Allow for configuration policies

Summary:
Implements a rough interface for validating configuration against
arbitrary policy rules. Policies are provided as YAML and passed via the
command line as file paths or remote URIs.

The format of policies is:

    enforcements:
      - path: <path>
        rule: <rule>

Where `<path>` is a YAML-ish path to a config field and `<rule>` is any
expression our config validator understands (expressions built in by the
validator library and custom tags defined in `config.validation.go`).

Example policy:

    enforcements:
      - path: variants.production.base
        rule: oneof=debian:jessie debian:stretch
      - path: variants.production.runs.as
        rule: ne=foo
      - path: variants.production.node.dependencies
        rule: isfalse

Command flag parsing was implemented in `main.go` to support the new
`--policy=uri` flag and improve existing handling of `--version` and the
usage statement.

Test Plan: Run `go test ./...`.

Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team

Reviewed By: thcipriani, #release-engineering-team

Tags: #release-engineering-team

Differential Revision: https://phabricator.wikimedia.org/D999

4 files changed, 291 insertions, 10 deletions

diff --git a/config/common.go b/config/common.go
index a597a82..4cc300d 100644
--- a/config/common.go
+++ b/config/common.go
@@ -9,12 +9,12 @@ import (
 //
 type CommonConfig struct {
 	Base         string       `yaml:"base" validate:"omitempty,baseimage"` // name/path to base image
-	Apt          AptConfig    `yaml:"apt"`                                 // APT related configuration
-	Node         NodeConfig   `yaml:"node"`                                // Node related configuration
-	Python       PythonConfig `yaml:"python"`                              // Python related configuration
-	Lives        LivesConfig  `yaml:"lives"`                               // application owner/dir configuration
-	Runs         RunsConfig   `yaml:"runs"`                                // runtime environment configuration
-	SharedVolume Flag         `yaml:"sharedvolume"`                        // define a volume for application
+	Apt          AptConfig    `yaml:"apt"`                                 // APT related
+	Node         NodeConfig   `yaml:"node"`                                // Node related
+	Python       PythonConfig `yaml:"python"`                              // Python related
+	Lives        LivesConfig  `yaml:"lives"`                               // application owner/dir
+	Runs         RunsConfig   `yaml:"runs"`                                // runtime environment
+	SharedVolume Flag         `yaml:"sharedvolume"`                        // use volume for app
 	EntryPoint   []string     `yaml:"entrypoint"`                          // entry-point executable
 }
 
