eric/onix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Policy Enforcer Configuration Keys

Browse Source 
- Changed configuration key from `policyDir` to `policyPaths` across multiple YAML files and related code to standardize the naming convention.
- Updated documentation to reflect the new key name and its usage for specifying local directories containing `.rego` policy files.
- Adjusted tests to ensure compatibility with the updated configuration structure.
This commit is contained in:
Ayush Rawat
2026-03-03 15:02:04 +05:30
parent e22b79e137
commit a806af3228
9 changed files with 41 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
config/local-beckn-one-bap.yaml
View File

@@ -89,7 +89,7 @@ modules:
policyEnforcer:
id: policyenforcer
config:
policyDir: "./policies"
policyPaths: "./policies"
middleware:
- id: reqpreprocessor
config:

2
config/local-beckn-one-bpp.yaml
View File

@@ -87,7 +87,7 @@ modules:
policyEnforcer:
id: policyenforcer
config:
policyDir: "./policies"
policyPaths: "./policies"
steps:
- validateSign
- policyEnforcer

4
config/local-simple.yaml
View File

@@ -69,7 +69,7 @@ modules:
policyEnforcer:
id: policyenforcer
config:
policyDir: "./policies"
policyPaths: "./policies"
middleware:
- id: reqpreprocessor
config:
@@ -170,7 +170,7 @@ modules:
policyEnforcer:
id: policyenforcer
config:
policyDir: "./policies"
policyPaths: "./policies"
steps:
- validateSign
- policyEnforcer

8
config/onix/adapter.yaml
View File

@@ -51,7 +51,7 @@ modules:
policyEnforcer:
id: policyenforcer
config:
policyDir: "./policies"
policyPaths: "./policies"
signValidator:
id: signvalidator
publisher:
@@ -106,7 +106,7 @@ modules:
policyEnforcer:
id: policyenforcer
config:
policyDir: "./policies"
policyPaths: "./policies"
signer:
id: signer
publisher:
@@ -162,7 +162,7 @@ modules:
policyEnforcer:
id: policyenforcer
config:
policyDir: "./policies"
policyPaths: "./policies"
signValidator:
id: signvalidator
publisher:
@@ -217,7 +217,7 @@ modules:
policyEnforcer:
id: policyenforcer
config:
policyDir: "./policies"
policyPaths: "./policies"
signer:
id: signer
publisher:

2
pkg/plugin/implementation/policyenforcer/README.md
View File

@@ -18,7 +18,7 @@ All config keys are passed via `map[string]string` in the adapter YAML config.
| Key | Required | Default | Description |
|-----|----------|---------|-------------|
| `policyUrls` | At least one of `policyUrls`, `policyDir`, or `policyFile` required | — | Comma-separated list of URLs, local file paths, or directory paths to `.rego` files |
| `policyDir` | | `./policies` | Local directory containing `.rego` files |
| `policyPaths` | | `./policies` | Local directory or path containing `.rego` files |
| `policyFile` | | — | Single local `.rego` file path |
| `query` | No | `data.policy.violations` | Rego query returning violation strings |
| `actions` | No | *(empty — all actions)* | Comma-separated beckn actions to enforce. When omitted, all actions are evaluated and the Rego policy itself decides which to gate. |

18
pkg/plugin/implementation/policyenforcer/config.go
View File

@@ -8,9 +8,9 @@ import (
// Config holds the configuration for the Policy Enforcer plugin.
type Config struct {
// PolicyDir is a local directory containing .rego policy files (all loaded).
// At least one policy source (PolicyDir, PolicyFile, or PolicyUrls) is required.
PolicyDir string
// PolicyPaths is a local directory containing .rego policy files (all loaded).
// At least one policy source (PolicyPaths, PolicyFile, or PolicyUrls) is required.
PolicyPaths string
// PolicyFile is a single local .rego file path.
PolicyFile string
@@ -42,7 +42,7 @@ type Config struct {
// Known config keys that are handled directly (not forwarded to RuntimeConfig).
var knownKeys = map[string]bool{
"policyDir": true,
"policyPaths": true,
"policyFile": true,
"policyUrls": true,
"query": true,
@@ -65,8 +65,8 @@ func DefaultConfig() *Config {
func ParseConfig(cfg map[string]string) (*Config, error) {
config := DefaultConfig()
if dir, ok := cfg["policyDir"]; ok && dir != "" {
config.PolicyDir = dir
if dir, ok := cfg["policyPaths"]; ok && dir != "" {
config.PolicyPaths = dir
}
if file, ok := cfg["policyFile"]; ok && file != "" {
config.PolicyFile = file
@@ -82,12 +82,12 @@ func ParseConfig(cfg map[string]string) (*Config, error) {
}
}
if config.PolicyDir == "" && config.PolicyFile == "" && len(config.PolicyUrls) == 0 {
if config.PolicyPaths == "" && config.PolicyFile == "" && len(config.PolicyUrls) == 0 {
// Fall back to the default ./policies directory if it exists on disk.
if info, err := os.Stat("./policies"); err == nil && info.IsDir() {
config.PolicyDir = "./policies"
config.PolicyPaths = "./policies"
} else {
return nil, fmt.Errorf("at least one policy source is required (policyDir, policyFile, or policyUrls)")
return nil, fmt.Errorf("at least one policy source is required (policyPaths, policyFile, or policyUrls)")
}
}

