Refactor policyTemplates type

It was map[string]map[string]interface{}, but now it is relaxed to
map[string]interface{}. Previously the only field under the template was
the `objectDefinition`, but it can soon have `ignorePending` and
`extraDependencies` which are not map[string]interface{}s.

Refs:
 - stolostron/backlog#26183

Signed-off-by: Justin Kulikauskas <[email protected]>

Author: JustinKuli

internal/expanders/expanders.go

@@ -20,7 +20,7 @@ type Expander interface {
 	// Enabled determines if the policy configuration allows a policy to be expanded.
 	Enabled(policyConf *types.PolicyConfig) bool
 	// Expand will generate additional policy templates for the policy for auditing purposes.
-	Expand(manifest map[string]interface{}, severity string) []map[string]map[string]interface{}
+	Expand(manifest map[string]interface{}, severity string) []map[string]interface{}
 }
 
 // Common constants for the expanders.

internal/expanders/gatekeeper.go

@@ -47,15 +47,15 @@ func (g GatekeeperPolicyExpander) Enabled(policyConf *types.PolicyConfig) bool {
 // method.
 func (g GatekeeperPolicyExpander) Expand(
 	manifest map[string]interface{}, severity string,
-) []map[string]map[string]interface{} {
-	templates := []map[string]map[string]interface{}{}
+) []map[string]interface{} {
+	templates := []map[string]interface{}{}
 	// These were previously validated in the CanHandle method.
 	constraintName, _, _ := unstructured.NestedString(manifest, "metadata", "name")
 	constraintKind, _, _ := unstructured.NestedString(manifest, "kind")
 
 	auditConfigPolicyName := fmt.Sprintf("inform-gatekeeper-audit-%s", constraintName)
-	auditConfigurationPolicy := map[string]map[string]interface{}{
-		"objectDefinition": {
+	auditConfigurationPolicy := map[string]interface{}{
+		"objectDefinition": map[string]interface{}{
 			"apiVersion": configPolicyAPIVersion,
 			"kind":       configPolicyKind,
 			"metadata":   map[string]interface{}{"name": auditConfigPolicyName},
@@ -87,8 +87,8 @@ func (g GatekeeperPolicyExpander) Expand(
 	// Further improvements here could be made by having the user specify the Gatekeeper namespace and
 	// targeting the events for the constraint kind to just that namespace.
 	admissionConfigPolicyName := fmt.Sprintf("inform-gatekeeper-admission-%s", constraintName)
-	admissionConfigurationPolicy := map[string]map[string]interface{}{
-		"objectDefinition": {
+	admissionConfigurationPolicy := map[string]interface{}{
+		"objectDefinition": map[string]interface{}{
 			"apiVersion": configPolicyAPIVersion,
 			"kind":       configPolicyKind,
 			"metadata":   map[string]interface{}{"name": admissionConfigPolicyName},

internal/expanders/gatekeeper_test.go

@@ -92,9 +92,9 @@ func TestGatekeeperExpand(t *testing.T) {
 		},
 	}
 
-	expected := []map[string]map[string]interface{}{
+	expected := []map[string]interface{}{
 		{
-			"objectDefinition": {
+			"objectDefinition": map[string]interface{}{
 				"apiVersion": configPolicyAPIVersion,
 				"kind":       configPolicyKind,
 				"metadata":   map[string]interface{}{"name": "inform-gatekeeper-audit-my-awesome-constraint"},
@@ -124,7 +124,7 @@ func TestGatekeeperExpand(t *testing.T) {
 			},
 		},
 		{
-			"objectDefinition": {
+			"objectDefinition": map[string]interface{}{
 				"apiVersion": configPolicyAPIVersion,
 				"kind":       configPolicyKind,
 				"metadata":   map[string]interface{}{"name": "inform-gatekeeper-admission-my-awesome-constraint"},

