feat(policies): make material names templatable in groups (#1498)

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>

Author: jiparis

app/cli/internal/action/attestation_init.go

@@ -224,7 +224,10 @@ func enrichContractMaterials(ctx context.Context, schema *v1.CraftingSchema, cli
 		}
 		logger.Debug().Msgf("adding materials from policy group '%s'", group.GetMetadata().GetName())
 
-		toAdd := getGroupMaterialsToAdd(group, contractMaterials, logger)
+		toAdd, err := getGroupMaterialsToAdd(group, pgAtt, contractMaterials, logger)
+		if err != nil {
+			return err
+		}
 		contractMaterials = append(contractMaterials, toAdd...)
 	}
 
@@ -234,21 +237,48 @@ func enrichContractMaterials(ctx context.Context, schema *v1.CraftingSchema, cli
 }
 
 // merge existing materials with group ones, taking the contract's one in case of conflict
-func getGroupMaterialsToAdd(group *v1.PolicyGroup, fromContract []*v1.CraftingSchema_Material, logger *zerolog.Logger) []*v1.CraftingSchema_Material {
+func getGroupMaterialsToAdd(group *v1.PolicyGroup, pgAtt *v1.PolicyGroupAttachment, fromContract []*v1.CraftingSchema_Material, logger *zerolog.Logger) ([]*v1.CraftingSchema_Material, error) {
 	toAdd := make([]*v1.CraftingSchema_Material, 0)
 	for _, groupMaterial := range group.GetSpec().GetPolicies().GetMaterials() {
+		// apply bindings if needed
+		csm, err := groupMaterialToCraftingSchemaMaterial(groupMaterial, group, pgAtt, logger)
+		if err != nil {
+			return nil, err
+		}
+
 		// check if material already exists in the contract and skip it in that case
 		ignore := false
 		for _, mat := range fromContract {
-			if mat.GetName() == groupMaterial.GetName() {
+			if mat.GetName() == csm.GetName() {
 				logger.Warn().Msgf("material '%s' from policy group '%s' is also present in the contract and will be ignored", mat.GetName(), group.GetMetadata().GetName())
 				ignore = true
 			}
 		}
 		if !ignore {
-			toAdd = append(toAdd, groupMaterial)
+			toAdd = append(toAdd, csm)
 		}
 	}
 
-	return toAdd
+	return toAdd, nil
+}
+
+// translates materials and interpolates material names
+func groupMaterialToCraftingSchemaMaterial(gm *v1.PolicyGroup_Material, group *v1.PolicyGroup, pgAtt *v1.PolicyGroupAttachment, logger *zerolog.Logger) (*v1.CraftingSchema_Material, error) {
+	// Validates and computes arguments
+	args, err := policies.ComputeArguments(group.GetSpec().GetInputs(), pgAtt.GetWith(), nil, logger)
+	if err != nil {
+		return nil, err
+	}
+
+	// Apply arguments as interpolations for materials
+	gm, err = policies.InterpolateGroupMaterial(gm, args)
+	if err != nil {
+		return nil, err
+	}
+
+	return &v1.CraftingSchema_Material{
+		Type:     gm.Type,
+		Name:     gm.Name,
+		Optional: gm.Optional,
+	}, nil
 }

app/cli/internal/action/attestation_init_test.go

@@ -31,9 +31,9 @@ func TestEnrichMaterials(t *testing.T) {
 		name        string
 		materials   []*v1.CraftingSchema_Material
 		policyGroup string
+		args        map[string]string
 		expectErr   bool
 		nMaterials  int
-		nPolicies   int
 	}{
 		{
 			name: "existing material",
@@ -45,7 +45,6 @@ func TestEnrichMaterials(t *testing.T) {
 			},
 			policyGroup: "file://testdata/policy_group.yaml",
 			nMaterials:  2,
-			nPolicies:   0,
 		},
 		{
 			name: "new materials",
@@ -57,14 +56,12 @@ func TestEnrichMaterials(t *testing.T) {
 			},
 			policyGroup: "file://testdata/policy_group.yaml",
 			nMaterials:  3,
-			nPolicies:   1,
 		},
 		{
 			name:        "empty materials in schema",
 			materials:   []*v1.CraftingSchema_Material{},
 			policyGroup: "file://testdata/policy_group.yaml",
 			nMaterials:  2,
-			nPolicies:   1,
 		},
 		{
 			name:        "wrong policy group",
@@ -93,12 +90,77 @@ func TestEnrichMaterials(t *testing.T) {
 			}
 			require.NoError(t, err)
 			assert.Len(t, schema.Materials, tc.nMaterials)
-			// find "sbom" material and check it has proper policies
+			// find "sbom" material
 			if tc.nMaterials > 0 {
 				assert.True(t, slices.ContainsFunc(schema.Materials, func(m *v1.CraftingSchema_Material) bool {
-					return m.Name == "sbom" && len(m.Policies) == tc.nPolicies
+					return m.Name == "sbom"
 				}))
 			}
 		})
 	}
 }
+
+func TestTemplatedGroups(t *testing.T) {
+	cases := []struct {
+		name             string
+		materials        []*v1.CraftingSchema_Material
+		group            string
+		args             map[string]string
+		nMaterials       int
+		materialName     string
+		materialOptional bool
+	}{
+		{
+			name:         "interpolates material names, with defaults",
+			materials:    []*v1.CraftingSchema_Material{},
+			group:        "file://testdata/policy_group_with_arguments.yaml",
+			nMaterials:   1,
+			materialName: "sbom",
+		},
+		{
+			name:         "interpolates material names, custom material name",
+			materials:    []*v1.CraftingSchema_Material{},
+			group:        "file://testdata/policy_group_with_arguments.yaml",
+			args:         map[string]string{"sbom_name": "foo"},
+			nMaterials:   2,
+			materialName: "foo",
+		},
+		{
+			name: "interpolates material names, custom name, with material override",
+			materials: []*v1.CraftingSchema_Material{{
+				Type:     v1.CraftingSchema_Material_SBOM_SPDX_JSON,
+				Name:     "foo",
+				Optional: true,
+			},
+			},
+			group:            "file://testdata/policy_group_with_arguments.yaml",
+			args:             map[string]string{"sbom_name": "foo"},
+			nMaterials:       2,
+			materialName:     "foo",
+			materialOptional: true,
+		},
+	}
+
+	l := zerolog.Nop()
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			schema := v1.CraftingSchema{
+				Materials: tc.materials,
+				PolicyGroups: []*v1.PolicyGroupAttachment{
+					{
+						Ref:  tc.group,
+						With: tc.args,
+					},
+					{
+						Ref: tc.group,
+					},
+				},
+			}
+			err := enrichContractMaterials(context.TODO(), &schema, nil, &l)
+			assert.NoError(t, err)
+			assert.Len(t, schema.Materials, tc.nMaterials)
+			assert.Equal(t, tc.materialName, schema.Materials[0].Name)
+			assert.Equal(t, tc.materialOptional, schema.Materials[0].Optional)
+		})
+	}
+}

app/cli/internal/action/testdata/policy_group_with_arguments.yaml

@@ -0,0 +1,17 @@
+apiVersion: workflowcontract.chainloop.dev/v1
+kind: PolicyGroup
+metadata:
+  name: sbom-quality
+  description: This policy group applies a number of SBOM-related policies
+  annotations:
+    category: SBOM
+spec:
+  inputs:
+    - name: sbom_name
+      default: "sbom"
+  policies:
+    materials:
+      - name: "{{ inputs.sbom_name }}"
+        type: SBOM_SPDX_JSON
+        policies:
+          - ref: file://testdata/multi-kind.yaml