Add the ability to override complianceType at the manifest level

mprahl · mprahl · commit 0d768962d730 · 2021-10-13T13:21:29.000-04:00
Signed-off-by: mprahl &lt;mprahl@users.noreply.github.com&gt;
diff --git a/docs/policygenerator-reference.yaml b/docs/policygenerator-reference.yaml
@@ -65,6 +65,8 @@ policies:
       # Required. Path to a single file or a flat directory of files relative to the
       # kustomization.yaml file.
       - path: ""
+        # Optional. (See policy[0].complianceType for description.)
+        complianceType: "musthave"
         # Optional. A Kustomize patch to apply to the manifest(s) at the path. If there
         # are multiple manifests, the patch requires the apiVersion, kind, metadata.name,
         # and metadata.namespace (if applicable) fields to be set so Kustomize
diff --git a/internal/plugin.go b/internal/plugin.go
@@ -309,6 +309,12 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {
 		if policy.Standards == nil {
 			policy.Standards = p.PolicyDefaults.Standards
 		}
+
+		for i := range policy.Manifests {
+			if policy.Manifests[i].ComplianceType == "" {
+				policy.Manifests[i].ComplianceType = policy.ComplianceType
+			}
+		}
 	}
 }
 
diff --git a/internal/types/types.go b/internal/types/types.go
@@ -2,8 +2,9 @@
 package types
 
 type Manifest struct {
-	Patches []map[string]interface{} `json:"patches,omitempty" yaml:"patches,omitempty"`
-	Path    string                   `json:"path,omitempty" yaml:"path,omitempty"`
+	ComplianceType string                   `json:"complianceType,omitempty" yaml:"complianceType,omitempty"`
+	Patches        []map[string]interface{} `json:"patches,omitempty" yaml:"patches,omitempty"`
+	Path           string                   `json:"path,omitempty" yaml:"path,omitempty"`
 }
 
 type NamespaceSelector struct {
diff --git a/internal/utils.go b/internal/utils.go
@@ -15,10 +15,11 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
-// getManifests will get all of the manifest files associated with the input policy configuration.
-// An error is returned if a manifest path cannot be read.
-func getManifests(policyConf *types.PolicyConfig) ([]map[string]interface{}, error) {
-	manifests := []map[string]interface{}{}
+// getManifests will get all of the manifest files associated with the input policy configuration
+// separated by policyConf.Manifests entries. An error is returned if a manifest path cannot
+// be read.
+func getManifests(policyConf *types.PolicyConfig) ([][]map[string]interface{}, error) {
+	manifests := [][]map[string]interface{}{}
 	for _, manifest := range policyConf.Manifests {
 		manifestPaths := []string{}
 		manifestFiles := []map[string]interface{}{}
@@ -107,7 +108,7 @@ func getManifests(policyConf *types.PolicyConfig) ([]map[string]interface{}, err
 			manifestFiles = *patchedFiles
 		}
 
-		manifests = append(manifests, manifestFiles...)
+		manifests = append(manifests, manifestFiles)
 	}
 
 	return manifests, nil
@@ -120,42 +121,45 @@ func getManifests(policyConf *types.PolicyConfig) ([]map[string]interface{}, err
 // that each template includes a single manifest specified in policyConf.
 // An error is returned if one or more manifests cannot be read or are invalid.
 func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]map[string]interface{}, error) {
-	manifests, err := getManifests(policyConf)
+	manifestGroups, err := getManifests(policyConf)
 	if err != nil {
 		return nil, err
 	}
 
