Update result from CF to return the severity of the constraint violat…

…ion. Update test to check for severity.
GoogleCloudPlatform · Aug 17, 2020 · 719d333 · 719d333
1 parent 7388761
commit 719d333
Show file tree

Hide file tree

Showing 7 changed files with 108 additions and 53 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,6 +3,9 @@ bin/
 # build artifacts
 /build-grpc/
 
+# debug
+/cmd/policy-tool/policy-tool
+
 # intellij stuff
 /.idea/
 /config-validator.iml
diff --git a/Makefile b/Makefile
@@ -3,17 +3,20 @@ PLATFORMS := linux windows darwin
 BUILD_DIR=./bin
 NAME=config-validator
 
+# Build docker image used for generating proto files
 .PHONY: proto-builder
 proto-builder:
 	docker build -t $(PROTO_DOCKER_IMAGE) -f ./build/proto/Dockerfile .
 
+# Generate validator.proto
 .PHONY: proto
 proto: proto-builder
 	docker run \
 		-v `pwd`:/go/src/github.com/forseti-security/config-validator \
 		$(PROTO_DOCKER_IMAGE) \
 		protoc -I/proto -I./api --go_out=plugins=grpc:./pkg/api/validator ./api/validator.proto
 
+# Generate validator.proto for Python
 .PHONY: pyproto
 pyproto:
 	mkdir -p build-grpc
@@ -27,9 +30,28 @@ pyproto:
 test:
 	GO111MODULE=on go test ./...
 
+# Format source code, generate protos, and build policy-tool and server
 .PHONY: build
 build: format proto tools
 
+# Build the Config Validator Docker iamge
+.PHONY: docker_build
+docker_build: build
+	docker build -t gcr.io/config-validator/config-validator:latest .
+
+# Build and run the Config Validator Docker image listening on port 50052
+# Set env var POLICY_LIBRARY_DIR to the local path of the policy library
+.PHONY: docker_run
+docker_run: guard-POLICY_LIBRARY_DIR docker_build
+	docker run --rm -p 50052:50052 --name config-validator \
+		-v $(POLICY_LIBRARY_DIR):/policy-library \
+		gcr.io/config-validator/config-validator:latest \
+		--policyPath='/policy-library/policies' \
+		--policyLibraryPath='/policy-library/lib' \
+		-port=50052 \
+		-v 7 \
+		-alsologtostderr
+
 .PHONY: release
 release: $(PLATFORMS)
 
@@ -41,10 +63,12 @@ $(PLATFORMS):
 clean:
 	rm bin/${NAME}*
 
+# Automatically format Go source code
 .PHONY: format
 format:
 	go fmt ./...
 
+# Build policy-tool and server
 .PHONY: tools
 tools:
 	go build ./cmd/...
@@ -61,3 +85,10 @@ IMAGE := gcr.io/config-validator/policy-tool:commit-$(TAG)$(DIRTY)
 policy-tool-docker:
 	docker build -t $(IMAGE) -f ./build/policy-tool/Dockerfile .
 	docker push $(IMAGE)
+
+# Helper target to require an env var to be set
+guard-%:
+	@ if [ "${${*}}" = "" ]; then \
+		echo "Environment variable $* not set"; \
+		exit 1; \
+  fi
diff --git a/api/validator.proto b/api/validator.proto
@@ -80,6 +80,8 @@ message Violation {
   google.protobuf.Value metadata = 4;
   // The full constraint configuration.
   Constraint constraint_config = 5;
+  // The constraint severity
+  string severity = 6;
 }
 
 message AddDataRequest {

diff --git a/pkg/api/validator/validator.pb.go b/pkg/api/validator/validator.pb.go
diff --git a/pkg/gcv/result.go b/pkg/gcv/result.go
@@ -1,4 +1,4 @@
-// Copyright 2019 Google LLC
+// Copyright 2020 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -77,10 +77,15 @@ func NewResult(
 				return nil, errors.Errorf("constraint template metadata contains reserved key %s", ConstraintKey)
 			}
 		}
+		severity, found, err := unstructured.NestedString(cfResult.Constraint.Object, "spec", "severity")
+		if err != nil || !found {
+			severity = ""
+		}
 		result.ConstraintViolations[idx] = ConstraintViolation{
 			Message:    cfResult.Msg,
 			Metadata:   cfResult.Metadata,
 			Constraint: cfResult.Constraint,
+			Severity:   severity,
 		}
 	}
 	return result, nil
@@ -94,6 +99,8 @@ type ConstraintViolation struct {
 	Metadata map[string]interface{}
 	// Constraint is the K8S resource of the constraint that triggered the violation
 	Constraint *unstructured.Unstructured
+	// Constraint Severity
+	Severity string
 }
 
 // ToInsights returns the result represented as a slice of insights.
@@ -204,5 +211,6 @@ func (cv *ConstraintViolation) toViolation(name string, ancestryPath string) (*v
 		Resource:   name,
 		Message:    cv.Message,
 		Metadata:   metadata,
+		Severity:   cv.Severity,
 	}, nil
 }
diff --git a/pkg/gcv/result_test.go b/pkg/gcv/result_test.go
@@ -177,6 +177,7 @@ var conversionTestCases = []ConversionTestCase{
 						"parameters": map[string]interface{}{},
 					},
 				}),
+				Severity: "high",
 			},
 			{
 				Constraint: "GCPStorageLoggingConstraint.require_storage_logging_XX",
@@ -198,6 +199,7 @@ var conversionTestCases = []ConversionTestCase{
 						"parameters": map[string]interface{}{},
 					},
 				}),
+				Severity: "medium",
 			},
 		},
 	},

diff --git a/test/cf/constraints/gcp_storage_logging_constraint.yaml b/test/cf/constraints/gcp_storage_logging_constraint.yaml
@@ -20,7 +20,7 @@ metadata:
     # Example of tying a constraint to a CIS benchmark
     benchmark: CIS11_5.03
 spec:
-  severity: high
+  severity: medium
   match:
     target: ["organization/*"]
   parameters: {}