Integrations: enforce software is listed (#4425)

Any "software" entry an integration provides should reference an item in the "software" object. This wasn't enforced previously, so this also contains some fixes to the integrations.yaml file. Signed-off-by: Anders Eknert <anders@eknert.com>
open-policy-agent · Mar 10, 2022 · c8a6e6f · c8a6e6f
1 parent 5f91d00
commit c8a6e6f
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 22 deletions.
diff --git a/build/policy/files.rego b/build/policy/files.rego
@@ -58,6 +58,17 @@ deny[sprintf("Integration '%v' missing required attribute '%v'", [name, attr])]
 	some attr in (required - {key | some key, _ in item})
 }
 
+deny[sprintf("Integration '%v' references unknown software '%v' (i.e. not in 'software' object)", [name, software])] {
+	"docs/website/data/integrations.yaml" in filenames
+
+	file := yaml.unmarshal(integrations_file)
+	software_list := {software | file.software[software]}
+
+	some name, item in file.integrations
+	some software in item.software
+	not software in software_list
+}
+
 deny[sprintf("%s is an invalid YAML file", [filename])] {
 	some filename, content in yaml_file_contents
 	changes[filename].status in {"added", "modified"}

diff --git a/build/policy/files_test.rego b/build/policy/files_test.rego
@@ -65,6 +65,35 @@ test_deny_integration_allowed_with_required_attributes {
 	count(deny) == 0 with data.files.integrations_file as integrations with input as files
 }
 
+test_deny_unlisted_software {
+	files := [{"filename": "docs/website/data/integrations.yaml"}]
+	integrations := yaml.marshal({
+		"integrations": {"my-integration": {
+			"title": "My test integration",
+			"description": "This is a test integration",
+			"software": ["bitcoin-miner"],
+		}},
+		"software": {"kubernetes": {"name": "Kubernetes"}},
+	})
+	expected := "Integration 'my-integration' references unknown software 'bitcoin-miner' (i.e. not in 'software' object)"
+
+	deny[expected] with data.files.integrations_file as integrations with input as files
+}
+
+test_allow_listed_software {
+	files := [{"filename": "docs/website/data/integrations.yaml"}]
+	integrations := yaml.marshal({
+		"integrations": {"my-integration": {
+			"title": "My test integration",
+			"description": "This is a test integration",
+			"software": ["kubernetes"],
+		}},
+		"software": {"kubernetes": {"name": "Kubernetes"}},
+	})
+
+	count(deny) == 0 with data.files.integrations_file as integrations with input as files
+}
+
 test_deny_invalid_yaml_file {
 	expected := "invalid.yaml is an invalid YAML file"
 	deny[expected] with data.files.yaml_file_contents as {"invalid.yaml": "{null{}}"}

diff --git a/docs/website/data/integrations.yaml b/docs/website/data/integrations.yaml
@@ -595,7 +595,7 @@ integrations:
       layer: network
       category: linux
     software:
-      - Linux
+      - linux
     tutorials:
       - https://github.com/open-policy-agent/contrib/blob/master/opa-iptables/docs/tutorial.md
     code:
@@ -773,15 +773,11 @@ integrations:
     code:
       - https://github.com/instrumenta/conftest
     software:
-      - CUE
-      - Kustomize
+      - kustomize
       - terraform
-      - Serverless Framework
-      - AWS SAM Framework
-      - INI
-      - TOML
-      - Dockerfile
-      - HCL2
+      - aws
+      - toml
+      - docker
     videos:
       - title: "Applying Policy Throughout the Application Lifecycle with Open Policy Agent"
         speakers:
@@ -809,9 +805,9 @@ integrations:
     title: Secure Kubernetes using eBPF & Open Policy Agent
     description: Ensure runtime security in any linux machine by combining Extended Berkeley Packet Filter(eBPF) and Open Policy Agent.
     software:
-      - Linux
-      - Kubernetes
-      - eBPF
+      - linux
+      - kubernetes
+      - ebpf
     labels:
       layer: application
       catagory: filtering
@@ -849,7 +845,6 @@ integrations:
       - java
       - groovy
       - kotlin
-      - jvm
     code:
       - https://github.com/Bisnode/opa-gradle-plugin
       - https://plugins.gradle.org/plugin/com.bisnode.opa
@@ -951,8 +946,7 @@ integrations:
       category: Infrastructure as Code
       layer: cicd
     software:
-      - Terraform
-      - Scalr
+      - terraform
     tutorials:
       - https://iacp.docs.scalr.com/en/latest/working-with-iacp/opa.html#creating-the-opa-policy
     code:
@@ -969,8 +963,8 @@ integrations:
       layer: network
       category: application
     software:
-      - SPIFFE
-      - SPIRE
+      - spiffe
+      - spire
     blogs:
       - https://blog.styra.com/blog/zero-trust-with-envoy-spire-and-open-policy-agent-opa
     code:
@@ -988,9 +982,9 @@ integrations:
     inventors:
       - fairwinds
     software:
-      - Kubernetes
-      - Docker
-      - Helm
+      - kubernetes
+      - docker
+      - helm
     tutorials:
       - https://insights.docs.fairwinds.com/features/policy/
       - https://insights.docs.fairwinds.com/reports/opa/
@@ -1048,8 +1042,6 @@ integrations:
       layer: application
     inventors:
       - permitio
-    software:
-      - optoggles
     code:
       - https://github.com/permitio/OPToggles
     tutorials:
@@ -1396,3 +1388,27 @@ software:
   styra-das:
     name: Styra DAS
     link: https://www.styra.com
+  kustomize:
+    name: Kustomize
+    link: https://kustomize.io
+  toml:
+    name: TOML
+    link: https://toml.io
+  groovy:
+    name: Groovy
+    link: https://groovy-lang.org
+  kotlin:
+    name: Kotlin
+    link: https://kotlinlang.org
+  linux:
+    name: Linux
+    link: https://www.kernel.org
+  ebpf:
+    name: eBPF
+    link: https://ebpf.io
+  git:
+    name: Git
+    link: https://git-scm.com
+  pre-commit:
+    name: pre-commit
+    link: https://pre-commit.com