Merge pull request #999 from simonbaird/default-pipeline-intention

Ensure schedule checks apply only to releases

antora/docs/modules/ROOT/pages/release_policy.adoc

@@ -1226,14 +1226,14 @@ Rules that verify the current date conform to a given schedule.
 [#schedule__date_restriction]
 === link:#schedule__date_restriction[Date Restriction]
 
-Check if the current date is not allowed based on the rule data value from the key `disallowed_dates`. By default, the list is empty in which case *any* day is allowed.
+Check if the current date is not allowed based on the rule data value from the key `disallowed_dates`. By default, the list is empty in which case *any* day is allowed. This check is enforced only for a "release" pipeline, as determined by the value of the `pipeline_intention` rule data.
 
 *Solution*: Try again on a different day.
 
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s is a disallowed date: %s`
 * Code: `schedule.date_restriction`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/schedule.rego#L33[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/schedule.rego#L36[Source, window="_blank"]
 
 [#schedule__rule_data_provided]
 === link:#schedule__rule_data_provided[Rule data provided]
@@ -1245,12 +1245,12 @@ Confirm the expected rule data keys have been provided in the expected format. T
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `schedule.rule_data_provided`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/schedule.rego#L53[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/schedule.rego#L58[Source, window="_blank"]
 
 [#schedule__weekday_restriction]
 === link:#schedule__weekday_restriction[Weekday Restriction]
 
-Check if the current weekday is allowed based on the rule data value from the key `disallowed_weekdays`. By default, the list is empty in which case *any* weekday is allowed.
+Check if the current weekday is allowed based on the rule data value from the key `disallowed_weekdays`. By default, the list is empty in which case *any* weekday is allowed. This check is enforced only for a "release" pipeline, as determined by the value of the `pipeline_intention` rule data.
 
 *Solution*: Try again on a different weekday.
 

policy/lib/rule_data.rego

@@ -80,6 +80,11 @@ rule_data_defaults := {
 		"features.operators.openshift.io/token-auth-azure",
 		"features.operators.openshift.io/token-auth-gcp",
 	],
+	# This will be set to "release" in Konflux release pipelines defined at
+	# https://github.com/konflux-ci/release-service-catalog/tree/development/pipelines
+	# Some checks are influenced by this value. Let's use null as a default instead
+	# of the usual empty list.
+	"pipeline_intention": null,
 }
 
 # Returns the "first found" of the following:

policy/release/schedule.rego

@@ -14,7 +14,9 @@ import data.lib
 # title: Weekday Restriction
 # description: >-
 #   Check if the current weekday is allowed based on the rule data value from the key
-#   `disallowed_weekdays`. By default, the list is empty in which case *any* weekday is allowed.
+#   `disallowed_weekdays`. By default, the list is empty in which case *any* weekday is
+#   allowed. This check is enforced only for a "release" pipeline, as determined by
+#   the value of the `pipeline_intention` rule data.
 # custom:
 #   short_name: weekday_restriction
 #   failure_msg: '%s is a disallowed weekday: %s'
@@ -23,6 +25,7 @@ import data.lib
 #   - redhat
 #
 deny contains result if {
+	_schedule_restrictions_apply
 	today := lower(time.weekday(lib.time.effective_current_time_ns))
 	disallowed := {lower(w) | some w in lib.rule_data("disallowed_weekdays")}
 	count(disallowed) > 0
@@ -35,7 +38,8 @@ deny contains result if {
 # description: >-
 #   Check if the current date is not allowed based on the rule data value
 #   from the key `disallowed_dates`. By default, the list is empty in which
-#   case *any* day is allowed.
+#   case *any* day is allowed. This check is enforced only for a "release" pipeline,
+#   as determined by the value of the `pipeline_intention` rule data.
 # custom:
 #   short_name: date_restriction
 #   failure_msg: '%s is a disallowed date: %s'
@@ -44,6 +48,7 @@ deny contains result if {
 #   - redhat
 #
 deny contains result if {
+	_schedule_restrictions_apply
 	today := time.format([lib.time.effective_current_time_ns, "UTC", "2006-01-02"])
 	disallowed := lib.rule_data("disallowed_dates")
 	today in disallowed
@@ -64,10 +69,19 @@ deny contains result if {
 #   - policy_data
 #
 deny contains result if {
+	# (For this one let's do it always)
 	some error in _rule_data_errors
 	result := lib.result_helper(rego.metadata.chain(), [error])
 }
 
+# We want these checks to apply only if we're doing a release. Detect that by checking
+# the `pipeline_intention` value which is set to "release" for Konflux release pipelines.
+default _schedule_restrictions_apply := false
+
+_schedule_restrictions_apply if {
+	lib.rule_data("pipeline_intention") == "release"
+}
+
 _rule_data_errors contains msg if {
 	key := "disallowed_weekdays"
 

policy/release/schedule_test.rego

@@ -9,41 +9,40 @@ test_no_restriction_by_default if {
 	lib.assert_empty(schedule.deny)
 }
 
