Add policy enforcement for attribute registry. (open-telemetry#1208)

jsuereth · lmolkova · web-flow · commit 459fbdbe0aca · 2024-07-23T07:37:06.000-04:00
Co-authored-by: Liudmila Molkova &lt;limolkova@microsoft.com&gt;
diff --git a/Makefile b/Makefile
@@ -111,6 +111,15 @@ install-yamllint:
 yamllint:
 	yamllint .
 
+# Check semantic convention policies on YAML files
+.PHONY: check-policies
+check-policies:
+	docker run --rm -v $(PWD)/model:/source -v $(PWD)/policies:/policies -v $(PWD)/templates:/templates \
+		otel/weaver:${WEAVER_VERSION} registry check \
+		--registry=/source \
+		--diagnostic-format=ansi \
+		--policy=/policies/registry.rego
+
 # Generate markdown tables from YAML definitions
 .PHONY: table-generation
 table-generation:
@@ -180,7 +189,7 @@ fix-format:
 # Run all checks in order of speed / likely failure.
 # As a last thing, run attribute registry generation and git-diff for differences.
 .PHONY: check
-check: misspell markdownlint check-format markdown-toc compatibility-check markdown-link-check attribute-registry-generation
+check: misspell markdownlint check-format markdown-toc compatibility-check markdown-link-check check-policies attribute-registry-generation
 	git diff --exit-code ':*.md' || (echo 'Generated markdown Table of Contents is out of date, please run "make markdown-toc" and commit the changes in this PR.' && exit 1)
 	@echo "All checks complete"
 
diff --git a/policies/registry.rego b/policies/registry.rego
@@ -0,0 +1,42 @@
+package before_resolution
+
+# This file enforces policies requiring all attributes to be defined within
+# a semantic convention "registry".  This is a naming/structure convention
+# used by semantic conventions.
+
+# Helper to create attribute registry violations.
+attr_registry_violation(violation_id, group_id, attr_id) = violation {
+	violation := {
+		"id": violation_id,
+		"type": "semantic_convention_policies",
+		"category": "attribute_registry_checks",
+		"group": group_id,
+		"attr": attr_id,
+	}
+}
+
+# We only allow attribute groups in the attribute registry.
+deny[attr_registry_violation("attribute_registry_can_only_contain_attribute_groups", group.id, "")] {
+	group := input.groups[_]
+	startswith(group.id, "registry.")
+	group.type != "attribute_group"
+}
+
+# Any group that is NOT in the attribute registry that has an attribute id is
+# in violation of not using the attribute registry.
+deny[attr_registry_violation("attributes_must_be_defined_in_attribute_registry", group.id, attr.id)] {
+	group := input.groups[_]
+	not startswith(group.id, "registry.")
+	attr := group.attributes[_]
+	attr.id != null
+}
+
+# A registry `attribute_group` containing at least one `ref` attribute is
+# considered invalid if it's not in the registry group.
+deny[attr_registry_violation("attributes_in_registry_cannot_reference_each_other", group.id, attr.ref)] {
+	# TODO - this will need to be updated to support `embed` in the future.
+	group := input.groups[_]
+	startswith(group.id, "registry.")
+	attr := group.attributes[_]
+	attr.ref != null
+}
