Merge pull request #2945 from joejstuart/compare-ecp-specs

feat(equivalence): Compare EnterpriseContractPolicy specs

Author: joejstuart

cmd/compare/README.md

@@ -0,0 +1,194 @@
+// Copyright The Conforma Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package compare
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"time"
+
+	ecc "github.com/conforma/crds/api/v1alpha1"
+	"github.com/spf13/cobra"
+	"sigs.k8s.io/yaml"
+
+	"github.com/conforma/cli/internal/policy/equivalence"
+)
+
+var (
+	effectiveTime string
+	imageDigest   string
+	imageRef      string
+	imageURL      string
+	outputFormat  string
+)
+
+var CompareCmd *cobra.Command
+
+func init() {
+	CompareCmd = NewCompareCmd()
+}
+
+func NewCompareCmd() *cobra.Command {
+	compareCmd := &cobra.Command{
+		Use:   "compare <policy1> <policy2>",
+		Short: "Compare two Conforma Policy specs for equivalence",
+		Long: `Compare two Conforma Policy specs to determine if they would
+produce the same evaluation result for a given image at a specific time.
+
+The comparison is based on:
+- Policy and data source URIs (treated as sets)
+- RuleData content (canonicalized JSON comparison)
+- Include/exclude matchers (normalized and deduplicated)
+- Active volatile configuration (filtered by effective time and image matching)
+- Global configuration merging
+
+Examples:
+  # Compare two policy files
+  ec compare policy1.yaml policy2.yaml
+
+  # Compare with specific effective time
+  ec compare policy1.yaml policy2.yaml --effective-time "2024-01-15T12:00:00Z"
+
+  # Compare with image information for volatile config matching
+  ec compare policy1.yaml policy2.yaml --image-digest "sha256:abc123" --image-ref "registry.redhat.io/ubi8/ubi:latest"
+
+  # Compare with JSON output
+  ec compare policy1.yaml policy2.yaml --output json`,
+		Args: cobra.ExactArgs(2),
+		RunE: runCompare,
+	}
+
+	compareCmd.Flags().StringVar(&effectiveTime, "effective-time", "now", "Effective time for policy evaluation (RFC3339 format, 'now')")
+	compareCmd.Flags().StringVar(&imageDigest, "image-digest", "", "Image digest for volatile config matching")
+	compareCmd.Flags().StringVar(&imageRef, "image-ref", "", "Image reference for volatile config matching")
+	compareCmd.Flags().StringVar(&imageURL, "image-url", "", "Image URL for volatile config matching")
+	compareCmd.Flags().StringVar(&outputFormat, "output", "text", "Output format (text, json)")
+
+	return compareCmd
+}
+
+func runCompare(cmd *cobra.Command, args []string) error {
+
+	// Parse effective time
+	var effectiveTimeValue time.Time
+	switch effectiveTime {
+	case "now":
+		effectiveTimeValue = time.Now().UTC()
+	case "attestation":
+		// For now, use current time as default for attestation time
+		effectiveTimeValue = time.Now().UTC()
+	default:
+		var err error
+		effectiveTimeValue, err = time.Parse(time.RFC3339, effectiveTime)
+		if err != nil {
+			return fmt.Errorf("invalid effective time format: %w", err)
+		}
+	}
+
+	// Create image info if provided
+	var imageInfo *equivalence.ImageInfo
+	if imageDigest != "" || imageRef != "" || imageURL != "" {
+		imageInfo = &equivalence.ImageInfo{
+			Digest: imageDigest,
+			Ref:    imageRef,
+			URL:    imageURL,
+		}
+	}
+
+	// Load first policy
+	spec1, err := loadPolicySpec(args[0])
+	if err != nil {
+		return fmt.Errorf("failed to load first policy: %w", err)
+	}
+
+	// Load second policy
+	spec2, err := loadPolicySpec(args[1])
+	if err != nil {
+		return fmt.Errorf("failed to load second policy: %w", err)
+	}
+
+	// Create equivalence checker
+	checker := equivalence.NewEquivalenceChecker(effectiveTimeValue, imageInfo)
+
+	// Compare policies
+	equivalent, err := checker.AreEquivalent(spec1, spec2)
+	if err != nil {
+		return fmt.Errorf("failed to compare policies: %w", err)
+	}
+
+	// Output result
+	if outputFormat == "json" {
+		result := map[string]interface{}{
+			"equivalent":     equivalent,
+			"effective_time": effectiveTimeValue.Format(time.RFC3339),
+			"policy1":        args[0],
+			"policy2":        args[1],
+		}
+		if imageInfo != nil {
+			result["image_info"] = imageInfo
+		}
+		encoder := json.NewEncoder(os.Stdout)
+		encoder.SetIndent("", "  ")
+		return encoder.Encode(result)
+	}
+
+	// Text output
+	if equivalent {
+		fmt.Println("✅ Policies are equivalent")
+	} else {
+		fmt.Println("❌ Policies are not equivalent")
+	}
+
+	fmt.Printf("Effective time: %s\n", effectiveTimeValue.Format(time.RFC3339))
+	if imageInfo != nil {
+		fmt.Printf("Image digest: %s\n", imageInfo.Digest)
+		fmt.Printf("Image ref: %s\n", imageInfo.Ref)
+		fmt.Printf("Image URL: %s\n", imageInfo.URL)
+	}
+
+	return nil
+}
+
+func loadPolicySpec(policyRef string) (ecc.EnterpriseContractPolicySpec, error) {
+	content, err := os.ReadFile(policyRef)
+	if err != nil {
+		return ecc.EnterpriseContractPolicySpec{}, fmt.Errorf("failed to read policy file %q: %w", policyRef, err)
+	}
+
+	var ecp ecc.EnterpriseContractPolicy
+	if err := yaml.Unmarshal(content, &ecp); err != nil {
+		// If parsing as EnterpriseContractPolicy fails, try as EnterpriseContractPolicySpec
+		var spec ecc.EnterpriseContractPolicySpec
+		if err := yaml.Unmarshal(content, &spec); err != nil {
+			return ecc.EnterpriseContractPolicySpec{}, fmt.Errorf("unable to parse EnterpriseContractPolicySpec: %w", err)
+		}
+		return spec, nil
+	}
+
+	// Check if this is actually a valid CRD (has required fields)
+	if ecp.APIVersion == "" || ecp.Kind == "" {
+		// This is not a valid CRD, try parsing as EnterpriseContractPolicySpec
+		var spec ecc.EnterpriseContractPolicySpec
+		if err := yaml.Unmarshal(content, &spec); err != nil {
+			return ecc.EnterpriseContractPolicySpec{}, fmt.Errorf("unable to parse EnterpriseContractPolicySpec: %w", err)
+		}
+		return spec, nil
+	}
+
+	return ecp.Spec, nil
+}

