Merge pull request #1624 from joejstuart/volatile-config-warnings

Volatile config warnings

Author: robnester-rh

antora/docs/modules/ROOT/pages/packages/release_volatile_config.adoc

@@ -0,0 +1,69 @@
+= Volatile Configuration Warnings Package
+
+This package generates warnings for volatile configuration rules that have lifecycle events requiring attention. Volatile config rules can include or exclude policy rules with time-based constraints (effectiveOn/effectiveUntil). Warnings help users proactively manage rule expirations and activations. The optional `reference` field in volatile criteria can be used to link to related documentation (e.g., Jira issues) but is not included in warnings.
+
+== Package Name
+
+* `volatile_config`
+
+== Rules Included
+
+[#volatile_config__expiring_rule]
+=== link:#volatile_config__expiring_rule[Volatile rule expiring soon]
+
+Generates a warning when a volatile configuration rule will expire within the configured warning threshold (default 30 days). This provides advance notice to extend or replace the rule before it expires.
+
+*Solution*: Review the volatile configuration rule and decide whether to extend its effectiveUntil date or remove it. If the rule is no longer needed, you can safely let it expire.
+
+* Rule type: [rule-type-indicator warning]#WARNING#
+* WARNING message: `Volatile %s rule '%s' expires in %d days (effective until: %s)`
+* Code: `volatile_config.expiring_rule`
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/volatile_config/volatile_config.rego#L59[Source, window="_blank"]
+
+[#volatile_config__expired_rule]
+=== link:#volatile_config__expired_rule[Volatile rule has expired]
+
+Generates a warning when a volatile configuration rule has passed its effectiveUntil date. Expired rules are no longer active and should be removed from the policy configuration.
+
+*Solution*: Remove the expired volatile configuration rule from your policy. The rule is no longer having any effect and keeping it may cause confusion.
+
+* Rule type: [rule-type-indicator warning]#WARNING#
+* WARNING message: `Volatile %s rule '%s' has expired (effective until: %s)`
+* Code: `volatile_config.expired_rule`
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/volatile_config/volatile_config.rego#L112[Source, window="_blank"]
+
+[#volatile_config__invalid_config]
+=== link:#volatile_config__invalid_config[Volatile rule has invalid configuration]
+
+Generates a warning when a volatile configuration rule has invalid date values that cannot be parsed. This indicates a configuration error that should be corrected.
+
+*Solution*: Correct the date format in the volatile configuration rule. Dates must be in RFC 3339 format (e.g., "2024-12-31T00:00:00Z").
+
+* Rule type: [rule-type-indicator warning]#WARNING#
+* WARNING message: `Volatile %s rule '%s' has invalid date configuration (effectiveOn: %s, effectiveUntil: %s)`
+* Code: `volatile_config.invalid_config`
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/volatile_config/volatile_config.rego#L137[Source, window="_blank"]
+
+[#volatile_config__no_expiration]
+=== link:#volatile_config__no_expiration[Volatile rule has no expiration]
+
+Generates a warning when a volatile configuration rule has no effectiveUntil date set. Rules without expiration dates may accumulate over time and should be periodically reviewed.
+
+*Solution*: Consider adding an effectiveUntil date to the volatile configuration rule to ensure it is reviewed periodically. Permanent exceptions should be documented with justification.
+
+* Rule type: [rule-type-indicator warning]#WARNING#
+* WARNING message: `Volatile %s rule '%s' has no expiration date set`
+* Code: `volatile_config.no_expiration`
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/volatile_config/volatile_config.rego#L86[Source, window="_blank"]
+
+[#volatile_config__pending_rule]
+=== link:#volatile_config__pending_rule[Volatile rule pending activation]
+
+Generates a warning when a volatile configuration rule has an effectiveOn date in the future, indicating it will become active at that time.
+
+*Solution*: This is informational. The volatile configuration rule will automatically become active on the effective date. No action is required unless you want to adjust the activation timing.
+
+* Rule type: [rule-type-indicator warning]#WARNING#
+* WARNING message: `Volatile %s rule '%s' is pending activation (effective on: %s)`
+* Code: `volatile_config.pending_rule`
+* https://github.com/conforma/policy/blob/{page-origin-refhash}/policy/release/volatile_config/volatile_config.rego#L34[Source, window="_blank"]

