-
Notifications
You must be signed in to change notification settings - Fork 232
/
policy.go
356 lines (295 loc) · 11.4 KB
/
policy.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
package policy
import (
"bytes"
"encoding/json"
"fmt"
"net/http"
"net/url"
"strconv"
"strings"
"time"
"github.com/CircleCI-Public/circleci-cli/api/header"
"github.com/CircleCI-Public/circleci-cli/settings"
"github.com/CircleCI-Public/circleci-cli/version"
)
// Policy-service endpoints documentation : https://github.com/circleci/policy-service/blob/main/cmd/server/openapi.yaml
// Client communicates with the CircleCI policy-service to ask questions
// about policies. It satisfies policy.ClientInterface.
type Client struct {
serverUrl string
client *http.Client
}
// httpError represents error response json payload as sent by the policy-server: internal/error.go
type httpError struct {
Error string `json:"error"`
Context map[string]interface{} `json:"context,omitempty"`
}
// ListPolicies calls the view policy-service list policy API
func (c Client) ListPolicies(ownerID string) (interface{}, error) {
req, err := http.NewRequest("GET", fmt.Sprintf("%s/api/v1/owner/%s/policy", c.serverUrl, ownerID), nil)
if err != nil {
return nil, fmt.Errorf("failed to construct request: %v", err)
}
resp, err := c.client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
var payload httpError
if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
return nil, fmt.Errorf("unexpected status-code: %d", resp.StatusCode)
}
return nil, fmt.Errorf("unexpected status-code: %d - %s", resp.StatusCode, payload.Error)
}
var body interface{}
if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
return nil, fmt.Errorf("failed to decode response body: %v", err)
}
return body, nil
}
// Creation types taken from policy-service: internal/policy/api.go
// CreationRequest represents the json payload to create a Policy in the Policy-Service
type CreationRequest struct {
Name string `json:"name"`
Context string `json:"context"`
Content string `json:"content"`
}
// CreatePolicy call the Create Policy API in the Policy-Service. It creates a policy for the specified owner and returns the created
// policy response as an interface{}.
func (c Client) CreatePolicy(ownerID string, policy CreationRequest) (interface{}, error) {
data, err := json.Marshal(policy)
if err != nil {
return nil, fmt.Errorf("failed to encode policy payload: %w", err)
}
req, err := http.NewRequest(http.MethodPost, fmt.Sprintf("%s/api/v1/owner/%s/policy", c.serverUrl, ownerID), bytes.NewReader(data))
if err != nil {
return nil, fmt.Errorf("failed to construct request: %v", err)
}
req.Header.Set("Content-Length", strconv.Itoa(len(data)))
resp, err := c.client.Do(req)
if err != nil {
return nil, fmt.Errorf("failed to get response from policy-service: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusCreated {
var response httpError
if err := json.NewDecoder(resp.Body).Decode(&response); err != nil {
return nil, fmt.Errorf("unexpected status-code: %d", resp.StatusCode)
}
return nil, fmt.Errorf("unexpected status-code: %d - %s", resp.StatusCode, response.Error)
}
var response interface{}
if err := json.NewDecoder(resp.Body).Decode(&response); err != nil {
return nil, fmt.Errorf("failed to parse response: %w", err)
}
return &response, nil
}
type UpdateRequest struct {
Name *string `json:"name,omitempty"`
Context *string `json:"context,omitempty"`
Content *string `json:"content,omitempty"`
}
// UpdatePolicy calls the UPDATE policy API in the policy-service. It updates a policy in the policy-service matching the given owner-id and policy-id.
func (c Client) UpdatePolicy(ownerID string, policyID string, policy UpdateRequest) (interface{}, error) {
data, err := json.Marshal(policy)
if err != nil {
return nil, fmt.Errorf("failed to encode policy payload: %w", err)
}
req, err := http.NewRequest(
"PATCH",
fmt.Sprintf("%s/api/v1/owner/%s/policy/%s", c.serverUrl, ownerID, policyID),
bytes.NewReader(data),
)
if err != nil {
return nil, fmt.Errorf("failed to construct request: %v", err)
}
req.Header.Set("Content-Length", strconv.Itoa(len(data)))
resp, err := c.client.Do(req)
if err != nil {
return nil, fmt.Errorf("failed to get response from policy-service: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
var response httpError
if err := json.NewDecoder(resp.Body).Decode(&response); err != nil {
return nil, fmt.Errorf("unexpected status-code: %d", resp.StatusCode)
}
return nil, fmt.Errorf("unexpected status-code: %d - %s", resp.StatusCode, response.Error)
}
var response interface{}
if err := json.NewDecoder(resp.Body).Decode(&response); err != nil {
return nil, fmt.Errorf("failed to parse response: %w", err)
}
return &response, nil
}
// GetPolicy calls the GET policy API in the policy-service.It fetches the policy from policy-service matching the given owner-id and policy-id.
// It returns an error if the call fails or the policy could not be found.
func (c Client) GetPolicy(ownerID string, policyID string) (interface{}, error) {
req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/api/v1/owner/%s/policy/%s", c.serverUrl, ownerID, policyID), nil)
if err != nil {
return nil, fmt.Errorf("failed to construct request: %v", err)
}
resp, err := c.client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
var payload httpError
if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
return nil, fmt.Errorf("unexpected status-code: %d", resp.StatusCode)
}
return nil, fmt.Errorf("unexpected status-code: %d - %s", resp.StatusCode, payload.Error)
}
var body interface{}
if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
return nil, fmt.Errorf("failed to decode response body: %v", err)
}
return body, nil
}
// DeletePolicy calls the DELETE Policy API in the policy-service.
