Add policy name when computing policy arguments (#2289)

Signed-off-by: Rafał Kuć <[email protected]>
Signed-off-by: Rafał Kuć <[email protected]>
Co-authored-by: Miguel Martinez Trivino <[email protected]>

Author: gr0

app/cli/internal/action/attestation_init.go

@@ -316,7 +316,7 @@ func getGroupMaterialsToAdd(group *v1.PolicyGroup, pgAtt *v1.PolicyGroupAttachme
 // translates materials and interpolates material names
 func groupMaterialToCraftingSchemaMaterial(gm *v1.PolicyGroup_Material, group *v1.PolicyGroup, pgAtt *v1.PolicyGroupAttachment, logger *zerolog.Logger) (*v1.CraftingSchema_Material, error) {
 	// Validates and computes arguments
-	args, err := policies.ComputeArguments(group.GetSpec().GetInputs(), pgAtt.GetWith(), nil, logger)
+	args, err := policies.ComputeArguments(group.GetMetadata().GetName(), group.GetSpec().GetInputs(), pgAtt.GetWith(), nil, logger)
 	if err != nil {
 		return nil, err
 	}

pkg/policies/policies.go

@@ -140,7 +140,7 @@ func (pv *PolicyVerifier) evaluatePolicyAttachment(ctx context.Context, attachme
 		pv.logger.Debug().Msgf("evaluating policy %s against attestation", policy.Metadata.Name)
 	}
 
-	args, err := ComputeArguments(policy.GetSpec().GetInputs(), attachment.GetWith(), opts.bindings, pv.logger)
+	args, err := ComputeArguments(policy.GetMetadata().GetName(), policy.GetSpec().GetInputs(), attachment.GetWith(), opts.bindings, pv.logger)
 	if err != nil {
 		return nil, NewPolicyError(err)
 	}
@@ -215,7 +215,7 @@ func (pv *PolicyVerifier) evaluatePolicyAttachment(ctx context.Context, attachme
 }
 
 // ComputeArguments takes a list of arguments, and matches it against the expected inputs. It also applies a set of interpolations if needed.
-func ComputeArguments(inputs []*v1.PolicyInput, args map[string]string, bindings map[string]string, logger *zerolog.Logger) (map[string]string, error) {
+func ComputeArguments(name string, inputs []*v1.PolicyInput, args map[string]string, bindings map[string]string, logger *zerolog.Logger) (map[string]string, error) {
 	result := make(map[string]string)
 
 	// Policies without inputs in the spec
@@ -263,7 +263,7 @@ func ComputeArguments(inputs []*v1.PolicyInput, args map[string]string, bindings
 			return input.Name == k
 		})
 		if !expected {
-			logger.Warn().Msgf("argument %q will be ignored", k)
+			logger.Warn().Msgf("argument %q not defined in policy %q spec, ignoring it", k, name)
 			continue
 		}
 		value, err := templates.ApplyBinding(v, bindings)

