Support policies in buf.lock

Author: emcfarlane

private/bufpkg/bufconfig/buf_lock_file.go

@@ -81,6 +81,23 @@ type BufLockFile interface {
 	// Files with FileVersionV1Beta1 or FileVersionV1 will not have PluginKeys.
 	// Only files with FileVersionV2 will have PluginKeys with Digests of DigestTypeP1.
 	RemotePluginKeys() []bufplugin.PluginKey
+	// RemotePolicyKeys returns the PolicyKeys representing the remote policies as specified in the buf.lock file.
+	//
+	// All PolicyKeys will have unique FullNames.
+	// PolicyKeys are sorted by FullName.
+	//
+	// Files with FileVersionV1Beta1 or FileVersionV1 will not have PolicyKeys.
+	// Only files with FileVersionV2 will have PolicyKeys with Digests of DigestTypeP1.
+	RemotePolicyKeys() []bufpolicy.PolicyKey
+	// RemotePluginKeysForPolicy returns the PluginKeys representing the remote plugins as specified in the buf.lock file
+	// for the given policy.
+	//
+	// All PluginKeys will have unique FullNames.
+	// PluginKeys are sorted by FullName.
+	//
+	// Files with FileVersionV1Beta1 or FileVersionV1 will not have PluginKeys.
+	// Only files with FileVersionV2 will have PluginKeys with Digests of DigestTypeP1.
+	RemotePluginKeysForPolicy(bufpolicy.PluginKey) []bufplugin.PluginKey
 
 	isBufLockFile()
 }
@@ -190,17 +207,21 @@ func BufLockFileWithDigestResolver(
 // *** PRIVATE ***
 
 type bufLockFile struct {
-	fileVersion      FileVersion
-	objectData       ObjectData
-	depModuleKeys    []bufmodule.ModuleKey
-	remotePluginKeys []bufplugin.PluginKey
+	fileVersion               FileVersion
+	objectData                ObjectData
+	depModuleKeys             []bufmodule.ModuleKey
+	remotePluginKeys          []bufplugin.PluginKey
+	remotePolicyKeys          []bufpolicy.PolicyKey
+	remotePluginKeysForPolicy map[bufpolicy.PluginKey][]bufplugin.PluginKey
 }
 
 func newBufLockFile(
 	fileVersion FileVersion,
 	objectData ObjectData,
 	depModuleKeys []bufmodule.ModuleKey,
 	remotePluginKeys []bufplugin.PluginKey,
+	remotePolicyKeys []bufpolicy.PolicyKey,
+	remotePluginKeysForPolicy map[string][]bufplugin.PluginKey,
 ) (*bufLockFile, error) {
 	if err := validateNoDuplicateModuleKeysByFullName(depModuleKeys); err != nil {
 		return nil, err
@@ -216,13 +237,22 @@ func newBufLockFile(
 		if len(remotePluginKeys) > 0 {
 			return nil, errors.New("remote plugins are not supported in v1 or v1beta1 buf.lock files")
 		}
+		if len(remotePolicyKeys) > 0 || len(remotePluginKeysForPolicy) > 0 {
+			return nil, errors.New("remote policies are not supported in v1 or v1beta1 buf.lock files")
+		}
 	case FileVersionV2:
 		if err := validateModuleExpectedDigestType(depModuleKeys, fileVersion, bufmodule.DigestTypeB5); err != nil {
 			return nil, err
 		}
 		if err := validatePluginExpectedDigestType(remotePluginKeys, fileVersion, bufplugin.DigestTypeP1); err != nil {
 			return nil, err
 		}
+		if err := validatePolicyExpectedDigestType(remotePolicyKeys, fileVersion, bufpolicy.DigestTypeP1); err != nil {
+			return nil, err
+		}
+		if err := validatePluginKeysForPolicy(remotePluginKeysForPolicy, fileVersion); err != nil {
+			return nil, err
+		}
 	default:
 		return nil, syserror.Newf("unknown FileVersion: %v", fileVersion)
 	}
@@ -273,6 +303,17 @@ func (l *bufLockFile) RemotePluginKeys() []bufplugin.PluginKey {
 	return l.remotePluginKeys
 }
 
