Keep iterating on policy checking

yolken-segment · yolken-segment · commit c345f31e82ec · 2021-04-08T19:15:30.000-07:00
diff --git a/cmd/kubeapply/subcmd/validate.go b/cmd/kubeapply/subcmd/validate.go
@@ -102,21 +102,25 @@ func execValidation(ctx context.Context, clusterConfig *config.ClusterConfig) er
 	numInvalidResources := 0
 
 	for _, result := range results {
-		switch result.Status {
+		switch result.SchemaStatus {
 		case validation.StatusValid:
 			log.Infof("Resource %s in file %s OK", result.PrettyName(), result.Filename)
 		case validation.StatusSkipped:
 			log.Debugf("Resource %s in file %s was skipped", result.PrettyName(), result.Filename)
 		case validation.StatusError:
 			numInvalidResources++
-			log.Errorf("File %s could not be validated: %+v", result.Filename, result.Message)
+			log.Errorf(
+				"File %s could not be validated: %+v",
+				result.Filename,
+				result.SchemaMessage,
+			)
 		case validation.StatusInvalid:
 			numInvalidResources++
 			log.Errorf(
 				"Resource %s in file %s is invalid: %s",
 				result.PrettyName(),
 				result.Filename,
-				result.Message,
+				result.SchemaMessage,
 			)
 		case validation.StatusEmpty:
 		default:
diff --git a/pkg/validation/checker.go b/pkg/validation/checker.go
@@ -0,0 +1,8 @@
+package validation
+
+import "context"
+
+// Checker is an interface that checks a resource and then returns a CheckResult.
+type Checker interface {
+	Check(context.Context, Resource) CheckResult
+}
diff --git a/pkg/validation/kubeconform.go b/pkg/validation/kubeconform.go
@@ -0,0 +1,63 @@
+package validation
+
+import (
+	"context"
+
+	"github.com/yannh/kubeconform/pkg/validator"
+)
+
+type KubeconformChecker struct {
+	validatorObj validator.Validator
+}
+
+var _ Checker = (*KubeconformChecker)(nil)
+
+func NewKubeconformChecker() (*KubeconformChecker, error) {
+	validatorObj, err := validator.New(
+		nil,
+		validator.Opts{
+			IgnoreMissingSchemas: true,
+			Strict:               true,
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return &KubeconformChecker{
+		validatorObj: validatorObj,
+	}, nil
+}
+
+func (k *KubeconformChecker) Check(_ context.Context, resource Resource) CheckResult {
+	kResult := k.validatorObj.ValidateResource(resource.TokResource())
+
+	var message string
+	if kResult.Err != nil {
+		message = kResult.Err.Error()
+	}
+
+	return CheckResult{
+		CheckType: CheckTypeKubeconform,
+		CheckName: "kubeconform",
+		Status:    kStatusToStatus(kResult.Status),
+		Message:   message,
+	}
+}
+
+func kStatusToStatus(kStatus validator.Status) Status {
+	switch kStatus {
+	case validator.Valid:
+		return StatusValid
+	case validator.Invalid:
+		return StatusInvalid
+	case validator.Error:
+		return StatusError
+	case validator.Skipped:
+		return StatusSkipped
+	case validator.Empty:
+		return StatusEmpty
+	default:
+		return StatusOther
+	}
+}
diff --git a/pkg/validation/policy.go b/pkg/validation/policy.go
@@ -0,0 +1,86 @@
+package validation
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/ghodss/yaml"
+	"github.com/open-policy-agent/opa/rego"
+)
+
+// Policy wraps a policy module and a prepared query.
+type PolicyChecker struct {
+	Module PolicyModule
+	Query  rego.PreparedEvalQuery
+}
+
+var _ Checker = (*PolicyChecker)(nil)
+
+// PolicyModule contains information about a policy.
