spacelift-policy 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 2e03df63a02ecd9be71ce542073170a680ca8700a2d83b6ecb377918a7477c6b
+  data.tar.gz: d98721507e5b61471d68ddacf87f381279e92156ebba8f1604ab8c4923fdfa70
+SHA512:
+  metadata.gz: 78fbe029ec9c679ad3a4451897c2eb5030e391699bee1d7026fdab0c9d1315736067a52f392e1fed821d3c83a7aef697987eed61a9cf85562a7efdcb1da62520
+  data.tar.gz: 0cc1dd62ce8281c9fc22692a179665ff07669446edf73066cf06870b59b8487cafb413745b998ceb643638fa5b49d523eb125f3ae2e8121ec641ef10fecf3f38

data/.gitignore

@@ -0,0 +1,13 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status
+Gemfile.lock
+*.gem

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/Gemfile

@@ -0,0 +1,7 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in spacelift-policy.gemspec
+gemspec
+
+gem "rake", "~> 12.0"
+gem "rspec", "~> 3.0"

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Spacelift
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,40 @@
+# Spacelift::Policy
+
+Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/spacelift/policy`. To experiment with that code, run `bin/console` for an interactive prompt.
+
+TODO: Delete this and the text above, and describe your gem
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'spacelift-policy'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install spacelift-policy
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/spacelift-policy.
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/spacelift-policy

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require_relative '../lib/spacelift-policy'
+
+exit(1) unless Spacelift::Policy::CLI.run

data/lib/spacelift-policy.rb

@@ -0,0 +1,6 @@
+require_relative 'spacelift/policy/cli'
+require_relative 'spacelift/policy/error'
+require_relative 'spacelift/policy/policy'
+require_relative 'spacelift/policy/rule'
+require_relative 'spacelift/policy/version'
+require_relative 'spacelift/policy/violation'

data/lib/spacelift/policy/cli.rb

@@ -0,0 +1,70 @@
+require 'optparse'
+
+module Spacelift
+  module Policy
+    # CLI implements the logic required to configure, run and report  policy
+    # checks.
+    class CLI
+      attr_reader :json, :policies
+
+      DEFAULT_PLAN = 'spacelift.plan.json'.freeze
+      DEFAULT_POLICIES = '/spacelift/project/**/*.policy.rb'.freeze
+
+      def self.run(argv: ARGV)
+        new.parse(argv).run
+      end
+
+      def initialize
+        @json = DEFAULT_PLAN
+        @policies = DEFAULT_POLICIES
+      end
+
+      # This method reeks of :reek:NestedIterators and :reek:TooManyStatements
+      # rubocop:disable Metrics/LineLength, Metrics/MethodLength
+      def parse(options)
+        parser = OptionParser.new do |opts|
+          opts.banner = 'Usage: spacelift-policy [options]'
+
+          opts.on('-jJSON', '--json=JSON', 'Path to the Terraform JSON plan') do |json|
+            @json = json.freeze
+          end
+
+          opts.on('-pPOLICIES', '--policies=POLICIES', 'Glob expression capturing policy files') do |policies|
+            @policies = policies.freeze
+          end
+
+          opts.on('-h', '--help', 'Prints this help') do
+            puts opts
+            exit
+          end
+        end
+        parser.parse!(options)
+        self
+      end
+      # rubocop:enable Metrics/LineLength, Metrics/MethodLength
+
+      # This method reeks of :reek:TooManyStatements.
+      def run
+        # List and validate policy paths.
+        paths = Dir.glob(@policies)
+        raise Error, "no policy files matched by #{@policies}" if paths.empty?
+
+        # Validate state file path.
+        raise Error, "state file '#{json}' not present" unless File.file?(@json)
+
+        # Load policy files.
+        paths.each { |path| load path }
+
+        # Apply rules against the plan JSON file.
+        violations = Spacelift::Policy.enforce(File.read(@json))
+
+        # Print out violations, if any.
+        violations.each { |violation| warn violation.to_s }
+
+        # In the end, report if there were any violations. Based on that the
+        # caller will be able to decide whether ther run was successful or not.
+        violations.empty?
+      end
+    end
+  end
+end

data/lib/spacelift/policy/error.rb

@@ -0,0 +1,6 @@
+module Spacelift
+  module Policy
+    # Error is a simple class for declaring policy errors.
+    class Error < StandardError; end
+  end
+end

