Update Rego validations (#104)

* WIP: implement validating with default policies

Need to handle the error throwing when unable to fetch metadata feilds from the defaultpolicies

Signed-off-by: Santosh <ksantosh@intelops.dev>

* WIP: Improved logging individual policy errors

Signed-off-by: Santosh <ksantosh@intelops.dev>

* WIP: Removed all the error which were showing even with correct validation results

Signed-off-by: Santosh <ksantosh@intelops.dev>

* WIP: Fetching policies using .env file

This method would require to supply the '.env' file to users, without
which the command will fail with error: Error reading .env file
Another approach could be to store all the ociURLs in a const and refer
them to pull default policies.

Signed-off-by: Santosh <ksantosh@intelops.dev>

* Update: Validation with default policies forinfrafile and terraform files

Added examples for using default policies. Updated the logic for adding the source annotation for creating a OCI artifact

Signed-off-by: Santosh <ksantosh@intelops.dev>

* Update ValidateWithRego() to validate with new format of Rego policy

Signed-off-by: Santosh <ksantosh@intelops.dev>

* Update URLs for default policies

Signed-off-by: Santosh <ksantosh@intelops.dev>

* fix failing tests

Signed-off-by: Santosh <ksantosh@intelops.dev>

---------

Signed-off-by: Santosh <ksantosh@intelops.dev>

cmd/artifact_push.go

@@ -120,7 +120,9 @@ func runPushCmd(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		log.Printf("Error parsing source: %v", err)
 	}
-	remoteURL, err := oci.GetGitRemoteURL()
+
+	remoteURL, err := oci.GetRemoteURL()
+	fmt.Printf("Remote Name: %v", remoteURL)
 	if err != nil {
 		return err
 	}

cmd/cel_infrafile.go

@@ -56,7 +56,11 @@ export GITHUB_TOKEN=<your GitHub PAT>
 
 ./genval celval infrafile --reqinput https://github.com/intelops/genval-security-policies/blob/patch-1/input-templates/k8s/deployment.json \
 --policy https://github.com/intelops/genval-security-policies/blob/patch-1/default-policies/cel/k8s_cel.yaml
-	`,
+
+
+
+
+`,
 
 	RunE: runCelCmd,
 }

cmd/regoval.go

@@ -10,7 +10,7 @@ var regovalCmd = &cobra.Command{
 	Long: `
 regoval command maages validation of Kubernetes and related manifests, Terraform files, and Dockerfiles
 using Rego policies.
-.
+
 `,
 }
 

cmd/regoval_dockerfileval.go

@@ -1,6 +1,10 @@
 package cmd
 
 import (
+	"fmt"
+	"os"
+
+	"github.com/intelops/genval/pkg/oci"
 	"github.com/intelops/genval/pkg/utils"
 	"github.com/intelops/genval/pkg/validate"
 	log "github.com/sirupsen/logrus"
@@ -20,9 +24,9 @@ func init() {
 		log.Fatalf("Error marking flag as required: %v", err)
 	}
 	dockerfilevalCmd.Flags().StringVarP(&dockerfilevalArgs.policy, "policy", "p", "", "Path for the Rego policy file, polciy can be passed from either Local or from remote URL")
-	if err := dockerfilevalCmd.MarkFlagRequired("policy"); err != nil {
-		log.Fatalf("Error marking flag as required: %v", err)
-	}
+	// if err := dockerfilevalCmd.MarkFlagRequired("policy"); err != nil {
+	// 	log.Fatalf("Error marking flag as required: %v", err)
+	// }
 
 	regovalCmd.AddCommand(dockerfilevalCmd)
 }
@@ -52,7 +56,12 @@ export GITHUB_TOKEN=<your GitHub PAT>
 
 ./genval regoval dockerfileval --reqinput https://raw.githubusercontent.com/intelops/genval-security-policies/patch-1/Dockerfile-sample \
 --policy https://github.com/intelops/genval-security-policies/blob/patch-1/default-policies/rego/dockerfile_policies.rego
-	`,
+
+
+# Users can you use default policies maintained by the community stored in the https://github.com/intelops/policyhub repo
+
+./genval regoval dockerfileval --reqinput <Path to Dockerfile>
+`,
 	RunE: runDockerfilevalCmd,
 }
 
@@ -65,10 +74,38 @@ func runDockerfilevalCmd(cmd *cobra.Command, args []string) error {
 		log.Errorf("Error reading Dockerfile: %v, validation failed: %s\n", input, err)
 	}
 