-# regal ignore:rule-length
 test_weekday_restriction if {
-	disallowed := ["friday", "saturday", "sunday"]
+	_rule_data := weekday_rule_data(["friday", "saturday", "sunday"])
 
-	lib.assert_empty(schedule.deny) with data.rule_data.disallowed_weekdays as disallowed
+	lib.assert_empty(schedule.deny) with data.rule_data as _rule_data
 		with data.config.policy.when_ns as monday
 
-	lib.assert_empty(schedule.deny) with data.rule_data.disallowed_weekdays as disallowed
+	lib.assert_empty(schedule.deny) with data.rule_data as _rule_data
 		with data.config.policy.when_ns as tuesday
 
-	lib.assert_empty(schedule.deny) with data.rule_data.disallowed_weekdays as disallowed
+	lib.assert_empty(schedule.deny) with data.rule_data as _rule_data
 		with data.config.policy.when_ns as wednesday
 
-	lib.assert_empty(schedule.deny) with data.rule_data.disallowed_weekdays as disallowed
+	lib.assert_empty(schedule.deny) with data.rule_data as _rule_data
 		with data.config.policy.when_ns as thursday
 
 	friday_violation := {{
 		"code": "schedule.weekday_restriction",
 		"msg": "friday is a disallowed weekday: friday, saturday, sunday",
 	}}
-	lib.assert_equal_results(schedule.deny, friday_violation) with data.rule_data.disallowed_weekdays as disallowed
+	lib.assert_equal_results(schedule.deny, friday_violation) with data.rule_data as _rule_data
 		with data.config.policy.when_ns as friday
 
 	saturday_violation := {{
 		"code": "schedule.weekday_restriction",
 		"msg": "saturday is a disallowed weekday: friday, saturday, sunday",
 	}}
-	lib.assert_equal_results(schedule.deny, saturday_violation) with data.rule_data.disallowed_weekdays as disallowed
+	lib.assert_equal_results(schedule.deny, saturday_violation) with data.rule_data as _rule_data
 		with data.config.policy.when_ns as saturday
 
 	sunday_violation := {{
 		"code": "schedule.weekday_restriction",
 		"msg": "sunday is a disallowed weekday: friday, saturday, sunday",
 	}}
-	lib.assert_equal_results(schedule.deny, sunday_violation) with data.rule_data.disallowed_weekdays as disallowed
+	lib.assert_equal_results(schedule.deny, sunday_violation) with data.rule_data as _rule_data
 		with data.config.policy.when_ns as sunday
 }
 
@@ -53,14 +52,14 @@ test_weekday_restriction_case_insensitive if {
 		"msg": "friday is a disallowed weekday: friday",
 	}}
 
-	lib.assert_equal_results(schedule.deny, violation) with data.rule_data.disallowed_weekdays as ["FRIDAY"]
+	lib.assert_equal_results(schedule.deny, violation) with data.rule_data as weekday_rule_data(["FRIDAY"])
 		with data.config.policy.when_ns as friday
-	lib.assert_empty(schedule.deny) with data.rule_data.disallowed_weekdays as ["FRIDAY"]
+	lib.assert_empty(schedule.deny) with data.rule_data as weekday_rule_data(["FRIDAY"])
 		with data.config.policy.when_ns as monday
 
-	lib.assert_equal_results(schedule.deny, violation) with data.rule_data.disallowed_weekdays as ["friday"]
+	lib.assert_equal_results(schedule.deny, violation) with data.rule_data as weekday_rule_data(["friday"])
 		with data.config.policy.when_ns as friday
-	lib.assert_empty(schedule.deny) with data.rule_data.disallowed_weekdays as ["friday"]
+	lib.assert_empty(schedule.deny) with data.rule_data as weekday_rule_data(["friday"])
 		with data.config.policy.when_ns as monday
 }
 
@@ -69,19 +68,56 @@ test_date_restriction if {
 		"code": "schedule.date_restriction",
 		"msg": "2023-01-01 is a disallowed date: 2023-01-01",
 	}}
-	lib.assert_equal_results(schedule.deny, violation) with data.rule_data.disallowed_dates as ["2023-01-01"]
+	lib.assert_equal_results(schedule.deny, violation) with data.rule_data as date_rule_data(["2023-01-01"])
 		with data.config.policy.when_ns as time.parse_rfc3339_ns("2023-01-01T00:00:00Z")
 
