feat: validate expr vith policy

Author: chen-keinan

go.mod

@@ -3,6 +3,7 @@ module github.com/chen-keinan/go-opa-validate
 go 1.16
 
 require (
+	github.com/golang/mock v1.6.0 // indirect
 	github.com/open-policy-agent/opa v0.33.1
 	gopkg.in/yaml.v2 v2.4.0
 )

go.sum

@@ -137,6 +137,8 @@ github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
 github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
+github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -407,6 +409,7 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -591,10 +594,13 @@ golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.1.2 h1:kRBLX7v7Af8W7Gdbbc908OJcdgtK8bOz9Uaj8/F1ACA=
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=

validator/fixture/deny_strict.policy

@@ -0,0 +1,8 @@
+package itsio
+default allow = false
+allow {
+	some i
+	input.items[i].kind == "PeerAuthentication"
+	mtlsMode := input.items[i].spec.mtls.mode
+	mtlsMode ==  "STRICT"
+ }

validator/fixture/strict_policy.json

@@ -0,0 +1,54 @@
+{
+  "apiVersion": "v1",
+  "items": [
+    {
+      "apiVersion": "security.istio.io/v1beta1",
+      "kind": "PeerAuthentication",
+      "metadata": {
+        "annotations": {
+          "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"security.istio.io/v1beta1\",\"kind\":\"PeerAuthentication\",\"metadata\":{\"annotations\":{},\"name\":\"default\",\"namespace\":\"foo\"},\"spec\":{\"mtls\":{\"mode\":\"STRICT\"}}}\n"
+        },
+        "creationTimestamp": "2021-10-10T06:59:40Z",
+        "generation": 1,
+        "managedFields": [
+          {
+            "apiVersion": "security.istio.io/v1beta1",
+            "fieldsType": "FieldsV1",
+            "fieldsV1": {
+              "f:metadata": {
+                "f:annotations": {
+                  ".": {},
+                  "f:kubectl.kubernetes.io/last-applied-configuration": {}
+                }
+              },
+              "f:spec": {
+                ".": {},
+                "f:mtls": {
+                  ".": {},
+                  "f:mode": {}
+                }
+              }
+            },
+            "manager": "kubectl-client-side-apply",
+            "operation": "Update",
+            "time": "2021-10-10T06:59:40Z"
+          }
+        ],
+        "name": "default",
+        "namespace": "foo",
+        "resourceVersion": "930055",
+        "uid": "4497fa88-a8d7-4abd-b34f-4e2dd91bfbf0"
+      },
+      "spec": {
+        "mtls": {
+          "mode": "STRICT"
+        }
+      }
+    }
+  ],
+  "kind": "List",
+  "metadata": {
+    "resourceVersion": "",
+    "selfLink": ""
+  }
+}

validator/policyeval_test.go

@@ -21,6 +21,7 @@ func Test_PolicyEval(t *testing.T) {
 		{name: "test validate policy allow pod name", data: "./fixture/allow_pod.json", policyRule: []string{"example.deny"}, policy: "./fixture/pod_policy_deny", want: false, wantError: nil},
 		{name: "test validate policy bad data", data: "./fixture/badJson.json", policyRule: []string{"example.deny"}, policy: "./fixture/pod_policy_deny", want: false, wantError: nil},
 		{name: "test validate policy bad policy", data: "./fixture/badJson.json", policyRule: []string{"example.deny"}, policy: "./fixture/pod_policy_deny_bad", want: false, wantError: fmt.Errorf("1 error occurred: eval.rego:5: rego_parse_error: unexpected } token\n\t}\n\t^")},
+		{name: "test validate policy bad policy", data: "./fixture/strict_policy.json", policyRule: []string{"itsio.allow"}, policy: "./fixture/deny_strict.policy", want: true, wantError: nil},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {