cmd: Move policy and enabled checks to policy package

Signed-off-by: Stephen Augustus <[email protected]>
ossf · Feb 22, 2022 · c5eba98 · c5eba98
1 parent d85a4e3
commit c5eba98
Show file tree

Hide file tree

Showing 4 changed files with 121 additions and 167 deletions.
diff --git a/cmd/root.go b/cmd/root.go
@@ -32,9 +32,8 @@ import (
 	sclog "github.com/ossf/scorecard/v4/log"
 	"github.com/ossf/scorecard/v4/options"
 	"github.com/ossf/scorecard/v4/pkg"
-	"github.com/ossf/scorecard/v4/refactor/check"
+	"github.com/ossf/scorecard/v4/policy"
 	"github.com/ossf/scorecard/v4/refactor/format"
-	"github.com/ossf/scorecard/v4/refactor/policy"
 )
 
 const (
@@ -78,7 +77,7 @@ func init() {
 		&opts.Metadata, "metadata", []string{}, "metadata for the project. It can be multiple separated by commas")
 	rootCmd.Flags().BoolVar(&opts.ShowDetails, "show-details", false, "show extra details about each check")
 	checkNames := []string{}
-	for checkName := range check.GetAll() {
+	for checkName := range policy.GetAll() {
 		checkNames = append(checkNames, checkName)
 	}
 	rootCmd.Flags().StringSliceVar(&opts.ChecksToRun, "checks", []string{},
@@ -127,7 +126,7 @@ func RunScorecard(args []string) {
 		opts.Repo = pkgResp.associatedRepo
 	}
 
-	pol, err := policy.FromFile(opts.PolicyFile)
+	pol, err := policy.ParseFromFile(opts.PolicyFile)
 	if err != nil {
 		log.Panicf("readPolicy: %v", err)
 	}
@@ -157,7 +156,7 @@ func RunScorecard(args []string) {
 	if !strings.EqualFold(opts.Commit, clients.HeadSHA) {
 		requiredRequestTypes = append(requiredRequestTypes, checker.CommitBased)
 	}
-	enabledChecks, err := check.GetEnabled(pol, opts.ChecksToRun, requiredRequestTypes)
+	enabledChecks, err := policy.GetEnabled(pol, opts.ChecksToRun, requiredRequestTypes)
 	if err != nil {
 		log.Panic(err)
 	}

diff --git a/policy/policy.go b/policy/policy.go
@@ -17,9 +17,13 @@ package policy
 import (
 	"errors"
 	"fmt"
+	"log"
+	"os"
+	"strings"
 
 	"gopkg.in/yaml.v3"
 
+	"github.com/ossf/scorecard/v4/checker"
 	"github.com/ossf/scorecard/v4/checks"
 	sce "github.com/ossf/scorecard/v4/errors"
 )
@@ -62,6 +66,26 @@ func modeToProto(m string) CheckPolicy_Mode {
 	}
 }
 
+func ParseFromFile(policyFile string) (*ScorecardPolicy, error) {
+	if policyFile != "" {
+		data, err := os.ReadFile(policyFile)
+		if err != nil {
+			return nil, sce.WithMessage(sce.ErrScorecardInternal,
+				fmt.Sprintf("os.ReadFile: %v", err))
+		}
+
+		sp, err := ParseFromYAML(data)
+		if err != nil {
+			return nil,
+				sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("spol.ParseFromYAML: %v", err))
+		}
+
+		return sp, nil
+	}
+
+	return nil, nil
+}
+
 // ParseFromYAML parses a policy file and returns
 // a scorecardPolicy.
 func ParseFromYAML(b []byte) (*ScorecardPolicy, error) {
@@ -112,3 +136,96 @@ func ParseFromYAML(b []byte) (*ScorecardPolicy, error) {
 
 	return &retPolicy, nil
 }
+
+func GetAll() checker.CheckNameToFnMap {
+	// Returns the full list of checks, given any environment variable constraints.
+	possibleChecks := checks.AllChecks
+	return possibleChecks
+}
+
+func GetEnabled(sp *ScorecardPolicy, argsChecks []string,
+	requiredRequestTypes []checker.RequestType) (checker.CheckNameToFnMap, error) {
+	enabledChecks := checker.CheckNameToFnMap{}
+
+	switch {
+	case len(argsChecks) != 0:
+		// Populate checks to run with the `--repo` CLI argument.
+		for _, checkName := range argsChecks {
+			if !isSupportedCheck(checkName, requiredRequestTypes) {
+				return enabledChecks,
+					sce.WithMessage(sce.ErrScorecardInternal,
+						fmt.Sprintf("Unsupported RequestType %s by check: %s",
+							fmt.Sprint(requiredRequestTypes), checkName))
+			}
+			if !enableCheck(checkName, &enabledChecks) {
+				return enabledChecks,
+					sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("invalid check: %s", checkName))
+			}
+		}
+	case sp != nil:
+		// Populate checks to run with policy file.
+		for checkName := range sp.GetPolicies() {
+			if !isSupportedCheck(checkName, requiredRequestTypes) {
+				// We silently ignore the check, like we do
+				// for the default case when no argsChecks
+				// or policy are present.
+				continue
+			}
+
+			if !enableCheck(checkName, &enabledChecks) {
+				return enabledChecks,
+					sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("invalid check: %s", checkName))
+			}
+		}
+	default:
+		// Enable all checks that are supported.
+		for checkName := range GetAll() {
+			if !isSupportedCheck(checkName, requiredRequestTypes) {
+				continue
+			}
+			if !enableCheck(checkName, &enabledChecks) {
+				return enabledChecks,
+					sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("invalid check: %s", checkName))
+			}
+		}
+	}
+
+	// If a policy was passed as argument, ensure all checks
+	// to run have a corresponding policy.
+	if sp != nil && !checksHavePolicies(sp, enabledChecks) {
+		return enabledChecks, sce.WithMessage(sce.ErrScorecardInternal, "checks don't have policies")
+	}
+
+	return enabledChecks, nil
+}
+
+func checksHavePolicies(sp *ScorecardPolicy, enabledChecks checker.CheckNameToFnMap) bool {
+	for checkName := range enabledChecks {
+		_, exists := sp.Policies[checkName]
+		if !exists {
+			log.Printf("check %s has no policy declared", checkName)
+			return false
+		}
+	}
+	return true
+}
+
+func isSupportedCheck(checkName string, requiredRequestTypes []checker.RequestType) bool {
+	unsupported := checker.ListUnsupported(
+		requiredRequestTypes,
+		checks.AllChecks[checkName].SupportedRequestTypes)
+	return len(unsupported) == 0
+}
+
+// Enables checks by name.
+func enableCheck(checkName string, enabledChecks *checker.CheckNameToFnMap) bool {
+	if enabledChecks != nil {
+		for key, checkFn := range GetAll() {
+			if strings.EqualFold(key, checkName) {
+				(*enabledChecks)[key] = checkFn
+				return true
+			}
+		}
+	}
+	return false
+}
diff --git a/refactor/check/check.go b/refactor/check/check.go
diff --git a/refactor/policy/policy.go b/refactor/policy/policy.go