feat: implement OPA bundle validator

Author: mxab

go.mod

@@ -54,13 +54,16 @@ require (
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/speakeasy v0.2.0 // indirect
+	github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/containerd/containerd/v2 v2.1.4 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v1.0.0-rc.1 // indirect
+	github.com/containerd/typeurl/v2 v2.2.3 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
@@ -70,6 +73,7 @@ require (
 	github.com/ebitengine/purego v0.8.4 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
@@ -145,6 +149,7 @@ require (
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/go-archive v0.1.0 // indirect
+	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/moby/sys/user v0.4.0 // indirect

go.sum

@@ -56,6 +56,8 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag=
 github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I=
+github.com/containerd/containerd/v2 v2.1.4 h1:/hXWjiSFd6ftrBOBGfAZ6T30LJcx1dBjdKEeI8xucKQ=
+github.com/containerd/containerd/v2 v2.1.4/go.mod h1:8C5QV9djwsYDNhxfTCFjWtTBZrqjditQ4/ghHSYjnHM=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
@@ -64,6 +66,8 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v1.0.0-rc.1 h1:83KIq4yy1erSRgOVHNk1HYdPvzdJ5CnsWaRoJX4C41E=
 github.com/containerd/platforms v1.0.0-rc.1/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
+github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
+github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
 github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
 github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
@@ -105,6 +109,8 @@ github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7Dlme
 github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
@@ -304,6 +310,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA=
 github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
@@ -350,6 +358,8 @@ github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3N
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
 github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo=
+github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
+github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
 github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=

pkg/admissionctrl/validator/opa_bundle_validator.go

@@ -0,0 +1,84 @@
+package validator
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/mxab/nacp/pkg/admissionctrl"
+	"github.com/mxab/nacp/pkg/admissionctrl/types"
+	"github.com/open-policy-agent/opa/v1/sdk"
+)
+
+type OpaBundleValidator struct {
+	name   string
+	path   string
+	logger *slog.Logger
+	opa    *sdk.OPA
+}
+
+var _ admissionctrl.JobValidator = (*OpaBundleValidator)(nil) // Verify that *T implements I.
+
+func NewOpaBundleValidator(name string, path string, logger *slog.Logger, sdk *sdk.OPA) (*OpaBundleValidator, error) {
+	return &OpaBundleValidator{
+		name:   name,
+		path:   path,
+		logger: logger,
+		opa:    sdk,
+	}, nil
+}
+
+func (v *OpaBundleValidator) Validate(ctx context.Context, payload *types.Payload) (warnings []error, err error) {
+
+	result, err := v.opa.Decision(ctx, sdk.DecisionOptions{
+		Input: payload,
+		Path:  v.path,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to perform policy decision: %w", err)
+	}
+
+	v.logger.DebugContext(ctx, "OPA decision", slog.Any("result", result))
+
+	if rmap, ok := result.Result.(map[string]interface{}); ok {
+		if errs, found := rmap["errors"]; found {
+			if errlist, ok := errs.([]interface{}); ok {
+
+				for _, e := range errlist {
+					if emsg, ok := e.(string); ok {
+						err = multierror.Append(err, errors.New(emsg))
+					} else {
+						err = multierror.Append(err, fmt.Errorf("policy yielded an invalid error value: %v", e))
+					}
+				}
+				if err != nil {
+					return
+				}
+			} else if errs != nil {
+				err = fmt.Errorf("policy yielded an invalid errors value: %v", errs)
+				return
+			}
+		}
+		if warns, found := rmap["warnings"]; found {
+			if warnlist, ok := warns.([]interface{}); ok {
+				for _, w := range warnlist {
+					if wmsg, ok := w.(string); ok {
+						warnings = append(warnings, errors.New(wmsg))
+					} else {
+						warnings = append(warnings, fmt.Errorf("policy yielded an invalid warning value: %v", w))
+					}
+				}
+			} else if warns != nil {
+				warnings = append(warnings, fmt.Errorf("policy yielded an invalid warnings value: %v", warns))
+			}
+		}
+	}
+
+	return
+}
+
+func (v *OpaBundleValidator) Name() string {
+	return v.name
+}

