engine+reporter: enable print() output (#629)

Any `print()` calls that happened while a query was evaluated should now
be printed to stdout, with a "PRNT" label.

This depends on OPA 0.34.0.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

Author: srenatus

acceptance.bats

@@ -78,7 +78,7 @@
 }
 
 @test "Verify command has trace flag" {
-    run ./conftest verify --policy ./examples/kubernetes/policy --trace
+  run ./conftest verify --policy ./examples/kubernetes/policy --trace
   [ "$status" -eq 0 ]
   [[ "$output" =~ "data.kubernetes.is_service" ]]
 }
@@ -92,8 +92,17 @@
     run ./conftest verify --policy ./examples/report/policy --policy ./examples/report/success --report fails
     [ "$status" -eq 0 ]
     [[ "${lines[0]}" =~ "data.main.test_no_missing_label: PASS" ]]
-    [[ "${lines[1]}" =~ "--------------------------------------------------------------------------------" ]]
-    [[ "${lines[2]}" =~ "PASS: 1/1" ]]
+    [[ "${lines[1]}" == "--------------------------------------------------------------------------------" ]]
+    [[ "${lines[2]}" == "PASS: 1/1" ]]
+}
+
+@test "Verify command has report flag - success with print output" {
+    run ./conftest verify --policy ./examples/report/policy_print --policy ./examples/report/success --report fails
+    [ "$status" -eq 0 ]
+    [[ "${lines[0]}" =~ "data.main.test_no_missing_label: PASS" ]]
+    [[ "${lines[2]}" == "--------------------------------------------------------------------------------" ]]
+    [[ "${lines[3]}" == "PASS: 1/1" ]]
+    [[ "${lines[1]}" == '  sample' ]]
 }
 
 @test "Verify command does not support report flag with table output" {
@@ -159,6 +168,12 @@
   [[ "$output" =~ "Terraform plan will change prohibited resources in the following namespaces: google_iam, google_container" ]]
 }
 
+@test "Supports print() output" {
+  run ./conftest test -p examples/report/policy_print/labels.rego examples/kubernetes/deployment.yaml --no-color
+  [ "$status" -eq 1 ]
+  [[ "${lines[0]}" == "PRNT   examples/report/policy_print/labels.rego:12: hello-kubernetes" ]]
+}
+
 @test "Can parse hcl1 files" {
   run ./conftest test -p examples/hcl1/policy/gke.rego examples/hcl1/gke.tf
   [ "$status" -eq 0 ]

examples/report/policy/labels.rego

@@ -11,5 +11,5 @@ deny[msg] {
 	input.kind = "Deployment"
 	not required_deployment_labels
 	trace("just testing notes flag")
-	msg = sprintf("%s must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels", [name])
+	msg := sprintf("%s must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels", [name])
 }

examples/report/policy_print/labels.rego

@@ -0,0 +1,15 @@
+package main
+
+name = input.metadata.name
+
+required_deployment_labels {
+	input.metadata.labels["app.kubernetes.io/name"]
+	input.metadata.labels["app.kubernetes.io/instance"]
+}
+
+deny[msg] {
+	input.kind = "Deployment"
+	print(name)
+	not required_deployment_labels
+	msg := sprintf("%s must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels", [name])
+}

internal/runner/verify.go

@@ -50,7 +50,12 @@ func (r *VerifyRunner) Run(ctx context.Context) ([]output.CheckResult, []*tester
 		engine.EnableTracing()
 	}
 
-	runner := tester.NewRunner().SetCompiler(engine.Compiler()).SetStore(engine.Store()).SetModules(engine.Modules()).EnableTracing(enableTracing).SetRuntime(engine.Runtime())
+	runner := tester.NewRunner().
+		SetCompiler(engine.Compiler()).
+		SetStore(engine.Store()).
+		SetModules(engine.Modules()).
+		EnableTracing(enableTracing).
+		SetRuntime(engine.Runtime())
 	ch, err := runner.RunTests(ctx, nil)
 	if err != nil {
 		return nil, nil, fmt.Errorf("running tests: %w", err)

output/result.go

@@ -6,6 +6,7 @@ import "fmt"
 type Result struct {
 	Message  string                 `json:"msg"`
 	Metadata map[string]interface{} `json:"metadata,omitempty"`
+	Outputs  []string               `json:"outputs,omitempty"`
 }
 
 // NewResult creates a new result. An error is returned if the
@@ -52,6 +53,10 @@ type QueryResult struct {
 	// Traces represents a single trace of how the query was
 	// evaluated. Each trace value is a trace line.
 	Traces []string `json:"traces"`
+
+	// Output represents anything print()'ed during the query
+	// evaluation. Each value is a print() call's result.
+	Outputs []string `json:"outputs,omitempty"`
 }
 
 // Passed returns true if all of the results in the query

output/standard.go

@@ -53,6 +53,8 @@ func (s *Standard) Output(results []CheckResult) error {
 		return nil
 	}
 
