Add policy client and protocol plumbing#38514
Conversation
dsa0x
added
the
no-changelog-needed
SarahFrench
left a comment
SarahFrench
left a comment
There was a problem hiding this comment.
👋🏻 I've been taking a look at this today and will resume tomorrow, but here are some initial comments that mainly revolve around testing.
| } | ||
|
|
||
| func RegisterCallbackServiceServer(s grpc.ServiceRegistrar, srv CallbackServiceServer) { | ||
| // If the following call pancis, it indicates UnimplementedCallbackServiceServer was |
There was a problem hiding this comment.
| // If the following call pancis, it indicates UnimplementedCallbackServiceServer was | |
| // If the following call panics, it indicates UnimplementedCallbackServiceServer was |
| } | ||
| } | ||
|
|
||
| func (c *client) Evaluate(ctx context.Context, req EvaluationRequest[*proto.ResourceMetadata]) EvaluationResponse { |
There was a problem hiding this comment.
Given the existence of EvaluateModule and EvaluateProvider, what do you think about renaming this EvaluateResource? I think this would make the code resemble the proto definition, too.
| return s.evaluateModuleFn(req) | ||
| } | ||
|
|
||
| func TestClientEvaluate(t *testing.T) { |
There was a problem hiding this comment.
I think there can be more test coverages here, both for this and the other 2 Evaluate-type methods.
For example:
- You could have the
evaluateResourceFnreturn an empty or nil response alongside a non-nil error - does the response fromEvaluatehandle that error as expected? - You could also include more data in the response from
evaluateResourceFnand make more assertions about how it's transformed by the Evaluate method. E.g. if you include somePolicyDetailsdata and assert that diagnostics from in there are transformed as expected into diagnostics in the response fromEvaluate.
| return diags | ||
| } | ||
|
|
||
| func (diagnostic *Diagnostic) ToHCL() *hcl.Diagnostic { |
There was a problem hiding this comment.
Could this benefit from some test coverage?
I know the concept of 'diagnostic extras' isn't new to the codebase, but this implementation is and it might be worth adding some light tests asserting that these behave in the way we expect.
There was a problem hiding this comment.
➕ to that idea, I was also looking at the proto definition of diagnostic and it's a little difficult to understand exactly what data we will receive in a diagnostic. Perhaps some tests could serve as documentation of "these are some examples of what this extra info will look like"
| }, nil | ||
| }, | ||
| }, | ||
| callbackRegistry: callback.NewRegistry(), |
There was a problem hiding this comment.
Idea: could you make a mock callback registry to use in tests like this?
austinvalle
left a comment
austinvalle
left a comment
There was a problem hiding this comment.
Very nice 👍🏻, I appreciate you breaking these out 😆. I left some comments and questions!
|
|
||
| message GetResourcesRequest { | ||
| string type = 1; | ||
| bytes data = 2; |
There was a problem hiding this comment.
nit: This is a little generic for the name, I believe the data is a filter object so perhaps filter would be more descriptive? 😅
|
|
||
| message GetDataSourceRequest { | ||
| string type = 1; | ||
| bytes data = 2; |
There was a problem hiding this comment.
nit: similar to the above, maybe this could be config?
| uint32 evaluation_request_id = 3; | ||
| } | ||
|
|
||
| message GetResourcesResponse { |
There was a problem hiding this comment.
Should we also return diagnostics from this?
| uint32 evaluation_request_id = 3; | ||
| } | ||
|
|
||
| message GetDataSourceResponse { |
There was a problem hiding this comment.
similar to above, should we also return diagnostics from this?
| message Step { | ||
| oneof step { | ||
| string attribute = 1; | ||
| bytes index = 2; |
There was a problem hiding this comment.
is this a cty value that could be a string or number? 👀
| // module_source is the source for the module that is used (e.g., "./modules/s3_bucket") | ||
| string module_source = 1; |
There was a problem hiding this comment.
nit: Is this needed since the source is also defined in ModuleMetadata? (or perhaps it can be removed from that shared type)
| string source = 1; | ||
| string version = 2; |
There was a problem hiding this comment.
I'm assuming source and version are guaranteed to be evaluated at this point? So we don't need to worry about the recent dynamic module sourcing work impacting this 👀
| default: | ||
| panic(fmt.Errorf("unsupported Step type: %T", step)) |
There was a problem hiding this comment.
nit: Does this method need an error return if we're going to panic here anyways 👀 (similar question to the above ToCtyPath)
| Start: rng.Start.ToHclPos(), | ||
| End: rng.End.ToHclPos(), |
There was a problem hiding this comment.
Are these guaranteed to be non-nil? 👀
| // should be exhaustive | ||
| panic("unhandled EvaluateResult") |
There was a problem hiding this comment.
| // should be exhaustive | |
| panic("unhandled EvaluateResult") | |
| // should be exhaustive | |
| panic(fmt.Errorf("unhandled EvaluateResult type: %T", result)) |
3 participants
This is part of a stacked series to upstream the policy work in smaller, reviewable pieces:
This PR introduces the policy package and the basic protocol/client plumbing that the rest of the stack builds on.
The goal here is to land the policy-specific infrastructure first so the later PRs can focus on runtime behavior.
Included here
Target Release
1.16.x
Rollback Plan
Changes to Security Controls
Are there any changes to security controls (access controls, encryption, logging) in this pull request? If so, explain.
CHANGELOG entry