oracle · tromai · Jun 2, 2023 · Jun 1, 2023
@@ -18,7 +18,7 @@
 from macaron.config.target_config import TARGET_CONFIG_SCHEMA
 from macaron.output_reporter.reporter import HTMLReporter, JSONReporter, PolicyReporter
 from macaron.parsers.yaml.loader import YamlLoader
-from macaron.policy_engine.policy_engine import run_policy_engine
+from macaron.policy_engine.policy_engine import run_policy_engine, show_prelude
 from macaron.slsa_analyzer.analyzer import Analyzer
 
 logger: logging.Logger = logging.getLogger(__name__)
@@ -95,18 +95,25 @@ def verify_policy(verify_policy_args: argparse.Namespace) -> int:
         logger.critical("The database file does not exist.")
         return os.EX_OSFILE
 
-    if not os.path.isfile(verify_policy_args.file):
-        logger.critical('The policy file "%s" does not exist.', verify_policy_args.file)
-        return os.EX_OSFILE
+    if verify_policy_args.show_prelude:
+        show_prelude(verify_policy_args.database)
+        return os.EX_OK
+
+    if verify_policy_args.file:
+        if not os.path.isfile(verify_policy_args.file):
+            logger.critical('The policy file "%s" does not exist.', verify_policy_args.file)
+            return os.EX_OSFILE
+
+        result = run_policy_engine(verify_policy_args.database, verify_policy_args.file)
+        policy_reporter = PolicyReporter()
+        policy_reporter.generate(global_config.output_path, result)
 
-    result = run_policy_engine(verify_policy_args.database, verify_policy_args.show_prelude, verify_policy_args.file)
-    policy_reporter = PolicyReporter()
-    policy_reporter.generate(global_config.output_path, result)
+        if ("failed_policies" in result) and any(result["failed_policies"]):
+            return os.EX_DATAERR
 
-    if ("failed_policies" in result) and any(result["failed_policies"]):
-        return os.EX_DATAERR
+        return os.EX_OK
 
-    return os.EX_OK
+    return os.EX_USAGE
 
 
 def perform_action(action_args: argparse.Namespace) -> None:
@@ -264,10 +271,11 @@ def main(argv: list[str] | None = None) -> None:
 
     # Verify the Datalog policy.
     vp_parser = sub_parser.add_parser(name="verify-policy")
+    vp_group = vp_parser.add_mutually_exclusive_group(required=True)
 
     vp_parser.add_argument("-d", "--database", required=True, type=str, help="Path to the database.")
-    vp_parser.add_argument("-f", "--file", required=True, type=str, help="Path to the Datalog policy.")
-    vp_parser.add_argument("-s", "--show-prelude", required=False, action="store_true", help="Show policy prelude.")
+    vp_group.add_argument("-f", "--file", type=str, help="Path to the Datalog policy.")
+    vp_group.add_argument("-s", "--show-prelude", action="store_true", help="Show policy prelude.")
 
     args = main_parser.parse_args(argv)
 

@@ -139,15 +139,25 @@ def _check_version(database_path: str) -> None:
             sys.exit(os.EX_DATAERR)
 
 
-def run_policy_engine(database_path: str, show_prelude: bool, policy_file: str) -> dict:
+def show_prelude(database_path: str) -> None:
+    """Show the Datalog prelude for a database and exit.
+
+    Parameters
+    ----------
+    database_path: str
+        The SQLite database file to show the prelude for.
+    """
+    prelude = get_generated(database_path)
+    logger.info("\n%s", prelude)
+
+
+def run_policy_engine(database_path: str, policy_file: str) -> dict:
     """Evaluate a policy based on configuration and exit.
 
     Parameters
     ----------
     database_path: str
         The SQLite database file to evaluate the policy against
-    show_prelude: bool
-        Just show the policy prelude and exit.
     policy_file: str
         The policy file to evaluate
 
@@ -156,11 +166,6 @@ def run_policy_engine(database_path: str, show_prelude: bool, policy_file: str)
     dict
         The policy engine result.
     """
-    if show_prelude:
-        prelude = get_generated(database_path)
-        logger.info("\n%s", prelude)
-        return {}
-
     # TODO: uncomment the following line when the check is improved.
     # _check_version(database_path)