Add reasons

yolken-segment · yolken-segment · commit 0ecbc1d2576c · 2021-04-13T13:57:49.000-07:00
diff --git a/pkg/validation/policy.go b/pkg/validation/policy.go
@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"path/filepath"
 	"reflect"
+	"strings"
 
 	"github.com/ghodss/yaml"
 	"github.com/open-policy-agent/opa/rego"
@@ -14,6 +15,7 @@ import (
 const (
 	defaultPackage = "com.segment.kubeapply"
 	defaultResult  = "deny"
+	warnPrefix     = "warn:"
 )
 
 // Policy wraps a policy module and a prepared query.
@@ -155,12 +157,53 @@ func (p *PolicyChecker) Check(ctx context.Context, resource Resource) CheckResul
 			result.Status = StatusValid
 			result.Message = "Policy returned 0 deny reasons"
 		} else {
-			result.Status = StatusInvalid
-			result.Message = fmt.Sprintf(
-				"Policy returned %d deny reason(s): %+v",
-				len(value),
-				value,
-			)
+			invalidReasons := []string{}
+			warnReasons := []string{}
+
+			for _, subValue := range value {
+				subValueStr := fmt.Sprintf("%v", subValue)
+
+				if strings.HasPrefix(
+					strings.ToLower(subValueStr),
+					warnPrefix,
+				) {
+					// Treat this as a warning
+					warnReasons = append(
+						warnReasons,
+						subValueStr,
+					)
+				} else {
+					// Treat this as a denial
+					invalidReasons = append(
+						invalidReasons,
+						subValueStr,
+					)
+				}
+			}
+
+			if len(invalidReasons) == 0 {
+				result.Status = StatusWarning
+				result.Message = fmt.Sprintf(
+					"Policy returned %d warn reason(s)",
+					len(warnReasons),
+				)
+				result.Reasons = warnReasons
+			} else if len(warnReasons) == 0 {
+				result.Status = StatusInvalid
+				result.Message = fmt.Sprintf(
+					"Policy returned %d deny reason(s)",
+					len(invalidReasons),
+				)
+				result.Reasons = invalidReasons
+			} else {
+				result.Status = StatusInvalid
+				result.Message = fmt.Sprintf(
+					"Policy returned %d deny reason(s) and %d warn reason(s)",
+					len(invalidReasons),
+					len(warnReasons),
+				)
+				result.Reasons = append(invalidReasons, warnReasons...)
+			}
 		}
 	default:
 		result.Status = StatusError
diff --git a/pkg/validation/policy_test.go b/pkg/validation/policy_test.go
@@ -14,8 +14,17 @@ package example
 
 deny[msg] {
 	input.apiVersion == "badVersion"
-	input.extraKey == "extraBadValue"
 	msg = "Cannot have bad api version"
+}
+
+deny[msg] {
+	input.extraKey == "extraBadValue"
+	msg = "Cannot have bad extra key"
+}
+
+deny[msg] {
+	input.extraKey2 == "warnValue"
+	msg = "WARN: Cannot have warn value"
 }`
 
 	allowPolicyStr = `
@@ -56,9 +65,6 @@ func TestPolicyChecker(t *testing.T) {
 				Contents: denyPolicyStr,
 				Package:  "example",
 				Result:   "deny",
-				ExtraFields: map[string]interface{}{
-					"extraKey": "extraBadValue",
-				},
 			},
 			resource: MakeResource("test/path", []byte(goodVersionResourceStr), 0),
 			expected: CheckResult{
@@ -82,8 +88,32 @@ func TestPolicyChecker(t *testing.T) {
 			expected: CheckResult{
 				CheckType: CheckTypeOPA,
 				CheckName: "testDenyPolicy",
-				Status:    StatusValid,
-				Message:   "Policy returned 0 deny reasons",
+				Status:    StatusInvalid,
+				Message:   "Policy returned 1 deny reason(s)",
+				Reasons: []string{
+					"Cannot have bad api version",
+				},
+			},
+		},
+		{
+			policyModule: PolicyModule{
+				Name:     "testDenyPolicy",
+				Contents: denyPolicyStr,
+				Package:  "example",
+				Result:   "deny",
+				ExtraFields: map[string]interface{}{
+					"extraKey2": "warnValue",
+				},
+			},
+			resource: MakeResource("test/path", []byte(goodVersionResourceStr), 0),
+			expected: CheckResult{
+				CheckType: CheckTypeOPA,
+				CheckName: "testDenyPolicy",
+				Status:    StatusWarning,
+				Message:   "Policy returned 1 warn reason(s)",
+				Reasons: []string{
+					"WARN: Cannot have warn value",
+				},
 			},
 		},
 		{
@@ -101,7 +131,35 @@ func TestPolicyChecker(t *testing.T) {
 				CheckType: CheckTypeOPA,
 				CheckName: "testDenyPolicy",
 				Status:    StatusInvalid,
-				Message:   "Policy returned 1 deny reason(s): [Cannot have bad api version]",
+				Message:   "Policy returned 2 deny reason(s)",
+				Reasons: []string{
+					"Cannot have bad extra key",
+					"Cannot have bad api version",
+				},
+			},
+		},
+		{
+			policyModule: PolicyModule{
+				Name:     "testDenyPolicy",
+				Contents: denyPolicyStr,
+				Package:  "example",
+				Result:   "deny",
+				ExtraFields: map[string]interface{}{
+					"extraKey":  "extraBadValue",
+					"extraKey2": "warnValue",
+				},
+			},
+			resource: MakeResource("test/path", []byte(badVersionResourceStr), 0),
+			expected: CheckResult{
+				CheckType: CheckTypeOPA,
+				CheckName: "testDenyPolicy",
+				Status:    StatusInvalid,
+				Message:   "Policy returned 2 deny reason(s) and 1 warn reason(s)",
+				Reasons: []string{
+					"Cannot have bad extra key",
+					"Cannot have bad api version",
+					"WARN: Cannot have warn value",
+				},
 			},
 		},
 		{
diff --git a/pkg/validation/result.go b/pkg/validation/result.go
@@ -6,6 +6,7 @@ type Status string
 const (
 	StatusValid   Status = "valid"
 	StatusInvalid Status = "invalid"
+	StatusWarning Status = "warning"
 	StatusError   Status = "error"
 	StatusSkipped Status = "skipped"
 	StatusEmpty   Status = "empty"
@@ -31,4 +32,5 @@ type CheckResult struct {
 	CheckName string
 	Status    Status
 	Message   string
+	Reasons   []string
 }