-	lib.assert_empty(schedule.deny) with data.rule_data.disallowed_dates as ["2023-01-01"]
+	lib.assert_empty(schedule.deny) with data.rule_data as date_rule_data(["2023-01-01"])
 		with data.config.policy.when_ns as time.parse_rfc3339_ns("2023-01-02T00:00:00Z")
-	lib.assert_empty(schedule.deny) with data.rule_data.disallowed_dates as ["2023-01-01"]
+	lib.assert_empty(schedule.deny) with data.rule_data as date_rule_data(["2023-01-01"])
 		with data.config.policy.when_ns as time.parse_rfc3339_ns("2023-02-01T00:00:00Z")
-	lib.assert_empty(schedule.deny) with data.rule_data.disallowed_dates as ["2023-01-01"]
+	lib.assert_empty(schedule.deny) with data.rule_data as date_rule_data(["2023-01-01"])
 		with data.config.policy.when_ns as time.parse_rfc3339_ns("2024-01-01T00:00:00Z")
-	lib.assert_empty(schedule.deny) with data.rule_data.disallowed_dates as ["2023-01-01"]
+	lib.assert_empty(schedule.deny) with data.rule_data as date_rule_data(["2023-01-01"])
 		with data.config.policy.when_ns as time.parse_rfc3339_ns("2024-02-03T00:00:00Z")
 }
 
+test_pipeline_intention if {
+	# With pipeline intention set to "release" we get a violation
+	release_weekday_data := weekday_rule_data(["monday"])
+	monday_violation := {{
+		"code": "schedule.weekday_restriction",
+		"msg": "monday is a disallowed weekday: monday",
+	}}
+	lib.assert_equal_results(schedule.deny, monday_violation) with data.rule_data as release_weekday_data
+		with data.config.policy.when_ns as monday
+
+	release_date_data := date_rule_data(["2024-05-12"])
+	rfc_date := time.parse_rfc3339_ns("2024-05-12T00:00:00Z")
+	violation := {{
+		"code": "schedule.date_restriction",
+		"msg": "2024-05-12 is a disallowed date: 2024-05-12",
+	}}
+	lib.assert_equal_results(schedule.deny, violation) with data.rule_data as release_date_data
+		with data.config.policy.when_ns as rfc_date
+
+	# Without pipeline intention set to "release" we do not get a violation
+	build_weekday_data := object.union(release_weekday_data, {"pipeline_intention": null})
+	lib.assert_empty(schedule.deny) with data.rule_data as build_weekday_data
+		with data.config.policy.when_ns as monday
+
+	spam_weekday_data := object.union(release_weekday_data, {"pipeline_intention": "spam"})
+	lib.assert_empty(schedule.deny) with data.rule_data as spam_weekday_data
+		with data.config.policy.when_ns as monday
+
+	build_date_data := object.union(release_date_data, {"pipeline_intention": null})
+	lib.assert_empty(schedule.deny) with data.rule_data as build_date_data
+		with data.config.policy.when_ns as rfc_date
+
+	spam_date_data := object.union(release_date_data, {"pipeline_intention": "spam"})
+	lib.assert_empty(schedule.deny) with data.rule_data as spam_date_data
+		with data.config.policy.when_ns as rfc_date
+}
+
 test_rule_data_format_disallowed_weekdays if {
 	d := {"disallowed_weekdays": [
 		# Wrong type
@@ -158,16 +194,27 @@ test_rule_data_format_disallowed_dates if {
 		with data.config.policy.when_ns as sunday
 }
 
-sunday := time.parse_rfc3339_ns("2023-01-01T00:00:00Z")
+sunday := _rfc_time_helper("2023-01-01")
 
-monday := time.parse_rfc3339_ns("2023-01-02T00:00:00Z")
+monday := _rfc_time_helper("2023-01-02")
 
-tuesday := time.parse_rfc3339_ns("2023-01-03T00:00:00Z")
+tuesday := _rfc_time_helper("2023-01-03")
 
-wednesday := time.parse_rfc3339_ns("2023-01-04T00:00:00Z")
+wednesday := _rfc_time_helper("2023-01-04")
 
-thursday := time.parse_rfc3339_ns("2023-01-05T00:00:00Z")
+thursday := _rfc_time_helper("2023-01-05")
 
-friday := time.parse_rfc3339_ns("2023-01-06T00:00:00Z")
+friday := _rfc_time_helper("2023-01-06")
 
-saturday := time.parse_rfc3339_ns("2023-01-07T00:00:00Z")
+saturday := _rfc_time_helper("2023-01-07")
+
+_rfc_time_helper(date_string) := time.parse_rfc3339_ns(sprintf("%sT00:00:00Z", [date_string]))
+
+weekday_rule_data(disallowed_weekdays) := _rule_data_helper("disallowed_weekdays", disallowed_weekdays, "release")
+
+date_rule_data(disallowed_dates) := _rule_data_helper("disallowed_dates", disallowed_dates, "release")
+
+_rule_data_helper(disallowed_key, disallowed_values, pipeline_intention) := {
+	"pipeline_intention": pipeline_intention,
+	disallowed_key: disallowed_values,
+}