Add SchemaVersion and PackageVersion to packages

Signed-off-by: Jose Fuentes <[email protected]>

Author: j-fuentes

go.mod

@@ -7,13 +7,15 @@ require (
 	github.com/aws/aws-sdk-go v1.25.30
 	github.com/gomarkdown/markdown v0.0.0-20191104174740-4d42851d4d5a
 	github.com/gookit/color v1.2.0
+	github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 // indirect
 	github.com/open-policy-agent/opa v0.15.0
 	github.com/pkg/errors v0.8.1
 	github.com/sergi/go-diff v1.0.0 // indirect
 	github.com/spf13/cobra v0.0.5
 	github.com/spf13/viper v1.5.0
 	github.com/yudai/gojsondiff v1.0.0
 	github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect
+	golang.org/x/arch v0.0.0-20191126211547-368ea8f32fff // indirect
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
 	google.golang.org/api v0.13.0
 	gopkg.in/yaml.v2 v2.2.5

go.sum

@@ -92,6 +92,7 @@ github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSN
 github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f h1:Jnx61latede7zDD3DiiP4gmNz33uK0U5HDUaF0a/HVQ=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -117,6 +118,8 @@ github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6 h1:UDMh68UUwekSh5iP2OMhRRZJiiBccgV7axzUG8vi56c=
+github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
@@ -238,6 +241,8 @@ go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 golang.org/dl v0.0.0-20190829154251-82a15e2f2ead/go.mod h1:IUMfjQLJQd4UTqG1Z90tenwKoCX93Gn3MAQJMOSBsDQ=
+golang.org/x/arch v0.0.0-20191126211547-368ea8f32fff h1:k/MrR0lKiCokRu1JUDDAWhWZinfBAOZRzz3LkPOkFMs=
+golang.org/x/arch v0.0.0-20191126211547-368ea8f32fff/go.mod h1:flIaEI6LNU6xOCD5PaJvn9wGP0agmIOqjrtsKGRguv4=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181025213731-e84da0312774/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -398,5 +403,6 @@ k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH
 k8s.io/utils v0.0.0-20190221042446-c2654d5206da h1:ElyM7RPonbKnQqOcw7dG2IK5uvQQn3b/WPHqD5mBvP4=
 k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=

pkg/lint/manifest.go

@@ -24,6 +24,18 @@ func LintPolicyManifest(manifest packaging.PolicyManifest) []LintError {
 		lint("Manifest Namespace absent")
 	}
 
+	if manifest.SchemaVersion == "" {
+		lint("Manifest SchemaVersion absent")
+	} else if !isSemver(manifest.SchemaVersion) {
+		lint("Manifest SchemaVersion must be semver")
+	}
+
+	if manifest.PackageVersion == "" {
+		lint("Manifest PackageVersion absent")
+	} else if !isSemver(manifest.PackageVersion) {
+		lint("Manifest PackageVersion must be semver")
+	}
+
 	sections := manifest.Sections
 	if len(sections) == 0 {
 		lint("No sections in manifest")
@@ -172,3 +184,8 @@ func LintRule(sectionID string, rule packaging.Rule) []LintError {
 
 	return lints
 }
+
+func isSemver(version string) bool {
+	match, _ := regexp.MatchString("^v?\\d+.\\d+.\\d+(-.+)?$", version)
+	return match
+}

