feat: add glob pattern support for --namespace flag

acceptance.bats

@@ -84,6 +84,27 @@
   [ "${lines[1]}" = "1 test, 0 passed, 0 warnings, 1 failure, 0 exceptions" ]
 }
 
+@test "Test command with namespace exact match" {
+  run ./conftest test -p examples/docker/policy examples/docker/Dockerfile --namespace 'main'
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "unallowed image found" ]]
+  [[ ! "$output" =~ "unallowed commands found" ]]
+}
+
+@test "Test command with namespace wildcard matching all" {
+  run ./conftest test -p examples/docker/policy examples/docker/Dockerfile --namespace '*'
+  [ "$status" -eq 1 ]
+  [[ "$output" =~ "unallowed image found" ]]
+  [[ "$output" =~ "unallowed commands found" ]]
+}
+
+@test "Test command with namespace wildcard prefix pattern" {
+  run ./conftest test -p examples/docker/policy examples/docker/Dockerfile --namespace 'c*'
+  [ "$status" -eq 1 ]
+  [[ ! "$output" =~ "unallowed image found" ]]
+  [[ "$output" =~ "unallowed commands found" ]]
+}
+
 @test "Verify command has trace flag" {
   run ./conftest verify --policy ./examples/kubernetes/policy --trace
   [ "$status" -eq 0 ]

runner/test.go

@@ -4,8 +4,10 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"path"
 	"path/filepath"
 	"regexp"
+	"strings"
 
 	"github.com/open-policy-agent/conftest/downloader"
 	"github.com/open-policy-agent/conftest/output"
@@ -89,6 +91,8 @@ func (t *TestRunner) Run(ctx context.Context, fileList []string) (output.CheckRe
 	namespaces := t.Namespace
 	if t.AllNamespaces {
 		namespaces = engine.Namespaces()
+	} else if hasWildcard(t.Namespace) {
+		namespaces = filterNamespaces(engine.Namespaces(), t.Namespace)
 	}
 
 	var results output.CheckResults
@@ -211,3 +215,36 @@ func getFilesFromDirectory(directory string, ignoreRegex string) ([]string, erro
 
 	return files, nil
 }
+
+// hasWildcard checks if any of the given patterns contain wildcard characters.
+func hasWildcard(patterns []string) bool {
+	for _, pattern := range patterns {
+		if strings.ContainsAny(pattern, "*?[") {
+			return true
+		}
+	}
+	return false
+}
+
+// filterNamespaces filters the available namespaces using the given patterns.
+// Patterns support glob-style matching with *, ?, and [...] syntax.
+func filterNamespaces(available []string, patterns []string) []string {
+	seen := make(map[string]bool)
+	var result []string
+	for _, pattern := range patterns {
+		for _, ns := range available {
+			if seen[ns] {
+				continue
+			}
+			matched, err := path.Match(pattern, ns)
+			if err != nil {
+				continue
+			}
+			if matched {
+				seen[ns] = true
+				result = append(result, ns)
+			}
+		}
+	}
+	return result
+}

runner/test_test.go

@@ -0,0 +1,138 @@
+package runner
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestHasWildcard(t *testing.T) {
+	tests := []struct {
+		name     string
+		patterns []string
+		want     bool
+	}{
+		{
+			name:     "no wildcard",
+			patterns: []string{"main", "test"},
+			want:     false,
+		},
+		{
+			name:     "asterisk wildcard",
+			patterns: []string{"main.*"},
+			want:     true,
+		},
+		{
+			name:     "question mark wildcard",
+			patterns: []string{"main.?"},
+			want:     true,
+		},
+		{
+			name:     "bracket wildcard",
+			patterns: []string{"main.[abc]"},
+			want:     true,
+		},
+		{
+			name:     "mixed patterns",
+			patterns: []string{"main", "test.*"},
+			want:     true,
+		},
+		{
+			name:     "empty patterns",
+			patterns: []string{},
+			want:     false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := hasWildcard(tt.patterns); got != tt.want {
+				t.Errorf("hasWildcard() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestFilterNamespaces(t *testing.T) {
+	tests := []struct {
+		name      string
+		available []string
+		patterns  []string
+		want      []string
+	}{
+		{
+			name:      "asterisk matches suffix",
+			available: []string{"main", "main.gke", "main.aws", "test"},
+			patterns:  []string{"main.*"},
+			want:      []string{"main.gke", "main.aws"},
+		},
+		{
+			name:      "asterisk matches prefix",
+			available: []string{"main.gke", "test.gke", "main.aws"},
+			patterns:  []string{"*.gke"},
+			want:      []string{"main.gke", "test.gke"},
+		},
+		{
+			name:      "exact match without wildcard",
+			available: []string{"main", "main.gke"},
+			patterns:  []string{"main"},
+			want:      []string{"main"},
+		},
+		{
+			name:      "multiple patterns",
+			available: []string{"main", "main.gke", "test", "test.aws"},
+			patterns:  []string{"main.*", "test.*"},
+			want:      []string{"main.gke", "test.aws"},
+		},
+		{
+			name:      "no matches",
+			available: []string{"main", "test"},
+			patterns:  []string{"foo.*"},
+			want:      nil,
+		},
+		{
+			name:      "match all with star",
+			available: []string{"main", "test", "foo"},
+			patterns:  []string{"*"},
+			want:      []string{"main", "test", "foo"},
+		},
+		{
+			name:      "question mark pattern",
+			available: []string{"main.a", "main.b", "main.ab"},
+			patterns:  []string{"main.?"},
+			want:      []string{"main.a", "main.b"},
+		},
+		{
+			name:      "bracket pattern",
+			available: []string{"main.a", "main.b", "main.c"},
+			patterns:  []string{"main.[ab]"},
+			want:      []string{"main.a", "main.b"},
+		},
+		{
+			name:      "deduplicate matches",
+			available: []string{"main.gke"},
+			patterns:  []string{"main.*", "*.gke"},
+			want:      []string{"main.gke"},
+		},
+		{
+			name:      "empty available",
+			available: []string{},
+			patterns:  []string{"main.*"},
+			want:      nil,
+		},
+		{
+			name:      "empty patterns",
+			available: []string{"main", "test"},
+			patterns:  []string{},
+			want:      nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := filterNamespaces(tt.available, tt.patterns)
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("filterNamespaces() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}