Support policy type manifest (#41)

Add support for Policy type manifests in policy generator.

Signed-off-by: Chunxi Luo <[email protected]>

Author: ChunxiAlexLuo

docs/policygenerator-reference.yaml

@@ -90,6 +90,12 @@ policies:
         # kustomization.yaml file. This path cannot be in a directory outside of the directory with
         # the kustomization.yaml file. Subdirectories within the directory with kustomization.yaml
         # file are allowed.
+        # Supported manifests:
+        #   1) Non-root policy type manifests such as IamPolicy, CertificatePolicy, and ConfigurationPolicy
+        #      that have a "Policy" suffix. These are not modified except for patches and are directly added 
+        #      as a Policy's policy-templates entry.
+        #   2) For everything else, ConfigurationPolicy objects are generated to wrap these manifests. 
+        #      The resulting ConfigurationPolicy is added as a Policy's policy-templates entry.
       - path: ""
         # Optional. (See policy[0].complianceType for description.)
         complianceType: "musthave"

examples/input-policy-type/iam.yaml

@@ -0,0 +1,11 @@
+apiVersion: policy.open-cluster-management.io/v1
+kind: IamPolicy
+metadata:
+  name: policy-limitclusteradmin-example
+spec:
+  severity: medium
+  namespaceSelector:
+    include: ["*"]
+    exclude: ["kube-*", "openshift-*"]
+  remediationAction: inform
+  maxClusterRoleBindingUsers: 5

examples/policyGenerator.yaml

@@ -57,6 +57,17 @@ policies:
     - path: input-gatekeeper/
   policySets:
     - policyset-gatekeeper
+- name: policy-limitclusteradmin
+  categories:
+    - AC Access Control
+  controls:
+    - AC-3 Access Enforcement
+  standards:
+    - NIST SP 800-53 
+  manifests:
+    - path: input-policy-type/iam.yaml
+  policySets:
+    - policyset-iam
 policySets:
 - name: policyset-kyverno
   description: this is a kyverno policy set.
@@ -67,4 +78,6 @@ policySets:
 - name: policyset-gatekeeper
   description: this is a gatekeeper policy set.
   placement:
-    placementRulePath: input/placementrule.yaml
+    placementRulePath: input/placementrule.yaml
+- name: policyset-iam
+  description: this is a iam policy set.

internal/plugin_config_test.go

@@ -28,6 +28,28 @@ data:
 	}
 }
 
+func createIamPolicyManifest(t *testing.T, tmpDir, filename string) {
+	t.Helper()
+	manifestsPath := path.Join(tmpDir, filename)
+	yamlContent := `
+apiVersion: policy.open-cluster-management.io/v1
+kind: IamPolicy
+metadata:
+  name: policy-limitclusteradmin-example
+spec:
+  severity: medium
+  namespaceSelector:
+    include: ["*"]
+    exclude: ["kube-*", "openshift-*"]
+  remediationAction: enforce
+  maxClusterRoleBindingUsers: 5
+`
+	err := ioutil.WriteFile(manifestsPath, []byte(yamlContent), 0o666)
+	if err != nil {
+		t.Fatalf("Failed to write %s", manifestsPath)
+	}
+}
+
 func TestConfig(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()

