add interface for ExternalRuleInvoker, add test

assertion/engine.go

@@ -63,3 +63,7 @@ type Resource struct {
 	Properties interface{}
 	Filename   string
 }
+
+type ExternalRuleInvoker interface {
+	Invoke(Rule, Resource) (string, []Violation)
+}

assertion/invoke.go

@@ -15,7 +15,11 @@ type InvokeResponse struct {
 	Violations []InvokeViolation
 }
 
-func invoke(rule Rule, resource Resource, log LoggingFunction) (string, []Violation) {
+type StandardExternalRuleInvoker struct {
+	Log LoggingFunction
+}
+
+func (e StandardExternalRuleInvoker) Invoke(rule Rule, resource Resource) (string, []Violation) {
 	status := "OK"
 	violations := make([]Violation, 0)
 	payload := resource.Properties
@@ -27,7 +31,7 @@ func invoke(rule Rule, resource Resource, log LoggingFunction) (string, []Violat
 		payload = p
 	}
 	payloadJSON, err := JSONStringify(payload)
-	log(fmt.Sprintf("Invoke %s on %s\n", rule.Invoke.Url, payloadJSON))
+	e.Log(fmt.Sprintf("Invoke %s on %s\n", rule.Invoke.Url, payloadJSON))
 	httpResponse, err := http.Get(rule.Invoke.Url)
 	if err != nil {
 		return rule.Severity, violations // TODO set violation to HTTP call failed
@@ -37,7 +41,7 @@ func invoke(rule Rule, resource Resource, log LoggingFunction) (string, []Violat
 	if err != nil {
 		return rule.Severity, violations // TODO set violation to read body failed
 	}
-	log(string(body))
+	e.Log(string(body))
 	var invokeResponse InvokeResponse
 	err = json.Unmarshal(body, &invokeResponse)
 	if err != nil {

assertion/rules.go

@@ -68,15 +68,15 @@ func ResolveRule(rule Rule, valueSource ValueSource, log LoggingFunction) Rule {
 	return resolvedRule
 }
 
-func CheckRule(rule Rule, resource Resource, log LoggingFunction) (string, []Violation) {
+func CheckRule(rule Rule, resource Resource, e ExternalRuleInvoker, log LoggingFunction) (string, []Violation) {
 	returnStatus := "OK"
 	violations := make([]Violation, 0)
 	if ExcludeResource(rule, resource) {
 		fmt.Println("Ignoring resource:", resource.Id)
 		return returnStatus, violations
 	}
 	if rule.Invoke.Url != "" {
-		return invoke(rule, resource, log)
+		return e.Invoke(rule, resource)
 	}
 	for _, ruleAssertion := range rule.Assertions {
 		log(fmt.Sprintf("Checking resource %s", resource.Id))

assertion/rules_test.go

@@ -18,6 +18,20 @@ func testValueSource() ValueSource {
 	return TestValueSource{}
 }
 
