Let policy flag accept directories.

crates/weaver_checker/data/multi-policies/otel_policies.rego

@@ -0,0 +1,79 @@
+package before_resolution
+
+# Conventions for OTel:
+# - `data` holds the current released semconv, which is known to be valid.
+# - `input` holds the new candidate semconv version, whose validity is unknown.
+#
+# Note: `data` and `input` are predefined variables in Rego.
+
+# ========= Violation rules applied on unresolved semconv files =========
+
+# A registry `attribute_group` containing at least one `ref` attribute is
+# considered invalid.
+deny[attr_registry_violation("registry_with_ref_attr", group.id, attr.ref)] {
+    group := input.groups[_]
+    startswith(group.id, "registry.")
+    attr := group.attributes[_]
+    attr.ref != null
+}
+
+# An attribute whose stability is not `deprecated` but has the deprecated field
+# set to true is invalid.
+deny[attr_violation("attr_stability_deprecated", group.id, attr.id)] {
+    group := input.groups[_]
+    attr := group.attributes[_]
+    attr.stability != "deprecaded"
+    attr.deprecated
+}
+
+# An attribute cannot be removed from a group that has already been released.
+deny[schema_evolution_violation("attr_removed", old_group.id, old_attr.id)] {
+    old_group := data.groups[_]
+    old_attr := old_group.attributes[_]
+    not attr_exists_in_new_group(old_group.id, old_attr.id)
+}
+
+
+# ========= Helper functions =========
+
+# Check if an attribute from the old group exists in the new
+# group's attributes
+attr_exists_in_new_group(group_id, attr_id) {
+    new_group := input.groups[_]
+    new_group.id == group_id
+    attr := new_group.attributes[_]
+    attr.id == attr_id
+}
+
+# Build an attribute registry violation
+attr_registry_violation(violation_id, group_id, attr_id) = violation {
+    violation := {
+        "id": violation_id,
+        "type": "semconv_attribute",
+        "category": "attrigute_registry",
+        "group": group_id,
+        "attr": attr_id,
+    }
+}
+
+# Build an attribute violation
+attr_violation(violation_id, group_id, attr_id) = violation {
+    violation := {
+        "id": violation_id,
+        "type": "semconv_attribute",
+        "category": "attrigute",
+        "group": group_id,
+        "attr": attr_id,
+    }
+}
+
+# Build a schema evolution violation
+schema_evolution_violation(violation_id, group_id, attr_id) = violation {
+    violation := {
+        "id": violation_id,
+        "type": "semconv_attribute",
+        "category": "schema_evolution",
+        "group": group_id,
+        "attr": attr_id,
+    }
+}

crates/weaver_checker/data/multi-policies/otel_policies_2.rego

@@ -0,0 +1,79 @@
+package before_resolution
+
+# Conventions for OTel:
+# - `data` holds the current released semconv, which is known to be valid.
+# - `input` holds the new candidate semconv version, whose validity is unknown.
+#
+# Note: `data` and `input` are predefined variables in Rego.
+
+# ========= Violation rules applied on unresolved semconv files =========
+
+# A registry `attribute_group` containing at least one `ref` attribute is
+# considered invalid.
+deny[attr_registry_violation("registry_with_ref_attr", group.id, attr.ref)] {
+    group := input.groups[_]
+    startswith(group.id, "registry.")
+    attr := group.attributes[_]
+    attr.ref != null
+}
+
+# An attribute whose stability is not `deprecated` but has the deprecated field
+# set to true is invalid.
+deny[attr_violation("attr_stability_deprecated", group.id, attr.id)] {
+    group := input.groups[_]
+    attr := group.attributes[_]
+    attr.stability != "deprecaded"
+    attr.deprecated
+}
+
+# An attribute cannot be removed from a group that has already been released.
+deny[schema_evolution_violation("attr_removed", old_group.id, old_attr.id)] {
+    old_group := data.groups[_]
+    old_attr := old_group.attributes[_]
+    not attr_exists_in_new_group(old_group.id, old_attr.id)
+}
+
+
+# ========= Helper functions =========
+
+# Check if an attribute from the old group exists in the new
+# group's attributes
+attr_exists_in_new_group(group_id, attr_id) {
+    new_group := input.groups[_]
+    new_group.id == group_id
+    attr := new_group.attributes[_]
+    attr.id == attr_id
+}
+
+# Build an attribute registry violation
+attr_registry_violation(violation_id, group_id, attr_id) = violation {
+    violation := {
+        "id": violation_id,
+        "type": "semconv_attribute",
+        "category": "attrigute_registry",
+        "group": group_id,
+        "attr": attr_id,
+    }
+}
+
+# Build an attribute violation
+attr_violation(violation_id, group_id, attr_id) = violation {
+    violation := {
+        "id": violation_id,
+        "type": "semconv_attribute",
+        "category": "attrigute",
+        "group": group_id,
+        "attr": attr_id,
+    }
+}
+
+# Build a schema evolution violation
+schema_evolution_violation(violation_id, group_id, attr_id) = violation {
+    violation := {
+        "id": violation_id,
+        "type": "semconv_attribute",
+        "category": "schema_evolution",
+        "group": group_id,
+        "attr": attr_id,
+    }
+}

