revision: add complete-bundle hash as input.bundle.hash

Computed on demand only, like the other hashes. This is for users
that only need a stable revision, without combining existing sources'
hashes, for example because there are too many of them to be convenient.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

Author: srenatus

e2e/cli/build_revision_bundle_hash.txtar

@@ -0,0 +1,27 @@
+# Test revision using input.bundle.hash
+exec $OPACTL build --config config.d/bundle.yml --data-dir tmp
+stderr '^1/1 bundles built and pushed successfully$'
+! stdout .
+
+exec tar xf bundles/hello-world/bundle.tar.gz /.manifest
+cmp .manifest exp_manifest
+
+-- config.d/bundle.yml --
+bundles:
+  hello-world:
+    object_storage:
+      filesystem:
+        path: bundles/hello-world/bundle.tar.gz
+    requirements:
+    - source: http-data
+    revision: 'input.bundle.hash'
+sources:
+  http-data:
+    datasources:
+    - type: http
+      name: users
+      path: users
+      config:
+        url: http://${HTTP_ENDPOINT}/users
+-- exp_manifest --
+{"revision":"0aa9261ac4e2c8c267a28b261acd98a17607b504bf2c9b51cddeb7dec7c750bb","roots":["users"],"rego_version":0}

internal/fs/hash.go

@@ -4,8 +4,8 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"io"
+	"io/fs"
 	"os"
-	"path/filepath"
 	"sort"
 )
 
@@ -14,18 +14,21 @@ import (
 // (null-terminated) followed by its contents to the hash. An empty directory produces
 // the hash of an empty input.
 func HashDirectory(root string) (string, error) {
+	return HashFS(os.DirFS(root))
+}
+
+// HashFS computes a deterministic SHA-256 hash over all files in an fs.FS.
+// Files are sorted by path, each contributing its path (null-terminated)
+// followed by its contents.
+func HashFS(fsys fs.FS) (string, error) {
 	var files []string
 
-	err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error {
+	err := fs.WalkDir(fsys, ".", func(path string, d fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
 		if !d.IsDir() {
-			relPath, err := filepath.Rel(root, path)
-			if err != nil {
-				return err
-			}
-			files = append(files, relPath)
+			files = append(files, path)
 		}
 		return nil
 	})
@@ -40,8 +43,7 @@ func HashDirectory(root string) (string, error) {
 		h.Write([]byte(file))
 		h.Write([]byte{0})
 
-		fullPath := filepath.Join(root, file)
-		f, err := os.Open(fullPath)
+		f, err := fsys.Open(file)
 		if err != nil {
 			return "", err
 		}

internal/fs/hash_test.go

@@ -4,6 +4,7 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
+	"testing/fstest"
 )
 
