Skip to content

Commit 6f4868b

Browse files
joejstuartclaude
andcommitted
test: add OPA evaluator acceptance test scenarios
Add validate_image_opa.feature (7 scenarios) and validate_input_opa.feature (2 scenarios) that exercise the OPA evaluator end-to-end via EC_USE_OPA=1. Covers happy day, rejection, multiple sources, rule filtering, future deny conversion, volatile config, and input validation paths. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 4a562f1 commit 6f4868b

2 files changed

Lines changed: 208 additions & 0 deletions

File tree

Lines changed: 162 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,162 @@
1+
Feature: evaluate enterprise contract with OPA evaluator
2+
The ec command line should produce correct results using the OPA evaluator
3+
4+
Background:
5+
Given the environment variable is set "EC_USE_OPA=1"
6+
Given a stub cluster running
7+
Given stub rekord running
8+
Given stub registry running
9+
Given stub git daemon running
10+
Given stub tuf running
11+
12+
Scenario: OPA happy day
13+
Given a key pair named "known"
14+
Given an image named "acceptance/opa-happy-day"
15+
Given a valid image signature of "acceptance/opa-happy-day" image signed by the "known" key
16+
Given a valid attestation of "acceptance/opa-happy-day" signed by the "known" key
17+
Given a git repository named "happy-day-policy" with
18+
| main.rego | examples/happy_day.rego |
19+
Given policy configuration named "ec-policy" with specification
20+
"""
21+
{
22+
"sources": [
23+
{
24+
"policy": [
25+
"git::https://${GITHOST}/git/happy-day-policy.git"
26+
]
27+
}
28+
]
29+
}
30+
"""
31+
When ec command is run with "validate image --image ${REGISTRY}/acceptance/opa-happy-day --policy acceptance/ec-policy --public-key ${known_PUBLIC_KEY} --rekor-url ${REKOR} --show-successes --output json"
32+
Then the exit status should be 0
33+
Then the output should match the snapshot
34+
35+
Scenario: OPA rejection
36+
Given a key pair named "known"
37+
Given an image named "acceptance/opa-reject"
38+
Given a valid image signature of "acceptance/opa-reject" image signed by the "known" key
39+
Given a valid attestation of "acceptance/opa-reject" signed by the "known" key
40+
Given a git repository named "reject-policy" with
41+
| main.rego | examples/reject.rego |
42+
Given policy configuration named "ec-policy" with specification
43+
"""
44+
{
45+
"sources": [
46+
{
47+
"policy": [
48+
"git::https://${GITHOST}/git/reject-policy.git"
49+
]
50+
}
51+
]
52+
}
53+
"""
54+
When ec command is run with "validate image --image ${REGISTRY}/acceptance/opa-reject --policy acceptance/ec-policy --public-key ${known_PUBLIC_KEY} --rekor-url ${REKOR} --show-successes --output json"
55+
Then the exit status should be 1
56+
Then the output should match the snapshot
57+
58+
Scenario: OPA multiple policy sources
59+
Given a key pair named "known"
60+
Given an image named "acceptance/opa-multiple-sources"
61+
Given a valid image signature of "acceptance/opa-multiple-sources" image signed by the "known" key
62+
Given a valid attestation of "acceptance/opa-multiple-sources" signed by the "known" key
63+
Given a git repository named "repository1" with
64+
| main.rego | examples/happy_day.rego |
65+
Given a git repository named "repository2" with
66+
| main.rego | examples/reject.rego |
67+
Given a git repository named "repository3" with
68+
| main.rego | examples/warn.rego |
69+
Given policy configuration named "ec-policy" with specification
70+
"""
71+
{
72+
"sources": [
73+
{ "policy": ["git::https://${GITHOST}/git/repository1.git"] },
74+
{ "policy": ["git::https://${GITHOST}/git/repository2.git"] },
75+
{ "policy": ["git::https://${GITHOST}/git/repository3.git"] }
76+
]
77+
}
78+
"""
79+
When ec command is run with "validate image --image ${REGISTRY}/acceptance/opa-multiple-sources --policy acceptance/ec-policy --public-key ${known_PUBLIC_KEY} --rekor-url ${REKOR} --show-successes --output json"
80+
Then the exit status should be 1
81+
Then the output should match the snapshot
82+
83+
Scenario: OPA policy rule filtering
84+
Given a key pair named "known"
85+
Given an image named "acceptance/opa-filtering"
86+
Given a valid image signature of "acceptance/opa-filtering" image signed by the "known" key
87+
Given a valid attestation of "acceptance/opa-filtering" signed by the "known" key
88+
Given a git repository named "happy-day-policy" with
89+
| filtering.rego | examples/filtering.rego |
90+
Given policy configuration named "ec-policy" with specification
91+
"""
92+
{
93+
"sources": [
94+
{
95+
"policy": [
96+
