Validate policies configuration file

flavio · flavio · commit eb024ab6c2b2 · 2024-07-10T18:47:14.000+02:00
* Be strict during deserialization: error when something unknown is found
* Validate policy names: ensure they do not contain the `/` symbol

Signed-off-by: Flavio Castelli &lt;fcastelli@suse.com&gt;
diff --git a/src/config.rs b/src/config.rs
@@ -25,9 +25,6 @@ lazy_static! {
         std::env::var("HOSTNAME").unwrap_or_else(|_| String::from("unknown"));
 }
 
-// TODO: be more strict when parsing the configuration file:
-// - error when unknown data is found
-// - validate the names of the policies and sub-policies: they cannot have `/` symbols
 pub struct Config {
     pub addr: SocketAddr,
     pub sources: Option<Sources>,
@@ -195,13 +192,43 @@ fn tls_files(matches: &clap::ArgMatches) -> Result<(String, String)> {
 
 fn policies(matches: &clap::ArgMatches) -> Result<HashMap<String, PolicyOrPolicyGroup>> {
     let policies_file = Path::new(matches.get_one::<String>("policies").unwrap());
-    read_policies_file(policies_file).map_err(|e| {
+    let policies = read_policies_file(policies_file).map_err(|e| {
         anyhow!(
             "error while loading policies from {:?}: {}",
             policies_file,
             e
         )
-    })
+    })?;
+
+    validate_policies(&policies)?;
+
+    Ok(policies)
+}
+
+// Validate the policies and policy groups:
+//  - ensure policy names do not contain a '/' character
+//  - ensure names of policy group members do not contain a '/' character
+fn validate_policies(policies: &HashMap<String, PolicyOrPolicyGroup>) -> Result<()> {
+    for (name, policy) in policies.iter() {
+        if name.contains('/') {
+            return Err(anyhow!("policy name '{}' contains a '/' character", name));
+        }
+        if let PolicyOrPolicyGroup::PolicyGroup { members, .. } = policy {
+            let members_with_invalid_name: Vec<String> = members
+                .iter()
+                .filter_map(|(id, _)| if id.contains('/') { Some(id) } else { None })
+                .cloned()
+                .collect();
+            if !members_with_invalid_name.is_empty() {
+                return Err(anyhow!(
+                    "policy group '{}' contains members with invalid names: {:?}",
+                    name,
+                    members_with_invalid_name
+                ));
+            }
+        }
+    }
+    Ok(())
 }
 
 fn verification_config(matches: &clap::ArgMatches) -> Result<Option<LatestVerificationConfig>> {
@@ -286,7 +313,7 @@ pub enum PolicyOrPolicyGroupSettings {
 
 /// `PolicyGroupMember` represents a single policy that is part of a policy group.
 #[derive(Deserialize, Debug, Clone)]
-#[serde(rename_all = "camelCase")]
+#[serde(deny_unknown_fields, rename_all = "camelCase")]
 pub struct PolicyGroupMember {
     /// Thge URL where the policy is located
     pub url: String,
@@ -306,7 +333,7 @@ impl PolicyGroupMember {
 
 /// Describes a policy that can be either an individual policy or a group policy.
 #[derive(Deserialize, Debug, Clone)]
-#[serde(untagged, rename_all = "camelCase")]
+#[serde(deny_unknown_fields, untagged, rename_all = "camelCase")]
 pub enum PolicyOrPolicyGroup {
     /// An individual policy
     Policy {
@@ -491,4 +518,60 @@ example:
             assert_eq!(provide_flag, config.metrics_enabled);
         }
     }
+
+    #[rstest]
+    #[case::all_good(
+        r#"
+---
+example:
+  url: file:///tmp/namespace-validate-policy.wasm
+  settings: {}
+group_policy:
+  expression: "true"
+  message: "group policy message"
+  members:
+    policy1:
+      url: file:///tmp/namespace-validate-policy.wasm
+      settings: {}
+    policy2:
+      url: file:///tmp/namespace-validate-policy.wasm
+      settings: {}
+"#,
+        true
+    )]
+    #[case::policy_with_invalid_name(
+        r#"
+---
+example/invalid:
+  url: file:///tmp/namespace-validate-policy.wasm
+  settings: {}
+"#,
+        false
+    )]
+    #[case::policy_group_member_with_invalid_name(
+        r#"
+---
+example:
+  url: file:///tmp/namespace-validate-policy.wasm
+  settings: {}
+group_policy:
+  expression: "true"
+  message: "group policy message"
+  members:
+    policy1/a:
+      url: file:///tmp/namespace-validate-policy.wasm
+      settings: {}
+    policy2:
+      url: file:///tmp/namespace-validate-policy.wasm
+      settings: {}
+"#,
+        false
+    )]
+    fn policy_validation(#[case] policies_yaml: &str, #[case] is_valid: bool) {
+        let policies: HashMap<String, PolicyOrPolicyGroup> =
+            serde_yaml::from_str(policies_yaml).unwrap();
+
+        let validation_result = validate_policies(&policies);
+        assert_eq!(is_valid, validation_result.is_ok());
+    }
 }
