Skip to content

Commit

Permalink
Merge pull request #1103 from stacklok/policy-easier
Browse files Browse the repository at this point in the history
cleanup: Allow for policy files to not specify projects
  • Loading branch information
JAORMX authored Oct 4, 2023
2 parents f3249bf + bc4caaa commit 46392f0
Show file tree
Hide file tree
Showing 23 changed files with 127 additions and 158 deletions.
12 changes: 11 additions & 1 deletion cmd/cli/app/policy/policy_create.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ within a mediator control plane.`,
},
RunE: func(cmd *cobra.Command, args []string) error {
f := util.GetConfigValue("file", "file", cmd, "").(string)
proj := viper.GetString("project")

var err error

Expand Down Expand Up @@ -75,7 +76,15 @@ within a mediator control plane.`,

p, err := engine.ParseYAML(preader)
if err != nil {
return fmt.Errorf("error reading fragment from file: %w", err)
return fmt.Errorf("error reading policy from file: %w", err)
}

if proj != "" {
if p.Context == nil {
p.Context = &pb.Context{}
}

p.Context.Project = &proj
}

// create a policy
Expand All @@ -96,4 +105,5 @@ within a mediator control plane.`,
func init() {
PolicyCmd.AddCommand(Policy_createCmd)
Policy_createCmd.Flags().StringP("file", "f", "", "Path to the YAML defining the policy (or - for stdin)")
Policy_createCmd.Flags().StringP("project", "p", "", "Project to create the policy in")
}
1 change: 0 additions & 1 deletion examples/github/policies/policy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ version: v1
type: policy
name: acme-github-policy
context:
project: Root Project
provider: github
repository:
- type: secret_scanning
Expand Down
1 change: 0 additions & 1 deletion examples/github/policies/policy_artifact.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ version: v1
type: policy
name: acme-github-policy-artifact
context:
project: Root Project
provider: github
artifact:
- type: artifact_signature
Expand Down
1 change: 0 additions & 1 deletion examples/github/policies/pr_vuln_check.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ version: v1
type: policy
name: acme-github-policy-pr-vuln-check
context:
project: Root Project
provider: github
pull_request:
- type: pr_vulnerability_check
Expand Down
1 change: 0 additions & 1 deletion examples/github/rule-types/actions_check_pinned_tags.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: actions_check_pinned_tags
context:
provider: github
group: Root Group
description: Verifies that any actions use pinned tags
guidance: |
Verifies that any actions use pinned tags
Expand Down
1 change: 0 additions & 1 deletion examples/github/rule-types/allowed_selected_actions.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: allowed_selected_actions
context:
provider: github
group: Root Group
description: |
Verifies the settings for selected actions and reusable workflows that are allowed
in a repository. To use this rule, the repository policy for allowed_actions must
Expand Down
1 change: 0 additions & 1 deletion examples/github/rule-types/artifact_signature.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: artifact_signature
context:
provider: github
group: Root Group
description: Verifies that a given artifact has a valid signature.
guidance: |
Artifact signing allows a user to add a digital fingerprint to an artifact and verify its trust later.
Expand Down
1 change: 0 additions & 1 deletion examples/github/rule-types/branch_protection.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: branch_protection
context:
provider: github
group: Root Group
description: Verifies that a branch has proper protections.
guidance: |
You can protect important branches by setting branch protection rules, which define whether
Expand Down
1 change: 0 additions & 1 deletion examples/github/rule-types/codeql_enabled.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: codeql_enabled
context:
provider: github
group: Root Group
description: Verifies that CodeQL is enabled for the repository
guidance: |
CodeQL is a tool that can be used to analyze code for security vulnerabilities.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: default_workflow_permissions
context:
provider: github
group: Root Group
description: |
Verifies the default workflow permissions granted to the GITHUB_TOKEN
when running workflows in a repository, as well as if GitHub Actions
Expand Down
1 change: 0 additions & 1 deletion examples/github/rule-types/dependabot_configured.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: dependabot_configured
context:
provider: github
group: Root Group
description: Verifies that Dependabot is configured for the repository
guidance: |
Dependabot enables Automated dependency updates for repositories.
Expand Down
1 change: 0 additions & 1 deletion examples/github/rule-types/dockerfile_no_latest_tag.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: dockerfile_no_latest_tag
context:
provider: github
group: Root Group
description: Verifies that the Dockerfile image references don't use the latest tag
guidance: |
Using the latest tag for Docker images is not recommended as it can lead to unexpected behavior.
Expand Down
1 change: 0 additions & 1 deletion examples/github/rule-types/github_actions_allowed.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: github_actions_allowed
context:
provider: github
group: Root Group
description: |
Verifies permissions for github actions for a specific repository.
Expand Down
1 change: 0 additions & 1 deletion examples/github/rule-types/pr_vulnerability_check.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: pr_vulnerability_check
context:
provider: github
group: Root Group
description: Verifies that pull requests do not add any vulnerable dependecies
guidance: |
For every pull request submitted to a repository, this rule will check if the pull request
Expand Down
1 change: 0 additions & 1 deletion examples/github/rule-types/repo_workflow_access_level.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: repo_workflow_access_level
context:
provider: github
group: Root Group
description: |
Verifies the level of access that workflows outside of the repository have
to actions and reusable workflows in the repository. This only applies to private repositories.
Expand Down
1 change: 0 additions & 1 deletion examples/github/rule-types/secret_push_protection.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: secret_push_protection
context:
provider: github
group: Root Group
description: Verfies that secret push protection is enabled for a given repository.
guidance: |
You can use secret scanning to prevent supported secrets from being pushed into your repository by enabling secret scanning push protection.
Expand Down
1 change: 0 additions & 1 deletion examples/github/rule-types/secret_scanning.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: secret_scanning
context:
provider: github
group: Root Group
description: Verifies that secret scanning is enabled for a given repository.
guidance: |
Secret scanning is a feature that scans repositories for secrets and alerts
Expand Down
1 change: 0 additions & 1 deletion examples/github/rule-types/trivy_action_enabled.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ type: rule-type
name: trivy_action_enabled
context:
provider: github
group: Root Group
description: Verifies that the Trivy action is enabled for the repository and scanning
guidance: |
## Please set up trivy!
Expand Down
2 changes: 1 addition & 1 deletion internal/controlplane/handlers_policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,7 @@ func (s *Server) CreatePolicy(ctx context.Context,
return nil, providerError(fmt.Errorf("provider error: %w", err))
}

