feat: add support for return values

Author: chen-keinan

eval/cmdeval.go

@@ -54,53 +54,66 @@ func (cv commandEvaluate) EvalCommandPolicy(commands []string, evalExpr string,
 	if err != nil {
 		return CmdEvalResult{Match: false}
 	}
-	val, err := cv.evalPolicy(commands, cmdExec, evalExpr, policy, pep.EvalParamNum, []string{pep.PolicyQueryParam}...)
+	val, err := cv.evalPolicy(commands, cmdExec, evalExpr, policy, pep.EvalParamNum, []string{pep.PolicyQueryParam}, pep.ReturnKeys)
 	if err != nil {
 		return CmdEvalResult{Match: false, Error: err}
 	}
 	return CmdEvalResult{Match: val.EvalExpResult == 0, Error: err, PolicyResult: val.PolicyResult}
 }
 
-func (cv commandEvaluate) evalPolicy(commands []string, cmdExec cmd, evalExpr string, policy string, compareComm int, propertyEval ...string) (FinalResult, error) {
-	resMap := make(map[int][]string)
-	cmdTotalRes := make([]string, 0)
-	var commNum = 0
-	for index := range commands {
-		res := cmdExec.execCommand(index, cmdTotalRes, make([]IndexValue, 0), evalExpr)
-		sb := strings.Builder{}
-		for _, s := range res {
-			sb.WriteString(s)
-		}
-		resMap[commNum] = res
-		cmdTotalRes = append(cmdTotalRes, sb.String())
-		commNum++
-	}
-	policyEvalResults := make([]*validator.ValidateResult, 0)
+func (cv commandEvaluate) evalPolicy(commands []string, cmdExec cmd, evalExpr string, policy string, compareComm int, propertyEval []string, ReturnFields []string) (*FinalResult, error) {
+	resMap, cmdTotalRes := cv.ExecCommands(commands, cmdExec, evalExpr)
+	policyEvalResults := make([]utils.PolicyResult, 0)
 	var policyRes int
 	if val, ok := resMap[compareComm]; ok {
 		for _, cmdRes := range val {
 			res, err := validator.NewPolicyEval().EvaluatePolicy(propertyEval, policy, cmdRes)
 			if err != nil {
-				res = []*validator.ValidateResult{{Value: false}}
+				return nil, err
 			}
-			policyEvalResults = append(policyEvalResults, res...)
+			policyResult := utils.MatchPolicy(res[0].ExpressionValue[0].Value, ReturnFields)
+			policyEvalResults = append(policyEvalResults, policyResult)
 		}
 		for _, per := range policyEvalResults {
-			if !per.Value {
-				policyRes = 1
-				break
+			if returnVal, ok := per.ReturnValues["allow"]; ok {
+				val, err := strconv.ParseBool(returnVal)
+				if err != nil {
+					continue
+				}
+				if !val {
+					policyRes = 1
+					break
+				}
 			}
 		}
 	}
 	match := policyRes == 0
 	policyExpr := utils.GetPolicyExpr(evalExpr)
 	if len(policyExpr) == len(evalExpr) {
-		return FinalResult{EvalExpResult: policyRes, PolicyResult: policyEvalResults}, nil
+		return &FinalResult{EvalExpResult: policyRes, PolicyResult: policyEvalResults}, nil
 	}
 	neweEvalExpr := strings.Replace(evalExpr, policyExpr, fmt.Sprintf("'true' == '%s'", strconv.FormatBool(match)), -1)
 	evalExpResult, err := cmdExec.evalExpression(cmdTotalRes, len(cmdTotalRes), make([]string, 0), 0, neweEvalExpr)
-	return FinalResult{EvalExpResult: evalExpResult, PolicyResult: policyEvalResults}, err
+	return &FinalResult{EvalExpResult: evalExpResult, PolicyResult: policyEvalResults}, err
+
+}
 
+//ExecCommands execute shell commands and encapsulate it results
+func (cv commandEvaluate) ExecCommands(commands []string, cmdExec cmd, evalExpr string) (map[int][]string, []string) {
+	resMap := make(map[int][]string)
+	cmdTotalRes := make([]string, 0)
+	var commNum = 0
+	for index := range commands {
+		res := cmdExec.execCommand(index, cmdTotalRes, make([]IndexValue, 0), evalExpr)
+		sb := strings.Builder{}
+		for _, s := range res {
+			sb.WriteString(s)
+		}
+		resMap[commNum] = res
+		cmdTotalRes = append(cmdTotalRes, sb.String())
+		commNum++
+	}
+	return resMap, cmdTotalRes
 }
 
 func (cv commandEvaluate) evalCommand(commands []string, cmdExec cmd, evalExpr string) (int, error) {
@@ -121,12 +134,12 @@ func (cv commandEvaluate) evalCommand(commands []string, cmdExec cmd, evalExpr s
 type CmdEvalResult struct {
 	Match        bool
 	CmdEvalExpr  string
-	PolicyResult []*validator.ValidateResult
+	PolicyResult []utils.PolicyResult
 	Error        error
 }
 
 //FinalResult  eval result object
 type FinalResult struct {
 	EvalExpResult int
-	PolicyResult  []*validator.ValidateResult
+	PolicyResult  []utils.PolicyResult
 }

eval/cmdeval_test.go

@@ -32,14 +32,21 @@ func TestEvalCommand(t *testing.T) {
 	}
 }
 
-const policy = `package example
-default deny = false
-deny {
+const NotAllowPolicy = `package itsio
+policy_eval :={"name":namespace_name,"allow":allow_policy} {
+	namespace_name:= input.metadata.namespace
+    input.kind == "Pod"
 	some i
-	input.kind == "Pod"
-	image := input.spec.containers[i].image
-	not startswith(image, "kalpine")
-}`
+	allow_policy := input.spec.containers[i].imagePullPolicy == "Always"
+  }
+`
+
+const AllowPolicy = `package itsio
+policy_eval :={"name":namespace_name,"allow":allow_policy} {
+	namespace_name:= input.metadata.namespace
+	allow_policy := namespace_name == "default"
+  }
+`
 
 func TestEvalPolicy(t *testing.T) {
 	res := NewEvalCmd()
@@ -50,12 +57,12 @@ func TestEvalPolicy(t *testing.T) {
 		policy   string
 		want     bool
 	}{
-		{name: "two command and deny policy match", evalExpr: "'${0}' != '';&& [${1} MATCH no_permission.policy QUERY example.deny]", cmd: []string{"kubectl get pods --no-headers -o custom-columns=\":metadata.name\"",
+		{name: "two command and deny policy match", evalExpr: "'${0}' != '';&& [${1} MATCH no_permission.policy QUERY itsio.policy_eval RETURN allow,name]", cmd: []string{"kubectl get pods --no-headers -o custom-columns=\":metadata.name\"",
 			"kubectl get pod ${0} -o json"},
-			policy: policy, want: true},
-		{name: "two command and deny policy expr not match", evalExpr: "'${0}' == '';&& [${1} MATCH no_permission.policy QUERY example.deny]", cmd: []string{"kubectl get pods --no-headers -o custom-columns=\":metadata.name\"",
+			policy: AllowPolicy, want: true},
+		{name: "two command and deny policy expr not match", evalExpr: "'${0}' == '';&& [${1} MATCH no_permission.policy QUERY itsio.policy_eval RETURN allow,name]", cmd: []string{"kubectl get pods --no-headers -o custom-columns=\":metadata.name\"",
 			"kubectl get pod ${0} -o json"},
-			policy: policy, want: false},
+			policy: NotAllowPolicy, want: false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

go.mod

@@ -2,7 +2,7 @@ module github.com/chen-keinan/go-command-eval
 
 go 1.16
 
-replace github.com/chen-keinan/go-opa-validate => github.com/chen-keinan/go-opa-validate v0.0.5
+replace github.com/chen-keinan/go-opa-validate => github.com/chen-keinan/go-opa-validate v0.0.6
 
 require (
 	github.com/Knetic/govaluate v3.0.0+incompatible

go.sum

@@ -69,8 +69,8 @@ github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghf
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chen-keinan/go-opa-validate v0.0.5 h1:vweuJCpR+PfqhwYnt0mGMfx5NqH3bUUSN6L4/V4YyQw=
-github.com/chen-keinan/go-opa-validate v0.0.5/go.mod h1:De/1llRdXYZY2XHDiSgJNUH1449Ha1G3OpL/ouyrBm4=
+github.com/chen-keinan/go-opa-validate v0.0.6 h1:EJ7y+KoOGd/WLLGKwil0vtDKvIt5yPTSnz1I9fbaZxo=
+github.com/chen-keinan/go-opa-validate v0.0.6/go.mod h1:ntu4OB8A6Ni3oyAdiWfwqUBTU8J2gS9K0HC2dk7n0gU=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=