+type PolicyModule struct {
+	Name     string
+	Contents string
+	Package  string
+	Result   string
+}
+
+func NewPolicyChecker(ctx context.Context, module PolicyModule) (*PolicyChecker, error) {
+	query, err := rego.New(
+		rego.Query(
+			fmt.Sprintf("result = %s.%s", module.Package, module.Result),
+		),
+		rego.Module(module.Package, module.Contents),
+	).PrepareForEval(ctx)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &PolicyChecker{
+		Module: module,
+		Query:  query,
+	}, nil
+}
+
+func (p *PolicyChecker) Check(ctx context.Context, resource Resource) CheckResult {
+	data := map[string]interface{}{}
+	result := CheckResult{
+		CheckType: CheckTypeOPA,
+		CheckName: p.Module.Name,
+	}
+
+	if err := yaml.Unmarshal(resource.Contents, &data); err != nil {
+		result.Status = StatusError
+		result.Message = fmt.Sprintf("Error unmarshalling yaml: %+v", err)
+		return result
+	}
+
+	results, err := p.Query.Eval(ctx, rego.EvalInput(data))
+	if err != nil {
+		result.Status = StatusError
+		result.Message = fmt.Sprintf("Error evaluating query: %+v", err)
+		return result
+	}
+
+	if len(results) != 1 {
+		result.Status = StatusError
+		result.Message = fmt.Sprintf("Did not get exactly one result: %+v", results)
+		return result
+	}
+
+	allowed, ok := results[0].Bindings["result"].(bool)
+
+	if !ok {
+		result.Status = StatusError
+		result.Message = fmt.Sprintf("Did not get exactly one result: %+v", results)
+		return result
+	} else if !allowed {
+		result.Status = StatusInvalid
+		result.Message = "Policy returned allowed = false"
+		return result
+	} else {
+		result.Status = StatusValid
+		result.Message = "Policy returned allowed = true"
+		return result
+	}
+}
diff --git a/pkg/validation/resource.go b/pkg/validation/resource.go
@@ -0,0 +1,63 @@
+package validation
+
+import (
+	"fmt"
+
+	kresource "github.com/yannh/kubeconform/pkg/resource"
+)
+
+// Resource is a Kubernetes resource from a file that we want to do checks on.
+type Resource struct {
+	Path      string
+	Contents  []byte
+	Name      string
+	Namespace string
+	Version   string
+	Kind      string
+
+	index int
+}
+
+// MakeResource constructs a resource from a path, contents, and index.
+func MakeResource(path string, contents []byte, index int) Resource {
+	kResource := &kresource.Resource{
+		Path:  path,
+		Bytes: contents,
+	}
+
+	resource := Resource{
+		Path:     path,
+		Contents: contents,
+		index:    index,
+	}
+
+	sig, err := kResource.Signature()
+	if err == nil || sig != nil {
+		resource.Name = sig.Name
+		resource.Kind = sig.Kind
+		resource.Namespace = sig.Namespace
+		resource.Version = sig.Version
+	}
+
+	return resource
+}
+
+// PrettyName returns a pretty, compact name for a resource.
+func (r Resource) PrettyName() string {
+	if r.Kind != "" && r.Version != "" && r.Name != "" && r.Namespace != "" {
+		// Namespaced resources
+		return fmt.Sprintf("%s.%s.%s.%s", r.Kind, r.Version, r.Namespace, r.Name)
+	} else if r.Kind != "" && r.Version != "" && r.Name != "" {
+		// Non-namespaced resources
+		return fmt.Sprintf("%s.%s.%s", r.Kind, r.Version, r.Name)
+	} else {
+		return r.Name
+	}
+}
+
+func (r Resource) TokResource() kresource.Resource {
+	return kresource.Resource{
+		Path:  r.Path,
+		Bytes: r.Contents,
+	}
+}
diff --git a/pkg/validation/result.go b/pkg/validation/result.go
@@ -0,0 +1,33 @@
+package validation
+
+// Status stores the result of validating a single file or resource.
+type Status string
+
+const (
+	StatusValid   Status = "valid"
+	StatusInvalid Status = "invalid"
+	StatusError   Status = "error"
+	StatusSkipped Status = "skipped"
+	StatusEmpty   Status = "empty"
+	StatusOther   Status = "other"
+)
+
+type CheckType string
+
+const (
+	CheckTypeKubeconform CheckType = "kubeconform"
+	CheckTypeOPA         CheckType = "opa"
+)
+
+// Result stores the results of validating a single resource in a single file.
+type Result struct {
+	Resource     Resource
+	CheckResults []CheckResult
+}
+
+type CheckResult struct {
+	CheckType CheckType
+	CheckName string
+	Status    Status
+	Message   string
+}
diff --git a/pkg/validation/validation.go b/pkg/validation/validation.go
diff --git a/pkg/validation/validation_test.go b/pkg/validation/validation_test.go
