EE Fix/support management repo policies (#1588)

* support management policy repo in EE

Author: motatoes

cli/cmd/digger/default.go

@@ -5,6 +5,7 @@ import (
 	"github.com/diggerhq/digger/cli/pkg/digger"
 	"github.com/diggerhq/digger/cli/pkg/drift"
 	"github.com/diggerhq/digger/cli/pkg/github"
+	"github.com/diggerhq/digger/cli/pkg/policy"
 	"github.com/diggerhq/digger/cli/pkg/usage"
 	comment_updater "github.com/diggerhq/digger/libs/comment_utils/summary"
 	dg_github "github.com/diggerhq/digger/libs/orchestrator/github"
@@ -23,7 +24,7 @@ var defaultCmd = &cobra.Command{
 		switch ci {
 		case digger.GitHub:
 			logLeader = os.Getenv("GITHUB_ACTOR")
-			github.GitHubCI(lock, PolicyChecker, BackendApi, ReportStrategy, dg_github.GithubServiceProviderBasic{}, comment_updater.CommentUpdaterProviderBasic{}, drift.DriftNotificationProviderBasic{})
+			github.GitHubCI(lock, policy.PolicyCheckerProviderBasic{}, BackendApi, ReportStrategy, dg_github.GithubServiceProviderBasic{}, comment_updater.CommentUpdaterProviderBasic{}, drift.DriftNotificationProviderBasic{})
 		case digger.None:
 			print("No CI detected.")
 			os.Exit(10)

cli/cmd/digger/root.go

@@ -6,7 +6,6 @@ import (
 	"github.com/diggerhq/digger/cli/pkg/bitbucket"
 	core_backend "github.com/diggerhq/digger/cli/pkg/core/backend"
 	core_policy "github.com/diggerhq/digger/cli/pkg/core/policy"
-	"github.com/diggerhq/digger/cli/pkg/policy"
 	"github.com/diggerhq/digger/cli/pkg/utils"
 	"github.com/diggerhq/digger/libs/comment_utils/reporting"
 	locking2 "github.com/diggerhq/digger/libs/locking"
@@ -90,9 +89,9 @@ func PreRun(cmd *cobra.Command, args []string) {
 
 	hostName := os.Getenv("DIGGER_HOSTNAME")
 	token := os.Getenv("DIGGER_TOKEN")
-	orgName := os.Getenv("DIGGER_ORGANISATION")
+	//orgName := os.Getenv("DIGGER_ORGANISATION")
 	BackendApi = backend.NewBackendApi(hostName, token)
-	PolicyChecker = policy.NewPolicyChecker(hostName, orgName, token)
+	//PolicyChecker = policy.NewPolicyChecker(hostName, orgName, token)
 
 	if os.Getenv("REPORTING_STRATEGY") == "comments_per_run" || os.Getenv("ACCUMULATE_PLANS") == "true" {
 		ReportStrategy = &reporting.CommentPerRunStrategy{

cli/pkg/core/policy/policy.go

@@ -18,6 +18,10 @@ type Checker interface {
 	CheckDriftPolicy(SCMOrganisation string, SCMrepository string, projectname string) (bool, error)
 }
 
+type PolicyCheckerProvider interface {
+	Get(hostname string, organisationName string, authToken string) (Checker, error)
+}
+
 type AccessPolicyContext struct {
 	SCMOrganisation  string
 	SCMrepository    string

cli/pkg/digger/digger.go

@@ -87,7 +87,7 @@ func RunJobs(jobs []orchestrator.Job, prService orchestrator.PullRequestService,
 			}
 
 			if !allowedToPerformCommand {
-				msg := reportPolicyError(job.ProjectName, job.RequestedBy, command, reporter)
+				msg := reportPolicyError(job.ProjectName, command, job.RequestedBy, reporter)
 				log.Printf("Skipping command ... %v for project %v", command, job.ProjectName)
 				log.Println(msg)
 				appliesPerProject[job.ProjectName] = false

cli/pkg/github/github.go

@@ -10,7 +10,6 @@ import (
 	"github.com/diggerhq/digger/cli/pkg/digger"
 	"github.com/diggerhq/digger/cli/pkg/drift"
 	github_models "github.com/diggerhq/digger/cli/pkg/github/models"
-	"github.com/diggerhq/digger/cli/pkg/policy"
 	"github.com/diggerhq/digger/cli/pkg/storage"
 	"github.com/diggerhq/digger/cli/pkg/usage"
 	"github.com/diggerhq/digger/cli/pkg/utils"
@@ -31,7 +30,7 @@ import (
 	"time"
 )
 