cmd/compare/compare.go

@@ -22,6 +22,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	"github.com/conforma/cli/cmd/compare"
 	"github.com/conforma/cli/cmd/fetch"
 	"github.com/conforma/cli/cmd/initialize"
 	"github.com/conforma/cli/cmd/inspect"
@@ -56,6 +57,7 @@ func init() {
 }
 
 func AddCommandsTo(cmd *cobra.Command) {
+	cmd.AddCommand(compare.CompareCmd)
 	cmd.AddCommand(fetch.FetchCmd)
 	cmd.AddCommand(initialize.InitCmd)
 	cmd.AddCommand(inspect.InspectCmd)

cmd/root.go

@@ -0,0 +1,59 @@
+= ec compare
+
+Compare two Conforma Policy specs for equivalence
+
+== Synopsis
+
+Compare two Conforma Policy specs to determine if they would
+produce the same evaluation result for a given image at a specific time.
+
+The comparison is based on:
+- Policy and data source URIs (treated as sets)
+- RuleData content (canonicalized JSON comparison)
+- Include/exclude matchers (normalized and deduplicated)
+- Active volatile configuration (filtered by effective time and image matching)
+- Global configuration merging
+
+Examples:
+  # Compare two policy files
+  ec compare policy1.yaml policy2.yaml
+
+  # Compare with specific effective time
+  ec compare policy1.yaml policy2.yaml --effective-time "2024-01-15T12:00:00Z"
+
+  # Compare with image information for volatile config matching
+  ec compare policy1.yaml policy2.yaml --image-digest "sha256:abc123" --image-ref "registry.redhat.io/ubi8/ubi:latest"
+
+  # Compare with JSON output
+  ec compare policy1.yaml policy2.yaml --output json
+[source,shell]
+----
+ec compare <policy1> <policy2> [flags]
+----
+== Options
+
+--effective-time:: Effective time for policy evaluation (RFC3339 format, 'now') (Default: now)
+-h, --help:: help for compare (Default: false)
+--image-digest:: Image digest for volatile config matching
+--image-ref:: Image reference for volatile config matching
+--image-url:: Image URL for volatile config matching
+--output:: Output format (text, json) (Default: text)
+
+== Options inherited from parent commands
+
+--debug:: same as verbose but also show function names and line numbers (Default: false)
+--kubeconfig:: path to the Kubernetes config file to use
+--logfile:: file to write the logging output. If not specified logging output will be written to stderr
+--quiet:: less verbose output (Default: false)
+--retry-duration:: base duration for exponential backoff calculation (Default: 1s)
+--retry-factor:: exponential backoff multiplier (Default: 2)
+--retry-jitter:: randomness factor for backoff calculation (0.0-1.0) (Default: 0.1)
+--retry-max-retry:: maximum number of retry attempts (Default: 3)
+--retry-max-wait:: maximum wait time between retries (Default: 3s)
+--timeout:: max overall execution duration (Default: 5m0s)
+--trace:: enable trace logging, set one or more comma separated values: none,all,perf,cpu,mem,opa,log (Default: none)
+--verbose:: more verbose output (Default: false)
+
+== See also
+
+ * xref:ec.adoc[ec - Conforma CLI]

