feat(core): programmatic setting of authz policy #6666
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: 'Checks' | |
env: | |
IS_RELEASE_BRANCH: ${{ startsWith(github.head_ref, 'release-please-') }} | |
on: | |
pull_request: | |
types: | |
- opened | |
- synchronize | |
- reopened | |
push: | |
branches: | |
- main | |
merge_group: | |
branches: | |
- main | |
types: | |
- checks_requested | |
workflow_call: | |
jobs: | |
go: | |
runs-on: ubuntu-22.04 | |
permissions: | |
checks: write | |
contents: read | |
pull-requests: read | |
strategy: | |
matrix: | |
directory: | |
- examples | |
- sdk | |
- service | |
- lib/ocrypto | |
- lib/fixtures | |
- lib/flattening | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
with: | |
fetch-depth: 0 | |
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 | |
with: | |
go-version-file: 'service/go.mod' | |
check-latest: false | |
cache-dependency-path: | | |
examples/go.sum | |
protocol/go/go.sum | |
sdk/go.sum | |
service/go.sum | |
- if: env.IS_RELEASE_BRANCH == 'true' | |
name: prevent depending on unreleased upstream changes | |
run: ./.github/scripts/work-init.sh | |
- if: github.head_ref == format('release-please--branches--main--components--{0}', matrix.directory) | |
name: prevent tagging with replace directives | |
run: go mod edit --json | jq -e '.Replace | not' | |
working-directory: ${{ matrix.directory }} | |
- run: go mod download | |
working-directory: ${{ matrix.directory }} | |
- run: go mod verify | |
working-directory: ${{ matrix.directory }} | |
- run: go work use . | |
if: env.IS_RELEASE_BRANCH == 'true' | |
working-directory: ${{ matrix.directory }} | |
- name: golangci-lint | |
uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 | |
with: | |
version: v1.61 | |
working-directory: ${{ matrix.directory }} | |
skip-cache: true | |
args: --out-format=colored-line-number | |
- if: matrix.directory == 'service' | |
run: .github/scripts/init-temp-keys.sh | |
- run: go test ./... -short | |
working-directory: ${{ matrix.directory }} | |
- if: matrix.directory == 'service' | |
run: go test ./service/integration -race -failfast | |
- name: check go fmt and go mod tidy | |
run: |- | |
go mod tidy | |
go fmt ./... | |
git restore go.sum "${GITHUB_WORKSPACE}/go.work.sum" | |
working-directory: ${{ matrix.directory }} | |
- run: git diff | |
- run: git diff-files --ignore-submodules | |
- name: Check that files have been formatted before PR submission; see above for error details | |
run: git diff-files --quiet --ignore-submodules | |
if: env.IS_RELEASE_BRANCH == 'false' | |
integration: | |
name: integration tests | |
runs-on: ubuntu-22.04 | |
env: | |
TLS_ENABLED: "true" | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 | |
with: | |
go-version-file: 'service/go.mod' | |
check-latest: false | |
cache-dependency-path: | | |
service/go.sum | |
examples/go.sum | |
protocol/go/go.sum | |
sdk/go.sum | |
- if: env.IS_RELEASE_BRANCH == 'true' | |
run: ./.github/scripts/work-init.sh | |
- run: go mod download | |
- run: go mod verify | |
- name: Install mkcert | |
run: | | |
sudo apt-get install -y libnss3-tools | |
curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64" | |
chmod +x mkcert-v*-linux-amd64 | |
sudo cp mkcert-v*-linux-amd64 /usr/local/bin/mkcert | |
- run: | | |
.github/scripts/init-temp-keys.sh | |
mkcert -install | |
mkcert -cert-file ./keys/platform.crt -key-file ./keys/platform-key.pem localhost | |
cp opentdf-dev.yaml opentdf.yaml | |
yq eval '.server.tls.enabled = true' -i opentdf.yaml | |
- name: Added Trusted Certs | |
run: | | |
sudo chmod -R 777 ./keys | |
sudo apt-get install -y ca-certificates | |
sudo cp ./keys/localhost.crt /usr/local/share/ca-certificates | |
sudo update-ca-certificates | |
- run: docker compose up -d --wait --wait-timeout 240 || (docker compose logs && exit 1) | |
- run: go run ./service provision keycloak | |
- run: go run ./service provision fixtures | |
- uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635 | |
name: start server in background | |
with: | |
run: > | |
go build -o opentdf -v service/main.go | |
&& .github/scripts/watch.sh opentdf.yaml ./opentdf start | |
wait-on: | | |
tcp:localhost:8080 | |
log-output-if: true | |
