adding scopedenforcementactions

Signed-off-by: Jaydip Gabani <[email protected]>

go.mod

@@ -2,6 +2,8 @@ module github.com/open-policy-agent/gatekeeper/v3
 
 go 1.21
 
+replace github.com/open-policy-agent/frameworks/constraint => /mount/d/go/src/github.com/open-policy-agent/frameworks/constraint
+
 require (
 	cloud.google.com/go/trace v1.10.6
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.44.0

go.sum

@@ -287,8 +287,6 @@ github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo=
 github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0=
 github.com/open-policy-agent/cert-controller v0.10.1 h1:RXSYoyn8FdCenWecRP//UV5nbVfmstNpj4kHQFkvPK4=
 github.com/open-policy-agent/cert-controller v0.10.1/go.mod h1:4uRbBLY5DsPOog+a9pqk3JLxuuhrWsbUedQW65HcLTI=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20240320172527-359cf1b785c9 h1:pCYBnD9sTC1c6S/NdghkKnWYNOP+Q4ZxEZwxI9tTqvQ=
-github.com/open-policy-agent/frameworks/constraint v0.0.0-20240320172527-359cf1b785c9/go.mod h1:+DLsOmKpO561Scs6UKt4+Oxutbi0csbJWJe756NI5yU=
 github.com/open-policy-agent/opa v0.62.1 h1:UcxBQ0fe6NEjkYc775j4PWoUFFhx4f6yXKIKSTAuTVk=
 github.com/open-policy-agent/opa v0.62.1/go.mod h1:YqiSIIuvKwyomtnnXkJvy0E3KtVKbavjPJ/hNMuOmeM=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=

pkg/audit/manager.go

@@ -607,7 +607,7 @@ func (am *Manager) auditFromCache(ctx context.Context) ([]Result, []error) {
 			Object:    obj,
 			Namespace: ns,
 		}
-		resp, err := am.opa.Review(ctx, au, drivers.Stats(*logStatsAudit))
+		resp, err := am.opa.Review(ctx, au, util.AuditEnforcementPoint, drivers.Stats(*logStatsAudit))
 		if err != nil {
 			am.log.Error(err, fmt.Sprintf("Unable to review object from audit cache %v %s/%s", obj.GroupVersionKind().String(), obj.GetNamespace(), obj.GetName()))
 			continue
@@ -697,7 +697,7 @@ func (am *Manager) reviewObjects(ctx context.Context, kind string, folderCount i
 				Source:    mutationtypes.SourceTypeOriginal,
 			}
 
-			resp, err := am.opa.Review(ctx, augmentedObj, drivers.Stats(*logStatsAudit))
+			resp, err := am.opa.Review(ctx, augmentedObj, util.AuditEnforcementPoint, drivers.Stats(*logStatsAudit))
 			if err != nil {
 				am.log.Error(err, "Unable to review object from file", "fileName", fileName, "objNs", objNs)
 				continue
@@ -721,7 +721,7 @@ func (am *Manager) reviewObjects(ctx context.Context, kind string, folderCount i
 					Namespace: ns,
 					Source:    mutationtypes.SourceTypeGenerated,
 				}
-				resultantResp, err := am.opa.Review(ctx, au, drivers.Stats(*logStatsAudit))
+				resultantResp, err := am.opa.Review(ctx, au, util.AuditEnforcementPoint, drivers.Stats(*logStatsAudit))
 				if err != nil {
 					am.log.Error(err, "Unable to review expanded object", "objName", (*resultant.Obj).GetName(), "objNs", ns)
 					continue

pkg/controller/constrainttemplate/constrainttemplate_controller_test.go

@@ -461,7 +461,7 @@ func TestReconcile(t *testing.T) {
 			Name:      "FooNamespace",
 			Object:    runtime.RawExtension{Object: ns},
 		}
-		resp, err := cfClient.Review(ctx, req)
+		resp, err := cfClient.Review(ctx, req, util.AuditEnforcementPoint)
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -655,7 +655,7 @@ func TestReconcile(t *testing.T) {
 			Name:      "FooNamespace",
 			Object:    runtime.RawExtension{Object: ns},
 		}
-		resp, err := cfClient.Review(ctx, req)
+		resp, err := cfClient.Review(ctx, req, util.AuditEnforcementPoint)
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -676,7 +676,7 @@ func TestReconcile(t *testing.T) {
 		err = retry.OnError(testutils.ConstantRetry, func(err error) bool {
 			return true
 		}, func() error {
-			resp, err := cfClient.Review(ctx, req)
+			resp, err := cfClient.Review(ctx, req, util.AuditEnforcementPoint)
 			if err != nil {
 				return err
 			}

pkg/gator/client.go

@@ -29,5 +29,5 @@ type Client interface {
 	RemoveData(ctx context.Context, data interface{}) (*types.Responses, error)
 
