fix(config): change selector type (fanal#189)

* fix(config): change selector type

* test(policy): fix test data

Author: knqyf263

cmd/fanal/main.go

@@ -60,6 +60,11 @@ func run() (err error) {
 				Aliases: []string{"fs"},
 				Usage:   "inspect a local directory",
 				Flags: []cli.Flag{
+					&cli.StringSliceFlag{
+						Name:  "namespace",
+						Usage: "namespaces",
+						Value: cli.NewStringSlice("appshield"),
+					},
 					&cli.StringSliceFlag{
 						Name:  "policy",
 						Usage: "policy paths",
@@ -141,6 +146,7 @@ func archiveAction(c *cli.Context, fsCache cache.Cache) error {
 
 func fsAction(c *cli.Context, fsCache cache.Cache) error {
 	art, err := local.NewArtifact(c.Args().First(), fsCache, nil, config.ScannerOption{
+		Namespaces:  []string{"appshield"},
 		PolicyPaths: c.StringSlice("policy"),
 	})
 	if err != nil {
@@ -189,6 +195,9 @@ func inspect(ctx context.Context, art artifact.Artifact, c cache.LocalArtifactCa
 	}
 	for _, misconf := range mergedLayer.Misconfigurations {
 		fmt.Printf("  %s: failures %d, warnings %d\n", misconf.FilePath, len(misconf.Failures), len(misconf.Warnings))
+		for _, failure := range misconf.Failures {
+			fmt.Printf("    %s: %s\n", failure.ID, failure.Message)
+		}
 	}
 	return nil
 }

policy/engine.go

@@ -196,13 +196,13 @@ func (e *Engine) Check(ctx context.Context, configs []types.Config, namespaces [
 		}
 
 		var selectedConfigs []types.Config
-		if len(inputOption.Selector.Types) > 0 {
+		if len(inputOption.Selectors) > 0 {
 			// Pass only the config files that match the selector types
-			for _, t := range inputOption.Selector.Types {
+			for _, t := range uniqueSelectorTypes(inputOption.Selectors) {
 				selectedConfigs = append(selectedConfigs, typedConfigs[t]...)
 			}
 		} else {
-			// When the 'types' is not specified, it means '*'.
+			// When the 'selector' is not specified, it means '*'.
 			selectedConfigs = configs
 		}
 
@@ -666,6 +666,14 @@ func removeRulePrefix(rule string) string {
 	return rule
 }
 
+func uniqueSelectorTypes(selectors []types.PolicyInputSelector) []string {
+	selectorTypes := map[string]struct{}{}
+	for _, s := range selectors {
+		selectorTypes[s.Type] = struct{}{}
+	}
+	return utils.Keys(selectorTypes)
+}
+
 func uniqueResults(results []types.MisconfResult) []types.MisconfResult {
 	uniq := map[string]types.MisconfResult{}
 	for _, result := range results {

policy/testdata/combine/combined_deployment.rego

@@ -11,8 +11,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-	"selector": {"types": ["kubernetes"]},
 	"combine": true,
+	"selector": [{"type": "kubernetes"}],
 }
 
 deny[res] {

policy/testdata/combine/docker.rego renamed to policy/testdata/combine/combined_docker.rego

@@ -11,8 +11,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-	"selector": {"types": ["dockerfile"]},
 	"combine": true,
+	"selector": [{"type": "dockerfile"}],
 }
 
 deny[res] {

policy/testdata/combine/combined_pod.rego

@@ -1,22 +1,20 @@
 package testdata.xyz_400
 
 __rego_metadata__ := {
-    "id": "XYZ-400",
-    "title": "Bad Combined Pod",
-    "version": "v1.0.0",
-    "severity": "LOW",
-    "type": "Kubernetes Security Check",
+	"id": "XYZ-400",
+	"title": "Bad Combined Pod",
+	"version": "v1.0.0",
+	"severity": "LOW",
+	"type": "Kubernetes Security Check",
 }
 
 __rego_input__ := {
-    "selector": {
-        "types": ["kubernetes"]
-    },
-    "combine": true,
+	"combine": true,
+	"selector": [{"type": "kubernetes"}],
 }
 
 deny[res] {
-    input[i].contents.kind == "Pod"
+	input[i].contents.kind == "Pod"
 	res := {
 		"filepath": input[i].path,
 		"msg": sprintf("deny combined %s", [input[i].contents.metadata.name]),

policy/testdata/combine/deployment.rego

@@ -11,8 +11,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-	"selector": {"types": ["kubernetes"]},
 	"combine": false,
+	"selector": [{"type": "kubernetes"}],
 }
 
 warn[msg] {

policy/testdata/combine_exception/combined_deployment.rego

@@ -11,8 +11,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-	"selector": {"types": ["kubernetes"]},
 	"combine": true,
+	"selector": [{"type": "kubernetes"}],
 }
 
 warn[res] {

policy/testdata/combine_exception/deployment.rego

@@ -11,8 +11,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-	"selector": {"types": ["kubernetes"]},
 	"combine": false,
+	"selector": [{"type": "kubernetes"}],
 }
 
 warn[msg] {

policy/testdata/combine_exception/exceptions.rego

@@ -3,6 +3,6 @@ package namespace.exceptions
 import data.namespaces
 
 exception[ns] {
-    ns := data.namespaces[_]
-    ns == "testdata.xyz_300"
+	ns := data.namespaces[_]
+	ns == "testdata.xyz_300"
 }

policy/testdata/combine_exception/fail.rego

@@ -11,8 +11,8 @@ __rego_metadata__ := {
 }
 
 __rego_input__ := {
-	"selector": {"types": ["kubernetes"]},
 	"combine": true,
+	"selector": [{"type": "kubernetes"}],
 }
 
 deny[res] {