utils/stringutil.go

@@ -179,7 +179,9 @@ func ReadPolicyExpr(policyExpr string) (*PolicyEvalParams, error) {
 		var err error
 		queryArgs := strings.Split(args[1], "QUERY")
 		if len(queryArgs) == 2 {
-			pep.PolicyQueryParam = strings.TrimSpace(queryArgs[1])
+			queryArgsReturn := strings.Split(queryArgs[1], "RETURN")
+			pep.PolicyQueryParam = strings.TrimSpace(queryArgsReturn[0])
+			pep.ReturnKeys = strings.Split(queryArgsReturn[1], ",")
 		}
 		pep.PolicyName = strings.TrimSpace(queryArgs[0])
 		param := strings.TrimSpace(args[0])
@@ -210,4 +212,39 @@ type PolicyEvalParams struct {
 	PolicyName       string
 	PolicyQueryParam string
 	EvalParamNum     int
+	ReturnKeys       []string
+}
+
+//MatchPolicy match policies results against expected return fields
+func MatchPolicy(evalResult interface{}, returnKeys []string) PolicyResult {
+	switch t := evalResult.(type) {
+	case bool:
+		boolValue := strconv.FormatBool(t)
+		return PolicyResult{ReturnValues: map[string]string{"allow": boolValue}}
+	case map[string]interface{}:
+		pr := PolicyResult{ReturnValues: make(map[string]string)}
+		for _, rv := range returnKeys {
+			key := strings.TrimSpace(rv)
+			if key == "allow" {
+				b, ok := t[key].(bool)
+				if ok {
+					boolValue := strconv.FormatBool(b)
+					pr.ReturnValues[key] = boolValue
+				}
+				continue
+			}
+			s, ok := t[key].(string)
+			if ok {
+				pr.ReturnValues[key] = s
+			}
+		}
+		return pr
+	default:
+		return PolicyResult{ReturnValues: map[string]string{"allow": "false"}}
+	}
+}
+
+//PolicyResult hold policy eval result
+type PolicyResult struct {
+	ReturnValues map[string]string
 }

utils/stringutil_test.go

@@ -126,16 +126,40 @@ func Test_ValidParam(t *testing.T) {
 }
 
 func Test_ReadPolicyExpr(t *testing.T) {
-	evalExpr := "'${0}' != '';&& [${0} MATCH no_permission.policy QUERY example.deny]"
+	evalExpr := "'${0}' != '';&& [${0} MATCH no_permission.policy QUERY example.policy_eval RETURN allow]"
+	policy, err := ReadPolicyExpr(evalExpr)
+	assert.NoError(t, err)
+	assert.Equal(t, policy.PolicyName, "no_permission.policy")
+	assert.Equal(t, policy.PolicyQueryParam, "example.policy_eval")
+	assert.Equal(t, policy.EvalParamNum, 0)
+}
+
+func Test_ReadPolicyExprwithReturn(t *testing.T) {
+	evalExpr := "'${0}' != '';&& [${0} MATCH no_permission.policy QUERY example.deny RETURN allow_policy,namespace]"
 	policy, err := ReadPolicyExpr(evalExpr)
 	assert.NoError(t, err)
 	assert.Equal(t, policy.PolicyName, "no_permission.policy")
 	assert.Equal(t, policy.PolicyQueryParam, "example.deny")
 	assert.Equal(t, policy.EvalParamNum, 0)
+	assert.Equal(t, len(policy.ReturnKeys), 2)
 }
 
 func Test_GetPolicyExpr(t *testing.T) {
 	evalExpr := "'${0}' == 'root:root'; && [${0} MATCH no_deny.policy]"
 	policyExpr := GetPolicyExpr(evalExpr)
 	assert.Equal(t, policyExpr, "[${0} MATCH no_deny.policy]")
 }
+
+func Test_MatchPolicySingleReturn(t *testing.T) {
+	policyValues := true
+	returnData := []string{"allow"}
+	mpr := MatchPolicy(policyValues, returnData)
+	assert.Equal(t, mpr.ReturnValues["allow"], "true")
+}
+
+func Test_MatchPolicySingleMulti(t *testing.T) {
+	policyValues := map[string]interface{}{"allow": true}
+	returnData := []string{"allow"}
+	mpr := MatchPolicy(policyValues, returnData)
+	assert.Equal(t, mpr.ReturnValues["allow"], "true")
+}