fix ec validate input failing when policy has publicKey

[robnester-rh]

When a policy spec includes a publicKey field, ec validate input would fail with 'no check options or sig verifier configured' because the signature verifier isn't initialized for input validation scenarios.

Return the publicKey from the policy spec directly when SigVerifier is not initialized.

Ref: #1528
Ref: EC-1666

[qodo-code-review]

Review Summary by Qodo

Fix ec validate input with publicKey in policy spec

🐞 Bug fix

Walkthroughs

Description

• Fix ec validate input failing when policy spec includes publicKey field
• Return publicKey directly from policy spec when SigVerifier not initialized
• Add test case for publicKey in policy configuration
• Add acceptance test scenario for issue #1528

Diagram

flowchart LR
  A["Policy with publicKey"] -->|"SigVerifier not initialized"| B["PublicKeyPEM method"]
  B -->|"Previous: error"| C["Failed validation"]
  B -->|"Fixed: return publicKey"| D["Successful validation"]

Loading

File Changes

1. internal/policy/policy.go 🐞 Bug fix +5/-1

Return publicKey when SigVerifier not initialized

• Modified PublicKeyPEM() to return publicKey directly from policy spec when SigVerifier is not
 initialized
• Changed error return to []byte(p.PublicKey) instead of error for nil SigVerifier case
• Added explanatory comment referencing issue #1528

internal/policy/policy.go

---

2. internal/policy/policy_test.go 🧪 Tests +5/-3

Update test for publicKey without SigVerifier

• Updated test case name to reflect new behavior: "checkOpts is nil but publicKey in spec"
• Changed test expectation from error to successful publicKey return
• Fixed test data to use utils.TestPublicKeyJSON for proper JSON formatting
• Added comment explaining the fix for issue #1528

internal/policy/policy_test.go

---

3. acceptance/examples/happy_config_with_public_key.yaml 📝 Documentation +7/-0

Add example policy config with publicKey

• New example policy configuration file with embedded publicKey field
• Includes reference to happy-day-policy for testing
• Demonstrates valid policy structure for issue #1528 scenario

acceptance/examples/happy_config_with_public_key.yaml

---

View more (1)

4. features/validate_input.feature 🧪 Tests +24/-0

Add acceptance test for publicKey validation

• Added new acceptance test scenario for issue #1528
• Tests ec validate input with policy containing publicKey field
• Verifies successful validation with exit status 0
• Uses new happy-day-config-with-public-key repository

features/validate_input.feature

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (1) 📎 Requirement gaps (0)

1. PublicKeyPEM returns non-PEM 📘 Rule violation ✓ Correctness

Description

When SigVerifier is not initialized, PublicKeyPEM() returns p.PublicKey verbatim (which may be
a reference like k8s://..., not PEM). This contradicts the method’s name/contract and can confuse
callers or cause downstream failures if PEM is assumed.

Code

internal/policy/policy.go[R101-106]

+	// If SigVerifier is not initialized but we have PublicKey in the policy spec,
+	// return it directly. This handles scenarios like "ec validate input" where
+	// signature verification is not performed but the policy spec may contain a
+	// publicKey field (fixes issue #1528).
	if p.checkOpts == nil || p.checkOpts.SigVerifier == nil {
-		return nil, errors.New("no check options or sig verifier configured")
+		return []byte(p.PublicKey), nil

Evidence

The compliance checklist requires self-documenting identifiers; however, PublicKeyPEM() now
returns raw PublicKey bytes in some cases rather than PEM-encoded key material, making the API
misleading.

Rule 2: Generic: Meaningful Naming and Self-Documenting Code
internal/policy/policy.go[101-106]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`PublicKeyPEM()` can return `p.PublicKey` verbatim when `SigVerifier` is nil, which may not be PEM. This makes the method name/contract misleading and risks callers treating non-PEM values as PEM.

## Issue Context
This change was introduced to allow `ec validate input` to succeed when `policy.yaml` specifies `publicKey` without initializing signature verification.

## Fix Focus Areas
- internal/policy/policy.go[101-113]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
acceptance	55.60% <100.00%> (+0.01%)	⬆️
generative	18.49% <0.00%> (ø)
integration	27.50% <0.00%> (ø)
unit	68.44% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
internal/policy/policy.go	92.03% <100.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.