Run buf Policies locally

private/buf/bufctl/controller.go

@@ -65,6 +65,7 @@ type ImageWithConfig interface {
 	LintConfig() bufconfig.LintConfig
 	BreakingConfig() bufconfig.BreakingConfig
 	PluginConfigs() []bufconfig.PluginConfig
+	PolicyConfigs() []bufconfig.PolicyConfig
 
 	isImageWithConfig()
 }
@@ -404,7 +405,10 @@ func (c *controller) GetTargetImageWithConfigsAndCheckClient(
 		}
 		lintConfig := bufconfig.DefaultLintConfigV1
 		breakingConfig := bufconfig.DefaultBreakingConfigV1
-		var pluginConfigs []bufconfig.PluginConfig
+		var (
+			pluginConfigs []bufconfig.PluginConfig
+			policyConfigs []bufconfig.PolicyConfig
+		)
 		pluginKeyProvider := bufplugin.NopPluginKeyProvider
 		bufYAMLFile, err := bufconfig.GetBufYAMLFileForPrefixOrOverride(
 			ctx,
@@ -442,6 +446,7 @@ func (c *controller) GetTargetImageWithConfigsAndCheckClient(
 			// buf.yaml file is found, the PluginConfigs from the buf.yaml file and the PluginKeys
 			// from the buf.lock file are resolved to create the PluginKeyProvider.
 			pluginConfigs = bufYAMLFile.PluginConfigs()
+			policyConfigs = bufYAMLFile.PolicyConfigs()
 			// If a config override is provided, the PluginConfig remote Refs use the BSR
 			// to resolve the PluginKeys. No buf.lock is required.
 			// If the buf.yaml file is not found, the bufplugin.NopPluginKeyProvider is returned.
@@ -485,6 +490,7 @@ func (c *controller) GetTargetImageWithConfigsAndCheckClient(
 				lintConfig,
 				breakingConfig,
 				pluginConfigs,
+				policyConfigs,
 			),
 		}
 		checkClient, err := bufcheck.NewClient(
@@ -495,6 +501,7 @@ func (c *controller) GetTargetImageWithConfigsAndCheckClient(
 			),
 			bufcheck.ClientWithLocalWasmPluginsFromOS(),
 			bufcheck.ClientWithRemoteWasmPlugins(pluginKeyProvider, c.pluginDataProvider),
+			bufcheck.ClientWithLocalPoliciesFromOS(),
 		)
 		if err != nil {
 			return nil, nil, err
@@ -812,6 +819,7 @@ func (c *controller) GetCheckClientForWorkspace(
 			pluginKeyProvider,
 			c.pluginDataProvider,
 		),
+		bufcheck.ClientWithLocalPoliciesFromOS(),
 	)
 }
 
@@ -1182,6 +1190,7 @@ func (c *controller) buildTargetImageWithConfigs(
 				workspace.GetLintConfigForOpaqueID(module.OpaqueID()),
 				workspace.GetBreakingConfigForOpaqueID(module.OpaqueID()),
 				workspace.PluginConfigs(),
+				workspace.PolicyConfigs(),
 			),
 		)
 	}

private/buf/bufctl/image_with_config.go

@@ -28,6 +28,7 @@ type imageWithConfig struct {
 	lintConfig     bufconfig.LintConfig
 	breakingConfig bufconfig.BreakingConfig
 	pluginConfigs  []bufconfig.PluginConfig
+	policyConfigs  []bufconfig.PolicyConfig
 }
 
 func newImageWithConfig(
@@ -37,6 +38,7 @@ func newImageWithConfig(
 	lintConfig bufconfig.LintConfig,
 	breakingConfig bufconfig.BreakingConfig,
 	pluginConfigs []bufconfig.PluginConfig,
+	policyConfigs []bufconfig.PolicyConfig,
 ) *imageWithConfig {
 	return &imageWithConfig{
 		Image:          image,
@@ -45,6 +47,7 @@ func newImageWithConfig(
 		lintConfig:     lintConfig,
 		breakingConfig: breakingConfig,
 		pluginConfigs:  pluginConfigs,
+		policyConfigs:  policyConfigs,
 	}
 }
 
@@ -68,4 +71,8 @@ func (i *imageWithConfig) PluginConfigs() []bufconfig.PluginConfig {
 	return i.pluginConfigs
 }
 