+func (l *bufLockFile) RemotePolicyKeys() []bufpolicy.PolicyKey {
+	return l.remotePolicyKeys
+}
+
+func (l *bufLockFile) RemotePluginKeysForPolicy(pluginKey bufpolicy.PluginKey) []bufplugin.PluginKey {
+	if l.remotePluginKeysForPolicy == nil {
+		return nil
+	}
+	return l.remotePluginKeysForPolicy[pluginKey.String()]
+}
+
 func (*bufLockFile) isBufLockFile() {}
 func (*bufLockFile) isFile()        {}
 func (*bufLockFile) isFileInfo()    {}
@@ -346,7 +387,7 @@ func readBufLockFile(
 			}
 			depModuleKeys[i] = depModuleKey
 		}
-		return newBufLockFile(fileVersion, objectData, depModuleKeys, nil /* remotePluginKeys */)
+		return newBufLockFile(fileVersion, objectData, depModuleKeys, nil /* remotePluginKeys */, nil /* remotePolicyKeys */, nil /* remotePluginKeysForPolicy */)
 	case FileVersionV2:
 		var externalBufLockFile externalBufLockFileV2
 		if err := getUnmarshalStrict(allowJSON)(data, &externalBufLockFile); err != nil {
@@ -387,44 +428,92 @@ func readBufLockFile(
 			}
 			depModuleKeys[i] = depModuleKey
 		}
-		remotePluginKeys := make([]bufplugin.PluginKey, len(externalBufLockFile.Plugins))
-		for i, plugin := range externalBufLockFile.Plugins {
-			if plugin.Name == "" {
-				return nil, errors.New("no plugin name specified")
+		remotePluginKeys, err := parseRemotePluginDeps(externalBufLockFile.Plugins)
+		if err != nil {
+			return nil, err
+		}
+		remotePolicyKeys := make([]bufpolicy.PolicyKey, len(externalBufLockFile.Policies))
+		remotePluginKeysForPolicy := make(map[string][]bufplugin.PluginKey)
+		for i, policy := range externalBufLockFile.Policies {
+			if policy.Name == "" {
+				return nil, errors.New("no policy name specified")
 			}
-			pluginFullName, err := bufparse.ParseFullName(plugin.Name)
+			policyFullName, err := bufparse.ParseFullName(policy.Name)
 			if err != nil {
-				return nil, fmt.Errorf("invalid plugin name: %w", err)
+				return nil, fmt.Errorf("invalid policy name: %w", err)
 			}
-			if plugin.Commit == "" {
-				return nil, fmt.Errorf("no commit specified for plugin %s", pluginFullName.String())
+			if policy.Commit == "" {
+				return nil, fmt.Errorf("no commit specified for policy %s", policyFullName.String())
 			}
-			if plugin.Digest == "" {
-				return nil, fmt.Errorf("no digest specified for plugin %s", pluginFullName.String())
+			if policy.Digest == "" {
+				return nil, fmt.Errorf("no digest specified for policy %s", policyFullName.String())
 			}
-			commitID, err := uuidutil.FromDashless(plugin.Commit)
+			commitID, err := uuidutil.FromDashless(policy.Commit)
 			if err != nil {
 				return nil, err
 			}
-			pluginKey, err := bufplugin.NewPluginKey(
-				pluginFullName,
+			policyKey, err := bufpolicy.NewpolicyKey(
+				policyFullName,
 				commitID,
-				func() (bufplugin.Digest, error) {
-					return bufplugin.ParseDigest(plugin.Digest)
+				func() (bufpolicy.Digest, error) {
+					return bufpolicy.ParseDigest(policy.Digest)
 				},
 			)
 			if err != nil {
 				return nil, err
 			}
-			remotePluginKeys[i] = pluginKey
+			remotePolicyKeys[i] = policyKey
+			// Parse the plugins for this policy.
+			remotePluginKeys, err := parseRemotePluginDeps(policy.Plugins)
+			if err != nil {
+				return nil, fmt.Errorf("invalid plugins for policy %q: %w", policyFullName.String(), err)
+			}
+			if len(remotePluginKeys) > 0 {
+				remotePluginKeysForPolicy[policyKey.String()] = remotePluginKeys
+			}
 		}
-		return newBufLockFile(fileVersion, objectData, depModuleKeys, remotePluginKeys)
+		return newBufLockFile(fileVersion, objectData, depModuleKeys, remotePluginKeys, remotePolicyKeys, remotePluginKeysForPolicy)
 	default:
 		// This is a system error since we've already parsed.
 		return nil, syserror.Newf("unknown FileVersion: %v", fileVersion)
 	}
 }
 
