From 550d096cb2167269b13cd6757cedc86b3c951d6b Mon Sep 17 00:00:00 2001 From: tegwick Date: Sun, 17 May 2026 05:30:40 +0200 Subject: [PATCH] Implement policy package loader --- examples/caring/README.md | 8 +- examples/caring/policy_package.md | 137 ++++ go.mod | 38 +- go.sum | 152 +++- internal/policy/package.go | 684 ++++++++++++++++++ internal/policy/package_test.go | 138 ++++ pkg/api/canonical.go | 5 + schemas/policy_package.schema.json | 13 + ...-WP-0002-standalone-policy-as-code-core.md | 2 +- 9 files changed, 1170 insertions(+), 7 deletions(-) create mode 100644 examples/caring/policy_package.md create mode 100644 internal/policy/package.go diff --git a/examples/caring/README.md b/examples/caring/README.md index 86d8bf6..31b1532 100644 --- a/examples/caring/README.md +++ b/examples/caring/README.md @@ -1,8 +1,8 @@ # CARING examples Small fixtures for the executable CARING 0.4.0-RC2 profile used by -`FLEX-WP-0002 P2.1`. +`FLEX-WP-0002`. -These are intentionally compact. They are not policy-engine fixtures yet; -they prove that the canonical descriptor, request, decision, registry, and -audit shapes can round-trip through `pkg/api`. +These are intentionally compact. They prove that the canonical descriptor, +request, decision, registry, audit, and Rego-in-Markdown policy package +shapes can round-trip through `pkg/api` and `internal/policy`. diff --git a/examples/caring/policy_package.md b/examples/caring/policy_package.md new file mode 100644 index 0000000..fda3e42 --- /dev/null +++ b/examples/caring/policy_package.md @@ -0,0 +1,137 @@ +--- +id: markitect.documents.internal-read +name: Markitect internal document read +namespace: markitect:document +version: v1 +status: draft +package: flexauth.markitect.documents +actions: + - read +owner: team:platform-architecture +fixtures: + - policy_fixture.yaml +caring: + profile: caring-0.4.0-rc2 + enforce: false + canonical_roles: + - Doer + organization_relations: + - Customer + scopes: + - level: Resource + id: document:internal-note + tenant: tenant:alpha + planes: + - Data + capabilities: + - View + exposure_modes: + - Masked + - Plaintext + conditions: + - PurposeBound + - Logged + restrictions: + - ExportBlocked +activation: + mode: local +metadata: + source: examples/caring/policy_package.md +--- + +# Markitect Internal Document Read + +This package authorizes read access to an internal Markitect document when +the request carries a CARING descriptor for a customer Doer with View +capability on the document resource and an explicit ExportBlocked restriction. + +## Rules + +```rego +import future.keywords.if +import future.keywords.in + +default decision := {"effect": "deny", "reason": "no_matching_rule"} + +decision := { + "effect": "allow", + "reason": "reader_relation", + "conformance_findings": [{ + "code": "CARING-EXPORT-SEPARATION", + "severity": "info", + "message": "View is allowed, but Exportable exposure remains separately blocked." + }] +} if { + input.action == "read" + input.resource.system == "markitect-tool" + input.resource.type == "document" + input.caring_context.profile == "caring-0.4.0-rc2" + input.caring_context.organization_relation == "Customer" + input.caring_context.canonical_role == "Doer" + "View" in input.caring_context.capabilities + "ExportBlocked" in input.caring_context.restrictions +} +``` + +## Tests + +```rego test +package flexauth.markitect.documents_test + +import future.keywords.if +import data.flexauth.markitect.documents + +test_reader_relation_allows if { + documents.decision.effect == "allow" with input as { + "action": "read", + "resource": { + "id": "document:internal-note", + "type": "document", + "system": "markitect-tool", + "tenant": "tenant:alpha" + }, + "caring_context": { + "profile": "caring-0.4.0-rc2", + "organization_relation": "Customer", + "canonical_role": "Doer", + "capabilities": ["View"], + "restrictions": ["ExportBlocked"] + } + } +} + +test_missing_caring_context_denies if { + documents.decision.effect == "deny" with input as { + "action": "read", + "resource": { + "id": "document:internal-note", + "type": "document", + "system": "markitect-tool", + "tenant": "tenant:alpha" + } + } +} +``` + +## Fixtures + +```yaml fixture +id: fixture:markitect-internal-read-deny +request: + id: check:tenant-alpha-internal-note-deny + subject: + id: user:bob + type: Human + tenant: tenant:alpha + action: read + resource: + id: document:internal-note + type: document + system: markitect-tool + tenant: tenant:alpha +expect: + effect: deny + reason: no_matching_rule +metadata: + source: examples/caring/policy_package.md +``` diff --git a/go.mod b/go.mod index e877523..f472555 100644 --- a/go.mod +++ b/go.mod @@ -2,4 +2,40 @@ module github.com/netkingdom/flex-auth go 1.22 -require gopkg.in/yaml.v3 v3.0.1 +require ( + github.com/open-policy-agent/opa