Comments (4)
hey @jlestrada
Thanks for reporting the issue!
I checked the acceptance tests for --update, however, there's only one: https://github.com/open-policy-agent/conftest/blob/master/acceptance.bats#L366 in which the -p option didn't get used. From ui/ux perspective, specifying -p shouldn't be necessary to run policies against files, should it? (It seems the file is stored anyway after the detection&download on the dir where conftest is executed: https://github.com/open-policy-agent/conftest/blob/master/acceptance.bats#L367 )
On the other hand, using a command like below, I'm able to download the content to a policy folder that doesn't exist previously
./conftest test -p ./my-policy --update git::github.com/open-policy-agent/library.git examples/kubernetes/service.yaml
0 tests, 0 passed, 0 warnings, 0 failures, 0 exceptions
ll my-policy
total 20
drwxr-xr-x 13 bseref staff 416 Apr 2 14:04 ./
drwxr-xr-x 41 bseref staff 1312 Apr 2 14:04 ../
drwxr-xr-x 12 bseref staff 384 Apr 2 14:04 .git/
drwxr-xr-x 3 bseref staff 96 Apr 2 14:04 .github/
-rw-r--r-- 1 bseref staff 11357 Apr 2 14:04 LICENSE
-rw-r--r-- 1 bseref staff 272 Apr 2 14:04 Makefile
-rw-r--r-- 1 bseref staff 995 Apr 2 14:04 README.md
drwxr-xr-x 6 bseref staff 192 Apr 2 14:04 aws/
drwxr-xr-x 4 bseref staff 128 Apr 2 14:04 build/
.
.
Could there be an issue with how git-URL is defined or how it's considered by https://github.com/open-policy-agent/conftest/blob/master/downloader/downloader.go?
from conftest.
Circling back to quickly confirm that your example above does work so I believe you are on the right track that there is something unique to my case. Possibly the use of a private repository?
To your point, requirement of the -p option should not be required but it should be supported to work in conjunction with --update or at least specify otherwise.
I appear to now be having some issues with reproducing the error on my end. I wonder if my git host was having intermittent issues that day I filed the ticket.
To explain my use case a bit more, I am using a private GitLab repository as my host. Given the correct credentials, I don't imagine that my use case is unique to what you have specified.
I will continue to try and reproduce and give a bit more information. If I am unable to after today then I think we should just mark this closed.
Thanks for the response!
from conftest.
Okay I am now able to confirm but I am not entirely certain this is a bug that others will run into.
The issue I believe is only triggered when using a pre-existing directory space and it is outside the current working directory. Please see the following output as what I believe is a way to reproduce the behavior.
❯ git clone git@github.com:open-policy-agent/conftest.git
Cloning into 'conftest'...
remote: Enumerating objects: 6232, done.
remote: Counting objects: 100% (172/172), done.
remote: Compressing objects: 100% (128/128), done.
remote: Total 6232 (delta 71), reused 125 (delta 42), pack-reused 6060
Receiving objects: 100% (6232/6232), 3.89 MiB | 7.36 MiB/s, done.
Resolving deltas: 100% (3234/3234), done.
❯ cd conftest
❯ pwd
/Users/joseestrada/conftest
❯ conftest test --update git::https://github.com/open-policy-agent/library.git --policy ~/policy examples/kubernetes/service.yaml
0 tests, 0 passed, 0 warnings, 0 failures, 0 exceptions
❯ rm -rf ~/policy
❯ mkdir ~/policy
❯ conftest test --update git::https://github.com/open-policy-agent/library.git --policy ~/policy examples/kubernetes/service.yaml
Error: running test: update policies: client get: error downloading 'https://github.com/open-policy-agent/library.git': /usr/local/bin/git exited with 128: fatal: not a git repository (or any of the parent directories): .git
You can see above that the execution of the test worked the first time when the folder ~/policy was not present but when I attempted the second time after manually creating the directory path it failed.
This I believe was somewhat unique to my situation when using Atlantis. I believe the working directory is under /home/atlantis while I was attempting to use a policy directory path outside of this, i.e. /policies/.
TBH I don't know if this is a major issue but it does seem to show some limitation, maybe especially so when using Atlantis. Let me know what you think and if you are able to reproduce with the above output.
from conftest.
yeah, I'm able to reproduce. Basically, it occurs when there is a custom policy folder and if the update source is a git
I have debugged the commands above, and saw the err is thrown by go-getter, so it's probably go-getter's behavior: https://github.com/hashicorp/go-getter/blob/v1.6.1/client.go#L323
"error downloading 'https://github.com/open-policy-agent/library.git': /opt/homebrew/bin/git exited with 128: fatal: not a git repository (or any of the parent directories): .git\n"
so conftest is inheriting this indirectly. It might be a case where we can report to upstream too, also it might be something that got fixed on recent versions so we may consider bumping up go-getter at some point
Actually, there wouldn't be a problem if it was like the following
conftest test --update git::https://github.com/open-policy-agent/library.git --policy ~/policy examples/kubernetes/service.yaml
rm -rf ~/policy
conftest test --update git::https://github.com/open-policy-agent/library.git --policy ~/policy examples/kubernetes/service.yaml
Do you need the policy folder to be created from scratch before each execution? Otherwise, I'd say it'd be more graceful to let it be handled by go-getter rather than configuring it.
If you need it, you can divide the execution into 2 phases:
./conftest pull --policy ./policy2 git::https://github.com/open-policy-agent/library.git
echo "deny[...]{}" >> ./policy2/a.rego # do some ops
./conftest test -p ./policy2 path-to-json-yaml-files.yaml
from conftest.
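The failing case reproduced in this thread (a policy directory created by hand before `--update` with a `git::` source) can be detected before conftest runs, so a pipeline fails with a clear message instead of a git error. This is an added example, not code from the thread or from conftest; the function names are hypothetical, and it assumes a directory that already holds a `.git` entry from an earlier download can be updated in place.

```shell
#!/bin/sh
# Added example: classify a policy directory before `conftest test --update`.
# States follow the thread: an absent path worked, a pre-created directory
# without .git produced "fatal: not a git repository".

policy_dir_state() {
    dir=$1
    if [ ! -e "$dir" ]; then
        echo absent            # downloader creates it (worked in the thread)
    elif [ ! -d "$dir" ]; then
        echo not-a-directory
    elif [ -e "$dir/.git" ]; then
        echo git-checkout      # assumption: left by an earlier download
    elif [ -z "$(ls -A "$dir")" ]; then
        echo empty             # the failing case: mkdir before --update
    else
        echo foreign-content   # files of unknown origin, never deleted here
    fi
}

# Make the directory usable for a git:: update source, or refuse.
prepare_policy_dir() {
    dir=$1
    case "$(policy_dir_state "$dir")" in
        absent|git-checkout) return 0 ;;
        empty) rmdir "$dir" ;;   # rmdir only succeeds on an empty directory
        *) echo "refusing to use $dir as policy directory" >&2; return 1 ;;
    esac
}

# Hypothetical wrapper; not invoked here because it needs conftest and network.
update_and_test() {
    src=$1 dir=$2; shift 2
    prepare_policy_dir "$dir" || return 1
    conftest test --update "$src" --policy "$dir" "$@"
}
```

The wrapper refuses, rather than cleans, a non-empty directory without `.git`, so hand-written policies placed there are never removed by the preflight step.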