antora/docs/modules/ROOT/pages/release_policy.adoc

@@ -56,7 +56,12 @@ Rules included:
 * xref:packages/release_slsa_source_correlated.adoc#slsa_source_correlated__attested_source_code_reference[SLSA - Verification model - Source: Source reference]        
 * xref:packages/release_sbom_spdx.adoc#sbom_spdx__valid[SPDX SBOM: Valid]        
 * xref:packages/release_tasks.adoc#tasks__pipeline_has_tasks[Tasks: Pipeline run includes at least one task]        
-* xref:packages/release_tasks.adoc#tasks__successful_pipeline_tasks[Tasks: Successful pipeline tasks]
+* xref:packages/release_tasks.adoc#tasks__successful_pipeline_tasks[Tasks: Successful pipeline tasks]        
+* xref:packages/release_volatile_config.adoc#volatile_config__expiring_rule[Volatile Configuration Warnings: Volatile rule expiring soon]        
+* xref:packages/release_volatile_config.adoc#volatile_config__expired_rule[Volatile Configuration Warnings: Volatile rule has expired]        
+* xref:packages/release_volatile_config.adoc#volatile_config__invalid_config[Volatile Configuration Warnings: Volatile rule has invalid configuration]        
+* xref:packages/release_volatile_config.adoc#volatile_config__no_expiration[Volatile Configuration Warnings: Volatile rule has no expiration]        
+* xref:packages/release_volatile_config.adoc#volatile_config__pending_rule[Volatile Configuration Warnings: Volatile rule pending activation]
 
 | [#policy_data]`policy_data`
 a| Include policy rules responsible for validating rule data.
@@ -214,6 +219,11 @@ Rules included:
 * xref:packages/release_trusted_task.adoc#trusted_task__current[Trusted Task checks: Tasks using the latest versions]        
 * xref:packages/release_trusted_task.adoc#trusted_task__valid_trusted_artifact_inputs[Trusted Task checks: Trusted Artifact produced in pipeline]        
 * xref:packages/release_trusted_task.adoc#trusted_task__trusted_parameters[Trusted Task checks: Trusted parameters]        
+* xref:packages/release_volatile_config.adoc#volatile_config__expiring_rule[Volatile Configuration Warnings: Volatile rule expiring soon]        
+* xref:packages/release_volatile_config.adoc#volatile_config__expired_rule[Volatile Configuration Warnings: Volatile rule has expired]        
+* xref:packages/release_volatile_config.adoc#volatile_config__invalid_config[Volatile Configuration Warnings: Volatile rule has invalid configuration]        
+* xref:packages/release_volatile_config.adoc#volatile_config__no_expiration[Volatile Configuration Warnings: Volatile rule has no expiration]        
+* xref:packages/release_volatile_config.adoc#volatile_config__pending_rule[Volatile Configuration Warnings: Volatile rule pending activation]        
 * xref:packages/release_rpm_ostree_task.adoc#rpm_ostree_task__builder_image_param[rpm-ostree Task: Builder image parameter]        
 * xref:packages/release_rpm_ostree_task.adoc#rpm_ostree_task__rule_data[rpm-ostree Task: Rule data]
 
@@ -470,6 +480,9 @@ a| Conforma requires that each build was subjected to a set of tests and that th
 | xref:packages/release_trusted_task.adoc[trusted_task]
 a| This package is used to verify all the Tekton Tasks involved in building the image are trusted. Trust is established by comparing the Task references found in the SLSA Provenance with a pre-defined list of trusted Tasks, which is expected to be provided as a data source that creates the `data.trusted_tasks` in the format demonstrated at https://github.com/conforma/policy/blob/main/example/data/trusted_tekton_tasks.yml. The list can be extended or customized using the `trusted_tasks` rule data key which is merged into the `trusted_tasks` data.
 
+| xref:packages/release_volatile_config.adoc[volatile_config]
+a| This package generates warnings for volatile configuration rules that have lifecycle events requiring attention. Volatile config rules can include or exclude policy rules with time-based constraints (effectiveOn/effectiveUntil). Warnings help users proactively manage rule expirations and activations. The optional `reference` field in volatile criteria can be used to link to related documentation (e.g., Jira issues) but is not included in warnings.
+
 | xref:packages/release_rpm_ostree_task.adoc[rpm_ostree_task]
 a| This package is responsible for verifying the rpm-ostree Tekton Task was executed with the expected parameters.
 

