From 55236583a42bf63947b87055e56a571141e15a25 Mon Sep 17 00:00:00 2001
From: Sagar Gupta
Date: Thu, 3 Aug 2023 09:28:03 -0400
Subject: [PATCH] [SNC-387] in policy/decide+eval, perform policy compilation only when context=config. (#983)

---
 cmd/policy/policy.go | 13 ++++---------
 cmd/policy/policy_test.go | 5 -----
 cmd/policy/testdata/policy/eval-expected-usage.txt | 1 +
 3 files changed, 5 insertions(+), 14 deletions(-)

diff --git a/cmd/policy/policy.go b/cmd/policy/policy.go
index 693bfb0c3..dfecd3371 100644
--- a/cmd/policy/policy.go
+++ b/cmd/policy/policy.go
@@ -283,9 +283,6 @@ This group of commands allows the management of polices to be verified against b
 if policyPath == "" && ownerID == "" {
 return fmt.Errorf("either [policy_file_or_dir_path] or --owner-id is required")
 }
- if !noCompile && ownerID == "" {
- return fmt.Errorf("--owner-id is required for compiling config (use --no-compile to evaluate policy against source config only)")
- }
 
 metadata, err := readMetadata(meta, metaFile)
 if err != nil {
@@ -297,7 +294,7 @@ This group of commands allows the management of polices to be verified against b
 return fmt.Errorf("failed to read input file: %w", err)
 }
 
- if !noCompile {
+ if !noCompile && context == "config" {
 compiler := config.New(globalConfig)
 input, err = mergeCompiledConfig(compiler, config.ProcessConfigOpts{
 ConfigPath: inputPath,
@@ -356,6 +353,7 @@ This group of commands allows the management of polices to be verified against b
 inputPath string
 meta string
 metaFile string
+ context string
 ownerID string
 query string
 noCompile bool
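Review bot: Dropping the `--owner-id` guard means the compile branch that follows (`if !noCompile && context == "config"`) is now reached with an empty ownerID; the hunk does not show whether config.New/mergeCompiledConfig tolerate that, so if the compile step still needs an owner the user will now see whatever error surfaces from compilation instead of the earlier explicit usage message. The same guard is removed from the eval command in the hunk at -367. The test that pinned the old behaviour is deleted in policy_test.go without a replacement; a case asserting that compilation is skipped when `--context` is not "config" (and one for "config" without `--owner-id`) would document the new contract. The enclosing RunE function starts and ends outside the hunk.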
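Review bot: The literal `"config"` is now compared against in this condition, again in the eval hunk at -381, and used as the flag default at -404; a shared `const contextConfig = "config"` keeps the three from drifting. A why-comment above the condition would also help the next reader: `// Config compilation only applies to the "config" context; other contexts are evaluated against the raw input.` The enclosing RunE function continues outside the hunk.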
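Review bot: A local named `context` shadows the standard library `context` package inside this function if the file imports it, which cobra command files often do; the imports are not in the hunk, so this is inferred, but a name such as `policyContext` avoids the clash and reads consistently next to `ownerID` and `noCompile`. The flag registration at -404 and the condition at -375 would be renamed along with it. The var block's enclosing function starts and ends outside the hunk.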
@@ -367,10 +365,6 @@ This group of commands allows the management of polices to be verified against b
 RunE: func(cmd *cobra.Command, args []string) error {
 policyPath := args[0]
 
- if !noCompile && ownerID == "" {
- return fmt.Errorf("--owner-id is required for compiling config (use --no-compile to evaluate policy against source config only)")
- }
-
 metadata, err := readMetadata(meta, metaFile)
 if err != nil {
 return fmt.Errorf("failed to read metadata: %w", err)
@@ -381,7 +375,7 @@ This group of commands allows the management of polices to be verified against b
 return fmt.Errorf("failed to read input file: %w", err)
 }
 
- if !noCompile {
+ if !noCompile && context == "config" {
 compiler := config.New(globalConfig)
 input, err = mergeCompiledConfig(compiler, config.ProcessConfigOpts{
 ConfigPath: inputPath,
@@ -410,6 +404,7 @@ This group of commands allows the management of polices to be verified against b
 cmd.Flags().StringVar(&ownerID, "owner-id", "", "the id of the policy's owner")
 cmd.Flags().StringVar(&inputPath, "input", "", "path to input file")
+ cmd.Flags().StringVar(&context, "context", "config", "policy context for decision")
 cmd.Flags().StringVar(&meta, "meta", "", "decision metadata (json string)")
 cmd.Flags().StringVar(&metaFile, "metafile", "", "decision metadata file")
 cmd.Flags().StringVar(&query, "query", "data", "policy decision query")
diff --git a/cmd/policy/policy_test.go b/cmd/policy/policy_test.go
index 39b414649..8fbe1a72c 100644
--- a/cmd/policy/policy_test.go
+++ b/cmd/policy/policy_test.go
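Review bot: The help text on the new `--context` flag, `"policy context for decision"`, does not tell the user that the input is only compiled when the value is "config" (the condition at -375), nor that `--no-compile` is therefore a no-op for any other context. Suggested wording: `cmd.Flags().StringVar(&context, "context", "config", "policy context for decision (config compilation only runs for \"config\")")`, with the matching line in testdata/policy/eval-expected-usage.txt updated to keep that usage test passing. The flag setup continues outside the hunk.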
@@ -826,11 +826,6 @@ test: config
 Args: []string{"decide", "./testdata/test0/policy.rego", "--input", "./testdata/test1/test.yml", "--meta", "{}", "--metafile", "somefile", "--no-compile"},
 ExpectedErr: "failed to read metadata: use either --meta or --metafile flag, but not both",
 },
- {
- Name: "fails if config compilation is enabled, but owner-id isn't provided",
- Args: []string{"decide", "./testdata/test0/policy.rego", "--input", "./testdata/test1/test.yml"},
- ExpectedErr: "--owner-id is required for compiling config (use --no-compile to evaluate policy against source config only)",
- },
 {
 Name: "successfully performs decision for policy FILE provided locally",
 Args: []string{"decide", "./testdata/test0/policy.rego", "--input", "./testdata/test0/config.yml", "--no-compile"},
diff --git a/cmd/policy/testdata/policy/eval-expected-usage.txt b/cmd/policy/testdata/policy/eval-expected-usage.txt
index 304aaf167..a7e33ae87 100644
--- a/cmd/policy/testdata/policy/eval-expected-usage.txt
+++ b/cmd/policy/testdata/policy/eval-expected-usage.txt
@@ -5,6 +5,7 @@ Examples:
 circleci policy eval ./policies --input ./.circleci/config.yml
 
 Flags:
+ --context string policy context for decision (default "config")
 --input string path to input file
 --meta string decision metadata (json string)
 --metafile string decision metadata file