Policy is blocking a go_install and I can't get it past the aqua policy allow command

[sheldonhull]

aqua info

$ aqua info

{
  "version": "2.16.0",
  "commit_hash": "70f84d66ba9af98008360fd7b846094f020b4c6f",
  "os": "darwin",
  "arch": "arm64",
  "pwd": "/Users/(USER)/.config/aqua",
  "root_dir": "/Users/(USER)/.local/share/aquaproj-aqua",
  "env": {
    "AQUA_DISABLE_POLICY": "true",
    "AQUA_GITHUB_TOKEN": "(masked)",
    "AQUA_GLOBAL_CONFIG": "/Users/(USER)/.config/aqua/aqua.yaml",
    "AQUA_LOG_LEVEL": "error",
    "AQUA_POLICY_CONFIG": "/Users/(USER)/.config/aqua/aqua-policy.yaml",
    "AQUA_PROGRESS_BAR": "true"
  },
  "config_files": [
    {
      "path": "/Users/(USER)/.config/aqua/aqua.yaml"
    },
    {
      "path": "/Users/(USER)/.config/aqua/aqua.yaml"
    }
  ]
}

aqua < v2.10.0

$ aqua -v
aqua version 2.16.0 (70f84d66ba9af98008360fd7b846094f020b4c6f)

OS (Windows, Linux, macOS, etc): Darwin
CPU Architecture (amd64, arm64, etc): arm64

Overview

I've run the following commands (and done this directly in the global aqua directory).

pushd "${HOME}/.local/share/chezmoi/private_dot_config/exact_aqua" || (echo '❌ can not find target directory' && return)
token=$(gh auth token)
export AQUA_GITHUB_TOKEN="${token}"
echo "⚙️ aqua update-aqua"
aqua update-aqua
echo "⚙️ aqua update"
aqua update
echo "⚙️ aqua update-checksum"
aqua update-checksum
echo "aqua policy allow"
aqua policy allow "${XDG_CONFIG_HOME:-${HOME}/.config/}/aqua/aqua-policy.yaml"
echo "chezmoi apply"
chezmoi apply --keep-going

IMPORTANT: export AQUA_DISABLE_POLICY=true is set!

I disabled policy check a while back due to a blocker and not it doesn't seem to honor the setting. Ideally I want to use it, but now it's not honoring this check either so it finally brought it back to my attention. I just ran an update and got rid of the brew managed version so I think it's showing up for me as I wasn't updated.

I just cleared out my settings and this is all that shows up for AQUA in the environment variables.

$ env | grep AQUA

AQUA_DISABLE_POLICY=true
AQUA_GLOBAL_CONFIG=/Users/(USER)/.config/aqua/aqua.yaml
AQUA_PROGRESS_BAR=true
AQUA_LOG_LEVEL=error

How to reproduce

# aqua-policy.yaml
registries:
  - name: local
    type: local
    path: registry.yaml
  - type: standard
    ref: semver(">= 3.0.0")
packages:
  - registry: local # allow all packages in the Registry
  - registry: standard
  

#registry.yaml

---
packages:
  - type: go_install
    name: mage-select
    path: github.com/iwittkau/mage-select
    description: CLI frontend for mage based on promptui.
    search_words:
      - mage
      - module
      - go

# aqua.yaml
---
# aqua - Declarative CLI Version Manager
# https://aquaproj.github.io/
checksum:
  enabled: true
  require_checksum: false
registries:
  - type: standard
    ref: v4.74.0 # renovate: depName=aquaproj/aqua-registry
  - name: local
    type: local
    path: registry.yaml
packages:
  - name: mage-select
    version: v1.4.0
    registry: local

Expected behaviour

I thought running the aqua policy against it would work.

Actual behaviour

Blocks this and other packages from my local registry. Most of these are go_install type packages. However, I have one github_release type and it also fails.

Important Factoids

I can't remember what caused this in the past as I ran into it again. Kinda stuck on those tools. Not sure why i can't get those allowed. Disabling policy globally temporarily solves this blocker.

[suzuki-shunsuke]

Let me confirm your situation.

• aqua.yaml is at ${HOME}/.local/share/chezmoi/private_dot_config/exact_aqua/aqua.yaml
• a policy file is at ${XDG_CONFIG_HOME:-${HOME}/.config/}/aqua/aqua-policy.yaml and you allow this policy by aqua policy allow command
• AQUA_POLICY_CONFIG isn't set
• you expect the policy file should be applied against ${HOME}/.local/share/chezmoi/private_dot_config/exact_aqua/aqua.yaml

${HOME}/.local/share/chezmoi/private_dot_config/exact_aqua/
  aqua.yaml
${XDG_CONFIG_HOME:-${HOME}/.config/}/aqua/aqua-policy.yaml

Is my understanding correct?
If so, you are misunderstanding the specification of the policy.
This is expected behaviour.
Indeed, the specification of Policy is a little complicated and confusing.

https://aquaproj.github.io/docs/reference/security/policy-as-code/#policy-types

aqua looks for Policy files from the Git repository root directory and the environment variable AQUA_POLICY_CONFIG.
If you want to apply the global config AQUA_GLOBAL_CONFIG, there are two options.

