Add Open Service Mesh to ecosystem (open-policy-agent#4171)

Also: * Add some links to Kubernetes authorization item * Add SPIFFE/SPIRE blog * Extend Rego tests to verify added/modified YAML files as valid The last point was intended to be for the integrations.yaml file only, but thinking more about it made sense not to limit the check to a single file. Signed-off-by: Anders Eknert <anders@eknert.com>
justinlindh-wf · Dec 30, 2021 · 0ddf1db · 0ddf1db
1 parent 06664d0
commit 0ddf1db
Show file tree

Hide file tree

Showing 6 changed files with 71 additions and 14 deletions.
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -287,11 +287,11 @@ jobs:
         uses: infracost/setup-opa@v1
 
       - name: Test policies
-        run: opa test .github/policy
+        run: opa test build/policy
 
       - name: Run policy checks on changed files
         run: |
           curl --silent --fail --header 'Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
           https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files \
-          | opa eval --data .github/policy/files.rego --format values --stdin-input --fail-defined 'data.files.deny[message]'
+          | opa eval --bundle build/policy/ --format values --stdin-input --fail-defined 'data.files.deny[message]'
 
diff --git a/.github/policy/files.rego → build/policy/files.rego b/.github/policy/files.rego → build/policy/files.rego
@@ -9,14 +9,19 @@ package files
 
 import future.keywords.in
 
-filenames := [f | f := input[_].filename]
+import data.helpers.endswith_any
+import data.helpers.last_indexof
+
+filenames := {f.filename | some f in input}
 
 changes := {filename: attributes |
-	c := input[_]
-	filename := c.filename
-	attributes := object.remove(c, ["filename"])
+	some change in input
+	filename := change.filename
+	attributes := object.remove(change, ["filename"])
 }
 
+get_file_in_pr(filename) = http.send({"url": changes[filename].raw_url, "method": "GET"}).raw_body
+
 deny["Logo must be placed in docs/website/static/img/logos/integrations"] {
 	"docs/website/data/integrations.yaml" in filenames
 
@@ -37,10 +42,14 @@ deny["Logo must be a .png file"] {
 	not endswith(filename, ".png")
 }
 
-last_indexof(string, search) = i {
-	all := [i | chars := split(string, ""); chars[i] == search]
-	count(all) > 0
-	i := all[count(all) - 1]
-} else = -1 {
-	true
+# Helper rule to work around not being able to mock functions yet
+yaml_file_contents := {filename: get_file_in_pr(filename) |
+	some filename in filenames
+	endswith_any(filename, [".yml", ".yaml"])
+}
+
+deny[sprintf("%s is an invalid YAML file", [filename])] {
+	some filename, content in yaml_file_contents
+	changes[filename].status in {"added", "modified"}
+	not yaml.is_valid(content)
 }
diff --git a/.github/policy/files_test.rego → build/policy/files_test.rego b/.github/policy/files_test.rego → build/policy/files_test.rego
@@ -42,3 +42,14 @@ test_deny_logo_if_not_png_file {
 		},
 	]
 }
+
+test_deny_invalid_yaml_file {
+	expected := "invalid.yaml is an invalid YAML file"
+	deny[expected] with data.files.yaml_file_contents as {"invalid.yaml": "{null{}}"}
+		 with data.files.changes as {"invalid.yaml": {"status": "modified"}}
+}
+
+test_allow_valid_yaml_file {
+	count(deny) == 0 with data.files.yaml_file_contents as {"valid.yaml": "foo: bar"}
+		 with data.files.changes as {"valid.yaml": {"status": "modified"}}
+}
diff --git a/build/policy/helpers.rego b/build/policy/helpers.rego
@@ -0,0 +1,16 @@
+package helpers
+
+import future.keywords.in
+
+last_indexof(string, search) = i {
+	all := [i | chars := split(string, ""); chars[i] == search]
+	count(all) > 0
+	i := all[count(all) - 1]
+} else = -1 {
+	true
+}
+
+endswith_any(string, suffixes) {
+	some suffix in suffixes
+	endswith(string, suffix)
+}
diff --git a/docs/website/data/integrations.yaml b/docs/website/data/integrations.yaml
@@ -108,7 +108,6 @@ integrations:
           - name: Joe Beda
             organization: VMware
         link: https://www.youtube.com/watch?v=QU9BGPf0hBw
-
     blogs:
       - https://medium.com/@sbueringer/kubernetes-authorization-via-open-policy-agent-a9455d9d5ceb
       - https://medium.com/@jimmy.ray/policy-enabled-kubernetes-with-open-policy-agent-3b612b3f0203
@@ -123,9 +122,14 @@ integrations:
       Kubernetes Authorization is a pluggable mechanism that lets administrators control which users can run which APIs and
       is often handled by builtin RBAC.  OPA's policy language is more flexible than the RBAC, for example,
       writing policy using a prohibited list of APIs instead of the usual RBAC style of listing the permitted APIs.
+    code:
+      - https://github.com/open-policy-agent/contrib/tree/main/k8s_authorization
     blogs:
+      - https://blog.styra.com/blog/kubernetes-authorization-webhook
       - https://itnext.io/kubernetes-authorization-via-open-policy-agent-a9455d9d5ceb
       - https://itnext.io/optimizing-open-policy-agent-based-kubernetes-authorization-via-go-execution-tracer-7b439bb5dc5b
+    inventors:
+      - styra
 
   kubernetes-provisioning:
     title: Kubernetes Provisioning
@@ -314,7 +318,6 @@ integrations:
         venue: Kubecon Austin 2017
         link: https://www.youtube.com/watch?v=R6tUNpRpdnY
 
-
   istio-authorization-edge:
     title: Container Network Authorization with Istio (at the Edge)
     description: Istio is a networking abstraction for cloud-native applications that uses Envoy at the edge. OPA hooks into Envoy’s external authorization filter to provide fine-grained, context-aware authorization for network or HTTP requests.
@@ -470,6 +473,19 @@ integrations:
     inventors:
       - styra
 
+  open-service-mesh:
+    title: Open Service Mesh (OSM)
+    description: Open Service Mesh is a lightweight and extensible cloud native service mesh.
+    software:
+      - osm
+    labels:
+      category: servicemesh
+      layer: network
+    code:
+      - https://github.com/openservicemesh/osm/blob/main/docs/example/manifests/opa/deploy-opa-envoy.yaml
+    tutorials:
+      - https://release-v0-11.docs.openservicemesh.io/docs/guides/integrations/external_auth_opa/#osm-with-opa-plugin-external-authorization-walkthrough
+
   minio:
     title: Minio API Authorization
     description: Minio is an open source, on-premise object database compatible with the Amazon S3 API.  This integration lets OPA enforce policies on Minio's API.
@@ -931,6 +947,8 @@ integrations:
     software:
       - SPIFFE
       - SPIRE
+    blogs:
+      - https://blog.styra.com/blog/zero-trust-with-envoy-spire-and-open-policy-agent-opa
     code:
       - https://github.com/spiffe/spire/blob/v1.0.2/doc/authorization_policy_engine.md
     tutorials:
@@ -1199,6 +1217,9 @@ software:
   javaspringsecurity:
     name: Spring Security
     link: https://spring.io/projects/spring-security
+  osm:
+    name: Open Service Mesh
+    link: https://openservicemesh.io/
   spinnaker:
     name: Spinnaker
     link: https://www.spinnaker.io/

diff --git a/docs/website/static/img/logos/integrations/open-service-mesh.png b/docs/website/static/img/logos/integrations/open-service-mesh.png