-func GitHubCI(lock core_locking.Lock, policyChecker core_policy.Checker, backendApi core_backend.Api, reportingStrategy reporting.ReportStrategy, githubServiceProvider dg_github.GithubServiceProvider, commentUpdaterProvider comment_updater.CommentUpdaterProvider, driftNotifcationProvider drift.DriftNotificationProvider) {
+func GitHubCI(lock core_locking.Lock, policyCheckerProvider core_policy.PolicyCheckerProvider, backendApi core_backend.Api, reportingStrategy reporting.ReportStrategy, githubServiceProvider dg_github.GithubServiceProvider, commentUpdaterProvider comment_updater.CommentUpdaterProvider, driftNotifcationProvider drift.DriftNotificationProvider) {
 	log.Printf("Using GitHub.\n")
 	githubActor := os.Getenv("GITHUB_ACTOR")
 	if githubActor != "" {
@@ -40,6 +39,12 @@ func GitHubCI(lock core_locking.Lock, policyChecker core_policy.Checker, backend
 		usage.SendUsageRecord("", "log", "non github initialisation")
 	}
 
+	// default policy checker for backwards compatability, will be overriden in orchestrator flow
+	hostName := os.Getenv("DIGGER_HOSTNAME")
+	token := os.Getenv("DIGGER_TOKEN")
+	orgName := os.Getenv("DIGGER_ORGANISATION")
+	var policyChecker, _ = policyCheckerProvider.Get(hostName, token, orgName)
+
 	ghToken := os.Getenv("GITHUB_TOKEN")
 	if ghToken == "" {
 		usage.ReportErrorAndExit(githubActor, "GITHUB_TOKEN is not defined", 1)
@@ -119,7 +124,8 @@ func GitHubCI(lock core_locking.Lock, policyChecker core_policy.Checker, backend
 		if jobSpec.BackendHostname != "" && jobSpec.BackendOrganisationName != "" && jobSpec.BackendJobToken != "" {
 			log.Printf("Found settings sent by backend in jobSpec string, overriding backendApi and policyCheckecd r. setting: (orgName: %v BackedHost: %v token: %v)", jobSpec.BackendOrganisationName, jobSpec.BackendHostname, "****")
 			backendApi = backend.NewBackendApi(jobSpec.BackendHostname, jobSpec.BackendJobToken)
-			policyChecker = policy.NewPolicyChecker(jobSpec.BackendHostname, jobSpec.BackendOrganisationName, jobSpec.BackendJobToken)
+			policyChecker, _ = policyCheckerProvider.Get(jobSpec.BackendHostname, jobSpec.BackendOrganisationName, jobSpec.BackendJobToken)
+
 		} else {
 			usage.ReportErrorAndExit(githubActor, fmt.Sprintf("Missing values from job spec: hostname, orgName, token: %v %v", jobSpec.BackendHostname, jobSpec.BackendOrganisationName), 4)
 		}

cli/pkg/policy/providers.go

@@ -0,0 +1,27 @@
+package policy
+
+import (
+	core_policy "github.com/diggerhq/digger/cli/pkg/core/policy"
+	"log"
+	"net/http"
+	"os"
+)
+
+type PolicyCheckerProviderBasic struct{}
+
+func (p PolicyCheckerProviderBasic) Get(hostname string, organisationName string, authToken string) (core_policy.Checker, error) {
+	var policyChecker core_policy.Checker
+	if os.Getenv("NO_BACKEND") == "true" {
+		log.Println("WARNING: running in 'backendless' mode. No policies will be supported.")
+		policyChecker = NoOpPolicyChecker{}
+	} else {
+		policyChecker = DiggerPolicyChecker{
+			PolicyProvider: &DiggerHttpPolicyProvider{
+				DiggerHost:         hostname,
+				DiggerOrganisation: organisationName,
+				AuthToken:          authToken,
+				HttpClient:         http.DefaultClient,
+			}}
+	}
+	return policyChecker, nil
+}

ee/cli/cmd/digger/default.go

@@ -8,6 +8,7 @@ import (
 	"github.com/diggerhq/digger/ee/cli/pkg/comment_updater"
 	"github.com/diggerhq/digger/ee/cli/pkg/drift"
 	github2 "github.com/diggerhq/digger/ee/cli/pkg/github"
+	"github.com/diggerhq/digger/ee/cli/pkg/policy"
 	"github.com/spf13/cobra"
 	"log"
 	"os"
@@ -23,7 +24,7 @@ var defaultCmd = &cobra.Command{
 		switch ci {
 		case digger.GitHub:
 			logLeader = os.Getenv("GITHUB_ACTOR")
-			github.GitHubCI(lock, PolicyChecker, BackendApi, ReportStrategy, github2.GithubServiceProviderAdvanced{}, comment_updater.CommentUpdaterProviderAdvanced{}, drift.DriftNotificationProviderAdvanced{})
+			github.GitHubCI(lock, policy.PolicyCheckerProviderAdvanced{}, BackendApi, ReportStrategy, github2.GithubServiceProviderAdvanced{}, comment_updater.CommentUpdaterProviderAdvanced{}, drift.DriftNotificationProviderAdvanced{})
 		case digger.None:
 			print("No CI detected.")
 			os.Exit(10)

ee/cli/cmd/digger/root.go

@@ -78,7 +78,6 @@ func (r *RunConfig) GetServices() (*orchestrator.PullRequestService, *orchestrat
 	return &prService, &orgService, &reporter, nil
 }
 