v0.70.0 + gopkg.in/yaml.v3 v3.0.1 +) + +require ( + github.com/OneOfOne/xxhash v1.2.8 // indirect + github.com/agnivade/levenshtein v1.2.0 // indirect + github.com/beorn7/perks v1.0.1 // indirect + github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/go-ini/ini v1.67.0 // indirect + github.com/go-logr/logr v1.4.2 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/gobwas/glob v0.2.3 // indirect + github.com/google/uuid v1.6.0 // indirect + github.com/gorilla/mux v1.8.1 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect + github.com/prometheus/client_golang v1.20.5 // indirect + github.com/prometheus/client_model v0.6.1 // indirect + github.com/prometheus/common v0.55.0 // indirect + github.com/prometheus/procfs v0.15.1 // indirect + github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect + github.com/tchap/go-patricia/v2 v2.3.1 // indirect + github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect + github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect + github.com/yashtewari/glob-intersection v0.2.0 // indirect + go.opentelemetry.io/otel v1.28.0 // indirect + go.opentelemetry.io/otel/metric v1.28.0 // indirect + go.opentelemetry.io/otel/sdk v1.28.0 // indirect + go.opentelemetry.io/otel/trace v1.28.0 // indirect + golang.org/x/sys v0.26.0 // indirect + google.golang.org/protobuf v1.34.2 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect +) diff --git a/go.sum b/go.sum index a62c313..e6512e1 100644 --- a/go.sum +++ b/go.sum @@ -1,4 +1,154 @@ -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= +github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= +github.com/agnivade/levenshtein v1.2.0 h1:U9L4IOT0Y3i0TIlUIDJ7rVUziKi/zPbrJGaFrtYH3SY= +github.com/agnivade/levenshtein v1.2.0/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU= +github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= +github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= +github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= +github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg= +github.com/dgraph-io/badger/v3 v3.2103.5/go.mod h1:4MPiseMeDQ3FNCYwRbbcBOGJLf5jsE0PPFzRiKjtcdw= +github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8= +github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkzgwUve0VDWWA= +github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7cNTs5R6Hk4V2lcmLz2NsG2VnInyNo= +github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= +github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= +github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= +github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= +github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk= +github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= +github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= +github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog v1.2.2 h1:1+mZ9upx1Dh6FmUTFR1naJ77miKiXgALjWOZ3NVFPmY= +github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= +github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= +github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= +github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM= +github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/open-policy-agent/opa v0.70.0 h1:B3cqCN2iQAyKxK6+GI+N40uqkin+wzIrM7YA60t9x1U= +github.com/open-policy-agent/opa v0.70.0/go.mod h1:Y/nm5NY0BX0BqjBriKUiV81sCl8XOjjvqQG7dXrggtI= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y= +github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= +github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= +github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= +github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ= +github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= +github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg= +github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= +go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= +go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= +go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw= +go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= +go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= +go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= +go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= +go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= +go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= +go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4= +golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= +golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= +golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 h1:wKguEg1hsxI2/L3hUYrpo1RVi48K+uTyzKqprwLXsb8= +google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142/go.mod