Merge pull request #31 from jpower432/feat/add-automated-config-validation

Alex Flom · web-flow · commit b9fd3286940d · 2023-02-08T12:55:42.000-07:00
Feat/add automated config validation
diff --git a/.github/workflows/valdate-peribolos.yaml b/.github/workflows/valdate-peribolos.yaml
@@ -0,0 +1,32 @@
+name: Verify Peribolos
+on:
+  push:
+    branches:
+      - '**'
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  project:
+    name: Verify peribolos
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - name: install Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.18
+      - name: checkout repo
+        uses: actions/checkout@v3
+        with:
+          path: src/github.com/emporous/.github
+      - name: verify go modules and vendor directory
+        run: |
+          go mod tidy
+          go mod vendor
+        working-directory: src/github.com/emporous/.github
+      - name: running unit tests
+        run: |
+          go test ./... --config ../peribolos.yaml --owners-dir ../
+        working-directory: src/github.com/emporous/.github
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,6 @@
 .idea
 *.swp
 .vscode
+
+# Local vendor. Remove when ready to vendor dependencies.
+/vendor/
diff --git a/config/config_test.go b/config/config_test.go
@@ -0,0 +1,237 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// These tests are adapted from https://github.com/kubernetes/org/blob/main/config/config_test.go
+
+package config
+
+import (
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"sort"
+	"strings"
+	"testing"
+
+	"github.com/ghodss/yaml"
+	"github.com/hmarr/codeowners"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/test-infra/prow/config/org"
+	"k8s.io/test-infra/prow/github"
+)
+
+var configPath = flag.String("config", "config.yaml", "Path to peribolos config")
+var ownersDir = flag.String("owners-dir", ".", "Directory to CODEOWNERS")
+
+var cfg org.FullConfig
+
+func TestMain(m *testing.M) {
+	flag.Parse()
+	if *configPath == "" {
+		fmt.Println("--config must be set")
+		os.Exit(1)
+	}
+
+	if *ownersDir == "" {
+		fmt.Println("--owners-dir must be set")
+		os.Exit(1)
+	}
+
+	raw, err := ioutil.ReadFile(*configPath)
+	if err != nil {
+		fmt.Printf("cannot read configuation from %s: %v\n", *configPath, err)
+		os.Exit(1)
+	}
+
+	if err := yaml.Unmarshal(raw, &cfg); err != nil {
+		fmt.Printf("cannot unmarshal configuration from %s: %v\n", *configPath, err)
+		os.Exit(1)
+	}
+
+	os.Exit(m.Run())
+}
+
+func loadOwners(dir string) ([]string, error) {
+	var owners []string
+
+	dir = path.Clean(dir)
+	file, err := os.Open(path.Join(dir, "CODEOWNERS"))
+	if err != nil {
+		return nil, err
+	}
+
+	ruleset, err := codeowners.ParseFile(file)
+	if err != nil {
+		return nil, err
+	}
+
+	rule, err := ruleset.Match(*configPath)
+	if err != nil {
+		return nil, err
+	}
+
+	if rule == nil {
+		return nil, fmt.Errorf("no matching rule found for %s", *configPath)
+	}
+
+	for _, owner := range rule.Owners {
+		owners = append(owners, owner.String())
+	}
+
+	return owners, nil
+}
+
+func testDuplicates(list sets.Set[string]) error {
+	found := sets.NewString()
+	dups := sets.NewString()
+	all := list.UnsortedList()
+	for _, i := range all {
+		if found.Has(i) {
+			dups.Insert(i)
+		}
+		found.Insert(i)
+	}
+	if n := len(dups); n > 0 {
+		return fmt.Errorf("%d duplicate names: %s", n, strings.Join(dups.List(), ", "))
+	}
+	return nil
+}
+
+func isSorted(list []string) bool {
+	items := make([]string, len(list))
+	for _, l := range list {
+		items = append(items, strings.ToLower(l))
+	}
+
+	return sort.StringsAreSorted(items)
+}
+
+func normalize(s sets.Set[string]) sets.Set[string] {
+	out := sets.Set[string]{}
+	for _, t := range s.UnsortedList() {
+		out.Insert(github.NormLogin(t))
+	}
+	return out
+}
+
+// testTeamMembers ensures that a user is not a maintainer and member at the same time,
+// there are no duplicate names in the list and all users are org members.
+func testTeamMembers(teams map[string]org.Team, admins sets.Set[string], orgMembers sets.Set[string], orgName string) []error {
+	var errs []error
+	for teamName, team := range teams {
+		teamMaintainers := sets.New(team.Maintainers...)
+		teamMembers := sets.New(team.Members...)
