Poc target resources (#134)

* Use target list to check project execution condition * add ignore resource support * add log on error * rename functions * Revert changes to CFs * Add tests and fix match of *
GoogleCloudPlatform · Dec 12, 2019 · cbe157b · cbe157b
1 parent cd71b6a
commit cbe157b
Show file tree

Hide file tree

Showing 3 changed files with 96 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -10,4 +10,4 @@ deploy
 .history
 .vscode
 .idea
-settings.json
+settings.json
diff --git a/services/resource.go b/services/resource.go
@@ -317,3 +317,54 @@ func (r *Resource) IfProjectInOrg(ctx context.Context, orgID, projectID string,
 	}
 	return nil
 }
+
+func (r *Resource) getProjectAncestryPath(ctx context.Context, projectID string) (string, error) {
+	resp, err := r.crm.GetAncestry(ctx, projectID)
+	if err != nil {
+		return "", err
+	}
+	s := []string{}
+	for i := len(resp.Ancestor) - 1; i >= 0; i-- {
+		s = append(s, resp.Ancestor[i].ResourceId.Type+"s/"+resp.Ancestor[i].ResourceId.Id)
+	}
+	return strings.Join(s, "/"), nil
+}
+
+func (r *Resource) ancestryMatches(patterns []string, ancestorPath string) (bool, error) {
+	for _, pattern := range patterns {
+		if pattern == "" {
+			continue
+		}
+		match, err := regexp.MatchString("^"+strings.Replace(pattern, "*", ".*", -1), ancestorPath)
+		if err != nil {
+			return false, errors.Wrapf(err, "failed to parse: %s", pattern)
+		}
+		if match {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+// CheckMatches checks if a project is included in the target and not included in ignore
+func (r *Resource) CheckMatches(ctx context.Context, project string, target, ignore []string) (bool, error) {
+	ancestorPath, err := r.getProjectAncestryPath(ctx, project)
+	if err != nil {
+		return false, errors.Wrap(err, "failed to get project ancestry path")
+	}
+	matchesIgnore, err := r.ancestryMatches(ignore, ancestorPath)
+	if err != nil {
+		return false, errors.Wrap(err, "failed to process ignore list")
+	}
+	if matchesIgnore {
+		return false, nil
+	}
+	matchesTarget, err := r.ancestryMatches(target, ancestorPath)
+	if err != nil {
+		return false, errors.Wrap(err, "failed to process target list")
+	}
+	if matchesTarget {
+		return true, nil
+	}
+	return false, nil
+}
diff --git a/services/resource_test.go b/services/resource_test.go
@@ -289,3 +289,47 @@ func setupResourceManager(auditConfig *crm.AuditConfig) *stubs.ResourceManagerSt
 	}
 	return &stubs.ResourceManagerStub{GetPolicyResponse: &crm.Policy{}}
 }
+
+func TestCheckMatches(t *testing.T) {
+	crmStub := &stubs.ResourceManagerStub{}
+	storageStub := &stubs.StorageStub{}
+	r := NewResource(crmStub, storageStub)
+	ctx := context.Background()
+	const projectID = "test-project"
+	ancestryResponse := CreateAncestors([]string{"project/" + projectID, "folder/123", "organization/456"})
+	tests := []struct {
+		name      string
+		target    string
+		ignore    string
+		mustMatch bool
+	}{
+		{name: "org in target and not in ignore", mustMatch: true, target: "organizations/456/*", ignore: "organizations/888/*"},
+		{name: "org in target and in ignore", mustMatch: false, target: "organizations/456/*", ignore: "organizations/456/*"},
+		{name: "org not in target and in ignore", mustMatch: false, target: "organizations/888/*", ignore: "organizations/456/*"},
+		{name: "folder in target and not in ignore", mustMatch: true, target: "organizations/456/folders/123/*", ignore: "organizations/456/folders/12/*"},
+		{name: "folder in target and in ignore", mustMatch: false, target: "organizations/456/folders/123/*", ignore: "organizations/456/folders/123/*"},
+		{name: "folder not in target and in ignore", mustMatch: false, target: "organizations/456/folders/12/*", ignore: "organizations/456/folders/123/*"},
+		{name: "project in target and not in ignore", mustMatch: true, target: "organizations/456/folders/123/projects/" + projectID, ignore: "organizations/456/folders/123/projects/other-project"},
+		{name: "project in target and in ignore", mustMatch: false, target: "organizations/456/folders/123/projects/" + projectID, ignore: "organizations/456/folders/123/projects/" + projectID},
+		{name: "project not in target and in ignore", mustMatch: false, target: "organizations/456/folders/123/projects/yet-other-project", ignore: "organizations/456/folders/123/projects/" + projectID},
+		{name: "org not in target and not in ignore", mustMatch: false, target: "", ignore: ""},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			crmStub.GetAncestryResponse = ancestryResponse
+			matches := false
+			var err error
+			if matches, err = r.CheckMatches(ctx, projectID, []string{tt.target}, []string{tt.ignore}); err != nil {
+				t.Errorf("%s failed, err: %+v", tt.name, err)
+			}
+			if !tt.mustMatch && matches {
+				t.Errorf("%s failed: it should not matches function but function was matches", tt.name)
+			}
+			if tt.mustMatch && !matches {
+				t.Errorf("%s failed: it should execute function but function was not matches", tt.name)
+			}
+		})
+	}
+
+}