+type MockExternalRuleInvoker struct {
+	InvokeCount int
+}
+
+func mockExternalRuleInvoker() *MockExternalRuleInvoker {
+	return &MockExternalRuleInvoker{InvokeCount: 0}
+}
+
+func (e *MockExternalRuleInvoker) Invoke(Rule, Resource) (string, []Violation) {
+	e.InvokeCount += 1
+	noViolations := make([]Violation, 0)
+	return "OK", noViolations
+}
+
 var content = `Rules:
   - id: TEST1
     message: Test message
@@ -96,7 +110,7 @@ func TestRuleWithMultipleFilter(t *testing.T) {
 		Properties: map[string]interface{}{"instance_type": "t2.micro", "ami": "ami-000000"},
 		Filename:   "test.tf",
 	}
-	status, violations := CheckRule(rules.Rules[0], resource, testLogging)
+	status, violations := CheckRule(rules.Rules[0], resource, mockExternalRuleInvoker(), testLogging)
 	if status != "OK" {
 		t.Error("Expecting multiple rule to match")
 	}
@@ -113,7 +127,7 @@ func TestMultipleFiltersWithSingleFailure(t *testing.T) {
 		Properties: map[string]interface{}{"instance_type": "t2.micro", "ami": "ami-111111"},
 		Filename:   "test.tf",
 	}
-	status, violations := CheckRule(rules.Rules[0], resource, testLogging)
+	status, violations := CheckRule(rules.Rules[0], resource, mockExternalRuleInvoker(), testLogging)
 	if status != "FAILURE" {
 		t.Error("Expecting multiple rule to return FAILURE")
 	}
@@ -130,7 +144,7 @@ func TestMultipleFiltersWithMultipleFailures(t *testing.T) {
 		Properties: map[string]interface{}{"instance_type": "c3.medium", "ami": "ami-111111"},
 		Filename:   "test.tf",
 	}
-	status, violations := CheckRule(rules.Rules[0], resource, testLogging)
+	status, violations := CheckRule(rules.Rules[0], resource, mockExternalRuleInvoker(), testLogging)
 	if status != "FAILURE" {
 		t.Error("Expecting multiple rule to return FAILURE")
 	}
@@ -162,11 +176,36 @@ func TestValueFrom(t *testing.T) {
 		Filename:   "test.tf",
 	}
 	resolved := ResolveRules(rules.Rules, testValueSource(), testLogging)
-	status, violations := CheckRule(resolved[0], resource, testLogging)
+	status, violations := CheckRule(resolved[0], resource, mockExternalRuleInvoker(), testLogging)
 	if status != "OK" {
 		t.Error("Expecting value_from to match")
 	}
 	if len(violations) != 0 {
 		t.Error("Expecting value_from test to have 0 violations")
 	}
 }
+
+var ruleWithInvoke = `Rules:
+  - id: FROM1
+    message: Test value_from
+    severity: FAILURE
+    resource: aws_instance
+    invoke:
+      url: http://localhost
+`
+
+func TestInvoke(t *testing.T) {
+	rules := MustParseRules(ruleWithInvoke)
+	resource := Resource{
+		Id:         "a_test_resource",
+		Type:       "aws_instance",
+		Properties: map[string]interface{}{"instance_type": "m3.medium"},
+		Filename:   "test.tf",
+	}
+	resolved := ResolveRules(rules.Rules, testValueSource(), testLogging)
+	e := mockExternalRuleInvoker()
+	CheckRule(resolved[0], resource, e, testLogging)
+	if e.InvokeCount != 1 {
+		t.Error("Expecting external rule engine to be invoked")
+	}
+}

cli/app.go

@@ -74,7 +74,10 @@ func makeLinter(linterType string, log assertion.LoggingFunction) Linter {
 type arrayFlags []string
 
 func (i *arrayFlags) String() string {
-	return "my string representation"
+	if i != nil {
+		return strings.Join(*i, ",")
+	}
+	return ""
 }
 
 func (i *arrayFlags) Set(value string) error {
@@ -85,7 +88,7 @@ func (i *arrayFlags) Set(value string) error {
 func main() {
 	var rulesFilenames arrayFlags
 	verboseLogging := flag.Bool("verbose", false, "Verbose logging")
-	flag.Var(&rulesFilenames, "rules", "Rules file")
+	flag.Var(&rulesFilenames, "rules", "Rules file, can be specified multiple times")
 	tags := flag.String("tags", "", "Run only tests with tags in this comma separated list")
 	ids := flag.String("ids", "", "Run only the rules in this comma separated list")
 	queryExpression := flag.String("query", "", "JMESPath expression to query the results")

cli/kubernetes.go

@@ -47,6 +47,7 @@ func (l KubernetesLinter) ValidateKubernetesResources(resources []assertion.Reso
 	valueSource := assertion.StandardValueSource{Log: l.Log}
 	filteredRules := assertion.FilterRulesByTag(rules, tags)
 	resolvedRules := assertion.ResolveRules(filteredRules, valueSource, l.Log)
+	externalRules := assertion.StandardExternalRuleInvoker{Log: l.Log}
 
