Policy enforcer actor that restricts to only wasmCloud signed resourc…

…es (#154) * initial commit of a wasmcloud-only policy actor Signed-off-by: Brooks Townsend <[email protected]> * addressed PR nits Signed-off-by: Brooks Townsend <[email protected]> * added action for build/release Signed-off-by: Brooks Townsend <[email protected]> * updated with camelcase json decoding Signed-off-by: Brooks Townsend <[email protected]> * updated to camelcase serialize Signed-off-by: Brooks Townsend <[email protected]> Signed-off-by: Brooks Townsend <[email protected]>
wasmCloud · Aug 17, 2022 · 4c76941 · 4c76941
1 parent 236176b
commit 4c76941
Show file tree

Hide file tree

Showing 9 changed files with 3,148 additions and 0 deletions.
diff --git a/.github/workflows/policy.yml b/.github/workflows/policy.yml
@@ -0,0 +1,103 @@
+name: POLICY
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "actor/policy/**"
+    tags:
+      - "policy-v*"
+  pull_request:
+    branches: [main]
+    paths:
+      - "actor/policy/**"
+
+env:
+  CARGO_TERM_COLOR: always
+  working-directory: ./actor/policy
+  WASH_ISSUER_KEY: ${{ secrets.WASMCLOUD_ACCOUNT_OFFICIAL }}
+  WASH_SUBJECT_KEY: ${{ secrets.WASMCLOUD_EXAMPLE_POLICY }}
+
+jobs:
+  rust_check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      # If your integration tests require nats or redis, run them here
+      - name: Add wasm32-unknown-unknown
+        run: rustup target add wasm32-unknown-unknown
+      - id: rust-check-action
+        uses: wasmcloud/common-actions/rust-check@main
+        with:
+          working-directory: ${{ env.working-directory }}
+          # The `--doc` is required for wasm, as cargo cannot execute wasm tests by default
+          test-options: "--verbose --doc"
+
+  build_artifact:
+    needs: rust_check
+    if: startswith(github.ref, 'refs/tags/') # Only run on tag push
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: wasmcloud/common-actions/install-wash@main
+
+      - name: Add wasm32-unknown-unknown
+        run: rustup target add wasm32-unknown-unknown
+
+      - name: Build wasmcloud actor
+        run: make
+        working-directory: ${{ env.working-directory }}
+
+      - name: Upload signed actor to GH Actions
+        uses: actions/upload-artifact@v2
+        with:
+          name: wasmcloud-actor
+          path: ${{ env.working-directory }}/build/*.wasm
+
+  github_release:
+    if: startswith(github.ref, 'refs/tags/') # Only run on tag push
+    needs: build_artifact
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download signed actor
+        uses: actions/download-artifact@v2
+        with:
+          name: wasmcloud-actor
+          path: ${{ env.working-directory }}/build
+
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: ${{ env.working-directory }}/build/*.wasm
+          token: ${{ secrets.GITHUB_TOKEN }}
+          prerelease: true
+          draft: false
+
+  artifact_release:
+    needs: build_artifact
+    if: startswith(github.ref, 'refs/tags/') # Only run on tag push
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Download signed actor
+        uses: actions/download-artifact@v2
+        with:
+          name: wasmcloud-actor
+          path: ${{ env.working-directory }}/build
+
+      - name: Determine artifact metadata
+        run: |
+          echo "oci-version=$(cargo metadata --no-deps --format-version 1 | jq -r '.packages[].version')" >> $GITHUB_ENV
+        working-directory: ${{ env.working-directory }}
+
+      - name: Push actor to AzureCR
+        uses: wasmcloud/common-actions/oci-artifact-release@main
+        env:
+          oci-repository: example_policy
+        with:
+          artifact-path: ${{ env.working-directory }}/build/${{ env.oci-repository }}_s.wasm
+          oci-url: ${{ secrets.AZURECR_PUSH_URL }}
+          oci-repository: ${{ env.oci-repository }}
+          oci-version: ${{ env.oci-version }}
+          oci-username: ${{ secrets.AZURECR_PUSH_USER }}
+          oci-password: ${{ secrets.AZURECR_PUSH_PASSWORD }}
diff --git a/actor/policy/.cargo/config.toml b/actor/policy/.cargo/config.toml
@@ -0,0 +1,2 @@
+[build]
+target = "wasm32-unknown-unknown"
diff --git a/actor/policy/.gitignore b/actor/policy/.gitignore
@@ -0,0 +1,41 @@
+# This file lists build byproducts, 
+# IDE-specific files (unless shared by your team)
+
+
+## Build
+/build
+/dist/
+/target
+**target
+
+## File system
+.DS_Store
+desktop.ini
+
+## Editor
+*.swp
+*.swo
+Session.vim
+.cproject
+.idea
+*.iml
+.vscode
+.project
+.favorites.json
+.settings/
+
+## Temporary files
+*~
+\#*
+\#*\#
+.#*
+
+## Python
+__pycache__/
+*.py[cod]
+*$py.class
+
+## Node
+**node_modules
+**package-lock.json
+