-	if len(manifests) == 0 {
-		return nil, fmt.Errorf(
-			"the policy %s must specify at least one non-empty manifest file", policyConf.Name,
-		)
-	}
-
-	objectTemplatesLength := len(manifests)
+	objectTemplatesLength := len(manifestGroups)
 	policyTemplatesLength := 1
 	if !policyConf.ConsolidateManifests {
-		policyTemplatesLength = len(manifests)
+		policyTemplatesLength = len(manifestGroups)
 		objectTemplatesLength = 0
 	}
 	objectTemplates := make([]map[string]interface{}, 0, objectTemplatesLength)
 	policyTemplates := make([]map[string]map[string]interface{}, 0, policyTemplatesLength)
-	for _, manifest := range manifests {
-		objTemplate := map[string]interface{}{
-			"complianceType":   policyConf.ComplianceType,
-			"objectDefinition": manifest,
-		}
-		if policyConf.ConsolidateManifests {
-			// put all objTemplate with manifest into single consolidated objectTemplates object
-			objectTemplates = append(objectTemplates, objTemplate)
-		} else {
-			// casting each objTemplate with manifest to objectTemplates type
-			// build policyTemplate for each objectTemplates
-			policyTemplate := buildPolicyTemplate(policyConf, &[]map[string]interface{}{objTemplate})
-			setNamespaceSelector(policyConf, policyTemplate)
-			policyTemplates = append(policyTemplates, *policyTemplate)
+	for i, manifestGroup := range manifestGroups {
+		complianceType := policyConf.Manifests[i].ComplianceType
+		for _, manifest := range manifestGroup {
+			objTemplate := map[string]interface{}{
+				"complianceType":   complianceType,
+				"objectDefinition": manifest,
+			}
+			if policyConf.ConsolidateManifests {
+				// put all objTemplate with manifest into single consolidated objectTemplates object
+				objectTemplates = append(objectTemplates, objTemplate)
+			} else {
+				// casting each objTemplate with manifest to objectTemplates type
+				// build policyTemplate for each objectTemplates
+				policyTemplate := buildPolicyTemplate(policyConf, &[]map[string]interface{}{objTemplate})
+				setNamespaceSelector(policyConf, policyTemplate)
+				policyTemplates = append(policyTemplates, *policyTemplate)
+			}
 		}
 	}
 
+	if len(policyTemplates) == 0 && len(objectTemplates) == 0 {
+		return nil, fmt.Errorf(
+			"the policy %s must specify at least one non-empty manifest file", policyConf.Name,
+		)
+	}
+
 	//  just build one policyTemplate by using the above consolidated objectTemplates
 	if policyConf.ConsolidateManifests {
 		policyTemplate := buildPolicyTemplate(policyConf, &objectTemplates)
@@ -164,8 +168,10 @@ func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]map[string
 	}
 
 	// check the enabled expanders and add additional policy templates
-	expandedPolicyTemplates := handleExpanders(manifests, policyConf)
-	policyTemplates = append(policyTemplates, expandedPolicyTemplates...)
+	for _, manifestGroup := range manifestGroups {
+		expandedPolicyTemplates := handleExpanders(manifestGroup, policyConf)
+		policyTemplates = append(policyTemplates, expandedPolicyTemplates...)
+	}
 
 	return policyTemplates, nil
 }
diff --git a/internal/utils_test.go b/internal/utils_test.go
@@ -30,6 +30,7 @@ func TestGetPolicyTemplate(t *testing.T) {
 	t.Parallel()
 	tmpDir := t.TempDir()
 	manifestFiles := []types.Manifest{}
+	manifestFilesMustNotHave := []types.Manifest{}
 	for i, enemy := range []string{"goldfish", "potato"} {
 		manifestPath := path.Join(tmpDir, fmt.Sprintf("configmap%d.yaml", i))
 		manifestYAML := fmt.Sprintf(
@@ -48,7 +49,14 @@ data:
 			t.Fatalf("Failed to write %s", manifestPath)
 		}
 
-		manifestFiles = append(manifestFiles, types.Manifest{Path: manifestPath})
+		// The applyDefaults method would normally fill in ComplianceType on each manifest entry.
+		manifestFiles = append(
+			manifestFiles, types.Manifest{ComplianceType: "musthave", Path: manifestPath},
+		)
+		manifestFilesMustNotHave = append(
+			manifestFilesMustNotHave,
+			types.Manifest{ComplianceType: "mustnothave", Path: manifestPath},
+		)
 	}
 
 	// Write a bogus file to ensure it is not picked up when creating the policy
@@ -60,9 +68,17 @@ data:
 	}
 
