Add policy tests

Author: yolken-segment

pkg/validation/kubeconform_test.go

@@ -0,0 +1,118 @@
+package validation
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	validKubeconformDeployment = `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  namespace: test1
+  labels:
+    app: nginx
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80`
+
+	invalidKubeconformDeployment = `
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  namespace: test1
+  labels:
+    app: nginx
+spec:
+  replicas: 3
+  invalidField: invalid
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+        ports:
+        - containerPort: 80`
+)
+
+func TestKubeconformChecker(t *testing.T) {
+	ctx := context.Background()
+
+	type testCase struct {
+		resource Resource
+		expected CheckResult
+	}
+
+	testCases := []testCase{
+		{
+			resource: MakeResource(
+				"test/path",
+				[]byte(validKubeconformDeployment),
+				0,
+			),
+			expected: CheckResult{
+				CheckType: CheckTypeKubeconform,
+				CheckName: "kubeconform",
+				Status:    StatusValid,
+			},
+		},
+		{
+			resource: MakeResource(
+				"test/path",
+				[]byte(invalidKubeconformDeployment),
+				0,
+			),
+			expected: CheckResult{
+				CheckType: CheckTypeKubeconform,
+				CheckName: "kubeconform",
+				Status:    StatusInvalid,
+				Message:   "For field spec: Additional property invalidField is not allowed",
+			},
+		},
+		{
+			resource: MakeResource(
+				"test/path",
+				[]byte("xxx\nzzzz"),
+				0,
+			),
+			expected: CheckResult{
+				CheckType: CheckTypeKubeconform,
+				CheckName: "kubeconform",
+				Status:    StatusError,
+				Message:   "error unmarshalling resource: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string into Go value of type map[string]interface {}",
+			},
+		},
+	}
+
+	checker, err := NewKubeconformChecker()
+	require.NoError(t, err)
+
+	for _, testCase := range testCases {
+		result := checker.Check(ctx, testCase.resource)
+		assert.Equal(t, testCase.expected, result)
+	}
+}

pkg/validation/policy.go

@@ -3,11 +3,19 @@ package validation
 import (
 	"context"
 	"fmt"
+	"io/ioutil"
+	"path/filepath"
+	"reflect"
 
 	"github.com/ghodss/yaml"
 	"github.com/open-policy-agent/opa/rego"
 )
 
+const (
+	defaultPackage = "com.segment.kubeapply"
+	defaultResult  = "deny"
+)
+
 // Policy wraps a policy module and a prepared query.
 type PolicyChecker struct {
 	Module PolicyModule
@@ -27,7 +35,7 @@ type PolicyModule struct {
 func NewPolicyChecker(ctx context.Context, module PolicyModule) (*PolicyChecker, error) {
 	query, err := rego.New(
 		rego.Query(
-			fmt.Sprintf("result = %s.%s", module.Package, module.Result),
+			fmt.Sprintf("result = data.%s.%s", module.Package, module.Result),
 		),
 		rego.Module(module.Package, module.Contents),
 	).PrepareForEval(ctx)
@@ -42,6 +50,42 @@ func NewPolicyChecker(ctx context.Context, module PolicyModule) (*PolicyChecker,
 	}, nil
 }
 
+func DefaultPoliciesFromGlobs(
+	ctx context.Context,
+	globs []string,
+) ([]PolicyChecker, error) {
+	checkers := []PolicyChecker{}
+
+	for _, glob := range globs {
+		matches, err := filepath.Glob(glob)
+		if err != nil {
+			return nil, err
+		}
+		for _, match := range matches {
+			contents, err := ioutil.ReadFile(match)
+			if err != nil {
+				return nil, err
+			}
+
+			checker, err := NewPolicyChecker(
+				ctx,
+				PolicyModule{
+					Name:     filepath.Base(match),
+					Contents: string(contents),
+					Package:  defaultPackage,
+					Result:   defaultResult,
+				},
+			)
+			if err != nil {
+				return nil, err
+			}
+			checkers = append(checkers, *checker)
+		}
+	}
+
+	return checkers, nil
+}
+
 func (p *PolicyChecker) Check(ctx context.Context, resource Resource) CheckResult {
 	data := map[string]interface{}{}
 	result := CheckResult{
@@ -68,19 +112,35 @@ func (p *PolicyChecker) Check(ctx context.Context, resource Resource) CheckResul
 		return result
 	}
 
