ansible · ffirg · Apr 7, 2025 · Apr 7, 2025
diff --git a/aap_policy_examples/project_scm_branch_validation.rego b/aap_policy_examples/project_scm_branch_validation.rego
@@ -0,0 +1,36 @@
+package aap_policy_examples
+
+import rego.v1
+
+# Define allowed values for project.scm_branch
+valid_project_scm_branch_values := ["main", "v1"]
+
+# Default policy response indicating allowed status with no violations
+default project_scm_branch_validation := {
+	"allowed": true,
+	"violations": [],
+}
+
+# Evaluate branch_validation to check if project.scm_branch value is allowed
+project_scm_branch_validation := result if {
+	# Extract project.scm_branch from input
+	branch := object.get(input, ["project", "scm_branch"], "")
+
+	# Check if branch value is not in the allowed list
+	not allowed_branch(branch)
+
+	result := {
+		"allowed": false,
+		"violations": [sprintf("Invalid branch: %v. Only named 'main' or 'v1' branches are allowed.", [branch])],
+	}
+}
+
+# Check if a given branch value is allowed
+allowed_branch(branch) if {
+	branch == ""
+}
+
+allowed_branch(branch) if {
+	some allowed_value in valid_project_scm_branch_values
+	branch == allowed_value
+}
diff --git a/test_aap_policy_examples/project_scm_branch_validation_test.rego b/test_aap_policy_examples/project_scm_branch_validation_test.rego
@@ -0,0 +1,39 @@
+package test_aap_policy_examples
+
+import data.aap_policy_examples
+
+test_valid_main_branch_allowed if {
+    test_input := {
+        "project": {
+            "scm_branch": "main"
+        }
+    }
+    aap_policy_examples.project_scm_branch_validation.allowed == true with input as test_input
+}
+
+test_valid_v1_branch_allowed if {
+    test_input := {
+        "project": {
+            "scm_branch": "v1"
+        }
+    }
+    aap_policy_examples.project_scm_branch_validation.allowed == true with input as test_input
+}
+
+test_invalid_branch_blocked if {
+    test_input := {
+        "project": {
+            "scm_branch": "develop"
+        }
+    }
+    aap_policy_examples.project_scm_branch_validation.allowed == false with input as test_input
+}
+
+test_invalid_branch_violation_message if {
+    test_input := {
+        "project": {
+            "scm_branch": "develop"
+        }
+    }
+    aap_policy_examples.project_scm_branch_validation.violations[0] == "Invalid branch: develop. Only named 'main' or 'v1' branches are allowed." with input as test_input
+}