2
pkg/plugin/implementation/policyenforcer/enforcer.go
View File

@@ -24,7 +24,7 @@ func New(cfg map[string]string) (*PolicyEnforcer, error) {
return nil, fmt.Errorf("policyenforcer: config error: %w", err)
}
evaluator, err := NewEvaluator(config.PolicyDir, config.PolicyFile, config.PolicyUrls, config.Query, config.RuntimeConfig)
evaluator, err := NewEvaluator(config.PolicyPaths, config.PolicyFile, config.PolicyUrls, config.Query, config.RuntimeConfig)
if err != nil {
return nil, fmt.Errorf("policyenforcer: failed to initialize OPA evaluator: %w", err)
}

34
pkg/plugin/implementation/policyenforcer/enforcer_test.go
View File

@@ -37,12 +37,12 @@ func writePolicyDir(t *testing.T, filename, content string) string {
func TestParseConfig_RequiresPolicySource(t *testing.T) {
_, err := ParseConfig(map[string]string{})
if err == nil {
t.Fatal("expected error when no policyDir, policyFile, or policyUrls given")
t.Fatal("expected error when no policyPaths, policyFile, or policyUrls given")
}
}
func TestParseConfig_Defaults(t *testing.T) {
cfg, err := ParseConfig(map[string]string{"policyDir": "/tmp"})
cfg, err := ParseConfig(map[string]string{"policyPaths": "/tmp"})
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
@@ -59,7 +59,7 @@ func TestParseConfig_Defaults(t *testing.T) {
func TestParseConfig_RuntimeConfigForwarding(t *testing.T) {
cfg, err := ParseConfig(map[string]string{
"policyDir": "/tmp",
"policyPaths": "/tmp",
"minDeliveryLeadHours": "6",
"customParam": "value",
})
@@ -76,8 +76,8 @@ func TestParseConfig_RuntimeConfigForwarding(t *testing.T) {
func TestParseConfig_CustomActions(t *testing.T) {
cfg, err := ParseConfig(map[string]string{
"policyDir": "/tmp",
"actions": "confirm, select, init",
"policyPaths": "/tmp",
"actions": "confirm, select, init",
})
if err != nil {
t.Fatalf("unexpected error: %v", err)
@@ -380,9 +380,9 @@ violations contains "blocked" if { input.context.action == "confirm"; input.bloc
dir := writePolicyDir(t, "test.rego", policy)
enforcer, err := New(map[string]string{
"policyDir": dir,
"query": "data.policy.violations",
"actions": "confirm",
"policyPaths": dir,
"query": "data.policy.violations",
"actions": "confirm",
})
if err != nil {
t.Fatalf("New failed: %v", err)
@@ -404,9 +404,9 @@ violations contains "blocked" if { input.context.action == "confirm" }
dir := writePolicyDir(t, "test.rego", policy)
enforcer, err := New(map[string]string{
"policyDir": dir,
"query": "data.policy.violations",
"actions": "confirm",
"policyPaths": dir,
"query": "data.policy.violations",
"actions": "confirm",
})
if err != nil {
t.Fatalf("New failed: %v", err)
@@ -433,9 +433,9 @@ violations contains "blocked" if { true }
dir := writePolicyDir(t, "test.rego", policy)
enforcer, err := New(map[string]string{
"policyDir": dir,
"query": "data.policy.violations",
"actions": "confirm",
"policyPaths": dir,
"query": "data.policy.violations",
"actions": "confirm",
})
if err != nil {
t.Fatalf("New failed: %v", err)
@@ -458,9 +458,9 @@ violations contains "blocked" if { true }
dir := writePolicyDir(t, "test.rego", policy)
enforcer, err := New(map[string]string{
"policyDir": dir,
"query": "data.policy.violations",
"enabled": "false",
"policyPaths": dir,
"query": "data.policy.violations",
"enabled": "false",
})
if err != nil {
t.Fatalf("New failed: %v", err)

10
pkg/plugin/implementation/policyenforcer/evaluator.go
View File

@@ -40,14 +40,14 @@ const maxPolicySize = 1 << 20
// NewEvaluator creates an Evaluator by loading .rego files from local paths
// and/or URLs, then compiling them. runtimeConfig is passed to Rego as data.config.
func NewEvaluator(policyDir, policyFile string, policyUrls []string, query string, runtimeConfig map[string]string) (*Evaluator, error) {
func NewEvaluator(policyPaths, policyFile string, policyUrls []string, query string, runtimeConfig map[string]string) (*Evaluator, error) {
modules := make(map[string]string)
// Load from local directory
if policyDir != "" {
entries, err := os.ReadDir(policyDir)
if policyPaths != "" {
entries, err := os.ReadDir(policyPaths)
if err != nil {
return nil, fmt.Errorf("failed to read policy directory %s: %w", policyDir, err)
return nil, fmt.Errorf("failed to read policy directory %s: %w", policyPaths, err)
}
for _, entry := range entries {
if entry.IsDir() {
@@ -60,7 +60,7 @@ func NewEvaluator(policyDir, policyFile string, policyUrls []string, query strin
if strings.HasSuffix(entry.Name(), "_test.rego") {
continue
}
fpath := filepath.Join(policyDir, entry.Name())
fpath := filepath.Join(policyPaths, entry.Name())
data, err := os.ReadFile(fpath)
if err != nil {
return nil, fmt.Errorf("failed to read policy file %s: %w", fpath, err)