pkg/policies/policies_test.go

@@ -814,22 +814,25 @@ func (s *testSuite) TestGetInputArguments() {
 
 func (s *testSuite) TestComputePolicyArguments() {
 	cases := []struct {
-		name      string
-		inputs    []*v12.PolicyInput
-		args      map[string]string
-		bindings  map[string]string
-		expected  map[string]string
-		expectErr bool
-		errMsg    string
+		name       string
+		policyName string
+		inputs     []*v12.PolicyInput
+		args       map[string]string
+		bindings   map[string]string
+		expected   map[string]string
+		expectErr  bool
+		errMsg     string
 	}{
 		{
-			name:     "all args passed when no inputs present",
-			inputs:   nil,
-			args:     map[string]string{"arg1": "value1", "arg2": "value2"},
-			expected: map[string]string{"arg1": "value1", "arg2": "value2"},
+			name:       "all args passed when no inputs present",
+			policyName: "test-policy",
+			inputs:     nil,
+			args:       map[string]string{"arg1": "value1", "arg2": "value2"},
+			expected:   map[string]string{"arg1": "value1", "arg2": "value2"},
 		},
 		{
-			name: "required inputs",
+			name:       "required inputs",
+			policyName: "test-policy",
 			inputs: []*v12.PolicyInput{{
 				Name:     "arg1",
 				Required: true,
@@ -839,7 +842,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 			errMsg:    "missing required input \"arg1\"",
 		},
 		{
-			name: "default values are set",
+			name:       "default values are set",
+			policyName: "test-policy",
 			inputs: []*v12.PolicyInput{{
 				Name:    "arg1",
 				Default: "value1",
@@ -851,7 +855,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 			expected: map[string]string{"arg1": "value1", "arg2": "value2"},
 		},
 		{
-			name: "unexpected arguments are ignored",
+			name:       "unexpected arguments are ignored",
+			policyName: "test-policy",
 			inputs: []*v12.PolicyInput{{
 				Name:    "arg1",
 				Default: "value1",
@@ -862,7 +867,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 			expected: map[string]string{"arg1": "value1"},
 		},
 		{
-			name: "expected arguments with values are respected",
+			name:       "expected arguments with values are respected",
+			policyName: "test-policy",
 			inputs: []*v12.PolicyInput{{
 				Name:    "arg1",
 				Default: "value1",
@@ -873,7 +879,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 			expected: map[string]string{"arg1": "value1", "arg2": "value2"},
 		},
 		{
-			name: "simple bindings",
+			name:       "simple bindings",
+			policyName: "test-policy",
 			inputs: []*v12.PolicyInput{{
 				Name: "arg1",
 			}},
@@ -882,7 +889,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 			expected: map[string]string{"arg1": "Hello world"},
 		},
 		{
-			name: "multiple bindings",
+			name:       "multiple bindings",
+			policyName: "test-policy",
 			inputs: []*v12.PolicyInput{{
 				Name: "arg1",
 			}, {
@@ -893,7 +901,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 			expected: map[string]string{"arg1": "Hello world template", "arg2": "Bye template"},
 		},
 		{
-			name: "no variable found in bindings, renders zero value",
+			name:       "no variable found in bindings, renders zero value",
+			policyName: "test-policy",
 			inputs: []*v12.PolicyInput{{
 				Name: "arg1",
 			}},
@@ -902,7 +911,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 			expected: map[string]string{"arg1": "Hello "},
 		},
 		{
-			name: "no interpolation needed",
+			name:       "no interpolation needed",
+			policyName: "test-policy",
 			inputs: []*v12.PolicyInput{{
 				Name: "arg1",
 			}},
@@ -911,7 +921,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 			expected: map[string]string{"arg1": "Hello world"},
 		},
 		{
-			name: "required and default is illegal",
+			name:       "required and default is illegal",
+			policyName: "test-policy",
 			inputs: []*v12.PolicyInput{{
 				Name:     "arg1",
 				Required: true,
@@ -922,7 +933,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 			errMsg:    "input arg1 can not be required and have a default at the same time",
 		},
 		{
-			name: "inputs prefix without dot",
+			name:       "inputs prefix without dot",
+			policyName: "test-policy",
 			inputs: []*v12.PolicyInput{{
 				Name: "arg1",
 			}, {
@@ -933,7 +945,8 @@ func (s *testSuite) TestComputePolicyArguments() {
 			expected: map[string]string{"arg1": "Hello world template", "arg2": "Bye template"},
 		},
 		{
-			name: "required input with missing binding",
+			name:       "required input with missing binding",
+			policyName: "test-policy",
 			inputs: []*v12.PolicyInput{{
 				Name:     "arg1",
 				Required: true,
@@ -945,7 +958,7 @@ func (s *testSuite) TestComputePolicyArguments() {
 
 	for _, tc := range cases {
 		s.Run(tc.name, func() {
-			computed, err := ComputeArguments(tc.inputs, tc.args, tc.bindings, &s.logger)
+			computed, err := ComputeArguments(tc.policyName, tc.inputs, tc.args, tc.bindings, &s.logger)
 			if tc.expectErr {
 				s.Error(err)
 				s.Contains(err.Error(), tc.errMsg)

pkg/policies/policy_groups.go

@@ -62,7 +62,7 @@ func (pgv *PolicyGroupVerifier) VerifyMaterial(ctx context.Context, material *ap
 		}
 
 		// matches group arguments against spec and apply defaults
-		groupArgs, err := ComputeArguments(group.GetSpec().GetInputs(), groupAtt.GetWith(), nil, pgv.logger)
+		groupArgs, err := ComputeArguments(group.GetMetadata().GetName(), group.GetSpec().GetInputs(), groupAtt.GetWith(), nil, pgv.logger)
 		if err != nil {
 			return nil, NewPolicyError(err)
 		}
@@ -121,7 +121,7 @@ func (pgv *PolicyGroupVerifier) VerifyStatement(ctx context.Context, statement *
 			continue
 		}
 		// compute group arguments
-		groupArgs, err := ComputeArguments(group.GetSpec().GetInputs(), groupAtt.GetWith(), nil, pgv.logger)
+		groupArgs, err := ComputeArguments(group.GetMetadata().GetName(), group.GetSpec().GetInputs(), groupAtt.GetWith(), nil, pgv.logger)
 		if err != nil {
 			return nil, NewPolicyError(err)
 		}