internal/expanders/kyverno.go

@@ -44,14 +44,14 @@ func (k KyvernoPolicyExpander) Enabled(policyConf *types.PolicyConfig) bool {
 // through Open Cluster Management. This should be run after the CanHandle method.
 func (k KyvernoPolicyExpander) Expand(
 	manifest map[string]interface{}, severity string,
-) []map[string]map[string]interface{} {
-	templates := []map[string]map[string]interface{}{}
+) []map[string]interface{} {
+	templates := []map[string]interface{}{}
 	// This was previously validated in the CanHandle method.
 	policyName, _, _ := unstructured.NestedString(manifest, "metadata", "name")
 
 	configPolicyName := fmt.Sprintf("inform-kyverno-%s", policyName)
-	configurationPolicy := map[string]map[string]interface{}{
-		"objectDefinition": {
+	configurationPolicy := map[string]interface{}{
+		"objectDefinition": map[string]interface{}{
 			"apiVersion": configPolicyAPIVersion,
 			"kind":       configPolicyKind,
 			"metadata":   map[string]interface{}{"name": configPolicyName},

internal/expanders/kyverno_test.go

@@ -95,9 +95,9 @@ func TestKyvernoExpand(t *testing.T) {
 		},
 	}
 
-	expected := []map[string]map[string]interface{}{
+	expected := []map[string]interface{}{
 		{
-			"objectDefinition": {
+			"objectDefinition": map[string]interface{}{
 				"apiVersion": configPolicyAPIVersion,
 				"kind":       configPolicyKind,
 				"metadata":   map[string]interface{}{"name": "inform-kyverno-my-awesome-policy"},

internal/utils.go

@@ -150,7 +150,7 @@ func getManifests(policyConf *types.PolicyConfig) ([][]map[string]interface{}, e
 // policyConf.ConsolidateManifests = false will generate a policy templates slice
 // that each template includes a single manifest specified in policyConf.
 // An error is returned if one or more manifests cannot be read or are invalid.
-func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]map[string]interface{}, error) {
+func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]interface{}, error) {
 	manifestGroups, err := getManifests(policyConf)
 	if err != nil {
 		return nil, err
@@ -165,7 +165,7 @@ func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]map[string
 	}
 
 	objectTemplates := make([]map[string]interface{}, 0, objectTemplatesLength)
-	policyTemplates := make([]map[string]map[string]interface{}, 0, policyTemplatesLength)
+	policyTemplates := make([]map[string]interface{}, 0, policyTemplatesLength)
 
 	for i, manifestGroup := range manifestGroups {
 		complianceType := policyConf.Manifests[i].ComplianceType
@@ -182,7 +182,8 @@ func getPolicyTemplates(policyConf *types.PolicyConfig) ([]map[string]map[string
 			}
 
 			if isPolicyTypeManifest {
-				policyTemplate := map[string]map[string]interface{}{"objectDefinition": manifest}
+				policyTemplate := map[string]interface{}{"objectDefinition": manifest}
+
 				policyTemplates = append(policyTemplates, policyTemplate)
 
 				continue
@@ -275,14 +276,15 @@ func isPolicyTypeManifest(manifest map[string]interface{}) (bool, error) {
 // setNamespaceSelector sets the namespace selector, if set, on the input policy template.
 func setNamespaceSelector(
 	policyConf *types.ConfigurationPolicyOptions,
-	policyTemplate map[string]map[string]interface{},
+	policyTemplate map[string]interface{},
 ) {
 	selector := policyConf.NamespaceSelector
 	if selector.Exclude != nil ||
 		selector.Include != nil ||
 		selector.MatchLabels != nil ||
 		selector.MatchExpressions != nil {
-		spec := policyTemplate["objectDefinition"]["spec"].(map[string]interface{})
+		objDef := policyTemplate["objectDefinition"].(map[string]interface{})
+		spec := objDef["spec"].(map[string]interface{})
 		spec["namespaceSelector"] = selector
 	}
 }
@@ -317,16 +319,16 @@ func buildPolicyTemplate(
 	policyNum int,
 	objectTemplates []map[string]interface{},
 	configPolicyOptionsOverrides *types.ConfigurationPolicyOptions,
-) map[string]map[string]interface{} {
+) map[string]interface{} {
 	var name string
 	if policyNum > 1 {
 		name = fmt.Sprintf("%s%d", policyConf.Name, policyNum)
 	} else {
 		name = policyConf.Name
 	}
 
