Add OPA support to the policy API's:

Updated Api's: - Create Policy: Adds the kind and Query options for OPA and enforcement_level - Update Policy: Adds option to update the Query - List Policy: List allows filtering by kind Adds integration tests for the above
hashicorp · Nov 2, 2022 · ed92d07 · ed92d07
1 parent c435011
commit ed92d07
Show file tree

Hide file tree

Showing 5 changed files with 444 additions and 3 deletions.
diff --git a/errors.go b/errors.go
@@ -199,6 +199,8 @@ var (
 
 	ErrRequiredName = errors.New("name is required")
 
+	ErrRequiredQuery = errors.New("invalid attribute\n\nQuery can't be blank")
+
 	ErrRequiredEnabled = errors.New("enabled is required")
 
 	ErrRequiredEnforce = errors.New("enforce is required")

diff --git a/helper_test.go b/helper_test.go
@@ -613,6 +613,40 @@ func createPolicy(t *testing.T, client *Client, org *Organization) (*Policy, fun
 	}
 }
 
+func createPolicyWithOptions(t *testing.T, client *Client, org *Organization, opts *PolicyCreateOptions) (*Policy, func()) {
+	var orgCleanup func()
+
+	if org == nil {
+		org, orgCleanup = createOrganization(t, client)
+	}
+
+	name := randomString(t)
+	options := PolicyCreateOptions{
+		Name:    String(name),
+		Kind:    opts.Kind,
+		Query:   opts.Query,
+		Enforce: opts.Enforce,
+	}
+
+	ctx := context.Background()
+	p, err := client.Policies.Create(ctx, org.Name, options)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return p, func() {
+		if err := client.Policies.Delete(ctx, p.ID); err != nil {
+			t.Errorf("Error destroying policy! WARNING: Dangling resources\n"+
+				"may exist! The full error is shown below.\n\n"+
+				"Policy: %s\nError: %s", p.ID, err)
+		}
+
+		if orgCleanup != nil {
+			orgCleanup()
+		}
+	}
+}
+
 func createUploadedPolicy(t *testing.T, client *Client, pass bool, org *Organization) (*Policy, func()) {
 	var orgCleanup func()
 
@@ -642,6 +676,35 @@ func createUploadedPolicy(t *testing.T, client *Client, pass bool, org *Organiza
 	}
 }
 
+func createUploadedPolicyWithOptions(t *testing.T, client *Client, pass bool, org *Organization, opts *PolicyCreateOptions) (*Policy, func()) {
+	var orgCleanup func()
+
+	if org == nil {
+		org, orgCleanup = createOrganization(t, client)
+	}
+
+	p, pCleanup := createPolicyWithOptions(t, client, org, opts)
+
+	ctx := context.Background()
+	err := client.Policies.Upload(ctx, p.ID, []byte(fmt.Sprintf("main = rule { %t }", pass)))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	p, err = client.Policies.Read(ctx, p.ID)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	return p, func() {
+		pCleanup()
+
+		if orgCleanup != nil {
+			orgCleanup()
+		}
+	}
+}
+
 func createOAuthClient(t *testing.T, client *Client, org *Organization) (*OAuthClient, func()) {
 	var orgCleanup func()
 

diff --git a/policy.go b/policy.go
@@ -48,9 +48,10 @@ type EnforcementLevel string
 
 // List the available enforcement types.
 const (
-	EnforcementAdvisory EnforcementLevel = "advisory"
-	EnforcementHard     EnforcementLevel = "hard-mandatory"
-	EnforcementSoft     EnforcementLevel = "soft-mandatory"
+	EnforcementAdvisory  EnforcementLevel = "advisory"
+	EnforcementHard      EnforcementLevel = "hard-mandatory"
+	EnforcementSoft      EnforcementLevel = "soft-mandatory"
+	EnforcementMandatory EnforcementLevel = "mandatory"
 )
 
 // PolicyList represents a list of policies..
@@ -63,6 +64,8 @@ type PolicyList struct {
 type Policy struct {
 	ID             string         `jsonapi:"primary,policies"`
 	Name           string         `jsonapi:"attr,name"`
+	Kind           PolicyKind     `jsonapi:"attr,kind"`
+	Query          *string        `jsonapi:"attr,query"`
 	Description    string         `jsonapi:"attr,description"`
 	Enforce        []*Enforcement `jsonapi:"attr,enforce"`
 	PolicySetCount int            `jsonapi:"attr,policy-set-count"`
@@ -90,6 +93,10 @@ type PolicyListOptions struct {
 
 	// Optional: A search string (partial policy name) used to filter the results.
 	Search string `url:"search[name],omitempty"`
+
+	// **Note: This field is still in BETA and subject to change.**
+	// Optional: A kind string used to filter the results by the policy kind.
+	Kind PolicyKind `url:"filter[kind],omitempty"`
 }
 
 // PolicyCreateOptions represents the options for creating a new policy.
@@ -103,6 +110,14 @@ type PolicyCreateOptions struct {
 	// Required: The name of the policy.
 	Name *string `jsonapi:"attr,name"`
 
+	// **Note: This field is still in BETA and subject to change.**
+	// Optional: The underlying technology that the policy supports.
+	Kind PolicyKind `jsonapi:"attr,kind,omitempty"`
+
+	// **Note: This field is still in BETA and subject to change.**
+	// Optional: The query passed to policy evaluation to determine the result of the policy. Only valid for OPA.
+	Query *string `jsonapi:"attr,query,omitempty"`
+
 	// Optional: A description of the policy's purpose.
 	Description *string `jsonapi:"attr,description,omitempty"`
 
@@ -121,6 +136,10 @@ type PolicyUpdateOptions struct {
 	// Optional: A description of the policy's purpose.
 	Description *string `jsonapi:"attr,description,omitempty"`
 
+	// **Note: This field is still in BETA and subject to change.**
+	// Optional: The query passed to policy evaluation to determine the result of the policy. Only valid for OPA.
+	Query *string `jsonapi:"attr,query,omitempty"`
+
 	// Optional: The enforcements of the policy.
 	Enforce []*EnforcementOptions `jsonapi:"attr,enforce,omitempty"`
 }