-	allowed, ok := results[0].Bindings["result"].(bool)
-
-	if !ok {
+	switch value := results[0].Bindings["result"].(type) {
+	case bool:
+		if value {
+			result.Status = StatusValid
+			result.Message = "Policy returned allowed = true"
+		} else {
+			result.Status = StatusInvalid
+			result.Message = "Policy returned allowed = false"
+		}
+	case []interface{}:
+		if len(value) == 0 {
+			result.Status = StatusValid
+			result.Message = "Policy returned 0 deny reasons"
+		} else {
+			result.Status = StatusInvalid
+			result.Message = fmt.Sprintf(
+				"Policy returned %d deny reason(s): %+v",
+				len(value),
+				value,
+			)
+		}
+	default:
 		result.Status = StatusError
-		result.Message = fmt.Sprintf("Did not get exactly one result: %+v", results)
-		return result
-	} else if !allowed {
-		result.Status = StatusInvalid
-		result.Message = "Policy returned allowed = false"
-		return result
-	} else {
-		result.Status = StatusValid
-		result.Message = "Policy returned allowed = true"
-		return result
+		result.Message = fmt.Sprintf(
+			"Got unexpected response type: %+v (%+v)",
+			reflect.TypeOf(value),
+			value,
+		)
 	}
+
+	return result
 }

pkg/validation/policy_test.go

@@ -0,0 +1,112 @@
+package validation
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	denyPolicyStr = `
+package example
+
+deny[msg] {
+	input.apiVersion == "badVersion"
+	msg = "Cannot have bad api version"
+}`
+
+	allowPolicyStr = `
+package example
+
+default allow = true
+
+allow = false {
+	input.apiVersion == "badVersion"
+}`
+)
+
+func TestPolicyChecker(t *testing.T) {
+	ctx := context.Background()
+
+	type testCase struct {
+		policyModule PolicyModule
+		resource     Resource
+		expected     CheckResult
+	}
+
+	testCases := []testCase{
+		{
+			policyModule: PolicyModule{
+				Name:     "testDenyPolicy",
+				Contents: denyPolicyStr,
+				Package:  "example",
+				Result:   "deny",
+			},
+			resource: MakeResource("test/path", []byte("apiVersion: goodVersion"), 0),
+			expected: CheckResult{
+				CheckType: CheckTypeOPA,
+				CheckName: "testDenyPolicy",
+				Status:    StatusValid,
+				Message:   "Policy returned 0 deny reasons",
+			},
+		},
+		{
+			policyModule: PolicyModule{
+				Name:     "testDenyPolicy",
+				Contents: denyPolicyStr,
+				Package:  "example",
+				Result:   "deny",
+			},
+			resource: MakeResource("test/path", []byte("apiVersion: badVersion"), 0),
+			expected: CheckResult{
+				CheckType: CheckTypeOPA,
+				CheckName: "testDenyPolicy",
+				Status:    StatusInvalid,
+				Message:   "Policy returned 1 deny reason(s): [Cannot have bad api version]",
+			},
+		},
+		{
+			policyModule: PolicyModule{
+				Name:     "testAllowPolicy",
+				Contents: allowPolicyStr,
+				Package:  "example",
+				Result:   "allow",
+			},
+			resource: MakeResource("test/path", []byte("apiVersion: goodVersion"), 0),
+			expected: CheckResult{
+				CheckType: CheckTypeOPA,
+				CheckName: "testAllowPolicy",
+				Status:    StatusValid,
+				Message:   "Policy returned allowed = true",
+			},
+		},
+		{
+			policyModule: PolicyModule{
+				Name:     "testAllowPolicy",
+				Contents: allowPolicyStr,
+				Package:  "example",
+				Result:   "allow",
+			},
+			resource: MakeResource("test/path", []byte("apiVersion: badVersion"), 0),
+			expected: CheckResult{
+				CheckType: CheckTypeOPA,
+				CheckName: "testAllowPolicy",
+				Status:    StatusInvalid,
+				Message:   "Policy returned allowed = false",
+			},
+		},
+	}
+
+	for _, testCase := range testCases {
+		checker, err := NewPolicyChecker(
+			ctx,
+			testCase.policyModule,
+		)
+		require.NoError(t, err)
+
+		result := checker.Check(ctx, testCase.resource)
+		assert.Equal(t, testCase.expected, result)
+	}
+}