Add proto validation for RuleType

[rdimitrov]

Summary

Ref https://github.com/stacklok/minder-stories/issues/94

Change Type

Mark the type of change your PR introduces:

• Bug fix (resolves an issue without affecting existing features)
• Feature (adds new functionality without breaking changes)
• Breaking change (may impact existing functionalities or require documentation updates)
• Documentation (updates or additions to documentation)
• Refactoring or test improvements (no bug fixes or new functionality)

Testing

Outline how the changes were tested, including steps to reproduce and any relevant configurations.
Attach screenshots if helpful.

Review Checklist:

• Reviewed my own code for quality and clarity.
• Added comments to complex or tricky code sections.
• Updated any affected documentation.
• Included tests that validate the fix or feature.
• Checked that related changes are merged.

[coveralls]

coverage: 54.762% (+0.007%) from 54.755%
when pulling 9d2b131 on validate-ruletype
into 2683161 on main.

[evankanderson]

I only got partway through, this is a big one.

[evankanderson]

I'm not sure what this is trying to match. This may be a case where we can't qualify the contents or need to use CEL to do so.

[rdimitrov]

Yes, it's supposed to be JSON there. so I added the following ^\\s*\\{[\\s\\S]*\\}\\s*$ which should check for opening/closing bracket and match any character including new lines

[evankanderson]

I wonder what .bool means here.

[rdimitrov]

I think it's perhaps pool or a typo?

[evankanderson]

I suspect it's a typo. Want to fix it?

[evankanderson]

Is this a "URI with Go template values embedded"? Again, CEL might be an option, or combining prefix with some other expressions.

[rdimitrov]

Yes, I updated it to "^(https?:\\/\\/)?[a-zA-Z0-9._-]+(\\/[a-zA-Z0-9._{}\\/-]*)?$" which should allow for:

• "https://api.something.com"
• "https://api.something.com/path/to/resource"
• "/repos/{{.Entity.Owner}}/{{.Entity.Name}}/branches/main"
• "{{ $branch_param := index .Params "branch" }}/repos/{{.Entity.Owner}}/{{.Entity.Name}}"

[evankanderson]

Prefer in

Is capitalization important?

[rdimitrov]

Thanks, made it case insensitive 👍

[rdimitrov]

in doesn't work though as I couldn't find an option to ignore casing in parallel 👍 The other way was to expand the list with upper and lower case values which seems odd

[evankanderson]

You probably want to limit the RHS to avoid \n, among others.

[rdimitrov]

Adressed 👍

[evankanderson]

^[[:word:]./-]+$?

[evankanderson]

Again, I'd prefer just v1 than v1.1.7 here for now.

[rdimitrov]

Fixed 👍

[evankanderson]

Is this markdown, or plain-text?

[rdimitrov]

It should be markdown

[evankanderson]

This may be a case where we want to simply say "this field is markdown", and then do validation in the code, rather than via annotation.

[rdimitrov]

Removed the pattern check but left the length one 👍

[evankanderson]

Should this use in, or are there more types?

[rdimitrov]

I think there are, i.e. recently we added yq I believe

[evankanderson]

If this is still a small enum, I'd use those values, as it also provides documentation.

[rdimitrov]

Refactored it to using in 👍

[evankanderson]

Hey, this would have fixed my bad ruletype debugging experience! Thank you!

[evankanderson]

Do we need to accommodate " or array access ([])?

[rdimitrov]

Fixed 👍

[evankanderson]

Okay, I got through the rest of this one.

At some point, we should look at creating predefined constraints for a lot of our use cases. For example:

• rule_type_name, markdown_with_go_templates, profile_name, file_name etc.

I wouldn't do that here at this point, because it looks like it might be a lot of toolchaining, but we should leave a note somewhere for when someone is looking for a mid-sized cleanup project.

[evankanderson]

Suggested change

	pattern: "^(\\./)?([a-zA-Z0-9_]+\\/)*[a-zA-Z0-9_]+(\\.[a-zA-Z0-9]+)?$",
	pattern: "^(\\./)?([[:word:]]+\\/)*[[:word:]]+(\\.[[:alnum:]]+)?$",

Though, it seems like we should allow for . to show up in other file parts, so maybe:

Suggested change

	pattern: "^(\\./)?([a-zA-Z0-9_]+\\/)*[a-zA-Z0-9_]+(\\.[a-zA-Z0-9]+)?$",
	pattern: "^([[:word:].]+\\/)*[[:word:].]+$",

[evankanderson]

This may be a case where we want to simply say "this field is markdown", and then do validation in the code, rather than via annotation.

[evankanderson]

If this is still a small enum, I'd use those values, as it also provides documentation.

[evankanderson]

Do we allow uppercase letters here? I know that GitHub prefers lower_with_underscores, but I think these could also be camelCase.

[rdimitrov]

Updated it to allow for camelCase 👍

[evankanderson]

Can we use:

Suggested change

	pattern: "^[a-z]+(_[a-z]+)*$",
	in: ["deny-by-default", "constraints"]

[evankanderson]

Hmm, this is tricky, because it's arbitrary content, but in a structured format that may be interpreted by the rest of our rules.

I don't think we can do much here now, but we'll get a fun bug at some point later.

[rdimitrov]

yes 👍 I wonder if we should cover this by having custom validation functions or by updating our API to expect a better defined field for this

[evankanderson]

Maybe:

Suggested change

	pattern: "^[a-z]+(_[a-z]+)*$",
	in: ["security_advisory"]

[rdimitrov]

Applied 👍

[evankanderson]

This is a Severity enum as a string:

Suggested change

	pattern: "^[a-z]+(_[a-z]+)*$",
	in: ["unknown", "info", "low", "medium", "high", "critical"]

[rdimitrov]

Applied 👍

[evankanderson]

Again, this is markdown, so we can do this for now, but we may need to parse in Go code.

[rdimitrov]

Removed the pattern validation 👍

[evankanderson]

Again, I think this is markdown. We should add to the comment in all the markdown cases, saying:

This value should be rendered as markdown.

[rdimitrov]

Removed the pattern validation 👍

[evankanderson]

Just a few more comments, but I'm not sure they are blocking, you could probably revisit them in a future PR.

[evankanderson]

I suspect it's a typo. Want to fix it?

[evankanderson]

Is this trying to say "valid JSON"? This pattern doesn't seem meaningful.

[evankanderson]

I'm going to let this pass for now, but we should prefer a positive expression. From https://www.rfc-editor.org/rfc/rfc7230#section-3.2 :

Suggested change

	pattern: "^[a-zA-Z0-9-]+: [^\n\r]+$",
	pattern: "^[a-zA-Z0-9-]+:[[:graph:][:blank:]]+$",

[evankanderson]

Again, I think this is "is JSON", which I'd just leave as a comment here.

[evankanderson]

We don't want to allow . in the filename for the depfile path or multiple dots in the requirements file? (The python "standard" for development dependencies is requirements-dep.txt, but given how loose that standard is, I could see requirements.dep.txt slipping in.)

[rdimitrov]

yeah, I wasn't sure about this too, but I'm okay to leave it for now because of the reasons you mentioned 👍

[evankanderson]

No pattern here? That could be okay, given that GitHub will validate this, but you should put a comment as to why no pattern.

[evankanderson]

Again, add a comment that this is markdown?

[evankanderson]

Ditto on the markdown comment.