Allow for configuration policies

Summary:
Implements a rough interface for validating configuration against
arbitrary policy rules. Policies are provided as YAML and passed via the
command line as file paths or remote URIs.

The format of policies is:

    enforcements:
      - path: <path>
        rule: <rule>

Where `<path>` is a YAML-ish path to a config field and `<rule>` is any
expression our config validator understands (expressions built in by the
validator library and custom tags defined in `config.validation.go`).

Example policy:

    enforcements:
      - path: variants.production.base
        rule: oneof=debian:jessie debian:stretch
      - path: variants.production.runs.as
        rule: ne=foo
      - path: variants.production.node.dependencies
        rule: isfalse

Command flag parsing was implemented in `main.go` to support the new
`--policy=uri` flag and improve existing handling of `--version` and the
usage statement.

Test Plan: Run `go test ./...`.

Reviewers: thcipriani, demon, hashar, mmodell, #release-engineering-team

Reviewed By: thcipriani, #release-engineering-team

Tags: #release-engineering-team

Differential Revision: https://phabricator.wikimedia.org/D999

1 files changed, 131 insertions, 83 deletions

diff --git a/vendor/gopkg.in/go-playground/validator.v9/baked_in.go b/vendor/gopkg.in/go-playground/validator.v9/baked_in.go
index 6654094..231b78e 100644
--- a/vendor/gopkg.in/go-playground/validator.v9/baked_in.go
+++ b/vendor/gopkg.in/go-playground/validator.v9/baked_in.go
@@ -6,7 +6,9 @@ import (
 	"net"
 	"net/url"
 	"reflect"
+	"strconv"
 	"strings"
+	"sync"
 	"time"
 	"unicode/utf8"
 )
@@ -55,88 +57,130 @@ var (
 	// you can add, remove or even replace items to suite your needs,
 	// or even disregard and use your own map if so desired.
 	bakedInValidators = map[string]Func{
-		"required":        hasValue,
-		"isdefault":       isDefault,
-		"len":             hasLengthOf,
-		"min":             hasMinOf,
-		"max":             hasMaxOf,
-		"eq":              isEq,
-		"ne":              isNe,
-		"lt":              isLt,
-		"lte":             isLte,
-		"gt":              isGt,
-		"gte":             isGte,
-		"eqfield":         isEqField,
-		"eqcsfield":       isEqCrossStructField,
-		"necsfield":       isNeCrossStructField,
-		"gtcsfield":       isGtCrossStructField,
-		"gtecsfield":      isGteCrossStructField,
-		"ltcsfield":       isLtCrossStructField,
-		"ltecsfield":      isLteCrossStructField,
-		"nefield":         isNeField,
-		"gtefield":        isGteField,
-		"gtfield":         isGtField,
-		"ltefield":        isLteField,
-		"ltfield":         isLtField,
-		"alpha":           isAlpha,
-		"alphanum":        isAlphanum,
-		"alphaunicode":    isAlphaUnicode,
-		"alphanumunicode": isAlphanumUnicode,
-		"numeric":         isNumeric,
-		"number":          isNumber,
-		"hexadecimal":     isHexadecimal,
-		"hexcolor":        isHEXColor,
-		"rgb":             isRGB,
-		"rgba":            isRGBA,
-		"hsl":             isHSL,
-		"hsla":            isHSLA,
-		"email":           isEmail,
-		"url":             isURL,
-		"uri":             isURI,
-		"base64":          isBase64,
-		"contains":        contains,
-		"containsany":     containsAny,
-		"containsrune":    containsRune,
-		"excludes":        excludes,
-		"excludesall":     excludesAll,
-		"excludesrune":    excludesRune,
-		"isbn":            isISBN,
-		"isbn10":          isISBN10,
-		"isbn13":          isISBN13,
-		"uuid":            isUUID,
-		"uuid3":           isUUID3,
-		"uuid4":           isUUID4,
-		"uuid5":           isUUID5,
-		"ascii":           isASCII,
-		"printascii":      isPrintableASCII,
-		"multibyte":       hasMultiByteCharacter,
-		"datauri":         isDataURI,
-		"latitude":        isLatitude,
-		"longitude":       isLongitude,
-		"ssn":             isSSN,
-		"ipv4":            isIPv4,
-		"ipv6":            isIPv6,
-		"ip":              isIP,
-		"cidrv4":          isCIDRv4,
-		"cidrv6":          isCIDRv6,
-		"cidr":            isCIDR,
-		"tcp4_addr":       isTCP4AddrResolvable,
-		"tcp6_addr":       isTCP6AddrResolvable,
-		"tcp_addr":        isTCPAddrResolvable,
-		"udp4_addr":       isUDP4AddrResolvable,
-		"udp6_addr":       isUDP6AddrResolvable,
-		"udp_addr":        isUDPAddrResolvable,
-		"ip4_addr":        isIP4AddrResolvable,
-		"ip6_addr":        isIP6AddrResolvable,
-		"ip_addr":         isIPAddrResolvable,
-		"unix_addr":       isUnixAddrResolvable,
-		"mac":             isMAC,
-		"hostname":        isHostname,
-		"fqdn":            isFQDN,
-		"unique":          isUnique,
+		"required":         hasValue,
+		"isdefault":        isDefault,
+		"len":              hasLengthOf,
+		"min":              hasMinOf,
+		"max":              hasMaxOf,
+		"eq":               isEq,
+		"ne":               isNe,
+		"lt":               isLt,
+		"lte":              isLte,
+		"gt":               isGt,
+		"gte":              isGte,
+		"eqfield":          isEqField,
+		"eqcsfield":        isEqCrossStructField,
+		"necsfield":        isNeCrossStructField,
+		"gtcsfield":        isGtCrossStructField,
+		"gtecsfield":       isGteCrossStructField,
+		"ltcsfield":        isLtCrossStructField,
+		"ltecsfield":       isLteCrossStructField,
+		"nefield":          isNeField,
+		"gtefield":         isGteField,
+		"gtfield":          isGtField,
+		"ltefield":         isLteField,
+		"ltfield":          isLtField,
+		"alpha":            isAlpha,
+		"alphanum":         isAlphanum,
+		"alphaunicode":     isAlphaUnicode,
+		"alphanumunicode":  isAlphanumUnicode,
+		"numeric":          isNumeric,
+		"number":           isNumber,
+		"hexadecimal":      isHexadecimal,
+		"hexcolor":         isHEXColor,
+		"rgb":              isRGB,
+		"rgba":             isRGBA,
+		"hsl":              isHSL,
+		"hsla":             isHSLA,
+		"email":            isEmail,
+		"url":              isURL,
+		"uri":              isURI,
+		"base64":           isBase64,
+		"contains":         contains,
+		"containsany":      containsAny,
+		"containsrune":     containsRune,
+		"excludes":         excludes,
+		"excludesall":      excludesAll,
+		"excludesrune":     excludesRune,
+		"isbn":             isISBN,
+		"isbn10":           isISBN10,
+		"isbn13":           isISBN13,
+		"uuid":             isUUID,
+		"uuid3":            isUUID3,
+		"uuid4":            isUUID4,
+		"uuid5":            isUUID5,
+		"ascii":            isASCII,
+		"printascii":       isPrintableASCII,
+		"multibyte":        hasMultiByteCharacter,
+		"datauri":          isDataURI,
+		"latitude":         isLatitude,
+		"longitude":        isLongitude,
+		"ssn":              isSSN,
+		"ipv4":             isIPv4,
+		"ipv6":             isIPv6,
+		"ip":               isIP,
+		"cidrv4":           isCIDRv4,
+		"cidrv6":           isCIDRv6,
+		"cidr":             isCIDR,
+		"tcp4_addr":        isTCP4AddrResolvable,
+		"tcp6_addr":        isTCP6AddrResolvable,
+		"tcp_addr":         isTCPAddrResolvable,
+		"udp4_addr":        isUDP4AddrResolvable,
+		"udp6_addr":        isUDP6AddrResolvable,
+		"udp_addr":         isUDPAddrResolvable,
+		"ip4_addr":         isIP4AddrResolvable,
+		"ip6_addr":         isIP6AddrResolvable,
+		"ip_addr":          isIPAddrResolvable,
+		"unix_addr":        isUnixAddrResolvable,
+		"mac":              isMAC,
+		"hostname":         isHostnameRFC952,  // RFC 952
+		"hostname_rfc1123": isHostnameRFC1123, // RFC 1123
+		"fqdn":             isFQDN,
+		"unique":           isUnique,
+		"oneof":            isOneOf,
 	}
 )
 