-	policyTemplate := map[string]map[string]interface{}{
-		"objectDefinition": {
+	policyTemplate := map[string]interface{}{
+		"objectDefinition": map[string]interface{}{
 			"apiVersion": policyAPIVersion,
 			"kind":       configPolicyKind,
 			"metadata": map[string]interface{}{
@@ -344,11 +346,13 @@ func buildPolicyTemplate(
 	setNamespaceSelector(&policyConf.ConfigurationPolicyOptions, policyTemplate)
 
 	if len(policyConf.ConfigurationPolicyAnnotations) > 0 {
-		metadata := policyTemplate["objectDefinition"]["metadata"].(map[string]interface{})
+		objDef := policyTemplate["objectDefinition"].(map[string]interface{})
+		metadata := objDef["metadata"].(map[string]interface{})
 		metadata["annotations"] = policyConf.ConfigurationPolicyAnnotations
 	}
 
-	configSpec := policyTemplate["objectDefinition"]["spec"].(map[string]interface{})
+	objDef := policyTemplate["objectDefinition"].(map[string]interface{})
+	configSpec := objDef["spec"].(map[string]interface{})
 
 	// Set EvaluationInterval with manifest overrides
 	evaluationInterval := configPolicyOptionsOverrides.EvaluationInterval
@@ -389,10 +393,8 @@ func buildPolicyTemplate(
 
 // handleExpanders will go through all the enabled expanders and generate additional
 // policy templates to include in the policy.
-func handleExpanders(
-	manifests []map[string]interface{}, policyConf types.PolicyConfig,
-) []map[string]map[string]interface{} {
-	policyTemplates := []map[string]map[string]interface{}{}
+func handleExpanders(manifests []map[string]interface{}, policyConf types.PolicyConfig) []map[string]interface{} {
+	policyTemplates := []map[string]interface{}{}
 
 	for _, expander := range expanders.GetExpanders() {
 		for _, m := range manifests {
@@ -499,11 +501,12 @@ func verifyManifestPath(baseDirectory string, manifestPath string) error {
 }
 
 // Check policy-templates to see if all the remediation actions match, if so return the root policy remediation action
-func getRootRemediationAction(policyTemplates []map[string]map[string]interface{}) string {
+func getRootRemediationAction(policyTemplates []map[string]interface{}) string {
 	var action string
 
 	for _, value := range policyTemplates {
-		if spec, ok := value["objectDefinition"]["spec"].(map[string]interface{}); ok {
+		objDef := value["objectDefinition"].(map[string]interface{})
+		if spec, ok := objDef["spec"].(map[string]interface{}); ok {
 			if _, ok = spec["remediationAction"].(string); ok {
 				if action == "" {
 					action = spec["remediationAction"].(string)

internal/utils_test.go

@@ -215,7 +215,7 @@ data:
 		assertEqual(t, len(policyTemplates), 1)
 
 		policyTemplate := policyTemplates[0]
-		objdef := policyTemplate["objectDefinition"]
+		objdef := policyTemplate["objectDefinition"].(map[string]interface{})
 
 		assertEqual(t, objdef["metadata"].(map[string]interface{})["name"].(string), "policy-app-config")
 