 func TestHashDirectory(t *testing.T) {
@@ -118,3 +119,120 @@ func TestHashDirectory(t *testing.T) {
 		}
 	})
 }
+
+func TestHashFS(t *testing.T) {
+	t.Run("empty fs", func(t *testing.T) {
+		fsys := fstest.MapFS{}
+
+		hash, err := HashFS(fsys)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if hash != "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" {
+			t.Fatalf("unexpected hash for empty fs: %s", hash)
+		}
+	})
+
+	t.Run("single file", func(t *testing.T) {
+		fsys := fstest.MapFS{
+			"data.json": &fstest.MapFile{Data: []byte(`{"key":"value"}`)},
+		}
+
+		hash, err := HashFS(fsys)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if len(hash) != 64 {
+			t.Fatalf("expected 64-char hex hash, got %d chars: %s", len(hash), hash)
+		}
+	})
+
+	t.Run("deterministic", func(t *testing.T) {
+		fs1 := fstest.MapFS{
+			"a.json":     &fstest.MapFile{Data: []byte(`{"a":1}`)},
+			"sub/b.json": &fstest.MapFile{Data: []byte(`{"b":2}`)},
+		}
+		fs2 := fstest.MapFS{
+			"a.json":     &fstest.MapFile{Data: []byte(`{"a":1}`)},
+			"sub/b.json": &fstest.MapFile{Data: []byte(`{"b":2}`)},
+		}
+
+		hash1, err := HashFS(fs1)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		hash2, err := HashFS(fs2)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if hash1 != hash2 {
+			t.Fatalf("expected identical hashes, got %s and %s", hash1, hash2)
+		}
+	})
+
+	t.Run("matches HashDirectory", func(t *testing.T) {
+		dir := t.TempDir()
+		if err := os.WriteFile(filepath.Join(dir, "data.json"), []byte(`{"key":"value"}`), 0644); err != nil {
+			t.Fatal(err)
+		}
+
+		dirHash, err := HashDirectory(dir)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		fsys := fstest.MapFS{
+			"data.json": &fstest.MapFile{Data: []byte(`{"key":"value"}`)},
+		}
+		fsHash, err := HashFS(fsys)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+
+		if dirHash != fsHash {
+			t.Fatalf("HashDirectory and HashFS produced different hashes: %s vs %s", dirHash, fsHash)
+		}
+	})
+
+	t.Run("different content produces different hash", func(t *testing.T) {
+		fs1 := fstest.MapFS{
+			"data.json": &fstest.MapFile{Data: []byte(`{"a":1}`)},
+		}
+		fs2 := fstest.MapFS{
+			"data.json": &fstest.MapFile{Data: []byte(`{"a":2}`)},
+		}
+
+		hash1, err := HashFS(fs1)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		hash2, err := HashFS(fs2)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if hash1 == hash2 {
+			t.Fatal("expected different hashes for different content")
+		}
+	})
+
+	t.Run("different filenames produce different hash", func(t *testing.T) {
+		fs1 := fstest.MapFS{
+			"a.json": &fstest.MapFile{Data: []byte(`same`)},
+		}
+		fs2 := fstest.MapFS{
+			"b.json": &fstest.MapFile{Data: []byte(`same`)},
+		}
+
+		hash1, err := HashFS(fs1)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		hash2, err := HashFS(fs2)
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if hash1 == hash2 {
+			t.Fatal("expected different hashes for different filenames")
+		}
+	})
+}

pkg/builder/builder.go

@@ -170,6 +170,7 @@ type Builder struct {
 	target            string
 	optimizationLevel int
 	revision          string
+	revisionFunc      func(fs.FS) (string, error)
 }
 
 func New() *Builder {
@@ -206,6 +207,13 @@ func (b *Builder) WithRevision(revision string) *Builder {
 	return b
 }
 
+// WithRevisionFunc sets a function to compute the revision from the assembled
+// bundle filesystem. It is called after FS assembly and before compilation.
+func (b *Builder) WithRevisionFunc(fn func(fs.FS) (string, error)) *Builder {
+	b.revisionFunc = fn
+	return b
+}
+
 type PackageConflictErr struct {
 	Requirement *Source
 	Package     *ast.Package
@@ -384,6 +392,14 @@ func (b *Builder) Build(ctx context.Context) error {
 	fsBuild := mountfs.New(buildSources.fs())
 	paths := slices.Collect(maps.Keys(fsBuild))
 
+	if b.revisionFunc != nil {
+		revision, err := b.revisionFunc(fsBuild)
+		if err != nil {
+			return fmt.Errorf("revision: %w", err)
+		}
+		b.revision = revision
+	}
+
 	target := cmp.Or(b.target, "rego")
 	if target == "ir" { // fix naming convention
 		target = "plan"

pkg/service/revision.go

@@ -19,20 +19,27 @@ type ReferencedSource struct {
 	Fields     []string // e.g., ["hashsum"], ["commit"]
 }
 
-func ExtractRevisionRefs(revision string) ([]ReferencedSource, error) {
+func ExtractRevisionRefs(revision string) ([]ReferencedSource, bool, error) {
 	if revision == "" {
-		return nil, nil
+		return nil, false, nil
 	}
 
 	query, err := ast.ParseExpr(revision)
 	if err != nil {
-		return nil, fmt.Errorf("invalid rego query: %w", err)
+		return nil, false, fmt.Errorf("invalid rego query: %w", err)
 	}
 
 	sourcesRef := ast.InputRootRef.Append(ast.StringTerm("sources"))
+	bundleRef := ast.InputRootRef.Append(ast.StringTerm("bundle"))
 	references := make(map[string]map[string]bool)
+	needsBundleHash := false
 
 	ast.WalkRefs(query, func(ref ast.Ref) bool {
+		if ref.HasPrefix(bundleRef) {
+			needsBundleHash = true
+			return false
+		}
+
 		if !ref.HasPrefix(sourcesRef) || len(ref) < 4 {
 			return false
 		}
@@ -64,33 +71,38 @@ func ExtractRevisionRefs(revision string) ([]ReferencedSource, error) {
 		})
 	}
 