internal/plugin_test.go

@@ -420,6 +420,67 @@ spec:
 	assertEqual(t, output, expected)
 }
 
+func TestCreatePolicyFromIamPolicyTypeManifest(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	createIamPolicyManifest(t, tmpDir, "iamKindManifestPluginTest.yaml")
+	p := Plugin{}
+	p.PolicyDefaults.Namespace = "Iam-policies"
+	policyConf := types.PolicyConfig{
+		Categories: []string{"AC Access Control"},
+		Controls:   []string{"AC-3 Access Enforcement"},
+		Standards:  []string{"NIST SP 800-53"},
+		Name:       "policy-limitclusteradmin",
+		Manifests: []types.Manifest{
+			{Path: path.Join(tmpDir, "iamKindManifestPluginTest.yaml")},
+		},
+	}
+	p.Policies = append(p.Policies, policyConf)
+	p.applyDefaults(map[string]interface{}{})
+
+	err := p.createPolicy(&p.Policies[0])
+	if err != nil {
+		t.Fatal(err.Error())
+	}
+
+	output := p.outputBuffer.String()
+	// expected Iam policy generated from
+	// non-root IAM policy type manifest
+	// in createIamPolicyTypeConfigMap()
+	expected := `
+---
+apiVersion: policy.open-cluster-management.io/v1
+kind: Policy
+metadata:
+    annotations:
+        policy.open-cluster-management.io/categories: AC Access Control
+        policy.open-cluster-management.io/controls: AC-3 Access Enforcement
+        policy.open-cluster-management.io/standards: NIST SP 800-53
+    name: policy-limitclusteradmin
+    namespace: Iam-policies
+spec:
+    disabled: false
+    policy-templates:
+        - objectDefinition:
+            apiVersion: policy.open-cluster-management.io/v1
+            kind: IamPolicy
+            metadata:
+                name: policy-limitclusteradmin-example
+            spec:
+                maxClusterRoleBindingUsers: 5
+                namespaceSelector:
+                    exclude:
+                        - kube-*
+                        - openshift-*
+                    include:
+                        - '*'
+                remediationAction: enforce
+                severity: medium
+`
+	expected = strings.TrimPrefix(expected, "\n")
+	assertEqual(t, output, expected)
+}
+
 func TestCreatePolicyDir(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()
@@ -517,6 +578,43 @@ func TestCreatePolicyInvalidYAML(t *testing.T) {
 	assertEqual(t, err.Error(), expected)
 }
 
+func TestCreatePolicyInvalidAPIOrKind(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	manifestPath := path.Join(tmpDir, "invalidAPIOrKind.yaml")
+	yamlContent := `
+apiVersion: policy.open-cluster-management.io/v1
+kind:
+  - IamPolicy
+  - CertificatePolicy
+metadata:
+  name: policy-limitclusteradmin-example
+`
+	err := ioutil.WriteFile(manifestPath, []byte(yamlContent), 0o666)
+	if err != nil {
+		t.Fatalf("Failed to create %s: %v", manifestPath, err)
+	}
+
+	p := Plugin{}
+	p.PolicyDefaults.Namespace = "my-policies"
+	policyConf := types.PolicyConfig{
+		Name:      "policy-limitclusteradmin",
+		Manifests: []types.Manifest{{Path: manifestPath}},
+	}
+	p.Policies = append(p.Policies, policyConf)
+	p.applyDefaults(map[string]interface{}{})
+
+	err = p.createPolicy(&p.Policies[0])
+	if err == nil {
+		t.Fatal("Expected an error but did not get one")
+	}
+
+	expected := fmt.Sprintf(
+		"invalid non-string kind format in manifest path: %s", manifestPath,
+	)
+	assertEqual(t, err.Error(), expected)
+}
+
 func TestCreatePlacementDefault(t *testing.T) {
 	t.Parallel()
 	p := Plugin{}

