Update tests

Author: yolken-segment

cmd/kubeapply/subcmd/validate.go

@@ -112,7 +112,16 @@ func execValidation(ctx context.Context, clusterConfig *config.ClusterConfig) er
 		return err
 	}
 
-	policies, err := validation.DefaultPoliciesFromGlobs(ctx, validateFlagValues.policies)
+	policies, err := validation.DefaultPoliciesFromGlobs(
+		ctx,
+		validateFlagValues.policies,
+		map[string]interface{}{
+			// TODO: Add more parameters here (or entire config)?
+			"cluster": clusterConfig.Cluster,
+			"region":  clusterConfig.Region,
+			"env":     clusterConfig.Env,
+		},
+	)
 	if err != nil {
 		return err
 	}
@@ -129,33 +138,37 @@ func execValidation(ctx context.Context, clusterConfig *config.ClusterConfig) er
 		},
 	)
 
-	log.Infof("Running kubeconform on configs in %+v", clusterConfig.AbsSubpaths())
+	log.Infof("Running validator on configs in %+v", clusterConfig.AbsSubpaths())
 	results, err := validator.RunChecks(ctx, clusterConfig.AbsSubpaths()[0])
 	if err != nil {
 		return err
 	}
 
-	numInvalidResources := 0
+	numInvalidResourceChecks := 0
+	numValidResourceChecks := 0
+	numSkippedResourceChecks := 0
 
 	for _, result := range results {
 		for _, checkResult := range result.CheckResults {
 			switch checkResult.Status {
 			case validation.StatusValid:
+				numValidResourceChecks++
 				log.Debugf(
 					"Resource %s in file %s OK according to check %s",
 					result.Resource.PrettyName(),
 					result.Resource.Path,
 					checkResult.CheckName,
 				)
 			case validation.StatusSkipped:
+				numSkippedResourceChecks++
 				log.Debugf(
 					"Resource %s in file %s was skipped by check %s",
 					result.Resource.PrettyName(),
 					result.Resource.Path,
 					checkResult.CheckName,
 				)
 			case validation.StatusError:
-				numInvalidResources++
+				numInvalidResourceChecks++
 				log.Errorf(
 					"Resource %s in file %s could not be processed by check %s: %s",
 					result.Resource.PrettyName(),
@@ -164,7 +177,7 @@ func execValidation(ctx context.Context, clusterConfig *config.ClusterConfig) er
 					checkResult.Message,
 				)
 			case validation.StatusInvalid:
-				numInvalidResources++
+				numInvalidResourceChecks++
 				log.Errorf(
 					"Resource %s in file %s is invalid according to check %s: %s",
 					result.Resource.PrettyName(),
@@ -179,13 +192,21 @@ func execValidation(ctx context.Context, clusterConfig *config.ClusterConfig) er
 		}
 	}
 
-	if numInvalidResources > 0 {
+	if numInvalidResourceChecks > 0 {
 		return fmt.Errorf(
-			"Validation failed for %d resources",
-			numInvalidResources,
+			"Validation failed for %d resources in cluster %s (%d checks valid, %d skipped)",
+			numInvalidResourceChecks,
+			clusterConfig.DescriptiveName(),
+			numValidResourceChecks,
+			numSkippedResourceChecks,
 		)
 	}
 
-	log.Infof("Validation of cluster %s passed", clusterConfig.DescriptiveName())
+	log.Infof(
+		"Validation of cluster %s passed (%d checks valid, %d skipped)",
+		clusterConfig.DescriptiveName(),
+		numValidResourceChecks,
+		numSkippedResourceChecks,
+	)
 	return nil
 }

pkg/util/headers.go

@@ -9,7 +9,8 @@ import (
 )
 
 var (
-	headerComment = []byte("# Generated by \"kubeapply expand\". DO NOT EDIT.\n")
+	HeaderComment    = []byte("# Generated by \"kubeapply expand\". DO NOT EDIT.\n")
+	HeaderCommentStr = string(HeaderComment)
 )
 
 // AddHeaders adds a comment header to all yaml files in the argument path.
@@ -30,11 +31,11 @@ func AddHeaders(root string) error {
 				return err
 			}
 
-			if bytes.HasPrefix(fileBytes, headerComment) {
+			if bytes.HasPrefix(fileBytes, HeaderComment) {
 				return nil
 			}
 
-			fileBytes = append(headerComment, fileBytes...)
+			fileBytes = append(HeaderComment, fileBytes...)
 