-	return result, nil
+	return result, needsBundleHash, nil
 }
 
 // ResolveRevision evaluates a Rego revision expression with the given source metadata
 // and returns the final revision string.
-func ResolveRevision(ctx context.Context, revision string, sourceMetadata map[string]map[string]any) (string, error) {
+func ResolveRevision(ctx context.Context, revision string, sourceMetadata map[string]map[string]any, bundleHash string) (string, error) {
 	if revision == "" {
 		return "", nil
 	}
 
 	input := map[string]any{
 		"sources": sourceMetadata,
 	}
+	if bundleHash != "" {
+		input["bundle"] = map[string]any{
+			"hash": bundleHash,
+		}
+	}
 
 	query, err := ast.ParseExpr(revision)
 	if err != nil {
 		return "", fmt.Errorf("invalid rego query: %w", err)
 	}
 
-	result, err := evaluateRego(ctx, query, input, sourceMetadata)
+	result, err := evaluateRego(ctx, query, input, sourceMetadata, bundleHash)
 	if err != nil {
 		return "", fmt.Errorf("failed to resolve revision: %w", err)
 	}
 	return result, nil
 }
 
-func buildInputSchema(sourceMetadata map[string]map[string]any) *ast.SchemaSet {
+func buildInputSchema(sourceMetadata map[string]map[string]any, bundleHash string) *ast.SchemaSet {
 	sourceSchema := map[string]any{
 		"type": "object",
 		"properties": map[string]any{
@@ -127,21 +139,37 @@ func buildInputSchema(sourceMetadata map[string]map[string]any) *ast.SchemaSet {
 	}
 
 	schemas := ast.NewSchemaSet()
-	schemas.Put(ast.SchemaRootRef, map[string]any{
-		"$schema": "http://json-schema.org/draft-07/schema",
-		"type":    "object",
-		"properties": map[string]any{
-			"sources": map[string]any{
-				"type":       "object",
-				"properties": sourceProps,
-			},
+
+	properties := map[string]any{
+		"sources": map[string]any{
+			"type":       "object",
+			"properties": sourceProps,
 		},
-		"required": []string{"sources"},
+	}
+	if bundleHash != "" {
+		properties["bundle"] = map[string]any{
+			"type": "object",
+			"properties": map[string]any{
+				"hash": map[string]any{"type": "string"},
+			},
+		}
+	}
+
+	required := []string{"sources"}
+	if bundleHash != "" {
+		required = append(required, "bundle")
+	}
+
+	schemas.Put(ast.SchemaRootRef, map[string]any{
+		"$schema":    "http://json-schema.org/draft-07/schema",
+		"type":       "object",
+		"properties": properties,
+		"required":   required,
 	})
 	return schemas
 }
 
-func evaluateRego(ctx context.Context, query *ast.Expr, input map[string]any, sourceMetadata map[string]map[string]any) (string, error) {
+func evaluateRego(ctx context.Context, query *ast.Expr, input map[string]any, sourceMetadata map[string]map[string]any, bundleHash string) (string, error) {
 	opts := []func(*rego.Rego){
 		rego.ParsedQuery([]*ast.Expr{query}),
 		rego.Strict(true),
@@ -152,8 +180,11 @@ func evaluateRego(ctx context.Context, query *ast.Expr, input map[string]any, so
 		opts = append(opts, rego.Input(input))
 	}
 
-	if sourceMetadata != nil {
-		opts = append(opts, rego.Schemas(buildInputSchema(sourceMetadata)))
+	if sourceMetadata != nil || bundleHash != "" {
+		if sourceMetadata == nil {
+			sourceMetadata = make(map[string]map[string]any)
+		}
+		opts = append(opts, rego.Schemas(buildInputSchema(sourceMetadata, bundleHash)))
 	}
 
 	rs, err := rego.New(opts...).Eval(ctx)