diff options
| author | Dan Duvall <dduvall@wikimedia.org> | 2018-03-06 20:31:58 -0800 |
|---|---|---|
| committer | Dan Duvall <dduvall@wikimedia.org> | 2018-03-19 15:55:16 -0700 |
| commit | eb9b69dd3d710cb7afa1dfb6e23a5987842b21cc (patch) | |
| tree | 049b11cc885e4e9f54aac8981c91a1bf3620e7af /main.go | |
| parent | 6896e655eb5cc88b90e66979bc2d862eb92cbb9f (diff) | |
| download | blubber-eb9b69dd3d710cb7afa1dfb6e23a5987842b21cc.tar.gz | |
Allow for configuration policies
Summary:
Implements a rough interface for validating configuration against
arbitrary policy rules. Policies are provided as YAML and passed via the
command line as file paths or remote URIs.
The format of policies is:
enforcements:
- path: <path>
rule: <rule>
Where `<path>` is a YAML-ish path to a config field and `<rule>` is any
expression our config validator understands (expressions built in by the
validator library and custom tags defined in `config.validation.go`).
Example policy:
enforcements:
- path: variants.production.base
rule: oneof=debian:jessie debian:stretch
- path: variants.production.runs.as
rule: ne=foo
- path: variants.production.node.dependencies
rule: isfalse
Command flag parsing was implemented in `main.go` to support the new
`--policy=uri` flag and improve existing handling of `--version` and the
usage statement.
Test Plan: Run `go test ./...`.
Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team
Reviewed By: thcipriani, #release-engineering-team
Tags: #release-engineering-team
Differential Revision: https://phabricator.wikimedia.org/D999
Diffstat (limited to 'main.go')
| -rw-r--r-- | main.go | 52 |
1 files changed, 45 insertions, 7 deletions
@@ -7,35 +7,73 @@ import ( "log" "os" + "github.com/pborman/getopt/v2" + "phabricator.wikimedia.org/source/blubber/config" "phabricator.wikimedia.org/source/blubber/docker" "phabricator.wikimedia.org/source/blubber/meta" ) +const parameters = "config.yaml variant" + +var ( + showHelp *bool = getopt.BoolLong("help", 'h', "show help/usage") + showVersion *bool = getopt.BoolLong("version", 'v', "show version information") + policyURI *string = getopt.StringLong("policy", 'p', "", "policy file URI", "uri") +) + func main() { - if len(os.Args) > 1 && os.Args[1] == "--version" { + getopt.SetParameters(parameters) + getopt.Parse() + + if *showHelp { + getopt.Usage() + os.Exit(1) + } + + if *showVersion { fmt.Println(meta.FullVersion()) os.Exit(0) } - if len(os.Args) < 3 { - fmt.Println("Usage: blubber config.yaml variant") + args := getopt.Args() + + if len(args) < 2 { + getopt.Usage() os.Exit(1) } - cfg, err := config.ReadConfigFile(os.Args[1]) + cfgPath, variant := args[0], args[1] + + cfg, err := config.ReadConfigFile(cfgPath) if err != nil { if config.IsValidationError(err) { - log.Printf("Your config is invalid:\n%v", config.HumanizeValidationError(err)) + log.Printf("%s is invalid:\n%v", cfgPath, config.HumanizeValidationError(err)) os.Exit(4) } else { - log.Printf("Error reading config: %v\n", err) + log.Printf("Error reading %s: %v\n", cfgPath, err) os.Exit(2) } } - dockerFile, err := docker.Compile(cfg, os.Args[2]) + if *policyURI != "" { + policy, err := config.ReadPolicyFromURI(*policyURI) + + if err != nil { + log.Printf("Error loading policy from %s: %v\n", *policyURI, err) + os.Exit(5) + } + + err = policy.Validate(*cfg) + + if err != nil { + log.Printf("Configuration fails policy check against:\npolicy: %s\nviolation: %v\n", *policyURI, err) + os.Exit(6) + } + } + + dockerFile, err := docker.Compile(cfg, variant) if err != nil { log.Printf("Error compiling config: %v\n", err) |