Move Sentinel versioning to organization settings and prepare policy engines for future OPA support

Author: ilans

Dockerfile

@@ -32,19 +32,6 @@ ARG TARGETPLATFORM
 # STAGE: otfd
 # Final stage that takes the `base` stage and the `otfd` binary
 FROM base AS otfd
-ARG TARGETARCH
-ARG SENTINEL_VERSION=0.40.0
-RUN --mount=type=cache,target=/etc/apk/cache \
-  apk add --no-cache curl unzip && \
-  case "$TARGETARCH" in \
-    amd64) arch=amd64 ;; \
-    arm64) arch=arm64 ;; \
-    *) echo "unsupported TARGETARCH: $TARGETARCH" >&2; exit 1 ;; \
-  esac && \
-  curl -fsSLo /tmp/sentinel.zip "https://releases.hashicorp.com/sentinel/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_linux_${arch}.zip" && \
-  unzip -d /usr/local/bin /tmp/sentinel.zip && \
-  chmod +x /usr/local/bin/sentinel && \
-  rm /tmp/sentinel.zip
 COPY $TARGETPLATFORM/otfd /usr/local/bin/
 USER otf
 ENTRYPOINT ["/usr/local/bin/otfd"]

internal/daemon/daemon.go

@@ -412,20 +412,21 @@ func New(ctx context.Context, logger logr.Logger, cfg Config) (*Daemon, error) {
 		RunClient:        runService,
 	})
 	policyService := policy.NewService(policy.Options{
-		Logger:          logger,
-		Authorizer:      authorizer,
-		DB:              db,
-		Runs:            policyRunAdapter{runs: runService, workspaces: workspaceService},
-		Workspaces:      workspaceService,
-		Configs:         configService,
-		VCSProviders:    vcsService,
-		RepoHooks:       repoService,
-		States:          stateService,
-		Variables:       policyVariableAdapter{variables: variableService},
-		Plans:           policyPlanAdapter{runs: runService},
-		VCSEventSub:     vcsEventBroker,
-		SentinelPath:    cfg.RunnerConfig.SentinelPath,
-		SentinelWorkDir: cfg.RunnerConfig.SentinelWorkDir,
+		Logger:              logger,
+		Authorizer:          authorizer,
+		DB:                  db,
+		Runs:                policyRunAdapter{runs: runService, workspaces: workspaceService},
+		Organizations:       orgService,
+		Workspaces:          workspaceService,
+		Configs:             configService,
+		VCSProviders:        vcsService,
+		RepoHooks:           repoService,
+		States:              stateService,
+		Variables:           policyVariableAdapter{variables: variableService},
+		Plans:               policyPlanAdapter{runs: runService},
+		VCSEventSub:         vcsEventBroker,
+		PolicyEngineBinDir:  cfg.RunnerConfig.PolicyEngineBinDir,
+		PolicyEngineWorkDir: cfg.RunnerConfig.PolicyEngineWorkDir,
 	})
 	runService.SetPolicyService(policyService)
 	dynamiccredsService, err := dynamiccreds.NewService(dynamiccreds.Options{
@@ -681,12 +682,12 @@ func New(ctx context.Context, logger logr.Logger, cfg Config) (*Daemon, error) {
 			*user.UserService
 			*workspace.WorkspaceService
 			*configversion.ConfigService
-			}{
-				RunService:       runService,
-				UserService:      userService,
-				WorkspaceService: workspaceService,
-				ConfigService:    configService,
-			},
+		}{
+			RunService:       runService,
+			UserService:      userService,
+			WorkspaceService: workspaceService,
+			ConfigService:    configService,
+		},
 		policyService,
 		authorizer,
 	)

internal/integration/organization_test.go

@@ -20,6 +20,7 @@ func TestIntegration_Organization(t *testing.T) {
 			Name: new(uuid.NewString()),
 		})
 		require.NoError(t, err)
+		assert.Equal(t, organization.DefaultSentinelVersion, org.SentinelVersion)
 
 		t.Run("duplicate error", func(t *testing.T) {
 			_, err := daemon.Organizations.CreateOrganization(ctx, organization.CreateOptions{
@@ -56,6 +57,18 @@ func TestIntegration_Organization(t *testing.T) {
 		assert.Equal(t, want, updated.Name)
 	})
 
