Merge pull request #1429 from joejstuart/EC-1338

Add pipeline_intention field to rule metadata

Author: joejstuart

antora/docs/modules/ROOT/pages/packages/release_olm.adoc

@@ -43,7 +43,7 @@ Each image referenced by the OLM bundle should match an entry in the list of pre
 * FAILURE message: `The %q CSV image reference is not from an allowed registry.`
 * Code: `olm.allowed_registries`
 * Effective from: `2024-09-01T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L288[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L304[Source, window="_blank"]
 
 [#olm__olm_bundle_multi_arch]
 === link:#olm__olm_bundle_multi_arch[OLM bundle images are not multi-arch]
@@ -56,7 +56,7 @@ OLM bundle images should be built for a single architecture. They should not be
 * FAILURE message: `The %q bundle image is a multi-arch reference.`
 * Code: `olm.olm_bundle_multi_arch`
 * Effective from: `2025-5-01T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L321[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L337[Source, window="_blank"]
 
 [#olm__allowed_registries_related]
 === link:#olm__allowed_registries_related[Related images references are from allowed registries]
@@ -69,7 +69,7 @@ Each image indicated as a related image should match an entry in the list of pre
 * FAILURE message: `The %q related image reference is not from an allowed registry.`
 * Code: `olm.allowed_registries_related`
 * Effective from: `2025-04-15T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L218[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L230[Source, window="_blank"]
 
 [#olm__required_olm_features_annotations_provided]
 === link:#olm__required_olm_features_annotations_provided[Required OLM feature annotations list provided]
@@ -105,7 +105,7 @@ Check the input image for the presence of related images. Ensure that all images
 * FAILURE message: `The %q related image reference is not accessible.`
 * Code: `olm.inaccessible_related_images`
 * Effective from: `2025-03-10T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L188[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L196[Source, window="_blank"]
 
 [#olm__unmapped_references]
 === link:#olm__unmapped_references[Unmapped images in OLM bundle]
@@ -118,7 +118,7 @@ Check the OLM bundle image for the presence of unmapped image references. Unmapp
 * FAILURE message: `The %q CSV image reference is not in the snapshot or accessible.`
 * Code: `olm.unmapped_references`
 * Effective from: `2024-08-15T00:00:00Z`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L248[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L260[Source, window="_blank"]
 
 [#olm__unpinned_references]
 === link:#olm__unpinned_references[Unpinned images in OLM bundle]
@@ -155,4 +155,4 @@ Check the input image for the presence of related images. Ensure all related ima
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%d related images are not pinned with a digest: %s.`
 * Code: `olm.unpinned_related_images`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L156[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/olm/olm.rego#L160[Source, window="_blank"]

antora/docs/modules/ROOT/pages/packages/release_schedule.adoc

@@ -18,7 +18,7 @@ Check if the current date is not allowed based on the rule data value from the k
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s is a disallowed date: %s`
 * Code: `schedule.date_restriction`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/schedule/schedule.rego#L38[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/schedule/schedule.rego#L41[Source, window="_blank"]
 
 [#schedule__rule_data_provided]
 === link:#schedule__rule_data_provided[Rule data provided]
@@ -30,7 +30,7 @@ Confirm the expected rule data keys have been provided in the expected format. T
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `schedule.rule_data_provided`
-* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/schedule/schedule.rego#L62[Source, window="_blank"]
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/schedule/schedule.rego#L68[Source, window="_blank"]
 
 [#schedule__weekday_restriction]
 === link:#schedule__weekday_restriction[Weekday Restriction]

policy/lib/result_helper.rego policy/lib/metadata_helper.regopolicy/lib/result_helper.rego renamed to policy/lib/metadata_helper.rego

@@ -4,6 +4,16 @@ import rego.v1
 
 import data.lib.time as time_lib
 
+# The first entry in the chain always points to the active rule, even if it has
+# no declared annotations (in which case the annotations member is not present).
+# Thus, result_helper assumes every rule defines annotations. At the very least
+# custom.short_name must be present.
+_rule_annotations(chain) := chain[0].annotations
+
+pipeline_intention_match(chain) if {
+	rule_data("pipeline_intention") in _rule_annotations(chain).custom.pipeline_intention
+} else := false
+
 result_helper(chain, failure_sprintf_params) := result if {
 	with_collections := {"collections": _rule_annotations(chain).custom.collections}
 	result := object.union(_basic_result(chain, failure_sprintf_params), with_collections)
@@ -39,12 +49,6 @@ _code(chain) := code if {
 	code := sprintf("%s.%s", [pkg_name, rule_name])
 }
 
