diff --git a/cli/cmd/digger/default.go b/cli/cmd/digger/default.go
index 74eeebb6b..b221311c4 100644
--- a/cli/cmd/digger/default.go
+++ b/cli/cmd/digger/default.go
@@ -5,6 +5,7 @@ import (
 "github.com/diggerhq/digger/cli/pkg/digger"
 "github.com/diggerhq/digger/cli/pkg/drift"
 "github.com/diggerhq/digger/cli/pkg/github"
+ "github.com/diggerhq/digger/cli/pkg/policy"
 "github.com/diggerhq/digger/cli/pkg/usage"
 comment_updater "github.com/diggerhq/digger/libs/comment_utils/summary"
 dg_github "github.com/diggerhq/digger/libs/orchestrator/github"
@@ -23,7 +24,7 @@ var defaultCmd = &cobra.Command{
 switch ci {
 case digger.GitHub:
 logLeader = os.Getenv("GITHUB_ACTOR")
- github.GitHubCI(lock, PolicyChecker, BackendApi, ReportStrategy, dg_github.GithubServiceProviderBasic{}, comment_updater.CommentUpdaterProviderBasic{}, drift.DriftNotificationProviderBasic{})
+ github.GitHubCI(lock, policy.PolicyCheckerProviderBasic{}, BackendApi, ReportStrategy, dg_github.GithubServiceProviderBasic{}, comment_updater.CommentUpdaterProviderBasic{}, drift.DriftNotificationProviderBasic{})
 case digger.None:
 print("No CI detected.")
 os.Exit(10)
diff --git a/cli/cmd/digger/root.go b/cli/cmd/digger/root.go
index b7bd9f7f8..374d8c990 100644
--- a/cli/cmd/digger/root.go
+++ b/cli/cmd/digger/root.go
@@ -6,7 +6,6 @@ import (
 "github.com/diggerhq/digger/cli/pkg/bitbucket"
 core_backend "github.com/diggerhq/digger/cli/pkg/core/backend"
 core_policy "github.com/diggerhq/digger/cli/pkg/core/policy"
- "github.com/diggerhq/digger/cli/pkg/policy"
 "github.com/diggerhq/digger/cli/pkg/utils"
 "github.com/diggerhq/digger/libs/comment_utils/reporting"
 locking2 "github.com/diggerhq/digger/libs/locking"
@@ -90,9 +89,9 @@ func PreRun(cmd *cobra.Command, args []string) {
 hostName := os.Getenv("DIGGER_HOSTNAME")
 token := os.Getenv("DIGGER_TOKEN")
- orgName := os.Getenv("DIGGER_ORGANISATION")
+ //orgName := os.Getenv("DIGGER_ORGANISATION")
 BackendApi = backend.NewBackendApi(hostName, token)
- PolicyChecker = policy.NewPolicyChecker(hostName, orgName, token)
+ //PolicyChecker = policy.NewPolicyChecker(hostName, orgName, token)
 if os.Getenv("REPORTING_STRATEGY") == "comments_per_run" || os.Getenv("ACCUMULATE_PLANS") == "true" {
 ReportStrategy = &reporting.CommentPerRunStrategy{
diff --git a/cli/pkg/core/policy/policy.go b/cli/pkg/core/policy/policy.go
index d520d9153..9fd879ad9 100644
--- a/cli/pkg/core/policy/policy.go
+++ b/cli/pkg/core/policy/policy.go
@@ -18,6 +18,10 @@ type Checker interface {
 CheckDriftPolicy(SCMOrganisation string, SCMrepository string, projectname string) (bool, error)
 }
+type PolicyCheckerProvider interface {
+ Get(hostname string, organisationName string, authToken string) (Checker, error)
+}
+
 type AccessPolicyContext struct {
 SCMOrganisation string
 SCMrepository string
diff --git a/cli/pkg/digger/digger.go b/cli/pkg/digger/digger.go
index 5dc849329..ab9261dc4 100644
--- a/cli/pkg/digger/digger.go
+++ b/cli/pkg/digger/digger.go
@@ -87,7 +87,7 @@ func RunJobs(jobs []orchestrator.Job, prService orchestrator.PullRequestService,
 }
 if !allowedToPerformCommand {
- msg := reportPolicyError(job.ProjectName, job.RequestedBy, command, reporter)
+ msg := reportPolicyError(job.ProjectName, command, job.RequestedBy, reporter)
 log.Printf("Skipping command ... %v for project %v", command, job.ProjectName)
 log.Println(msg)
 appliesPerProject[job.ProjectName] = false
diff --git a/cli/pkg/github/github.go b/cli/pkg/github/github.go
index a8dc1a322..e61fe4915 100644
--- a/cli/pkg/github/github.go
+++ b/cli/pkg/github/github.go
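Review bot: The two replaced lines in PreRun leave dead code behind as comments (`//orgName := …`, `//PolicyChecker = …`) while the ee root.go hunk in this same commit deletes the equivalent lines outright; delete them here as well, since git history already preserves the old wiring and commented-out code tends to be resurrected later without its imports. If nothing else in the file assigns `PolicyChecker`, its package-level declaration (presumably still present outside this hunk) is now never populated and should go with them. PreRun continues outside the hunk.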
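Review bot: The new exported `PolicyCheckerProvider` interface has no doc comment, and its three string parameters are positionally ambiguous — the github.go hunk in this commit already calls `Get` with the token and organisation swapped. Add `// PolicyCheckerProvider builds the Checker used to authorise commands; Get takes the backend hostname, the organisation name and the auth token, in that order.` above the type. It is also worth stating in that comment what a non-nil error means for callers, since the Checker returned alongside it is nil and a caller that ignores the error ends up with a nil interface.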
@@ -10,7 +10,6 @@ import (
 "github.com/diggerhq/digger/cli/pkg/digger"
 "github.com/diggerhq/digger/cli/pkg/drift"
 github_models "github.com/diggerhq/digger/cli/pkg/github/models"
- "github.com/diggerhq/digger/cli/pkg/policy"
 "github.com/diggerhq/digger/cli/pkg/storage"
 "github.com/diggerhq/digger/cli/pkg/usage"
 "github.com/diggerhq/digger/cli/pkg/utils"
@@ -31,7 +30,7 @@ import (
 "time"
 )
-func GitHubCI(lock core_locking.Lock, policyChecker core_policy.Checker, backendApi core_backend.Api, reportingStrategy reporting.ReportStrategy, githubServiceProvider dg_github.GithubServiceProvider, commentUpdaterProvider comment_updater.CommentUpdaterProvider, driftNotifcationProvider drift.DriftNotificationProvider) {
+func GitHubCI(lock core_locking.Lock, policyCheckerProvider core_policy.PolicyCheckerProvider, backendApi core_backend.Api, reportingStrategy reporting.ReportStrategy, githubServiceProvider dg_github.GithubServiceProvider, commentUpdaterProvider comment_updater.CommentUpdaterProvider, driftNotifcationProvider drift.DriftNotificationProvider) {
 log.Printf("Using GitHub.\n")
 githubActor := os.Getenv("GITHUB_ACTOR")
 if githubActor != "" {
@@ -40,6 +39,12 @@ func GitHubCI(lock core_locking.Lock, policyChecker core_policy.Checker, backend
 usage.SendUsageRecord("", "log", "non github initialisation")
 }
+ // default policy checker for backwards compatability, will be overriden in orchestrator flow
+ hostName := os.Getenv("DIGGER_HOSTNAME")
+ token := os.Getenv("DIGGER_TOKEN")
+ orgName := os.Getenv("DIGGER_ORGANISATION")
+ var policyChecker, _ = policyCheckerProvider.Get(hostName, token, orgName)
+
 ghToken := os.Getenv("GITHUB_TOKEN")
 if ghToken == "" {
 usage.ReportErrorAndExit(githubActor, "GITHUB_TOKEN is not defined", 1)
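Review bot: `policyCheckerProvider.Get(hostName, token, orgName)` passes the arguments in the wrong order — the interface added in core/policy.go in this commit is `Get(hostname, organisationName, authToken)`, so DIGGER_TOKEN is used as the organisation and DIGGER_ORGANISATION as the bearer token; the line should read `policyChecker, err := policyCheckerProvider.Get(hostName, orgName, token)`. The error is discarded with `_` here and again in the jobSpec override hunk below; the ee provider in this commit returns `nil, err` when GITHUB_TOKEN is missing, so a discarded error leaves a nil Checker that panics at the first policy check instead of reporting the cause — handle it with `usage.ReportErrorAndExit` as the GITHUB_TOKEN check that follows does. Depending on how DiggerHttpPolicyProvider uses DiggerOrganisation, the swap may also place the token where an organisation name is expected in requests or logs. The comment's "backwards compatability" / "overriden" spellings should be fixed while the lines are touched. GitHubCI continues outside the hunk.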
@@ -119,7 +124,8 @@ func GitHubCI(lock core_locking.Lock, policyChecker core_policy.Checker, backend
 if jobSpec.BackendHostname != "" && jobSpec.BackendOrganisationName != "" && jobSpec.BackendJobToken != "" {
 log.Printf("Found settings sent by backend in jobSpec string, overriding backendApi and policyCheckecd r. setting: (orgName: %v BackedHost: %v token: %v)", jobSpec.BackendOrganisationName, jobSpec.BackendHostname, "****")
 backendApi = backend.NewBackendApi(jobSpec.BackendHostname, jobSpec.BackendJobToken)
- policyChecker = policy.NewPolicyChecker(jobSpec.BackendHostname, jobSpec.BackendOrganisationName, jobSpec.BackendJobToken)
+ policyChecker, _ = policyCheckerProvider.Get(jobSpec.BackendHostname, jobSpec.BackendOrganisationName, jobSpec.BackendJobToken)
+
 } else {
 usage.ReportErrorAndExit(githubActor, fmt.Sprintf("Missing values from job spec: hostname, orgName, token: %v %v", jobSpec.BackendHostname, jobSpec.BackendOrganisationName), 4)
 }
diff --git a/cli/pkg/policy/providers.go b/cli/pkg/policy/providers.go
new file mode 100644
index 000000000..7da37be79
--- /dev/null
+++ b/cli/pkg/policy/providers.go
@@ -0,0 +1,27 @@
+package policy
+
+import (
+ core_policy "github.com/diggerhq/digger/cli/pkg/core/policy"
+ "log"
+ "net/http"
+ "os"
+)
+
+type PolicyCheckerProviderBasic struct{}
+
+func (p PolicyCheckerProviderBasic) Get(hostname string, organisationName string, authToken string) (core_policy.Checker, error) {
+ var policyChecker core_policy.Checker
+ if os.Getenv("NO_BACKEND") == "true" {
+ log.Println("WARNING: running in 'backendless' mode. No policies will be supported.")
+ policyChecker = NoOpPolicyChecker{}
+ } else {
+ policyChecker = DiggerPolicyChecker{
+ PolicyProvider: &DiggerHttpPolicyProvider{
+ DiggerHost: hostname,
+ DiggerOrganisation: organisationName,
+ AuthToken: authToken,
+ HttpClient: http.DefaultClient,
+ }}
+ }
+ return policyChecker, nil
+}
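Review bot: `HttpClient: http.DefaultClient` has no timeout, so a policy fetch against an unresponsive backend blocks the CI run indefinitely; give the client a deadline, e.g. `HttpClient: &http.Client{Timeout: 30 * time.Second},` (adding `"time"` to the import block). The method always returns a nil error even though the signature allows one, so a comment on `Get` stating that this provider never fails and that `NO_BACKEND=true` deliberately disables policy enforcement via NoOpPolicyChecker would make the fail-open branch explicit to readers. Both `PolicyCheckerProviderBasic` and `Get` are exported and would benefit from doc comments beginning with their names.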
diff --git a/ee/cli/cmd/digger/default.go b/ee/cli/cmd/digger/default.go
index 03a44f059..347c3c738 100644
--- a/ee/cli/cmd/digger/default.go
+++ b/ee/cli/cmd/digger/default.go
@@ -8,6 +8,7 @@ import (
 "github.com/diggerhq/digger/ee/cli/pkg/comment_updater"
 "github.com/diggerhq/digger/ee/cli/pkg/drift"
 github2 "github.com/diggerhq/digger/ee/cli/pkg/github"
+ "github.com/diggerhq/digger/ee/cli/pkg/policy"
 "github.com/spf13/cobra"
 "log"
 "os"
@@ -23,7 +24,7 @@ var defaultCmd = &cobra.Command{
 switch ci {
 case digger.GitHub:
 logLeader = os.Getenv("GITHUB_ACTOR")
- github.GitHubCI(lock, PolicyChecker, BackendApi, ReportStrategy, github2.GithubServiceProviderAdvanced{}, comment_updater.CommentUpdaterProviderAdvanced{}, drift.DriftNotificationProviderAdvanced{})
+ github.GitHubCI(lock, policy.PolicyCheckerProviderAdvanced{}, BackendApi, ReportStrategy, github2.GithubServiceProviderAdvanced{}, comment_updater.CommentUpdaterProviderAdvanced{}, drift.DriftNotificationProviderAdvanced{})
 case digger.None:
 print("No CI detected.")
 os.Exit(10)
diff --git a/ee/cli/cmd/digger/root.go b/ee/cli/cmd/digger/root.go
index 047b57f7d..d52d79686 100644
--- a/ee/cli/cmd/digger/root.go
+++ b/ee/cli/cmd/digger/root.go
@@ -78,7 +78,6 @@ func (r *RunConfig) GetServices() (*orchestrator.PullRequestService, *orchestrat
 return &prService, &orgService, &reporter, nil
 }
-var PolicyChecker core_policy.Checker
 var BackendApi core_backend.Api
 var ReportStrategy reporting.ReportStrategy
 var lock locking.Lock
@@ -87,9 +86,7 @@ func PreRun(cmd *cobra.Command, args []string) {
 hostName := os.Getenv("DIGGER_HOSTNAME")
 token := os.Getenv("DIGGER_TOKEN")
- orgName := os.Getenv("DIGGER_ORGANISATION")
 BackendApi = NewBackendApi(hostName, token)
- PolicyChecker = NewPolicyChecker(hostName, orgName, token)
 if os.Getenv("REPORTING_STRATEGY") == "comments_per_run" || os.Getenv("ACCUMULATE_PLANS") == "true" {
 ReportStrategy = &reporting.CommentPerRunStrategy{
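Review bot: Removing `var PolicyChecker core_policy.Checker` drops what appears to be the only use of the `core_policy` import in ee root.go; if nothing else in the file references it the package no longer compiles, so the import block (outside this hunk) needs checking. The `NewPolicyChecker(hostName, orgName, token)` call removed in the PreRun hunk likewise looks like the only caller of that function, leaving it dead if it is defined in this command package. Both hunks show only part of GetServices and PreRun.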
diff --git a/ee/cli/pkg/policy/policy.go b/ee/cli/pkg/policy/policy.go
index 1c27c43f6..d3d2e3932 100644
--- a/ee/cli/pkg/policy/policy.go
+++ b/ee/cli/pkg/policy/policy.go
@@ -3,6 +3,7 @@ package policy
 import (
 "fmt"
 "github.com/diggerhq/digger/ee/cli/pkg/utils"
+ "log"
 "os"
 "path"
 )
@@ -30,19 +31,20 @@ func getContents(filePath string) (string, error) {
 return string(contents), nil
 }
-func (p *DiggerRepoPolicyProvider) getPolicyFileContents(repo string, projectName string, fileName string) (string, error) {
+func (p DiggerRepoPolicyProvider) getPolicyFileContents(repo string, projectName string, fileName string) (string, error) {
 var contents string
 err := utils.CloneGitRepoAndDoAction(p.ManagementRepoUrl, "main", p.GitToken, func(basePath string) error {
 orgAccesspath := path.Join(basePath, "policies", fileName)
 repoAccesspath := path.Join(basePath, "policies", repo, fileName)
 projectAccessPath := path.Join(basePath, "policies", repo, projectName, fileName)
+ log.Printf("loading repo orgAccess %v repoAccess %v projectAcces %v", orgAccesspath, repoAccesspath, projectAccessPath)
 var err error
- contents, err = getContents(orgAccesspath)
+ contents, err = getContents(projectAccessPath)
 if os.IsNotExist(err) {
 contents, err = getContents(repoAccesspath)
 if os.IsNotExist(err) {
- contents, err = getContents(projectAccessPath)
+ contents, err = getContents(orgAccesspath)
 if os.IsNotExist(err) {
 return nil
 } else {
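Review bot: The lookup now reads `projectAccessPath` first, so the most specific file decides access, yet `repo` and `projectName` are joined into that path with no validation; if these values originate from the job spec rather than from operator configuration, a component containing a separator or `..` would select a file outside `policies/` in the clone as the effective policy. Reject such components before the `path.Join` calls, e.g. `if repo == ".." || projectName == ".." || path.Base(repo) != repo || path.Base(projectName) != projectName { return fmt.Errorf("invalid repo or project name in policy lookup") }` (both `path` and `fmt` are already imported here). The new log line also misspells `projectAcces`. getPolicyFileContents continues outside the hunk.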
@@ -63,19 +65,19 @@ func (p *DiggerRepoPolicyProvider) getPolicyFileContents(repo string, projectNam
 }
 // GetPolicy fetches policy for particular project, if not found then it will fallback to org level policy
-func (p *DiggerRepoPolicyProvider) GetAccessPolicy(organisation string, repo string, projectName string) (string, error) {
+func (p DiggerRepoPolicyProvider) GetAccessPolicy(organisation string, repo string, projectName string) (string, error) {
 return p.getPolicyFileContents(repo, projectName, "access.rego")
 }
-func (p *DiggerRepoPolicyProvider) GetPlanPolicy(organisation string, repo string, projectName string) (string, error) {
+func (p DiggerRepoPolicyProvider) GetPlanPolicy(organisation string, repo string, projectName string) (string, error) {
 return "", nil
 }
-func (p *DiggerRepoPolicyProvider) GetDriftPolicy() (string, error) {
+func (p DiggerRepoPolicyProvider) GetDriftPolicy() (string, error) {
 return "", nil
 }
-func (p *DiggerRepoPolicyProvider) GetOrganisation() string {
+func (p DiggerRepoPolicyProvider) GetOrganisation() string {
 return ""
 }
diff --git a/ee/cli/pkg/policy/providers.go b/ee/cli/pkg/policy/providers.go
new file mode 100644
index 000000000..71a7f0406
--- /dev/null
+++ b/ee/cli/pkg/policy/providers.go
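Review bot: The doc comment above the first method names `GetPolicy`, but the function it documents is `GetAccessPolicy`; rewrite it as `// GetAccessPolicy returns the access.rego for the project, falling back to the repo-level and then the organisation-level file.` so godoc attaches it and it describes the lookup order the previous hunk now implements. `GetPlanPolicy` and `GetDriftPolicy` return an empty policy with a nil error, which a caller may interpret as "no restrictions"; a one-line comment on each stating that the repo provider does not support plan or drift policies would make that behaviour deliberate rather than an omission.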
@@ -0,0 +1,27 @@
+package policy
+
+import (
+ "fmt"
+ core_policy "github.com/diggerhq/digger/cli/pkg/core/policy"
+ "github.com/diggerhq/digger/cli/pkg/policy"
+ "os"
+)
+
+type PolicyCheckerProviderAdvanced struct{}
+
+func (p PolicyCheckerProviderAdvanced) Get(hostname string, organisationName string, authToken string) (core_policy.Checker, error) {
+ managementRepo := os.Getenv("DIGGER_MANAGEMENT_REPO")
+ if managementRepo != "" {
+ token := os.Getenv("GITHUB_TOKEN")
+ if token == "" {
+ return nil, fmt.Errorf("failed to get managent repo policy provider: GITHUB_TOKEN not specified")
+ }
+ return policy.DiggerPolicyChecker{
+ PolicyProvider: DiggerRepoPolicyProvider{
+ ManagementRepoUrl: managementRepo,
+ GitToken: token,
+ },
+ }, nil
+ }
+ return policy.PolicyCheckerProviderBasic{}.Get(hostname, organisationName, authToken)
+}
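Review bot: The error on the `token == ""` branch misspells `managent` and carries a redundant "failed to" prefix; `return nil, fmt.Errorf("management repo policy provider: GITHUB_TOKEN not specified")` reads cleanly once wrapped by a caller. Importing `github.com/diggerhq/digger/cli/pkg/policy` unaliased into a package that is itself named `policy` compiles but is easy to misread; alias it (for example `cli_policy`) to match the `core_policy` convention on the line above it. Note that the only caller visible in this commit, GitHubCI, discards this error, so the nil Checker returned here would surface as a nil-interface panic at the first policy check rather than as this message; a doc comment on `Get` stating that a non-nil error must be treated as fatal would help callers get this right.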