Added conftest tests to resources (#149)

garethahealy · web-flow · commit ad093184a7e6 · 2020-07-28T09:42:19.000-04:00
* Added conftest tests to resources

* Added testing doc
diff --git a/.github/workflows/conftest.yaml b/.github/workflows/conftest.yaml
@@ -0,0 +1,15 @@
+name: Validate
+
+on: [push, pull_request]
+
+jobs:
+  conftest:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Conftest
+        uses: redhat-cop/github-actions/confbatstest@master
+        with:
+          tests: _test/conftest.sh
diff --git a/.gitignore b/.gitignore
@@ -113,4 +113,33 @@ dmypy.json
 
 # Ignore vscode meta
 *.code-workspace
-.vscode/
+.vscode/
+
+### JetBrains template
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff:
+.idea/
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/dictionaries
+
+# Sensitive or high-churn files:
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.xml
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+
+## File-based project format:
+*.iws
+*.iml
+
+# Rego
+policy/
+
+# BATS
+_test/test_helper/
diff --git a/_test/TESTING.md b/_test/TESTING.md
@@ -0,0 +1,59 @@
+# Testing
+The OCP resources should be tested via [conftest](https://github.com/open-policy-agent/conftest).
+The tests use [BATS](https://github.com/bats-core/bats-core) as a test framework.
+
+## Executing Locally
+```bash
+bats _test/conftest.sh
+```
+
+## Policies which already exist
+There are two policies repos which are currently pulled via the CI:
+- https://github.com/redhat-cop
+- https://github.com/swade1987
+
+Policies can also be local to this repo in the policy dir.
+
+## Including a new Policy
+Conftest activates policies via the `--namespace` flag.
+
+By default, we use a regex selector. In the example below, we only activate all the `deprecated` policies:
+```bash
+@test "charts/deploy" {
+  tmp=$(helm_template "charts/deploy")
+
+  namespaces=$(get_rego_namespaces "ocp\.deprecated\.*")
+  cmd="conftest test ${tmp} --output tap ${namespaces}"
+  run ${cmd}
+
+  print_info "${status}" "${output}" "${cmd}" "${tmp}"
+  [ "$status" -eq 0 ]
+}
+```
+
+As the selector is regex, we can use groups. In the example below, we only activate `deprecated` policies for `4.1` and `4.3`:
+```bash
+@test "charts/deploy" {
+  tmp=$(helm_template "charts/deploy")
+
+  namespaces=$(get_rego_namespaces "(ocp\.deprecated\.ocp4_1.*|ocp\.deprecated\.ocp4_3.*)")
+  cmd="conftest test ${tmp} --output tap ${namespaces}"
+  run ${cmd}
+
+  print_info "${status}" "${output}" "${cmd}" "${tmp}"
+  [ "$status" -eq 0 ]
+}
+```
+
+It is also possible to active all namespaces via:
+```bash
+@test "charts/deploy" {
+  tmp=$(helm_template "charts/deploy")
+
+  cmd="conftest test ${tmp} --output tap --all-namespaces"
+  run ${cmd}
+
+  print_info "${status}" "${output}" "${cmd}" "${tmp}"
+  [ "$status" -eq 0 ]
+}
+```
diff --git a/_test/bats-support-clone.bash b/_test/bats-support-clone.bash
@@ -0,0 +1,9 @@
+if [[ ! -d "_test/test_helper/bats-support" ]]; then
+  # Download bats-support dynamically so it doesnt need to be added into source
+  git clone https://github.com/ztombol/bats-support _test/test_helper/bats-support --depth 1
+fi
+
+if [[ ! -d "_test/test_helper/redhatcop-bats-library" ]]; then
+  # Download redhat-cop/bats-library dynamically so it doesnt need to be added into source
+  git clone https://github.com/redhat-cop/bats-library _test/test_helper/redhatcop-bats-library --depth 1
+fi
diff --git a/_test/conftest.sh b/_test/conftest.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bats
+
+load bats-support-clone
+load test_helper/bats-support/load
+load test_helper/redhatcop-bats-library/load
+
+setup_file() {
+  rm -rf /tmp/rhcop
+  conftest_pull
+}
+
+@test "charts/deploy" {
+  tmp=$(helm_template "charts/deploy")
+
+  namespaces=$(get_rego_namespaces "ocp\.deprecated\.*")
+  cmd="conftest test ${tmp} --output tap ${namespaces}"
+  run ${cmd}
+
+  print_info "${status}" "${output}" "${cmd}" "${tmp}"
+  [ "$status" -eq 0 ]
+}
+
+@test "charts/exporter" {
+  tmp=$(helm_template "charts/exporter")
+
+  namespaces=$(get_rego_namespaces "ocp\.deprecated\.*")
+  cmd="conftest test ${tmp} --output tap ${namespaces}"
+  run ${cmd}
+
+  print_info "${status}" "${output}" "${cmd}" "${tmp}"
+  [ "$status" -eq 0 ]
+}
+
+@test "storage/minio-scc.yaml" {
+  tmp=$(split_files "storage/minio-scc.yaml")
+
+  namespaces=$(get_rego_namespaces "ocp\.deprecated\.*")
+  cmd="conftest test ${tmp} --output tap ${namespaces}"
+  run ${cmd}
+
+  print_info "${status}" "${output}" "${cmd}" "${tmp}"
+  [ "$status" -eq 0 ]
+}
