implement allow list for check command

scripts/test-e2e.sh

@@ -55,21 +55,26 @@ function run_app() {
 }
 
 # scenarios:
-echo "1. automation lock before deploy"
+echo "1. automation lock before deploy, should prevent the deploy"
 start_ddb
 run_app lock apps --type automation --duration 5m
 run_app check apps/foo --type deploy && exit 1
 
-echo "2. incident lock before deploy"
+echo "2. incident lock before deploy, should allow the deploy"
 start_ddb
-run_app lock apps --type incident --duration 5m
-run_app check apps/foo --type deploy && exit 1
+run_app lock apps --type incident --duration 5m --allow deploy
+run_app check apps/foo --type deploy || exit 1
 
-echo "3. duplicate deploys"
+echo "3. duplicate deploys, should prevent the deploy"
 start_ddb
 run_app lock apps --type deploy --duration 5m
 run_app check apps/bar --type deploy && exit 1
 
+echo "4. automation during a release freeze, should allow the automation"
+start_ddb
+run_app lock apps --type freeze --duration 5m --allow automation
+run_app check apps/foo --type automation || exit 1
+
 # clean up
 stop_ddb
-echo "Done."
+echo "Done, all tests passed."

src/args.ts

@@ -26,6 +26,7 @@ export interface ParsedArgs {
   type: LockType;
   path: string;
   author?: string;
+  allow: Array<LockType>;
   duration?: string;
   until?: string;
   recursive: boolean;
@@ -86,6 +87,12 @@ export async function parseArgs(argv: Array<string>): Promise<ParsedArgs> {
       command = 'prune';
     })
     .options({
+      'allow': {
+        choices: Object.keys(LOCK_TYPES) as ReadonlyArray<LockType>,
+        default: [] as Array<LockType>,
+        type: 'array',
+        string: true,
+      },
       'author': {
         type: 'string',
       },

src/command/check.ts

@@ -20,7 +20,7 @@ export async function checkCommand(context: CommandContext) {
       } else {
         const friendly = printLock(path, lock);
         logger.info({ lock, friendly, path }, 'found active lock');
-        return false;
+        return lock.allow.includes(args.type);
       }
     }
   }

src/lock.ts

@@ -26,6 +26,11 @@ export interface LockData {
    */
   author: string;
 
+  /**
+   * Check types that should be allowed during this lock.
+   */
+  allow: Array<LockType>;
+
   /**
    * Links with more information about the lock.
    */

src/storage/dynamo.ts

@@ -187,6 +187,9 @@ export function attributesFromLock(lock: LockData): Record<string, AttributeValu
     source: {
       S: lock.source,
     },
+    allow: {
+      S: lock.allow.join(','),
+    },
     links: attributesFromLinks(lock.links),
   };
 
@@ -223,6 +226,7 @@ export function lockFromAttributes(attributes: Record<string, AttributeValue>):
     path: mustExist(attributes.path.S),
     author: mustExist(attributes.author.S),
     source: mustExist(attributes.source.S),
+    allow: mustExist(attributes.allow.S).split(',') as Array<LockType>,
     created_at: parseInt(mustExist(attributes.created_at.N), 10),
     expires_at: parseInt(mustExist(attributes.expires_at.N), 10),
     updated_at: parseInt(mustExist(attributes.updated_at.N), 10),

src/utils.ts

@@ -82,6 +82,7 @@ export function buildLock(args: ParsedArgs, env = process.env): LockData {
     path: args.path,
     author: buildAuthor(args, env),
     links: buildLinks(args),
+    allow: args.allow,
     created_at: args.now,
     updated_at: args.now,
     expires_at: calculateExpires(args),