if err := engine.ValidatePolicy(in); err != nil {
if err := in.Validate(); err != nil {
return nil, status.Errorf(codes.InvalidArgument, "invalid policy: %v", err)
}

Expand Down
87 changes: 1 addition & 86 deletions internal/engine/policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,6 @@ import (
pb "github.com/stacklok/mediator/pkg/api/protobuf/go/mediator/v1"
)

var (
// ErrValidationFailed is returned when a policy fails validation
ErrValidationFailed = fmt.Errorf("validation failed")
)

// RuleValidationError is used to report errors from evaluating a rule, including
// attribution of the particular error encountered.
type RuleValidationError struct {
Expand Down Expand Up @@ -71,7 +66,7 @@ func ParseJSON(r io.Reader) (*pb.Policy, error) {
return nil, fmt.Errorf("error decoding json: %w", err)
}

if err := ValidatePolicy(&out); err != nil {
if err := out.Validate(); err != nil {
return nil, fmt.Errorf("error validating policy: %w", err)
}

Expand Down Expand Up @@ -101,86 +96,6 @@ func ReadPolicyFromFile(fpath string) (*pb.Policy, error) {
return out, nil
}

// ValidatePolicy validates a pipeline policy
func ValidatePolicy(p *pb.Policy) error {
if err := validateContext(p.Context); err != nil {
return err
}

// If the policy is nil or empty, we don't need to validate it
if p.Repository != nil && len(p.Repository) > 0 {
return validateEntity(p.Repository)
}

if p.BuildEnvironment != nil && len(p.BuildEnvironment) > 0 {
return validateEntity(p.BuildEnvironment)
}

if p.Artifact != nil && len(p.Artifact) > 0 {
return validateEntity(p.Artifact)
}

if p.PullRequest != nil && len(p.PullRequest) > 0 {
return validateEntity(p.PullRequest)
}

return nil
}

func validateContext(c *pb.Context) error {
if c == nil {
return fmt.Errorf("%w: context cannot be empty", ErrValidationFailed)
}

if c.Provider == "" {
return fmt.Errorf("%w: context provider cannot be empty", ErrValidationFailed)
}

if c.Organization == nil && c.Project == nil {
return fmt.Errorf("%w: context organization or group must be set", ErrValidationFailed)
}

if c.Organization != nil && *c.Organization == "" {
return fmt.Errorf("%w: context organization cannot be empty", ErrValidationFailed)
}

if c.Project != nil && *c.Project == "" {
return fmt.Errorf("%w: context group cannot be empty", ErrValidationFailed)
}

return nil
}

func validateEntity(e []*pb.Policy_Rule) error {
if len(e) == 0 {
return fmt.Errorf("%w: entity rules cannot be empty", ErrValidationFailed)
}

for _, r := range e {
if r == nil {
return fmt.Errorf("%w: entity contextual rules cannot be nil", ErrValidationFailed)
}

if err := validateRule(r); err != nil {
return err
}
}

return nil
}

func validateRule(r *pb.Policy_Rule) error {
if r.Type == "" {
return fmt.Errorf("%w: rule type cannot be empty", ErrValidationFailed)
}

if r.Def == nil {
return fmt.Errorf("%w: rule def cannot be nil", ErrValidationFailed)
}

return nil
}

// GetRulesForEntity returns the rules for the given entity
func GetRulesForEntity(p *pb.Policy, entity pb.Entity) ([]*pb.Policy_Rule, error) {
switch entity {
Expand Down
Loading

0 comments on commit 46392f0

Please sign in to comment.