diff --git a/config/policy.go b/config/policy.go
new file mode 100644
index 0000000..25fe02a
--- /dev/null
+++ b/config/policy.go
@@ -0,0 +1,141 @@
+package config
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"reflect"
+	"strings"
+
+	"github.com/utahta/go-openuri"
+	"gopkg.in/yaml.v2"
+)
+
+// Policy validates a number of rules against a given configuration.
+//
+type Policy struct {
+	Enforcements []Enforcement `yaml:"enforcements"`
+}
+
+// Validate checks the given config against all policy enforcements.
+//
+func (pol Policy) Validate(config Config) error {
+	validate := NewValidator()
+
+	for _, enforcement := range pol.Enforcements {
+		cfg, err := ResolveYAMLPath(enforcement.Path, config)
+
+		if err != nil {
+			// If the path resolved nothing, there's nothing to enforce
+			continue
+		}
+
+		// Flags are a special case in which the True field should be compared
+		// against the validator, not the struct itself.
+		if flag, ok := cfg.(Flag); ok {
+			cfg = flag.True
+		}
+
+		err = validate.Var(cfg, enforcement.Rule)
+
+		if err != nil {
+			return fmt.Errorf(
+				`value for "%s" violates policy rule "%s"`,
+				enforcement.Path, enforcement.Rule,
+			)
+		}
+	}
+
+	return nil
+}
+
+// Enforcement represents a policy rule and config path on which to apply it.
+//
+type Enforcement struct {
+	Path string `yaml:"path"`
+	Rule string `yaml:"rule"`
+}
+
+// ReadPolicy unmarshals the given YAML bytes into a new Policy struct.
+//
+func ReadPolicy(data []byte) (*Policy, error) {
+	var policy Policy
+
+	err := yaml.Unmarshal(data, &policy)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &policy, err
+}
+
+// ReadPolicyFromURI fetches the policy file from the given URL or file path
+// and loads its contents with ReadPolicy.
+//
+func ReadPolicyFromURI(uri string) (*Policy, error) {
+	io, err := openuri.Open(uri)
+
+	if err != nil {
+		return nil, err
+	}
+
+	defer io.Close()
+
+	data, err := ioutil.ReadAll(io)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return ReadPolicy(data)
+}
+
+// ResolveYAMLPath returns the config value found at the given YAML-ish
+// namespace/path (e.g. "variants.production.runs.as").
+//
+func ResolveYAMLPath(path string, cfg interface{}) (interface{}, error) {
+	parts := strings.SplitN(path, ".", 2)
+	name := parts[0]
+
+	v := reflect.ValueOf(cfg)
+	t := v.Type()
+
+	var subcfg interface{}
+
+	switch t.Kind() {
+	case reflect.Struct:
+		for i := 0; i < t.NumField(); i++ {
+			if t.Field(i).Anonymous {
+				if subsubcfg, err := ResolveYAMLPath(path, v.Field(i).Interface()); err == nil {
+					return subsubcfg, nil
+				}
+			}
+
+			if name == resolveYAMLTagName(t.Field(i)) {
+				subcfg = v.Field(i).Interface()
+				break
+			}
+		}
+
+	case reflect.Map:
+		if t.Key().Kind() == reflect.String {
+			for _, key := range v.MapKeys() {
+				if key.Interface().(string) == name {
+					subcfg = v.MapIndex(key).Interface()
+					break
+				}
+			}
+		}
+	}
+
+	if subcfg == nil {
+		return nil, errors.New("invalid path")
+	}
+
+	if len(parts) > 1 {
+		return ResolveYAMLPath(parts[1], subcfg)
+	}
+
+	return subcfg, nil
+}
diff --git a/config/policy_test.go b/config/policy_test.go
new file mode 100644
index 0000000..2d7a3a7
--- /dev/null
+++ b/config/policy_test.go
@@ -0,0 +1,117 @@
+package config_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"phabricator.wikimedia.org/source/blubber/config"
+)
+
+func TestPolicyRead(t *testing.T) {
+	policy, err := config.ReadPolicy([]byte(`---
+    enforcements:
+      - path: variants.production.runs.as
+        rule: ne=root
+      - path: base
+        rule: oneof=debian:jessie debian:stretch`))
+
+	if assert.NoError(t, err) {
+		if assert.Len(t, policy.Enforcements, 2) {
+			assert.Equal(t, "variants.production.runs.as", policy.Enforcements[0].Path)
+			assert.Equal(t, "ne=root", policy.Enforcements[0].Rule)
+
+			assert.Equal(t, "base", policy.Enforcements[1].Path)
+			assert.Equal(t, "oneof=debian:jessie debian:stretch", policy.Enforcements[1].Rule)
+		}
+	}
+}
+
+func TestPolicyValidate(t *testing.T) {
+	cfg := config.Config{
+		CommonConfig: config.CommonConfig{
+			Base: "foo:tag",
+		},
+		Variants: map[string]config.VariantConfig{
+			"foo": config.VariantConfig{
+				CommonConfig: config.CommonConfig{
+					Runs: config.RunsConfig{
+						UserConfig: config.UserConfig{
+							As: "root",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	policy := config.Policy{
+		Enforcements: []config.Enforcement{
+			{Path: "variants.foo.runs.as", Rule: "ne=root"},
+		},
+	}
+
+	assert.EqualError(t,
+		policy.Validate(cfg),
+		`value for "variants.foo.runs.as" violates policy rule "ne=root"`,
+	)
+
+	policy = config.Policy{
+		Enforcements: []config.Enforcement{
+			{Path: "base", Rule: "oneof=debian:jessie debian:stretch"},
+		},
+	}
+
+	assert.EqualError(t,
+		policy.Validate(cfg),
+		`value for "base" violates policy rule "oneof=debian:jessie debian:stretch"`,
+	)
+}
+
+func TestEnforcementOnFlag(t *testing.T) {
+	cfg := config.Config{
+		Variants: map[string]config.VariantConfig{
+			"production": config.VariantConfig{
+				CommonConfig: config.CommonConfig{
+					Node: config.NodeConfig{
+						Dependencies: config.Flag{True: true},
+					},
+				},
+			},
+		},
+	}
+
+	policy := config.Policy{
+		Enforcements: []config.Enforcement{
+			{Path: "variants.production.node.dependencies", Rule: "isfalse"},
+		},
+	}
+
+	assert.Error(t,
+		policy.Validate(cfg),
+		`value for "variants.production.node.dependencies" violates policy rule "isfalse"`,
+	)
+
+}
+
+func TestResolveYAMLPath(t *testing.T) {
+	cfg := config.Config{
+		Variants: map[string]config.VariantConfig{
+			"foo": config.VariantConfig{
+				CommonConfig: config.CommonConfig{
+					Runs: config.RunsConfig{
+						UserConfig: config.UserConfig{
+							As: "root",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	val, err := config.ResolveYAMLPath("variants.foo.runs.as", cfg)
+
+	if assert.NoError(t, err) {
+		assert.Equal(t, "root", val)
+	}
+}
diff --git a/config/validation.go b/config/validation.go
index 652a3c8..3359211 100644
--- a/config/validation.go
+++ b/config/validation.go
@@ -52,6 +52,8 @@ var (
 		"baseimage":     isBaseImage,
 		"debianpackage": isDebianPackage,
 		"envvars":       isEnvironmentVariables,
+		"isfalse":       isFalse,
+		"istrue":        isTrue,
 		"variantref":    isVariantReference,
 		"variants":      hasVariantNames,
 	}
@@ -61,11 +63,10 @@ type ctxKey uint8
 