h1:d6be+8HhtEtucleCbxpPW9PA9XwISACu8nvpPqF0BVo= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 h1:e7S5W7MGGLaSu8j3YjdezkZ+m1/Nm0uRVRMEMGk26Xs= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/internal/policy/package.go b/internal/policy/package.go new file mode 100644 index 0000000..0311435 --- /dev/null +++ b/internal/policy/package.go @@ -0,0 +1,684 @@ +package policy + +import ( + "context" + "encoding/json" + "fmt" + "os" + "path/filepath" + "reflect" + "sort" + "strings" + + "github.com/open-policy-agent/opa/ast" + "github.com/open-policy-agent/opa/rego" + "gopkg.in/yaml.v3" + + "github.com/netkingdom/flex-auth/pkg/api" +) + +// Diagnostic is a validation message emitted while loading or evaluating a +// policy package. +type Diagnostic struct { + Code string `json:"code"` + Severity string `json:"severity"` + Message string `json:"message"` + Fields []string `json:"fields,omitempty"` + Metadata map[string]any `json:"metadata,omitempty"` +} + +// CodeBlock is a fenced code block extracted from a policy package document. +type CodeBlock struct { + Language string `json:"language"` + Tags []string `json:"tags,omitempty"` + Info string `json:"info,omitempty"` + Body string `json:"body"` + StartLine int `json:"start_line"` +} + +// Package is a loaded Rego-in-Markdown policy package. +type Package struct { + Source string `json:"source,omitempty"` + Metadata api.PolicyPackageMetadata `json:"metadata"` + Prose string `json:"prose,omitempty"` + RuleBlocks []CodeBlock `json:"rule_blocks,omitempty"` + TestBlocks []CodeBlock `json:"test_blocks,omitempty"` + FixtureBlocks []CodeBlock `json:"fixture_blocks,omitempty"` + RegoModule string `json:"rego_module,omitempty"` + TestModule string `json:"test_module,omitempty"` + TestPackage string `json:"test_package,omitempty"` + Fixtures []api.PolicyFixture `json:"fixtures,omitempty"` + Validation ValidationResult `json:"validation,omitempty"` + Valid bool `json:"valid"` +} + +// ValidationResult captures OPA and CARING validation outcomes for a package. +type ValidationResult struct { + Valid bool `json:"valid"` + Diagnostics []Diagnostic `json:"diagnostics,omitempty"` + CaringFindings []api.CaringConformanceFinding `json:"caring_findings,omitempty"` + Tests []TestResult `json:"tests,omitempty"` + Fixtures []FixtureResult `json:"fixtures,omitempty"` +} + +// TestResult captures one OPA test rule result. +type TestResult struct { + Name string `json:"name"` + Passed bool `json:"passed"` + Error string `json:"error,omitempty"` +} + +// FixtureResult captures one embedded or referenced fixture evaluation result. +type FixtureResult struct { + ID string `json:"id,omitempty"` + Passed bool `json:"passed"` + Expected api.DecisionExpectation `json:"expected"` + Actual api.DecisionExpectation `json:"actual"` + Error string `json:"error,omitempty"` +} + +// LoadFile loads a policy package Markdown document from disk. +func LoadFile(path string) (*Package, error) { + data, err := os.ReadFile(path) + if err != nil { + return nil, fmt.Errorf("read policy package: %w", err) + } + + pkg, err := Load(data, path) + if err != nil { + return nil, err + } + if err := pkg.loadExternalFixtures(filepath.Dir(path)); err != nil { + return nil, err + } + return pkg, nil +} + +// Load parses a policy package Markdown document. +func Load(data []byte, source string) (*Package, error) { + frontmatter, body, err := splitFrontmatter(string(data)) + if err != nil { + return nil, err + } + + var metadata api.PolicyPackageMetadata + if err := yaml.Unmarshal([]byte(frontmatter), &metadata); err != nil { + return nil, fmt.Errorf("unmarshal policy package frontmatter: %w", err) + } + + extracted, err := extractMarkdown(body) + if err != nil { + return nil, err + } + + pkg := &Package{ + Source: source, + Metadata: metadata, + Prose: strings.TrimSpace(extracted.prose), + RuleBlocks: extracted.ruleBlocks, + TestBlocks: extracted.testBlocks, + FixtureBlocks: extracted.fixtureBlocks, + } + + pkg.RegoModule, _ = normalizeRuleModule(metadata.Package, pkg.RuleBlocks) + pkg.TestModule, pkg.TestPackage, _ = normalizeTestModule(metadata.Package, pkg.TestBlocks) + + for _, block := range pkg.FixtureBlocks { + fixtures, err := parseFixtureYAML(block.Body) + if err != nil { + return nil, fmt.Errorf("parse fixture block at line %d: %w", block.StartLine, err) + } + pkg.Fixtures = append(pkg.Fixtures, fixtures...) + } + + return pkg, nil +} + +// LoadAndValidateFile loads a policy package and immediately validates it. +func LoadAndValidateFile(ctx context.Context, path string) (*Package, error) { + pkg, err := LoadFile(path) + if err != nil { + return nil, err + } + pkg.Validate(ctx) + return pkg, nil +} + +// Validate runs metadata, CARING, OPA parse/test, and fixture validation. +func (p *Package) Validate(ctx context.Context) ValidationResult { + result := ValidationResult{} + + result.Diagnostics = append(result.Diagnostics, p.metadataDiagnostics()...) + result.CaringFindings = append(result.CaringFindings, p.caringFindings()...) + if len(p.Fixtures) == 0 { + result.Diagnostics = append(result.Diagnostics, Diagnostic{ + Code: "POLICY-FIXTURE-MISSING", + Severity: "error", + Message: "policy package must include at least one embedded or referenced fixture", + }) + } + + regoModule, regoDiagnostics := normalizeRuleModule(p.Metadata.Package, p.RuleBlocks) + result.Diagnostics = append(result.Diagnostics, regoDiagnostics...) + p.RegoModule = regoModule + + testModule, testPackage, testDiagnostics := normalizeTestModule(p.Metadata.Package, p.TestBlocks) + result.Diagnostics = append(result.Diagnostics, testDiagnostics...) + p.TestModule = testModule + p.TestPackage = testPackage + + parseOK := true + if p.RegoModule != "" { + if _, err := ast.ParseModule(moduleFilename(p.Source, "rego"), p.RegoModule); err != nil { + parseOK = false + result.Diagnostics = append(result.Diagnostics, Diagnostic{ + Code: "OPA-PARSE", + Severity: "error", + Message: err.Error(), + }) + } + } + if p.TestModule != "" { + if _, err := ast.ParseModule(moduleFilename(p.Source, "test.rego"), p.TestModule); err != nil { + parseOK = false + result.Diagnostics = append(result.Diagnostics, Diagnostic{ + Code: "OPA-TEST-PARSE", + Severity: "error", + Message: err.Error(), + }) + } + } + + if parseOK && p.RegoModule != "" { + result.Tests = p.runTests(ctx) + result.Fixtures = p.runFixtures(ctx) + } + + result.Valid = validationPassed(result, p.Metadata.Caring.Enforce) + p.Validation = result + p.Valid = result.Valid + return result +} + +func (p *Package) loadExternalFixtures(baseDir string) error { + for _, fixturePath := range p.Metadata.Fixtures { + path := fixturePath + if !filepath.IsAbs(path) { + path = filepath.Join(baseDir, fixturePath) + } + + data, err := os.ReadFile(path) + if err != nil { + return fmt.Errorf("read policy fixture %q: %w", fixturePath, err) + } + fixtures, err := parseFixtureYAML(string(data)) + if err != nil { + return fmt.Errorf("parse policy fixture %q: %w", fixturePath, err) + } + p.Fixtures = append(p.Fixtures, fixtures...) + } + return nil +} + +func (p *Package) metadataDiagnostics() []Diagnostic { + var diagnostics []Diagnostic + if p.Metadata.ID == "" { + diagnostics = append(diagnostics, requiredDiagnostic("POLICY-METADATA-ID", "id", "policy package id is required")) + } + if p.Metadata.Version == "" { + diagnostics = append(diagnostics, requiredDiagnostic("POLICY-METADATA-VERSION", "version", "policy package version is required")) + } + if p.Metadata.Package == "" { + diagnostics = append(diagnostics, requiredDiagnostic("POLICY-METADATA-PACKAGE", "package", "OPA package path is required")) + } + return diagnostics +} + +func (p *Package) caringFindings() []api.CaringConformanceFinding { + var findings []api.CaringConformanceFinding + caring := p.Metadata.Caring + if caring.Profile == "" { + findings = append(findings, caringFinding("CARING-POLICY-PROFILE", "error", "policy package must declare a CARING profile", "caring.profile")) + } else if caring.Profile != api.CaringProfileCaring040RC2 { + findings = append(findings, caringFinding("CARING-POLICY-PROFILE", "error", fmt.Sprintf("unsupported CARING profile %q", caring.Profile), "caring.profile")) + } + + addMissing := func(empty bool, field, label string) { + if empty { + findings = append(findings, caringFinding("CARING-POLICY-MISSING-DIMENSION", "warning", "policy package should declare governed "+label, field)) + } + } + addMissing(len(caring.CanonicalRoles) == 0, "caring.canonical_roles", "canonical roles") + addMissing(len(caring.OrganizationRelations) == 0, "caring.organization_relations", "organization relations") + addMissing(len(caring.Scopes) == 0, "caring.scopes", "scopes") + addMissing(len(caring.Planes) == 0, "caring.planes", "planes") + addMissing(len(caring.Capabilities) == 0, "caring.capabilities", "capabilities") + addMissing(len(caring.ExposureModes) == 0, "caring.exposure_modes", "exposure modes") + addMissing(len(caring.Conditions) == 0, "caring.conditions", "conditions") + addMissing(len(caring.Restrictions) == 0, "caring.restrictions", "restrictions") + return findings +} + +func requiredDiagnostic(code, field, message string) Diagnostic { + return Diagnostic{ + Code: code, + Severity: "error", + Message: message, + Fields: []string{field}, + } +} + +func caringFinding(code, severity, message, field string) api.CaringConformanceFinding { + return api.CaringConformanceFinding{ + Code: code, + Severity: severity, + Message: message, + Fields: []string{field}, + } +} + +func (p *Package) runTests(ctx context.Context) []TestResult { + if p.TestModule == "" { + return nil + } + + module, err := ast.ParseModule(moduleFilename(p.Source, "test.rego"), p.TestModule) + if err != nil { + return []TestResult{{Name: "parse", Passed: false, Error: err.Error()}} + } + + var names []string + for _, rule := range module.Rules { + name := string(rule.Head.Name) + if strings.HasPrefix(name, "test_") { + names = append(names, name) + } + } + sort.Strings(names) + if len(names) == 0 { + return []TestResult{{ + Name: "test_*", + Passed: false, + Error: "test module does not contain any test_* rules", + }} + } + + results := make([]TestResult, 0, len(names)) + for _, name := range names { + query := "data." + p.TestPackage + "." + name + passed, err := p.evalBool(ctx, query, nil, true) + result := TestResult{Name: name, Passed: passed} + if err != nil { + result.Error = err.Error() + } else if !passed { + result.Error = "test rule evaluated to false or undefined" + } + results = append(results, result) + } + return results +} + +func (p *Package) runFixtures(ctx context.Context) []FixtureResult { + results := make([]FixtureResult, 0, len(p.Fixtures)) + for _, fixture := range p.Fixtures { + actual, err := p.evaluateDecision(ctx, fixture.Request) + result := FixtureResult{ + ID: fixture.ID, + Expected: fixture.Expect, + Actual: actual, + } + if err != nil { + result.Error = err.Error() + } else if expectationMatches(fixture.Expect, actual) { + result.Passed = true + } else { + result.Error = "fixture expectation did not match actual decision" + } + results = append(results, result) + } + return results +} + +func (p *Package) evaluateDecision(ctx context.Context, request api.CheckRequest) (api.DecisionExpectation, error) { + input, err := toRegoInput(request) + if err != nil { + return api.DecisionExpectation{}, err + } + + query := "data." + p.Metadata.Package + ".decision" + results, err := p.eval(ctx, query, input, false) + if err != nil { + return api.DecisionExpectation{}, err + } + if len(results) == 0 || len(results[0].Expressions) == 0 { + return api.DecisionExpectation{}, fmt.Errorf("decision query %q was undefined", query) + } + + data, err := json.Marshal(results[0].Expressions[0].Value) + if err != nil { + return api.DecisionExpectation{}, fmt.Errorf("marshal decision result: %w", err) + } + + var decision api.DecisionExpectation + if err := json.Unmarshal(data, &decision); err != nil { + return api.DecisionExpectation{}, fmt.Errorf("unmarshal decision result: %w", err) + } + return decision, nil +} + +func (p *Package) evalBool(ctx context.Context, query string, input map[string]any, includeTests bool) (bool, error) { + results, err := p.eval(ctx, query, input, includeTests) + if err != nil { + return false, err + } + for _, result := range results { + if len(result.Expressions) == 0 { + return true, nil + } + if passed, ok := result.Expressions[0].Value.(bool); ok && passed { + return true, nil + } + } + return false, nil +} + +func (p *Package) eval(ctx context.Context, query string, input map[string]any, includeTests bool) (rego.ResultSet, error) { + options := []func(*rego.Rego){ + rego.Query(query), + rego.Module(moduleFilename(p.Source, "rego"), p.RegoModule), + } + if includeTests && p.TestModule != "" { + options = append(options, rego.Module(moduleFilename(p.Source, "test.rego"), p.TestModule)) + } + if input != nil { + options = append(options, rego.Input(input)) + } + + prepared, err := rego.New(options...).PrepareForEval(ctx) + if err != nil { + return nil, err + } + return prepared.Eval(ctx) +} + +func expectationMatches(expected, actual api.DecisionExpectation) bool { + if expected.Effect != "" && expected.Effect != actual.Effect { + return false + } + if expected.Reason != "" && expected.Reason != actual.Reason { + return false + } + if len(expected.Obligations) > 0 && !reflect.DeepEqual(expected.Obligations, actual.Obligations) { + return false + } + if len(expected.ConformanceFindings) > 0 && !reflect.DeepEqual(expected.ConformanceFindings, actual.ConformanceFindings) { + return false + } + return true +} + +func toRegoInput(value any) (map[string]any, error) { + data, err := json.Marshal(value) + if err != nil { + return nil, fmt.Errorf("marshal input: %w", err) + } + var out map[string]any + if err := json.Unmarshal(data, &out); err != nil { + return nil, fmt.Errorf("unmarshal input: %w", err) + } + return out, nil +} + +func validationPassed(result ValidationResult, enforceCaring bool) bool { + for _, diagnostic := range result.Diagnostics { + if diagnostic.Severity == "error" { + return false + } + } + for _, finding := range result.CaringFindings { + if finding.Severity == "error" || (enforceCaring && finding.Severity != "info") { + return false + } + } + for _, test := range result.Tests { + if !test.Passed { + return false + } + } + for _, fixture := range result.Fixtures { + if !fixture.Passed { + return