A Ruby script we use to test our Rego policies. The policies need to be in the policies/
folder. The run fails if any policy line is not exercised by the tests.
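# Coverage gate for the Rego policies under policies/. The task aborts when
# `opa test` exits non-zero, when a policy file has no entry in the coverage
# report, or when the report lists any line of a policy as not covered.
# `policy_files` is not defined in this block; it is presumably the list of
# policy paths, keyed the same way as the report's "files" hash (confirm).
desc "Test policies"
task test: ["update:opa"] do
  # stderr is merged into stdout so that a failing run is printed in full.
  # NOTE(review): on a successful run anything opa writes to stderr also ends
  # up in the text given to JSON.parse below. Confirm opa is silent on success,
  # otherwise the gate fails with a parse error instead of a coverage report.
  output = `opa test --coverage --verbose policies/* 2>&1`
  abort output unless $?.success?

  coverage = JSON.parse(output).fetch("files")
  errors = policy_files.flat_map do |policy|
    result = coverage[policy]
    # `next` hands the value back to flat_map. The original `return` tried to
    # leave the enclosing method from inside a block, which raises
    # LocalJumpError once the task body runs, so an untested policy crashed
    # the task instead of being listed in the report.
    next [policy] unless result # untested

    # One entry per uncovered range: "file:row" or "file:first-last".
    (result["not_covered"] || []).map do |line|
      start = line.dig("start", "row")
      finish = line.dig("end", "row")
      "#{policy}:#{start}#{"-#{finish}" if start != finish}"
    end
  end
  abort "Missing coverage:\n#{errors.join("\n")}" if errors.any?
end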