+func parseRemotePluginDeps(pluginDeps []externalBufLockFileDepV2) ([]bufplugin.PluginKey, error) {
+	remotePluginKeys := make([]bufplugin.PluginKey, len(pluginDeps))
+	for i, plugin := range pluginDeps {
+		if plugin.Name == "" {
+			return nil, errors.New("no plugin name specified")
+		}
+		pluginFullName, err := bufparse.ParseFullName(plugin.Name)
+		if err != nil {
+			return nil, fmt.Errorf("invalid plugin name: %w", err)
+		}
+		if plugin.Commit == "" {
+			return nil, fmt.Errorf("no commit specified for plugin %s", pluginFullName.String())
+		}
+		if plugin.Digest == "" {
+			return nil, fmt.Errorf("no digest specified for plugin %s", pluginFullName.String())
+		}
+		commitID, err := uuidutil.FromDashless(plugin.Commit)
+		if err != nil {
+			return nil, err
+		}
+		pluginKey, err := bufplugin.NewPluginKey(
+			pluginFullName,
+			commitID,
+			func() (bufplugin.Digest, error) {
+				return bufplugin.ParseDigest(plugin.Digest)
+			},
+		)
+		if err != nil {
+			return nil, err
+		}
+		remotePluginKeys[i] = pluginKey
+	}
+	return remotePluginKeys, nil
+}
+
 func writeBufLockFile(
 	writer io.Writer,
 	bufLockFile BufLockFile,
@@ -609,6 +698,45 @@ func validatePluginExpectedDigestType(
 	return nil
 }
 
+func validatePolicyExpectedDigestType(
+	policyKeys []bufpolicy.PolicyKey,
+	fileVersion FileVersion,
+	expectedDigestType bufpolicy.DigestType,
+) error {
+	for _, policyKey := range policyKeys {
+		digest, err := policyKey.Digest()
+		if err != nil {
+			return err
+		}
+		if digest.Type() != expectedDigestType {
+			return fmt.Errorf(
+				"%s lock files must use digest type %v, but remote policy %s had a digest type of %v",
+				fileVersion,
+				expectedDigestType,
+				policyKey.String(),
+				digest.Type(),
+			)
+		}
+	}
+	return nil
+}
+
+func validatePluginKeysForPolicy(
+	pluginKeysForPolicy map[bufplugin.PluginKey][]bufplugin.PluginKey,
+	fileVersion FileVersion,
+	expectedDigestType bufplugin.DigestType,
+) error {
+	for policyKey, pluginKeys := range pluginKeysForPolicy {
+		if err := validateNoDuplicatePluginKeysByFullName(pluginKeys); err != nil {
+			return fmt.Errorf("duplicate plugins attempted to be added to policy %q: %w", policyKey.String(), err)
+		}
+		if err := validatePluginExpectedDigestType(pluginKeys, fileVersion, expectedDigestType); err != nil {
+			return fmt.Errorf("invalid plugins for policy %q: %w", policyKey.String(), err)
+		}
+	}
+	return nil
+}
+
 // externalBufLockFileV1Beta1V1 represents the v1 or v1beta1 buf.lock file,
 // which have the same shape.
 type externalBufLockFileV1Beta1V1 struct {
@@ -631,9 +759,10 @@ type externalBufLockFileDepV1Beta1V1 struct {
 
 // externalBufLockFileV2 represents the v2 buf.lock file.
 type externalBufLockFileV2 struct {
-	Version string                     `json:"version,omitempty" yaml:"version,omitempty"`
-	Deps    []externalBufLockFileDepV2 `json:"deps,omitempty" yaml:"deps,omitempty"`
-	Plugins []externalBufLockFileDepV2 `json:"plugins,omitempty" yaml:"plugins,omitempty"`
+	Version  string                        `json:"version,omitempty" yaml:"version,omitempty"`
+	Deps     []externalBufLockFileDepV2    `json:"deps,omitempty" yaml:"deps,omitempty"`
+	Plugins  []externalBufLockFileDepV2    `json:"plugins,omitempty" yaml:"plugins,omitempty"`
+	Policies []externalBufLockFilePolicyV2 `json:"policies,omitempty" yaml:"policies,omitempty"`
 }
 
 // externalBufLockFileDepV2 represents a single dep within a v2 buf.lock file.
@@ -644,6 +773,11 @@ type externalBufLockFileDepV2 struct {
 	Digest string `json:"digest,omitempty" yaml:"digest,omitempty"`
 }
 
+type externalBufLockFilePolicyV2 struct {
+	externalBufLockFileDepV2
+	Plugins []externalBufLockFileDepV2 `json:"plugins,omitempty" yaml:"plugins,omitempty"`
+}
+
 type bufLockFileOptions struct {
 	digestResolver func(
 		ctx context.Context,

