From 7fe118d2036f37cd18c7c2a021c185904ab76863 Mon Sep 17 00:00:00 2001
From: Malte Poll <1780588+malt3@users.noreply.github.com>
Date: Wed, 31 Jan 2024 16:50:01 +0100
Subject: [PATCH] cli: install embedded genpolicy tool at runtime

---
 cli/assets/genpolicy | 1 +
 cli/constants.go | 2 ++
 cli/generate.go | 26 ++++++++++++++++++++++++--
 cli/runtime.go | 12 ++++--------
 packages/default.nix | 2 +-
 5 files changed, 32 insertions(+), 11 deletions(-)
 create mode 100644 cli/assets/genpolicy

diff --git a/cli/assets/genpolicy b/cli/assets/genpolicy
new file mode 100644
index 0000000000..5c169759e7
--- /dev/null
+++ b/cli/assets/genpolicy
@@ -0,0 +1 @@
+# THIS FILE IS REPLACED DURING BUILD AND ONLY HERE TO SATISFY GO TOOLING
diff --git a/cli/constants.go b/cli/constants.go
index c695bdd79d..1c82909b9c 100644
--- a/cli/constants.go
+++ b/cli/constants.go
@@ -18,6 +18,8 @@ const (
 )
 
 var (
+	//go:embed assets/genpolicy
+	genpolicyBin []byte
 	//go:embed assets/genpolicy-settings.json
 	defaultGenpolicySettings []byte
 	//go:embed assets/genpolicy-rules.rego
diff --git a/cli/generate.go b/cli/generate.go
index ce741b8c47..45fa4eed9d 100644
--- a/cli/generate.go
+++ b/cli/generate.go
@@ -13,6 +13,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/edgelesssys/nunki/internal/embedbin"
 	"github.com/edgelesssys/nunki/internal/manifest"
 	"github.com/spf13/cobra"
 )
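Review bot: `genpolicyBin` in the cli/constants.go hunk has no comment saying that the checked-in `cli/assets/genpolicy` is a one-line placeholder which only the Nix `prePatch` in packages/default.nix replaces with the real executable; I'd add `// genpolicyBin is the genpolicy executable copied into cli/assets/genpolicy at build time (see packages/default.nix); the checked-in file is only a placeholder so go:embed resolves.` A plain `go build` outside Nix embeds that placeholder text, and `generatePolicies` in cli/generate.go will then install it to disk and presumably try to execute it, which fails with an obscure exec error. A guard in `generatePolicies` such as `if bytes.HasPrefix(genpolicyBin, []byte("# THIS FILE")) { return errors.New("genpolicy binary was not embedded at build time") }` (adding the `bytes`/`errors` imports if generate.go lacks them) would turn that into a clear message.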
@@ -154,8 +155,21 @@ func generatePolicies(ctx context.Context, regoPath, policyPath string, yamlPath
 	if err := createFileWithDefault(filepath.Join(regoPath, rulesFilename), defaultRules); err != nil {
 		return fmt.Errorf("creating default policy.rego file: %w", err)
 	}
+	binaryInstallDir, err := installDir()
+	if err != nil {
+		return fmt.Errorf("failed to get install dir: %w", err)
+	}
+	genpolicyInstall, err := embedbin.Install(binaryInstallDir, genpolicyBin)
+	if err != nil {
+		return fmt.Errorf("failed to install genpolicy: %w", err)
+	}
+	defer func() {
+		if err := genpolicyInstall.Uninstall(); err != nil {
+			logger.Warn("Failed to uninstall genpolicy tool", "err", err)
+		}
+	}()
 	for _, yamlPath := range yamlPaths {
-		policyHash, err := generatePolicyForFile(ctx, regoPath, policyPath, yamlPath, logger)
+		policyHash, err := generatePolicyForFile(ctx, genpolicyInstall.Path(), regoPath, policyPath, yamlPath, logger)
 		if err != nil {
 			return fmt.Errorf("failed to generate policy for %s: %w", yamlPath, err)
 		}
@@ -167,7 +181,7 @@ func generatePolicies(ctx context.Context, regoPath, policyPath string, yamlPath
 	return nil
 }
 
-func generatePolicyForFile(ctx context.Context, regoPath, policyPath, yamlPath string, logger *slog.Logger) ([32]byte, error) {
+func generatePolicyForFile(ctx context.Context, genpolicyPath, regoPath, policyPath, yamlPath string, logger *slog.Logger) ([32]byte, error) {
 	args := []string{
 		"--raw-out",
 		"--use-cached-files",
@@ -248,3 +262,11 @@ func createFileWithDefault(path string, deflt []byte) error {
 	_, err = file.Write(deflt)
 	return err
 }
+
+func installDir() (string, error) {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return "", err
+	}
+	return filepath.Join(home, ".nunki"), nil
+}
diff --git a/cli/runtime.go b/cli/runtime.go
index c5befb8f86..b0aabd088b 100644
--- a/cli/runtime.go
+++ b/cli/runtime.go
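Review bot: `embedbin.Install` writes the executable into `~/.nunki`, a persistent, predictable and user-writable location, and the deferred `Uninstall` never runs if the process is killed, so a stale copy can be left behind and the file can be replaced by any other process with write access to the home directory before `generatePolicyForFile` runs it. A per-run private directory from `os.MkdirTemp` (mode 0700 and a unique name, so concurrent CLI runs cannot collide either — assuming `embedbin.Install` accepts an existing directory) removed with `os.RemoveAll` avoids both problems and makes `installDir()` in the last hunk unnecessary; if `~/.nunki` is kept instead, it should at least be created with `os.MkdirAll(dir, 0o700)` and the bare `os.UserHomeDir` error wrapped, since it is what the user sees whenever `$HOME` is unset. The new strings `"failed to get install dir: %w"` and `"failed to install genpolicy: %w"` also break with the convention visible three lines up (`"creating default policy.rego file: %w"`), which drops the `failed to` prefix. generatePolicies starts before this hunk, and generatePolicyForFile's body continues past the second one.
```go
	// … unchanged: default policy.rego creation …
	binaryInstallDir, err := os.MkdirTemp("", "nunki-genpolicy-")
	if err != nil {
		return fmt.Errorf("creating genpolicy install dir: %w", err)
	}
	// Remove the whole private directory rather than only the binary, so a
	// failed uninstall cannot leave an executable behind.
	defer func() {
		if err := os.RemoveAll(binaryInstallDir); err != nil {
			logger.Warn("Failed to remove genpolicy install dir", "err", err)
		}
	}()
	genpolicyInstall, err := embedbin.Install(binaryInstallDir, genpolicyBin)
	if err != nil {
		return fmt.Errorf("installing genpolicy: %w", err)
	}
	// … unchanged: per-file policy generation loop …
```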
@@ -1,10 +1,6 @@
 package main
 
-var (
-	genpolicyPath = "genpolicy"
-
-	// DefaultCoordinatorPolicyHash is derived from the coordinator release candidate and injected at release build time.
-	//
-	// It is intentionally left empty for dev builds.
-	DefaultCoordinatorPolicyHash = "" // TODO(burgerdev): actually inject something at build time.
-)
+// DefaultCoordinatorPolicyHash is derived from the coordinator release candidate and injected at release build time.
+//
+// It is intentionally left empty for dev builds.
+var DefaultCoordinatorPolicyHash = "" // TODO(burgerdev): actually inject something at build time.
diff --git a/packages/default.nix b/packages/default.nix
index bec64ccea4..18e1191357 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -45,6 +45,7 @@ rec {
       vendorHash = "sha256-dkFAlqAzVD82yWrrdscZumY4hP/XP3hn8CuZ0tkZuhg=";
 
       prePatch = ''
+        install -D ${lib.getExe genpolicy} cli/assets/genpolicy
         install -D ${genpolicy.settings-dev}/genpolicy-settings.json cli/assets/genpolicy-settings.json
         install -D ${genpolicy.rules}/genpolicy-rules.rego cli/assets/genpolicy-rules.rego
       '';
@@ -53,7 +54,6 @@ rec {
       ldflags = [
         "-s"
         "-w"
-        "-X main.genpolicyPath=${genpolicy}/bin/genpolicy"
       ];
 
       preCheck = ''