Initial work on Python utilities for Open Policy Agent

Starting with tools to help with generating Gatekeeper
ConstraintTemplates from Rego source files.

.dockerignore

@@ -0,0 +1,6 @@
+__pycache__/
+*.py[cod]
+*.so
+.coverage
+*.egg-info
+.mypy_cache

.gitignore

@@ -0,0 +1,6 @@
+__pycache__/
+*.py[cod]
+*.so
+.coverage
+*.egg-info
+.mypy_cache

Dockerfile

@@ -0,0 +1,10 @@
+FROM python:alpine
+
+RUN pip3 install click colorama PyYAML
+
+WORKDIR /app
+
+COPY . /src
+
+ENTRYPOINT ["python3", "/src/cli.py"]
+CMD ["--help"]

LICENSE

@@ -0,0 +1,13 @@
+Copyright 2019 Gareth Rushgrove.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

README.md

@@ -0,0 +1,52 @@
+# Policy Tool
+
+A set of utilities and classes for working with [Open Policy Agent](https://www.openpolicyagent.org/) based tools, including [Gatekeeper](https://github.com/open-policy-agent/gatekeeper) and [Conftest](https://github.com/instrumenta/conftest).
+
+
+## Installation
+
+Policy Tool can be installed from PyPI using `pip` or similar tools:
+
+```
+pip install policytool
+```
+
+
+## CLI
+
+The module provides a 
+
+```console
+$ policytool build *.rego
+[SecurityControls] Generating a ConstraintTemplate from "SecurityControls.rego"
+[SecurityControls] Searching "lib" for additional rego files
+[SecurityControls] Adding library from "lib/kubernetes.rego"
+[SecurityControls] Saving to "SecurityControls.yaml"
+```
+
+You can also use the tool via Docker:
+
+```
+docker run --rm -it -v $(pwd):/app  garethr/policytool build
+```
+
+
+## Python
+
+This module currently contains one class, for working with `ConstraintTemplates` in Gatekeeper.
+
+```python
+from policytool import ConstraintTemplate
+
+with open(path_to_rego_source_file, "r") as rego:
+    ct = ConstraintTemplate(name, rego.read())
+print(ct.yaml)
+```
+
+
+## Notes
+
+A few caveats for anyone trying to use this module.
+
+* [Loading libraries with `lib`](https://github.com/open-policy-agent/frameworks/commit/55fa33d1cca93f3b133e76a48d2e19adbdeb9de3) is only supported in Gatekeeper HEAD today but should be in the next release.
+* This module does not support parameterized ConstraintTemplates

cli.py

@@ -0,0 +1,48 @@
+import glob
+from pathlib import Path
+
+import click
+
+from policytool import ConstraintTemplate
+
+COLORS = ["red", "green", "yellow", "blue", "magenta", "cyan"]
+
+
+@click.group()
+def cli():
+    """
+    A set of utilities for working with Open Policy Agent based tools, including
+    Gatekeeper and Conftest.
+    """
+
+
+@click.command()
+@click.option("--lib", default="lib", show_default=True, type=click.Path(exists=True))
+@click.argument("files", nargs=-1, type=click.Path(exists=True))
+def build(files, lib):
+    """
+    Build ConstraintTemplates for Gatekeeper from rego source code
+    """
+    for filename in files:
+        name = Path(filename).stem
+        color = COLORS[len(name) % len(COLORS)]
+        head = click.style(f"[{name}]", fg=color)
+        click.echo(f'{head} Generating a ConstraintTemplate from "{filename}"')
+        with open(filename, "r") as rego:
+            ct = ConstraintTemplate(name, rego.read())
+
+        click.echo(f'{head} Searching "{lib}" for additional rego files')
+        for library in glob.glob(f"{lib}/*.rego"):
+            with open(library, "r") as handle:
+                click.echo(f'{head} Adding library from "{library}"')
+                ct.libs.append(handle.read())
+
+        with open(f"{name}.yaml", "w") as template:
+            click.echo(f'{head} Saving to "{name}.yaml"')
+            template.write(ct.yaml)
+
+
+cli.add_command(build)
+
+if __name__ == "__main__":
+    cli()