false + } + } + return true +} + +func normalizeRuleModule(packageName string, blocks []CodeBlock) (string, []Diagnostic) { + module, _, diagnostics := normalizeModule(packageName, "", blocks, "POLICY-REGO") + return module, diagnostics +} + +func normalizeTestModule(packageName string, blocks []CodeBlock) (string, string, []Diagnostic) { + if len(blocks) == 0 { + return "", "", []Diagnostic{{ + Code: "POLICY-REGO-TEST-MISSING", + Severity: "error", + Message: "policy package must include at least one rego test block", + }} + } + + defaultPackage := "" + if packageName != "" { + defaultPackage = packageName + "_test" + } + module, testPackage, diagnostics := normalizeModule(defaultPackage, "test", blocks, "POLICY-REGO-TEST") + return module, testPackage, diagnostics +} + +func normalizeModule(defaultPackage, label string, blocks []CodeBlock, codePrefix string) (string, string, []Diagnostic) { + if len(blocks) == 0 { + return "", "", []Diagnostic{{ + Code: codePrefix + "-MISSING", + Severity: "error", + Message: "policy package must include at least one " + labelOrDefault(label, "rule") + " block", + }} + } + + var packageName string + var parts []string + var diagnostics []Diagnostic + for _, block := range blocks { + body, declared := stripPackageDeclaration(block.Body) + if declared != "" { + if packageName == "" { + packageName = declared + } else if declared != packageName { + diagnostics = append(diagnostics, Diagnostic{ + Code: codePrefix + "-PACKAGE-MISMATCH", + Severity: "error", + Message: fmt.Sprintf("block at line %d declares package %q, expected %q", block.StartLine, declared, packageName), + Fields: []string{"package"}, + }) + } + } + if strings.TrimSpace(body) != "" { + parts = append(parts, strings.TrimSpace(body)) + } + } + + if defaultPackage != "" { + if packageName != "" && packageName != defaultPackage { + diagnostics = append(diagnostics, Diagnostic{ + Code: codePrefix + "-PACKAGE-MISMATCH", + Severity: "error", + Message: fmt.Sprintf("declared package %q does not match frontmatter package %q", packageName, defaultPackage), + Fields: []string{"package"}, + }) + } + packageName = defaultPackage + } + if packageName == "" { + diagnostics = append(diagnostics, Diagnostic{ + Code: codePrefix + "-PACKAGE-MISSING", + Severity: "error", + Message: "policy package cannot build a Rego module without a package name", + Fields: []string{"package"}, + }) + return "", "", diagnostics + } + + module := "package " + packageName + "\n\n" + strings.Join(parts, "\n\n") + return strings.TrimSpace(module) + "\n", packageName, diagnostics +} + +func labelOrDefault(label, fallback string) string { + if label == "" { + return fallback + } + return label +} + +func stripPackageDeclaration(body string) (string, string) { + lines := strings.Split(body, "\n") + for i, line := range lines { + trimmed := strings.TrimSpace(line) + if trimmed == "" || strings.HasPrefix(trimmed, "#") { + continue + } + if strings.HasPrefix(trimmed, "package ") { + declared := strings.TrimSpace(strings.TrimPrefix(trimmed, "package ")) + lines = append(lines[:i], lines[i+1:]...) + return strings.Join(lines, "\n"), declared + } + return body, "" + } + return body, "" +} + +func parseFixtureYAML(body string) ([]api.PolicyFixture, error) { + var node yaml.Node + if err := yaml.Unmarshal([]byte(body), &node); err != nil { + return nil, err + } + if len(node.Content) == 0 { + return nil, nil + } + + root := node.Content[0] + if root.Kind == yaml.SequenceNode { + var fixtures []api.PolicyFixture + if err := root.Decode(&fixtures); err != nil { + return nil, err + } + return fixtures, nil + } + + var fixture api.PolicyFixture + if err := root.Decode(&fixture); err != nil { + return nil, err + } + return []api.PolicyFixture{fixture}, nil +} + +type markdownExtraction struct { + prose string + ruleBlocks []CodeBlock + testBlocks []CodeBlock + fixtureBlocks []CodeBlock +} + +func extractMarkdown(body string) (markdownExtraction, error) { + var out markdownExtraction + var prose strings.Builder + var block strings.Builder + var current *CodeBlock + + lines := strings.Split(body, "\n") + for i, line := range lines { + lineNo := i + 1 + trimmed := strings.TrimSpace(line) + if current == nil { + if strings.HasPrefix(trimmed, "```") { + info := strings.TrimSpace(strings.TrimPrefix(trimmed, "```")) + current = &CodeBlock{ + Info: info, + StartLine: lineNo, + } + current.Language, current.Tags = parseFenceInfo(info) + block.Reset() + continue + } + prose.WriteString(line) + if i < len(lines)-1 { + prose.WriteByte('\n') + } + continue + } + + if strings.HasPrefix(trimmed, "```") { + current.Body = strings.TrimRight(block.String(), "\n") + switch { + case current.Language == "rego" && hasTag(current.Tags, "test"): + out.testBlocks = append(out.testBlocks, *current) + case