Initial work on Python utilities for Open Policy Agent
Starting with tools to help with generating Gatekeeper ConstraintTemplates from Rego source files.
Commit 4b49976 (0 parents): 12 changed files with 646 additions and 0 deletions.
@@ -0,0 +1,6 @@ | ||
__pycache__/ | ||
*.py[cod] | ||
*.so | ||
.coverage | ||
*.egg-info | ||
.mypy_cache |
@@ -0,0 +1,6 @@ | ||
__pycache__/ | ||
*.py[cod] | ||
*.so | ||
.coverage | ||
*.egg-info | ||
.mypy_cache |
@@ -0,0 +1,10 @@ | ||
FROM python:alpine | ||
|
||
RUN pip3 install click colorama PyYAML | ||
|
||
WORKDIR /app | ||
|
||
COPY . /src | ||
|
||
ENTRYPOINT ["python3", "/src/cli.py"] | ||
CMD ["--help"] |
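Review bot: `FROM python:alpine` and `RUN pip3 install click colorama PyYAML` both float on unpinned versions, so the image is not reproducible and a future release of the base image or of any of the three packages changes what ships without any change to this file. Pin the base image tag (ideally by digest) and pin the packages, for example by copying in a requirements file with exact versions before the install step. Two smaller points: `COPY . /src` copies the whole build context, including `.git` and any locally generated `*.yaml`, unless a `.dockerignore` excludes them; and the CLI runs as root, while it only needs read access to the mounted `/app` and permission to write the generated `.yaml` files there, so a `USER` directive with an unprivileged account would be appropriate.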
@@ -0,0 +1,13 @@ | ||
Copyright 2019 Gareth Rushgrove. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. |
@@ -0,0 +1,52 @@ | ||
# Policy Tool | ||
|
||
A set of utilities and classes for working with [Open Policy Agent](https://www.openpolicyagent.org/) based tools, including [Gatekeeper](https://github.com/open-policy-agent/gatekeeper) and [Conftest](https://github.com/instrumenta/conftest). | ||
|
||
|
||
## Installation | ||
|
||
Policy Tool can be installed from PyPI using `pip` or similar tools: | ||
|
||
``` | ||
pip install policytool | ||
``` | ||
|
||
|
||
## CLI | ||
|
||
The module provides a | ||
|
||
```console | ||
$ policytool build *.rego | ||
[SecurityControls] Generating a ConstraintTemplate from "SecurityControls.rego" | ||
[SecurityControls] Searching "lib" for additional rego files | ||
[SecurityControls] Adding library from "lib/kubernetes.rego" | ||
[SecurityControls] Saving to "SecurityControls.yaml" | ||
``` | ||
|
||
You can also use the tool via Docker: | ||
|
||
``` | ||
docker run --rm -it -v $(pwd):/app garethr/policytool build | ||
``` | ||
|
||
|
||
## Python | ||
|
||
This module currently contains one class, for working with `ConstraintTemplates` in Gatekeeper. | ||
|
||
```python | ||
from policytool import ConstraintTemplate | ||
|
||
with open(path_to_rego_source_file, "r") as rego: | ||
ct = ConstraintTemplate(name, rego.read()) | ||
print(ct.yaml) | ||
``` | ||
|
||
|
||
## Notes | ||
|
||
A few caveats for anyone trying to use this module. | ||
|
||
* [Loading libraries with `lib`](https://github.com/open-policy-agent/frameworks/commit/55fa33d1cca93f3b133e76a48d2e19adbdeb9de3) is only supported in Gatekeeper HEAD today but should be in the next release. | ||
* This module does not support parameterized ConstraintTemplates |
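Review bot: the sentence "The module provides a" under `## CLI` is unfinished; it should say what is provided (a `policytool` command with a `build` subcommand, judging by the console example that follows). The Docker example `docker run --rm -it -v $(pwd):/app garethr/policytool build` passes no `.rego` files, so it generates nothing, and it fails outright unless the mounted directory contains a `lib` subdirectory, because `--lib` defaults to `lib` and the CLI in `cli.py` declares that path with `exists=True`; add the file arguments as in the `policytool build *.rego` example above and state the `lib/` requirement. It is also worth documenting that `build` writes `<name>.yaml` into the current directory and overwrites any existing file of that name without warning.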
@@ -0,0 +1,48 @@ | ||
import glob | ||
from pathlib import Path | ||
|
||
import click | ||
|
||
from policytool import ConstraintTemplate | ||
|
||
COLORS = ["red", "green", "yellow", "blue", "magenta", "cyan"] | ||
|
||
|
||
@click.group() | ||
def cli(): | ||
""" | ||
A set of utilities for working with Open Policy Agent based tools, including | ||
Gatekeeper and Conftest. | ||
""" | ||
|
||
|
||
@click.command() | ||
@click.option("--lib", default="lib", show_default=True, type=click.Path(exists=True)) | ||
@click.argument("files", nargs=-1, type=click.Path(exists=True)) | ||
def build(files, lib): | ||
""" | ||
Build ConstraintTemplates for Gatekeeper from rego source code | ||
""" | ||
for filename in files: | ||
name = Path(filename).stem | ||
color = COLORS[len(name) % len(COLORS)] | ||
head = click.style(f"[{name}]", fg=color) | ||
click.echo(f'{head} Generating a ConstraintTemplate from "(unknown)"') | ||
with open(filename, "r") as rego: | ||
ct = ConstraintTemplate(name, rego.read()) | ||
|
||
click.echo(f'{head} Searching "{lib}" for additional rego files') | ||
for library in glob.glob(f"{lib}/*.rego"): | ||
with open(library, "r") as handle: | ||
click.echo(f'{head} Adding library from "{library}"') | ||
ct.libs.append(handle.read()) | ||
|
||
with open(f"{name}.yaml", "w") as template: | ||
click.echo(f'{head} Saving to "{name}.yaml"') | ||
template.write(ct.yaml) | ||
|
||
|
||
cli.add_command(build) | ||
|
||
if __name__ == "__main__": | ||
cli() |
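Review bot: in `build`, the line `click.echo(f'{head} Generating a ConstraintTemplate from "(unknown)"')` prints the literal string `(unknown)` rather than the file being processed, which contradicts the README's sample output (`from "SecurityControls.rego"`); it should interpolate `{filename}`. Two further points: `@click.option("--lib", default="lib", ..., type=click.Path(exists=True))` turns a missing `lib` directory into a hard error even for users with no library files, so either drop `exists=True` and skip the search when the directory is absent, or document that `lib/` is mandatory. And `open(f"{name}.yaml", "w")` writes into the current directory and silently clobbers whatever is already there, while `glob.glob(f"{lib}/*.rego")` appends every file in `lib` to every template, including the template's own source if `--lib .` is passed; an `--output-dir` option with an existence check, and excluding `filename` from the library glob, would address both.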