From 8d8f09661f981341edf8540acb5432ca6ab3ad90 Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Wed, 14 Aug 2024 16:10:54 -0500
Subject: [PATCH] test: add mapping no rego test
---
 pkg/policy/policy_test.go | 30 ++++++++++++-------
 .../mock-tuf-no-rego/doi/policy.not-rego | 1 +
 .../testdata/mock-tuf-no-rego/mapping.yaml | 11 +++++++
 3 files changed, 31 insertions(+), 11 deletions(-)
 create mode 100644 pkg/policy/testdata/mock-tuf-no-rego/doi/policy.not-rego
 create mode 100644 pkg/policy/testdata/mock-tuf-no-rego/mapping.yaml
diff --git a/pkg/policy/policy_test.go b/pkg/policy/policy_test.go
index f185f7e..d5d4b09 100644
--- a/pkg/policy/policy_test.go
+++ b/pkg/policy/policy_test.go
@@ -32,7 +32,8 @@ func loadAttestation(t *testing.T, path string) *attestation.Envelope {
 func TestRegoEvaluator_Evaluate(t *testing.T) {
 ctx, _ := test.Setup(t)
- errorStr := "failed to resolve policy by id: policy with id non-existent-policy-id not found"
+ resolveErrorStr := "failed to resolve policy by id: policy with id non-existent-policy-id not found"
+ evalErrorStr := "rego_parse_error:"
 TestDataPath := filepath.Join("..", "..", "test", "testdata")
 ExampleAttestation := filepath.Join(TestDataPath, "example_attestation.json")
@@ -43,22 +44,24 @@ func TestRegoEvaluator_Evaluate(t *testing.T) {
 }
 testCases := []struct {
- repo string
- expectSuccess bool
- isCanonical bool
- resolver attestation.Resolver
- policy *policy.Options
- policyID string
- errorStr string
+ repo string
+ expectSuccess bool
+ isCanonical bool
+ resolver attestation.Resolver
+ policy *policy.Options
+ policyID string
+ resolveErrorStr string
+ evalErrorStr string
 }{
 {repo: "testdata/mock-tuf-allow", expectSuccess: true, isCanonical: false, resolver: defaultResolver},
 {repo: "testdata/mock-tuf-allow", expectSuccess: true, isCanonical: false, resolver: defaultResolver, policyID: "docker-official-images"},
- {repo: "testdata/mock-tuf-allow", expectSuccess: false, isCanonical: false, resolver: defaultResolver, policyID: "non-existent-policy-id", errorStr: errorStr},
+ {repo: "testdata/mock-tuf-allow", expectSuccess: false, isCanonical: false, resolver: defaultResolver, policyID: "non-existent-policy-id", resolveErrorStr: resolveErrorStr},
 {repo: "testdata/mock-tuf-deny", expectSuccess: false, isCanonical: false, resolver: defaultResolver},
 {repo: "testdata/mock-tuf-verify-sig", expectSuccess: true, isCanonical: false, resolver: defaultResolver},
 {repo: "testdata/mock-tuf-wrong-key", expectSuccess: false, isCanonical: false, resolver: defaultResolver},
 {repo: "testdata/mock-tuf-allow-canonical", expectSuccess: true, isCanonical: true, resolver: defaultResolver},
 {repo: "testdata/mock-tuf-allow-canonical", expectSuccess: false, isCanonical: false, resolver: defaultResolver},
+ {repo: "testdata/mock-tuf-no-rego", expectSuccess: false, isCanonical: false, resolver: defaultResolver, evalErrorStr: evalErrorStr},
 }
 for _, tc := range testCases {
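Review bot: The new `testdata/mock-tuf-no-rego` row is the only case driving the `evalErrorStr` path, and nothing in the table says why that fixture must fail; a short comment above the row would make the fail-closed intent explicit, e.g. `// mapping references a file that is not valid Rego: evaluation must error, never silently allow`. Note also that `expectSuccess: false` on this row and on the `non-existent-policy-id` row is never consulted, because the error branches in the loop body return before the success check, so a reader could wrongly assume it is asserted; either drop the field on error rows or comment that it is informational. The loop body that consumes these rows lies outside this hunk.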
@@ -86,14 +89,19 @@ func TestRegoEvaluator_Evaluate(t *testing.T) {
 resolver, err := policy.CreateImageDetailsResolver(src)
 require.NoError(t, err)
 policy, err := policy.ResolvePolicy(ctx, resolver, tc.policy)
- if tc.errorStr != "" {
+ if tc.resolveErrorStr != "" {
 require.Error(t, err)
- assert.Contains(t, err.Error(), tc.errorStr)
+ assert.Contains(t, err.Error(), tc.resolveErrorStr)
 return
 }
 require.NoErrorf(t, err, "failed to resolve policy")
 require.NotNil(t, policy, "policy should not be nil")
 result, err := re.Evaluate(ctx, tc.resolver, policy, input)
+ if tc.evalErrorStr != "" {
+ require.Error(t, err)
+ assert.Contains(t, err.Error(), tc.evalErrorStr)
+ return
+ }
 require.NoErrorf(t, err, "Evaluate failed")
 if tc.expectSuccess {
diff --git a/pkg/policy/testdata/mock-tuf-no-rego/doi/policy.not-rego b/pkg/policy/testdata/mock-tuf-no-rego/doi/policy.not-rego
new file mode 100644
index 0000000..aa3513e
--- /dev/null
+++ b/pkg/policy/testdata/mock-tuf-no-rego/doi/policy.not-rego
@@ -0,0 +1 @@
+this isn't a rego policy
\ No newline at end of file
diff --git a/pkg/policy/testdata/mock-tuf-no-rego/mapping.yaml b/pkg/policy/testdata/mock-tuf-no-rego/mapping.yaml
new file mode 100644
index 0000000..2f0c252
--- /dev/null
+++ b/pkg/policy/testdata/mock-tuf-no-rego/mapping.yaml
@@ -0,0 +1,11 @@
+# map repos to policies
+version: v1
+kind: policy-mapping
+policies:
+ - id: docker-official-images
+ description: Docker Official Images
+ files:
+ - path: doi/policy.not-rego
+rules:
+ - pattern: "^docker[.]io/library/(.*)$"
+ policy-id: docker-official-images
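Review bot: The new `evalErrorStr` branch asserts only on the error text and discards `result`, so a regression in which `Evaluate` returned both a non-nil error and a populated (possibly allowing) result would still pass; since the point of the no-rego fixture is that an unparseable policy fails closed, pin that with `assert.Nil(t, result, "no result should be returned when evaluation fails")` before the `return` (assuming `result` is a pointer or otherwise nil-able — if it is a value type, assert on its success field instead). Matching the substring `rego_parse_error:` ties the test to OPA's error-code prefix, which is acceptable but deserves a comment where the constant is declared, such as `// OPA error code emitted for unparseable Rego`. The remainder of the loop body, including the `tc.expectSuccess` checks, continues outside this hunk.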