-	err = validate.ValidateDockerfile(string(dockerfilefileContent), policy)
-	if err != nil {
-		log.Errorf("Dockerfile validation failed: %s\n", err)
+	if policy == "" {
+		fmt.Println("\n" + "Validating with default policies...")
+
+		tempDir, err := os.MkdirTemp("", "policyDirectory")
+		if err != nil {
+			return fmt.Errorf("error creating policy directory: %v", err)
+		}
+		defer os.RemoveAll(tempDir)
+
+		policyLoc, err := oci.FetchPolicyFromRegistry(cmd.Name())
+		if err != nil {
+			return fmt.Errorf("error fetching policy from registry: %v", err)
+		}
+
+		defaultRegoPolicies, err := validate.ApplyDefaultPolicies(policyLoc, tempDir)
+		if err != nil {
+			return fmt.Errorf("error applying default policies: %v", err)
+		}
+
+		err = validate.ValidateDockerfile(string(dockerfilefileContent), defaultRegoPolicies)
+		if err != nil {
+			log.Errorf("Dockerfile validation failed: %s\n", err)
+			return err
+		}
+	} else {
+		err := validate.ValidateDockerfile(string(dockerfilefileContent), policy)
+		if err != nil {
+			log.Errorf("Dockerfile validation failed: %s\n", err)
+			return err
+		}
 	}
-	log.Infof("Dockerfile: %v validation succeeded!\n", input)
+
+	log.Infof("Dockerfile: %v validation completed!\n", input)
 	return nil
 }

cmd/regoval_infrafile.go

@@ -1,6 +1,10 @@
 package cmd
 
 import (
+	"fmt"
+	"os"
+
+	"github.com/intelops/genval/pkg/oci"
 	"github.com/intelops/genval/pkg/validate"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -20,9 +24,6 @@ func init() {
 	}
 
 	infrafileCmd.Flags().StringVarP(&infrafileArgs.policy, "policy", "p", "", "Path for the CEL policy file, polciy can be passed from either Local or from remote URL")
-	if err := infrafileCmd.MarkFlagRequired("policy"); err != nil {
-		log.Fatalf("Error marking flag as required: %v", err)
-	}
 
 	regovalCmd.AddCommand(infrafileCmd)
 }
@@ -54,6 +55,10 @@ export GITHUB_TOKEN=<Your GitHub PAT>
 ./genval regoval infrafile --reqinput https://github.com/intelops/genval-security-policies/blob/patch-1/input-templates/k8s/deployment.json \
 --policy https://github.com/intelops/genval-security-policies/blob/patch-1/default-policies/rego/k8s.rego
 
+
+# Users can you use default policies maintained by the community stored in the https://github.com/intelops/policyhub repo
+
+./genval --regoval infrafile --reqinput <Path to Infrafile like k8s>
 `,
 	RunE: runinfrafileCmd,
 }
@@ -62,10 +67,37 @@ func runinfrafileCmd(cmd *cobra.Command, args []string) error {
 	inputFile := infrafileArgs.reqinput
 	policy := infrafileArgs.policy
 
-	err := validate.ValidateWithRego(inputFile, policy)
-	if err != nil {
-		log.Errorf("Validation %v failed", err)
+	if policy == "" {
+		fmt.Println("\n" + "Validating with default policies...")
+
+		tempDir, err := os.MkdirTemp("", "policyDirectory")
+		if err != nil {
+			return fmt.Errorf("error creating policy directory: %v", err)
+		}
+		defer os.RemoveAll(tempDir)
+
+		policyLoc, err := oci.FetchPolicyFromRegistry(cmd.Name())
+		if err != nil {
+			return fmt.Errorf("error fetching policy from registry: %v", err)
+		}
+
+		defaultRegoPolicies, err := validate.ApplyDefaultPolicies(policyLoc, tempDir)
+		if err != nil {
+			return fmt.Errorf("error applying default policies: %v", err)
+		}
+
+		err = validate.ValidateWithRego(inputFile, defaultRegoPolicies)
+		if err != nil {
+			return fmt.Errorf("validation infrafiles failed: %s", err)
+		}
+	} else {
+
+		err := validate.ValidateWithRego(inputFile, policy)
+		if err != nil {
+			return fmt.Errorf("validating %v failed: %v", inputFile, err)
+		}
 	}
+
 	log.Infof("infrafile %v, validated succussfully.", inputFile)
 	return nil
 }

