Validating partial and runnable policy

Posted by Mahesh Kumar
February 14, 2013

Over the past week in CFEngine core dev, some results of refactoring work have come to fruition. We want to make cf-promises a flexible tool for analyzing policy code. Previously, cf-promises required a runnable policy, i.e. a policy that includes a body common control. This made it impractical to use for policy files other than the main file (typically promises.cf), as well as for policy still in development. We want to make it easier for people to use cf-promises while they are developing policy, and to enable the community to integrate with the tool.

This week we changed the semantics of cf-promises a bit to enable this. We have split static policy checks into two categories: partial checks and integrity checks. If you give cf-promises a partial policy, it will only apply the partial checks. These include things like syntax checking, duplicate definitions, and other checks. This basically corresponds to the compilation stage of a typical C program. If you give cf-promises a runnable policy, it will additionally apply integrity checks, e.g. checking that statically resolvable body references exist. This can be compared to the linking stage of a C program. Optionally, passing the --full-check flag to cf-promises will ensure that it attempts to apply policy integrity checks. All other agent programs use this flag to make sure the policy is validated as runnable before attempting evaluation.
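To make the compile/link analogy concrete, here is an added example (not from the original post or the CFEngine code base) of a partial policy file and a runnable main file that includes it. The file names, the bundle name and the body name are constructed for illustration.

```cfengine3
# ---- file: harden_sshd.cf (constructed) --------------------------------
# Partial policy: there is no "body common control" here, so this file is
# not runnable on its own. Checked alone, e.g.
#   cf-promises -f ./harden_sshd.cf
# only the partial checks described above apply (syntax, duplicate
# definitions). The perms body it references is defined elsewhere, much
# like an unresolved symbol in a compiled C object file.
bundle agent harden_sshd
{
  files:
      "/etc/ssh/sshd_config"
        perms => owner_only_0600;
}

# ---- file: promises.cf (constructed) -----------------------------------
# Runnable policy: it has a "body common control", so cf-promises also
# applies the integrity checks, the "link" stage, where the reference to
# owner_only_0600 has to resolve to a definition.
#   cf-promises -f ./promises.cf
# Passing --full-check asks cf-promises to attempt the integrity checks.
body common control
{
      inputs         => { "harden_sshd.cf" };
      bundlesequence => { "harden_sshd" };
}

body perms owner_only_0600
{
      mode   => "0600";
      owners => { "root" };
      groups => { "root" };
}
```

Removing the body perms definition from promises.cf leaves a policy that is still syntactically valid but contains a statically resolvable body reference that does not exist, which is the kind of error the integrity checks are there to catch before an agent evaluates the policy.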

Please try it out and let us know your feedback!


Sigurd Teigen

I’m a programmer working for CFEngine, currently mainly on the community code base. Let me know what new features you would like to see in CFEngine Community. Twitter: @sigurdteigen
