Paths

Table of Contentst

Differential D999

Allow for configuration policies
ClosedPublic
Actions

Authored by dduvall on Mar 7 2018, 4:43 AM.

Tags

Referenced Files

	Unknown Object (File)
	Sun, Mar 26, 10:47 AM

	Unknown Object (File)
	Sat, Mar 25, 10:21 AM

	Unknown Object (File)
	Fri, Mar 17, 4:50 PM

	Unknown Object (File)
	Thu, Mar 9, 7:55 PM

	Unknown Object (File)
	Sat, Mar 4, 7:33 PM

	Unknown Object (File)
	Sat, Mar 4, 11:28 AM

	Unknown Object (File)
	Wed, Mar 1, 3:59 PM

	Unknown Object (File)
	Mon, Feb 27, 11:41 AM

View All 22 Files

Subscribers

None

Details

Reviewers

thcipriani
demon
hashar
mmodell

Group Reviewers

Release-Engineering-Team

Commits

rGBLBReb9b69dd3d71: Allow for configuration policies

Patch without arc

git checkout -b D999 && curl -L https://phabricator.wikimedia.org/D999?download=true | git apply

Summary

Implements a rough interface for validating configuration against
arbitrary policy rules. Policies are provided as YAML and passed via the
command line as file paths or remote URIs.

The format of policies is:

enforcements:
  - path: <path>
    rule: <rule>

Where <path> is a YAML-ish path to a config field and <rule> is any
expression our config validator understands (expressions built in by the
validator library and custom tags defined in config.validation.go).

Example policy:

enforcements:
  - path: variants.production.base
    rule: oneof=debian:jessie debian:stretch
  - path: variants.production.runs.as
    rule: ne=foo
  - path: variants.production.node.dependencies
    rule: isfalse

Command flag parsing was implemented in main.go to support the new
--policy=uri flag and improve existing handling of --version and the
usage statement.

Test Plan

Run go test ./....

Diff Detail

Repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

dduvall created this revision.Mar 7 2018, 4:43 AM

Restricted Application added a reviewer: Release-Engineering-Team. · View Herald TranscriptMar 7 2018, 4:43 AM

Restricted Application added a project: Release-Engineering-Team. · View Herald Transcript

dduvall requested review of this revision.Mar 7 2018, 4:43 AM

Harbormaster completed remote builds in B2823: Diff 2621.Mar 7 2018, 4:44 AM

Removed unecessary vendor updates

Refactored policy format and implemented loading of policies from URIs.

Fixed linter warning

Harbormaster completed remote builds in B2833: Diff 2627.Mar 8 2018, 11:15 PM

Replaced use of flag with github.com/pborman/getopt/v2

dduvall added a child revision: D1003: Provide a `runs.insecurely` to be used with test variants.Mar 10 2018, 12:11 AM

Modified the Diff description to match the git commit because... arcanist.

Harbormaster completed remote builds in B2854: Diff 2646.Mar 19 2018, 8:41 PM

Seems to work well, code looks fine to me (My browser really hates this diff though :)).

I was initially surprised that this validated a variant I wasn't trying to build at the time. In retrospect, I think my expectations were wrong, but in an understandable way.

policy.example.yaml
6	FWIW, this policy doesn't work with blubber.example.yaml in the repo

This revision is now accepted and ready to land.Mar 19 2018, 10:47 PM

Closed by commit rGBLBReb9b69dd3d71: Allow for configuration policies (authored by dduvall). · Explain WhyMar 19 2018, 10:57 PM

This revision was automatically updated to reflect the committed changes.

dduvall mentioned this in T174631: Support for Blubber defaults and/or policies.Apr 2 2018, 3:53 PM

Revision Contents
Changeset List

Path

Size

18 lines

10 lines

config/

12 lines

141 lines

117 lines

31 lines

52 lines

policy.example.yaml

5 lines

vendor/

github.com/

pborman/

getopt/

1 line

CONTRIBUTING.md

10 lines

27 lines

226 lines

74 lines

106 lines

breakup_test.go

34 lines

81 lines

counter_test.go

91 lines

56 lines

duration_test.go

73 lines

73 lines

66 lines

93 lines

537 lines

67 lines

67 lines

84 lines

67 lines

84 lines

67 lines

84 lines

84 lines

69 lines

99 lines

193 lines

268 lines

110 lines

97 lines

53 lines

77 lines

67 lines

67 lines

84 lines

67 lines

84 lines

67 lines

84 lines

84 lines

111 lines

unsigned_test.go

97 lines

87 lines

v2/

36 lines

106 lines

breakup_test.go

34 lines

69 lines

counter_test.go

76 lines

28 lines

duration_test.go

73 lines

79 lines

79 lines

93 lines

237 lines

generic_test.go

319 lines

520 lines

160 lines

595 lines

32 lines

99 lines

193 lines

284 lines

110 lines

97 lines

27 lines

77 lines

111 lines

unsigned_test.go

97 lines

85 lines

100 lines

63 lines

utahta/

go-openuri/

54 lines

openuri_test.go

74 lines

gopkg.in/

go-playground/

validator.v9/

128 lines

214 lines

benchmarks_test.go

24 lines

27 lines

36 lines

6 lines

2 lines

35 lines

validator_instance.go

85 lines

validator_test.go

198 lines

Diff 2647

Gopkg.lock

Loading...

