check policy against user repository metadata

kobtea · Dec 31, 2022 · 5b13e5a · 5b13e5a
1 parent 43f5336
commit 5b13e5a
Show file tree

Hide file tree

Showing 6 changed files with 86 additions and 6 deletions.
diff --git a/check/check.go b/check/check.go
@@ -0,0 +1,46 @@
+package check
+
+import (
+	"context"
+	"path/filepath"
+	"strings"
+
+	"github.com/kobtea/gorgo/config"
+	"github.com/kobtea/gorgo/fetch"
+	"github.com/open-policy-agent/conftest/output"
+	"github.com/open-policy-agent/conftest/runner"
+)
+
+func Check(ctx context.Context, cfg *config.Config) error {
+	var result []output.CheckResult
+	for _, elm := range cfg.Users {
+		pat := filepath.Join(cfg.WorkingDir, fetch.MetadataDirname, elm.Name, "*", fetch.RepoFilename)
+		files, err := filepath.Glob(pat)
+		if err != nil {
+			return err
+		}
+		var matchFiles []string
+		for _, file := range files {
+			l := strings.Split(file, "/")
+			repoName := l[len(l)-2]
+			if elm.Regex.Match([]byte(repoName)) {
+				matchFiles = append(matchFiles, file)
+			}
+		}
+		r := runner.TestRunner{
+			AllNamespaces: true,
+			Policy:        elm.RepoPolicies,
+		}
+		res, err := r.Run(ctx, matchFiles)
+		if err != nil {
+			return err
+		}
+		result = append(result, res...)
+	}
+	// FIXME: support multi format
+	outputter := output.Get("", output.Options{})
+	if err := outputter.Output(result); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/cmd/check.go b/cmd/check.go
@@ -0,0 +1,22 @@
+package cmd
+
+import (
+	"context"
+
+	"github.com/kobtea/gorgo/check"
+	"github.com/spf13/cobra"
+)
+
+// checkCmd represents the check command
+var checkCmd = &cobra.Command{
+	Use:   "check",
+	Short: "Test policies",
+	Run: func(cmd *cobra.Command, args []string) {
+		ctx := context.Background()
+		check.Check(ctx, cfg)
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(checkCmd)
+}
diff --git a/config/config.go b/config/config.go
@@ -35,8 +35,9 @@ type Config struct {
 }
 
 type User struct {
-	Name  string  `yaml:"name"`
-	Regex *Regexp `yaml:"regex,omitempty"`
+	Name         string   `yaml:"name"`
+	Regex        *Regexp  `yaml:"regex,omitempty"`
+	RepoPolicies []string `yaml:"repo_policies"`
 }
 
 func (s *User) UnmarshalYAML(unmarshal func(interface{}) error) error {

diff --git a/example/config.yaml b/example/config.yaml
@@ -2,5 +2,9 @@ working_dir: ./tmp/
 users:
   - name: kobtea
     regex: jsonnet
+    repo_policies:
+      - ./example/policy/github_repo.rego
   - name: kobtea
     regex: exporter
+    repo_policies:
+      - ./example/policy/github_repo.rego
diff --git a/example/policy/github_repo.rego b/example/policy/github_repo.rego
@@ -0,0 +1,7 @@
+package github.repo
+
+warn[msg] {
+  [y, m, _, _, _, _] := time.diff(time.now_ns(), time.parse_rfc3339_ns(input.pushed_at))
+  y * 12 + m > 6
+  msg := "GitHub repository should be pushed at least once every 6 month"
+}
diff --git a/fetch/fetch.go b/fetch/fetch.go
@@ -13,8 +13,8 @@ import (
 )
 
 const (
-	metadataDirname = "metadata"
-	repoFilename    = "repo.json"
+	MetadataDirname = "metadata"
+	RepoFilename    = "repo.json"
 )
 
 func Fetch(ctx context.Context, cfg *config.Config) error {
@@ -62,12 +62,12 @@ func fetchUserRepositories(ctx context.Context, name string, regexes []*config.R
 					if err != nil {
 						return err
 					}
-					dir := filepath.Join(outputDir, metadataDirname, name, *repo.Name)
+					dir := filepath.Join(outputDir, MetadataDirname, name, *repo.Name)
 					if err = os.MkdirAll(dir, 0755); err != nil {
 						return err
 					}
 
-					if err = os.WriteFile(filepath.Join(dir, repoFilename), j, 0644); err != nil {
+					if err = os.WriteFile(filepath.Join(dir, RepoFilename), j, 0644); err != nil {
 						return err
 					}
 				}