 	allViolations := make([]assertion.Violation, 0)
 	for _, rule := range resolvedRules {
@@ -55,7 +56,7 @@ func (l KubernetesLinter) ValidateKubernetesResources(resources []assertion.Reso
 			if assertion.ExcludeResource(rule, resource) {
 				l.Log(fmt.Sprintf("Ignoring resource %s", resource.Id))
 			} else {
-				_, violations := assertion.CheckRule(rule, resource, l.Log)
+				_, violations := assertion.CheckRule(rule, resource, externalRules, l.Log)
 				allViolations = append(allViolations, violations...)
 			}
 		}

cli/security_group.go

@@ -53,6 +53,7 @@ func (l SecurityGroupLinter) ValidateSecurityGroupResources(resources []assertio
 	valueSource := assertion.StandardValueSource{Log: l.Log}
 	filteredRules := assertion.FilterRulesByTag(rules, tags)
 	resolvedRules := assertion.ResolveRules(filteredRules, valueSource, l.Log)
+	externalRules := assertion.StandardExternalRuleInvoker{Log: l.Log}
 
 	allViolations := make([]assertion.Violation, 0)
 	for _, rule := range resolvedRules {
@@ -61,7 +62,7 @@ func (l SecurityGroupLinter) ValidateSecurityGroupResources(resources []assertio
 			if assertion.ExcludeResource(rule, resource) {
 				l.Log(fmt.Sprintf("Ignoring resource %s", resource.Id))
 			} else {
-				_, violations := assertion.CheckRule(rule, resource, l.Log)
+				_, violations := assertion.CheckRule(rule, resource, externalRules, l.Log)
 				allViolations = append(allViolations, violations...)
 			}
 		}

cli/terraform.go

@@ -94,6 +94,7 @@ func (l TerraformLinter) ValidateTerraformResources(resources []assertion.Resour
 	valueSource := assertion.StandardValueSource{Log: l.Log}
 	filteredRules := assertion.FilterRulesByTag(rules, tags)
 	resolvedRules := assertion.ResolveRules(filteredRules, valueSource, l.Log)
+	externalRules := assertion.StandardExternalRuleInvoker{Log: l.Log}
 
 	allViolations := make([]assertion.Violation, 0)
 	for _, rule := range resolvedRules {
@@ -102,7 +103,7 @@ func (l TerraformLinter) ValidateTerraformResources(resources []assertion.Resour
 			if assertion.ExcludeResource(rule, resource) {
 				l.Log(fmt.Sprintf("Ignoring resource %s", resource.Id))
 			} else {
-				_, violations := assertion.CheckRule(rule, resource, l.Log)
+				_, violations := assertion.CheckRule(rule, resource, externalRules, l.Log)
 				allViolations = append(allViolations, violations...)
 			}
 		}

lambda/lambda.go

@@ -103,14 +103,15 @@ func handler(configEvent events.ConfigEvent) (string, error) {
 	ruleSet := assertion.MustParseRules(rulesString)
 	valueSource := assertion.StandardValueSource{Log: log}
 	resolvedRules := assertion.ResolveRules(ruleSet.Rules, valueSource, log)
+	externalRules := StandardExternalRuleInvoker{Log: log}
 	for _, rule := range resolvedRules {
 		if rule.Resource == configurationItem.ResourceType {
 			resource := assertion.Resource{
 				Id:         configurationItem.ResourceId,
 				Type:       configurationItem.ResourceType,
 				Properties: configurationItem.Configuration,
 			}
-			_, violations := assertion.CheckRule(rule, resource, log)
+			_, violations := assertion.CheckRule(rule, resource, externalRules, log)
 			if len(violations) > 0 {
 				fmt.Println("Resource in NON_COMPLIANT")
 				complianceType = "NON_COMPLIANT"