+var oneofValsCache = map[string][]string{}
+var oneofValsCacheRWLock = sync.RWMutex{}
+
+func parseOneOfParam2(s string) []string {
+	oneofValsCacheRWLock.RLock()
+	vals, ok := oneofValsCache[s]
+	oneofValsCacheRWLock.RUnlock()
+	if !ok {
+		oneofValsCacheRWLock.Lock()
+		vals = strings.Fields(s)
+		oneofValsCache[s] = vals
+		oneofValsCacheRWLock.Unlock()
+	}
+	return vals
+}
+
+func isOneOf(fl FieldLevel) bool {
+	vals := parseOneOfParam2(fl.Param())
+
+	field := fl.Field()
+
+	var v string
+	switch field.Kind() {
+	case reflect.String:
+		v = field.String()
+	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+		v = strconv.FormatInt(field.Int(), 10)
+	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+		v = strconv.FormatUint(field.Uint(), 10)
+	default:
+		panic(fmt.Sprintf("Bad field type %T", field.Interface()))
+	}
+	for i := 0; i < len(vals); i++ {
+		if vals[i] == v {
+			return true
+		}
+	}
+	return false
+}
+
 // isUnique is the validation function for validating if each array|slice element is unique
 func isUnique(fl FieldLevel) bool {
 
@@ -1511,8 +1555,12 @@ func isIP6Addr(fl FieldLevel) bool {
 	return ip != nil && ip.To4() == nil
 }
 
-func isHostname(fl FieldLevel) bool {
-	return hostnameRegex.MatchString(fl.Field().String())
+func isHostnameRFC952(fl FieldLevel) bool {
+	return hostnameRegexRFC952.MatchString(fl.Field().String())
+}
+
+func isHostnameRFC1123(fl FieldLevel) bool {
+	return hostnameRegexRFC1123.MatchString(fl.Field().String())
 }
 
 func isFQDN(fl FieldLevel) bool {
@@ -1526,6 +1574,6 @@ func isFQDN(fl FieldLevel) bool {
 		val = val[0 : len(val)-1]
 	}
 
-	return (strings.IndexAny(val, ".") > -1) &&
-		hostnameRegex.MatchString(val)
+	return strings.ContainsAny(val, ".") &&
+		hostnameRegexRFC952.MatchString(val)
 }