brennen
/
blubber
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
120 Commits
2 Branches
713 KiB
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
blubber/config/policy.go

152 lines
3.0 KiB
Raw Permalink Normal View History

Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
5 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
5 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
5 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
No need to export NewValidator Summary: It occurred to me while looking at code in another patch that there is no need to have this function be public. Test Plan: `go test ./...` Reviewers: dduvall, #release-engineering-team Reviewed By: dduvall, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D1012
6 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
5 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
5 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
5 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
5 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
5 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
5 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
5 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
5 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
5 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
Use JSON as canonical config format Uses the github.com/ghodss/yaml library to convert YAML to JSON before unmarshaling for the purposes of supporting YAML and JSON input while converting to only support JSON internally. Bug: T207694 Change-Id: I00668014907e9ea54917f5d5067cac08d0668053
5 years ago
Allow for configuration policies Summary: Implements a rough interface for validating configuration against arbitrary policy rules. Policies are provided as YAML and passed via the command line as file paths or remote URIs. The format of policies is: enforcements: - path: <path> rule: <rule> Where `<path>` is a YAML-ish path to a config field and `<rule>` is any expression our config validator understands (expressions built in by the validator library and custom tags defined in `config.validation.go`). Example policy: enforcements: - path: variants.production.base rule: oneof=debian:jessie debian:stretch - path: variants.production.runs.as rule: ne=foo - path: variants.production.node.dependencies rule: isfalse Command flag parsing was implemented in `main.go` to support the new `--policy=uri` flag and improve existing handling of `--version` and the usage statement. Test Plan: Run `go test ./...`. Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team Reviewed By: thcipriani, #release-engineering-team Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D999
6 years ago
 
  1. package config
  2. 

  3. import (
  4. 	"errors"
  5. 	"encoding/json"
  6. 	"fmt"
  7. 	"io/ioutil"
  8. 	"reflect"
  9. 	"strings"
  10. 

  11. 	"github.com/utahta/go-openuri"
  12. 	"github.com/ghodss/yaml"
  13. )
  14. 

  15. // Policy validates a number of rules against a given configuration.

  16. //

  17. type Policy struct {
  18. 	Enforcements []Enforcement `json:"enforcements"`
  19. }
  20. 

  21. // Validate checks the given config against all policy enforcements.

  22. //

  23. func (pol Policy) Validate(config Config) error {
  24. 	validate := newValidator()
  25. 

  26. 	for _, enforcement := range pol.Enforcements {
  27. 		cfg, err := ResolveJSONPath(enforcement.Path, config)
  28. 

  29. 		if err != nil {
  30. 			// If the path resolved nothing, there's nothing to enforce

  31. 			continue
  32. 		}
  33. 

  34. 		// Flags are a special case in which the True field should be compared

  35. 		// against the validator, not the struct itself.

  36. 		if flag, ok := cfg.(Flag); ok {
  37. 			cfg = flag.True
  38. 		}
  39. 

  40. 		err = validate.Var(cfg, enforcement.Rule)
  41. 

  42. 		if err != nil {
  43. 			return fmt.Errorf(
  44. 				`value for "%s" violates policy rule "%s"`,
  45. 				enforcement.Path, enforcement.Rule,
  46. 			)
  47. 		}
  48. 	}
  49. 

  50. 	return nil
  51. }
  52. 

  53. // Enforcement represents a policy rule and config path on which to apply it.

  54. //

  55. type Enforcement struct {
  56. 	Path string `json:"path"`
  57. 	Rule string `json:"rule"`
  58. }
  59. 

  60. // ReadYAMLPolicy converts YAML input to JSON and returns a new Policy struct.

  61. //

  62. func ReadYAMLPolicy(data []byte) (*Policy, error) {
  63. 	jsonData, err := yaml.YAMLToJSON(data)
  64. 	if err != nil {
  65. 		return nil, err
  66. 	}
  67. 

  68. 	return ReadPolicy(jsonData)
  69. }
  70. 

  71. // ReadPolicy unmarshals the given YAML/json bytes into a new Policy struct.

  72. //

  73. func ReadPolicy(data []byte) (*Policy, error) {
  74. 	var policy Policy
  75. 	err := json.Unmarshal(data, &policy)
  76. 

  77. 	if err != nil {
  78. 		return nil, err
  79. 	}
  80. 

  81. 	return &policy, err
  82. }
  83. 

  84. // ReadPolicyFromURI fetches the policy file from the given URL or file path

  85. // and loads its contents with ReadPolicy.

  86. //

  87. func ReadPolicyFromURI(uri string) (*Policy, error) {
  88. 	io, err := openuri.Open(uri)
  89. 

  90. 	if err != nil {
  91. 		return nil, err
  92. 	}
  93. 

  94. 	defer io.Close()
  95. 

  96. 	data, err := ioutil.ReadAll(io)
  97. 

  98. 	if err != nil {
  99. 		return nil, err
  100. 	}
  101. 

  102. 	return ReadYAMLPolicy(data)
  103. }
  104. 

  105. // ResolveJSONPath returns the config value found at the given JSON-ish

  106. // namespace/path (e.g. "variants.production.runs.as").

  107. //

  108. func ResolveJSONPath(path string, cfg interface{}) (interface{}, error) {
  109. 	parts := strings.SplitN(path, ".", 2)
  110. 	name := parts[0]
  111. 

  112. 	v := reflect.ValueOf(cfg)
  113. 	t := v.Type()
  114. 

  115. 	var subcfg interface{}
  116. 

  117. 	switch t.Kind() {
  118. 	case reflect.Struct:
  119. 		for i := 0; i < t.NumField(); i++ {
  120. 			if t.Field(i).Anonymous {
  121. 				if subsubcfg, err := ResolveJSONPath(path, v.Field(i).Interface()); err == nil {
  122. 					return subsubcfg, nil
  123. 				}
  124. 			}
  125. 

  126. 			if name == resolveJSONTagName(t.Field(i)) {
  127. 				subcfg = v.Field(i).Interface()
  128. 				break
  129. 			}
  130. 		}
  131. 

  132. 	case reflect.Map:
  133. 		if t.Key().Kind() == reflect.String {
  134. 			for _, key := range v.MapKeys() {
  135. 				if key.Interface().(string) == name {
  136. 					subcfg = v.MapIndex(key).Interface()
  137. 					break
  138. 				}
  139. 			}
  140. 		}
  141. 	}
  142. 

  143. 	if subcfg == nil {
  144. 		return nil, errors.New("invalid path")
  145. 	}
  146. 

  147. 	if len(parts) > 1 {
  148. 		return ResolveJSONPath(parts[1], subcfg)
  149. 	}
  150. 

  151. 	return subcfg, nil
  152. }