Add external secrets rule

Signed-off-by: Djordje Lukic <[email protected]>

Author: rumpl

internal/validator/rules/externalsecrets.go

@@ -0,0 +1,40 @@
+package rules
+
+import (
+	"github.com/pkg/errors"
+)
+
+type externalSecretsValidator struct {
+}
+
+func NewExternalSecretsRule() Rule {
+	return &externalSecretsValidator{}
+}
+
+func (s *externalSecretsValidator) Collect(parent string, key string, value interface{}) {
+
+}
+
+func (s *externalSecretsValidator) Accept(parent string, key string) bool {
+	return key == "secrets"
+}
+
+func (s *externalSecretsValidator) Validate(cfgMap interface{}) []error {
+	errs := []error{}
+	if value, ok := cfgMap.(map[string]interface{}); ok {
+		for secretName, secret := range value {
+			if v1, ok := secret.(map[string]interface{}); ok {
+				var hasExternal = false
+				for key := range v1 {
+					if key == "external" {
+						hasExternal = true
+					}
+				}
+				if !hasExternal {
+					errs = append(errs, errors.Errorf(`secret %q should be external`, secretName))
+				}
+			}
+		}
+	}
+	return errs
+}

internal/validator/rules/externalsecrets_test.go

@@ -0,0 +1,58 @@
+package rules
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+func TestExternalSecrets(t *testing.T) {
+	s := NewExternalSecretsRule()
+
+	t.Run("should accept secrets", func(t *testing.T) {
+		// The secrets key is on the root path, that's why it doesn't
+		// have a parent
+		assert.Equal(t, s.Accept("", "secrets"), true)
+	})
+
+	t.Run("should return nil if all secrets are external", func(t *testing.T) {
+		input := map[string]interface{}{
+			"my_secret": map[string]interface{}{
+				"external": "true",
+			},
+		}
+
+		errs := s.Validate(input)
+		assert.Equal(t, len(errs), 0)
+	})
+
+	t.Run("should return error if no external secrets", func(t *testing.T) {
+		input := map[string]interface{}{
+			"my_secret": map[string]interface{}{
+				"file": "./my_secret.txt",
+			},
+		}
+
+		errs := s.Validate(input)
+		assert.Equal(t, len(errs), 1)
+		assert.ErrorContains(t, errs[0], `secret "my_secret" should be external`)
+	})
+
+	t.Run("should return all errors", func(t *testing.T) {
+		input := map[string]interface{}{
+			"my_secret": map[string]interface{}{
+				"file": "./my_secret.txt",
+			},
+			"my_other_secret": map[string]interface{}{
+				"file": "./my_secret.txt",
+			},
+		}
+
+		errs := s.Validate(input)
+		assert.Equal(t, len(errs), 2)
+
+		assert.ErrorContains(t, errs[0], `secret "my_secret" should be external`)
+		assert.ErrorContains(t, errs[1], `secret "my_other_secret" should be external`)
+	})
+
+}

internal/validator/rules/rule.go

@@ -0,0 +1,7 @@
+package rules
+
+type Rule interface {
+	Collect(path string, key string, value interface{})
+	Accept(parent string, key string) bool
+	Validate(value interface{}) []error
+}