wait-for: 90s | |
- run: go install github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.8.9 | |
- name: Setup Bats and bats libs | |
uses: bats-core/bats-action@3.0.0 | |
- run: test/service-start.bats | |
- run: test/tdf-roundtrips.bats | |
- run: test/policy-service.bats | |
- name: create roundtrip test data and run tests | |
run: go test ./service/rttests -v | |
- name: enable static entitlements rego policy | |
run: yq eval '.services.authorization.rego.path = "./test/rego/static-entitlements.rego"' -i opentdf.yaml | |
- run: sleep 30 | |
- name: validate static rego policy | |
run: test/rego/static-entitlements.bats | |
- name: enable custom entity rego policy | |
run: yq eval '.services.authorization.rego.path = "./test/rego/custom-entity.rego"' -i opentdf.yaml | |
- run: sleep 30 | |
- name: validate custom entity rego policy | |
run: test/rego/custom-entity.bats | |
image: | |
name: image build | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
- uses: docker/setup-buildx-action@v3 | |
- uses: docker/build-push-action@v6.3.0 | |
with: | |
context: . | |
file: ./Dockerfile | |
push: false | |
platform-xtest: | |
uses: opentdf/tests/.github/workflows/xtest.yml@main | |
with: | |
# use commit instead of ref so we can "go get" specific sdk version | |
platform-ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
# test latest otdfctl CLI 'main' against platform PR branch | |
otdfctl-test: | |
name: otdfctl e2e tests | |
runs-on: ubuntu-latest | |
steps: | |
- uses: opentdf/platform/test/start-up-with-containers@main | |
with: | |
platform-ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
- uses: opentdf/otdfctl/e2e@main | |
with: | |
otdfctl-ref: 'main' | |
buflint: | |
name: Protocol Buffer Lint and Gencode Up-to-date check | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
- uses: bufbuild/buf-setup-action@62ee92603c244ad0da98bab36a834a999a5329e6 | |
with: | |
github_token: ${{ github.token }} | |
- uses: bufbuild/buf-lint-action@06f9dd823d873146471cfaaf108a993fe00e5325 | |
with: | |
input: service | |
- uses: bufbuild/buf-breaking-action@c57b3d842a5c3f3b454756ef65305a50a587c5ba | |
with: | |
input: service | |
against: 'https://github.com/opentdf/platform.git#branch=main,subdir=service' | |
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 | |
with: | |
go-version-file: 'service/go.mod' | |
check-latest: false | |
cache-dependency-path: | | |
service/go.sum | |
protocol/go/go.sum | |
sdk/go.sum | |
examples/go.sum | |
- run: cd service && go get github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc | |
- run: cd service && go install github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc | |
- run: make proto-generate | |
- name: Restore go.mod after installing protoc-gen-doc | |
run: git restore {service,protocol/go}/go.{mod,sum} | |
- name: validate go mod tidy | |
run: |- | |
cd protocol/go | |
go mod tidy | |
git restore go.sum "${GITHUB_WORKSPACE}/go.work.sum" | |
- run: git diff | |
- run: git diff-files --ignore-submodules | |
- name: Check that make proto-generate has run before PR submission; see above for error details | |
run: git diff-files --quiet --ignore-submodules | |
ci: | |
needs: | |
- buflint | |
- go | |
- image | |
- integration | |
- license | |
- platform-xtest | |
- otdfctl-test | |
runs-on: ubuntu-22.04 | |
if: ${{ !cancelled() }} | |
steps: | |
- if: contains(needs.*.result, 'failure') | |
run: echo "Failed due to ${{ contains(needs.*.result, 'failure') }}" && exit 1 | |
license: | |
name: license check | |
runs-on: ubuntu-22.04 | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 | |
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 | |
with: | |
go-version-file: 'service/go.mod' | |
check-latest: false | |
cache: false | |
- name: install go-licenses | |
run: go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e | |
- name: check service licenses | |
run: > | |
go-licenses check --disallowed_types=forbidden --include_tests | |
./service | |
- name: check sdk licenses | |
run: > | |
go-licenses check --disallowed_types=forbidden --include_tests | |
./sdk | |
- name: check examples licenses | |
run: > | |
go-licenses check --disallowed_types=forbidden --include_tests | |
./examples |