// It attempts to delete the policy matching the given policy-id and belonging to the given ownerID.
// It returns an error if the call fails or the policy could not be deleted.
func (c Client) DeletePolicy(ownerID string, policyID string) error {
req, err := http.NewRequest(http.MethodDelete, fmt.Sprintf("%s/api/v1/owner/%s/policy/%s", c.serverUrl, ownerID, policyID), nil)
if err != nil {
return fmt.Errorf("failed to construct request: %v", err)
}
resp, err := c.client.Do(req)
if err != nil {
return err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusNoContent {
var payload httpError
if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
return fmt.Errorf("unexpected status-code: %d", resp.StatusCode)
}
return fmt.Errorf("unexpected status-code: %d - %s", resp.StatusCode, payload.Error)
}
return nil
}
type DecisionQueryRequest struct {
Status string
After *time.Time
Before *time.Time
Branch string
ProjectID string
Offset int
}
// GetDecisionLogs calls the GET decision query API of policy-service. The endpoint accepts multiple filter values as
// path query parameters (start-time, end-time, branch-name, project-id and offset).
func (c Client) GetDecisionLogs(ownerID string, request DecisionQueryRequest) ([]interface{}, error) {
req, err := http.NewRequest("GET", fmt.Sprintf("%s/api/v1/owner/%s/decision", c.serverUrl, ownerID), nil)
if err != nil {
return nil, fmt.Errorf("failed to construct request: %v", err)
}
query := make(url.Values)
if request.Status != "" {
query.Set("status", fmt.Sprint(request.Status))
}
if request.After != nil {
query.Set("after", request.After.Format(time.RFC3339))
}
if request.Before != nil {
query.Set("before", request.Before.Format(time.RFC3339))
}
if request.Branch != "" {
query.Set("branch", fmt.Sprint(request.Branch))
}
if request.ProjectID != "" {
query.Set("project_id", fmt.Sprint(request.ProjectID))
}
if request.Offset > 0 {
query.Set("offset", fmt.Sprint(request.Offset))
}
req.URL.RawQuery = query.Encode()
resp, err := c.client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
var payload httpError
if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
return nil, fmt.Errorf("unexpected status-code: %d", resp.StatusCode)
}
return nil, fmt.Errorf("unexpected status-code: %d - %s", resp.StatusCode, payload.Error)
}
var body []interface{}
if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
return nil, fmt.Errorf("failed to decode response body: %v", err)
}
return body, nil
}
// DecisionRequest represents a request to Policy-Service to evaluate a given input against an organization's policies.
// The context determines which policies to apply.
type DecisionRequest struct {
Input string `json:"input"`
Context string `json:"context"`
}
// MakeDecision sends a requests to Policy-Service public decision endpoint and returns the decision response
func (c Client) MakeDecision(ownerID string, req DecisionRequest) (interface{}, error) {
payload, err := json.Marshal(req)
if err != nil {
return nil, fmt.Errorf("failed to marshal request: %w", err)
}
endpoint := fmt.Sprintf("%s/api/v1/owner/%s/decision", c.serverUrl, ownerID)
request, err := http.NewRequest("POST", endpoint, bytes.NewReader(payload))
if err != nil {
return nil, fmt.Errorf("failed to construct request: %w", err)
}
request.Header.Set("Content-Length", strconv.Itoa(len(payload)))
resp, err := c.client.Do(request)
if err != nil {
return nil, fmt.Errorf("failed to get response: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != 200 {
var payload httpError
if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
return nil, fmt.Errorf("unexpected status-code: %d", resp.StatusCode)
}
return nil, fmt.Errorf("unexpected status-code: %d - %s", resp.StatusCode, payload.Error)
}
var body interface{}
if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
return nil, fmt.Errorf("failed to decode response body: %w", err)
}
return body, nil
}
// NewClient returns a new policy client that will use the provided settings.Config to automatically inject appropriate
// Circle-Token authentication and other relevant CLI headers.
func NewClient(baseURL string, config *settings.Config) *Client {
transport := config.HTTPClient.Transport
if transport == nil {
transport = http.DefaultTransport
}
// Throttling the client so that it cannot make more than 10 concurrent requests at time
sem := make(chan struct{}, 10)
config.HTTPClient.Transport = transportFunc(func(r *http.Request) (*http.Response, error) {
// Acquiring semaphore to respect throttling
sem <- struct{}{}
// releasing the semaphore after a second ensuring client doesn't make more than cap(sem)/second
time.AfterFunc(time.Second, func() { <-sem })
r.Header.Add("circle-token", config.Token)
r.Header.Add("Accept", "application/json")
r.Header.Add("Content-Type", "application/json")
r.Header.Add("User-Agent", version.UserAgent())
if commandStr := header.GetCommandStr(); commandStr != "" {
r.Header.Add("Circleci-Cli-Command", commandStr)
}
return transport.RoundTrip(r)
})
return &Client{
serverUrl: strings.TrimSuffix(baseURL, "/"),
client: config.HTTPClient,
}
}
// transportFunc is utility type for declaring a http.RoundTripper as a function literal
type transportFunc func(*http.Request) (*http.Response, error)
// RoundTrip implements the http.RoundTripper interface
func (fn transportFunc) RoundTrip(req *http.Request) (*http.Response, error) {
return fn(req)
}