@@ -383,7 +383,7 @@ resources:
 		assertEqual(t, len(policyTemplates), 1)
 
 		policyTemplate := policyTemplates[0]
-		objdef := policyTemplate["objectDefinition"]
+		objdef := policyTemplate["objectDefinition"].(map[string]interface{})
 
 		assertEqual(t, objdef["metadata"].(map[string]interface{})["name"].(string), "policy-kustomize")
 
@@ -517,7 +517,7 @@ data:
 
 		for i := 0; i < len(policyTemplates); i++ {
 			policyTemplate := policyTemplates[i]
-			objdef := policyTemplate["objectDefinition"]
+			objdef := policyTemplate["objectDefinition"].(map[string]interface{})
 			name := "policy-app-config"
 
 			if i > 0 {
@@ -705,7 +705,7 @@ func TestGetPolicyTemplateFromPolicyTypeManifest(t *testing.T) {
 		assertEqual(t, len(policyTemplates), 1)
 
 		IamPolicyTemplate := policyTemplates[0]
-		IamObjdef := IamPolicyTemplate["objectDefinition"]
+		IamObjdef := IamPolicyTemplate["objectDefinition"].(map[string]interface{})
 		assertEqual(t, IamObjdef["apiVersion"], "policy.open-cluster-management.io/v1")
 		// kind will not be overridden by "ConfigurationPolicy".
 		assertEqual(t, IamObjdef["kind"], "IamPolicy")
@@ -778,7 +778,7 @@ data:
 	assertEqual(t, len(policyTemplates), 1)
 
 	policyTemplate := policyTemplates[0]
-	objdef := policyTemplate["objectDefinition"]
+	objdef := policyTemplate["objectDefinition"].(map[string]interface{})
 	assertEqual(t, objdef["metadata"].(map[string]interface{})["name"].(string), "policy-app-config")
 
 	spec, ok := objdef["spec"].(map[string]interface{})
@@ -866,7 +866,7 @@ data:
 	assertEqual(t, len(policyTemplates), 1)
 
 	policyTemplate := policyTemplates[0]
-	objdef := policyTemplate["objectDefinition"]
+	objdef := policyTemplate["objectDefinition"].(map[string]interface{})
 
 	assertEqual(t, objdef["metadata"].(map[string]interface{})["name"].(string), "policy-app-config")
 
@@ -1009,7 +1009,7 @@ metadata:
 	// This is not an in-depth test since the Kyverno expansion is tested elsewhere. This is to
 	// to test that glue code is working as expected.
 	expandedPolicyTemplate := policyTemplates[1]
-	objdef := expandedPolicyTemplate["objectDefinition"]
+	objdef := expandedPolicyTemplate["objectDefinition"].(map[string]interface{})
 
 	spec, ok := objdef["spec"].(map[string]interface{})
 	if !ok {
@@ -1469,8 +1469,8 @@ data:
 func TestGetRootRemediationAction(t *testing.T) {
 	t.Parallel()
 
-	policyTemplates := []map[string]map[string]interface{}{
-		{"objectDefinition": {
+	policyTemplates := []map[string]interface{}{{
+		"objectDefinition": map[string]interface{}{
 			"apiVersion": policyAPIVersion,
 			"kind":       configPolicyKind,
 			"metadata": map[string]interface{}{
@@ -1480,13 +1480,14 @@ func TestGetRootRemediationAction(t *testing.T) {
 				"remediationAction": "inform",
 				"severity":          "low",
 			},
-		}},
-	}
+		},
+	}}
 
 	expected := getRootRemediationAction(policyTemplates)
 	assertEqual(t, "inform", expected)
 
-	policyTemplates[0]["objectDefinition"]["spec"].(map[string]interface{})["remediationAction"] = "enforce"
+	objDef := policyTemplates[0]["objectDefinition"].(map[string]interface{})
+	objDef["spec"].(map[string]interface{})["remediationAction"] = "enforce"
 	expected = getRootRemediationAction(policyTemplates)
 	assertEqual(t, "enforce", expected)
 }