From c8a6e6f6fb9d3c6f2026b1de3d582752334e93da Mon Sep 17 00:00:00 2001
From: Anders Eknert
Date: Thu, 10 Mar 2022 15:01:35 +0100
Subject: [PATCH] Integrations: enforce software is listed (#4425)

Any "software" entry an integration provides should reference an item in the "software" object. This wasn't enforced previously, so this also contains some fixes to the integrations.yaml file.

Signed-off-by: Anders Eknert
---
 build/policy/files.rego | 11 ++++++
 build/policy/files_test.rego | 29 ++++++++++++++
 docs/website/data/integrations.yaml | 60 ++++++++++++++++++-----------
 3 files changed, 78 insertions(+), 22 deletions(-)

diff --git a/build/policy/files.rego b/build/policy/files.rego
index 13f4c3db43..48b1e60b47 100644
--- a/build/policy/files.rego
+++ b/build/policy/files.rego
@@ -58,6 +58,17 @@ deny[sprintf("Integration '%v' missing required attribute '%v'", [name, attr])]
 some attr in (required - {key | some key, _ in item})
 }
 
+deny[sprintf("Integration '%v' references unknown software '%v' (i.e. not in 'software' object)", [name, software])] {
+ "docs/website/data/integrations.yaml" in filenames
+
+ file := yaml.unmarshal(integrations_file)
+ software_list := {software | file.software[software]}
+
+ some name, item in file.integrations
+ some software in item.software
+ not software in software_list
+}
+
 deny[sprintf("%s is an invalid YAML file", [filename])] {
 some filename, content in yaml_file_contents
 changes[filename].status in {"added", "modified"}
diff --git a/build/policy/files_test.rego b/build/policy/files_test.rego
index 6ad6143ebc..190337e4f0 100644
--- a/build/policy/files_test.rego
+++ b/build/policy/files_test.rego
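Review bot: The `software_list` comprehension on the new rule's fifth line collapses to the empty set whenever the file has no top-level `software` object (or it is not an object), so in that case every integration that lists software is denied with a misleading "references unknown software" message instead of one naming the actual problem; a guard such as `is_object(file.software)` on its own line, or a dedicated rule for a missing `software` object, would make that failure explicit. The membership test is also exact and case-sensitive, which is precisely what the data fixes in this same commit (`Linux` → `linux`) trip over, so a comment above the rule would help contributors: `# Every entry in an integration's "software" list must be an exact (case-sensitive) key of the top-level "software" object.`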
@@ -65,6 +65,35 @@ test_deny_integration_allowed_with_required_attributes {
 count(deny) == 0 with data.files.integrations_file as integrations with input as files
 }
 
+test_deny_unlisted_software {
+ files := [{"filename": "docs/website/data/integrations.yaml"}]
+ integrations := yaml.marshal({
+ "integrations": {"my-integration": {
+ "title": "My test integration",
+ "description": "This is a test integration",
+ "software": ["bitcoin-miner"],
+ }},
+ "software": {"kubernetes": {"name": "Kubernetes"}},
+ })
+ expected := "Integration 'my-integration' references unknown software 'bitcoin-miner' (i.e. not in 'software' object)"
+
+ deny[expected] with data.files.integrations_file as integrations with input as files
+}
+
+test_allow_listed_software {
+ files := [{"filename": "docs/website/data/integrations.yaml"}]
+ integrations := yaml.marshal({
+ "integrations": {"my-integration": {
+ "title": "My test integration",
+ "description": "This is a test integration",
+ "software": ["kubernetes"],
+ }},
+ "software": {"kubernetes": {"name": "Kubernetes"}},
+ })
+
+ count(deny) == 0 with data.files.integrations_file as integrations with input as files
+}
+
 test_deny_invalid_yaml_file {
 expected := "invalid.yaml is an invalid YAML file"
 deny[expected] with data.files.yaml_file_contents as {"invalid.yaml": "{null{}}"}
diff --git a/docs/website/data/integrations.yaml b/docs/website/data/integrations.yaml
index d8f0dbd9e3..1c21730799 100644
--- a/docs/website/data/integrations.yaml
+++ b/docs/website/data/integrations.yaml
@@ -595,7 +595,7 @@ integrations:
 layer: network
 category: linux
 software:
- - Linux
+ - linux
 tutorials:
 - https://github.com/open-policy-agent/contrib/blob/master/opa-iptables/docs/tutorial.md
 code:
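Review bot: The two new tests cover the listed and unlisted cases but not the boundary the new rule is most likely to get wrong: an integration that has no `software` list at all, and a file with no top-level `software` object. If `software` is not part of the `required` attribute set (not visible in this diff), an integration without it should produce no denial from the new rule, and a test pinning that would catch a future change that makes the comprehension or the `some software in item.software` iteration fail in a surprising way. A fixture of the same shape as `test_allow_listed_software` with the `software` key omitted, asserting `count(deny) == 0`, is enough.
```rego
test_allow_integration_without_software {
	files := [{"filename": "docs/website/data/integrations.yaml"}]
	integrations := yaml.marshal({
		"integrations": {"my-integration": {
			"title": "My test integration",
			"description": "This is a test integration",
		}},
		"software": {"kubernetes": {"name": "Kubernetes"}},
	})

	count(deny) == 0 with data.files.integrations_file as integrations with input as files
}
```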
@@ -773,15 +773,11 @@ integrations:
 code:
 - https://github.com/instrumenta/conftest
 software:
- - CUE
- - Kustomize
+ - kustomize
 - terraform
- - Serverless Framework
- - AWS SAM Framework
- - INI
- - TOML
- - Dockerfile
- - HCL2
+ - aws
+ - toml
+ - docker
 videos:
 - title: "Applying Policy Throughout the Application Lifecycle with Open Policy Agent"
 speakers:
@@ -809,9 +805,9 @@ integrations:
 title: Secure Kubernetes using eBPF & Open Policy Agent
 description: Ensure runtime security in any linux machine by combining Extended Berkeley Packet Filter(eBPF) and Open Policy Agent.
 software:
- - Linux
- - Kubernetes
- - eBPF
+ - linux
+ - kubernetes
+ - ebpf
 labels:
 layer: application
 catagory: filtering
@@ -849,7 +845,6 @@ integrations:
 - java
 - groovy
 - kotlin
- - jvm
 code:
 - https://github.com/Bisnode/opa-gradle-plugin
 - https://plugins.gradle.org/plugin/com.bisnode.opa
@@ -951,8 +946,7 @@ integrations:
 category: Infrastructure as Code
 layer: cicd
 software:
- - Terraform
- - Scalr
+ - terraform
 tutorials:
 - https://iacp.docs.scalr.com/en/latest/working-with-iacp/opa.html#creating-the-opa-policy
 code:
@@ -969,8 +963,8 @@ integrations:
 layer: network
 category: application
 software:
- - SPIFFE
- - SPIRE
+ - spiffe
+ - spire
 blogs:
 - https://blog.styra.com/blog/zero-trust-with-envoy-spire-and-open-policy-agent-opa
 code:
@@ -988,9 +982,9 @@ integrations:
 inventors:
 - fairwinds
 software:
- - Kubernetes
- - Docker
- - Helm
+ - kubernetes
+ - docker
+ - helm
 tutorials:
 - https://insights.docs.fairwinds.com/features/policy/
 - https://insights.docs.fairwinds.com/reports/opa/
@@ -1048,8 +1042,6 @@ integrations:
 layer: application
 inventors:
 - permitio
- software:
- - optoggles
 code:
 - https://github.com/permitio/OPToggles
 tutorials:
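Review bot: In the conftest entry (hunk `@@ -773,15`) the normalisation drops CUE, INI, HCL2 and Serverless Framework entirely and folds "AWS SAM Framework" into `aws` and "Dockerfile" into `docker`, which changes what the page claims the integration supports rather than just aligning key names with the `software` object. The new policy only requires each key to exist in that object, so adding entries for the missing tools (as the last hunk already does for `kustomize` and `toml`) would satisfy the check without narrowing the listing. The same applies to `@@ -951,8` (Scalr dropped), `@@ -849,7` (`jvm` dropped) and `@@ -1048,8`, where the permitio integration loses its `software` list altogether instead of gaining an `optoggles` entry. Whether an entry such as `cue` already exists elsewhere in the `software` object cannot be seen from this diff.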
@@ -1396,3 +1388,27 @@ software:
 styra-das:
 name: Styra DAS
 link: https://www.styra.com
+ kustomize:
+ name: Kustomize
+ link: https://kustomize.io
+ toml:
+ name: TOML
+ link: https://toml.io
+ groovy:
+ name: Groovy
+ link: https://groovy-lang.org
+ kotlin:
+ name: Kotlin
+ link: https://kotlinlang.org
+ linux:
+ name: Linux
+ link: https://www.kernel.org
+ ebpf:
+ name: eBPF
+ link: https://ebpf.io
+ git:
+ name: Git
+ link: https://git-scm.com
+ pre-commit:
+ name: pre-commit
+ link: https://pre-commit.com