genpolicy: backport path handling fixes to msft fork

cli/constants.go

@@ -13,7 +13,6 @@ const (
 	manifestFilename       = "manifest.json"
 	settingsFilename       = "settings.json"
 	rulesFilename          = "rules.rego"
-	policyDir              = "."
 	verifyDir              = "./verify"
 	cacheDirEnv            = "NUNKI_CACHE_DIR"
 )

cli/generate.go

@@ -52,7 +52,7 @@ func newGenerateCmd() *cobra.Command {
 		RunE: runGenerate,
 	}
 
-	cmd.Flags().StringP("policy", "p", policyDir, "path to policy (.rego) file")
+	cmd.Flags().StringP("policy", "p", rulesFilename, "path to policy (.rego) file")
 	cmd.Flags().StringP("settings", "s", settingsFilename, "path to settings (.json) file")
 	cmd.Flags().StringP("manifest", "m", manifestFilename, "path to manifest (.json) file")
 	cmd.Flags().StringArrayP("workload-owner-key", "w", []string{workloadOwnerPEM}, "path to workload owner key (.pem) file")
@@ -188,11 +188,11 @@ func filterNonCoCoRuntime(runtimeClassName string, paths []string, logger *slog.
 	return filtered
 }
 
-func generatePolicies(ctx context.Context, regoPath, policyPath string, yamlPaths []string, logger *slog.Logger) error {
-	if err := createFileWithDefault(filepath.Join(regoPath, policyPath), func() ([]byte, error) { return defaultGenpolicySettings, nil }); err != nil {
+func generatePolicies(ctx context.Context, regoRulesPath, policySettingsPath string, yamlPaths []string, logger *slog.Logger) error {
+	if err := createFileWithDefault(policySettingsPath, func() ([]byte, error) { return defaultGenpolicySettings, nil }); err != nil {
 		return fmt.Errorf("creating default policy file: %w", err)
 	}
-	if err := createFileWithDefault(filepath.Join(regoPath, rulesFilename), func() ([]byte, error) { return defaultRules, nil }); err != nil {
+	if err := createFileWithDefault(regoRulesPath, func() ([]byte, error) { return defaultRules, nil }); err != nil {
 		return fmt.Errorf("creating default policy.rego file: %w", err)
 	}
 	binaryInstallDir, err := installDir()
@@ -209,7 +209,7 @@ func generatePolicies(ctx context.Context, regoPath, policyPath string, yamlPath
 		}
 	}()
 	for _, yamlPath := range yamlPaths {
-		policyHash, err := generatePolicyForFile(ctx, genpolicyInstall.Path(), regoPath, policyPath, yamlPath, logger)
+		policyHash, err := generatePolicyForFile(ctx, genpolicyInstall.Path(), regoRulesPath, policySettingsPath, yamlPath, logger)
 		if err != nil {
 			return fmt.Errorf("failed to generate policy for %s: %w", yamlPath, err)
 		}
@@ -263,8 +263,8 @@ func generatePolicyForFile(ctx context.Context, genpolicyPath, regoPath, policyP
 	args := []string{
 		"--raw-out",
 		"--use-cached-files",
-		fmt.Sprintf("--input-files-path=%s", regoPath),
-		fmt.Sprintf("--settings-file-name=%s", policyPath),
+		fmt.Sprintf("--rego-rules-path=%s", regoPath),
+		fmt.Sprintf("--json-settings-path=%s", policyPath),
 		fmt.Sprintf("--yaml-file=%s", yamlPath),
 	}
 	genpolicy := exec.CommandContext(ctx, genpolicyPath, args...)

justfile

@@ -39,8 +39,8 @@ generate target=default_deploy_target:
     t=$(date +%s)
     nix run .#cli -- generate \
         -m ./{{ workspace_dir }}/manifest.json \
-        -p ./{{ workspace_dir }} \
-        -s genpolicy-msft.json \
+        -p ./{{ workspace_dir }}/rules.rego \
+        -s ./{{ workspace_dir }}/genpolicy-msft.json \
         ./{{ workspace_dir }}/deployment/*.yml > ./{{ workspace_dir }}/just.coordinator-policy-hash
     duration=$(( $(date +%s) - $t ))
     echo "Generated policies in $duration seconds."

packages/genpolicy_msft.nix

@@ -1,6 +1,7 @@
 { lib
 , fetchFromGitHub
 , fetchurl
+, fetchpatch
 , applyPatches
 , rustPlatform
 , openssl
@@ -17,13 +18,28 @@ rustPlatform.buildRustPackage rec {
   src = fetchFromGitHub {
     owner = "microsoft";
     repo = "kata-containers";
-    rev = "genpolicy-${version}";
-    hash = "sha256-R+kiyG3xLsoLBVTy1lmmqvDgoQuqfcV3DkfQtRCiYCw=";
+    # Latest released version of genpolicy
+    # is too old for the path handling patch.
+    # Using a commit from main for now.
+    # rev = "genpolicy-${version}";
+    rev = "401db3a3e75c699422537551e7862cd510fb68b0";
+    hash = "sha256-dyYGGQPGWe6oVcAa48Kr/SsdSpUhwQZrRQ2d54BIac8=";
   };
 
+  patches = [
+    # TODO(malt3): drop this patch when msft fork adopted this from upstream
+    (fetchpatch {
+      name = "genpolicy_path_handling.patch";
+      url = "https://github.com/kata-containers/kata-containers/commit/befef119ff4df2868cdc88d4273c8be965387793.patch";
+      sha256 = "sha256-4pfYrP9KaPVcrFbm6DkiZUNckUq0fKWZPfCONW8/kso=";
+    })
+  ];
+
+  patchFlags = [ "-p4" ];
+
   sourceRoot = "${src.name}/src/tools/genpolicy";
 
-  cargoHash = "sha256-MRVtChYQkiU92n/z+5r4ge58t9yVeOCdqs0zx81IQUY=";
+  cargoHash = "sha256-WRSDqrOgSZVcJGN7PuyIqqmOSbrob75QNE2Ztb1L9Ww=";
 
   OPENSSL_NO_VENDOR = 1;