Lennard Eijsackers Blokje5 DataWorkz Leiden, Netherlands www.blokje5.dev

open-policy-agent/conftest 1336

Write tests against structured configuration data using the Open Policy Agent Rego query language

Blokje5/validating-terraform-with-conftest 9

Example Code along with the blog post at https://blokje5/dev

Blokje5/terraform-deployment-pipeline 5

Repository containing a set of policies for aws resources created with terraform

cryptobitsbytes/CryptoCrawler 2

Node.js Ticker crawler

Blokje5/aws-conftest-plugin 1

A Conftest plugin for validating AWS resources with Open Policy Agent.

Blokje5/blokje5.dev 1

Repository containing the code for my personal blog

Blokje5/BashUtils 0

Utilities for Bash

Blokje5/conftest 0

Write tests against structured configuration data using the Rego query language

started abalki001/mariadb-operator

started time in 16 hours


push event open-policy-agent/conftest

John Reese

commit sha 01ab5c8cbb931b77fbe874f0c7769ca185cd1ff0

Fix plugins on Windows (#400) * Fix plugins on Windows Signed-off-by: John Reese <john@reese.dev> * Run tidy Signed-off-by: John Reese <john@reese.dev>


push time in 2 days

PR merged open-policy-agent/conftest

Fix plugins on Windows

Noticed when I was on my Windows machine that plugins were not working as expected and the acceptance testing was failing.

This PR gets plugins working on Windows and additionally, should provide a better experience when using the plugin package. Most of the semantics were left in place, but a lot of the underlying mechanics were adjusted.

  • Removed the Metadata type in favor of a single Plugin type. A plugin can be fully described by a single type and we can build behaviors off of that type.

  • Renamed Download to Install to more accurately reflect the operation.

  • Consolidated the kubectl plugin that was in the examples folder to the contrib/plugins/kubectl folder. There were two copies of this plugin and both were in a half-state.

  • When attempting to install a plugin from either a directory or URL, the source plugin will now be validated before adding the plugin to the cache.

    • from URL: The plugin will first be downloaded to a temporary folder and then its configuration file will be validated. If a configuration file is not present or valid, the plugin is not added to the cache.
    • from Directory: Before creating the symlink in the plugin cache, the source plugin must first have a valid configuration file.
  • Plugins are now stored in the plugin cache under a folder with the same name as the plugin. The name of a plugin must be unique across the plugin cache, because the name is what is used to set the Cobra command name. This enables us to just create the plugins folder as its name.

Windows specific

  • Lots of paths have been sanitized to help correct pathing differences on Mac/Linux/Windows.

  • If a plugin is being executed on Windows, and that plugin is a .sh file, Exec will prepend sh to the command to be executed. Without using sh to execute the .sh file, Windows considers the file invalid.

+404 -516

0 comment

17 changed files

jpreese

pr closed time in 2 days


push event open-policy-agent/conftest

John Reese

commit sha 67f5f4e54bc3196a11b618e144d27c7fc1598697

Add maintainers field (#408) Signed-off-by: John Reese <john@reese.dev>


push time in 2 days

PR merged open-policy-agent/conftest

Add maintainers field

Resolves #399

This field appears to be required by dpkg and .. does not support multiple aliases?

+1 -0

0 comment

1 changed file

jpreese

pr closed time in 2 days


started goreleaser/goreleaser

started time in 2 days

push event open-policy-agent/conftest

John Reese

commit sha d31f0c8961fd4d1bc554dc2e0a48fc42323c7f95

Initial commit (#402) Signed-off-by: John Reese <john@reese.dev>


push time in 2 days

PR merged open-policy-agent/conftest

Simplify exposed output package methods

Continuing to work towards more stable and usable package APIs for a conftest v1 release, this PR reworks the output package.

  • Remove Manager terminology in favor of types that represent what they output. A package consumer could create an output type by saying output.JSON

  • Remove the Flush() and Put() methods on each Outputter in favor of a single Output(). Everywhere in the codebase we were just ranging over the CheckResults collection to Put() them into the output manager and then flushing. This lets us just pass in a collection of results and write them e.g.

outputter := output.Get(format)
if err := outputter.Output(results); err != nil {
  return fmt.Errorf("output results: %w", err)
}
  • Replace log.Logger with io.Writer. This gives us, as well as package consumers, way more flexibility in how they can get at the formatted output. Tests can continue to pass in bytes.Buffer, and the Conftest binary can pass in os.Stdout.

+578 -605

0 comment

16 changed files

jpreese

pr closed time in 2 days


issue opened open-policy-agent/conftest

Create a Windows test environment

If we want to support Conftest on Windows, we need to make sure that we run the acceptance tests in a Windows environment as well. E.g. #400 shows that there is a risk that certain functionality does not work on Windows.

created time in 2 days

Pull request review comment open-policy-agent/conftest

Fix plugins on Windows

 cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxK cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= cloud.google.com/go v0.46.3 h1:AVXDdKsrtX33oR9fbCMu/+c1o8Ofjq6Ku/MInaLVg5Y= cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=+cloud.google.com/go/bigquery v1.0.1 h1:hL+ycaJpVE9M7nLoiXb/Pn10ENE2u+oddxbD8uu0ZVU=
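Review bot: the added go.sum entry for cloud.google.com/go/bigquery v1.0.1 in this hunk has no counterpart in the plugin changes this PR describes; a stray go.sum line widens the set of module hashes the build trusts, so run go mod tidy and keep only the entries that go.mod actually requires.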

Where did the go.sum changes come from? Maybe running go mod tidy removes the changes?

jpreese

comment created time in 2 days


issue comment open-policy-agent/conftest

Support XDG Specification for Plugin Directory

Thanks for looking into this @jpreese. I must admit that I completely lost track of the issue.

On your suggestions: I agree with the priority order. Providing an error on a misconfigured XDG_ variable makes sense if the variables are set to incorrect values. But I am unsure if we need a conftest plugin location command. I am not sure if a command just for debugging Conftest has added value as part of the CLI. I would propose one of the following alternatives:

  1. Include the location on disk in the conftest plugin list command. We could provide flags to control the output.
  2. Start applying trace logging in conftest, controlled with an environment variable. E.g. if I am debugging issues in Terraform I'll use TF_LOG=TRACE to figure out what is going wrong. This might be nice to have anyway.

06kellyjac

comment created time in 2 days

push event open-policy-agent/conftest

John Reese

commit sha 3e5e03c9371768cb96233e84581008ae5dd70ccc

Remove custom HCL2 conversion (#403) Signed-off-by: John Reese <john@reese.dev>


push time in 2 days

PR merged open-policy-agent/conftest

Remove custom HCL2 conversion

Now that the HCL to JSON package is exposed, we can remove our custom conversion logic and rely on the upstream.

There are still some discussions around how to represent provider blocks, but this is still a strong step forward.

+103 -316

0 comment

5 changed files

jpreese

pr closed time in 2 days


Pull request review comment open-policy-agent/conftest

Remove custom HCL2 conversion

 func TestConversion(t *testing.T) { 	} 	for name, tc := range testTable { 		bytes := []byte(tc.input)-		conf, diags := hclsyntax.ParseConfig(bytes, "test", hcl.Pos{Byte: 0, Line: 1, Column: 1})-		if diags.HasErrors() {-			t.Errorf("Failed to parse config: %v", diags)-		}-		converted, err := convertFile(conf)--		if err != nil {-			t.Errorf("Unable to convert from hcl: %v", err)-		} -		jb, err := json.MarshalIndent(converted, "", "\t")+		json, err := convert.Bytes(bytes, "", convert.Options{})
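Review bot: the new `json, err := convert.Bytes(bytes, "", convert.Options{})` names its result `json`, which shadows the `encoding/json` package this test file imported for the removed `json.MarshalIndent` call; rename the variable (for example `got`) and drop the import if that was its last use, otherwise the file either stops compiling on an unused import or silently hides the package for the rest of the loop body.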

Ah yeah it makes sense to ensure that it at least works with the previous HCL2 Parser. That makes sense. Let's keep the tests for now then.

jpreese

comment created time in 2 days


push event open-policy-agent/conftest

John Reese

commit sha 3a772ae02ccb4f288fe75effff7c10566ee54670

Update docs to reflect newest releases (#407) * Update documentation to reflect newest changes Signed-off-by: John Reese <john@reese.dev> * Add more details around reading about policies Signed-off-by: John Reese <john@reese.dev>


push time in 2 days

PR merged open-policy-agent/conftest

Update docs to reflect newest releases

This goes through the current documentation and updates them to reflect the latest changes to Conftest (rendered output, flags, etc).

Documentation of note would be the new --combine behavior and --fail-on-warn.

+321 -269

0 comment

11 changed files

jpreese

pr closed time in 2 days


started nikitavoloboev/my-mac-os

started time in 3 days

started apache/camel-k

started time in 3 days

started apache/camel-k-examples

started time in 3 days

started artifacthub/hub

started time in 3 days

started MChorfa/awesome-cnab

started time in 4 days

Pull request review comment open-policy-agent/conftest

Update docs to reflect newest releases

 # Conftest -Conftest is a utility to help you write tests against structured configuration data. For instance you could write tests for your Kubernetes configurations, or Tekton pipeline definitions, Terraform code, Serverless configs or any other structured data.+Conftest is a utility to help you write tests against structured configuration data. For instance, you could write tests for your Kubernetes configurations, Tekton pipeline definitions, Terraform code, Serverless configs or any other structured data.  Conftest relies on the Rego language from [Open Policy Agent](https://www.openpolicyagent.org/) for writing the assertions. You can read more about Rego in [How do I write policies](https://www.openpolicyagent.org/docs/how-do-i-write-policies.html) in the Open Policy Agent documentation.  ## Usage -Conftest allows you to write policies using Open Policy Agent/rego and apply them to one or-more configuration files. Policies by default should be placed in a directory called `policy` but this can be overridden.+Policies by default should be placed in a directory called `policy`, but this can be overridden with the `--policy` flag.

Maybe it would be good to introduce the concept of policies a bit more, as above they are referred to as assertions.

jpreese

comment created time in 4 days

Pull request review comment open-policy-agent/conftest

Update docs to reflect newest releases

 Before submitting large changes, please open an issue on GitHub outlining: - Detailed description of what your changes would entail. - Alternative solutions or approaches if applicable. -Use your judgement about what constitutes a large change. If you aren't sure, send a message to the `#conftest` channel in the OPA slack or submit an issue on GitHub.+Use your judgment about what constitutes a large change. If you aren't sure, send a message to the `#conftest` channel in the OPA slack or submit an issue on GitHub.

Typo here, should be judgement right?

jpreese

comment created time in 4 days


push event open-policy-agent/conftest

John Reese

commit sha 1d94894027dbde1d813862a4402fc6311cad8f44

Sort combined results by file path (#405) Signed-off-by: John Reese <john@reese.dev>


push time in 4 days

PR merged open-policy-agent/conftest

Sort combined results by file path

The primary driver behind this was a flaky test (https://github.com/open-policy-agent/conftest/blob/master/parser/format_test.go#L39). But it also makes sense to do, especially when using the parse command which renders the results to the console.

+13 -3

0 comment

1 changed file

jpreese

pr closed time in 4 days


push event open-policy-agent/conftest

John Reese

commit sha cf13dffb7061aba3ef46b4d8811f4e67c7fc006d

Remove runtime check on YAML parser (#406) Signed-off-by: John Reese <john@reese.dev>


push time in 4 days

PR merged open-policy-agent/conftest

Remove runtime check on YAML parser

There really shouldn't need to be a distinction made between Windows/not-Windows when figuring out how to break apart the YAML document. Just which line breaks the document is using.

Noticed when trying to build the Docker image (alpine) on a Windows machine. Build fails due to linebreaks consisting of CRLF, but the runtime is not Windows.

+1 -3

0 comment

1 changed file

jpreese

pr closed time in 4 days


push event open-policy-agent/conftest

John Reese

commit sha 336af58e51c52c9555d1c1f99b595b80cb21fe81

Add git to Dockerfile (#404) Signed-off-by: John Reese <john@reese.dev>


push time in 4 days

PR merged open-policy-agent/conftest

Add git to Dockerfile

Resolves #389

+5 -1

0 comment

2 changed files

jpreese

pr closed time in 4 days

issue closed open-policy-agent/conftest

conftest container errors on pull

I attempted to use https://hub.docker.com/r/openpolicyagent/conftest to run conftest pull https://github.com/instrumenta/policies.git and got

Error: download policies: client get: error downloading 'https://github.com/instrumenta/policies.git': git must be available and on the PATH

Seems the container needs to include git for conftest pull to work.

closed time in 4 days

MikaelSmith

Pull request review comment open-policy-agent/conftest

Remove custom HCL2 conversion

 import ( 	"encoding/json" 	"fmt" -	"github.com/hashicorp/hcl/v2"-	"github.com/hashicorp/hcl/v2/hclsyntax"+	"github.com/tmccombs/hcl2json/convert" ) -// Parser is a HCL2 parser+// Parser is an HCL2 parser. type Parser struct{} -func (h *Parser) Unmarshal(p []byte, v interface{}) error {-	file, diags := hclsyntax.ParseConfig(p, "", hcl.Pos{Byte: 0, Line: 1, Column: 1})--	if diags.HasErrors() {-		var details []error-		for _, each := range diags.Errs() {-			each = fmt.Errorf("%s \n", each)-			details = append(details, each)-		}--		return fmt.Errorf("parse hcl2 config: \n %s", details)-	}--	content, err := convertFile(file)-	if err != nil {-		return fmt.Errorf("convert hcl2 to json: %w", err)-	}--	j, err := json.Marshal(content)+// Unmarshal unmarshals HCL files that are written using+// version 2 of the HCL language.+func (Parser) Unmarshal(p []byte, v interface{}) error {+	hclBytes, err := convert.Bytes(p, "", convert.Options{})
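Review bot: the removed code wrapped each failure with stage context ("parse hcl2 config", "convert hcl2 to json: %w"); the new path should keep that by wrapping the error from `convert.Bytes` with `fmt.Errorf("convert hcl2 to json: %w", err)` before returning, so callers still learn which parser stage failed and `errors.Is`/`errors.As` keep working. The `fmt` import is retained, so no further change is needed for that.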

Nice to see you upstreamed this logic!

jpreese

comment created time in 4 days

Pull request review comment open-policy-agent/conftest

Remove custom HCL2 conversion

 func TestConversion(t *testing.T) { 	} 	for name, tc := range testTable { 		bytes := []byte(tc.input)-		conf, diags := hclsyntax.ParseConfig(bytes, "test", hcl.Pos{Byte: 0, Line: 1, Column: 1})-		if diags.HasErrors() {-			t.Errorf("Failed to parse config: %v", diags)-		}-		converted, err := convertFile(conf)--		if err != nil {-			t.Errorf("Unable to convert from hcl: %v", err)-		} -		jb, err := json.MarshalIndent(converted, "", "\t")+		json, err := convert.Bytes(bytes, "", convert.Options{})

Why is the test not exercising the interface of the Parser? I guess originally we needed these tests to check the custom HCL logic but right now it would be better to have a simple test checking the Unmarshal method.

jpreese

comment created time in 4 days


started stretchr/testify

started time in 5 days

push event open-policy-agent/conftest

John Reese

commit sha 73cfc1c6586a7f9f480e135d3388a803ca42ca05

Render trace results once (#393) * Passing tests Signed-off-by: John Reese <john@reese.dev> * Remove table tracing Signed-off-by: John Reese <john@reese.dev>


push time in 7 days

PR merged open-policy-agent/conftest

Render trace results once

The overall scope of this PR is to try to provide a better overall --trace experience.

Traces are done at the query level, like data.main.deny and data.main.warn. A query can return multiple results, in the case of multiple deny rules all named the same, but it will still only have a single trace. https://github.com/open-policy-agent/conftest/blob/master/policy/engine.go#L264.

We're currently associating the same tracelines with every result, causing a lot of extra noise in the rendered results.

This PR introduced a QueryResult type which puts more emphasis on this idea. Where after the evaluation of a query, what was the query that was executed, what was its result(s), and the associated trace lines. This puts the focus of the trace data around the query, and not the result. This also allows us to render traces in a more user-friendly way.

For some bonuses that also came out of this:

  • Remove jsonCheckResult and jsonResult in favor of the package level CheckResult and Result types. These should both be the same anyway.

  • Add exceptions to the above types, they were not included in other output formats, such as JSON.

+330 -392

2 comments

15 changed files

jpreese

pr closed time in 7 days


push event open-policy-agent/conftest

John Reese

commit sha 019a093bc0e529dea39d80923f36982a3bcd6f94

Load policies and data individually (#394) Signed-off-by: John Reese <john@reese.dev>


push time in 7 days

PR merged open-policy-agent/conftest

Load policies and data documents individually

Because we allow end-users to explicitly specify the paths for both policy and data, it could lead to unexpected errors when attempting to load a given path.

There could exist other valid documents (like data documents), that would also get loaded and have the potential to error. This does force us to load the policies and documents separately.

+34 -43

0 comment

2 changed files

jpreese

pr closed time in 7 days


push event open-policy-agent/conftest

John Reese

commit sha cc794a63878502dff336211cd46f6ef02580ae8b

Combine configurations into struct when using combine (#388) * Multidocument YAML Signed-off-by: John Reese <john@reese.dev> * Additional conflicts Signed-off-by: John Reese <john@reese.dev>


push time in 7 days

PR merged open-policy-agent/conftest

Combine configurations into struct when using combine

When evaluating policies with the --combine flag, put all of the configurations into a struct that exposes a path and a contents field. This implements the proposed solution found here (third one down) https://github.com/open-policy-agent/conftest/issues/106#issuecomment-550362911 by @gwkunze.

Policies that use the --combine flag would look something like:

deny[msg] {
  # The index (input[_]) is just an index (as an integer) representing the document number

  filepath := input[_].path            # The path/filename of the document (e.g. dir/doc.yaml)
  filecontents := input[_].contents    # The contents found in the document (e.g. yaml contents)
  msg := sprintf("original file: %s | contents: %s", filepath, filecontents)
}

+454 -490

4 comments

28 changed files

jpreese

pr closed time in 7 days

Pull request review comment open-policy-agent/conftest

Combine configurations into struct when using combine

 func getFilesFromDirectory(directory string, ignoreRegex string) ([]string, erro 		}  		for _, input := range parser.ValidInputs() {-			if strings.HasSuffix(info.Name(), input) {+			currentInput := strings.ToLower(input)
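Review bot: lowercasing only the extension list (`currentInput := strings.ToLower(input)`) leaves the comparison case-sensitive on the file-name side; the removed line compared `info.Name()` as-is, so make sure the name is lowercased as well before the `HasSuffix` check, otherwise a file such as `deployment.YAML` is still skipped.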

Good catch!

jpreese

comment created time in 7 days


Pull request review comment open-policy-agent/conftest

Combine configurations into struct when using combine

 func GetParser(fileType string) (Parser, error) { 	case "xml": 		return &xml.Parser{}, nil 	default:-		return nil, fmt.Errorf("unknown filetype given: %v", fileType)+		return nil, fmt.Errorf("unknown file extension given: %v", fileExtension)+	}+}++// GetParserFromPath returns a file parser based on the file type+// that exists at the given path.+func GetParserFromPath(path string) (Parser, error) {+	fileType := getFileType(path)++	return GetParser(fileType)+}++// ParseConfigurations parses and returns the configurations from the given+// list of files.+func ParseConfigurations(files []string) (map[string]interface{}, error) {+	configurations, err := parseConfigurations(files, "")+	if err != nil {+		return nil, fmt.Errorf("get configurations: %w", err)+	}++	return configurations, nil+}++// ParseConfigurationsAs parses the files as the given file type and returns the+// configurations given in the file list.+func ParseConfigurationsAs(files []string, fileExtension string) (map[string]interface{}, error) {+	configurations, err := parseConfigurations(files, fileExtension)+	if err != nil {+		return nil, fmt.Errorf("parse configurations: %w", err)+	}++	return configurations, nil+}++// CombineConfigurations takes the given configurations and combines them into a single+// configuration.+func CombineConfigurations(configs map[string]interface{}) map[string]interface{} {+	type configuration struct {+		Path     string      `json:"path"`+		Contents interface{} `json:"contents"`+	}++	var allConfigurations []configuration+	for path, config := range configs {+		if subconfigs, exist := config.([]interface{}); exist {+			for _, subconfig := range subconfigs {+				configuration := configuration{+					Path:     path,
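Review bot: `CombineConfigurations` builds `allConfigurations` by ranging over the `configs` map, so the order of the `input[_]` entries a policy sees varies from run to run; sort the map keys before appending (or sort the slice by `Path`) so evaluation and tests are deterministic. Minor: `configuration := configuration{` shadows the local type with a variable of the same name, and the error text differs between `ParseConfigurations` ("get configurations") and `ParseConfigurationsAs` ("parse configurations"); pick one wording.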

I really like this solution! It makes it a lot more obvious how to write policies in the combined case!

jpreese

comment created time in 7 days


push event open-policy-agent/conftest

John Reese

commit sha 9711356c54cba9e592763b7e0e06303ae4ab19fa

Remove input-file from verify docs (#396) Signed-off-by: John Reese <john@reese.dev>


push time in 7 days

PR merged open-policy-agent/conftest

Remove input-file from verify docs

Initially thought there was a bug here with verify not respecting any inputs but noticed it's intended and that the input-file piece after the --trace explanation was incorrect.

+4 -4

0 comment

1 changed file

jpreese

pr closed time in 7 days


issue closed open-policy-agent/conftest

conftest pull error

When I run

$ conftest --version
Version: 0.21.0
Commit: 125160d
Date: 2020-09-13T10:21:35Z
$ conftest pull github.com/instrumenta/policies/kubernetes -p policy/kubesec
Error: download policies: client get: RemoveAll .: invalid argument

on macOS 10.15.6 I get an error. This used to work.

Installed via Homebrew.

closed time in 7 days

MikaelSmith

issue comment open-policy-agent/conftest

conftest pull error

Fixed by #395

MikaelSmith

comment created time in 7 days

push event open-policy-agent/conftest

John Reese

commit sha 9ede5bf86308c228d92d6ca993dd84b2a75e9373

Bind pull flag (#395) Signed-off-by: John Reese <john@reese.dev>


push time in 7 days

PR merged open-policy-agent/conftest

Set policy flag as string

Define a policy flag for the pull command rather than the typical StringSlice used in other commands.

+1 -1

0 comment

1 changed file

jpreese

pr closed time in 7 days


push event open-policy-agent/conftest

dependabot[bot]

commit sha 1fdc9d0075c6b6210bacba06ad28654f65ea2609

Bump github.com/hashicorp/go-getter from 1.4.1 to 1.4.2 (#398) Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.4.1 to 1.4.2. - [Release notes](https://github.com/hashicorp/go-getter/releases) - [Commits](https://github.com/hashicorp/go-getter/compare/v1.4.1...v1.4.2) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>


push time in 7 days

PR merged open-policy-agent/conftest

Bump github.com/hashicorp/go-getter from 1.4.1 to 1.4.2 dependencies

Bumps github.com/hashicorp/go-getter from 1.4.1 to 1.4.2.

Release notes (sourced from github.com/hashicorp/go-getter's releases, https://github.com/hashicorp/go-getter/releases):

v1.4.2

Improvement:

  • Expose a Umask option to mask file permissions when storing local files or decompressing an archive. Helpful for clearing setuid or other sensitive bits.

Commits:

  • 7ac233b Merge pull request #256 from hashicorp/f-umask-master-may-2020
  • 437601e feat(detector): provide a detector for repository hosted on GitLab.com (#259)
  • 81f79b4 Use default AWS credential chain under normal circumstances (#218)
  • 142d79c missing umask/mode and copy util calls
  • 3c581d4 client add Umask to the client config, use it to Chmod files
  • 2949343 Add windows tests to CircleCI
  • 340bd77 Add windows tests
  • fc35e45 Merge pull request #237 from hasheddan/docs
  • b0b9b8e Minor update to docs wording
  • 4e060f5 Merge pull request #233 from hashicorp/go-mod-version
  • Additional commits viewable in the compare view: https://github.com/hashicorp/go-getter/compare/v1.4.1...v1.4.2


+8 -1

0 comment

2 changed files

dependabot[bot]

pr closed time in 7 days


PR opened hashicorp/go-getter

Add support for retrieving data from OCI registries

Fixes #271

Draft PR showcasing the OCI getter that is used in Conftest. Let me know if it would be something go-getter is interested in including upstream.

Several existing registries with OCI support can be detected and the URL will receive the oci:// protocol. Alternatively, the oci:// protocol can be added to the URL for other (e.g. private) registries. The deis/ORAS library is used to fetch the OCI artifacts from the storage.

+405 -2

0 comment

5 changed files

pr created time in 9 days

issue opened hashicorp/go-getter

Support OCI registries as a source

We have been using go-getter in Conftest as a way to fetch Rego policies from a variety of sources. Since in the earlier version we already had OCI support we wrapped the OCI fetching in an OCIGetter so that go-getter became OCI aware.

Given that OCI as storage is becoming more prevalent and most container registries now support OCI formats it could be worthwhile to move the OCIGetter to the go-getter library so that it is supported for other users of the library as well.

created time in 9 days

create branch Blokje5/go-getter

branch : oci-support

created branch time in 9 days

fork Blokje5/go-getter

Package for downloading things from a string URL using a variety of protocols.

fork in 9 days

push event open-policy-agent/conftest

Anshul Sharma

commit sha 1bf374471edcb9befbcf7c31d3ecb4b77cac908a

Bump version in docs (#392) Signed-off-by: Anshul Sharma <optimisticanshul@gmail.com>


push time in 9 days


issue closed open-policy-agent/conftest

[bug] Support for "_" in iterators

Hi there,

It does not appear that conftest supports the "_" for iterators
not contains(input.spec.rules[_].host, "blah-plain.....com")
> Error: build compiler: compiling: 1 error occurred: policy/ingress.rego:67: rego_unsafe_var_error: var _ is unsafe

is this correct? Thanks! :)

closed time in 10 days

rosscdh

issue comment open-policy-agent/conftest

[bug] Support for "_" in iterators

Hi @rosscdh, it looks like you have a compilation error in your policy. In general there should be (almost) no differences between what OPA supports and what conftest supports.

For good resources on policy writing I can suggest the following:

  • https://academy.styra.com/ is a course on Rego policies.
  • The official documentation: https://www.openpolicyagent.org/docs/latest/policy-language/
  • And feel free to ask in the Open Policy Agent slack: https://slack.openpolicyagent.org/

I will close this issue now.

rosscdh

comment created time in 10 days

issue opened open-policy-agent/conftest

Separate examples from tests

Right now we often use the examples section both in the go tests and bats tests. However, we should strive to create realistic examples. I think it would be best to start separating the examples from the tests. This means we can start working on creating more realistic examples without worrying about breaking tests.

created time in 10 days

push event open-policy-agent/conftest

John Reese

commit sha 9a80b55332d74888c4d6687b3773dcb4f53e7fb1

Include warnings when subconfigs are present (#384) Signed-off-by: John Reese <john@reese.dev>


push time in 10 days

PR merged open-policy-agent/conftest

Include warnings when subconfigs are present

Aggregate warnings in the subconfig loop and add a test for warnings.

+19 -13

0 comment

2 changed files

jpreese

pr closed time in 10 days

Pull request review comment open-policy-agent/conftest

Load engine dependencies

 func NewParseCommand(ctx context.Context) *cobra.Command { 			return nil 		}, 		RunE: func(cmd *cobra.Command, fileList []string) error {-			params := &runner.ParseParams{}-			viper.Unmarshal(params)-			runner := runner.ParseRunner{-				Params:        params,-				ConfigManager: &parser.ConfigManager{},-			}-			out, err := runner.Run(ctx, fileList)
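Review bot: the removed lines discarded the error returned by viper.Unmarshal(params), so a config value that failed to decode into ParseParams used to fall through silently; whatever now replaces this RunE body (the replacement is not visible in this hunk) should check and return that error instead of repeating the pattern.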

Moving the formatting methods to the parser seems like a clean solution to this problem!

jpreese

comment created time in 12 days

Pull request review comment open-policy-agent/conftest

Load engine dependencies

 func TestGetConfigurations(t *testing.T) { func TestGetFileType(t *testing.T) { 	testTable := []struct { 		name             string-		inputFileType    string 		fileName         string 		expectedFileType string 	}{-		{"Test YAML file", "", "example/kubernetes/deployment.yaml", "yaml"},-		{"Test not YAML file", "", "example/traefik/traefik.toml", "toml"},-		{"Test default file type", "", "-", "yaml"},+		{"Test YAML file", "example/kubernetes/deployment.yaml", "yaml"},+		{"Test not YAML file", "example/traefik/traefik.toml", "toml"},+		{"Test default file type", "-", "yaml"}, 	}  	for _, testUnit := range testTable { 		t.Run(testUnit.name, func(t *testing.T) {-			c := ConfigManager{}-			fileType := c.getFileType(testUnit.fileName, testUnit.inputFileType)+			fileType := getFileType(testUnit.fileName) 			if fileType != testUnit.expectedFileType { 				t.Fatalf("got wrong filetype got:%s want:%s", fileType, testUnit.expectedFileType) 			} 		}) 	} } -func TestUnmarshaller(t *testing.T) {-	t.Run("error constructing an unmarshaller for a type of file", func(t *testing.T) {-		t.Run("which can be used to BulkUnmarshal file contents into an object", func(t *testing.T) {-			testTable := []struct {-				name           string-				controlReaders []ConfigDoc-				expectedResult map[string]interface{}-				shouldError    bool-			}{-				{-					name: "a single reader",-					controlReaders: []ConfigDoc{-						{-							ReadCloser: ioutil.NopCloser(strings.NewReader("sample: true")),-							Filepath:   "sample.yml",-							Parser:     &yaml.Parser{},-						},-					},-					expectedResult: map[string]interface{}{-						"sample.yml": map[string]interface{}{-							"sample": true,-						},-					},-					shouldError: false,-				},-				{-					name: "multiple readers",-					controlReaders: []ConfigDoc{-						{-							ReadCloser: ioutil.NopCloser(strings.NewReader("sample: true")),-							Filepath:   "sample.yml",-							Parser:     &yaml.Parser{},-						},-						{-							ReadCloser: 
ioutil.NopCloser(strings.NewReader("hello: true")),-							Filepath:   "hello.yml",-							Parser:     &yaml.Parser{},-						},-						{-							ReadCloser: ioutil.NopCloser(strings.NewReader("nice: true")),-							Filepath:   "nice.yml",-							Parser:     &yaml.Parser{},-						},-					},-					expectedResult: map[string]interface{}{-						"sample.yml": map[string]interface{}{-							"sample": true,-						},-						"hello.yml": map[string]interface{}{-							"hello": true,-						},-						"nice.yml": map[string]interface{}{-							"nice": true,-						},-					},-					shouldError: false,+func TestParseConfiguration(t *testing.T) {+	testTable := []struct {+		name           string+		path           string+		contents       []byte+		expectedResult map[string]interface{}+	}{+		{+			name:     "a single reader",+			path:     "sample.yml",+			contents: []byte("sample: true"),+			expectedResult: map[string]interface{}{+				"sample.yml": map[string]interface{}{+					"sample": true, 				},-				{-					name: "a single reader with multiple yaml subdocs",-					controlReaders: []ConfigDoc{-						{-							ReadCloser: ioutil.NopCloser(strings.NewReader(`---+			},+		},+		{+			name: "a single reader with multiple yaml subdocs",+			path: "sample.yml",+			contents: []byte(`--- sample: true --- hello: true ----nice: true`)),-							Filepath: "sample.yml",-							Parser:   &yaml.Parser{},-						},-					},-					expectedResult: map[string]interface{}{-						"sample.yml": []interface{}{-							map[string]interface{}{-								"sample": true,-							},-							map[string]interface{}{-								"hello": true,-							},-							map[string]interface{}{-								"nice": true,-							},-						},+nice: true`),+			expectedResult: map[string]interface{}{+				"sample.yml": []interface{}{+					map[string]interface{}{+						"sample": true, 					},-					shouldError: false,-				},-				{-					name: "multiple readers with multiple subdocs",-					controlReaders: []ConfigDoc{-						{-							ReadCloser: 
ioutil.NopCloser(strings.NewReader(`----sample: true-----hello: true-----nice: true`)),-							Filepath: "sample.yml",-							Parser:   &yaml.Parser{},-						},-						{-							ReadCloser: ioutil.NopCloser(strings.NewReader(`----sample: true-----hello: true-----nice: true`)),-							Filepath: "hello.yml",-							Parser:   &yaml.Parser{},-						},-						{-							ReadCloser: ioutil.NopCloser(strings.NewReader("nice: true")),-							Filepath:   "nice.yml",-							Parser:     &yaml.Parser{},-						},+					map[string]interface{}{+						"hello": true, 					},-					expectedResult: map[string]interface{}{-						"sample.yml": []interface{}{-							map[string]interface{}{-								"sample": true,-							},-							map[string]interface{}{-								"hello": true,-							},-							map[string]interface{}{-								"nice": true,-							},-						},-						"hello.yml": []interface{}{-							map[string]interface{}{-								"sample": true,-							},-							map[string]interface{}{-								"hello": true,-							},-							map[string]interface{}{-								"nice": true,-							},-						},-						"nice.yml": map[string]interface{}{-							"nice": true,-						},+					map[string]interface{}{+						"nice": true, 					},-					shouldError: false, 				},+			},+		},+	}++	for _, test := range testTable {+		t.Run(test.name, func(t *testing.T) {+			var unmarshalledConfigs map[string]interface{}+			unmarshalledConfigs, err := parseConfiguration(test.path, test.contents, "")+			if err != nil {+				t.Errorf("errors unmarshalling: %v", err)+			}++			if unmarshalledConfigs == nil {+				t.Error("error seeing the actual value of object, received nil") 			} -			for _, test := range testTable {-				t.Run(test.name, func(t *testing.T) {-					var unmarshalledConfigs map[string]interface{}-					c := ConfigManager{}-					unmarshalledConfigs, err := c.bulkUnmarshal(test.controlReaders)-					if err != nil {-						t.Errorf("errors unmarshalling: %v", err)-					}--					if unmarshalledConfigs == nil {-						t.Error("error 
seeing the actual value of object, received nil")-					}--					if !reflect.DeepEqual(test.expectedResult, unmarshalledConfigs) {-						t.Errorf("\nResult\n%v\n and type %T\n Expected\n%v\n and type %T\n", unmarshalledConfigs, unmarshalledConfigs, test.expectedResult, test.expectedResult)-					}-				})+			if !reflect.DeepEqual(test.expectedResult, unmarshalledConfigs) {+				t.Errorf("\nResult\n%v\n and type %T\n Expected\n%v\n and type %T\n", unmarshalledConfigs, unmarshalledConfigs, test.expectedResult, test.expectedResult) 			} 		})-	})+	}+}++func TestFormatAll(t *testing.T) {+	configurations := make(map[string]interface{})
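Review bot: the rewritten TestParseConfiguration only ever passes "" as the fileType, so the explicit-type branch through GetParser (the one ParseConfigurationsAs depends on) and the error path that the dropped shouldError field used to stand for are no longer covered; add a fileType field to the table with a case such as path "-" plus fileType "yaml", and a case with malformed contents that expects an error. In the loop, a failed parse reports with t.Errorf and then continues into reflect.DeepEqual against a nil map, producing a second misleading failure; t.Fatalf is the right call there, and the `var unmarshalledConfigs map[string]interface{}` declaration immediately followed by `unmarshalledConfigs, err := ...` is redundant.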

Adding another configuration to this test would be nice.

jpreese

comment created time in 12 days

Pull request review comment open-policy-agent/conftest

Load engine dependencies

 package parser  import ( 	"bufio"-	"context"+	"bytes"+	"encoding/json" 	"fmt"-	"io" 	"io/ioutil" 	"os" 	"path/filepath" ) -// ConfigDoc is an input document to be checked-type ConfigDoc struct {-	ReadCloser io.ReadCloser-	Filepath   string-	Parser     Parser-}+// ParseConfigurations parses and returns the configurations given in the file list.+func ParseConfigurations(files []string) (map[string]interface{}, error) {+	configurations, err := parseConfigurations(files, "")+	if err != nil {+		return nil, fmt.Errorf("get configurations: %w", err)+	} -type CustomConfigManager interface {-	GetConfigurations(ctx context.Context, input string, fileList []string) (map[string]interface{}, error)+	return configurations, nil } -type ConfigManager struct{}+// ParseConfigurationsAs parses the files as the given file type and returns the+// configurations given in the file list.+func ParseConfigurationsAs(files []string, fileType string) (map[string]interface{}, error) {+	configurations, err := parseConfigurations(files, fileType)+	if err != nil {+		return nil, fmt.Errorf("get configurations: %w", err)+	} -// GetConfigurations parses and returns the configurations given in the file list-func (c *ConfigManager) GetConfigurations(ctx context.Context, input string, fileList []string) (map[string]interface{}, error) {-	var fileConfigs []ConfigDoc-	for _, fileName := range fileList {-		var config io.ReadCloser+	return configurations, nil+} -		config, err := c.getConfig(fileName)-		if err != nil {-			return nil, fmt.Errorf("get config: %w", err)-		}+// FormatAll takes in multiple configurations input and formats the configuration+// to be more human readable. 
The key of each configuration should be its filepath.+func FormatAll(configurations map[string]interface{}) (string, error) {+	output := "\n"+	for file, config := range configurations {+		output += file + "\n" -		fileType := c.getFileType(fileName, input)-		parser, err := GetParser(fileType)+		current, err := Format(config) 		if err != nil {-			return nil, fmt.Errorf("get parser: %w", err)+			return "", fmt.Errorf("marshal output to json: %w", err) 		} -		configDoc := ConfigDoc{-			ReadCloser: config,-			Filepath:   fileName,-			Parser:     parser,-		}--		fileConfigs = append(fileConfigs, configDoc)+		output += current 	} -	unmarshaledConfigs, err := c.bulkUnmarshal(fileConfigs)+	return output, nil+}++// Format takes in a single configuration input and formats the configuration+// to be more human readable.+func Format(in interface{}) (string, error) {+	out, err := json.Marshal(in) 	if err != nil {-		return nil, fmt.Errorf("bulk unmarshal: %w", err)+		return "", fmt.Errorf("marshal output to json: %w", err)+	}++	var prettyJSON bytes.Buffer+	if err = json.Indent(&prettyJSON, out, "", "\t"); err != nil {+		return "", fmt.Errorf("indentation: %w", err)+	}++	if _, err := prettyJSON.WriteString("\n"); err != nil {+		return "", fmt.Errorf("adding line break: %w", err) 	} -	return unmarshaledConfigs, nil+	return prettyJSON.String(), nil } -func (c *ConfigManager) bulkUnmarshal(configList []ConfigDoc) (map[string]interface{}, error) {-	configContents := make(map[string]interface{})-	for _, config := range configList {-		contents, err := ioutil.ReadAll(config.ReadCloser)+func parseConfigurations(paths []string, fileType string) (map[string]interface{}, error) {+	var parsedConfigurations []map[string]interface{}+	for _, path := range paths {+		contents, err := getConfigurationContent(path) 		if err != nil {-			return nil, fmt.Errorf("read config: %w", err)+			return nil, fmt.Errorf("get configuration content: %w", err) 		} -		var singleContent interface{}-		if err := 
config.Parser.Unmarshal(contents, &singleContent); err != nil {-			return nil, fmt.Errorf("parser unmarshal: %w", err)+		parsedConfiguration, err := parseConfiguration(path, contents, fileType)+		if err != nil {+			return nil, fmt.Errorf("parsing configuration: %w", err) 		} -		configContents[config.Filepath] = singleContent-		config.ReadCloser.Close()+		parsedConfigurations = append(parsedConfigurations, parsedConfiguration) 	} -	return configContents, nil+	result := make(map[string]interface{})+	for _, config := range parsedConfigurations {+		for path, contents := range config {+			result[path] = contents+		}+	}++	return result, nil } -func (c *ConfigManager) getConfig(fileName string) (io.ReadCloser, error) {-	if fileName == "-" {-		config := ioutil.NopCloser(bufio.NewReader(os.Stdin))-		return config, nil+func parseConfiguration(path string, configuration []byte, fileType string) (map[string]interface{}, error) {+	var parser Parser+	var err error+	if fileType == "" {+		parser, err = GetParserFromPath(path)+	} else {+		parser, err = GetParser(fileType) 	}--	filePath, err := filepath.Abs(fileName) 	if err != nil {-		return nil, fmt.Errorf("get abs: %w", err)+		return nil, fmt.Errorf("get parser: %w", err) 	} -	config, err := os.Open(filePath)-	if err != nil {-		return nil, fmt.Errorf("open file: %w", err)+	var parsed interface{}+	if err := parser.Unmarshal(configuration, &parsed); err != nil {+		return nil, fmt.Errorf("parser unmarshal: %w", err) 	} -	return config, nil+	parsedConfiguration := make(map[string]interface{})+	parsedConfiguration[path] = parsed
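Review bot: FormatAll ranges directly over the configurations map (`for file, config := range configurations`), so the order of files in the output changes from run to run; collect the keys, sort them, and iterate in that order so the output is stable for anyone diffing it and for tests. Minor: the error wrap in FormatAll repeats Format's own prefix, yielding "marshal output to json: marshal output to json: ...", where wrapping with the file name (`fmt.Errorf("format %s: %w", file, err)`) would tell the user which configuration failed.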

By returning a map here we need to unwrap the map and reconstruct it in the parseConfigurations method. Wouldn't it make sense to just return the contents and construct the map in the parseConfigurations method?

jpreese

comment created time in 12 days

Pull request review comment open-policy-agent/conftest

Load engine dependencies

 func NewDefaultCommand() *cobra.Command {  	cmd.SetVersionTemplate(`{{.Version}}`) -	cmd.PersistentFlags().StringSliceP("policy", "p", []string{"policy"}, "path to the Rego policy files directory. For the test command, specifying a specific .rego file is allowed. Can be specified multiple times.")-	cmd.PersistentFlags().Bool("no-color", false, "disable color when printing")--	viper.BindPFlag("policy", cmd.PersistentFlags().Lookup("policy"))
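Review bot: this hunk removes the persistent --policy and --no-color flags together with the viper.BindPFlag call for "policy"; wherever the policy flag is re-registered per command, the BindPFlag needs to move with it, otherwise a `policy` key supplied through the config file or environment is no longer picked up even though the command-line flag still parses.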

Nice to see that these flags moved. It both simplifies unmarshaling the flags and removes the flags from commands where it does not make sense!

jpreese

comment created time in 12 days

Pull request review comment open-policy-agent/conftest

Load engine dependencies

 type jsonCheckResult struct { 	Failures  []jsonResult `json:"failures"` } -// JSONOutputManager formats its output to JSON+// JSONOutputManager formats its output to JSON. type JSONOutputManager struct {-	logger *log.Logger-	data   []jsonCheckResult+	logger  *log.Logger+	data    []jsonCheckResult+	tracing bool } -// NewDefaultJSONOutputManager creates a new JSONOutputManager using the default logger+// NewDefaultJSONOutputManager creates a new JSONOutputManager using the default logger. func NewDefaultJSONOutputManager() *JSONOutputManager { 	return NewJSONOutputManager(log.New(os.Stdout, "", 0)) } -// NewJSONOutputManager creates a new JSONOutputManager with a given logger instance+// NewJSONOutputManager creates a new JSONOutputManager with a given logger instance. func NewJSONOutputManager(l *log.Logger) *JSONOutputManager { 	return &JSONOutputManager{ 		logger: l, 	} } -// Put puts the result of the check to the manager in the managers buffer+// WithTracing adds tracing to the output.+func (j *JSONOutputManager) WithTracing() OutputManager {
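Review bot: the doc comment on WithTracing ("adds tracing to the output") does not say whether it mutates the receiver and returns it for chaining or returns a new manager, and because it returns the OutputManager interface rather than *JSONOutputManager a caller cannot tell from the signature; state which in the comment. Since the struct now carries a tracing field, accepting it in NewJSONOutputManager (or via a functional option) would also avoid re-implementing this method on every output manager.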

Nitpick: We are duplicating this method now for every OutputManager.

jpreese

comment created time in 12 days

push event Blokje5/conftest

Lennard Eijsackers

commit sha 6c68ff195105e387b4a193cb3a2ed27aacca4eda

chore: Add a CONTRIBUTING.md document (#365) Fixes #362 Signed-off-by: Lennard Eijsackers <lennardeijsackers92@gmail.com>

Anders Eknert

commit sha bbfd1d2333cc30de652aea2c37eb4d8f2b96f78a

Mac OS support and other fixes (#369) Signed-off-by: Anders Eknert <anders@eknert.com>

Lennard Eijsackers

commit sha d9c928eafc8114c5c5544f79a1cdd36907850f3f

Refactor Test Command (#368) Signed-off-by: Lennard Eijsackers <lennardeijsackers92@gmail.com>

KeisukeYamashita

commit sha bc983d74aba38bc97de8122b907028fa488f46a4

Migrate dependabot to github native version 2 (#366) Signed-off-by: KeisukeYamashita <19yamashita15@gmail.com>

dependabot[bot]

commit sha 2a37ddf944ee1a4b59c72ebb62696661c3a6d7eb

Bump github.com/hashicorp/hcl/v2 from 2.2.0 to 2.6.0 (#375) Bumps [github.com/hashicorp/hcl/v2](https://github.com/hashicorp/hcl) from 2.2.0 to 2.6.0. - [Release notes](https://github.com/hashicorp/hcl/releases) - [Changelog](https://github.com/hashicorp/hcl/blob/v2.6.0/CHANGELOG.md) - [Commits](https://github.com/hashicorp/hcl/compare/v2.2.0...v2.6.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot[bot]

commit sha d04158beab15764232b509ea671150762dbeaa3d

Bump github.com/go-ini/ini from 1.51.0 to 1.61.0 (#371) Bumps [github.com/go-ini/ini](https://github.com/go-ini/ini) from 1.51.0 to 1.61.0. - [Release notes](https://github.com/go-ini/ini/releases) - [Commits](https://github.com/go-ini/ini/compare/v1.51.0...v1.61.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

dependabot[bot]

commit sha 16c1bd88569cb397fa9112318215f7e44fba3188

Bump github.com/hashicorp/go-getter from 1.4.0 to 1.4.1 (#372) Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.4.0 to 1.4.1. - [Release notes](https://github.com/hashicorp/go-getter/releases) - [Commits](https://github.com/hashicorp/go-getter/compare/v1.4.0...v1.4.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

John Reese

commit sha 6e79a2fa7e6b0c8d2bf724076f38b49ed9547ac9

Number of configurations for successes (#376) * Update OPA version Signed-off-by: John Reese <john@reese.dev> * Passing tests Signed-off-by: John Reese <john@reese.dev> * Count successes Signed-off-by: John Reese <john@reese.dev> * Update json tests Signed-off-by: John Reese <john@reese.dev>

John Reese

commit sha 8ce1a237a0b62aaed8ba40a8893d41edf29a4dd8

Move configuration options to options doc (#354) * Move configuration options to options doc Signed-off-by: John Reese <john@reese.dev> * Add additional clarity on configuration ordering Signed-off-by: John Reese <john@reese.dev>

dependabot[bot]

commit sha 62cbd986c43d3ba65f2117f14feedacd35c6657a

Bump github.com/spf13/cobra from 0.0.5 to 0.0.7 (#379) Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 0.0.5 to 0.0.7. - [Release notes](https://github.com/spf13/cobra/releases) - [Changelog](https://github.com/spf13/cobra/blob/master/CHANGELOG.md) - [Commits](https://github.com/spf13/cobra/compare/0.0.5...0.0.7) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

John Reese

commit sha 3b618a203d52e29d70d372dc1772bb2a73b0aede

Report error on verify command (#377) Signed-off-by: John Reese <john@reese.dev>

John Reese

commit sha 154e53adc1a234a2a620bdb82ec2bfee31831185

Add additional exit codes (#378) * Add additional exit codes Signed-off-by: John Reese <john@reese.dev> * Add error code test Signed-off-by: John Reese <john@reese.dev>

John Reese

commit sha 125160deacb9c02ce3c098bdf1f3ce7df216026a

Break up output package (#380) Signed-off-by: John Reese <john@reese.dev>

Hendrik Ferber

commit sha 46ec24604d36a34cb6c6f3b338cbc89df3b1f585

fixed gitlab-ci example Signed-off-by: HaveFun83 <blackfon83@googlemail.com>

Gareth Rushgrove

commit sha f74e0eaef3b19456e2f5b5ebafab027a0fd807f8

Merge pull request #382 from HaveFun83/gitlab-ci-fix fixed gitlab-ci example

push time in 12 days

issue comment open-policy-agent/conftest

Conftest using specific .rego file is not working properly

Thanks for reporting the issue @rawc0der! Could you share the policies you used? I'll see if I can reproduce the issue.

rawc0der

comment created time in 12 days

started jetstack/kube-oidc-proxy

started time in 12 days

Pull request review comment open-policy-agent/conftest

Load engine dependencies

 import ( 	"context" 	"errors" 	"fmt"+	"os" 	"strings"  	"github.com/open-policy-agent/conftest/output" 	"github.com/open-policy-agent/opa/ast"+	"github.com/open-policy-agent/opa/loader" 	"github.com/open-policy-agent/opa/rego" 	"github.com/open-policy-agent/opa/storage" 	"github.com/open-policy-agent/opa/topdown"+	"github.com/open-policy-agent/opa/version" ) -// Engine represents the policy engine+// Engine represents the policy engine. type Engine struct {-	Compiler *ast.Compiler-	Store    storage.Store-	Trace    bool+	result   *loader.Result+	compiler *ast.Compiler+	store    storage.Store+	tracing  bool } -// NewEngine returns a new instatiated Engine-func NewEngine(compiler *ast.Compiler, store storage.Store, trace bool) *Engine {-	return &Engine{-		Compiler: compiler,-		Store:    store,-		Trace:    trace,+// Namespaces returns all of the namespaces in the Engine.+func (e *Engine) Namespaces() []string {+	var namespaces []string+	for _, module := range e.Modules() {+		namespace := strings.Replace(module.Package.Path.String(), "data.", "", 1)+		if contains(namespaces, namespace) {+			continue+		}++		namespaces = append(namespaces, namespace)+	}++	return namespaces+}++// Documents returns all of the documents loaded into the engine.+func (e *Engine) Documents() map[string]string {+	documents := make(map[string]string)+	for path, content := range e.result.Documents {+		documents[path] = fmt.Sprintf("%v", content)+	}++	return documents+}++// Policies returns all of the policies loaded into the engine.+func (e *Engine) Policies() map[string]string {+	policies := make(map[string]string)+	for m := range e.result.Modules {+		policies[e.result.Modules[m].Name] = string(e.result.Modules[m].Raw) 	}++	return policies+}++// Compiler returns the compiler from the loaded policies.+func (e *Engine) Compiler() *ast.Compiler {+	return e.compiler+}++// Store returns the store from the loaded documents.+func (e *Engine) Store() storage.Store {+	return e.store+}++// Modules returns 
the modules from the loaded policies.+func (e *Engine) Modules() map[string]*ast.Module {+	return e.result.ParsedModules()+}++// Runtime returns the runtime of the engine.+func (e *Engine) Runtime() *ast.Term {+	env := ast.NewObject()+	for _, pair := range os.Environ() {+		parts := strings.SplitN(pair, "=", 2)+		if len(parts) == 1 {+			env.Insert(ast.StringTerm(parts[0]), ast.NullTerm())+		} else if len(parts) > 1 {+			env.Insert(ast.StringTerm(parts[0]), ast.StringTerm(parts[1]))+		}+	}++	obj := ast.NewObject()+	obj.Insert(ast.StringTerm("env"), ast.NewTerm(env))+	obj.Insert(ast.StringTerm("version"), ast.StringTerm(version.Version))+	obj.Insert(ast.StringTerm("commit"), ast.StringTerm(version.Vcs))++	return ast.NewTerm(obj) }  // Query the policy engine with the given query and given input. func (e *Engine) Query(ctx context.Context, query string, input interface{}) ([]output.Result, []output.Result, error) {-	rego, stdout := e.buildRego(e.Trace, query, input)-	resultSet, err := rego.Eval(ctx)+	var regoObj *rego.Rego+	var regoFunc []func(r *rego.Rego)+	stdout := topdown.NewBufferTracer()
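Review bot: Runtime() copies the entire process environment from os.Environ() into the term that policies can read, so any loaded policy, including one fetched from a remote URL by the loader, can read whatever credentials or tokens happen to be set in the shell running conftest; at minimum document this in the Runtime comment, and consider an allow-list or an explicit opt-in before exposing env. Separately, Namespaces() uses strings.Replace(..., "data.", "", 1), which strips the first "data." found anywhere in the package path rather than only the leading one, so a package such as data.main.data.x would be mangled; strings.TrimPrefix expresses the intent, and because Modules() returns a map the resulting slice should be sorted if callers expect a stable order.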

Nitpick: would it not make sense to move this inside the if statement?

jpreese

comment created time in 16 days

Pull request review comment open-policy-agent/conftest

Load engine dependencies

 import (  	"github.com/open-policy-agent/conftest/downloader" -	"github.com/open-policy-agent/opa/storage"+	"github.com/open-policy-agent/opa/loader" )  // Loader handles the retrieval of all rego policies and related data. type Loader struct { 	PolicyPaths []string 	DataPaths   []string 	URLs        []string--	test bool+	Tracing     bool } -// SetTestLoad configures the loader to load Rego test files as well-func (l *Loader) SetTestLoad(test bool) *Loader {-	l.test = test-	return l-}+// Load returns an Engine after loading all of the specified policies and data paths.+// If URLs are specified, Load will first download all of the policies at the spcified URLs.+func (l *Loader) Load(ctx context.Context) (*Engine, error) { -// Load retrieves policies from several locations:-// first it checks for any remote sources of policies and downloads-// the policies into the given policy paths.-// After retrieving the policies from the remote sources, all .rego, .json and .yaml-// files are recursively retrieved from disk and loaded into-// a rego Compiler and Store respectively.-func (l *Loader) Load(ctx context.Context) ([]string, storage.Store, error) { 	// Downloaded policies are put into the first policy directory specified 	for _, url := range l.URLs { 		sourcedURL, err := downloader.Detect(url, l.PolicyPaths[0]) 		if err != nil {-			return nil, nil, fmt.Errorf("detect policies: %w", err)+			return nil, fmt.Errorf("detect policies: %w", err) 		}  		if err := downloader.Download(ctx, l.PolicyPaths[0], []string{sourcedURL}); err != nil {-			return nil, nil, fmt.Errorf("update policies: %w", err)+			return nil, fmt.Errorf("update policies: %w", err) 		} 	} -	var regoFiles []string-	var err error-	if l.test {-		regoFiles, err = ReadFilesWithTests(l.PolicyPaths...)-	} else {-		regoFiles, err = ReadFiles(l.PolicyPaths...)+	paths := append(l.PolicyPaths, l.DataPaths...)+	result, err := loader.All(paths)
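Review bot: `paths := append(l.PolicyPaths, l.DataPaths...)` writes into the backing array of l.PolicyPaths whenever that slice has spare capacity, so a Loader reused for a second Load can find its PolicyPaths silently extended with data paths; allocate a fresh slice (`paths := make([]string, 0, len(l.PolicyPaths)+len(l.DataPaths))` and append both) instead. The unchanged URL loop also indexes l.PolicyPaths[0] without checking that PolicyPaths is non-empty, so a Loader with URLs but no policy path panics with an index out of range rather than returning an error. Typo in the new doc comment: "spcified".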

Does this deal with the differences in test vs non-test rego files? I guess the Query defines what gets executed and it is not the worst to just load all files.

jpreese

comment created time in 16 days

Pull request review comment open-policy-agent/conftest

Load engine dependencies

 import ( 	"context" 	"errors" 	"fmt"+	"os" 	"strings"  	"github.com/open-policy-agent/conftest/output" 	"github.com/open-policy-agent/opa/ast"+	"github.com/open-policy-agent/opa/loader" 	"github.com/open-policy-agent/opa/rego" 	"github.com/open-policy-agent/opa/storage" 	"github.com/open-policy-agent/opa/topdown"+	"github.com/open-policy-agent/opa/version" ) -// Engine represents the policy engine+// Engine represents the policy engine. type Engine struct {-	Compiler *ast.Compiler-	Store    storage.Store-	Trace    bool+	result   *loader.Result+	compiler *ast.Compiler+	store    storage.Store+	tracing  bool } -// NewEngine returns a new instatiated Engine-func NewEngine(compiler *ast.Compiler, store storage.Store, trace bool) *Engine {-	return &Engine{-		Compiler: compiler,-		Store:    store,-		Trace:    trace,+// Namespaces returns all of the namespaces in the Engine.+func (e *Engine) Namespaces() []string {
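Review bot: with Compiler, Store and Trace turned into the unexported fields result, compiler, store and tracing, and NewEngine removed, this hunk leaves no way for code outside the package to construct an Engine; if Loader.Load is meant to be the only constructor, say so in the Engine doc comment, and note there that the zero value is not usable because the accessors dereference the nil result.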

I like the wrapping of all these utilities in a single struct! Definitely will make policy handling a lot easier in the code base!

jpreese

comment created time in 16 days