antora/docs/modules/ROOT/partials/release_policy_nav.adoc

@@ -177,6 +177,12 @@
 **** xref:packages/release_trusted_task.adoc#trusted_task__current[Tasks using the latest versions]
 **** xref:packages/release_trusted_task.adoc#trusted_task__valid_trusted_artifact_inputs[Trusted Artifact produced in pipeline]
 **** xref:packages/release_trusted_task.adoc#trusted_task__trusted_parameters[Trusted parameters]
+*** xref:packages/release_volatile_config.adoc[Volatile Configuration Warnings]
+**** xref:packages/release_volatile_config.adoc#volatile_config__expiring_rule[Volatile rule expiring soon]
+**** xref:packages/release_volatile_config.adoc#volatile_config__expired_rule[Volatile rule has expired]
+**** xref:packages/release_volatile_config.adoc#volatile_config__invalid_config[Volatile rule has invalid configuration]
+**** xref:packages/release_volatile_config.adoc#volatile_config__no_expiration[Volatile rule has no expiration]
+**** xref:packages/release_volatile_config.adoc#volatile_config__pending_rule[Volatile rule pending activation]
 *** xref:packages/release_rpm_ostree_task.adoc[rpm-ostree Task]
 **** xref:packages/release_rpm_ostree_task.adoc#rpm_ostree_task__builder_image_param[Builder image parameter]
 **** xref:packages/release_rpm_ostree_task.adoc#rpm_ostree_task__rule_data[Rule data]

policy/lib/rule_data.rego

@@ -132,6 +132,9 @@ rule_data_defaults := {
 	"trusted_tasks": {},
 	# Number of days before a version of the Task expires that warnings are reported
 	"task_expiry_warning_days": 0,
+	# Number of days before a volatile config rule expires that warnings are reported
+	# Used in release/volatile_config
+	"volatile_config_warning_threshold_days": 30,
 	# The gpg-pubkey RPM does not abide to the rule of a single RPM name being installed.
 	"non_unique_rpm_names": ["gpg-pubkey"],
 }