 	// Review runs all Constraints against obj.
-	Review(ctx context.Context, obj interface{}, opts ...drivers.QueryOpt) (*types.Responses, error)
+	Review(ctx context.Context, obj interface{}, sourceEP string, opts ...drivers.QueryOpt) (*types.Responses, error)
 }

pkg/gator/test/test.go

@@ -113,7 +113,7 @@ func Test(objs []*unstructured.Unstructured, tOpts Opts) (*GatorResponses, error
 			Source:    mutationtypes.SourceTypeOriginal,
 		}
 
-		review, err := client.Review(ctx, au)
+		review, err := client.Review(ctx, au, "gator.gatekeeper.sh")
 		if err != nil {
 			return nil, fmt.Errorf("reviewing %v %s/%s: %w",
 				obj.GroupVersionKind(), obj.GetNamespace(), obj.GetName(), err)
@@ -130,7 +130,7 @@ func Test(objs []*unstructured.Unstructured, tOpts Opts) (*GatorResponses, error
 				Namespace: ns,
 				Source:    mutationtypes.SourceTypeGenerated,
 			}
-			resultantReview, err := client.Review(ctx, au)
+			resultantReview, err := client.Review(ctx, au, "gator.gatekeeper.sh")
 			if err != nil {
 				return nil, fmt.Errorf("reviewing expanded resource %v %s/%s: %w",
 					resultant.Obj.GroupVersionKind(), resultant.Obj.GetNamespace(), resultant.Obj.GetName(), err)

pkg/gator/verify/runner.go

@@ -326,7 +326,7 @@ func (r *Runner) runReview(ctx context.Context, newClient func() (gator.Client,
 		Object: *toReview,
 		Source: mutationtypes.SourceTypeOriginal,
 	}
-	return c.Review(ctx, au)
+	return c.Review(ctx, au, util.GatorEnforcementPoint)
 }
 
 func (r *Runner) validateAndReviewAdmissionReviewRequest(ctx context.Context, c gator.Client, toReview *unstructured.Unstructured) (*types.Responses, error) {
@@ -369,7 +369,7 @@ func (r *Runner) validateAndReviewAdmissionReviewRequest(ctx context.Context, c
 		Source:           mutationtypes.SourceTypeOriginal,
 	}
 
-	return c.Review(ctx, arr)
+	return c.Review(ctx, arr, util.GatorEnforcementPoint)
 }
 
 func (r *Runner) addInventory(ctx context.Context, c gator.Client, suiteDir, inventoryPath string) error {

pkg/target/target_integration_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/open-policy-agent/frameworks/constraint/pkg/client/drivers/rego"
 	"github.com/open-policy-agent/frameworks/constraint/pkg/core/templates"
 	api "github.com/open-policy-agent/gatekeeper/v3/apis"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/util"
 	admissionv1 "k8s.io/api/admission/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -468,7 +469,7 @@ func TestConstraintEnforcement(t *testing.T) {
 			}
 
 			fullReq := &AugmentedReview{Namespace: tc.ns, AdmissionRequest: req}
-			res, err := c.Review(ctx, fullReq, drivers.Tracing(true))
+			res, err := c.Review(ctx, fullReq, util.AuditEnforcementPoint, drivers.Tracing(true))
 			if err != nil {
 				t.Errorf("Error reviewing request: %s", err)
 			}
@@ -497,7 +498,7 @@ func TestConstraintEnforcement(t *testing.T) {
 			}
 
 			fullReq2 := &AugmentedReview{Namespace: tc.ns, AdmissionRequest: req2}
-			res2, err := c.Review(ctx, fullReq2, drivers.Tracing(true))
+			res2, err := c.Review(ctx, fullReq2, util.AuditEnforcementPoint, drivers.Tracing(true))
 			if err != nil {
 				t.Errorf("Error reviewing OldObject request: %s", err)
 			}
@@ -510,7 +511,7 @@ func TestConstraintEnforcement(t *testing.T) {
 			}
 
 			fullReq3 := &AugmentedUnstructured{Namespace: tc.ns, Object: *tc.obj}
-			res3, err := c.Review(ctx, fullReq3, drivers.Tracing(true))
+			res3, err := c.Review(ctx, fullReq3, util.AuditEnforcementPoint, drivers.Tracing(true))
 			if err != nil {
 				t.Errorf("Error reviewing AugmentedUnstructured request: %s", err)
 			}

pkg/util/enforcement_action.go

@@ -1,6 +1,7 @@
 package util
 
 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 
@@ -10,18 +11,41 @@ import (
 // EnforcementAction is the response we take to violations.
 type EnforcementAction string
 
