add check flag, using similar logic from opa -check

open-policy-agent · Mar 12, 2018 · 3623937 · 3623937
1 parent 04efcc6
commit 3623937
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/main.go b/main.go
@@ -15,6 +15,8 @@ import (
 
 	"github.com/docker/go-plugins-helpers/authorization"
 	"github.com/open-policy-agent/opa/rego"
+	"github.com/open-policy-agent/opa/ast"
+	"github.com/open-policy-agent/opa/loader"
 )
 
 // DockerAuthZPlugin implements the authorization.Plugin interface. Every
@@ -123,6 +125,34 @@ func makeInput(r authorization.Request) (interface{}, error) {
 	return input, nil
 }
 
+func regoSyntax(p string) int {
+
+	stuffs := []string{p}
+
+	result, err := loader.AllRegos(stuffs)
+	if err != nil {
+		fmt.Fprintln(os.Stderr, err)
+		return 1
+	}
+
+	modules := map[string]*ast.Module{}
+
+	for _,m := range result.Modules {
+		modules[m.Name] = m.Parsed
+	}
+
+	compiler := ast.NewCompiler().SetErrorLimit(0)
+
+	if compiler.Compile(modules); compiler.Failed() {
+		for _, err := range compiler.Errors {
+			fmt.Fprintln(os.Stderr, err)
+		}
+		return 1
+	}
+
+	return 0
+}
+
 // Version is set by the build.
 var Version = ""
 
@@ -132,6 +162,7 @@ func main() {
 	allowPath := flag.String("allowPath", "data.docker.authz.allow", "sets the path of the allow decision in OPA")
 	policyFile := flag.String("policy-file", "policy.rego", "sets the path of the policy file to load")
 	version := flag.Bool("version", false, "print the version of the plugin")
+	check := flag.Bool("check", false , "checks the syntax of the policy-file")
 
 	flag.Parse()
 
@@ -145,6 +176,10 @@ func main() {
 		allowPath:  *allowPath,
 	}
 
+	if *check {
+		os.Exit(regoSyntax(*policyFile))
+	}
+
 	h := authorization.NewHandler(p)
 	log.Println("Starting server.")
 	h.ServeUnix(*pluginName, 0)