policy/lib/volatile_config.rego

@@ -0,0 +1,218 @@
+# Copyright The Conforma Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Library functions for evaluating volatile configuration rules and determining
+# warning categories based on lifecycle events (pending activation, expiring soon,
+# no expiration, expired, invalid dates).
+
+package lib
+
+import rego.v1
+
+import data.lib.time as time_lib
+
+# Get configurable warning threshold from rule_data (default defined in rule_data_defaults)
+warning_threshold_days := rule_data("volatile_config_warning_threshold_days")
+
+# Nanoseconds per day constant
+_ns_per_day := 86400000000000
+
+# Calculate days until a rule expires (returns integer days, can be negative if expired)
+days_until_expiration(rule) := days if {
+	until_ns := _get_effective_until_ns(rule)
+	now_ns := time_lib.effective_current_time_ns
+	diff_ns := until_ns - now_ns
+	days := floor(diff_ns / _ns_per_day)
+}
+
+# Check if rule applies to current image/component
+# context is an object with optional fields: imageRef, imageDigest, componentName
+# Returns true if the rule matches based on any of the following criteria:
+# - Global rule (no image/component constraints)
+# - Match by imageRef (DEPRECATED: same as imageDigest, both are digests)
+# - Match by imageUrl prefix (URL without tag)
+# - Match by imageDigest
+# - Match by componentNames
+is_rule_applicable(rule, _) if {
+	# Global rule: no constraints specified
+	object.get(rule, "imageRef", "") == ""
+	object.get(rule, "imageUrl", "") == ""
+	object.get(rule, "imageDigest", "") == ""
+	count(object.get(rule, "componentNames", [])) == 0
+}
+
+is_rule_applicable(rule, context) if {
+	# Match by imageRef (DEPRECATED: same as imageDigest, both are digests)
+	rule_image_ref := object.get(rule, "imageRef", "")
+	rule_image_ref != ""
+	context_digest := object.get(context, "imageDigest", "")
+	rule_image_ref == context_digest
+}
+
+is_rule_applicable(rule, context) if {
+	# Match by imageUrl prefix (URL without tag)
+	rule_image_url := object.get(rule, "imageUrl", "")
+	rule_image_url != ""
+	context_image_ref := object.get(context, "imageRef", "")
+	_image_url_matches(rule_image_url, context_image_ref)
+}
+
+is_rule_applicable(rule, context) if {
+	# Match by imageDigest
+	rule_image_digest := object.get(rule, "imageDigest", "")
+	rule_image_digest != ""
+	context_digest := object.get(context, "imageDigest", "")
+	rule_image_digest == context_digest
+}
+
+is_rule_applicable(rule, context) if {
+	# Match by componentNames
+	component_names := object.get(rule, "componentNames", [])
+	count(component_names) > 0
+	context_component_name := object.get(context, "componentName", "")
+	some name in component_names
+	name == context_component_name
+}
+
+# Determine warning category - check for invalid dates first
+warning_category(rule) := "invalid" if {
+	_is_date_invalid(_get_effective_on(rule))
+}
+
+warning_category(rule) := "invalid" if {
+	_is_date_invalid(_get_effective_until(rule))
+}
+
+# Pending: effectiveOn is in the future
+warning_category(rule) := "pending" if {
+	_is_effective_on_in_future(rule)
+	_is_effective_until_valid_or_empty(rule)
+}
+
+# Expired: effectiveUntil is in the past
+warning_category(rule) := "expired" if {
+	_is_effective_until_expired(rule)
+	_is_effective_on_valid_and_not_future(rule)
+}
+
+# Expiring: effectiveUntil is within the warning threshold
+warning_category(rule) := "expiring" if {
+	_is_effective_until_expiring(rule)
+	_is_effective_on_valid_and_not_future(rule)
+}
+
+# No expiration: rule is active (effectiveOn in past or not set) but has no effectiveUntil
+warning_category(rule) := "no_expiration" if {
+	_get_effective_until(rule) == ""
+	_is_effective_on_active_or_unset(rule)
+}
+
+# =============================================================================
+# Helper functions for date extraction and validation
+# =============================================================================
+
+# Extract effectiveOn date string from rule
+_get_effective_on(rule) := object.get(rule, "effectiveOn", "")
+
+# Extract effectiveUntil date string from rule
+_get_effective_until(rule) := object.get(rule, "effectiveUntil", "")
+
+# Safely parse RFC3339 date, undefined on failure
+_parse_date_safe(date_str) := ns if {
+	date_str != ""
+	ns := time.parse_rfc3339_ns(date_str)
+}
+
+# Check if a date string is invalid (non-empty but unparseable)
+# Empty strings are considered valid (not set, not invalid)
+_is_date_invalid(date_str) if {
+	date_str != ""
+	not _parse_date_safe(date_str)
+}
+
+# Get effectiveOn as nanoseconds, undefined if invalid or empty
+_get_effective_on_ns(rule) := _parse_date_safe(_get_effective_on(rule))
+
+# Get effectiveUntil as nanoseconds, undefined if invalid or empty
+_get_effective_until_ns(rule) := _parse_date_safe(_get_effective_until(rule))
+
+# Check if effectiveOn is in the future
+_is_effective_on_in_future(rule) if {
+	on_ns := _get_effective_on_ns(rule)
+	now_ns := time_lib.effective_current_time_ns
+	on_ns > now_ns
+}
+
+# Check if effectiveOn is active (in the past) or not set
+_is_effective_on_active_or_unset(rule) if {
+	_get_effective_on(rule) == ""
+} else if {
+	on_ns := _get_effective_on_ns(rule)
+	now_ns := time_lib.effective_current_time_ns
+	on_ns <= now_ns
+}
+
+# Check if effectiveOn is valid (if set) and not in the future
+_is_effective_on_valid_and_not_future(rule) if {
+	_get_effective_on(rule) == ""
+} else if {
+	on_ns := _get_effective_on_ns(rule)
+	now_ns := time_lib.effective_current_time_ns
+	on_ns <= now_ns
+}
+
+# Check if effectiveUntil is valid (if set) or empty
+_is_effective_until_valid_or_empty(rule) if {
+	_get_effective_until(rule) == ""
+} else if {
+	_get_effective_until_ns(rule)
+}
+
+# Check if effectiveUntil is expired (in the past)
+_is_effective_until_expired(rule) if {
+	until_ns := _get_effective_until_ns(rule)
+	now_ns := time_lib.effective_current_time_ns
+	until_ns < now_ns
+}
+
+# Check if effectiveUntil is expiring (within warning threshold)
+_is_effective_until_expiring(rule) if {
+	until_ns := _get_effective_until_ns(rule)
+	now_ns := time_lib.effective_current_time_ns
+	until_ns >= now_ns
+	days := days_until_expiration(rule)
+	days <= warning_threshold_days
+}
+
+# Helper: check if imageUrl matches the image reference
+# imageUrl is a URL pattern without tag (e.g., "quay.io/redhat/myimage")
+# image_ref may include tag and/or digest (e.g., "quay.io/redhat/myimage:v1@sha256:...")
+_image_url_matches(url_pattern, image_ref) if {
+	# Extract the repo portion (before any : or @)
+	ref_without_digest := split(image_ref, "@")[0]
+	ref_without_tag := split(ref_without_digest, ":")[0]
+
+	# Check if pattern matches exactly
+	ref_without_tag == url_pattern
+}
+
+_image_url_matches(url_pattern, image_ref) if {
+	ref_without_digest := split(image_ref, "@")[0]
+	ref_without_tag := split(ref_without_digest, ":")[0]
+
+	# Also allow prefix matching for broader scopes (e.g., "quay.io/redhat" matches "quay.io/redhat/myimage")
+	startswith(ref_without_tag, sprintf("%s/", [url_pattern]))
+}