 	// Test both passing in individual files and a flat directory
-	tests := []struct{ Manifests []types.Manifest }{
-		{Manifests: manifestFiles},
-		{Manifests: []types.Manifest{{Path: tmpDir}}},
+	tests := []struct {
+		ExpectedComplianceType string
+		Manifests              []types.Manifest
+	}{
+		{ExpectedComplianceType: "musthave", Manifests: manifestFiles},
+		{ExpectedComplianceType: "mustnothave", Manifests: manifestFilesMustNotHave},
+		// The applyDefaults method would normally fill in ComplianceType on each manifest entry.
+		{
+			ExpectedComplianceType: "musthave",
+			Manifests:              []types.Manifest{{ComplianceType: "musthave", Path: tmpDir}},
+		},
 	}
 	// test ConsolidateManifests = true (default case)
 	// policyTemplates will have only one policyTemplate
@@ -97,13 +113,13 @@ data:
 			t.Fatal("The object-templates field is an invalid format")
 		}
 		assertEqual(t, len(objTemplates), 2)
-		assertEqual(t, objTemplates[0]["complianceType"], "musthave")
+		assertEqual(t, objTemplates[0]["complianceType"], test.ExpectedComplianceType)
 		kind1, ok := objTemplates[0]["objectDefinition"].(map[string]interface{})["kind"]
 		if !ok {
 			t.Fatal("The objectDefinition field is an invalid format")
 		}
 		assertEqual(t, kind1, "ConfigMap")
-		assertEqual(t, objTemplates[1]["complianceType"], "musthave")
+		assertEqual(t, objTemplates[1]["complianceType"], test.ExpectedComplianceType)
 		kind2, ok := objTemplates[1]["objectDefinition"].(map[string]interface{})["kind"]
 		if !ok {
 			t.Fatal("The objectDefinition field is an invalid format")
@@ -143,7 +159,7 @@ data:
 			t.Fatal("The object-templates field is an invalid format")
 		}
 		assertEqual(t, len(objTemplates1), 1)
-		assertEqual(t, objTemplates1[0]["complianceType"], "musthave")
+		assertEqual(t, objTemplates1[0]["complianceType"], test.ExpectedComplianceType)
 		kind1, ok := objTemplates1[0]["objectDefinition"].(map[string]interface{})["kind"]
 		if !ok {
 			t.Fatal("The objectDefinition field is an invalid format")
@@ -164,7 +180,7 @@ data:
 			t.Fatal("The object-templates field is an invalid format")
 		}
 		assertEqual(t, len(objTemplates2), 1)
-		assertEqual(t, objTemplates2[0]["complianceType"], "musthave")
+		assertEqual(t, objTemplates2[0]["complianceType"], test.ExpectedComplianceType)
 		kind2, ok := objTemplates2[0]["objectDefinition"].(map[string]interface{})["kind"]
 		if !ok {
 			t.Fatal("The objectDefinition field is an invalid format")
@@ -481,7 +497,7 @@ func TestGetPolicyTemplateInvalidPath(t *testing.T) {
 	manifestPath := path.Join(tmpDir, "does-not-exist.yaml")
 	policyConf := types.PolicyConfig{
 		ComplianceType:    "musthave",
-		Manifests:         []types.Manifest{{Path: manifestPath}},
+		Manifests:         []types.Manifest{{ComplianceType: "musthave", Path: manifestPath}},
 		Name:              "policy-app-config",
 		RemediationAction: "inform",
 		Severity:          "low",

Original file line number	Diff line number	Diff line change
`@@ -309,6 +309,12 @@ func (p *Plugin) applyDefaults(unmarshaledConfig map[string]interface{}) {`
`309`	`309`	`if policy.Standards == nil {`
`310`	`310`	`policy.Standards = p.PolicyDefaults.Standards`
`311`	`311`	`}`
	`312`	`+`
	`313`	`+ for i := range policy.Manifests {`
	`314`	`+ if policy.Manifests[i].ComplianceType == "" {`
	`315`	`+ policy.Manifests[i].ComplianceType = policy.ComplianceType`
	`316`	`+ }`
	`317`	`+ }`
`312`	`318`	`}`
`313`	`319`	`}`
`314`	`320`