crates/weaver_checker/src/lib.rs

@@ -5,6 +5,7 @@
 
 use std::collections::HashSet;
 use std::fmt::{Display, Formatter};
+use std::fs::metadata;
 use std::path::Path;
 
 use globset::Glob;
@@ -43,6 +44,24 @@
         error: String,
     },
 
+    /// An unsupported policy path.
+    #[error("Invalid policy path '{path}'")]
+    #[diagnostic(help("The specified path is neither a file nor a directory.”"))]
+    UnsupportedPolicyPath {
+        /// The path that caused the error.
+        path: String,
+    },
+
+    /// Unable to access policy path.
+    #[error("Invalid policy path '{path}'")]
+    #[diagnostic(help("Verify that the specified path exists and has the appropriate permissions."))]
+    AccessDenied {
+        /// The path that caused the error.
+        path: String,
+        /// The error that occurred.
+        error: String,
+    },
+
     /// An invalid policy glob pattern.
     #[error("Invalid policy glob pattern '{pattern}', error: {error})")]
     #[diagnostic(
@@ -205,6 +224,41 @@
         Ok(policy_package)
     }
 
+    /// Adds a policy files to the policy engine. If path is a directory it will add any file matching *.rego
+    /// A policy file is a `rego` file that contains the policies to be evaluated.
+    ///
+    /// # Arguments
+    ///
+    /// * `policy_path` - The path to the policy file or directory.
+    ///
+    /// # Returns
+    ///
+    /// The policy package name.
+    pub fn add_policy_from_file_or_dir<P: AsRef<Path>>(
+        &mut self,
+        policy_path: P,
+    ) -> Result<(), Error> {
+        let path = policy_path.as_ref();
+
+        let md = metadata(path).map_err(|err| Error::AccessDenied {
+            path: path.to_string_lossy().to_string(),
+            error: err.to_string(),
+        })?;
+        match (md.is_file(), md.is_dir()) {
+            (true, _) => {
+                _ = self.add_policy_from_file(path)?;
+            }
+            (false, true) => {
+                _ = self.add_policies(path, "*.rego")?;
+            }
+            _ => {
+                return Err(Error::UnsupportedPolicyPath {
+                    path: path.to_string_lossy().to_string(),
+                });
+            }
+        };
+        Ok(())
+    }
     /// Adds a policy file to the policy engine.
     /// A policy file is a `rego` file that contains the policies to be evaluated.
     ///
@@ -558,4 +612,16 @@
             panic!("Expected a CompoundError");
         }
     }
+
+    #[test]
+    fn test_policy_from_file_or_dir() -> Result<(), Box<dyn std::error::Error>> {
+        let mut engine = Engine::new();
+        _ = engine.add_policy_from_file_or_dir("data/policies/otel_policies.rego")?;
+        assert_eq!(1, engine.policy_package_count);
+
+        _ = engine.add_policy_from_file_or_dir("data/multi-policies")?;
+        // TODO: add_policies double counts the number of files it adds.
+        assert_eq!(5, engine.policy_package_count);
+        Ok(())
+    }
 }

src/util.rs

@@ -78,9 +78,8 @@ pub(crate) fn init_policy_engine(
 
     // Add policies from the command line
     for policy in policies {
-        _ = engine.add_policy_from_file(policy)?;
+        engine.add_policy_from_file_or_dir(policy)?;
     }
-
     Ok(engine)
 }