current.Language == "rego": + out.ruleBlocks = append(out.ruleBlocks, *current) + case (current.Language == "yaml" || current.Language == "yml") && hasTag(current.Tags, "fixture"): + out.fixtureBlocks = append(out.fixtureBlocks, *current) + } + current = nil + continue + } + + block.WriteString(line) + block.WriteByte('\n') + } + if current != nil { + return out, fmt.Errorf("unterminated fenced code block starting at line %d", current.StartLine) + } + out.prose = prose.String() + return out, nil +} + +func parseFenceInfo(info string) (string, []string) { + fields := strings.Fields(info) + if len(fields) == 0 { + return "", nil + } + language := strings.ToLower(fields[0]) + tags := make([]string, 0, len(fields)-1) + for _, field := range fields[1:] { + tags = append(tags, strings.ToLower(field)) + } + return language, tags +} + +func hasTag(tags []string, want string) bool { + for _, tag := range tags { + if tag == want { + return true + } + } + return false +} + +func splitFrontmatter(document string) (string, string, error) { + document = strings.TrimPrefix(document, "\ufeff") + lines := strings.SplitAfter(document, "\n") + if len(lines) == 0 || strings.TrimSpace(lines[0]) != "---" { + return "", "", fmt.Errorf("policy package must start with YAML frontmatter") + } + + for i := 1; i < len(lines); i++ { + if strings.TrimSpace(lines[i]) == "---" { + return strings.Join(lines[1:i], ""), strings.Join(lines[i+1:], ""), nil + } + } + return "", "", fmt.Errorf("policy package frontmatter is not closed") +} + +func moduleFilename(source, suffix string) string { + if source == "" { + return "policy." + suffix + } + return source + "." + suffix +} diff --git a/internal/policy/package_test.go b/internal/policy/package_test.go index 40c685e..6679e99 100644 --- a/internal/policy/package_test.go +++ b/internal/policy/package_test.go @@ -1,15 +1,96 @@ package policy_test import ( + "context" + "encoding/json" "os" "path/filepath" + "strings" "testing" "gopkg.in/yaml.v3" + "github.com/netkingdom/flex-auth/internal/policy" "github.com/netkingdom/flex-auth/pkg/api" ) +func TestLoadPolicyPackageMarkdownValidates(t *testing.T) { + pkg, err := policy.LoadAndValidateFile(context.Background(), filepath.Join("..", "..", "examples", "caring", "policy_package.md")) + if err != nil { + t.Fatalf("LoadAndValidateFile: %v", err) + } + + if !pkg.Valid { + t.Fatalf("pkg.Valid = false\n%s", formatValidation(pkg.Validation)) + } + if pkg.Metadata.Caring.Profile != api.CaringProfileCaring040RC2 { + t.Fatalf("metadata.Caring.Profile = %q; want %q", pkg.Metadata.Caring.Profile, api.CaringProfileCaring040RC2) + } + if pkg.Metadata.Namespace != "markitect:document" { + t.Errorf("metadata.Namespace = %q; want markitect:document", pkg.Metadata.Namespace) + } + if !strings.HasPrefix(pkg.RegoModule, "package flexauth.markitect.documents") { + t.Errorf("RegoModule prefix = %q; want flexauth.markitect.documents package", pkg.RegoModule[:min(len(pkg.RegoModule), 80)]) + } + if len(pkg.RuleBlocks) != 1 || len(pkg.TestBlocks) != 1 || len(pkg.Fixtures) != 2 { + t.Fatalf("blocks/fixtures = rules:%d tests:%d fixtures:%d; want 1/1/2", len(pkg.RuleBlocks), len(pkg.TestBlocks), len(pkg.Fixtures)) + } + if len(pkg.Validation.Tests) != 2 { + t.Fatalf("Validation.Tests len = %d; want 2", len(pkg.Validation.Tests)) + } + for _, test := range pkg.Validation.Tests { + if !test.Passed { + t.Fatalf("test %s failed: %s", test.Name, test.Error) + } + } + for _, fixture := range pkg.Validation.Fixtures { + if !fixture.Passed { + t.Fatalf("fixture %s failed: %s\nactual: %+v", fixture.ID, fixture.Error, fixture.Actual) + } + } +} + +func TestCaringFindingsAreAdvisoryUntilEnforced(t *testing.T) { + doc := inlinePolicy(false, "allow") + pkg, err := policy.Load([]byte(doc), "inline-policy.md") + if err != nil { + t.Fatalf("Load: %v", err) + } + + result := pkg.Validate(context.Background()) + if !result.Valid { + t.Fatalf("result.Valid = false without CARING enforcement\n%s", formatValidation(result)) + } + if len(result.CaringFindings) == 0 { + t.Fatal("expected advisory CARING findings for missing metadata dimensions") + } + + enforced := strings.Replace(doc, "enforce: false", "enforce: true", 1) + pkg, err = policy.Load([]byte(enforced), "inline-policy.md") + if err != nil { + t.Fatalf("Load enforced: %v", err) + } + result = pkg.Validate(context.Background()) + if result.Valid { + t.Fatalf("result.Valid = true with CARING enforcement; want invalid\n%s", formatValidation(result)) + } +} + +func TestFixtureMismatchInvalidatesPackage(t *testing.T) { + pkg, err := policy.Load([]byte(inlinePolicy(false, "deny")), "inline-policy.md") + if err != nil { + t.Fatalf("Load: %v", err) + } + + result := pkg.Validate(context.Background()) + if result.Valid { + t.Fatalf("result.Valid = true; want fixture mismatch