pkg/lint/manifest_test.go

@@ -211,9 +211,11 @@ func TestSectionLint(t *testing.T) {
 
 func TestLintPolicyManifestSuccess(t *testing.T) {
 	validPackage := packaging.PolicyManifest{
-		ID:        "mypackage",
-		Namespace: "mynamespace",
-		Name:      "My Package",
+		SchemaVersion:  "1.0.0",
+		ID:             "mypackage",
+		Namespace:      "mynamespace",
+		Name:           "My Package",
+		PackageVersion: "1.0.0",
 		Sections: []packaging.Section{
 			{
 				ID:   "1.2",
@@ -246,23 +248,65 @@ var invalidManifests = []struct {
 		name:         "No sections",
 		expectedLint: "No sections in manifest",
 		manifest: packaging.PolicyManifest{
-			ID:   "mypackage",
-			Name: "My Package",
+			SchemaVersion:  "1.0.0",
+			ID:             "mypackage",
+			Name:           "My Package",
+			PackageVersion: "1.0.0",
 		},
 	},
 	{
 		name:         "No ID",
 		expectedLint: "Manifest ID absent",
 		manifest: packaging.PolicyManifest{
-			Name: "My Package",
+			SchemaVersion:  "1.0.0",
+			Name:           "My Package",
+			PackageVersion: "1.0.0",
+		},
+	},
+	{
+		name:         "No SchemaVersion",
+		expectedLint: "Manifest SchemaVersion absent",
+		manifest: packaging.PolicyManifest{
+			ID:             "mypackage",
+			Name:           "My Package",
+			PackageVersion: "1.0.0",
+		},
+	},
+	{
+		name:         "SchemaVersion not semver",
+		expectedLint: "Manifest SchemaVersion must be semver",
+		manifest: packaging.PolicyManifest{
+			ID:            "mypackage",
+			Name:          "My Package",
+			SchemaVersion: "1",
+		},
+	},
+	{
+		name:         "No PackageVersion",
+		expectedLint: "Manifest PackageVersion absent",
+		manifest: packaging.PolicyManifest{
+			ID:            "mypackage",
+			Name:          "My Package",
+			SchemaVersion: "1.0.0",
+		},
+	},
+	{
+		name:         "PackageVersion not semver",
+		expectedLint: "Manifest PackageVersion must be semver",
+		manifest: packaging.PolicyManifest{
+			ID:             "mypackage",
+			Name:           "My Package",
+			PackageVersion: "1",
 		},
 	},
 	{
 		name:         "Duplicated section ID",
 		expectedLint: "Section ID 1.2 duplicated 2 times",
 		manifest: packaging.PolicyManifest{
-			ID:   "1",
-			Name: "My Package",
+			SchemaVersion:  "1.0.0",
+			ID:             "1",
+			Name:           "My Package",
+			PackageVersion: "1.0.0",
 			Sections: []packaging.Section{
 				{
 					ID:   "1.2",
@@ -291,8 +335,10 @@ var invalidManifests = []struct {
 		name:         "Duplicated section Name",
 		expectedLint: "Section Name 'foobar' duplicated 2 times",
 		manifest: packaging.PolicyManifest{
-			ID:   "1",
-			Name: "My Package",
+			SchemaVersion:  "1.0.0",
+			ID:             "1",
+			Name:           "My Package",
+			PackageVersion: "1.0.0",
 			Sections: []packaging.Section{
 				{
 					ID:   "1.1",
@@ -321,8 +367,10 @@ var invalidManifests = []struct {
 		name:         "Duplicated section Name",
 		expectedLint: "Rule Name 'My Rule' duplicated 3 times",
 		manifest: packaging.PolicyManifest{
-			ID:   "1",
-			Name: "My Package",
+			SchemaVersion:  "1.0.0",
+			ID:             "1",
+			Name:           "My Package",
+			PackageVersion: "1.0.0",
 			Sections: []packaging.Section{
 				{
 					ID:   "1.1",
@@ -382,3 +430,27 @@ func TestManfiestLint(t *testing.T) {
 		)
 	}
 }
+
+func TestIsSemver(t *testing.T) {
+	semverTcs := []struct {
+		version string
+		result  bool
+	}{
+		{"v1.0.0", true},
+		{"1.0.0", true},
+		{"v1.0.0-alpha", true},
+		{"1.0.0-alpha", true},
+		{"1", false},
+		{"a", false},
+		{"a.b.c", false},
+		{"", false},
+	}
+
+	for _, tc := range semverTcs {
+		t.Run(tc.version, func(t *testing.T) {
+			if got, want := isSemver(tc.version), tc.result; got != want {
+				t.Errorf("Failed to check if %s is semver: got = %v, want = %v", tc.version, got, want)
+			}
+		})
+	}
+}