data/lib/spacelift/policy/policy.rb

@@ -0,0 +1,56 @@
+require 'json'
+require 'ostruct'
+require 'singleton'
+
+module Spacelift
+  # Policy is the module that hosts all the other resources in this library,
+  # and provides helper methods to deal with the Collection singleton.
+  module Policy
+    module_function
+
+    def define
+      yield Collection.instance
+    end
+
+    def enforce(source)
+      input = JSON.parse(source, object_class: OpenStruct)
+
+      changes = input.resource_changes
+      changes ? Collection.instance.process(changes) : []
+    end
+
+    # Collection is a singleton instance combining multiple rules. It's defined
+    # this way to allow pulling policy from multiple files in no particular
+    # order.
+    class Collection
+      include Singleton
+
+      def initialize
+        @rules = []
+        @violations = []
+      end
+
+      def ensure(name, &block)
+        raise Error, "definition not provided for rule '#{name}'" unless block
+
+        @rules << Rule.new(name, &block)
+      end
+
+      def process(resources)
+        raise Error, 'no rules defined' if @rules.empty?
+
+        resources.each { |resource| process_resource(resource) }
+        @violations
+      end
+
+      private
+
+      def process_resource(resource)
+        @rules.each do |rule|
+          ok, violation = rule.process(resource)
+          @violations << violation unless ok
+        end
+      end
+    end
+  end
+end

data/lib/spacelift/policy/rule.rb

@@ -0,0 +1,69 @@
+require 'colorize'
+require 'set'
+
+module Spacelift
+  module Policy
+    # Rule represents a single rule applied to all resources.
+    class Rule
+      attr_reader :name
+
+      def initialize(name)
+        @name = name
+        @matchers = []
+        @check = nil
+        yield self
+        freeze
+        validate
+      end
+
+      def process(resource)
+        return [true, nil] if ok?(resource)
+
+        [false, Violation.new(address: resource.address, rule: name)]
+      end
+
+      def then(&block)
+        raise Error, "check already defined on rule '#{name}'" if check
+
+        self.check = block
+      end
+
+      def when(&block)
+        matchers << block
+        self
+      end
+
+      def when_action_is(*actions)
+        required = Set.new(actions)
+
+        self.when do |resource|
+          Set.new(resource.change.actions).intersect?(required)
+        end
+      end
+
+      def when_managed
+        self.when { |resource| resource.mode == 'managed' }
+      end
+
+      def when_type_is(*types)
+        self.when { |resource| types.include?(resource.type) }
+      end
+
+      private
+
+      attr_accessor :matchers, :check
+
+      def ok?(resource)
+        return true unless matchers.all? { |matcher| matcher.call(resource) }
+
+        change = resource.change
+        check.call(change.before, change.after)
+      end
+
+      def validate
+        raise Error, "no matchers defined on rule '#{name}'" if matchers.empty?
+        raise Error, "no check defined on rule '#{name}'" unless check
+      end
+    end
+  end
+end

data/lib/spacelift/policy/version.rb

@@ -0,0 +1,5 @@
+module Spacelift
+  module Policy
+    VERSION = '0.1.0'.freeze
+  end
+end

data/lib/spacelift/policy/violation.rb

@@ -0,0 +1,19 @@
+require 'colorize'
+
+module Spacelift
+  module Policy
+    # Violation encapsulates a resource's violation of a single Rule.
+    class Violation
+      attr_reader :address, :rule
+
+      def initialize(address:, rule:)
+        @address = address
+        @rule = rule
+      end
+
+      def to_s
+        [address.red.bold, 'failed rule', rule.cyan.bold].join(' ')
+      end
+    end
+  end
+end

data/spacelift-policy.gemspec

@@ -0,0 +1,32 @@
+require_relative 'lib/spacelift/policy/version'
+
+# rubocop:disable Metrics/LineLength
+Gem::Specification.new do |spec|
+  spec.name          = 'spacelift-policy'
+  spec.version       = Spacelift::Policy::VERSION
+  spec.authors       = ['Marcin Wyszynski']
+  spec.email         = ['marcinw@spacelift.io']
+
+  spec.summary       = 'Ruby microframework for defining rich policy-as-code for Terraform'
+  spec.description   = <<-SUMMARY
+  SUMMARY
+  spec.homepage      = 'https://github.com/spacelift-io/policy'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.3.0')
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/spacelift-io/policy'
+  spec.metadata['changelog_uri'] = 'https://github.com/spacelift-io/policy'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'colorize', '~> 0.8'
+end
+# rubocop:enable Metrics/LineLength

metadata

@@ -0,0 +1,76 @@
+--- !ruby/object:Gem::Specification
+name: spacelift-policy
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Marcin Wyszynski
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-12-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: colorize
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+description: ''
+email:
+- marcinw@spacelift.io
+executables:
+- spacelift-policy
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/spacelift-policy
+- lib/spacelift-policy.rb
+- lib/spacelift/policy/cli.rb
+- lib/spacelift/policy/error.rb
+- lib/spacelift/policy/policy.rb
+- lib/spacelift/policy/rule.rb
+- lib/spacelift/policy/version.rb
+- lib/spacelift/policy/violation.rb
+- spacelift-policy.gemspec
+homepage: https://github.com/spacelift-io/policy
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/spacelift-io/policy
+  source_code_uri: https://github.com/spacelift-io/policy
+  changelog_uri: https://github.com/spacelift-io/policy
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.2
+signing_key: 
+specification_version: 4
+summary: Ruby microframework for defining rich policy-as-code for Terraform
+test_files: []