to invalidate package\n%s", formatValidation(result)) + } + if len(result.Fixtures) != 1 || result.Fixtures[0].Passed { + t.Fatalf("fixture result = %+v; want one failed fixture", result.Fixtures) + } +} + func TestPolicyPackageMetadataParses(t *testing.T) { var metadata api.PolicyPackageMetadata loadYAML(t, filepath.Join("..", "..", "examples", "caring", "policy_package.yaml"), &metadata) @@ -37,6 +118,63 @@ func TestPolicyFixtureParses(t *testing.T) { } } +func inlinePolicy(enforce bool, expectedEffect string) string { + enforceValue := "false" + if enforce { + enforceValue = "true" + } + + fence := "```" + doc := strings.ReplaceAll(`--- +id: inline.allow +version: v1 +package: flexauth.inline +caring: + profile: caring-0.4.0-rc2 + enforce: ENFORCE +--- + +# Inline Policy + +`+fence+`rego +default decision := {"effect": "allow", "reason": "ok"} +`+fence+` + +`+fence+`rego test +package flexauth.inline_test + +import future.keywords.if +import data.flexauth.inline + +test_allow if { + inline.decision.effect == "allow" +} +`+fence+` + +`+fence+`yaml fixture +id: fixture:inline +request: + subject: + id: user:alice + action: read + resource: + id: document:inline +expect: + effect: EXPECTED + reason: ok +`+fence+` +`, "ENFORCE", enforceValue) + return strings.ReplaceAll(doc, "EXPECTED", expectedEffect) +} + +func formatValidation(result policy.ValidationResult) string { + data, err := json.MarshalIndent(result, "", " ") + if err != nil { + return err.Error() + } + return string(data) +} + func loadYAML(t *testing.T, path string, out any) { t.Helper() diff --git a/pkg/api/canonical.go b/pkg/api/canonical.go index 755609f..5eeab8f 100644 --- a/pkg/api/canonical.go +++ b/pkg/api/canonical.go @@ -102,9 +102,13 @@ type RelationshipFact struct { type PolicyPackageMetadata struct { ID string `json:"id" yaml:"id"` Name string `json:"name,omitempty" yaml:"name,omitempty"` + Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"` Version string `json:"version" yaml:"version"` Status string `json:"status,omitempty" yaml:"status,omitempty"` Package string `json:"package" yaml:"package"` + Actions []string `json:"actions,omitempty" yaml:"actions,omitempty"` + Owner string `json:"owner,omitempty" yaml:"owner,omitempty"` + Fixtures []string `json:"fixtures,omitempty" yaml:"fixtures,omitempty"` Caring CaringPolicyMetadata `json:"caring" yaml:"caring"` Activation map[string]any `json:"activation,omitempty" yaml:"activation,omitempty"` Metadata map[string]any `json:"metadata,omitempty" yaml:"metadata,omitempty"` @@ -113,6 +117,7 @@ type PolicyPackageMetadata struct { // CaringPolicyMetadata declares the CARING envelope a policy governs. type CaringPolicyMetadata struct { Profile string `json:"profile" yaml:"profile"` + Enforce bool `json:"enforce,omitempty" yaml:"enforce,omitempty"` CanonicalRoles []CanonicalRole `json:"canonical_roles,omitempty" yaml:"canonical_roles,omitempty"` OrganizationRelations []OrganizationRelation `json:"organization_relations,omitempty" yaml:"organization_relations,omitempty"` Scopes []CaringScope `json:"scopes,omitempty" yaml:"scopes,omitempty"` diff --git a/schemas/policy_package.schema.json b/schemas/policy_package.schema.json index a850fd9..f7c2600 100644 --- a/schemas/policy_package.schema.json +++ b/schemas/policy_package.schema.json @@ -8,9 +8,21 @@ "properties": { "id": {"type": "string", "minLength": 1}, "name": {"type": "string", "minLength": 1}, + "namespace": {"type": "string", "minLength": 1}, "version": {"type": "string", "minLength": 1}, "status": {"type": "string", "minLength": 1}, "package": {"type": "string", "minLength": 1}, + "actions": { + "type": "array", + "items": {"type": "string", "minLength": 1}, + "uniqueItems": true + }, + "owner": {"type": "string", "minLength": 1}, + "fixtures": { + "type": "array", + "items": {"type": "string", "minLength": 1}, + "uniqueItems": true + }, "caring": {"$ref": "#/$defs/caring_policy_metadata"}, "activation": {"type": "object", "additionalProperties": true}, "metadata": {"type": "object", "additionalProperties": true} @@ -22,6 +34,7 @@ "required": ["profile"], "properties": { "profile": {"const": "caring-0.4.0-rc2"}, + "enforce": {"type": "boolean"}, "canonical_roles": { "type": "array", "items": {"$ref": "https://flex-auth.netkingdom/schemas/caring_access_descriptor.schema.json#/$defs/canonical_role"}, diff --git a/workplans/FLEX-WP-0002-standalone-policy-as-code-core.md b/workplans/FLEX-WP-0002-standalone-policy-as-code-core.md index 7a19cfa..c853afa 100644 --- a/workplans/FLEX-WP-0002-standalone-policy-as-code-core.md +++ b/workplans/FLEX-WP-0002-standalone-policy-as-code-core.md @@ -116,7 +116,7 @@ tests and local development. ```task id: FLEX-WP-0002-T003 -status: todo +status: done priority: high state_hub_task_id: "09be0f25-e5ba-42b5-8b2f-36fd0ef2fe6b" ```