fix(config): change selector type (fanal#189)

* fix(config): change selector type

* test(policy): fix test data

cmd/fanal/main.go

@@ -60,6 +60,11 @@ func run() (err error) {
 				Aliases: []string{"fs"},
 				Usage:   "inspect a local directory",
 				Flags: []cli.Flag{
+					&cli.StringSliceFlag{
+						Name:  "namespace",
+						Usage: "namespaces",
+						Value: cli.NewStringSlice("appshield"),
+					},
 					&cli.StringSliceFlag{
 						Name:  "policy",
 						Usage: "policy paths",
@@ -141,6 +146,7 @@ func archiveAction(c *cli.Context, fsCache cache.Cache) error {
 
 func fsAction(c *cli.Context, fsCache cache.Cache) error {
 	art, err := local.NewArtifact(c.Args().First(), fsCache, nil, config.ScannerOption{
+		Namespaces:  []string{"appshield"},
 		PolicyPaths: c.StringSlice("policy"),
 	})
 	if err != nil {
@@ -189,6 +195,9 @@ func inspect(ctx context.Context, art artifact.Artifact, c cache.LocalArtifactCa
 	}
 	for _, misconf := range mergedLayer.Misconfigurations {
 		fmt.Printf("  %s: failures %d, warnings %d\n", misconf.FilePath, len(misconf.Failures), len(misconf.Warnings))
+		for _, failure := range misconf.Failures {
+			fmt.Printf("    %s: %s\n", failure.ID, failure.Message)
+		}
 	}
 	return nil
 }

policy/engine.go

@@ -196,13 +196,13 @@ func (e *Engine) Check(ctx context.Context, configs []types.Config, namespaces [
 		}
 
 		var selectedConfigs []types.Config
-		if len(inputOption.Selector.Types) > 0 {
+		if len(inputOption.Selectors) > 0 {
 			// Pass only the config files that match the selector types
-			for _, t := range inputOption.Selector.Types {
+			for _, t := range uniqueSelectorTypes(inputOption.Selectors) {
 				selectedConfigs = append(selectedConfigs, typedConfigs[t]...)
 			}
 		} else {
-			// When the 'types' is not specified, it means '*'.
+			// When the 'selector' is not specified, it means '*'.
 			selectedConfigs = configs
 		}
 
@@ -666,6 +666,14 @@ func removeRulePrefix(rule string) string {
 	return rule
 }
 
+func uniqueSelectorTypes(selectors []types.PolicyInputSelector) []string {
+	selectorTypes := map[string]struct{}{}
+	for _, s := range selectors {
+		selectorTypes[s.Type] = struct{}{}
+	}
+	return utils.Keys(selectorTypes)
+}
+
 func uniqueResults(results []types.MisconfResult) []types.MisconfResult {
 	uniq := map[string]types.MisconfResult{}
 	for _, result := range results {

policy/testdata/combine/combined_deployment.rego

@@ -11,8 +11,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-	"selector": {"types": ["kubernetes"]},
 	"combine": true,
+	"selector": [{"type": "kubernetes"}],
 }
 
 deny[res] {

policy/testdata/combine/combined_docker.rego

@@ -11,8 +11,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-	"selector": {"types": ["dockerfile"]},
 	"combine": true,
+	"selector": [{"type": "dockerfile"}],
 }
 
 deny[res] {

policy/testdata/combine/combined_pod.rego

@@ -9,10 +9,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-    "selector": {
-        "types": ["kubernetes"]
-    },
 	"combine": true,
+	"selector": [{"type": "kubernetes"}],
 }
 
 deny[res] {

policy/testdata/combine/deployment.rego

@@ -11,8 +11,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-	"selector": {"types": ["kubernetes"]},
 	"combine": false,
+	"selector": [{"type": "kubernetes"}],
 }
 
 warn[msg] {

policy/testdata/combine_exception/combined_deployment.rego

@@ -11,8 +11,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-	"selector": {"types": ["kubernetes"]},
 	"combine": true,
+	"selector": [{"type": "kubernetes"}],
 }
 
 warn[res] {

policy/testdata/combine_exception/deployment.rego

@@ -11,8 +11,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-	"selector": {"types": ["kubernetes"]},
 	"combine": false,
+	"selector": [{"type": "kubernetes"}],
 }
 
 warn[msg] {

policy/testdata/combine_exception/fail.rego

@@ -11,8 +11,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-	"selector": {"types": ["kubernetes"]},
 	"combine": true,
+	"selector": [{"type": "kubernetes"}],
 }
 
 deny[res] {

policy/testdata/happy/deployment.rego

@@ -11,10 +11,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-    "selector": {
-        "types": ["kubernetes"]
-    },
 	"combine": false,
+	"selector": [{"type": "kubernetes"}],
 }
 
 deny[msg] {

policy/testdata/happy/docker.rego

@@ -9,10 +9,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-    "selector": {
-        "types": ["dockerfile"]
-    },
 	"combine": false,
+	"selector": [{"type": "dockerfile"}],
 }
 
 deny[msg] {

policy/testdata/happy/pod.rego

@@ -9,10 +9,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-    "selector": {
-        "types": ["kubernetes"]
-    },
 	"combine": false,
+	"selector": [{"type": "kubernetes"}],
 }
 
 deny[msg] {

policy/testdata/sad/missing_filepath.rego

@@ -11,14 +11,12 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-	"selector": {"types": ["kubernetes"]},
 	"combine": true,
+	"selector": [{"type": "kubernetes"}],
 }
 
 warn[res] {
 	input[i].contents.kind == "Deployment"
 	services.ports[_] == 22
-	res := {
-		"msg": sprintf("deny combined %s", [input[i].contents.metadata.name]),
-	}
+	res := {"msg": sprintf("deny combined %s", [input[i].contents.metadata.name])}
 }

types/misconf.go

@@ -26,12 +26,12 @@ type PolicyMetadata struct {
 }
 
 type PolicyInputOption struct {
-	Combine  bool
-	Selector PolicyInputSelector
+	Combine   bool                  `mapstructure:"combine"`
+	Selectors []PolicyInputSelector `mapstructure:"selector"`
 }
 
 type PolicyInputSelector struct {
-	Types []string
+	Type string `mapstructure:"type"`
 }
 
 func (r MisconfResults) Len() int {

utils/utils.go

@@ -43,3 +43,11 @@ func IsGzip(f *bufio.Reader) bool {
 	}
 	return buf[0] == 0x1F && buf[1] == 0x8B && buf[2] == 0x8
 }
+
+func Keys(m map[string]struct{}) []string {
+	var keys []string
+	for k := range m {
+		keys = append(keys, k)
+	}
+	return keys
+}