+func (i *imageWithConfig) PolicyConfigs() []bufconfig.PolicyConfig {
+	return i.policyConfigs
+}
+
 func (*imageWithConfig) isImageWithConfig() {}

private/buf/buflsp/file.go

@@ -721,6 +721,7 @@ func (f *file) RunLints(ctx context.Context) bool {
 		f.workspace.GetLintConfigForOpaqueID(f.module.OpaqueID()),
 		f.image,
 		bufcheck.WithPluginConfigs(f.workspace.PluginConfigs()...),
+		bufcheck.WithPolicyConfigs(f.workspace.PolicyConfigs()...),
 	))
 }
 
@@ -749,6 +750,7 @@ func (f *file) RunBreaking(ctx context.Context) bool {
 		f.image,
 		f.againstImage,
 		bufcheck.WithPluginConfigs(f.workspace.PluginConfigs()...),
+		bufcheck.WithPolicyConfigs(f.workspace.PolicyConfigs()...),
 	))
 }
 

private/buf/bufworkspace/workspace.go

@@ -21,6 +21,7 @@ import (
 	"github.com/bufbuild/buf/private/bufpkg/bufmodule"
 	"github.com/bufbuild/buf/private/bufpkg/bufparse"
 	"github.com/bufbuild/buf/private/bufpkg/bufplugin"
+	"github.com/bufbuild/buf/private/bufpkg/bufpolicy"
 )
 
 // Workspace is a buf workspace.
@@ -81,6 +82,14 @@ type Workspace interface {
 	//
 	// These come from the buf.lock file. Only v2 supports plugins.
 	RemotePluginKeys() []bufplugin.PluginKey
+	// PolicyConfigs gets the configured PolicyConfigs of the Workspace.
+	//
+	// These come from the buf.yaml files.
+	PolicyConfigs() []bufconfig.PolicyConfig
+	// RemotePolicyKeys gets the remote PolicyKeys of the Workspace.
+	//
+	// These come from the buf.lock file. Only v2 supports policies.
+	RemotePolicyKeys() []bufpolicy.PolicyKey
 	// ConfiguredDepModuleRefs returns the configured dependencies of the Workspace as Refs.
 	//
 	// These come from buf.yaml files.
@@ -114,6 +123,8 @@ type workspace struct {
 	opaqueIDToBreakingConfig map[string]bufconfig.BreakingConfig
 	pluginConfigs            []bufconfig.PluginConfig
 	remotePluginKeys         []bufplugin.PluginKey
+	policyConfigs            []bufconfig.PolicyConfig
+	remotePolicyKeys         []bufpolicy.PolicyKey
 	configuredDepModuleRefs  []bufparse.Ref
 
 	// If true, the workspace was created from v2 buf.yamls.
@@ -127,6 +138,7 @@ func newWorkspace(
 	opaqueIDToBreakingConfig map[string]bufconfig.BreakingConfig,
 	pluginConfigs []bufconfig.PluginConfig,
 	remotePluginKeys []bufplugin.PluginKey,
+	policyConfigs []bufconfig.PolicyConfig,
 	configuredDepModuleRefs []bufparse.Ref,
 	isV2 bool,
 ) *workspace {
@@ -136,6 +148,7 @@ func newWorkspace(
 		opaqueIDToBreakingConfig: opaqueIDToBreakingConfig,
 		pluginConfigs:            pluginConfigs,
 		remotePluginKeys:         remotePluginKeys,
+		policyConfigs:            policyConfigs,
 		configuredDepModuleRefs:  configuredDepModuleRefs,
 		isV2:                     isV2,
 	}
@@ -157,6 +170,14 @@ func (w *workspace) RemotePluginKeys() []bufplugin.PluginKey {
 	return slices.Clone(w.remotePluginKeys)
 }
 