+type ScopedEnforcementAction struct {
+	Action            string             `json:"action"`
+	EnforcementPoints []EnforcementPoint `json:"enforcementPoints"`
+}
+
+type EnforcementPoint struct {
+	Name string `json:"name"`
+}
+
 // The set of possible responses to policy violations.
 const (
 	Deny         EnforcementAction = "deny"
 	Dryrun       EnforcementAction = "dryrun"
 	Warn         EnforcementAction = "warn"
+	Scoped       EnforcementAction = "scoped"
 	Unrecognized EnforcementAction = "unrecognized"
 )
 
-var supportedEnforcementActions = []EnforcementAction{Deny, Dryrun, Warn}
+const (
+	// WebhookEnforcementPoint is the enforcement point for admission.
+	WebhookEnforcementPoint = "admission.k8s.io"
+
+	// AuditEnforcementPoint is the enforcement point for audit.
+	AuditEnforcementPoint = "audit.gatekeeper.sh"
+
+	// GatorEnforcementPoint is the enforcement point for gator cli.
+	GatorEnforcementPoint = "gator.gatekeeper.sh"
+)
+
+var supportedEnforcementActions = []EnforcementAction{Deny, Dryrun, Warn, Scoped}
+
+var supportedScopedActions = []EnforcementAction{Deny, Dryrun, Warn}
 
 // KnownEnforcementActions are all defined EnforcementActions.
-var KnownEnforcementActions = []EnforcementAction{Deny, Dryrun, Warn, Unrecognized}
+var KnownEnforcementActions = []EnforcementAction{Deny, Dryrun, Warn, Scoped, Unrecognized}
 
 // ErrEnforcementAction indicates the passed EnforcementAction is not valid.
 var ErrEnforcementAction = errors.New("unrecognized enforcementAction")
@@ -30,14 +54,69 @@ var ErrEnforcementAction = errors.New("unrecognized enforcementAction")
 // spec.enforcementAction field as it was not a string.
 var ErrInvalidSpecEnforcementAction = errors.New("spec.enforcementAction must be a string")
 
-func ValidateEnforcementAction(input EnforcementAction) error {
-	for _, n := range supportedEnforcementActions {
-		if input == n {
-			return nil
+var ErrInvalidSpecScopedEnforcementAction = errors.New("spec.scopedEnforcementAction must be in the format of []{action: string, enforcementPoints: []{name: string}}")
+
+func ValidateEnforcementAction(input EnforcementAction, item map[string]interface{}) error {
+	switch input {
+	case Scoped:
+		return ValidateScopedEnforcementAction(item)
+	case Dryrun, Deny, Warn:
+		return nil
+	default:
+		return fmt.Errorf("%w: %q is not within the supported list %v",
+			ErrEnforcementAction, input, supportedEnforcementActions)
+	}
+}
+
+func ValidateScopedEnforcementAction(item map[string]interface{}) error {
+	obj, err := GetScopedEnforcementAction(item)
+	if err != nil {
+		return fmt.Errorf("error fetching scopedEnforcementActions: %w", err)
+	}
+
+	// validating scopedEnforcementActions
+	for _, scopedEnforcementAction := range *obj {
+		if scopedEnforcementAction.Action == "" {
+			return ErrInvalidSpecEnforcementAction
+		}
+		switch EnforcementAction(scopedEnforcementAction.Action) {
+		case Dryrun, Deny, Warn:
+		default:
+			return fmt.Errorf("%w: %q is not within the supported list %v", ErrEnforcementAction, scopedEnforcementAction.Action, supportedScopedActions)
+		}
+		if len(scopedEnforcementAction.EnforcementPoints) == 0 {
+			return ErrInvalidSpecEnforcementAction
+		}
+		for _, enforcementPoint := range scopedEnforcementAction.EnforcementPoints {
+			if enforcementPoint.Name == "" {
+				return ErrInvalidSpecEnforcementAction
+			}
 		}
 	}
-	return fmt.Errorf("%w: %q is not within the supported list %v",
-		ErrEnforcementAction, input, supportedEnforcementActions)
+	return nil
+}
+
+func GetScopedEnforcementAction(item map[string]interface{}) (*[]ScopedEnforcementAction, error) {
+	scopedEnforcementActions, found, err := unstructured.NestedFieldNoCopy(item, "spec", "scopedEnforcementActions")
+	if err != nil {
+		return nil, fmt.Errorf("error fetching scopedEnforcementActions: %w", err)
+	}
+	if !found {
+		return nil, fmt.Errorf("scopedEnforcementActions is required")
+	}
+	return convertToScopedEnforcementActions(scopedEnforcementActions)
+}
+
+func convertToScopedEnforcementActions(object interface{}) (*[]ScopedEnforcementAction, error) {
+	j, err := json.Marshal(object)
+	if err != nil {
+		return nil, fmt.Errorf("could not convert unknown object to JSON: %w", err)
+	}
+	obj := []ScopedEnforcementAction{}
+	if err := json.Unmarshal(j, &obj); err != nil {
+		return nil, fmt.Errorf("Could not convert JSON to scopedEnforcementActions: %w", err)
+	}
+	return &obj, nil
 }
 