+	s.outputPrints(results, colorizer)
+
 	var totalFailures int
 	var totalExceptions int
 	var totalWarnings int
@@ -150,6 +152,16 @@ func (s *Standard) Output(results []CheckResult) error {
 	return nil
 }
 
+func (s *Standard) outputPrints(results []CheckResult, colorizer aurora.Aurora) {
+	for _, result := range results {
+		for _, query := range result.Queries {
+			for _, t := range query.Outputs {
+				fmt.Fprintln(s.Writer, colorizer.Colorize("PRNT ", aurora.BlueFg), "", t)
+			}
+		}
+	}
+}
+
 func (s *Standard) outputTrace(results []CheckResult, colorizer aurora.Aurora) {
 	for _, result := range results {
 		for _, query := range result.Queries {
@@ -169,7 +181,7 @@ func (s *Standard) outputTrace(results []CheckResult, colorizer aurora.Aurora) {
 	}
 }
 
-// outputs results as a report - similar to OPA test output
+// Report outputs results similar to OPA test output
 func (s *Standard) Report(results []*tester.Result, flag string) error {
 	reporter := tester.PrettyReporter{
 		Verbose:     true,
@@ -192,7 +204,8 @@ func (s *Standard) Report(results []*tester.Result, flag string) error {
 	return nil
 }
 
-// Filter traces - returns only failed traces
+// filterTrace returns the traces according to flag: only "fails" or "notes", or, with
+// flag = "full", all of them
 func filterTrace(trace []*topdown.Event, flag string) []*topdown.Event {
 	if flag == "full" {
 		return trace

policy/engine.go

@@ -18,6 +18,7 @@ import (
 	"github.com/open-policy-agent/opa/rego"
 	"github.com/open-policy-agent/opa/storage"
 	"github.com/open-policy-agent/opa/storage/inmem"
+	"github.com/open-policy-agent/opa/topdown/print"
 	"github.com/open-policy-agent/opa/version"
 )
 
@@ -40,13 +41,15 @@ func Load(ctx context.Context, policyPaths []string) (*Engine, error) {
 		return nil, fmt.Errorf("no policies found in %v", policyPaths)
 	}
 
-	compiler, err := policies.Compiler()
-	if err != nil {
-		return nil, fmt.Errorf("get compiler: %w", err)
+	modules := policies.ParsedModules()
+	compiler := ast.NewCompiler().WithEnablePrintStatements(true)
+	compiler.Compile(modules)
+	if compiler.Failed() {
+		return nil, fmt.Errorf("get compiler: %w", compiler.Errors)
 	}
 
-	policyContents := make(map[string]string)
-	for path, module := range policies.ParsedModules() {
+	policyContents := make(map[string]string, len(modules))
+	for path, module := range modules {
 		path = filepath.Clean(path)
 		path = filepath.ToSlash(path)
 
@@ -327,8 +330,7 @@ func (e *Engine) check(ctx context.Context, path string, config interface{}, nam
 		checkResult.Warnings = append(checkResult.Warnings, warnings...)
 		checkResult.Exceptions = append(checkResult.Exceptions, exceptions...)
 
-		checkResult.Queries = append(checkResult.Queries, exceptionQueryResult)
-		checkResult.Queries = append(checkResult.Queries, ruleQueryResult)
+		checkResult.Queries = append(checkResult.Queries, exceptionQueryResult, ruleQueryResult)
 	}
 
 	// Only a single success result is returned when a given rule succeeds, even if there are multiple occurrences
@@ -384,13 +386,15 @@ func (e *Engine) addFileInfo(ctx context.Context, path string) error {
 // data.main.deny to query the deny rule in the main namespace
 // data.main.warn to query the warn rule in the main namespace
 func (e *Engine) query(ctx context.Context, input interface{}, query string) (output.QueryResult, error) {
+	ph := printHook{s: &[]string{}}
 	options := []func(r *rego.Rego){
 		rego.Input(input),
 		rego.Query(query),
 		rego.Compiler(e.Compiler()),
 		rego.Store(e.Store()),
 		rego.Runtime(e.Runtime()),
 		rego.Trace(e.trace),
+		rego.PrintHook(ph),
 	}
 
 	regoInstance := rego.New(options...)
@@ -456,6 +460,7 @@ func (e *Engine) query(ctx context.Context, input interface{}, query string) (ou
 		Query:   query,
 		Results: results,
 		Traces:  traces,
+		Outputs: *ph.s,
 	}
 
 	return queryResult, nil
@@ -488,3 +493,12 @@ func removeRulePrefix(rule string) string {
 
 	return rule
 }
+
+type printHook struct {
+	s *[]string
+}
+
+func (ph printHook) Print(pctx print.Context, msg string) error {
+	*ph.s = append(*ph.s, fmt.Sprintf("%v: %s\n", pctx.Location, msg))
+	return nil
+}