+func (w *workspace) PolicyConfigs() []bufconfig.PolicyConfig {
+	return slices.Clone(w.policyConfigs)
+}
+
+func (w *workspace) RemotePolicyKeys() []bufpolicy.PolicyKey {
+	return slices.Clone(w.remotePolicyKeys)
+}
+
 func (w *workspace) ConfiguredDepModuleRefs() []bufparse.Ref {
 	return slices.Clone(w.configuredDepModuleRefs)
 }

private/buf/bufworkspace/workspace_provider.go

@@ -149,6 +149,7 @@ func (w *workspaceProvider) GetWorkspaceForModuleKey(
 	var (
 		pluginConfigs    []bufconfig.PluginConfig
 		remotePluginKeys []bufplugin.PluginKey
+		policyConfigs    []bufconfig.PolicyConfig
 	)
 	if config.configOverride != "" {
 		bufYAMLFile, err := bufconfig.GetBufYAMLFileForOverride(config.configOverride)
@@ -205,6 +206,8 @@ func (w *workspaceProvider) GetWorkspaceForModuleKey(
 					return nil, err
 				}
 			}
+
+			policyConfigs = bufYAMLFile.PolicyConfigs()
 		}
 	}
 
@@ -243,6 +246,7 @@ func (w *workspaceProvider) GetWorkspaceForModuleKey(
 		opaqueIDToBreakingConfig,
 		pluginConfigs,
 		remotePluginKeys,
+		policyConfigs,
 		nil,
 		false,
 	), nil
@@ -408,6 +412,7 @@ func (w *workspaceProvider) getWorkspaceForBucketAndModuleDirPathsV1Beta1OrV1(
 		v1WorkspaceTargeting.bucketIDToModuleConfig,
 		nil, // No PluginConfigs for v1
 		nil, // No remote PluginKeys for v1
+		nil, // No PolicyConfigs for v1
 		v1WorkspaceTargeting.allConfiguredDepModuleRefs,
 		false,
 	)
@@ -507,6 +512,7 @@ func (w *workspaceProvider) getWorkspaceForBucketBufYAMLV2(
 		v2Targeting.bucketIDToModuleConfig,
 		v2Targeting.bufYAMLFile.PluginConfigs(),
 		remotePluginKeys,
+		v2Targeting.bufYAMLFile.PolicyConfigs(),
 		v2Targeting.bufYAMLFile.ConfiguredDepModuleRefs(),
 		true,
 	)
@@ -518,6 +524,7 @@ func (w *workspaceProvider) getWorkspaceForBucketModuleSet(
 	bucketIDToModuleConfig map[string]bufconfig.ModuleConfig,
 	pluginConfigs []bufconfig.PluginConfig,
 	remotePluginKeys []bufplugin.PluginKey,
+	policyConfigs []bufconfig.PolicyConfig,
 	// Expected to already be unique by FullName.
 	configuredDepModuleRefs []bufparse.Ref,
 	isV2 bool,
@@ -544,6 +551,7 @@ func (w *workspaceProvider) getWorkspaceForBucketModuleSet(
 		opaqueIDToBreakingConfig,
 		pluginConfigs,
 		remotePluginKeys,
+		policyConfigs,
 		configuredDepModuleRefs,
 		isV2,
 	), nil

private/buf/cmd/buf/command/breaking/breaking.go

@@ -286,6 +286,7 @@ func run(
 	for i, imageWithConfig := range imageWithConfigs {
 		breakingOptions := []bufcheck.BreakingOption{
 			bufcheck.WithPluginConfigs(imageWithConfig.PluginConfigs()...),
+			bufcheck.WithPolicyConfigs(imageWithConfig.PolicyConfigs()...),
 			bufcheck.WithRelatedCheckConfigs(allCheckConfigs...),
 		}
 		if flags.ExcludeImports {

private/buf/cmd/buf/command/lint/lint.go

@@ -150,6 +150,7 @@ func run(
 	for _, imageWithConfig := range imageWithConfigs {
 		lintOptions := []bufcheck.LintOption{
 			bufcheck.WithPluginConfigs(imageWithConfig.PluginConfigs()...),
+			bufcheck.WithPolicyConfigs(imageWithConfig.PolicyConfigs()...),
 			bufcheck.WithRelatedCheckConfigs(allCheckConfigs...),
 		}
 		if err := checkClient.Lint(

private/bufpkg/bufanalysis/bufanalysis.go

@@ -149,6 +149,11 @@ type FileAnnotation interface {
 	// May be empty if this annotation did not originate from a plugin.
 	// This may be added to the printed message field for certain printers.
 	PluginName() string
+	// PolicyName is the name of the policy that the annotation originated from.
+	//
+	// May be empty if this annotation did not originate from a policy.
+	// This may be added to the printed message field for certain printers.
+	PolicyName() string
 
