Allow disabling of rules in a package (#67)

* Change structure of enabled packages list in config

Signed-off-by: wwwil <[email protected]>

* Pass list of disabled rules to NewResultCollectionFromRegoResultSet so they can be skipped

Signed-off-by: wwwil <[email protected]>

* Add function to list all rule IDs from policy manifest

Signed-off-by: wwwil <[email protected]>

* Use map of string to bool rather than list of strings to indicate which rules are enabled or disabled

Signed-off-by: wwwil <[email protected]>

* Add functionality to specify list of enabled rules

Signed-off-by: wwwil <[email protected]>

* Move result filtering to separate function

Signed-off-by: wwwil <[email protected]>

* Add backwards compatible config loading

Signed-off-by: wwwil <[email protected]>

* Change name field to be ID

Signed-off-by: wwwil <[email protected]>

Author: wwwil

cmd/check.go

@@ -21,6 +21,7 @@ import (
 	"github.com/jetstack/preflight/pkg/packagesources/local"
 	"github.com/jetstack/preflight/pkg/packaging"
 	"github.com/jetstack/preflight/pkg/reports"
+	"github.com/jetstack/preflight/pkg/results"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -301,19 +302,31 @@ func check() {
 		outputs = append(outputs, op)
 	}
 
-	// Loop over enabled packages and evaluate.
-	enabledPackages := viper.GetStringSlice("enabled-packages")
-
+	type EnabledPackage struct {
+		ID              string
+		EnabledRuleIDs  []string `mapstructure:"enabled-rules"`
+		DisabledRuleIDs []string `mapstructure:"disabled-rules"`
+	}
+	var enabledPackages []EnabledPackage
+	err := viper.UnmarshalKey("enabled-packages", &enabledPackages)
+	if err != nil {
+		log.Printf("unable to decode into struct, %v", err)
+		log.Print("using legacy enabled-packages format")
+		enabledPackageIDs := viper.GetStringSlice("enabled-packages")
+		for _, enabledPackageID := range enabledPackageIDs {
+			enabledPackages = append(enabledPackages, EnabledPackage{ID: enabledPackageID})
+		}
+	}
 	if len(enabledPackages) == 0 {
 		log.Fatal("No packages were enabled. Use 'enables-packages' option in configuration to enable the packages you want to use.")
 	}
 
 	missingRules := false
-	for _, pkgID := range enabledPackages {
+	for _, enabledPackage := range enabledPackages {
 		// Make sure we loaded the package for this.
-		pkg := packages[pkgID]
+		pkg := packages[enabledPackage.ID]
 		if pkg == nil {
-			log.Fatalf("Package with ID %q was specified in configuration but it wasn't found.", pkgID)
+			log.Fatalf("Package with ID %q was specified in configuration but it wasn't found.", enabledPackage.ID)
 		}
 
 		manifest := pkg.PolicyManifest()
@@ -340,6 +353,8 @@ func check() {
 			}
 		}
 
+		rc = results.FilterResultCollection(rc, enabledPackage.DisabledRuleIDs, enabledPackage.EnabledRuleIDs)
+
 		intermediateBytes, err := json.Marshal(input)
 		if err != nil {
 			log.Fatalf("Cannot marshal intermediate result: %v", err)

pkg/packaging/eval.go

@@ -27,5 +27,10 @@ func EvalPackage(ctx context.Context, pkg Package, input interface{}) (*results.
 		allResults = append(allResults, rs...)
 	}
 
-	return results.NewResultCollectionFromRegoResultSet(&allResults)
+	rc, err := results.NewResultCollectionFromRegoResultSet(&allResults)
+	if err != nil {
+		return nil, fmt.Errorf("cannot read results from rego: %s", err)
+	}
+
+	return rc, nil
 }

pkg/packaging/packaging.go

@@ -47,6 +47,17 @@ func (m *PolicyManifest) GlobalID() string {
 	return fmt.Sprintf("%s/%s", m.Namespace, m.ID)
 }
 
+// RuleIDs returns a list of the IDs of all the rules in this policy manifest
+func (m *PolicyManifest) RuleIDs() []string {
+	var ruleIDs []string
+	for _, section := range m.Sections {
+		for _, rule := range section.Rules {
+			ruleIDs = append(ruleIDs, rule.ID)
+		}
+	}
+	return ruleIDs
+}
+
 // Section holds the information for a section of the policy manifest.
 type Section struct {
 	// ID is the ID of the section.

pkg/results/results.go

@@ -162,6 +162,35 @@ func NewResultCollectionFromRegoResultSet(rs *rego.ResultSet) (*ResultCollection
 	return &rc, nil
 }
 
+// FilterResultCollection filters a collection of results based on lists of
+// disabled and enabled rule IDs and returns a filtered ResultCollection. The
+// filtered ResultCollection does not include results for disabled rules. If the
+// enabled rules list is not empty the filtered ResultCollection only contains
+// results for enabled rules.
+func FilterResultCollection(resultCollection *ResultCollection, disabledRuleIDs, enabledRuleIDs []string) *ResultCollection {
+	filteredResultCollection := NewResultCollection()
+	for _, result := range resultCollection.ByID() {
+		filterResult := false
+		if len(enabledRuleIDs) != 0 {
+			filterResult = true
+			for _, enabledRuleID := range enabledRuleIDs {
+				if result.ID == enabledRuleID {
+					filterResult = true
+				}
+			}
+		}
+		for _, disabledRuleID := range disabledRuleIDs {
+			if result.ID == disabledRuleID {
+				filterResult = true
+			}
+		}
+		if !filterResult {
+			filteredResultCollection.Add([]*Result{result})
+		}
+	}
+	return filteredResultCollection
+}
+
 // Parse takes the raw result of evaluating a set of rego rules in preflight and returns a ResultCollection collection.
 func Parse(rawResult []byte) (*ResultCollection, error) {
 	// parse raw data with opa.rego package