ansible · ffirg · Apr 7, 2025 · Apr 7, 2025 · Apr 7, 2025 · Apr 7, 2025
diff --git a/aap_policy_examples/github_repo_validation.rego b/aap_policy_examples/github_repo_validation.rego
@@ -0,0 +1,36 @@
+package aap_policy_examples
+
+import rego.v1
+
+# Define list of allowed GitHub repositories
+allowed_github_repos := [
+    "organization/repo1",
+    "organization/repo2"
+]
+
+# Default policy response indicating allowed status with no violations
+default github_repo_validation := {
+    "allowed": true,
+    "violations": [],
+}
+
+# Validate that the GitHub repository is in the whitelist
+github_repo_validation := result if {
+    # Extract SCM URL from input
+    scm_url := object.get(input, ["project", "scm_url"], "")
+
+    # Extract repository path from URL
+    parts := split(scm_url, "/")
+    count_parts := count(parts)
+    org := parts[count_parts-2]
+    repo_name := trim_suffix(parts[count_parts-1], ".git")
+    repo_path := concat("/", [org, repo_name])
+
+    # Check if repo path is not in the whitelist
+    not repo_path in allowed_github_repos
+
+    result := {
+        "allowed": false,
+        "violations": [sprintf("Repository '%v' is not in the allowed list", [repo_path])],
+    }
+}
diff --git a/aap_policy_examples/jt_naming_validation.rego b/aap_policy_examples/jt_naming_validation.rego
@@ -0,0 +1,29 @@
+package aap_policy_examples
+
+import rego.v1
+import future.keywords.in
+
+# Default policy response indicating allowed status with no violations
+default jt_naming_validation := {
+    "allowed": true,
+    "violations": [],
+}
+
+# Validate that job template name has correct organization and project name prefixes
+jt_naming_validation := result if {
+    # Extract values from input
+    org_name := object.get(input, ["organization", "name"], "")
+    project_name := object.get(input, ["project", "name"], "")
+    jt_name := object.get(input, ["job_template", "name"], "")
+
+    # Construct the expected prefix
+    expected_prefix := concat("_", [org_name, project_name])
+
+    # Check if job template name starts with expected prefix
+    not startswith(jt_name, expected_prefix)
+
+    result := {
+        "allowed": false,
+        "violations": [sprintf("Job template naming for '%v' does not comply with standards", [jt_name])]
+    }
+}
diff --git a/aap_policy_examples/project_scm_branch.rego b/aap_policy_examples/project_scm_branch.rego
@@ -0,0 +1,32 @@
+package aap_policy_examples
+
+import rego.v1
+
+# Define allowed values for project.scm_branch
+valid_project_scm_branch_values := ["main", "v1"]
+
+# Default policy response indicating allowed status with no violations
+default project_scm_branch_validation := {
+	"allowed": true,
+	"violations": [],
+}
+
+# Evaluate branch_validation to check if project.scm_branch value is allowed
+project_scm_branch_validation := result if {
+	# Extract project.scm_branch from input
+	branch := object.get(input, ["project", "scm_branch"], "")
+
+	# Check if branch value is not in the allowed list
+	not allowed_branch(branch)
+
+	result := {
+		"allowed": false,
+		"violations": [sprintf("Invalid branch: %v. Only named 'main' or 'v1' branches are allowed.", [branch])],
+	}
+}
+
+# Check if a given branch value is allowed
+allowed_branch(branch) if {
+	some allowed_value in valid_project_scm_branch_values
+	branch == allowed_value
+}