+	t.Run("update sentinel version", func(t *testing.T) {
+		daemon, _, ctx := setup(t, skipDefaultOrganization())
+		org := daemon.createOrganization(t, ctx)
+
+		updated, err := daemon.Organizations.UpdateOrganization(ctx, org.Name, organization.UpdateOptions{
+			SentinelVersion: new("0.40.0"),
+		})
+		require.NoError(t, err)
+
+		assert.Equal(t, "0.40.0", updated.SentinelVersion)
+	})
+
 	t.Run("list with pagination", func(t *testing.T) {
 		daemon, _, ctx := setup(t)
 		_ = daemon.createOrganization(t, ctx)

internal/integration/organization_ui_test.go

@@ -59,12 +59,16 @@ func TestIntegration_OrganizationUI(t *testing.T) {
 		require.NoError(t, err)
 		err = page.Locator("input#name").Fill("super-duper-org")
 		require.NoError(t, err)
+		err = page.Locator("input#sentinel-version").Fill("0.40.0")
+		require.NoError(t, err)
 
-		err = page.Locator(`//button[text()='Update organization name']`).Click()
+		err = page.Locator(`//button[text()='Update organization settings']`).Click()
 		require.NoError(t, err)
 
 		err = expect.Locator(page.GetByRole("alert")).ToHaveText("updated organization")
 		require.NoError(t, err)
+		err = expect.Locator(page.Locator("input#sentinel-version")).ToHaveValue("0.40.0")
+		require.NoError(t, err)
 
 		// delete the organization
 		err = page.Locator(`//button[@id='delete-organization-button']`).Click()

internal/organization/db.go

@@ -25,8 +25,9 @@ func (db *pgdb) create(ctx context.Context, org *Organization) error {
 			cost_estimation_enabled,
 			session_remember,
 			session_timeout,
-			allow_force_delete_workspaces
-		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)`,
+			allow_force_delete_workspaces,
+			sentinel_version
+		) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11)`,
 		org.ID,
 		org.CreatedAt,
 		org.UpdatedAt,
@@ -37,6 +38,7 @@ func (db *pgdb) create(ctx context.Context, org *Organization) error {
 		org.SessionRemember,
 		org.SessionTimeout,
 		org.AllowForceDeleteWorkspaces,
+		org.SentinelVersion,
 	)
 	return err
 }
@@ -66,15 +68,17 @@ SET
 	session_remember = $5,
 	session_timeout = $6,
 	allow_force_delete_workspaces = $7,
-	updated_at = $8
-WHERE name = $9`,
+	sentinel_version = $8,
+	updated_at = $9
+WHERE name = $10`,
 				org.Name,
 				org.Email,
 				org.CollaboratorAuthPolicy,
 				org.CostEstimationEnabled,
 				org.SessionRemember,
 				org.SessionTimeout,
 				org.AllowForceDeleteWorkspaces,
+				org.SentinelVersion,
 				org.UpdatedAt,
 				name,
 			)

internal/organization/organization.go

@@ -2,10 +2,12 @@
 package organization
 
 import (
+	"fmt"
 	"time"
 
 	"github.com/leg100/otf/internal"
 	"github.com/leg100/otf/internal/resource"
+	"github.com/leg100/otf/internal/semver"
 )
 
 const (
@@ -29,6 +31,7 @@ type (
 		SessionTimeout             *int    `db:"session_timeout"`
 		AllowForceDeleteWorkspaces bool    `db:"allow_force_delete_workspaces"`
 		CostEstimationEnabled      bool    `db:"cost_estimation_enabled"`
+		SentinelVersion            string  `db:"sentinel_version"`
 	}
 
 	// UpdateOptions represents the options for updating an organization.
@@ -43,6 +46,7 @@ type (
 		CollaboratorAuthPolicy     *string
 		CostEstimationEnabled      *bool
 		AllowForceDeleteWorkspaces *bool
+		SentinelVersion            *string
 	}
 
 	// CreateOptions represents the options for creating an organization. See
@@ -58,9 +62,12 @@ type (
 		SessionRemember            *int
 		SessionTimeout             *int
 		AllowForceDeleteWorkspaces *bool
+		SentinelVersion            *string
 	}
 )
 
+const DefaultSentinelVersion = "latest"
+
 func NewOrganization(opts CreateOptions) (*Organization, error) {
 	if opts.Name == nil {
 		return nil, internal.ErrRequiredName
@@ -76,6 +83,7 @@ func NewOrganization(opts CreateOptions) (*Organization, error) {
 		ID:                     resource.NewTfeID(resource.OrganizationKind),
 		Email:                  opts.Email,
 		CollaboratorAuthPolicy: opts.CollaboratorAuthPolicy,
+		SentinelVersion:        DefaultSentinelVersion,
 	}
 	if opts.SessionTimeout != nil {
 		org.SessionTimeout = opts.SessionTimeout
@@ -89,6 +97,12 @@ func NewOrganization(opts CreateOptions) (*Organization, error) {
 	if opts.CostEstimationEnabled != nil {
 		org.CostEstimationEnabled = *opts.CostEstimationEnabled
 	}
+	if opts.SentinelVersion != nil {
+		if err := ValidateSentinelVersion(*opts.SentinelVersion); err != nil {
+			return nil, err
+		}
+		org.SentinelVersion = *opts.SentinelVersion
+	}
 	return &org, nil
 }
 