 			return ioutil.WriteFile(path, fileBytes, info.Mode().Perm())
 		},

pkg/validation/kubeconform.go

@@ -6,12 +6,15 @@ import (
 	"github.com/yannh/kubeconform/pkg/validator"
 )
 
+// KubeconformChecker is a Checker implementation that runs kubeconform over all Kubernetes
+// resources.
 type KubeconformChecker struct {
 	validatorObj validator.Validator
 }
 
 var _ Checker = (*KubeconformChecker)(nil)
 
+// NewKubeconformChecker creates a new KubeconformChecker instance.
 func NewKubeconformChecker() (*KubeconformChecker, error) {
 	validatorObj, err := validator.New(
 		nil,
@@ -29,6 +32,7 @@ func NewKubeconformChecker() (*KubeconformChecker, error) {
 	}, nil
 }
 
+// Check runs Kubeconform over the argument resource.
 func (k *KubeconformChecker) Check(_ context.Context, resource Resource) CheckResult {
 	kResult := k.validatorObj.ValidateResource(resource.TokResource())
 

pkg/validation/policy.go

@@ -18,21 +18,31 @@ const (
 
 // Policy wraps a policy module and a prepared query.
 type PolicyChecker struct {
-	Module PolicyModule
-	Query  rego.PreparedEvalQuery
+	Module      PolicyModule
+	Query       rego.PreparedEvalQuery
+	ExtraFields map[string]interface{}
 }
 
 var _ Checker = (*PolicyChecker)(nil)
 
 // PolicyModule contains information about a policy.
 type PolicyModule struct {
-	Name        string
-	Contents    string
-	Package     string
-	Result      string
+	Name string
+
+	// Contents is a string that stores the policy in rego format.
+	Contents string
+
+	// Package is the name of the package in the rego contents.
+	Package string
+
+	// Result is the variable that should be accessed to get the evaluation results.
+	Result string
+
+	// ExtraFields are added into the input and usable for policy evaluation.
 	ExtraFields map[string]interface{}
 }
 
+// NewPolicyChecker creates a new PolicyChecker from the given module.
 func NewPolicyChecker(ctx context.Context, module PolicyModule) (*PolicyChecker, error) {
 	query, err := rego.New(
 		rego.Query(
@@ -51,9 +61,12 @@ func NewPolicyChecker(ctx context.Context, module PolicyModule) (*PolicyChecker,
 	}, nil
 }
 
+// DefaultPoliciesFromGlobs creates policy checkers from one or more file policy globs, using
+// the default package and result values.
 func DefaultPoliciesFromGlobs(
 	ctx context.Context,
 	globs []string,
+	extraFields map[string]interface{},
 ) ([]*PolicyChecker, error) {
 	checkers := []*PolicyChecker{}
 
@@ -71,10 +84,11 @@ func DefaultPoliciesFromGlobs(
 			checker, err := NewPolicyChecker(
 				ctx,
 				PolicyModule{
-					Name:     filepath.Base(match),
-					Contents: string(contents),
-					Package:  defaultPackage,
-					Result:   defaultResult,
+					Name:        filepath.Base(match),
+					Contents:    string(contents),
+					Package:     defaultPackage,
+					Result:      defaultResult,
+					ExtraFields: extraFields,
 				},
 			)
 			if err != nil {
@@ -87,13 +101,23 @@ func DefaultPoliciesFromGlobs(
 	return checkers, nil
 }
 
+// Check runs a check against the argument resource using the current policy.
 func (p *PolicyChecker) Check(ctx context.Context, resource Resource) CheckResult {
-	data := map[string]interface{}{}
 	result := CheckResult{
 		CheckType: CheckTypeOPA,
 		CheckName: p.Module.Name,
 	}
 
+	if resource.Name == "" {
+		// Skip over resources that aren't likely to have any Kubernetes-related
+		// structure.
+		result.Status = StatusEmpty
+		result.Message = fmt.Sprintf("No resource content")
+		return result
+	}
+
+	data := map[string]interface{}{}
+
 	if err := yaml.Unmarshal(resource.Contents, &data); err != nil {
 		result.Status = StatusError
 		result.Message = fmt.Sprintf("Error unmarshalling yaml: %+v", err)

pkg/validation/policy_test.go

@@ -14,6 +14,7 @@ package example
 
 deny[msg] {
 	input.apiVersion == "badVersion"
+	input.extraKey == "extraBadValue"
 	msg = "Cannot have bad api version"
 }`
 