docs/modules/ROOT/pages/ec_compare.adoc

@@ -1,5 +1,6 @@
 * xref:reference.adoc[Command Reference]
 ** xref:ec.adoc[ec]
+** xref:ec_compare.adoc[ec compare]
 ** xref:ec_fetch.adoc[ec fetch]
 ** xref:ec_fetch_policy.adoc[ec fetch policy]
 ** xref:ec_init.adoc[ec init]

docs/modules/ROOT/partials/cli_nav.adoc

@@ -7,9 +7,9 @@ require (
 	github.com/CycloneDX/cyclonedx-go v0.9.2
 	github.com/MakeNowJust/heredoc v1.0.0
 	github.com/Maldris/go-billy-afero v0.0.0-20200815120323-e9d3de59c99a
+	github.com/conforma/crds/api v0.1.0
 	github.com/conforma/go-gather v1.0.2
 	github.com/docker/docker v28.2.2+incompatible
-	github.com/conforma/crds/api v0.1.0
 	github.com/evanphx/json-patch v5.9.0+incompatible
 	github.com/gkampitakis/go-snaps v0.5.7
 	github.com/go-git/go-git/v5 v5.13.2
@@ -62,6 +62,8 @@ require (
 // use forked version until we can get the fixes merged see https://github.com/conforma/go-containerregistry/blob/main/hack/ec-patches.sh for a list of patches we carry
 replace github.com/google/go-containerregistry => github.com/conforma/go-containerregistry v0.20.7-0.20250703195040-6f40a3734728
 
+require github.com/go-openapi/runtime v0.28.0
+
 require (
 	cel.dev/expr v0.20.0 // indirect
 	cloud.google.com/go v0.116.0 // indirect
@@ -202,7 +204,6 @@ require (
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/loads v0.22.0 // indirect
-	github.com/go-openapi/runtime v0.28.0 // indirect
 	github.com/go-openapi/spec v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect

go.mod

@@ -438,8 +438,6 @@ github.com/emicklei/proto v1.14.0 h1:WYxC0OrBuuC+FUCTZvb8+fzEHdZMwLEF+OnVfZA3LXU
 github.com/emicklei/proto v1.14.0/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
-github.com/enterprise-contract/enterprise-contract-controller/api v0.1.112 h1:4/PBvqANhDiJgpzOZG/zCj7Gl6jtsaMFRwCiFF2KNOg=
-github.com/enterprise-contract/enterprise-contract-controller/api v0.1.112/go.mod h1:YfIsqAmIc3ncPfxOw6LEsngWdeAVSO+V7svjoNpxyKs=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=

go.sum

@@ -0,0 +1,83 @@
+// Copyright The Conforma Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package equivalence
+
+import (
+	"bytes"
+	"encoding/json"
+	"sort"
+)
+
+// marshalCanonical creates deterministic JSON by sorting map keys at every level
+func marshalCanonical(v any) ([]byte, error) {
+	var buf bytes.Buffer
+	if err := encodeCanonical(&buf, v); err != nil {
+		return nil, err
+	}
+	return buf.Bytes(), nil
+}
+
+// encodeCanonical recursively encodes JSON with sorted keys for deterministic output
+func encodeCanonical(buf *bytes.Buffer, v any) error {
+	switch x := v.(type) {
+	case map[string]any:
+		// Sort keys to ensure deterministic output
+		keys := make([]string, 0, len(x))
+		for k := range x {
+			keys = append(keys, k)
+		}
+		sort.Strings(keys)
+
+		buf.WriteByte('{')
+		for i, k := range keys {
+			if i > 0 {
+				buf.WriteByte(',')
+			}
+			// Encode key (always a string, so use standard JSON encoding)
+			keyBytes, err := json.Marshal(k)
+			if err != nil {
+				return err
+			}
+			buf.Write(keyBytes)
+			buf.WriteByte(':')
+			// Recursively encode value
+			if err := encodeCanonical(buf, x[k]); err != nil {
+				return err
+			}
+		}
+		buf.WriteByte('}')
+	case []any:
+		buf.WriteByte('[')
+		for i, item := range x {
+			if i > 0 {
+				buf.WriteByte(',')
+			}
+			if err := encodeCanonical(buf, item); err != nil {
+				return err
+			}
+		}
+		buf.WriteByte(']')
+	default:
+		// For scalars (numbers, strings, bool, null), use standard JSON encoding
+		b, err := json.Marshal(x)
+		if err != nil {
+			return err
+		}
+		buf.Write(b)
+	}
+	return nil
+}