feat: Add external_data function to Gator Test command

[fardin01]

Signed-off-by: Fardin Khanjani fardin.khanjani@tradeshift.com

What this PR does / why we need it:
gator test should be able to handle external data providers.

gator test returns undefined function external_data if external_data is being used in a ConstraintTemplate. This means that policies that query an external data source cannot be tested except for manual tests against a live cluster.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #2659

Special notes for your reviewer:

[fardin01]

@maxsmythe @sozercan Can I please get some initial feedback here? I'll add tests afterward.

[codecov-commenter]

Codecov Report

Patch coverage: 27.77% and project coverage change: -0.16 ⚠️

Comparison is base (9da7226) 53.56% compared to head (fdffa22) 53.41%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2789      +/-   ##
==========================================
- Coverage   53.56%   53.41%   -0.16%     
==========================================
  Files         128      128              
  Lines       11411    11462      +51     
==========================================
+ Hits         6112     6122      +10     
- Misses       4822     4861      +39     
- Partials      477      479       +2     

Flag	Coverage Δ
unittests	53.41% <27.77%> (-0.16%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/gator/reader/filereader.go	0.00% <0.00%> (ø)
pkg/gator/test/test.go	55.41% <30.95%> (-8.94%)	⬇️
cmd/gator/test/test.go	32.71% <50.00%> (+1.28%)	⬆️

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[acpana]

Thanks for opening this PR! Excited to see this take shape. Before acting on any feedback, please wait on max/ sertac to see what other comments they may have

[acpana]

I think the existence of external-data-providers implies that external-data is true so we could get away with just using the latter flag.

[acpana]

Similarly, probably don't need two options in test.Opts

[maxsmythe]

What is the reason for using a different flag to source providers vs. the rest of the cluster config? Avoiding letting untrusted config reach out to arbitrary HTTP endpoints?

[fardin01]

No specific reason. :) I agree with Alex's suggestion that the existence of external-data-providers implies that external-data is true.

[maxsmythe]

Gotcha. I think security is a good consideration as far as separating out the providers folder (at least potentially). And, if we do have a providers folder, that can probably take the place of an enabled/disabled flag. Maybe users who have a hard requirement of "absolutely no reaching out to external services" might take comfort in an explicit flag though.

@sozercan thoughts?

[fardin01]

@sozercan Kind reminder. :)

[ritazh]

+1 on having an explicit flag to enable/disable external data. though I prefer something like enable-external-data

[fardin01]

@maxsmythe @sozercan A kind reminder. :)

[maxsmythe]

Sorry for the delay in review

[maxsmythe]

What is the reason for using a different flag to source providers vs. the rest of the cluster config? Avoiding letting untrusted config reach out to arbitrary HTTP endpoints?

[maxsmythe]

If having a separate flag is for security purposes, we'd also need to load in the data separately, currently providers defined in any file would be ingested.

[maxsmythe]

I think we should figure out our stance vis-a-vis security in the other comment (link below). Then this comment will either be irrelevant, or very relevant.

#2789 (comment)

[fardin01]

@maxsmythe Could you please give me some pointers on how to implement this?

Should ReadSources() function contain something like

s, err = readExternalDataSourceFiles(externalDataProviderFiles)
...

[fardin01]

If we want to load the external data provider config from its dedicated directory, then we should change this line to skip over external data provider config, and then either

1. Reuse readFiles function like: s, err = readFiles(externalDataProviderFiles)
2. Create a new function like: readExternalDataSourceFiles(externalDataProviderFiles).

and then append the result to sources. Am I on the right path?

[maxsmythe]

Yep!

[fardin01]

@maxsmythe @ritazh Please take another look. I'll add the tests afterward.

[sozercan]

Sorry for the delay. +1 on @acpana and @maxsmythe's comments.

[fardin01]

In terms of unit tests, what do we do about the external_data() function request and response?

[sozercan]

@fardin01

for go http unit tests, we might be able to use https://pkg.go.dev/net/http/httptest

for mock rego tests, see #2826

[acpana]

@fardin01 thanks again your PR here and for your contributions.

I'm curious if you still had the bandwidth to follow up here.

I think there's still the issue of figuring out the right semantics for the flags here @maxsmythe @sozercan and testing IIUC.

[fardin01]

@acpana No problem! I do have the bandwidth, just been waiting for input before I spend time on it.

We are actually going to go live soon with Gator CLI built off of this PR (to give our developers a tool to verify their changes before deploying), so we are very eager for this PR to be merged and released. 😃

[maxsmythe]

To be clear, I'd prefer having a separate flag for specifying provider configs (for security purposes), and provider configs should be loaded from a different path from the rest of the code. This is to make it possible to avoid loading malicious configurations.

[ritazh]

Let's also make sure to add the new flag(s) to docs.

[ritazh]

@fardin01 Let us know if this is ready for review!

[fardin01]

@fardin01 Let us know if this is ready for review!

@ritazh Unfortunately I will not be working on this anymore. 😞

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.