cmd/regoval_terraform.go

@@ -1,6 +1,10 @@
 package cmd
 
 import (
+	"fmt"
+	"os"
+
+	"github.com/intelops/genval/pkg/oci"
 	"github.com/intelops/genval/pkg/parser"
 	"github.com/intelops/genval/pkg/validate"
 	log "github.com/sirupsen/logrus"
@@ -20,10 +24,6 @@ func init() {
 		log.Fatalf("Error marking flag as required: %v", err)
 	}
 	terraformCmd.Flags().StringVarP(&terraformArgs.policy, "policy", "p", "", "Path for the Rego policy file, polciy can be passed from either Local or from remote URL")
-	if err := terraformCmd.MarkFlagRequired("policy"); err != nil {
-		log.Fatalf("Error marking flag as required: %v", err)
-	}
-
 	regovalCmd.AddCommand(terraformCmd)
 }
 
@@ -53,6 +53,10 @@ export GITHUB_TOKEN=<your GitHub PAT>
 
 ./genval regoval terraform --reqinput https://github.com/intelops/genval-security-policies/blob/patch-1/input-templates/terraform/sec_group.tf \
 --policy https://github.com/intelops/genval-security-policies/blob/patch-1/default-policies/rego/terraform.rego
+
+# Users can you use default policies maintained by the community stored in the https://github.com/intelops/policyhub repo
+
+./genval regoval terraform --reqinput <path to terraform file>
 	`,
 	RunE: runTerraformCmd,
 }
@@ -66,9 +70,35 @@ func runTerraformCmd(cmd *cobra.Command, args []string) error {
 		log.Errorf("Error converting tf file: %v", err)
 	}
 
-	err = validate.ValidateWithRego(inputJSON, policy)
-	if err != nil {
-		log.Errorf("Validation %v failed", err)
+	if policy == "" {
+		fmt.Println("\n" + "Validating with default policies...")
+
+		tempDir, err := os.MkdirTemp("", "policyDirectory")
+		if err != nil {
+			return fmt.Errorf("error creating policy directory: %v", err)
+		}
+		defer os.RemoveAll(tempDir)
+
+		policyLoc, err := oci.FetchPolicyFromRegistry(cmd.Name())
+		if err != nil {
+			return fmt.Errorf("error fetching policy from registry: %v", err)
+		}
+
+		defaultRegoPolicies, err := validate.ApplyDefaultPolicies(policyLoc, tempDir)
+		if err != nil {
+			return fmt.Errorf("error applying default policies: %v", err)
+		}
+
+		err = validate.ValidateDockerfile(inputFile, defaultRegoPolicies)
+		if err != nil {
+			log.Errorf("Dockerfile validation failed: %s\n", err)
+			return err
+		}
+	} else {
+		err = validate.ValidateWithRego(inputJSON, policy)
+		if err != nil {
+			log.Errorf("Validation %v failed", err)
+		}
 	}
 	log.Infof("Terraform resource: %v, validated succussfully.", inputFile)
 	return nil

go.mod

@@ -33,6 +33,7 @@ require (
 
 require (
 	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	dario.cat/mergo v1.0.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
@@ -46,7 +47,7 @@ require (
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
+	github.com/ProtonMail/go-crypto v1.0.0 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
@@ -94,6 +95,7 @@ require (
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 	github.com/coreos/go-oidc/v3 v3.10.0 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
 	github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
@@ -105,9 +107,13 @@ require (
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emicklei/proto v1.13.2 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-git/v5 v5.12.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
@@ -146,10 +152,12 @@ require (
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/compress v1.17.8 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
@@ -173,6 +181,7 @@ require (
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pborman/uuid v1.2.1 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.19.1 // indirect
@@ -188,10 +197,12 @@ require (
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/sigstore/fulcio v1.4.5 // indirect
 	github.com/sigstore/rekor v1.3.6 // indirect
 	github.com/sigstore/timestamp-authority v1.2.2 // indirect
+	github.com/skeema/knownhosts v1.2.2 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
@@ -210,6 +221,7 @@ require (
 	github.com/transparency-dev/merkle v0.0.2 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
 	github.com/xanzy/go-gitlab v0.102.0 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
@@ -241,6 +253,7 @@ require (
 	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
 	k8s.io/api v0.28.3 // indirect
 	k8s.io/apimachinery v0.28.3 // indirect
 	k8s.io/client-go v0.28.3 // indirect