+
+		teamMaintainers = normalize(teamMaintainers)
+		teamMembers = normalize(teamMembers)
+
+		// ensure all teams have privacy as closed
+		if team.Privacy == nil || (team.Privacy != nil && *team.Privacy != org.Closed) {
+			errs = append(errs, fmt.Errorf("The team %s in org %s doesn't have the `privacy: closed` field", teamName, orgName))
+		}
+
+		// check for non-admins in maintainers list
+		if nonAdminMaintainers := teamMaintainers.Difference(admins); len(nonAdminMaintainers) > 0 {
+			errs = append(errs, fmt.Errorf("The team %s in org %s has non-admins listed as maintainers; these users should be in the members list instead: %s", teamName, orgName, strings.Join(nonAdminMaintainers.UnsortedList(), ",")))
+		}
+
+		// check for users in both maintainers and members
+		if both := teamMaintainers.Intersection(teamMembers); len(both) > 0 {
+			errs = append(errs, fmt.Errorf("The team %s in org %s has users in both maintainer admin and member roles: %s", teamName, orgName, strings.Join(both.UnsortedList(), ", ")))
+		}
+
+		// check for duplicates
+		if err := testDuplicates(teamMaintainers); err != nil {
+			errs = append(errs, fmt.Errorf("The team %s in org %s has duplicate maintainers: %v", teamName, orgName, err))
+		}
+		if err := testDuplicates(teamMembers); err != nil {
+			errs = append(errs, fmt.Errorf("The team %s in org %s has duplicate members: %v", teamMembers, orgName, err))
+		}
+
+		// check if all are org members
+		if missing := teamMembers.Difference(orgMembers); len(missing) > 0 {
+			errs = append(errs, fmt.Errorf("The following members of team %s are not %s org members: %s", teamName, orgName, strings.Join(missing.UnsortedList(), ", ")))
+		}
+
+		// check if admins are a regular member of team
+		if adminTeamMembers := teamMembers.Intersection(admins); len(adminTeamMembers) > 0 {
+			errs = append(errs, fmt.Errorf("The team %s in org %s has org admins listed as members; these users should be in the maintainers list instead, and cannot be on the members list: %s", teamName, orgName, strings.Join(adminTeamMembers.UnsortedList(), ", ")))
+		}
+
+		// check if lists are sorted
+		if !isSorted(team.Maintainers) {
+			errs = append(errs, fmt.Errorf("The team %s in org %s has an unsorted list of maintainers", teamName, orgName))
+		}
+		if !isSorted(team.Members) {
+			errs = append(errs, fmt.Errorf("The team %s in org %s has an unsorted list of members", teamName, orgName))
+		}
+
+		if team.Children != nil {
+			errs = append(errs, testTeamMembers(team.Children, admins, orgMembers, orgName)...)
+		}
+	}
+	return errs
+}
+
+func TestOrgs(t *testing.T) {
+	own, err := loadOwners(*ownersDir)
+	if err != nil {
+		t.Fatalf("failed to load CODEOWNERS: %v", err)
+	}
+
+	for _, org := range cfg.Orgs {
+		members := normalize(sets.New(org.Members...))
+		admins := normalize(sets.New(org.Admins...))
+		allOrgMembers := members.Union(admins)
+
+		approvers := normalize(sets.New(own...))
+
+		if diff := approvers.Difference(admins); len(diff) > 0 {
+			t.Errorf("users do not match in CODEOWNERS and org admins '%s': %s", *org.Name, strings.Join(diff.UnsortedList(), ", "))
+		}
+
+		if n := len(approvers); n < 4 {
+			t.Errorf("Require at least 4 approvers, found %d: %s", n, strings.Join(approvers.UnsortedList(), ", "))
+		}
+
+		if err := testDuplicates(approvers); err != nil {
+			t.Errorf("duplicate approvers: %v", err)
+		}
+
+		if both := admins.Intersection(members); len(both) > 0 {
+			t.Errorf("users in both org admin and member roles for org '%s': %s", *org.Name, strings.Join(both.UnsortedList(), ", "))
+		}
+
+		if err := testDuplicates(admins); err != nil {
+			t.Errorf("duplicate admins: %v", err)
+		}
+		if err := testDuplicates(allOrgMembers); err != nil {
+			t.Errorf("duplicate members: %v", err)
+		}
+		if !isSorted(org.Admins) {
+			t.Errorf("admins for %s org are unsorted", *org.Name)
+		}
+		if !isSorted(org.Members) {
+			t.Errorf("members for %s org are unsorted", *org.Name)
+		}
+
+		if errs := testTeamMembers(org.Teams, admins, allOrgMembers, *org.Name); errs != nil {
+			for _, err := range errs {
+				t.Error(err)
+			}
+		}
+	}
+
+}
diff --git a/go.mod b/go.mod
@@ -0,0 +1,49 @@
+module github.com/emporous/.github
+
+go 1.18
+
+require (
+	github.com/ghodss/yaml v1.0.0
+	github.com/hmarr/codeowners v1.1.1
+	k8s.io/apimachinery v0.26.1
+	k8s.io/test-infra v0.0.0-20230128010633-10be4bc2e686
+)
+
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/gomodule/redigo v1.8.5 // indirect
+	github.com/google/btree v1.0.1 // indirect
+	github.com/google/gofuzz v1.2.1-0.20210504230335-f78f29fc09ea // indirect
+	github.com/gregjones/httpcache v0.0.0-20190212212710-3befbb6ad0cc // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
+	github.com/prometheus/client_golang v1.12.1 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/shurcooL/githubv4 v0.0.0-20210725200734-83ba7b4c9228 // indirect
+	github.com/shurcooL/graphql v0.0.0-20181231061246-d48a9a75455f // indirect
+	github.com/sirupsen/logrus v1.8.1 // indirect
+	golang.org/x/net v0.3.1-0.20221206200815-1e63c2f08a10 // indirect
+	golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb // indirect
+	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
+	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/text v0.5.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/klog/v2 v2.80.1 // indirect
+	k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect
+	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
+)
diff --git a/go.sum b/go.sum
diff --git a/peribolos.yaml b/peribolos.yaml
