allow-policy-legacy 0.1.9

Legacy policy adapters for cargo-allow migrations.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141

use allow_core::{AllowEntry, FindingKind, Selector, normalize_path};
use std::path::PathBuf;

use crate::converter_workflow_support::{lifecycle_from_workflow_rule, slug_id};
use crate::types::LegacyWorkflowRule;

pub(crate) fn workflow_file_entry(rule: &LegacyWorkflowRule) -> AllowEntry {
    let path = normalize_path(&rule.path);
    AllowEntry {
        id: format!("workflow-file-{}", slug_id(&path)),
        kind: FindingKind::PolicyException,
        family: Some("github_workflow".to_string()),
        path: Some(PathBuf::from(&path)),
        glob: None,
        owner: rule.owner.clone(),
        classification: "github_workflow".to_string(),
        reason: rule.reason.clone(),
        evidence: workflow_evidence(rule),
        links: vec![format!("legacy-policy:workflow:{path}")],
        occurrence_limit: None,
        lifecycle: lifecycle_from_workflow_rule(rule),
        selector: Selector {
            ast_kind: Some("github_workflow".to_string()),
            symbol: Some(path.clone()),
            glob: Some(path),
            ..Selector::default()
        },
        last_seen: None,
    }
}

fn workflow_evidence(rule: &LegacyWorkflowRule) -> Vec<String> {
    let mut evidence = rule.evidence.clone();
    evidence.push(format!(
        "legacy-policy:workflow:{}",
        normalize_path(&rule.path)
    ));
    evidence.extend(
        rule.permissions
            .iter()
            .map(|permission| format!("permission:{permission}")),
    );
    evidence.extend(
        rule.secrets_used
            .iter()
            .map(|secret| format!("secret:{secret}")),
    );
    if let Some(lane) = &rule.duplicate_of_lane {
        evidence.push(format!("duplicate_of_lane:{lane}"));
    }
    evidence
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::path::PathBuf;

    #[test]
    fn workflow_file_entry_maps_legacy_rule_to_policy_exception() {
        let rule = workflow_rule();
        let entry = workflow_file_entry(&rule);

        assert_eq!(entry.id, "workflow-file-github-workflows-ci-yml");
        assert_eq!(entry.kind, FindingKind::PolicyException);
        assert_eq!(entry.family.as_deref(), Some("github_workflow"));
        assert_eq!(entry.path, Some(PathBuf::from(".github/workflows/ci.yml")));
        assert_eq!(entry.glob, None);
        assert_eq!(entry.owner, "platform");
        assert_eq!(entry.classification, "github_workflow");
        assert_eq!(entry.reason, "required CI lane");
        assert_eq!(
            entry.evidence,
            vec![
                "docs/ci.md".to_string(),
                "legacy-policy:workflow:.github/workflows/ci.yml".to_string(),
                "permission:contents:read".to_string(),
                "permission:id-token:write".to_string(),
                "secret:CARGO_REGISTRY_TOKEN".to_string(),
                "duplicate_of_lane:ci-shadow".to_string(),
            ]
        );
        assert_eq!(
            entry.links,
            vec!["legacy-policy:workflow:.github/workflows/ci.yml".to_string()]
        );
        assert_eq!(entry.occurrence_limit, None);
        assert_eq!(entry.lifecycle.created.as_deref(), Some("2026-01-02"));
        assert_eq!(entry.lifecycle.review_after.as_deref(), Some("2026-07-02"));
        assert_eq!(entry.lifecycle.expires.as_deref(), Some("never"));
        assert_eq!(entry.selector.ast_kind.as_deref(), Some("github_workflow"));
        assert_eq!(
            entry.selector.symbol.as_deref(),
            Some(".github/workflows/ci.yml")
        );
        assert_eq!(
            entry.selector.glob.as_deref(),
            Some(".github/workflows/ci.yml")
        );
        assert_eq!(entry.selector.target_fingerprint, None);
        assert_eq!(entry.last_seen, None);
    }

    #[test]
    fn workflow_evidence_keeps_minimal_rule_evidence() {
        let rule = LegacyWorkflowRule {
            path: ".github\\workflows\\release.yml".to_string(),
            owner: "release".to_string(),
            reason: "publish lane".to_string(),
            permissions: Vec::new(),
            secrets_used: Vec::new(),
            external_actions: Vec::new(),
            duplicate_of_lane: None,
            evidence: Vec::new(),
            created: None,
            review_after: None,
            expires: None,
        };

        assert_eq!(
            workflow_evidence(&rule),
            vec!["legacy-policy:workflow:.github/workflows/release.yml".to_string()]
        );
    }

    fn workflow_rule() -> LegacyWorkflowRule {
        LegacyWorkflowRule {
            path: ".github\\workflows\\ci.yml".to_string(),
            owner: "platform".to_string(),
            reason: "required CI lane".to_string(),
            permissions: vec!["contents:read".to_string(), "id-token:write".to_string()],
            secrets_used: vec!["CARGO_REGISTRY_TOKEN".to_string()],
            external_actions: vec!["actions/checkout@v4".to_string()],
            duplicate_of_lane: Some("ci-shadow".to_string()),
            evidence: vec!["docs/ci.md".to_string()],
            created: Some("2026-01-02".to_string()),
            review_after: Some("2026-07-02".to_string()),
            expires: Some("never".to_string()),
        }
    }
}