-# The first entry in the chain always points to the active rule, even if it has
-# no declared annotations (in which case the annotations member is not present).
-# Thus, result_helper assumes every rule defines annotations. At the very least
-# custom.short_name must be present.
-_rule_annotations(chain) := chain[0].annotations
-
 _pkg_name(rule_path) := name if {
 	# "data" is automatically added by rego.
 	p1 := _left_strip_elements(["data"], rule_path)

policy/lib/metadata_helper_test.rego

@@ -0,0 +1,250 @@
+package lib_test
+
+import rego.v1
+
+import data.lib
+
+test_rule_annotations_with_annotations if {
+	rule_annotations := {"custom": {
+		"short_name": "TestRule",
+		"failure_msg": "Test failure message",
+		"pipeline_intention": ["build", "test"],
+	}}
+
+	chain := [
+		{"annotations": rule_annotations, "path": ["data", "test", "deny"]},
+		{"annotations": {}, "path": ["ignored", "path"]},
+	]
+
+	lib.assert_equal(rule_annotations, lib._rule_annotations(chain))
+}
+
+test_rule_annotations_empty_annotations if {
+	empty_annotations := {}
+
+	chain := [
+		{"annotations": empty_annotations, "path": ["data", "test", "deny"]},
+		{"annotations": {"some": "other"}, "path": ["ignored", "path"]},
+	]
+
+	lib.assert_equal(empty_annotations, lib._rule_annotations(chain))
+}
+
+test_rule_annotations_only_first_entry if {
+	first_rule_annotations := {"custom": {"short_name": "FirstRule"}}
+	second_rule_annotations := {"custom": {"short_name": "SecondRule"}}
+
+	chain := [
+		{"annotations": first_rule_annotations, "path": ["data", "test", "deny"]},
+		{"annotations": second_rule_annotations, "path": ["other", "path"]},
+	]
+
+	# Should only return annotations from the first entry
+	lib.assert_equal(first_rule_annotations, lib._rule_annotations(chain))
+}
+
+test_rule_annotations_single_entry_chain if {
+	rule_annotations := {"custom": {"short_name": "SingleRule"}}
+
+	chain := [{"annotations": rule_annotations, "path": ["data", "single", "deny"]}]
+
+	lib.assert_equal(rule_annotations, lib._rule_annotations(chain))
+}
+
+test_pipeline_intention_match_with_matching_intention if {
+	rule_annotations := {"custom": {
+		"short_name": "TestRule",
+		"pipeline_intention": ["build", "release", "test"],
+	}}
+
+	chain := [{"annotations": rule_annotations, "path": ["data", "test", "deny"]}]
+
+	# When rule_data("pipeline_intention") matches one of the pipeline_intention values
+	lib.assert_equal(true, lib.pipeline_intention_match(chain)) with data.rule_data.pipeline_intention as "release"
+}
+
+test_pipeline_intention_match_with_non_matching_intention if {
+	rule_annotations := {"custom": {
+		"short_name": "TestRule",
+		"pipeline_intention": ["build", "test"],
+	}}
+
+	chain := [{"annotations": rule_annotations, "path": ["data", "test", "deny"]}]
+
+	# When rule_data("pipeline_intention") doesn't match any of the pipeline_intention values
+	lib.assert_equal(false, lib.pipeline_intention_match(chain)) with data.rule_data.pipeline_intention as "release"
+}
+
+test_pipeline_intention_match_with_empty_pipeline_intention if {
+	rule_annotations := {"custom": {
+		"short_name": "TestRule",
+		"pipeline_intention": [],
+	}}
+
+	chain := [{"annotations": rule_annotations, "path": ["data", "test", "deny"]}]
+
+	# When pipeline_intention is an empty list, should return false
+	lib.assert_equal(false, lib.pipeline_intention_match(chain)) with data.rule_data.pipeline_intention as "release"
+}
+
+test_pipeline_intention_match_without_pipeline_intention_field if {
+	rule_annotations := {"custom": {
+		"short_name": "TestRule",
+		"failure_msg": "Some failure message",
+	}}
+
+	chain := [{"annotations": rule_annotations, "path": ["data", "test", "deny"]}]
+
+	# When pipeline_intention field is missing, should return false
+	lib.assert_equal(false, lib.pipeline_intention_match(chain)) with data.rule_data.pipeline_intention as "release"
+}
+
+test_pipeline_intention_match_without_custom_field if {
+	rule_annotations := {"other": {"some_field": "value"}}
+
+	chain := [{"annotations": rule_annotations, "path": ["data", "test", "deny"]}]
+
+	# When custom field is missing, should return false
+	lib.assert_equal(false, lib.pipeline_intention_match(chain)) with data.rule_data.pipeline_intention as "release"
+}
+
+test_pipeline_intention_match_with_null_rule_data if {
+	rule_annotations := {"custom": {
+		"short_name": "TestRule",
+		"pipeline_intention": ["build", "release", "test"],
+	}}
+
