policy: add Agent.Validate() method

Add a method to validate the policy rules without actually evaluating
them against a particular input. For OPA, this validation amounts to a
syntax check of the specified rules.

This is intended for use by the forthcoming policy management API
implementation.

Signed-off-by: Sergei Trofimov <[email protected]>

policy/agent.go

@@ -135,6 +135,15 @@ func (o *Agent) Evaluate(
 	}
 }
 
+// Validate performs basic validation of the provided policy rules, returning
+// an error if it fails. the nature of the validation performed is
+// backend-specific, however it would typically amount to a syntax check.
+// Successful validation does not guarantee that the policy will execute
+// correctly againt actual inputs.
+func (o *Agent) Validate(ctx context.Context, policyRules string) error {
+	return o.Backend.Validate(ctx, policyRules)
+}
+
 func (o *Agent) GetBackend() IBackend {
 	return o.Backend
 }

policy/iagent.go

@@ -21,5 +21,6 @@ type IAgent interface {
 		evidence *proto.EvidenceContext,
 		endorsements []string,
 	) (*ear.Appraisal, error)
+	Validate(ctx context.Context, policyRules string) error
 	Close()
 }

policy/ibackend.go

@@ -19,5 +19,6 @@ type IBackend interface {
 		evidence map[string]interface{},
 		endorsements []string,
 	) (map[string]interface{}, error)
+	Validate(ctx context.Context, policy string) error
 	Close()
 }

policy/opa.go

@@ -56,7 +56,7 @@ func (o *OPA) Evaluate(
 	rego := rego.New(
 		rego.Package("policy"),
 		rego.Module("opa.rego", preambleText),
-		rego.Module("policy.rego", string(policy)),
+		rego.Module("policy.rego", policy),
 		rego.Input(input),
 		rego.Query("outcome"),
 		rego.Dump(log.Writer()),
@@ -78,6 +78,19 @@ func (o *OPA) Evaluate(
 	return resultUpdate, nil
 }
 
+func (o *OPA) Validate(ctx context.Context, policy string) error {
+	rego := rego.New(
+		rego.Package("policy"),
+		rego.Module("opa.rego", preambleText),
+		rego.Module("policy.rego", policy),
+		rego.Query("outcome"),
+		rego.Dump(log.NamedWriter("opa", log.DebugLevel)),
+	)
+
+	_, err := rego.Compile(ctx)
+	return err
+}
+
 func (o *OPA) Close() {
 }
 

policy/opa_test.go

@@ -20,7 +20,7 @@ type TestResult struct {
 	Outcome *ear.AttestationResult `json:"outcome"`
 }
 
-type TestVector struct {
+type EvaluateTestVector struct {
 	Title            string     `json:"title"`
 	Scheme           string     `json:"scheme"`
 	ResultPath       string     `json:"result"`
@@ -30,7 +30,7 @@ type TestVector struct {
 	Expected         TestResult `json:"expected"`
 }
 
-func (o TestVector) Run(t *testing.T, ctx context.Context, pa *OPA) {
+func (o EvaluateTestVector) Run(t *testing.T, ctx context.Context, pa *OPA) {
 	resultMap, err := jsonFileToResultMap(o.ResultPath)
 	require.NoError(t, err)
 
@@ -54,6 +54,24 @@ func (o TestVector) Run(t *testing.T, ctx context.Context, pa *OPA) {
 	assert.Equal(t, expected, res)
 }
 
+type ValidateTestVector struct {
+	Title      string `json:"title"`
+	PolicyPath string `json:"policy"`
+	Error      string `json:"error"`
+}
+
+func (o ValidateTestVector) Run(t *testing.T, ctx context.Context, pa *OPA) {
+	policy, err := os.ReadFile(o.PolicyPath)
+	require.NoError(t, err)
+
+	err = pa.Validate(ctx, string(policy))
+	if o.Error == "" {
+		assert.NoError(t, err)
+	} else {
+		assert.EqualError(t, err, o.Error)
+	}
+}
+
 func Test_OPA_GetName(t *testing.T) {
 	pa, err := NewOPA(nil)
 	require.NoError(t, err)
@@ -63,7 +81,7 @@ func Test_OPA_GetName(t *testing.T) {
 }
 
 func Test_OPA_Evaluate(t *testing.T) {
-	bytes, err := os.ReadFile("test/vectors.json")
+	bytes, err := os.ReadFile("test/evaluate-vectors.json")
 	require.NoError(t, err)
 
 	ctx := context.Background()
@@ -72,7 +90,7 @@ func Test_OPA_Evaluate(t *testing.T) {
 	require.NoError(t, err)
 	defer pa.Close()
 
-	var vectors []TestVector
+	var vectors []EvaluateTestVector
 
 	err = json.Unmarshal(bytes, &vectors)
 	require.NoError(t, err)
@@ -94,6 +112,27 @@ func Test_OPA_Evaluate(t *testing.T) {
 
 }
 
+func Test_OPA_Validate(t *testing.T) {
+	bytes, err := os.ReadFile("test/validate-vectors.json")
+	require.NoError(t, err)
+
+	ctx := context.Background()
+
+	pa, err := NewOPA(nil)
+	require.NoError(t, err)
+	defer pa.Close()
+
+	var vectors []ValidateTestVector
+
+	err = json.Unmarshal(bytes, &vectors)
+	require.NoError(t, err)
+
+	for _, v := range vectors {
+		fmt.Printf("running %q\n", v.Title)
+		v.Run(t, ctx, pa)
+	}
+}
+
 func jsonFileToMap(path string) (map[string]interface{}, error) {
 	bytes, err := os.ReadFile(path)
 	if err != nil {

policy/test/policies/simple.rego

@@ -0,0 +1,3 @@
+package policy
+
+executables = APPROVED_RT

policy/test/policies/undefined.rego

@@ -0,0 +1,3 @@
+package policy
+
+executables = ok

policy/test/validate-vectors.json

@@ -0,0 +1,37 @@
+[
+	{
+		"title": "malformed policy",
+		"policy": "test/policies/malformed.rego",
+		"error": "1 error occurred: 1 error occurred: policy.rego:1: rego_parse_error: unexpected : token\n\tbad_rule:;;\n\t        ^"
+	},
+	{
+		"title": "bad policy",
+		"policy": "test/policies/bad.rego",
+		"error": "1 error occurred: policy.rego:6: rego_unsafe_var_error: var y is unsafe"
+	},
+	{
+		"title": "empty policy",
+		"policy": "test/policies/empty.rego",
+		"error": null
+	},
+	{
+		"title": "empty string",
+		"policy": "test/policies/null.rego",
+		"error": "1 error occurred: policy.rego:0: rego_parse_error: empty module"
+	},
+	{
+		"title": "undefined variable",
+		"policy": "test/policies/undefined.rego",
+		"error": "1 error occurred: policy.rego:3: rego_unsafe_var_error: var ok is unsafe"
+	},
+	{
+		"title": "valid simple",
+		"policy": "test/policies/simple.rego",
+		"error": null
+	},
+	{
+		"title": "valid complex",
+		"policy": "test/policies/sw-up-to-dateness.rego",
+		"error": null
+	}
+]