Gopkg.toml

Loading...

config/common.go

Loading...

config/policy.go

Loading...

config/policy_test.go

Loading...

config/validation.go

Loading...

main.go

Loading...

policy.example.yaml

Loading...

vendor/github.com/pborman/getopt/AUTHORS

Loading...

vendor/github.com/pborman/getopt/CONTRIBUTING.md

Loading...

vendor/github.com/pborman/getopt/LICENSE

Loading...

vendor/github.com/pborman/getopt/README.md

Loading...

vendor/github.com/pborman/getopt/bool.go

Loading...

vendor/github.com/pborman/getopt/bool_test.go

Loading...

vendor/github.com/pborman/getopt/breakup_test.go

Loading...

vendor/github.com/pborman/getopt/counter.go

Loading...

vendor/github.com/pborman/getopt/counter_test.go

Loading...

vendor/github.com/pborman/getopt/duration.go

Loading...

vendor/github.com/pborman/getopt/duration_test.go

Loading...

vendor/github.com/pborman/getopt/enum.go

Loading...

vendor/github.com/pborman/getopt/enum_test.go

Loading...

vendor/github.com/pborman/getopt/error.go

Loading...

vendor/github.com/pborman/getopt/getopt.go

Loading...

vendor/github.com/pborman/getopt/int.go

Loading...

vendor/github.com/pborman/getopt/int16.go

Loading...

vendor/github.com/pborman/getopt/int16_test.go

Loading...

vendor/github.com/pborman/getopt/int32.go

Loading...

vendor/github.com/pborman/getopt/int32_test.go

Loading...

vendor/github.com/pborman/getopt/int64.go

Loading...

vendor/github.com/pborman/getopt/int64_test.go

Loading...

vendor/github.com/pborman/getopt/int_test.go

Loading...

vendor/github.com/pborman/getopt/list.go

Loading...

vendor/github.com/pborman/getopt/list_test.go

Loading...

vendor/github.com/pborman/getopt/option.go

Loading...

vendor/github.com/pborman/getopt/set.go

Loading...

vendor/github.com/pborman/getopt/signed.go

Loading...

vendor/github.com/pborman/getopt/signed_test.go

Loading...

vendor/github.com/pborman/getopt/string.go

Loading...

vendor/github.com/pborman/getopt/string_test.go

Loading...

vendor/github.com/pborman/getopt/uint.go

Loading...

vendor/github.com/pborman/getopt/uint16.go

Loading...

vendor/github.com/pborman/getopt/uint16_test.go

Loading...

vendor/github.com/pborman/getopt/uint32.go

Loading...

vendor/github.com/pborman/getopt/uint32_test.go

Loading...

vendor/github.com/pborman/getopt/uint64.go

Loading...

vendor/github.com/pborman/getopt/uint64_test.go

Loading...

vendor/github.com/pborman/getopt/uint_test.go

Loading...

vendor/github.com/pborman/getopt/unsigned.go

Loading...

vendor/github.com/pborman/getopt/unsigned_test.go

Loading...

vendor/github.com/pborman/getopt/util_test.go

Loading...

vendor/github.com/pborman/getopt/v2/bool.go

Loading...

vendor/github.com/pborman/getopt/v2/bool_test.go

Loading...

vendor/github.com/pborman/getopt/v2/breakup_test.go

Loading...

vendor/github.com/pborman/getopt/v2/counter.go

Loading...

vendor/github.com/pborman/getopt/v2/counter_test.go

Loading...

vendor/github.com/pborman/getopt/v2/duration.go

Loading...

vendor/github.com/pborman/getopt/v2/duration_test.go

Loading...

vendor/github.com/pborman/getopt/v2/enum.go

Loading...

vendor/github.com/pborman/getopt/v2/enum_test.go

Loading...

vendor/github.com/pborman/getopt/v2/error.go

Loading...

vendor/github.com/pborman/getopt/v2/generic.go

Loading...

vendor/github.com/pborman/getopt/v2/generic_test.go

Loading...

vendor/github.com/pborman/getopt/v2/getopt.go

Loading...

vendor/github.com/pborman/getopt/v2/int.go

Loading...

vendor/github.com/pborman/getopt/v2/int_test.go

Loading...

vendor/github.com/pborman/getopt/v2/list.go

Loading...

vendor/github.com/pborman/getopt/v2/list_test.go

Loading...

vendor/github.com/pborman/getopt/v2/option.go

Loading...

vendor/github.com/pborman/getopt/v2/set.go

Loading...

vendor/github.com/pborman/getopt/v2/signed.go

Loading...

vendor/github.com/pborman/getopt/v2/signed_test.go

Loading...

vendor/github.com/pborman/getopt/v2/string.go

Loading...

vendor/github.com/pborman/getopt/v2/string_test.go

Loading...

vendor/github.com/pborman/getopt/v2/unsigned.go

Loading...

vendor/github.com/pborman/getopt/v2/unsigned_test.go

Loading...

vendor/github.com/pborman/getopt/v2/util_test.go

Loading...

vendor/github.com/pborman/getopt/v2/var.go

Loading...

vendor/github.com/pborman/getopt/var.go

Loading...

vendor/github.com/utahta/go-openuri/openuri.go

Loading...

vendor/github.com/utahta/go-openuri/openuri_test.go

Loading...

vendor/gopkg.in/go-playground/validator.v9/README.md

Loading...

vendor/gopkg.in/go-playground/validator.v9/baked_in.go

Loading...

vendor/gopkg.in/go-playground/validator.v9/benchmarks_test.go

Loading...

vendor/gopkg.in/go-playground/validator.v9/cache.go

Loading...

vendor/gopkg.in/go-playground/validator.v9/doc.go

Loading...

vendor/gopkg.in/go-playground/validator.v9/regexes.go

Loading...

vendor/gopkg.in/go-playground/validator.v9/util.go

Loading...

vendor/gopkg.in/go-playground/validator.v9/validator.go

Loading...

vendor/gopkg.in/go-playground/validator.v9/validator_instance.go

Loading...

vendor/gopkg.in/go-playground/validator.v9/validator_test.go

Loading...