internal/utils.go

@@ -15,6 +15,7 @@ import (
 	"github.com/stolostron/policy-generator-plugin/internal/expanders"
 	"github.com/stolostron/policy-generator-plugin/internal/types"
 	"gopkg.in/yaml.v3"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
 // getManifests will get all of the manifest files associated with the input policy configuration
@@ -139,12 +140,28 @@ func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]map[string
 	for i, manifestGroup := range manifestGroups {
 		complianceType := policyConf.Manifests[i].ComplianceType
 		for _, manifest := range manifestGroup {
+			isPolicyTypeManifest, err := isPolicyTypeManifest(manifest)
+			if err != nil {
+				return nil, fmt.Errorf(
+					"%w in manifest path: %s",
+					err,
+					policyConf.Manifests[i].Path,
+				)
+			}
+
+			if isPolicyTypeManifest {
+				policyTemplate := map[string]map[string]interface{}{"objectDefinition": manifest}
+				policyTemplates = append(policyTemplates, policyTemplate)
+
+				continue
+			}
+
 			objTemplate := map[string]interface{}{
 				"complianceType":   complianceType,
 				"objectDefinition": manifest,
 			}
 			if policyConf.ConsolidateManifests {
-				// put all objTemplate with manifest into single consolidated objectTemplates object
+				// put all objTemplate with manifest into single consolidated objectTemplates
 				objectTemplates = append(objectTemplates, objTemplate)
 			} else {
 				// casting each objTemplate with manifest to objectTemplates type
@@ -167,8 +184,9 @@ func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]map[string
 		)
 	}
 
-	//  just build one policyTemplate by using the above consolidated objectTemplates
-	if policyConf.ConsolidateManifests {
+	// just build one policyTemplate by using the above non-empty consolidated objectTemplates
+	// ConsolidateManifests = true or there is non-policy-type manifest
+	if policyConf.ConsolidateManifests && len(objectTemplates) > 0 {
 		policyTemplate := buildPolicyTemplate(policyConf, 1, &objectTemplates, &policyConf.EvaluationInterval)
 		setNamespaceSelector(policyConf, policyTemplate)
 		policyTemplates = append(policyTemplates, *policyTemplate)
@@ -183,6 +201,24 @@ func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]map[string
 	return policyTemplates, nil
 }
 
+// isPolicyTypeManifest determines if the manifest is a non-root policy manifest
+// by checking apiVersion and kind fields.
+// Return error when apiVersion and kind fields aren't string.
+func isPolicyTypeManifest(manifest map[string]interface{}) (bool, error) {
+	apiVersion, _, isAPIStr := unstructured.NestedString(manifest, "apiVersion")
+	kind, _, isKindStr := unstructured.NestedString(manifest, "kind")
+	if isAPIStr != nil {
+		return false, fmt.Errorf("invalid non-string apiVersion format")
+	} else if isKindStr != nil {
+		return false, fmt.Errorf("invalid non-string kind format")
+	} else if strings.HasPrefix(apiVersion, "policy.open-cluster-management.io") &&
+		kind != "Policy" && strings.HasSuffix(kind, "Policy") {
+		return true, nil // non-root policy-type manifest contains policy api
+	}
+
+	return false, nil
+}
+
 // setNamespaceSelector sets the namespace selector, if set, on the input policy template.
 func setNamespaceSelector(policyConf *types.PolicyConfig, policyTemplate *map[string]map[string]interface{}) {
 	if policyConf.NamespaceSelector.Exclude != nil || policyConf.NamespaceSelector.Include != nil {