 func GetEnforcementAction(item map[string]interface{}) (EnforcementAction, error) {
@@ -50,10 +129,33 @@ func GetEnforcementAction(item map[string]interface{}) (EnforcementAction, error
 	if enforcementAction == "" {
 		enforcementAction = Deny
 	}
-	// validating enforcement action - if it is not deny or dryrun, we are classifying as unrecognized
-	if err := ValidateEnforcementAction(enforcementAction); err != nil {
+	// validating enforcement action - if it is not deny or dryrun or scoped, we are classifying as unrecognized
+	if err := ValidateEnforcementAction(enforcementAction, item); err != nil {
 		enforcementAction = Unrecognized
 	}
 
 	return enforcementAction, nil
 }
+
+func (h *ScopedEnforcementAction) ScopedActionForEP(enforcementPoint string, u *unstructured.Unstructured) ([]string, error) {
+	scopedEnforcementActions, err := GetScopedEnforcementAction(u.Object)
+	if err != nil {
+		return nil, err
+	}
+	enforcementActions := []string{}
+	for _, scopedEnforcementAction := range *scopedEnforcementActions {
+		if enforcementPointEnabled(scopedEnforcementAction, enforcementPoint) {
+			enforcementActions = append(enforcementActions, scopedEnforcementAction.Action)
+		}
+	}
+	return enforcementActions, nil
+}
+
+func enforcementPointEnabled(scopedEnforcementAction ScopedEnforcementAction, enforcementPoint string) bool {
+	for _, ep := range scopedEnforcementAction.EnforcementPoints {
+		if ep.Name == enforcementPoint || ep.Name == "*" {
+			return true
+		}
+	}
+	return false
+}

pkg/util/enforcement_action_test.go

@@ -7,21 +7,61 @@ import (
 
 func TestValidateEnforcementAction(t *testing.T) {
 	testCases := []struct {
-		name    string
-		action  EnforcementAction
-		wantErr error
+		name       string
+		action     EnforcementAction
+		wantErr    error
+		constraint map[string]interface{}
 	}{
 		{
-			name:    "empty string",
-			action:  "",
-			wantErr: ErrEnforcementAction,
+			name:       "empty string",
+			action:     "",
+			wantErr:    ErrEnforcementAction,
+			constraint: nil,
+		},
+		{
+			action:     "notsupported",
+			wantErr:    ErrEnforcementAction,
+			constraint: nil,
 		},
 		{
-			action:  "notsupported",
-			wantErr: ErrEnforcementAction,
+			action:     Dryrun,
+			constraint: nil,
 		},
 		{
-			action: Dryrun,
+			action: Scoped,
+			constraint: map[string]interface{}{
+				"spec": map[string]interface{}{
+					"scopedEnforcementActions": []ScopedEnforcementAction{
+						{
+							Action: "deny",
+							EnforcementPoints: []EnforcementPoint{
+								{
+									Name: "audit",
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name:   "invalid scopedEnforcementActions",
+			action: Scoped,
+			constraint: map[string]interface{}{
+				"spec": map[string]interface{}{
+					"scopedEnforcementActions": []map[string]interface{}{
+						{
+							"action": "deny",
+							"enforcementPoints": []map[string]string{
+								{
+									"test": "audit",
+								},
+							},
+						},
+					},
+				},
+			},
+			wantErr: ErrInvalidSpecEnforcementAction,
 		},
 	}
 
@@ -30,7 +70,7 @@ func TestValidateEnforcementAction(t *testing.T) {
 			tc.name = string(tc.action)
 		}
 		t.Run(tc.name, func(t *testing.T) {
-			err := ValidateEnforcementAction(tc.action)
+			err := ValidateEnforcementAction(tc.action, tc.constraint)
 			if !errors.Is(err, tc.wantErr) {
 				t.Errorf("got ValidateEnforcementAction(%q) == %v, want %v",
 					tc.action, err, tc.wantErr)