 const rootCfgCtx ctxKey = iota
 
-// Validate runs all validations defined for config fields against the given
-// Config value. If the returned error is not nil, it will contain a
-// user-friendly message describing all invalid field values.
+// NewValidator returns a validator instance for which our custom aliases and
+// functions are registered.
 //
-func Validate(config Config) error {
+func NewValidator() *validator.Validate {
 	validate := validator.New()
 
 	validate.RegisterTagNameFunc(resolveYAMLTagName)
@@ -78,6 +79,16 @@ func Validate(config Config) error {
 		validate.RegisterValidationCtx(name, f)
 	}
 
+	return validate
+}
+
+// Validate runs all validations defined for config fields against the given
+// Config value. If the returned error is not nil, it will contain a
+// user-friendly message describing all invalid field values.
+//
+func Validate(config Config) error {
+	validate := NewValidator()
+
 	ctx := context.WithValue(context.Background(), rootCfgCtx, config)
 
 	return validate.StructCtx(ctx, config)
@@ -169,6 +180,18 @@ func isEnvironmentVariables(_ context.Context, fl validator.FieldLevel) bool {
 	return true
 }
 
+func isFalse(_ context.Context, fl validator.FieldLevel) bool {
+	val, ok := fl.Field().Interface().(bool)
+
+	return ok && val == false
+}
+
+func isTrue(_ context.Context, fl validator.FieldLevel) bool {
+	val, ok := fl.Field().Interface().(bool)
+
+	return ok && val == true
+}
+
 func isVariantReference(ctx context.Context, fl validator.FieldLevel) bool {
 	cfg := ctx.Value(rootCfgCtx).(Config)
 	ref := fl.Field().String()