@@ -25,6 +26,18 @@ default allow = true
 allow = false {
 	input.apiVersion == "badVersion"
 }`
+
+	goodVersionResourceStr = `
+apiVersion: goodVersion
+kind: Deployment
+metadata:
+  name: test`
+
+	badVersionResourceStr = `
+apiVersion: badVersion
+kind: Deployment
+metadata:
+  name: test`
 )
 
 func TestPolicyChecker(t *testing.T) {
@@ -43,8 +56,29 @@ func TestPolicyChecker(t *testing.T) {
 				Contents: denyPolicyStr,
 				Package:  "example",
 				Result:   "deny",
+				ExtraFields: map[string]interface{}{
+					"extraKey": "extraBadValue",
+				},
+			},
+			resource: MakeResource("test/path", []byte(goodVersionResourceStr), 0),
+			expected: CheckResult{
+				CheckType: CheckTypeOPA,
+				CheckName: "testDenyPolicy",
+				Status:    StatusValid,
+				Message:   "Policy returned 0 deny reasons",
+			},
+		},
+		{
+			policyModule: PolicyModule{
+				Name:     "testDenyPolicy",
+				Contents: denyPolicyStr,
+				Package:  "example",
+				Result:   "deny",
+				ExtraFields: map[string]interface{}{
+					"extraKey": "goodValue",
+				},
 			},
-			resource: MakeResource("test/path", []byte("apiVersion: goodVersion"), 0),
+			resource: MakeResource("test/path", []byte(badVersionResourceStr), 0),
 			expected: CheckResult{
 				CheckType: CheckTypeOPA,
 				CheckName: "testDenyPolicy",
@@ -58,8 +92,11 @@ func TestPolicyChecker(t *testing.T) {
 				Contents: denyPolicyStr,
 				Package:  "example",
 				Result:   "deny",
+				ExtraFields: map[string]interface{}{
+					"extraKey": "extraBadValue",
+				},
 			},
-			resource: MakeResource("test/path", []byte("apiVersion: badVersion"), 0),
+			resource: MakeResource("test/path", []byte(badVersionResourceStr), 0),
 			expected: CheckResult{
 				CheckType: CheckTypeOPA,
 				CheckName: "testDenyPolicy",
@@ -74,7 +111,7 @@ func TestPolicyChecker(t *testing.T) {
 				Package:  "example",
 				Result:   "allow",
 			},
-			resource: MakeResource("test/path", []byte("apiVersion: goodVersion"), 0),
+			resource: MakeResource("test/path", []byte(goodVersionResourceStr), 0),
 			expected: CheckResult{
 				CheckType: CheckTypeOPA,
 				CheckName: "testAllowPolicy",
@@ -89,14 +126,29 @@ func TestPolicyChecker(t *testing.T) {
 				Package:  "example",
 				Result:   "allow",
 			},
-			resource: MakeResource("test/path", []byte("apiVersion: badVersion"), 0),
+			resource: MakeResource("test/path", []byte(badVersionResourceStr), 0),
 			expected: CheckResult{
 				CheckType: CheckTypeOPA,
 				CheckName: "testAllowPolicy",
 				Status:    StatusInvalid,
 				Message:   "Policy returned allowed = false",
 			},
 		},
+		{
+			policyModule: PolicyModule{
+				Name:     "testAllowPolicy",
+				Contents: allowPolicyStr,
+				Package:  "example",
+				Result:   "allow",
+			},
+			resource: MakeResource("test/path", []byte(""), 0),
+			expected: CheckResult{
+				CheckType: CheckTypeOPA,
+				CheckName: "testAllowPolicy",
+				Status:    StatusEmpty,
+				Message:   "No resource content",
+			},
+		},
 	}
 
 	for _, testCase := range testCases {

pkg/validation/resource.go

@@ -55,6 +55,7 @@ func (r Resource) PrettyName() string {
 	}
 }
 
+// TokResource converts a Resource to a Kubeconform resource (useful for running the latter).
 func (r Resource) TokResource() kresource.Resource {
 	return kresource.Resource{
 		Path:  r.Path,

pkg/validation/result.go

@@ -12,19 +12,21 @@ const (
 	StatusOther   Status = "other"
 )
 
+// CheckType represents the type of check that has been done.
 type CheckType string
 
 const (
 	CheckTypeKubeconform CheckType = "kubeconform"
 	CheckTypeOPA         CheckType = "opa"
 )
 
-// Result stores the results of validating a single resource in a single file.
+// Result stores the results of validating a single resource in a single file, for all checks.
 type Result struct {
 	Resource     Resource
 	CheckResults []CheckResult
 }
 
+// CheckResult contains the detailed results of a single check.
 type CheckResult struct {
 	CheckType CheckType
 	CheckName string