feat: opa bundle json patch

mxab · mxab · commit c776047d578e · 2025-10-08T23:24:44.000+02:00
diff --git a/pkg/admissionctrl/mutator/opa_bundle_json_patch.go b/pkg/admissionctrl/mutator/opa_bundle_json_patch.go
@@ -0,0 +1,105 @@
+package mutator
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/nomad/api"
+	"github.com/mxab/nacp/pkg/admissionctrl/mutator/jsonpatcher"
+	"github.com/open-policy-agent/opa/v1/sdk"
+)
+
+type OpaBundleMutator struct {
+	name   string
+	path   string
+	logger *slog.Logger
+	opa    *sdk.OPA
+}
+
+func (m *OpaBundleMutator) Mutate(context context.Context, job *api.Job) (result *api.Job, mutated bool, warns []error, err error) {
+	mutated = false
+	warns = []error{}
+	err = nil
+
+	decision, err := m.opa.Decision(context, sdk.DecisionOptions{
+		Input: job,
+		Path:  m.path,
+	})
+	if err != nil {
+		err = fmt.Errorf("failed to perform policy decision: %w", err)
+		return
+	}
+	m.logger.DebugContext(context, "OPA decision", slog.Any("result", decision))
+
+	if rmap, ok := decision.Result.(map[string]interface{}); ok {
+		if errs, found := rmap["errors"]; found {
+			if errlist, ok := errs.([]interface{}); ok {
+
+				for _, e := range errlist {
+					if emsg, ok := e.(string); ok {
+						err = multierror.Append(err, errors.New(emsg))
+					} else if e != nil {
+						err = fmt.Errorf("policy yielded an invalid error entry value: %v", e)
+						return
+					}
+
+				}
+				if err != nil {
+					return
+				}
+			} else if errs != nil {
+				err = fmt.Errorf("policy yielded an invalid errors value: %v", errs)
+				return
+			}
+		}
+		if warnsRaw, found := rmap["warnings"]; found {
+			if warnlist, ok := warnsRaw.([]interface{}); ok {
+
+				for _, w := range warnlist {
+					if wmsg, ok := w.(string); ok {
+						warns = append(warns, errors.New(wmsg))
+					} else if w != nil {
+						err = fmt.Errorf("policy yielded an invalid warning entry value: %v", w)
+						return
+					}
+				}
+			} else if warnsRaw != nil {
+				err = fmt.Errorf("policy yielded an invalid warnings value: %v", warnsRaw)
+				return
+			}
+		}
+		if patch, found := rmap["patch"]; found {
+			if ops, ok := patch.([]interface{}); ok {
+				result, mutated, err = jsonpatcher.PatchJob(job, ops)
+				if err != nil {
+					err = fmt.Errorf("policy yielded patch failed: %w", err)
+					return
+				}
+			} else if patch != nil {
+				err = fmt.Errorf("policy yielded an invalid patch value: %v", patch)
+				return
+			}
+		} else {
+			// No patch, return original job
+			result = job
+		}
+	}
+
+	return
+}
+
+func NewOpaBundleMutator(name string, path string, logger *slog.Logger, sdk *sdk.OPA) (*OpaBundleMutator, error) {
+	return &OpaBundleMutator{
+		name:   name,
+		path:   path,
+		logger: logger,
+		opa:    sdk,
+	}, nil
+}
+
+func (m *OpaBundleMutator) Name() string {
+	return m.name
+}
diff --git a/pkg/admissionctrl/mutator/opa_bundle_json_patch_test.go b/pkg/admissionctrl/mutator/opa_bundle_json_patch_test.go
@@ -0,0 +1,222 @@
+package mutator
+
+import (
+	"log/slog"
+	"testing"
+
+	"github.com/hashicorp/nomad/api"
+	"github.com/mxab/nacp/testutil"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestOpaBundleMutatorName(t *testing.T) {
+
+	opa := testutil.SetupOpa(t, "package mypolicy")
+	mutator, err := NewOpaBundleMutator("test", "test/path", slog.Default(), opa)
+
+	require.NoError(t, err, "No error creating mutator")
+
+	assert.Equal(t, "test", mutator.Name(), "Name is correct")
+}
+
+func TestOpaBundleMutator(t *testing.T) {
+
+	tt := []struct {
+		name     string
+		policy   string
+		path     string
+		inputJob *api.Job
+
+		expectedJob     *api.Job
+		expectedMutated bool
+		expectedWarns   []string
+		expectedErrs    []string
+	}{
+		{
+			name: "no changes",
+			policy: `package mypolicy
+			`,
+			path:            "/mypolicy",
+			inputJob:        testutil.BaseJob(),
+			expectedJob:     testutil.BaseJob(),
+			expectedMutated: false,
+			expectedWarns:   []string{},
+			expectedErrs:    []string{},
+		},
+		{
+			name: "handle policy eval error",
+			policy: `package mypolicy
+			`,
+			path:            "/nonexistentpath",
+			inputJob:        &api.Job{},
+			expectedJob:     nil,
+			expectedMutated: false,
+			expectedWarns:   []string{},
+			expectedErrs:    []string{"failed to perform policy decision"},
+		},
+		{
+			name: "add meta",
+			policy: `package mypolicy
+			patch = [
+			{"op": "add", "path": "/Meta", "value": {}},
+			{"op": "add", "path": "/Meta/hello", "value": "world"}
+			]
+			`,
+			path:     "/mypolicy",
+			inputJob: &api.Job{},
+			expectedJob: &api.Job{
+				Meta: map[string]string{