pkg/packaging/packaging.go

@@ -22,13 +22,24 @@ type Package interface {
 
 // PolicyManifest contains all the information about the policy manifest of the package.
 type PolicyManifest struct {
-	Namespace     string    `yaml:"namespace"`
-	ID            string    `yaml:"id"`
-	DataGatherers []string  `yaml:"data-gatherers,omitempty"`
-	RootQuery     string    `yaml:"root-query"`
-	Name          string    `yaml:"name"`
-	Description   string    `yaml:"description,omitempty"`
-	Sections      []Section `yaml:"sections,omitempty"`
+	// SchemaVersion is the version of the PolicyManifest schema, and thus the version of the Preflight Package format. It follows semver.
+	SchemaVersion string `yaml:"schema-version"`
+	// PackageVersion is the version of the package. No format is enforced, but it is recommended to follow semver.
+	PackageVersion string `yaml:"package-version"`
+	// Namespace is the namespace of the package. We recommend to use FQDNs.
+	Namespace string `yaml:"namespace"`
+	// ID is the ID of the package itself.
+	ID string `yaml:"id"`
+	// DataGatherers is the list of data-gatherers the package depends on.
+	DataGatherers []string `yaml:"data-gatherers,omitempty"`
+	// RootQuery is the query needed in the REGO context to access the result of the checks.
+	RootQuery string `yaml:"root-query"`
+	// Name is the name of the package.
+	Name string `yaml:"name"`
+	// Description is a text describing the package.
+	Description string `yaml:"description,omitempty"`
+	// Sections contains the different sections inside the package.
+	Sections []Section `yaml:"sections,omitempty"`
 }
 
 // GlobalID returns a global unique ID that contains the namespace and the ID.
@@ -38,20 +49,30 @@ func (m *PolicyManifest) GlobalID() string {
 
 // Section holds the information for a section of the policy manifest.
 type Section struct {
-	ID          string `yaml:"id"`
-	Name        string `yaml:"name"`
+	// ID is the ID of the section.
+	ID string `yaml:"id"`
+	// Name is the name of the section.
+	Name string `yaml:"name"`
+	// Description is the description of the section.
 	Description string `yaml:"description,omitempty"`
-	Rules       []Rule `yaml:"rules,omitempty"`
+	// Rules contain all the rules in the section.
+	Rules []Rule `yaml:"rules,omitempty"`
 }
 
 // Rule holds the information for a rule.
 type Rule struct {
-	ID          string   `yaml:"id"`
-	Name        string   `yaml:"name"`
-	Description string   `yaml:"description,omitempty"`
-	Manual      bool     `yaml:"manual,omitempty"`
-	Remediation string   `yaml:"remediation,omitempty"`
-	Links       []string `yaml:"links,omitempty"`
+	// ID is the id of the rule.
+	ID string `yaml:"id"`
+	// Name is a shortname for the rule.
+	Name string `yaml:"name"`
+	// Description is a text describing what the rule is about.
+	Description string `yaml:"description,omitempty"`
+	// Manual indicated whether the rule can be evaluated automatically by Preflight or requires manual intervention.
+	Manual bool `yaml:"manual,omitempty"`
+	// Remediation is a text describing how to fix a failure of the rule.
+	Remediation string `yaml:"remediation,omitempty"`
+	// Links contains useful links related to the rule.
+	Links []string `yaml:"links,omitempty"`
 }
 
 // EvalPackage evaluated the rules in a package given an input

preflight-packages/examples.jetstack.io/gke_basic/policy-manifest.yaml

@@ -1,5 +1,7 @@
+schema-version: "1.0.0"
 id: "gke_basic"
 namespace: "examples.jetstack.io"
+package-version: "1.0.0"
 data-gatherers:
 - gke
 # `root-query` selects selects the rego package: `data.<repo_package>`.

preflight-packages/examples.jetstack.io/pods_basic/policy-manifest.yaml

@@ -1,5 +1,7 @@
+schema-version: "1.0.0"
 id: "pods_basic"
 namespace: "examples.jetstack.io"
+package-version: "1.0.0"
 data-gatherers:
 - k8s/pods
 # `root-query` selects selects the rego package: `data.<repo_package>`.