@@ -118,6 +132,22 @@ func (org *Organization) Update(opts UpdateOptions) error {
 	if opts.AllowForceDeleteWorkspaces != nil {
 		org.AllowForceDeleteWorkspaces = *opts.AllowForceDeleteWorkspaces
 	}
+	if opts.SentinelVersion != nil {
+		if err := ValidateSentinelVersion(*opts.SentinelVersion); err != nil {
+			return err
+		}
+		org.SentinelVersion = *opts.SentinelVersion
+	}
 	org.UpdatedAt = internal.CurrentTimestamp(nil)
 	return nil
 }
+
+func ValidateSentinelVersion(v string) error {
+	if v == "latest" {
+		return nil
+	}
+	if !semver.IsValid(v) {
+		return fmt.Errorf("sentinel version must be a semantic version or 'latest'")
+	}
+	return nil
+}

internal/organization/organization_test.go

@@ -0,0 +1,50 @@
+package organization
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewOrganizationDefaultsSentinelVersion(t *testing.T) {
+	org, err := NewOrganization(CreateOptions{
+		Name: new(t.Name()),
+	})
+	require.NoError(t, err)
+
+	assert.Equal(t, DefaultSentinelVersion, org.SentinelVersion)
+}
+
+func TestNewOrganizationAllowsExplicitSentinelVersion(t *testing.T) {
+	org, err := NewOrganization(CreateOptions{
+		Name:            new(t.Name()),
+		SentinelVersion: new("0.40.0"),
+	})
+	require.NoError(t, err)
+
+	assert.Equal(t, "0.40.0", org.SentinelVersion)
+}
+
+func TestNewOrganizationRejectsInvalidSentinelVersion(t *testing.T) {
+	_, err := NewOrganization(CreateOptions{
+		Name:            new(t.Name()),
+		SentinelVersion: new("not-a-version"),
+	})
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "sentinel version")
+}
+
+func TestOrganizationUpdateSentinelVersion(t *testing.T) {
+	org, err := NewOrganization(CreateOptions{
+		Name: new(t.Name()),
+	})
+	require.NoError(t, err)
+
+	err = org.Update(UpdateOptions{
+		SentinelVersion: new("0.40.0"),
+	})
+	require.NoError(t, err)
+
+	assert.Equal(t, "0.40.0", org.SentinelVersion)
+}

internal/organization/ui/handlers.go

@@ -159,16 +159,18 @@ func (h *Handlers) editOrganization(w http.ResponseWriter, r *http.Request) {
 
 func (h *Handlers) updateOrganization(w http.ResponseWriter, r *http.Request) {
 	var params struct {
-		Name        organization.Name `schema:"name,required"`
-		UpdatedName string            `schema:"new_name,required"`
+		Name            organization.Name `schema:"name,required"`
+		UpdatedName     string            `schema:"new_name,required"`
+		SentinelVersion string            `schema:"sentinel_version"`
 	}
 	if err := decode.All(&params, r); err != nil {
 		helpers.Error(r, w, err.Error(), helpers.WithStatus(http.StatusUnprocessableEntity))
 		return
 	}
 
 	org, err := h.Organizations.UpdateOrganization(r.Context(), params.Name, organization.UpdateOptions{
-		Name: &params.UpdatedName,
+		Name:            &params.UpdatedName,
+		SentinelVersion: &params.SentinelVersion,
 	})
 	if err != nil {
 		helpers.Error(r, w, err.Error())

internal/organization/ui/templates.templ

@@ -74,7 +74,12 @@ templ organizationEdit(org *organization.Organization) {
 			<input class="input w-80" type="text" name="new_name" id="name" value={ org.Name.String() } required/>
 		</div>
 		<div class="field">
-			<button class="btn w-72">Update organization name</button>
+			<label for="sentinel-version">Sentinel version</label>
+			<input class="input w-80" type="text" name="sentinel_version" id="sentinel-version" value={ org.SentinelVersion } required/>
+			<span class="description">Use <span class="font-mono">latest</span> or an explicit semantic version such as <span class="font-mono">0.40.0</span>.</span>
+		</div>
+		<div class="field">
+			<button class="btn w-72">Update organization settings</button>
 		</div>
 	</form>
 	<hr class="my-4"/>