open-telemetry · lquerel · Jun 26, 2024 · Jun 12, 2024 · Jun 18, 2024 · Jun 19, 2024
@@ -24,7 +24,8 @@ walkdir.workspace = true
 globset.workspace = true
 miette.workspace = true
 
-regorus = { version = "0.1.5", default-features = false, features = [
+regorus = { version = "0.2.0", default-features = false, features = [
+    "std",
     "arc",
     "base64",
     "base64url",

@@ -3,6 +3,7 @@
 #![allow(rustdoc::broken_intra_doc_links)]
 #![doc = include_str!("../README.md")]
 
+use std::collections::HashSet;
 use std::fmt::{Display, Formatter};
 use std::path::Path;
 
@@ -11,8 +12,8 @@
 use serde::Serialize;
 use serde_json::to_value;
 use walkdir::DirEntry;
-use weaver_common::diagnostic::{DiagnosticMessage, DiagnosticMessages};
 
+use weaver_common::diagnostic::{DiagnosticMessage, DiagnosticMessages};
 use weaver_common::error::{format_errors, handle_errors, WeaverError};
 
 use crate::violation::Violation;
@@ -146,6 +147,13 @@
 pub struct Engine {
     // The `regorus` policy engine.
     engine: regorus::Engine,
+    // Flag to enable the coverage report.
+    coverage_enabled: bool,
+    // Number of policy packages added.
+    policy_package_count: usize,
+    // Policy packages loaded. This is used to check if a policy package has been imported
+    // before evaluating it.
+    policy_packages: HashSet<String>,
 }
 
 impl Engine {
@@ -155,21 +163,36 @@
         Default::default()
     }
 
+    /// Enables the coverage report.
+    pub fn enable_coverage(&mut self) {
+        self.engine.set_enable_coverage(true);
+        self.coverage_enabled = true;
+    }
+
     /// Adds a policy file to the policy engine.
     /// A policy file is a `rego` file that contains the policies to be evaluated.
     ///
     /// # Arguments
     ///
     /// * `policy_path` - The path to the policy file.
-    pub fn add_policy<P: AsRef<Path>>(&mut self, policy_path: P) -> Result<(), Error> {
+    pub fn add_policy<P: AsRef<Path>>(&mut self, policy_path: P) -> Result<String, Error> {
         let policy_path_str = policy_path.as_ref().to_string_lossy().to_string();
 
-        self.engine
+        let policy_package = self
+            .engine
             .add_policy_from_file(policy_path)
             .map_err(|e| Error::InvalidPolicyFile {
                 file: policy_path_str.clone(),
                 error: e.to_string(),
             })
+            .inspect(|_| {
+                self.policy_package_count += 1;
+            })?;
+        // Add the policy package defined in the imported policy file.
+        // Nothing prevent multiple policy files to import the same policy package.
+        // All the rules will be combined and evaluated together.
+        _ = self.policy_packages.insert(policy_package.clone());
+        Ok(policy_package)
     }
 
     /// Adds all the policy files present in the given directory that match the
@@ -224,9 +247,16 @@
 
         handle_errors(errors)?;
 
+        self.policy_package_count += added_policy_count;
         Ok(added_policy_count)
     }
 
+    /// Returns the number of policy packages added to the policy engine.
+    #[must_use]
+    pub fn policy_package_count(&self) -> usize {
+        self.policy_package_count
+    }
+
     /// Adds a data document to the policy engine.
     ///
     /// Data versus Input: In essence, data is about what the policy engine
@@ -280,14 +310,39 @@
 
     /// Returns a list of violations based on the policies, the data, the
     /// input, and the given policy stage.
+    #[allow(clippy::print_stdout)] // Used to display the coverage (debugging purposes only)
     pub fn check(&mut self, stage: PolicyStage) -> Result<Vec<Violation>, Error> {
+        // If we don't have any policy package that matches the stage,
+        // return an empty list of violations.
+        if !self.policy_packages.contains(&format!("data.{}", stage)) {
+            return Ok(vec![]);
+        }
+
         let value = self
             .engine
             .eval_rule(format!("data.{}.deny", stage))
             .map_err(|e| Error::ViolationEvaluationError {
                 error: e.to_string(),
             })?;
 
+        // Print the coverage report if enabled
+        // This is useful for debugging purposes
+        if self.coverage_enabled {
+            let report =
+                self.engine
+                    .get_coverage_report()
+                    .map_err(|e| Error::ViolationEvaluationError {
+                        error: e.to_string(),
+                    })?;
+            let pretty_report =
+                report
+                    .to_string_pretty()
+                    .map_err(|e| Error::ViolationEvaluationError {
+                        error: e.to_string(),
+                    })?;
+            println!("{}", pretty_report);
+        }
+
         // convert `regorus` value to `serde_json` value
         let json_value = to_value(&value).map_err(|e| Error::ViolationEvaluationError {
             error: e.to_string(),
@@ -317,7 +372,8 @@
     #[test]
     fn test_policy() -> Result<(), Box<dyn std::error::Error>> {
         let mut engine = Engine::new();
-        engine.add_policy("data/policies/otel_policies.rego")?;
+        let policy_package = engine.add_policy("data/policies/otel_policies.rego")?;
+        assert_eq!(policy_package, "data.before_resolution");
 
         let old_semconv = std::fs::read_to_string("data/registries/registry.network.old.yaml")?;
         let old_semconv: Value = serde_yaml::from_str(&old_semconv)?;
@@ -378,7 +434,7 @@
     #[test]
     fn test_invalid_violation_object() {
         let mut engine = Engine::new();
-        engine
+        _ = engine
             .add_policy("data/policies/invalid_violation_object.rego")
             .unwrap();
 