-var PolicyChecker core_policy.Checker
 var BackendApi core_backend.Api
 var ReportStrategy reporting.ReportStrategy
 var lock locking.Lock
@@ -87,9 +86,7 @@ func PreRun(cmd *cobra.Command, args []string) {
 
 	hostName := os.Getenv("DIGGER_HOSTNAME")
 	token := os.Getenv("DIGGER_TOKEN")
-	orgName := os.Getenv("DIGGER_ORGANISATION")
 	BackendApi = NewBackendApi(hostName, token)
-	PolicyChecker = NewPolicyChecker(hostName, orgName, token)
 
 	if os.Getenv("REPORTING_STRATEGY") == "comments_per_run" || os.Getenv("ACCUMULATE_PLANS") == "true" {
 		ReportStrategy = &reporting.CommentPerRunStrategy{

ee/cli/pkg/policy/policy.go

@@ -3,6 +3,7 @@ package policy
 import (
 	"fmt"
 	"github.com/diggerhq/digger/ee/cli/pkg/utils"
+	"log"
 	"os"
 	"path"
 )
@@ -30,19 +31,20 @@ func getContents(filePath string) (string, error) {
 	return string(contents), nil
 }
 
-func (p *DiggerRepoPolicyProvider) getPolicyFileContents(repo string, projectName string, fileName string) (string, error) {
+func (p DiggerRepoPolicyProvider) getPolicyFileContents(repo string, projectName string, fileName string) (string, error) {
 	var contents string
 	err := utils.CloneGitRepoAndDoAction(p.ManagementRepoUrl, "main", p.GitToken, func(basePath string) error {
 		orgAccesspath := path.Join(basePath, "policies", fileName)
 		repoAccesspath := path.Join(basePath, "policies", repo, fileName)
 		projectAccessPath := path.Join(basePath, "policies", repo, projectName, fileName)
 
+		log.Printf("loading repo orgAccess %v repoAccess %v projectAcces %v", orgAccesspath, repoAccesspath, projectAccessPath)
 		var err error
-		contents, err = getContents(orgAccesspath)
+		contents, err = getContents(projectAccessPath)
 		if os.IsNotExist(err) {
 			contents, err = getContents(repoAccesspath)
 			if os.IsNotExist(err) {
-				contents, err = getContents(projectAccessPath)
+				contents, err = getContents(orgAccesspath)
 				if os.IsNotExist(err) {
 					return nil
 				} else {
@@ -63,19 +65,19 @@ func (p *DiggerRepoPolicyProvider) getPolicyFileContents(repo string, projectNam
 }
 
 // GetPolicy fetches policy for particular project,  if not found then it will fallback to org level policy
-func (p *DiggerRepoPolicyProvider) GetAccessPolicy(organisation string, repo string, projectName string) (string, error) {
+func (p DiggerRepoPolicyProvider) GetAccessPolicy(organisation string, repo string, projectName string) (string, error) {
 	return p.getPolicyFileContents(repo, projectName, "access.rego")
 }
 
-func (p *DiggerRepoPolicyProvider) GetPlanPolicy(organisation string, repo string, projectName string) (string, error) {
+func (p DiggerRepoPolicyProvider) GetPlanPolicy(organisation string, repo string, projectName string) (string, error) {
 	return "", nil
 }
 
-func (p *DiggerRepoPolicyProvider) GetDriftPolicy() (string, error) {
+func (p DiggerRepoPolicyProvider) GetDriftPolicy() (string, error) {
 	return "", nil
 
 }
 
-func (p *DiggerRepoPolicyProvider) GetOrganisation() string {
+func (p DiggerRepoPolicyProvider) GetOrganisation() string {
 	return ""
 }

ee/cli/pkg/policy/providers.go

@@ -0,0 +1,27 @@
+package policy
+
+import (
+	"fmt"
+	core_policy "github.com/diggerhq/digger/cli/pkg/core/policy"
+	"github.com/diggerhq/digger/cli/pkg/policy"
+	"os"
+)
+
+type PolicyCheckerProviderAdvanced struct{}
+
+func (p PolicyCheckerProviderAdvanced) Get(hostname string, organisationName string, authToken string) (core_policy.Checker, error) {
+	managementRepo := os.Getenv("DIGGER_MANAGEMENT_REPO")
+	if managementRepo != "" {
+		token := os.Getenv("GITHUB_TOKEN")
+		if token == "" {
+			return nil, fmt.Errorf("failed to get managent repo policy provider: GITHUB_TOKEN not specified")
+		}
+		return policy.DiggerPolicyChecker{
+			PolicyProvider: DiggerRepoPolicyProvider{
+				ManagementRepoUrl: managementRepo,
+				GitToken:          token,
+			},
+		}, nil
+	}
+	return policy.PolicyCheckerProviderBasic{}.Get(hostname, organisationName, authToken)
+}