internal/utils_test.go

@@ -233,6 +233,130 @@ data:
 	}
 }
 
+func TestIsPolicyTypeManifest(t *testing.T) {
+	t.Parallel()
+
+	invalidAPI := []string{
+		"policy.open-cluster-management.io/v1",
+		"apps.open-cluster-management.io/v1",
+	}
+
+	invalidKind := []string{
+		"CertificatePolicy",
+		"IamPolicy",
+	}
+
+	tests := []struct {
+		apiVersion     string
+		kind           string
+		invalidAPI     []string
+		invalidKind    []string
+		expectedFlag   bool
+		expectedErrMsg string
+	}{
+		{"policy.open-cluster-management.io/v1", "IamPolicy", nil, nil, true, ""},
+		{"policy.open-cluster-management.io/v1", "CertificatePolicy", nil, nil, true, ""},
+		{"policy.open-cluster-management.io/v1", "ConfigurationPolicy", nil, nil, true, ""},
+		{"policy.open-cluster-management.io/v1", "Policy", nil, nil, false, ""},
+		{"apps.open-cluster-management.io/v1", "PlacementRule", nil, nil, false, ""},
+		{"", "", nil, nil, false, ""},
+		{"", "IamPolicy", invalidAPI, nil, false, "invalid non-string apiVersion format"},
+		{"policy.open-cluster-management.io/v1", "", nil, invalidKind, false, "invalid non-string kind format"},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(
+			fmt.Sprintf("apiVersion=%s, kind=%s", test.apiVersion, test.kind),
+			func(t *testing.T) {
+				t.Parallel()
+				manifest := map[string]interface{}{}
+
+				if test.invalidAPI == nil {
+					manifest["apiVersion"] = test.apiVersion
+				} else {
+					manifest["apiVersion"] = test.invalidAPI
+				}
+
+				if test.invalidKind == nil {
+					manifest["kind"] = test.kind
+				} else {
+					manifest["kind"] = test.invalidKind
+				}
+
+				isPolicyType, err := isPolicyTypeManifest(manifest)
+				assertEqual(t, isPolicyType, test.expectedFlag)
+
+				if test.expectedErrMsg == "" {
+					assertEqual(t, err, nil)
+				} else {
+					assertEqual(t, err.Error(), test.expectedErrMsg)
+				}
+			},
+		)
+	}
+}
+
+func TestGetPolicyTemplateFromPolicyTypeManifest(t *testing.T) {
+	t.Parallel()
+	tmpDir := t.TempDir()
+	manifestFiles := []types.Manifest{}
+	createIamPolicyManifest(t, tmpDir, "iamKindManifest.yaml")
+	// Test manifest is non-root IAM policy type.
+	IamManifestPath := path.Join(tmpDir, "iamKindManifest.yaml")
+
+	manifestFiles = append(
+		manifestFiles, types.Manifest{Path: IamManifestPath},
+	)
+
+	// Test both passing in individual files and a flat directory.
+	tests := []struct {
+		Manifests []types.Manifest
+	}{
+		{Manifests: manifestFiles},
+		{
+			Manifests: []types.Manifest{{Path: tmpDir}},
+		},
+	}
+
+	for _, test := range tests {
+		policyConf := types.PolicyConfig{
+			Manifests:         test.Manifests,
+			Name:              "policy-limitclusteradmin",
+			RemediationAction: "inform",
+			Severity:          "low",
+		}
+
+		policyTemplates, err := getPolicyTemplates(&policyConf)
+		if err != nil {
+			t.Fatalf("Failed to get the policy templates: %v", err)
+		}
+		assertEqual(t, len(policyTemplates), 1)
+
+		IamPolicyTemplate := policyTemplates[0]
+		IamObjdef := IamPolicyTemplate["objectDefinition"]
+		assertEqual(t, IamObjdef["apiVersion"], "policy.open-cluster-management.io/v1")
+		// kind will not be overridden by "ConfigurationPolicy".
+		assertEqual(t, IamObjdef["kind"], "IamPolicy")
+		assertEqual(t, IamObjdef["metadata"].(map[string]interface{})["name"], "policy-limitclusteradmin-example")
+		IamSpec, ok := IamObjdef["spec"].(map[string]interface{})
+		if !ok {
+			t.Fatal("The spec field is an invalid format")
+		}
+		// remediationAction will not be overridden by policyConf.
+		assertEqual(t, IamSpec["remediationAction"], "enforce")
+		// severity will not be overridden by policyConf.
+		assertEqual(t, IamSpec["severity"], "medium")
+		assertEqual(t, IamSpec["maxClusterRoleBindingUsers"], 5)
+		namespaceSelector, ok := IamSpec["namespaceSelector"].(map[string]interface{})
+		if !ok {
+			t.Fatal("The namespaceSelector field is an invalid format")
+		}
+		assertReflectEqual(t, namespaceSelector["include"], []interface{}{"*"})
+		assertReflectEqual(t, namespaceSelector["exclude"], []interface{}{"kube-*", "openshift-*"})
+	}
+}
+
 func TestGetPolicyTemplatePatches(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()