+					"hello": "world",
+				},
+			},
+			expectedMutated: true,
+			expectedWarns:   []string{},
+			expectedErrs:    []string{},
+		},
+		{
+			name: "handle errors",
+			policy: `package mypolicy
+			errors = ["This is an error message", "This is another error message"]
+			`,
+			path:            "/mypolicy",
+			inputJob:        &api.Job{},
+			expectedJob:     nil,
+			expectedMutated: false,
+			expectedWarns:   []string{},
+			expectedErrs:    []string{"This is an error message", "This is another error message"},
+		},
+		{
+			name: "handle warnings",
+			policy: `package mypolicy
+			warnings = ["This is a warning message", "This is another warning message"]
+			`,
+			path:            "/mypolicy",
+			inputJob:        &api.Job{},
+			expectedJob:     &api.Job{},
+			expectedMutated: false,
+			expectedWarns:   []string{"This is a warning message", "This is another warning message"},
+			expectedErrs:    []string{},
+		},
+		{
+			name: "handle patch and warnings",
+			policy: `package mypolicy
+			patch = [
+				{"op": "add", "path": "/Meta", "value": {}},
+				{"op": "add", "path": "/Meta/hello", "value": "world"}
+			]
+			warnings = ["This is a warning message", "This is another warning message"]
+			`,
+			path:     "/mypolicy",
+			inputJob: &api.Job{},
+			expectedJob: &api.Job{
+				Meta: map[string]string{
+					"hello": "world",
+				},
+			},
+			expectedMutated: true,
+			expectedWarns:   []string{"This is a warning message", "This is another warning message"},
+			expectedErrs:    []string{},
+		},
+		{
+			name: "handle invalid error type",
+			policy: `package mypolicy
+			errors = 5
+			`,
+			path:            "/mypolicy",
+			inputJob:        &api.Job{},
+			expectedJob:     nil,
+			expectedMutated: false,
+			expectedWarns:   []string{},
+			expectedErrs:    []string{"policy yielded an invalid errors value"},
+		},
+		{
+			name: "handle invalid warning type as error",
+			policy: `package mypolicy
+			warnings = 5
+			`,
+			path:            "/mypolicy",
+			inputJob:        &api.Job{},
+			expectedJob:     nil,
+			expectedMutated: false,
+			expectedWarns:   []string{},
+			expectedErrs:    []string{"policy yielded an invalid warnings value"},
+		},
+		{
+			name: "handle invalid error entry type as error",
+			policy: `package mypolicy
+			errors = ["this is fine", 5]
+			`,
+			path:            "/mypolicy",
+			inputJob:        &api.Job{},
+			expectedJob:     nil,
+			expectedMutated: false,
+			expectedWarns:   []string{},
+			expectedErrs:    []string{"policy yielded an invalid error entry value"},
+		},
+		{
+			name: "handle invalid warning entry type as warning",
+			policy: `package mypolicy
+			warnings = ["this is fine", 5]
+			`,
+			path:            "/mypolicy",
+			inputJob:        &api.Job{},
+			expectedJob:     nil,
+			expectedMutated: false,
+			expectedWarns:   []string{"this is fine"},
+			expectedErrs:    []string{"policy yielded an invalid warning entry value"},
+		},
+		{
+			name: "handle invalid patch type as error",
+			policy: `package mypolicy
+			patch = 5
+			`,
+			path:            "/mypolicy",
+			inputJob:        &api.Job{},
+			expectedJob:     nil,
+			expectedMutated: false,
+			expectedWarns:   []string{},
+			expectedErrs:    []string{"policy yielded an invalid patch value"},
+		},
+		{
+			name: "handle invalid patch entry type as error",
+			policy: `package mypolicy
+			patch = [5]
+			`,
+			path:            "/mypolicy",
+			inputJob:        &api.Job{},
+			expectedJob:     nil,
+			expectedMutated: false,
+			expectedWarns:   []string{},
+			expectedErrs:    []string{"policy yielded patch failed"},
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.name, func(t *testing.T) {
+			opa := testutil.SetupOpa(t, tc.policy)
+			mutator, err := NewOpaBundleMutator(tc.name, tc.path, slog.New(slog.DiscardHandler), opa)
+
+			require.NoError(t, err, "No error creating mutator")
+			result, mutated, warns, err := mutator.Mutate(t.Context(), tc.inputJob)
+
+			assert.Equal(t, tc.expectedJob, result, "Job is correct")
+			assert.Equal(t, tc.expectedMutated, mutated, "Mutated is correct")
+			// warns
+			assert.Len(t, warns, len(tc.expectedWarns), "Warnings length is correct")
+
+			for i, expectedWarn := range tc.expectedWarns {
+				assert.ErrorContains(t, warns[i], expectedWarn, "Warning is correct")
+			}
+			// errs
+			if len(tc.expectedErrs) == 0 {
+				assert.NoError(t, err, "No error")
+			} else {
+				for _, expectedErr := range tc.expectedErrs {
+					assert.ErrorContains(t, err, expectedErr, "Error is correct")
+				}
+			}
+
+		})
+	}
+}
