Add tests for rego policies (#1334)

Co-authored-by: Aaron Clawson <MadVikingGod@users.noreply.github.com>
Co-authored-by: Liudmila Molkova <limolkova@microsoft.com>

Makefile

@@ -120,6 +120,11 @@ check-policies:
 		--diagnostic-format=ansi \
 		--policy=/policies/registry.rego
 
+# Test rego policies
+.PHONY: test-policies
+test-policies:
+	docker run --rm -v $(PWD)/policies:/policies openpolicyagent/opa:0.67.1 test --explain fails /policies
+
 # Generate markdown tables from YAML definitions
 .PHONY: table-generation
 table-generation:

policies/registry_test.rego

@@ -0,0 +1,24 @@
+package before_resolution_test
+
+import data.before_resolution
+
+import future.keywords.if
+
+test_registry_attribute_groups if {
+	count(before_resolution.deny) > 0 with input as {"groups": [{"id": "registry.test", "type": "foo"}]}
+	count(before_resolution.deny) == 0 with input as {"groups": [{"id": "registry.test", "type": "attribute_group"}]}
+}
+
+test_attribute_ids if {
+	# This requires a prefix for use with opa, but weaver will fill in.
+	count(before_resolution.deny) > 0 with input as {"groups": [{"id": "not_registry", "prefix": "", "attributes": [{"id": "foo"}]}]}
+	count(before_resolution.deny) == 0 with input as {"groups": [
+		{"id": "registry.test", "prefix": "", "attributes": [{"id": "foo"}]},
+		{"id": "not_registry", "prefix": "", "attributes": [{"ref": "foo"}]},
+	]}
+}
+
+test_attribute_refs if {
+	count(before_resolution.deny) > 0 with input as {"groups": [{"id": "registry.foo", "attributes": [{"ref": "foo"}]}]}
+	count(before_resolution.deny) == 0 with input as {"groups": [{"id": "not_registry", "attributes": [{"ref": "foo"}]}]}
+}