@@ -0,0 +1,21 @@
+package after_resolution
+
+# Example of rules that will be applied on resolved semconv files
+
+# Detect `http.request.method` attribute and consider it invalid.
+# This is just an example for testing purposes.
+deny[invalid_attr_violation("invalid_http_attr", group.id, attr.name)] {
+    group := input.groups[_]
+    attr := group.attributes[_]
+    attr.name == "http.request.method"
+}
+
+invalid_attr_violation(violation_id, group_id, attr_id) = violation {
+    violation := {
+        "id": violation_id,
+        "type": "semconv_attribute",
+        "category": "attrigute",
+        "group": group_id,
+        "attr": attr_id,
+    }
+}
@@ -0,0 +1,21 @@
+package after_resolution
+
+# Example of rules that will be applied on resolved semconv files
+
+# Detect `system.cpu.logical_number` attribute and consider it invalid.
+# This is just an example for testing purposes.
+deny[invalid_attr_violation("invalid_metric_attr", group.id, attr.name)] {
+    group := input.groups[_]
+    attr := group.attributes[_]
+    attr.name == "system.cpu.logical_number"
+}
+
+invalid_attr_violation(violation_id, group_id, attr_id) = violation {
+    violation := {
+        "id": violation_id,
+        "type": "semconv_attribute",
+        "category": "attrigute",
+        "group": group_id,
+        "attr": attr_id,
+    }
+}
@@ -39,7 +39,7 @@
 }
 
 /// A generic and serializable representation of a diagnostic message
-#[derive(Debug, serde::Serialize)]
+#[derive(Debug, serde::Serialize, Clone)]
 pub struct DiagnosticMessage {
     /// The error
     pub(crate) error: serde_json::Value,
@@ -48,7 +48,7 @@
 }
 
 /// A list of diagnostic messages
-#[derive(Debug, serde::Serialize)]
+#[derive(Debug, serde::Serialize, Clone)]
 #[serde(transparent)]
 pub struct DiagnosticMessages(Vec<DiagnosticMessage>);
 
@@ -86,6 +86,18 @@
         Self(diag_msgs)
     }
 
+    /// Creates an empty list of diagnostic messages
+    #[must_use]
+    pub fn empty() -> Self {
+        Self(Vec::new())
+    }
+
+    /// Extends the current `DiagnosticMessages` with the provided
+    /// `DiagnosticMessages`.
+    pub fn extend(&mut self, diag_msgs: DiagnosticMessages) {
+        self.0.extend(diag_msgs.0);
+    }
+
     /// Logs all the diagnostic messages
     pub fn log(&self, logger: impl Logger) {
         self.0
@@ -139,6 +151,43 @@
     }
 }
 
+/// An extension trait for `Result` that captures the diagnostic messages
+pub trait ResultExt<T, E> {
+    /// Captures the diagnostic messages into the provided `DiagnosticMessages`
+    /// or returns the value if there are no diagnostic messages.
+    fn capture_diag_msgs_into(self, diags: &mut DiagnosticMessages) -> Option<T>;
+
+    /// Combines the diagnostic messages with the provided `DiagnosticMessages`
+    /// and returns the `ok` value or the combined `DiagnosticMessages`.
+    fn combine_diag_msgs_with(self, diags: &DiagnosticMessages) -> Result<T, DiagnosticMessages>;
+}
+
+impl<T, E> ResultExt<T, E> for Result<T, E>
+where
+    E: Into<DiagnosticMessages>,
+{
+    fn capture_diag_msgs_into(self, diags: &mut DiagnosticMessages) -> Option<T> {
+        match self {
+            Ok(v) => Some(v),
+            Err(diag_msgs) => {
+                diags.extend(diag_msgs.into());
+                None
+            }
+        }
+    }
+
+    fn combine_diag_msgs_with(self, diags: &DiagnosticMessages) -> Result<T, DiagnosticMessages> {
+        match self {
+            Ok(v) => Ok(v),
+            Err(errs) => {
+                let mut diag_msgs: DiagnosticMessages = errs.into();
+                diag_msgs.extend(diags.clone());
+                Err(diag_msgs)
+            }
+        }
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;

@@ -2,6 +2,8 @@
 
 //! Semantic convention registry path.
 
+use std::fmt::{Display, Formatter};
+
 use serde::{Deserialize, Serialize};
 
 /// A semantic convention registry path.
@@ -23,3 +25,16 @@
         path: Option<String>,
     },
 }
+
+impl Display for RegistryPath {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        let path = match self {
+            RegistryPath::Local { path_pattern } => format!("LocalRegistry:{}", path_pattern),
+            RegistryPath::GitUrl { git_url, path } => match path {
+                Some(path) => format!("GitRegistry:{}/{:?}", git_url, path),
+                None => format!("GitRegistry:{}", git_url),
+            },
+        };
+        f.write_str(&path)
+    }
+}