Feat/policy provider repo (#1222)

* introduce repo policy provider (ee)
diggerhq · Feb 28, 2024 · f6e74e9 · f6e74e9
1 parent a84f89a
commit f6e74e9
Show file tree

Hide file tree

Showing 4 changed files with 152 additions and 5 deletions.
diff --git a/.github/workflows/ee_cli_release.yml b/.github/workflows/ee_cli_release.yml
@@ -0,0 +1,33 @@
+name: release ee cli
+on:
+  release:
+    branches:
+      - 'go'
+    types: [released]
+jobs:
+  binary:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: 1.21.1
+        id: go
+
+      - name: Check out repository
+        uses: actions/checkout@v4
+      - name: Build
+        run: |
+          echo "Tag that is going to be used as digger version: ${{ github.event.release.tag_name }}"
+          env GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-X digger/pkg/utils.version=${{ github.event.release.tag_name }}" -o digger ./ee/cli/cmd/digger
+
+      - name: Publish linux-x64 exec to github
+        id: upload-release-asset-linux-x64
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: 'digger'
+          asset_name: digger-ee-cli-Linux-X64
+          asset_content_type: application/octet-stream
diff --git a/ee/cli/cmd/digger/root.go b/ee/cli/cmd/digger/root.go
@@ -13,6 +13,7 @@ import (
 	"github.com/diggerhq/digger/cli/pkg/policy"
 	"github.com/diggerhq/digger/cli/pkg/reporting"
 	"github.com/diggerhq/digger/cli/pkg/utils"
+	ee_policy "github.com/diggerhq/digger/ee/cli/pkg/policy"
 	"github.com/diggerhq/digger/libs/orchestrator"
 	orchestrator_github "github.com/diggerhq/digger/libs/orchestrator/github"
 	"github.com/spf13/cobra"
@@ -100,11 +101,9 @@ func PreRun(cmd *cobra.Command, args []string) {
 			log.Fatalf("Token specified but missing organisation: DIGGER_ORGANISATION. Please set this value in action digger_config.")
 		}
 		PolicyChecker = policy.DiggerPolicyChecker{
-			PolicyProvider: &policy.DiggerHttpPolicyProvider{
-				DiggerHost:         os.Getenv("DIGGER_HOSTNAME"),
-				DiggerOrganisation: os.Getenv("DIGGER_ORGANISATION"),
-				AuthToken:          os.Getenv("DIGGER_TOKEN"),
-				HttpClient:         http.DefaultClient,
+			PolicyProvider: &ee_policy.DiggerRepoPolicyProvider{
+				ManagementRepoUrl: os.Getenv("DIGGER_MANAGEMENT_REPO"),
+				GitToken:          os.Getenv("GITHUB_TOKEN"),
 			}}
 		BackendApi = backend.DiggerApi{
 			DiggerHost: os.Getenv("DIGGER_HOSTNAME"),

diff --git a/ee/cli/pkg/policy/policy.go b/ee/cli/pkg/policy/policy.go
@@ -0,0 +1,63 @@
+package policy
+
+import (
+	"fmt"
+	"github.com/diggerhq/digger/ee/cli/pkg/utils"
+	"os"
+	"path"
+)
+
+const DefaultAccessPolicy = `
+package digger
+default allow = true
+allow = (count(input.planPolicyViolations) == 0)
+`
+
+type DiggerRepoPolicyProvider struct {
+	ManagementRepoUrl string
+	GitToken          string
+}
+
+// GetPolicy fetches policy for particular project,  if not found then it will fallback to org level policy
+func (p *DiggerRepoPolicyProvider) GetAccessPolicy(organisation string, repo string, projectName string) (string, error) {
+	var policycontents []byte
+	err := utils.CloneGitRepoAndDoAction(p.ManagementRepoUrl, "main", p.GitToken, func(basePath string) error {
+		orgAccesspath := path.Join(basePath, "policies", "access.rego")
+		//repoAccesspath := path.Join(basePath, "policies", repo, "access.rego")
+		//projectAccessPath := path.Join(basePath, "policies", repo, projectName, "access.rego")
+		var regoPath string
+		if _, err := os.Stat(orgAccesspath); err != nil {
+			if os.IsNotExist(err) {
+				return fmt.Errorf("Could not find org level path")
+			} else {
+				return err
+			}
+		} else {
+			regoPath = orgAccesspath
+		}
+
+		var err error
+		policycontents, err = os.ReadFile(regoPath)
+		if err != nil {
+			return err
+		}
+		return nil
+	})
+	if err != nil {
+		return "", err
+	}
+	return string(policycontents), nil
+}
+
+func (p *DiggerRepoPolicyProvider) GetPlanPolicy(organisation string, repo string, projectName string) (string, error) {
+	return "", nil
+}
+
+func (p *DiggerRepoPolicyProvider) GetDriftPolicy() (string, error) {
+	return "", nil
+
+}
+
+func (p *DiggerRepoPolicyProvider) GetOrganisation() string {
+	return ""
+}
diff --git a/ee/cli/pkg/utils/github.go b/ee/cli/pkg/utils/github.go
@@ -0,0 +1,52 @@
+package utils
+
+import (
+	"github.com/go-git/go-git/v5"
+	"github.com/go-git/go-git/v5/plumbing"
+	"github.com/go-git/go-git/v5/plumbing/transport/http"
+	"log"
+	"os"
+)
+
+func createTempDir() string {
+	tempDir, err := os.MkdirTemp("", "repo")
+	if err != nil {
+		log.Fatal(err)
+	}
+	return tempDir
+}
+
+type action func(string) error
+
+func CloneGitRepoAndDoAction(repoUrl string, branch string, token string, action action) error {
+	dir := createTempDir()
+	cloneOptions := git.CloneOptions{
+		URL:           repoUrl,
+		ReferenceName: plumbing.NewBranchReferenceName(branch),
+		Depth:         1,
+		SingleBranch:  true,
+	}
+
+	if token != "" {
+		cloneOptions.Auth = &http.BasicAuth{
+			Username: "x-access-token", // anything except an empty string
+			Password: token,
+		}
+	}
+
+	_, err := git.PlainClone(dir, false, &cloneOptions)
+	if err != nil {
+		log.Printf("PlainClone error: %v\n", err)
+		return err
+	}
+	defer os.RemoveAll(dir)
+
+	err = action(dir)
+	if err != nil {
+		log.Printf("error performing action: %v", err)
+		return err
+	}
+
+	return nil
+
+}