 	isFileAnnotation()
 }
@@ -163,6 +168,7 @@ func NewFileAnnotation(
 	typeString string,
 	message string,
 	pluginName string,
+	policyName string,
 ) FileAnnotation {
 	return newFileAnnotation(
 		fileInfo,
@@ -173,6 +179,7 @@ func NewFileAnnotation(
 		typeString,
 		message,
 		pluginName,
+		policyName,
 	)
 }
 

private/bufpkg/bufanalysis/bufanalysistesting/bufanalysistesting.go

@@ -44,6 +44,7 @@ func NewFileAnnotationNoLocation(
 	t *testing.T,
 	path string,
 	typeString string,
+	options ...FileAnnotationOption,
 ) bufanalysis.FileAnnotation {
 	return NewFileAnnotation(
 		t,
@@ -53,6 +54,7 @@ func NewFileAnnotationNoLocation(
 		1,
 		1,
 		typeString,
+		options...,
 	)
 }
 
@@ -65,6 +67,7 @@ func NewFileAnnotation(
 	endLine int,
 	endColumn int,
 	typeString string,
+	options ...FileAnnotationOption,
 ) bufanalysis.FileAnnotation {
 	return newFileAnnotation(
 		t,
@@ -74,11 +77,27 @@ func NewFileAnnotation(
 		endLine,
 		endColumn,
 		typeString,
-		"",
-		"",
+		"", // message
+		options...,
 	)
 }
 
+type FileAnnotationOption func(*fileAnnotationOptions)
+
+// WithPluginName returns a FileAnnotationOption that sets the plugin name.
+func WithPluginName(pluginName string) FileAnnotationOption {
+	return func(options *fileAnnotationOptions) {
+		options.pluginName = pluginName
+	}
+}
+
+// WithPolicyName returns a FileAnnotationOption that sets the policy name.
+func WithPolicyName(policyName string) FileAnnotationOption {
+	return func(options *fileAnnotationOptions) {
+		options.policyName = policyName
+	}
+}
+
 func newFileAnnotation(
 	t *testing.T,
 	path string,
@@ -88,8 +107,12 @@ func newFileAnnotation(
 	endColumn int,
 	typeString string,
 	message string,
-	pluginName string,
+	options ...FileAnnotationOption,
 ) bufanalysis.FileAnnotation {
+	fileAnnotationOptions := &fileAnnotationOptions{}
+	for _, option := range options {
+		option(fileAnnotationOptions)
+	}
 	var fileInfo bufanalysis.FileInfo
 	if path != "" {
 		fileInfo = newFileInfo(path)
@@ -102,10 +125,17 @@ func newFileAnnotation(
 		endColumn,
 		typeString,
 		message,
-		pluginName,
+		fileAnnotationOptions.pluginName,
+		fileAnnotationOptions.policyName,
 	)
 }
 
+// fileAnnotationOptions holds the options for a FileAnnotation.
+type fileAnnotationOptions struct {
+	pluginName string
+	policyName string
+}
+
 // AssertFileAnnotationsEqual asserts that the annotations are equal minus the message.
 func AssertFileAnnotationsEqual(
 	t *testing.T,
@@ -138,13 +168,15 @@ func AssertFileAnnotationsEqual(
 					)
 				}
 			} else {
-				t.Logf("    bufanalysistesting.NewFileAnnotation(t, %q, %d, %d, %d, %d, %q),",
+				t.Logf("    bufanalysistesting.NewFileAnnotation(t, %q, %d, %d, %d, %d, %q, %q %q),",
 					path,
 					annotation.StartLine(),
 					annotation.StartColumn(),
 					annotation.EndLine(),
 					annotation.EndColumn(),
 					annotation.Type(),
+					annotation.PluginName(),
+					annotation.PolicyName(),
 				)
 			}
 		}
@@ -172,7 +204,8 @@ func normalizeFileAnnotations(
 			a.EndColumn(),
 			a.Type(),
 			"",
-			"",
+			a.PluginName(),
+			a.PolicyName(),
 		)
 	}
 	return normalizedFileAnnotations