"git::https://${GITHOST}/git/happy-day-policy.git"
97+
],
98+
"config": {
99+
"include": ["@stamps", "filtering.always_pass"],
100+
"exclude": ["filtering.always_fail", "filtering.always_fail_with_collection"]
101+
}
102+
}
103+
]
104+
}
105+
"""
106+
When ec command is run with "validate image --image ${REGISTRY}/acceptance/opa-filtering --policy acceptance/ec-policy --public-key ${known_PUBLIC_KEY} --rekor-url ${REKOR} --show-successes --output json"
107+
Then the exit status should be 0
108+
Then the output should match the snapshot
109+
110+
Scenario: OPA future failure is converted to a warning
111+
Given a key pair named "known"
112+
Given an image named "acceptance/opa-future-deny"
113+
Given a valid image signature of "acceptance/opa-future-deny" image signed by the "known" key
114+
Given a valid attestation of "acceptance/opa-future-deny" signed by the "known" key
115+
Given a git repository named "future-deny-policy" with
116+
| main.rego | examples/future_deny.rego |
117+
When ec command is run with "validate image --image ${REGISTRY}/acceptance/opa-future-deny --policy {"sources":[{"policy":["git::https://${GITHOST}/git/future-deny-policy.git"]}]} --public-key ${known_PUBLIC_KEY} --rekor-url ${REKOR} --show-successes --output json"
118+
Then the exit status should be 0
119+
Then the output should match the snapshot
120+
121+
Scenario: OPA volatile config warnings
122+
Given a key pair named "known"
123+
Given an image named "acceptance/opa-volatile-config"
124+
Given a valid image signature of "acceptance/opa-volatile-config" image signed by the "known" key
125+
Given a valid attestation of "acceptance/opa-volatile-config" signed by the "known" key
126+
Given a git repository named "volatile-config-policy" with
127+
| main.rego | examples/volatile_config_warnings.rego |
128+
Given policy configuration named "ec-policy" with specification
129+
"""
130+
{
131+
"sources": [
132+
{
133+
"name": "volatile-test-source",
134+
"policy": [
135+
"git::https://${GITHOST}/git/volatile-config-policy.git"
136+
],
137+
"volatileConfig": {
138+
"exclude": [
139+
{
140+
"value": "test.rule_with_no_expiration"
141+
},
142+
{
143+
"value": "test.rule_expiring_soon",
144+
"effectiveUntil": "2099-12-31T23:59:59Z"
145+
},
146+
{
147+
"value": "test.rule_pending_activation",
148+
"effectiveOn": "2099-01-01T00:00:00Z"
149+
},
150+
{
151+
"value": "test.component_scoped_rule",
152+
"componentNames": ["Unnamed"]
153+
}
154+
]
155+
}
156+
}
157+
]
158+
}
159+
"""
160+
When ec command is run with "validate image --image ${REGISTRY}/acceptance/opa-volatile-config --policy acceptance/ec-policy --public-key ${known_PUBLIC_KEY} --ignore-rekor --output json"
161+
Then the exit status should be 0
162+
Then the output should match the snapshot
Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
Feature: validate input with OPA evaluator
2+
The ec command line should produce correct results for input validation using the OPA evaluator
3+
4+
Background:
5+
Given the environment variable is set "EC_USE_OPA=1"
6+
Given stub git daemon running
7+
8+
Scenario: OPA valid policy URL
9+
Given a git repository named "happy-day-config" with
10+
| policy.yaml | examples/happy_config.yaml |
11+
Given a git repository named "happy-day-policy" with
12+
| main.rego | examples/happy_day.rego |
13+
Given a pipeline definition file named "pipeline_definition.yaml" containing
14+
"""
15+
---
16+
apiVersion: tekton.dev/v1
17+
kind: Pipeline
18+
metadata:
19+
name: basic-build
20+
spec:
21+
tasks:
22+
- name: appstudio-init
23+
taskRef:
24+
name: init
25+
version: "0.1"
26+
"""
27+
When ec command is run with "validate input --file pipeline_definition.yaml --policy git::https://${GITHOST}/git/happy-day-config.git --output json"
28+
Then the exit status should be 0
29+
Then the output should match the snapshot
30+
31+
Scenario: OPA policy with multiple sources
32+
Given a git repository named "multiple-sources-config" with
33+
| policy.yaml | examples/multiple_sources_config.yaml |
34+
Given a git repository named "spam-policy" with
35+
| main.rego | examples/spam.rego |
36+
Given a git repository named "ham-policy" with
37+
| main.rego | examples/ham.rego |
38+
Given a pipeline definition file named "input.yaml" containing
39+
"""
40+
---
41+
spam: false
42+
ham: rotten
43+
"""
44+
When ec command is run with "validate input --file input.yaml --policy git::https://${GITHOST}/git/multiple-sources-config.git --output json"
45+
Then the exit status should be 1
46+
Then the output should match the snapshot

0 commit comments

Comments
 (0)