private/bufpkg/bufconfig/buf_lock_file_test.go

@@ -0,0 +1,113 @@
+// Copyright 2020-2025 Buf Technologies, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package bufconfig
+
+import (
+	"bytes"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestReadWriteBufLockFileRoundTrip(t *testing.T) {
+	t.Parallel()
+
+	testReadWriteBufLockFileRoundTrip(
+		t,
+		// input
+		`version: v2
+`,
+		// expected output
+		`version: v2
+`,
+	)
+
+	testReadWriteBufLockFileRoundTrip(
+		t,
+		// input
+		`version: v2
+deps:
+  - name: buf.testing/acme/date
+    commit: ffded0b4cf6b47cab74da08d291a3c2f
+    digest: b5:24ed4f13925cf89ea0ae0127fa28540704c7ae14750af027270221b737a1ce658f8014ca2555f6f7fcd95ea84e071d33f37f86cc36d07fe0d0963329a5ec2462
+  - name: buf.testing/acme/extension
+    commit: b8488077ea6d4f6d9562a337b98259c8
+    digest: b5:d2c1da8f8331c5c75b50549c79fc360394dedfb6a11f5381c4523592018964119f561088fc8aaddfc9f5773ba02692e6fd9661853450f76a3355dec62c1f57b4
+plugins:
+  - name: buf.testing/acme/plugin
+    commit: ffded0b4cf6b47cab74da08d291a3c2f
+    digest: b5:24ed4f13925cf89ea0ae0127fa28540704c7ae14750af027270221b737a1ce658f8014ca2555f6f7fcd95ea84e071d33f37f86cc36d07fe0d0963329a5ec2462
+policies:
+  - name: buf.testing/acme/policy
+    commit: b8488077ea6d4f6d9562a337b98259c8
+    digest: b5:24ed4f13925cf89ea0ae0127fa28540704c7ae14750af027270221b737a1ce658f8014ca2555f6f7fcd95ea84e071d33f37f86cc36d07fe0d0963329a5ec2462
+    plugins:
+      - name: buf.testing/acme/plugin
+        commit: ffded0b4cf6b47cab74da08d291a3c2f
+        digest: b5:24ed4f13925cf89ea0ae0127fa28540704c7ae14750af027270221b737a1ce658f8014ca2555f6f7fcd95ea84e071d33f37f86cc36d07fe0d0963329a5ec2462
+`,
+		// expected output
+		`version: v2
+deps:
+  - name: buf.testing/acme/date
+    commit: ffded0b4cf6b47cab74da08d291a3c2f
+    digest: b5:24ed4f13925cf89ea0ae0127fa28540704c7ae14750af027270221b737a1ce658f8014ca2555f6f7fcd95ea84e071d33f37f86cc36d07fe0d0963329a5ec2462
+  - name: buf.testing/acme/extension
+    commit: b8488077ea6d4f6d9562a337b98259c8
+    digest: b5:d2c1da8f8331c5c75b50549c79fc360394dedfb6a11f5381c4523592018964119f561088fc8aaddfc9f5773ba02692e6fd9661853450f76a3355dec62c1f57b4
+plugins:
+  - name: buf.testing/acme/plugin
+    commit: ffded0b4cf6b47cab74da08d291a3c2f
+    digest: b5:24ed4f13925cf89ea0ae0127fa28540704c7ae14750af027270221b737a1ce658f8014ca2555f6f7fcd95ea84e071d33f37f86cc36d07fe0d0963329a5ec2462
+policies:
+  - name: buf.testing/acme/policy
+    commit: ffded0b4cf6b47cab74da08d291a3c2f
+    digest: b5:24ed4f13925cf89ea0ae0127fa28540704c7ae14750af027270221b737a1ce658f8014ca2555f6f7fcd95ea84e071d33f37f86cc36d07fe0d0963329a5ec2462
+    plugins:
+      - name: buf.testing/acme/plugin
+        commit: ffded0b4cf6b47cab74da08d291a3c2f
+        digest: b5:24ed4f13925cf89ea0ae0127fa28540704c7ae14750af027270221b737a1ce658f8014ca2555f6f7fcd95ea84e071d33f37f86cc36d07fe0d0963329a5ec2462
+`,
+	)
+
+}
+
+func testReadBufLockFile(
+	t *testing.T,
+	inputBufLockFileData string,
+) BufLockFile {
+	bufLockFile, err := ReadBufLockFile(
+		t.Context(),
+		strings.NewReader(testCleanYAMLData(inputBufLockFileData)),
+		defaultBufPolicyYAMLFileName,
+	)
+	require.NoError(t, err)
+	return bufLockFile
+}
+
+func testReadWriteBufLockFileRoundTrip(
+	t *testing.T,
+	inputBufLockFileData string,
+	expectedOutputBufLockFileData string,
+) {
+	bufLockFile := testReadBufLockFile(t, inputBufLockFileData)
+	buffer := bytes.NewBuffer(nil)
+	err := WriteBufLockFile(buffer, bufLockFile)
+	require.NoError(t, err)
+	outputBufLockData := testCleanYAMLData(buffer.String())
+	assert.Equal(t, testCleanYAMLData(expectedOutputBufLockFileData), outputBufLockData, "output:\n%s", outputBufLockData)
+}