diff --git a/src/macaron/__main__.py b/src/macaron/__main__.py
index 8ef6b196d..66deeb776 100644
--- a/src/macaron/__main__.py
+++ b/src/macaron/__main__.py
@@ -18,7 +18,7 @@
 from macaron.config.target_config import TARGET_CONFIG_SCHEMA
 from macaron.output_reporter.reporter import HTMLReporter, JSONReporter, PolicyReporter
 from macaron.parsers.yaml.loader import YamlLoader
-from macaron.policy_engine.policy_engine import run_policy_engine
+from macaron.policy_engine.policy_engine import run_policy_engine, show_prelude
 from macaron.slsa_analyzer.analyzer import Analyzer
 
 logger: logging.Logger = logging.getLogger(__name__)
@@ -95,18 +95,25 @@ def verify_policy(verify_policy_args: argparse.Namespace) -> int:
         logger.critical("The database file does not exist.")
         return os.EX_OSFILE
 
-    if not os.path.isfile(verify_policy_args.file):
-        logger.critical('The policy file "%s" does not exist.', verify_policy_args.file)
-        return os.EX_OSFILE
+    if verify_policy_args.show_prelude:
+        show_prelude(verify_policy_args.database)
+        return os.EX_OK
+
+    if verify_policy_args.file:
+        if not os.path.isfile(verify_policy_args.file):
+            logger.critical('The policy file "%s" does not exist.', verify_policy_args.file)
+            return os.EX_OSFILE
+
+        result = run_policy_engine(verify_policy_args.database, verify_policy_args.file)
+        policy_reporter = PolicyReporter()
+        policy_reporter.generate(global_config.output_path, result)
 
-    result = run_policy_engine(verify_policy_args.database, verify_policy_args.show_prelude, verify_policy_args.file)
-    policy_reporter = PolicyReporter()
-    policy_reporter.generate(global_config.output_path, result)
+        if ("failed_policies" in result) and any(result["failed_policies"]):
+            return os.EX_DATAERR
 
-    if ("failed_policies" in result) and any(result["failed_policies"]):
-        return os.EX_DATAERR
+        return os.EX_OK
 
-    return os.EX_OK
+    return os.EX_USAGE
 
 
 def perform_action(action_args: argparse.Namespace) -> None:
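Review bot: The `return os.EX_USAGE` at the end of verify_policy exits silently: when neither `show_prelude` nor `file` is set nothing is logged, unlike the other failure paths in this function, which log a critical message before returning. The required mutually exclusive group added in the hunk at @@ -264 makes this branch unreachable from the CLI, so it only matters for direct callers, but one line keeps the paths consistent: `logger.critical("Either a policy file (-f/--file) or --show-prelude is required.")`. The `if verify_policy_args.file:` block could also be flattened into a guard (`if not verify_policy_args.file: ... return os.EX_USAGE`) so the policy-evaluation path is not nested one level deeper than the prelude path. The start of verify_policy, including the database existence check, lies outside the hunk.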
@@ -264,10 +271,11 @@ def main(argv: list[str] | None = None) -> None:
 
     # Verify the Datalog policy.
     vp_parser = sub_parser.add_parser(name="verify-policy")
+    vp_group = vp_parser.add_mutually_exclusive_group(required=True)
     vp_parser.add_argument("-d", "--database", required=True, type=str, help="Path to the database.")
-    vp_parser.add_argument("-f", "--file", required=True, type=str, help="Path to the Datalog policy.")
-    vp_parser.add_argument("-s", "--show-prelude", required=False, action="store_true", help="Show policy prelude.")
+    vp_group.add_argument("-f", "--file", type=str, help="Path to the Datalog policy.")
+    vp_group.add_argument("-s", "--show-prelude", action="store_true", help="Show policy prelude.")
 
     args = main_parser.parse_args(argv)
 
diff --git a/src/macaron/policy_engine/policy_engine.py b/src/macaron/policy_engine/policy_engine.py
index d7c7b1fb1..3ec053fa0 100644
--- a/src/macaron/policy_engine/policy_engine.py
+++ b/src/macaron/policy_engine/policy_engine.py
@@ -139,15 +139,25 @@ def _check_version(database_path: str) -> None:
         sys.exit(os.EX_DATAERR)
 
 
-def run_policy_engine(database_path: str, show_prelude: bool, policy_file: str) -> dict:
+def show_prelude(database_path: str) -> None:
+    """Show the Datalog prelude for a database and exit.
+
+    Parameters
+    ----------
+    database_path: str
+        The SQLite database file to show the prelude for.
+    """
+    prelude = get_generated(database_path)
+    logger.info("\n%s", prelude)
+
+
+def run_policy_engine(database_path: str, policy_file: str) -> dict:
     """Evaluate a policy based on configuration and exit.
 
     Parameters
     ----------
     database_path: str
         The SQLite database file to evaluate the policy against
-    show_prelude: bool
-        Just show the policy prelude and exit.
     policy_file: str
         The policy file to evaluate
 
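Review bot: The new show_prelude docstring says the function shows the prelude "and exit", but the body only logs `prelude` and returns None; the exit happens in the caller (verify_policy in __main__.py, hunk @@ -95). Suggest `"""Log the Datalog prelude generated from a database."""` so the stated contract matches the code. Emitting the prelude through `logger.info` also means it is dropped whenever the logging level is raised above INFO; if the prelude is user-facing output rather than a diagnostic, writing it to stdout would make `--show-prelude` behave the same at every verbosity. Dropping the show_prelude parameter from run_policy_engine changes its positional signature, so any caller other than __main__.py (none is visible here) would need updating too.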
@@ -156,11 +166,6 @@ def run_policy_engine(database_path: str, show_prelude: bool, policy_file: str)
     dict
         The policy engine result.
     """
-    if show_prelude:
-        prelude = get_generated(database_path)
-        logger.info("\n%s", prelude)
-        return {}
-
     # TODO: uncomment the following line when the check is improved.
     # _check_version(database_path)