pkg/admissionctrl/validator/opa_bundle_validator_test.go

@@ -0,0 +1,172 @@
+package validator
+
+import (
+	"bytes"
+	"fmt"
+	"log/slog"
+	"testing"
+
+	"github.com/mxab/nacp/pkg/admissionctrl/types"
+	"github.com/mxab/nacp/testutil"
+	"github.com/open-policy-agent/opa/v1/logging"
+	"github.com/open-policy-agent/opa/v1/sdk"
+	sdktest "github.com/open-policy-agent/opa/v1/sdk/test"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestOpaBundleValidator(t *testing.T) {
+
+	// https://www.openpolicyagent.org/docs/integration#integrating-with-the-go-sdk
+
+	tt := []struct {
+		name           string
+		policy         string
+		path           string
+		expectErrParts []string
+		expectWarns    []string
+	}{
+		{
+			name:   "no issues",
+			policy: `package mypolicy`,
+			path:   "/mypolicy",
+		},
+		{
+			name: "error",
+			policy: `package mypolicy
+			errors = ["an error message"]`,
+			path:           "/mypolicy",
+			expectErrParts: []string{"an error message"},
+		},
+		{
+			name: "multiple errors",
+			policy: `package mypolicy
+			errors = ["an error message", "another error message"]`,
+			path:           "/mypolicy",
+			expectErrParts: []string{"an error message", "another error message"},
+		},
+		{
+			name: "warning",
+			policy: `package mypolicy
+			warnings = ["a warning message"]`,
+			path:        "/mypolicy",
+			expectWarns: []string{"a warning message"},
+		},
+		{
+			name: "handle invalid errors value",
+			policy: `package mypolicy
+			errors = 5`,
+			path:           "/mypolicy",
+			expectErrParts: []string{"policy yielded an invalid errors value"},
+		},
+		{
+			name: "handle invalid error value",
+			policy: `package mypolicy
+			errors = [5]`,
+			path:           "/mypolicy",
+			expectErrParts: []string{"policy yielded an invalid error value"},
+		},
+		{
+			name: "handle invalid warnings value",
+			policy: `package mypolicy
+			warnings = 5`,
+			path:        "/mypolicy",
+			expectWarns: []string{"policy yielded an invalid warnings value"},
+		},
+		{
+			name: "handle invalid warnings value",
+			policy: `package mypolicy
+			warnings = [5]`,
+			path:        "/mypolicy",
+			expectWarns: []string{"policy yielded an invalid warning value"},
+		},
+		{
+			name: "test invalid policy path",
+			policy: `package mypolicy
+			errors = ["an error message"]`,
+			path:           "/invalidpath",
+			expectErrParts: []string{"failed to perform policy decision"},
+		},
+	}
+
+	for _, tc := range tt {
+		t.Run(tc.name, func(t *testing.T) {
+			job := testutil.BaseJob()
+
+			opa := setupOpa(t, tc.policy)
+			validator, err := NewOpaBundleValidator("testopabundlevalidator", tc.path, slog.New(slog.DiscardHandler), opa)
+
+			require.NoError(t, err, "No error creating validator")
+
+			warnings, err := validator.Validate(t.Context(), &types.Payload{Job: job})
+
+			if len(tc.expectErrParts) > 0 {
+				for _, expectErrPart := range tc.expectErrParts {
+					assert.ErrorContains(t, err, expectErrPart, "Error from validator")
+				}
+			} else {
+				assert.NoError(t, err, "No error from validator")
+			}
+
+			// check warnings
+			require.Len(t, warnings, len(tc.expectWarns), "Number of warnings from validator")
+			for i, expectWarn := range tc.expectWarns {
+				assert.ErrorContains(t, warnings[i], expectWarn, "Warning from validator")
+			}
+
+		})
+	}
+}
+
+func setupOpa(t *testing.T, policy string) *sdk.OPA {
+	t.Helper()
+	ctx := t.Context()
+
+	// create a mock HTTP bundle server
+	server, err := sdktest.NewServer(sdktest.MockBundle("/bundles/bundle.tar.gz", map[string]string{
+		"example.rego": policy,
+	}))
+	require.NoError(t, err, "No error creating mock server")
+	t.Cleanup(server.Stop)
+
+	// provide the OPA configuration which specifies
+	// fetching policy bundles from the mock server
+	// and logging decisions locally to the console
+	config := []byte(fmt.Sprintf(`{
+		"services": {
+			"test": {
+				"url": %q
+			}
+		},
+		"bundles": {
+			"test": {
+				"resource": "/bundles/bundle.tar.gz"
+			}
+		},
+		"decision_logs": {
+			"console": true
+		}
+	}`, server.URL()))
+
+	// create an instance of the OPA object
+
+	opa, err := sdk.New(ctx, sdk.Options{
+		ID:     "opa-test-1",
+		Config: bytes.NewReader(config),
+		Logger: logging.New(),
+	})
+	require.NoError(t, err, "No error creating OPA instance")
+	t.Cleanup(func() {
+		opa.Stop(ctx)
+	})
+
+	return opa
+}
+func TestBundleValidatorName(t *testing.T) {
+	opa := setupOpa(t, "package mypolicy")
+	validator, err := NewOpaBundleValidator("testopabundlevalidator", "/mypolicy", slog.New(slog.DiscardHandler), opa)
+
+	require.NoError(t, err, "No error creating validator")
+
+	assert.Equal(t, "testopabundlevalidator", validator.Name(), "Validator name")
+}