1. Manage global config and policy file with Git (Recommended)

dotfiles/ # Git repository
  aqua.yaml
  aqua-policy.yaml

2. Specify the policy file with AQUA_POLICY_CONFIG

export AQUA_POLICY_CONFIG="$ABSOLUTE_PATH_TO_AQUA_POLICY_YAML:$AQUA_POLICY_CONFIG"

[suzuki-shunsuke]

I really apprecate it if you can reproduce the issue with a container and share the procedure like https://github.com/orgs/aquaproj/discussions/2389#discussioncomment-7387787 so that we can reproduce the issue easily by coping and pasting the code.

[sheldonhull]

I'll have to try again. I've been traveling. It has caused issues in more than one place.

[sheldonhull]

Please confirm your statement aqua looks for Policy files from the Git repository root directory and the environment variable AQUA_POLICY_CONFIG. actually meant it looks in the git repo root, plus supported .aqua directory. Just making sure as I choose to always put them in the subdirectory for keeping it organized.

[suzuki-shunsuke]

I confirmed .aqua/aqua-policy.yaml works well.

Please set up the environment by following the procedure. https://github.com/orgs/aquaproj/discussions/2389#discussioncomment-7387787
After executing export AQUA_GLOBAL_CONFIG=~/.config/aqua/aqua.yaml , please execute the following commands.

apt install -y git
cd ~/.config/aqua
git init
mkdir .aqua
mv aqua-policy.yaml .aqua

echo 'registries:
  - name: local
    type: local
    path: ../registry.yaml # You need to fix path properly
  - type: standard
    ref: semver(">= 3.0.0")
packages:
  - registry: local
  - registry: standard' > .aqua/aqua-policy.yaml

aqua policy allow
cd ~/workspace/
aqua i -a

If you forgot to fix registry's path in aqua-policy.yaml, the policy wouldn't allow the local registry.

$ aqua i -a
INFO[0000] download and unarchive the package            aqua_version=2.17.1 env=linux/arm64 package_name=aqua-proxy package_version=v1.2.4 program=aqua registry=
INFO[0000] create a symbolic link                        aqua_version=2.17.1 command=aqua-proxy env=linux/arm64 package_name=aqua-proxy package_version=v1.2.4 program=aqua registry=
INFO[0001] create a symbolic link                        aqua_version=2.17.1 command=go env=linux/arm64 program=aqua
INFO[0001] create a symbolic link                        aqua_version=2.17.1 command=gofmt env=linux/arm64 program=aqua
INFO[0001] create a symbolic link                        aqua_version=2.17.1 command=mage-select env=linux/arm64 program=aqua
ERRO[0001] install the package                           aqua_version=2.17.1 doc="https://aquaproj.github.io/docs/reference/codes/002" env=linux/arm64 error="this package isn't allowed" package_name=mage-select package_version=v1.4.0 program=aqua registry=local
INFO[0001] download and unarchive the package            aqua_version=2.17.1 env=linux/arm64 package_name=golang/go package_version=go1.21.3 program=aqua registry=standard
FATA[0005] aqua failed                                   aqua_version=2.17.1 env=linux/arm64 error="it failed to install some packages" program=aqua

[suzuki-shunsuke]

Or

cd ~/.config/aqua
mv aqua-checksums.json aqua.yaml registry.yaml .aqua

echo 'registries:
  - name: local
    type: local
    path: registry.yaml
  - type: standard
    ref: semver(">= 3.0.0")
packages:
  - registry: local
  - registry: standard' > .aqua/aqua-policy.yaml

aqua policy allow
cd ~/workspace/
aqua i -a

[sheldonhull]

I will close for now and reopen when I can reproduce.
I just was able to reference my global files and not sure really what changed.
I'll save this to come back to if it shows up again or in another repo and I can't resolve it.

Can you confirm that AQUA_POLICY_CONFIG is required or not please?
I prefer to avoid environment variables required for new contributors as I work with a lot of windows based engineers who don't have access to tooling like direnv and it's more intrusive for them. I would like to make sure that just running aqua policy allow against the file is enough or confirm if the environment variable is a strict requirement.

[suzuki-shunsuke]

As I described with the code, AQUA_POLICY_CONFIG is unnecessary if you locate aqua-policy.yaml on Git repository root.

I prefer to avoid environment variables required for new contributors as I work with a lot of windows based engineers who don't have access to tooling like direnv and it's more intrusive for them.

Yeah, I understand your thought. I thought the same thing so I introduced Git Repository root's policy file and policy commands.