+	chain := [{"annotations": rule_annotations, "path": ["data", "test", "deny"]}]
+
+	# When rule_data("pipeline_intention") is null, should return false
+	lib.assert_equal(false, lib.pipeline_intention_match(chain)) with data.rule_data.pipeline_intention as null
+}
+
+test_pipeline_intention_match_with_multiple_matching_intentions if {
+	rule_annotations := {"custom": {
+		"short_name": "TestRule",
+		"pipeline_intention": ["build", "release", "production", "test"],
+	}}
+
+	chain := [{"annotations": rule_annotations, "path": ["data", "test", "deny"]}]
+
+	# When rule_data("pipeline_intention") matches one of multiple pipeline_intention values
+	lib.assert_equal(true, lib.pipeline_intention_match(chain)) with data.rule_data.pipeline_intention as "production"
+}
+
+test_pipeline_intention_match_case_sensitivity if {
+	rule_annotations := {"custom": {
+		"short_name": "TestRule",
+		"pipeline_intention": ["Build", "Release"],
+	}}
+
+	chain := [{"annotations": rule_annotations, "path": ["data", "test", "deny"]}]
+
+	# Case sensitivity should be preserved
+	lib.assert_equal(false, lib.pipeline_intention_match(chain)) with data.rule_data.pipeline_intention as "release"
+	lib.assert_equal(true, lib.pipeline_intention_match(chain)) with data.rule_data.pipeline_intention as "Release"
+}
+
+test_result_helper if {
+	expected_result := {
+		"code": "oh.Hey",
+		"effective_on": "2022-01-01T00:00:00Z",
+		"msg": "Bad thing foo",
+	}
+
+	rule_annotations := {"custom": {
+		"short_name": "Hey",
+		"failure_msg": "Bad thing %s",
+	}}
+
+	chain := [
+		{"annotations": rule_annotations, "path": ["data", "oh", "deny"]},
+		{"annotations": {}, "path": ["ignored", "ignored"]}, # Actually not needed any more
+	]
+
+	lib.assert_equal(expected_result, lib.result_helper(chain, ["foo"]))
+}
+
+test_result_helper_without_package_annotation if {
+	expected_result := {
+		"code": "package_name.Hey", # Fixme
+		"effective_on": "2022-01-01T00:00:00Z",
+		"msg": "Bad thing foo",
+	}
+
+	rule_annotations := {"custom": {
+		"short_name": "Hey",
+		"failure_msg": "Bad thing %s",
+	}}
+
+	chain := [{"annotations": rule_annotations, "path": ["package_name", "deny"]}]
+
+	lib.assert_equal(expected_result, lib.result_helper(chain, ["foo"]))
+}
+
+test_result_helper_with_collections if {
+	expected := {
+		"code": "some.path.oh.Hey",
+		"collections": ["spam"],
+		"effective_on": "2022-01-01T00:00:00Z",
+		"msg": "Bad thing foo",
+	}
+
+	rule_annotations := {"custom": {
+		"collections": ["spam"],
+		"short_name": "Hey",
+		"failure_msg": "Bad thing %s",
+	}}
+
+	chain := [
+		{"annotations": rule_annotations, "path": ["some", "path", "oh", "deny"]},
+		{"annotations": {}, "path": ["ignored", "ignored"]}, # Actually not needed any more
+	]
+
+	lib.assert_equal(expected, lib.result_helper(chain, ["foo"]))
+}
+
+test_result_helper_with_term if {
+	expected := {
+		"code": "path.oh.Hey",
+		"term": "ola",
+		"effective_on": "2022-01-01T00:00:00Z",
+		"msg": "Bad thing foo",
+	}
+
+	rule_annotations := {"custom": {
+		"short_name": "Hey",
+		"failure_msg": "Bad thing %s",
+	}}
+
+	chain := [
+		{"annotations": rule_annotations, "path": ["data", "path", "oh", "deny"]},
+		{"annotations": {}, "path": ["ignored", "also_ignored"]},
+	]
+
+	lib.assert_equal(expected, lib.result_helper_with_term(chain, ["foo"], "ola"))
+}
+
+test_result_helper_pkg_name if {
+	# "Normal" for policy repo
+	lib.assert_equal("foo", lib._pkg_name(["data", "foo", "deny"]))
+	lib.assert_equal("foo", lib._pkg_name(["data", "foo", "warn"]))
+
+	# Long package paths are retained
+	lib.assert_equal("another.foo.bar", lib._pkg_name(["data", "another", "foo", "bar", "deny"]))
+	lib.assert_equal("another.foo.bar", lib._pkg_name(["data", "another", "foo", "bar", "warn"]))
+
+	# Unlikely edge case: No deny or warn
+	lib.assert_equal("foo", lib._pkg_name(["data", "foo"]))
+	lib.assert_equal("foo.bar", lib._pkg_name(["data", "foo", "bar"]))
+
+	# Unlikely edge case: No data
+	lib.assert_equal("foo", lib._pkg_name(["foo", "deny"]))
+	lib.assert_equal("foo.bar", lib._pkg_name(["foo", "bar", "warn"]))
+
+	# Very unlikely edge case: Just to illustrate how deny/warn/data are stripped once
+	lib.assert_equal("foo", lib._pkg_name(["data", "foo", "warn", "deny"]))
+	lib.assert_equal("foo.deny", lib._pkg_name(["data", "foo", "deny", "warn"]))
+	lib.assert_equal("foo.warn", lib._pkg_name(["data", "foo", "warn", "warn"]))
+	lib.assert_equal("data.foo.warn.deny", lib._pkg_name(["data", "data", "foo", "warn", "deny", "warn"]))
+}