
Commit 378ca5b

authored
Merge pull request #1016 from jvanz/rename-url-field
fix!: renames "url" field into "module".
2 parents 323ee15 + 6847459 commit 378ca5b

7 files changed

+59
-59
lines changed

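--- a/README.md
+++ b/README.md
@@ -37,11 +37,11 @@ This is an example of the policies file:
 
 ```yml
 psp-apparmor:
-url: registry://ghcr.io/kubewarden/policies/psp-apparmor:v0.1.3
+module: registry://ghcr.io/kubewarden/policies/psp-apparmor:v0.1.3
 psp-capabilities:
-url: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
+module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.3
 namespace_simple:
-url: file:///tmp/namespace-validate-policy.wasm
+module: file:///tmp/namespace-validate-policy.wasm
 settings:
 valid_namespace: kubewarden-approved
 ```
@@ -98,22 +98,22 @@ This is an example of the policies file with a policy group:
 pod-image-signatures: # policy group
 policies:
 - name: sigstore_pgp
-url: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
+module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
 settings:
 signatures:
 - image: "*"
 pubKeys:
 - "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----"
 - "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----"
 - name: sigstore_gh_action
-url: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
+module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
 settings:
 signatures:
 - image: "*"
 githubActions:
 owner: "kubewarden"
 - name: reject_latest_tag
-url: ghcr.io/kubewarden/policies/trusted-repos-policy:v0.1.12
+module: ghcr.io/kubewarden/policies/trusted-repos-policy:v0.1.12
 settings:
 tags:
 reject:
@@ -133,7 +133,7 @@ that is allowed to access:
 strict-ingress-checks:
 policies:
 - name: unique_ingress
-url: ghcr.io/kubewarden/policies/cel-policy:latest
+module: ghcr.io/kubewarden/policies/cel-policy:latest
 contextAwareResources:
 - apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -154,13 +154,13 @@ strict-ingress-checks:
 !variables.knownHost.exists_one(hosts, sets.intersects(hosts, variables.desiredHosts))
 message: "Cannot reuse a host across multiple ingresses"
 - name: https_only
-url: ghcr.io/kubewarden/policies/ingress:latest
+module: ghcr.io/kubewarden/policies/ingress:latest
 settings:
 requireTLS: true
 allowPorts: [443]
 denyPorts: [80]
 - name: http_only
-url: ghcr.io/kubewarden/policies/ingress:latest
+module: ghcr.io/kubewarden/policies/ingress:latest
 settings:
 requireTLS: false
 allowPorts: [80]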

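--- a/policies.yml.example
+++ b/policies.yml.example
@@ -1,30 +1,30 @@
 psp-apparmor:
-url: registry://ghcr.io/kubewarden/policies/psp-apparmor:v0.1.7
+module: registry://ghcr.io/kubewarden/policies/psp-apparmor:v0.1.7
 psp-capabilities:
-url: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.7
+module: registry://ghcr.io/kubewarden/policies/psp-capabilities:v0.1.7
 allowedToMutate: true
 settings:
 allowed_capabilities: ["*"]
 required_drop_capabilities: ["KILL"]
 pod-image-signatures: # policy group
 policies:
 sigstore_pgp:
-url: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
+module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
 settings:
 signatures:
 - image: "*"
 pubKeys:
 - "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----"
 - "-----BEGIN PUBLIC KEY-----xxxxx-----END PUBLIC KEY-----"
 sigstore_gh_action:
-url: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
+module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.8
 settings:
 signatures:
 - image: "*"
 githubActions:
 owner: "kubewarden"
 reject_latest_tag:
-url: ghcr.io/kubewarden/policies/trusted-repos-policy:v0.1.12
+module: ghcr.io/kubewarden/policies/trusted-repos-policy:v0.1.12
 settings:
 tags:
 reject: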

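--- a/src/config.rs
+++ b/src/config.rs
@@ -318,7 +318,7 @@ pub enum PolicyOrPolicyGroupSettings {
 #[serde(deny_unknown_fields, rename_all = "camelCase")]
 pub struct PolicyGroupMember {
 /// Thge URL where the policy is located
-pub url: String,
+pub module: String,
 /// The settings for the policy
 pub settings: Option<HashMap<String, serde_yaml::Value>>,
 /// The list of Kubernetes resources the policy is allowed to access
@@ -341,7 +341,7 @@ pub enum PolicyOrPolicyGroup {
 #[serde(rename_all = "camelCase")]
 Policy {
 /// The URL where the policy is located
-url: String,
+module: String,
 #[serde(default)]
 /// The mode of the policy
 policy_mode: PolicyMode,
@@ -485,7 +485,7 @@ mod tests {
 let policies_yaml = r#"
 ---
 example:
-url: ghcr.io/kubewarden/policies/context-aware-policy:0.1.0
+module: ghcr.io/kubewarden/policies/context-aware-policy:0.1.0
 settings: {}
 allowedToMutate: true
 contextAwareResources:
@@ -499,10 +499,10 @@ group_policy:
 message: "group policy message"
 policies:
 policy1:
-url: ghcr.io/kubewarden/policies/policy1:0.1.0
+module: ghcr.io/kubewarden/policies/policy1:0.1.0
 settings: {}
 policy2:
-url: ghcr.io/kubewarden/policies/policy2:0.1.0
+module: ghcr.io/kubewarden/policies/policy2:0.1.0
 settings: {}
 "#;
 
@@ -516,7 +516,7 @@ group_policy:
 (
 "example".to_owned(),
 PolicyOrPolicyGroup::Policy {
-url: "ghcr.io/kubewarden/policies/context-aware-policy:0.1.0".to_owned(),
+module: "ghcr.io/kubewarden/policies/context-aware-policy:0.1.0".to_owned(),
 policy_mode: PolicyMode::Protect,
 allowed_to_mutate: Some(true),
 settings: Some(HashMap::new()),
@@ -542,15 +542,15 @@ group_policy:
 (
 "policy1".to_owned(),
 PolicyGroupMember {
-url: "ghcr.io/kubewarden/policies/policy1:0.1.0".to_owned(),
+module: "ghcr.io/kubewarden/policies/policy1:0.1.0".to_owned(),
 settings: Some(HashMap::new()),
 context_aware_resources: BTreeSet::new(),
 },
 ),
 (
 "policy2".to_string(),
 PolicyGroupMember {
-url: "ghcr.io/kubewarden/policies/policy2:0.1.0".to_owned(),
+module: "ghcr.io/kubewarden/policies/policy2:0.1.0".to_owned(),
 settings: Some(HashMap::new()),
 context_aware_resources: BTreeSet::new(),
 },
@@ -568,30 +568,30 @@ group_policy:
 r#"
 ---
 example:
-url: file:///tmp/namespace-validate-policy.wasm
+module: file:///tmp/namespace-validate-policy.wasm
 settings: {}
 "#, json!({})
 )]
 #[case::settings_missing(
 r#"
 ---
 example:
-url: file:///tmp/namespace-validate-policy.wasm
+module: file:///tmp/namespace-validate-policy.wasm
 "#, json!({})
 )]
 #[case::settings_null(
 r#"
 ---
 example:
-url: file:///tmp/namespace-validate-policy.wasm
+module: file:///tmp/namespace-validate-policy.wasm
 settings: null
 "#, json!({})
 )]
 #[case::settings_provided(
 r#"
 ---
 example:
-url: file:///tmp/namespace-validate-policy.wasm
+module: file:///tmp/namespace-validate-policy.wasm
 settings:
 "counter": 1
 "items": ["a", "b"]
@@ -617,7 +617,7 @@ example:
 let policies_yaml = r#"
 ---
 example:
-url: file:///tmp/namespace-validate-policy.wasm
+module: file:///tmp/namespace-validate-policy.wasm
 settings: {}
 "#;
 let mut temp_file = NamedTempFile::new().unwrap();
@@ -654,17 +654,17 @@ example:
 r#"
 ---
 example:
-url: file:///tmp/namespace-validate-policy.wasm
+module: file:///tmp/namespace-validate-policy.wasm
 settings: {}
 group_policy:
 expression: "true"
 message: "group policy message"
 policies:
 policy1:
-url: file:///tmp/namespace-validate-policy.wasm
+module: file:///tmp/namespace-validate-policy.wasm
 settings: {}
 policy2:
-url: file:///tmp/namespace-validate-policy.wasm
+module: file:///tmp/namespace-validate-policy.wasm
 settings: {}
 "#,
 true
@@ -673,7 +673,7 @@ group_policy:
 r#"
 ---
 example/invalid:
-url: file:///tmp/namespace-validate-policy.wasm
+module: file:///tmp/namespace-validate-policy.wasm
 settings: {}
 "#,
 false
@@ -682,17 +682,17 @@ example/invalid:
 r#"
 ---
 example:
-url: file:///tmp/namespace-validate-policy.wasm
+module: file:///tmp/namespace-validate-policy.wasm
 settings: {}
 group_policy:
 expression: "true"
 message: "group policy message"
 policies:
 policy1/a:
-url: file:///tmp/namespace-validate-policy.wasm
+module: file:///tmp/namespace-validate-policy.wasm
 settings: {}
 policy2:
-url: file:///tmp/namespace-validate-policy.wasm
+module: file:///tmp/namespace-validate-policy.wasm
 settings: {}
 "#,
 false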
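Review bot: The doc comments on both renamed fields still describe a URL (`/// Thge URL where the policy is located` on `PolicyGroupMember`, with a typo, and `/// The URL where the policy is located` on `PolicyOrPolicyGroup::Policy`), so the generated docs now contradict the field name. Something like `/// Location of the policy module: a registry://, file:// or bare OCI reference` would match the forms used in the test fixtures. Separately, none of the visible test cases feeds a policies file that still uses the old `url` key, so the rejection path for pre-rename configurations is not pinned. A negative case asserting that such a file fails to parse would document the breaking change and guard against a policy being skipped silently after an upgrade. Both type definitions and `mod tests` extend beyond the hunks shown.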

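--- a/src/evaluation/evaluation_environment.rs
+++ b/src/evaluation/evaluation_environment.rs
@@ -214,7 +214,7 @@ impl<'engine, 'precompiled_policies> EvaluationEnvironmentBuilder<'engine, 'prec
 
 match policy {
 PolicyOrPolicyGroup::Policy {
-url,
+module: url,
 policy_mode,
 allowed_to_mutate,
 context_aware_resources,
@@ -297,7 +297,7 @@ impl<'engine, 'precompiled_policies> EvaluationEnvironmentBuilder<'engine, 'prec
 if let Err(e) = self.bootstrap_policy(
 &mut eval_env,
 policy_id.clone(),
-&policy.url,
+&policy.module,
 policy_evaluation_settings,
 eval_ctx,
 ) {
@@ -820,7 +820,7 @@ mod tests {
 policies.insert(
 policy_id.to_string(),
 PolicyOrPolicyGroup::Policy {
-url: policy_url.clone(),
+module: policy_url.clone(),
 policy_mode: PolicyMode::Protect,
 allowed_to_mutate: None,
 settings: None,
@@ -838,7 +838,7 @@ mod tests {
 policies: vec![(
 "happy_policy_1".to_string(),
 PolicyGroupMember {
-url: "file:///tmp/happy_policy_1.wasm".to_string(),
+module: "file:///tmp/happy_policy_1.wasm".to_string(),
 settings: None,
 context_aware_resources: BTreeSet::new(),
 },
@@ -865,7 +865,7 @@ mod tests {
 policies: vec![(
 "happy_policy_1".to_string(),
 PolicyGroupMember {
-url: "file:///tmp/happy_policy_1.wasm".to_string(),
+module: "file:///tmp/happy_policy_1.wasm".to_string(),
 settings: None,
 context_aware_resources: BTreeSet::new(),
 },
@@ -902,7 +902,7 @@ mod tests {
 policies: vec![(
 "happy_policy_1".to_string(),
 PolicyGroupMember {
-url: "file:///tmp/happy_policy_1.wasm".to_string(),
+module: "file:///tmp/happy_policy_1.wasm".to_string(),
 settings: None,
 context_aware_resources: BTreeSet::new(),
 },
@@ -921,23 +921,23 @@ mod tests {
 (
 "happy_policy_1".to_string(),
 PolicyGroupMember {
-url: "file:///tmp/happy_policy_1.wasm".to_string(),
+module: "file:///tmp/happy_policy_1.wasm".to_string(),
 settings: None,
 context_aware_resources: BTreeSet::new(),
 },
 ),
 (
 "unhappy_policy_1".to_string(),
 PolicyGroupMember {
-url: "file:///tmp/unhappy_policy_1.wasm".to_string(),
+module: "file:///tmp/unhappy_policy_1.wasm".to_string(),
 settings: None,
 context_aware_resources: BTreeSet::new(),
 },
 ),
 (
 "unhappy_policy_2".to_string(),
 PolicyGroupMember {
-url: "file:///tmp/unhappy_policy_1.wasm".to_string(),
+module: "file:///tmp/unhappy_policy_1.wasm".to_string(),
 settings: None,
 context_aware_resources: BTreeSet::new(),
 },
@@ -959,23 +959,23 @@ mod tests {
 (
 "happy_policy_1".to_string(),
 PolicyGroupMember {
-url: "file:///tmp/happy_policy_1.wasm".to_string(),
+module: "file:///tmp/happy_policy_1.wasm".to_string(),
 settings: None,
 context_aware_resources: BTreeSet::new(),
 },
 ),
 (
 "unhappy_policy_1".to_string(),
 PolicyGroupMember {
-url: "file:///tmp/unhappy_policy_1.wasm".to_string(),
+module: "file:///tmp/unhappy_policy_1.wasm".to_string(),
 settings: None,
 context_aware_resources: BTreeSet::new(),
 },
 ),
 (
 "unhappy_policy_2".to_string(),
 PolicyGroupMember {
-url: "file:///tmp/unhappy_policy_1.wasm".to_string(),
+module: "file:///tmp/unhappy_policy_1.wasm".to_string(),
 settings: None,
 context_aware_resources: BTreeSet::new(),
 },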