doc) := d if {
+	is_array(doc)
+
+	# match_schema expects either a marshaled JSON resource (String) or an
+	# Object. It doesn't handle an Array directly.
+	d := json.marshal(doc)
+} else := doc
+
+_severity(e) := "warning" if {
+	startswith(e.desc, "Additional property")
+} else := "failure"
diff --git a/policy/lib/json/schema_test.rego b/policy/lib/json/schema_test.rego
@@ -0,0 +1,98 @@
+package lib.json_test
+
+import data.lib
+import data.lib.json as j
+import rego.v1
+
+test_validate_args if {
+	lib.assert_equal(
+		[
+			{
+				"message": "Provided empty document for schema validation",
+				"severity": "failure",
+			},
+			{
+				"message": "Provided empty schema for schema validation",
+				"severity": "failure",
+			},
+		],
+		j.validate_schema(null, null),
+	)
+	lib.assert_equal(
+		[{
+			"message": "Provided empty schema for schema validation",
+			"severity": "failure",
+		}],
+		j.validate_schema({}, null),
+	)
+	lib.assert_equal(
+		[{
+			"message": "Provided empty document for schema validation",
+			"severity": "failure",
+		}],
+		j.validate_schema(null, {}),
+	)
+	lib.assert_equal(
+		[{
+			"message": "Provided schema is not a valid JSON Schema: jsonschema: wrong type, expected string or object",
+			"severity": "failure",
+		}],
+		j.validate_schema({}, ["something"]),
+	)
+}
+
+test_validate_schema_ok if {
+	lib.assert_equal(
+		[],
+		j.validate_schema({"a": 3}, {
+			"$schema": "https://json-schema.org/draft/2020-12/schema",
+			"properties": {"a": {"type": "number"}},
+		}),
+	)
+	lib.assert_equal(
+		[],
+		j.validate_schema([{"a": 3}], {
+			"$schema": "https://json-schema.org/draft/2020-12/schema",
+			"type": "array",
+			"items": {"properties": {"a": {"type": "number"}}},
+		}),
+	)
+}
+
+test_validate_schema_not_ok if {
+	lib.assert_equal(
+		[{
+			"message": "a: Invalid type. Expected: number, given: string",
+			"severity": "failure",
+		}],
+		j.validate_schema({"a": "b"}, {
+			"$schema": "https://json-schema.org/draft/2020-12/schema",
+			"properties": {"a": {"type": "number"}},
+		}),
+	)
+	lib.assert_equal(
+		[{
+			"message": "0.a: Invalid type. Expected: number, given: string",
+			"severity": "failure",
+		}],
+		j.validate_schema([{"a": "b"}], {
+			"$schema": "https://json-schema.org/draft/2020-12/schema",
+			"type": "array",
+			"items": {"properties": {"a": {"type": "number"}}},
+		}),
+	)
+}
+
+test_validate_schema_unknown_property_warning if {
+	lib.assert_equal(
+		[{
+			"message": "(Root): Additional property b is not allowed",
+			"severity": "warning",
+		}],
+		j.validate_schema({"a": 3, "b": "here"}, {
+			"$schema": "https://json-schema.org/draft/2020-12/schema",
+			"properties": {"a": {"type": "number"}},
+			"additionalProperties": false,
+		}),
+	)
+}
diff --git a/policy/lib/result_helper.rego b/policy/lib/result_helper.rego
@@ -16,6 +16,11 @@ result_helper_with_term(chain, failure_sprintf_params, term) := object.union(
 	{"term": term},
 )
 
+result_helper_with_severity(chain, failure_sprintf_params, severity) := object.union(
+	result_helper(chain, failure_sprintf_params),
+	{"severity": severity},
+)
+
 _basic_result(chain, failure_sprintf_params) := {
 	"code": _code(chain),
 	"msg": sprintf(_rule_annotations(chain).custom.failure_msg, failure_sprintf_params),