forked from concourse/concourse
-
Notifications
You must be signed in to change notification settings - Fork 0
/
checker.go
188 lines (151 loc) · 4.77 KB
/
checker.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
package policy
import (
"fmt"
"strings"
"code.cloudfoundry.org/lager"
"github.com/jessevdk/go-flags"
)
const ActionUseImage = "UseImage"
type PolicyCheckNotPass struct {
Reasons []string
}
func (e PolicyCheckNotPass) Error() string {
return fmt.Sprintf("policy check failed: %s", strings.Join(e.Reasons, ", "))
}
type Filter struct {
HttpMethods []string `long:"policy-check-filter-http-method" description:"API http method to go through policy check"`
Actions []string `long:"policy-check-filter-action" description:"Actions in the list will go through policy check"`
ActionsToSkip []string `long:"policy-check-filter-action-skip" description:"Actions the list will not go through policy check"`
}
type PolicyCheckInput struct {
Service string `json:"service"`
ClusterName string `json:"cluster_name"`
ClusterVersion string `json:"cluster_version"`
HttpMethod string `json:"http_method,omitempty"`
Action string `json:"action"`
User string `json:"user,omitempty"`
Team string `json:"team,omitempty"`
Roles []string `json:"roles,omitempty"`
Pipeline string `json:"pipeline,omitempty"`
Data interface{} `json:"data,omitempty"`
}
type PolicyCheckOutput struct {
Allowed bool
Reasons []string
}
// FailedPolicyCheck creates a generic failed check
func FailedPolicyCheck() PolicyCheckOutput {
return PolicyCheckOutput{
Allowed: false,
Reasons: []string{},
}
}
// PassedPolicyCheck creates a generic passed check
func PassedPolicyCheck() PolicyCheckOutput {
return PolicyCheckOutput{
Allowed: true,
Reasons: []string{},
}
}
//go:generate counterfeiter . Agent
// Agent should be implemented by policy agents.
type Agent interface {
// Check returns true if passes policy check. If not goes through policy
// check, just return true.
Check(PolicyCheckInput) (PolicyCheckOutput, error)
}
//go:generate counterfeiter . AgentFactory
type AgentFactory interface {
Description() string
IsConfigured() bool
NewAgent(lager.Logger) (Agent, error)
}
var agentFactories []AgentFactory
func RegisterAgent(factory AgentFactory) {
agentFactories = append(agentFactories, factory)
}
func WireCheckers(group *flags.Group) {
for _, factory := range agentFactories {
_, err := group.AddGroup(fmt.Sprintf("Policy Check Agent (%s)", factory.Description()), "", factory)
if err != nil {
panic(err)
}
}
}
var (
clusterName string
clusterVersion string
)
//go:generate counterfeiter . Checker
type Checker interface {
ShouldCheckHttpMethod(string) bool
ShouldCheckAction(string) bool
ShouldSkipAction(string) bool
Check(input PolicyCheckInput) (PolicyCheckOutput, error)
}
func Initialize(logger lager.Logger, cluster string, version string, filter Filter) (Checker, error) {
logger.Debug("policy-checker-initialize")
clusterName = cluster
clusterVersion = version
var checkerDescriptions []string
for _, factory := range agentFactories {
if factory.IsConfigured() {
checkerDescriptions = append(checkerDescriptions, factory.Description())
}
}
if len(checkerDescriptions) > 1 {
return nil, fmt.Errorf("Multiple policy checker configured: %s", strings.Join(checkerDescriptions, ", "))
}
for _, factory := range agentFactories {
if factory.IsConfigured() {
agent, err := factory.NewAgent(logger.Session("policy-checker"))
if err != nil {
return nil, err
}
logger.Info("warning-experiment-policy-check",
lager.Data{"rfc": "https://github.com/concourse/rfcs/pull/41"})
return &AgentChecker{
filter: filter,
agent: agent,
}, nil
}
}
// No policy checker configured.
return NoopChecker{}, nil
}
type AgentChecker struct {
filter Filter
agent Agent
}
func (c *AgentChecker) ShouldCheckHttpMethod(method string) bool {
return inArray(c.filter.HttpMethods, method)
}
func (c *AgentChecker) ShouldCheckAction(action string) bool {
return inArray(c.filter.Actions, action)
}
func (c *AgentChecker) ShouldSkipAction(action string) bool {
return inArray(c.filter.ActionsToSkip, action)
}
func inArray(array []string, target string) bool {
found := false
for _, ele := range array {
if ele == target {
found = true
break
}
}
return found
}
func (c *AgentChecker) Check(input PolicyCheckInput) (PolicyCheckOutput, error) {
input.Service = "concourse"
input.ClusterName = clusterName
input.ClusterVersion = clusterVersion
return c.agent.Check(input)
}
type NoopChecker struct{}
func (noop NoopChecker) ShouldCheckHttpMethod(string) bool { return false }
func (noop NoopChecker) ShouldCheckAction(string) bool { return false }
func (noop NoopChecker) ShouldSkipAction(string) bool { return true }
func (noop NoopChecker) Check(PolicyCheckInput) (PolicyCheckOutput, error) {
return PolicyCheckOutput{Allowed: true}, nil
}