spoc merge: add --check

this flag is useful to ensure in CI that the profile includes all capabilities exercised in tests
kubernetes-sigs · May 3, 2024 · b7715e3 · b7715e3
1 parent 5461278
commit b7715e3
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 4 deletions.
diff --git a/cmd/spoc/main.go b/cmd/spoc/main.go
@@ -85,9 +85,11 @@ func main() {
 			},
 		},
 		&cli.Command{
-			Name:      "merge",
-			Aliases:   []string{"m"},
-			Usage:     "merge multiple security profiles",
+			Name:    "merge",
+			Aliases: []string{"m"},
+			Usage:   "merge multiple security profiles",
+			Description: "Merge multiple security profiles into a combined profile. " +
+				"Permissions are additive. For AppArmor, the first profile may additionally contain glob paths.",
 			Action:    merge,
 			ArgsUsage: "INFILE...",
 			Flags: []cli.Flag{
@@ -98,6 +100,12 @@ func main() {
 					DefaultText: merger.DefaultOutputFile,
 					TakesFile:   true,
 				},
+				&cli.BoolFlag{
+					Name:    merger.FlagCheck,
+					Aliases: []string{"c"},
+					Usage: "do not write an output file, " +
+						"but exit with an error if the first profile is not a superset of all others.",
+				},
 			},
 		},
 		&cli.Command{

diff --git a/internal/pkg/cli/merger/consts.go b/internal/pkg/cli/merger/consts.go
@@ -24,4 +24,6 @@ var DefaultOutputFile = cli.DefaultFile
 const (
 	// FlagOutputFile is the flag for defining the output file location.
 	FlagOutputFile string = cli.FlagOutputFile
+
+	FlagCheck string = "check"
 )
diff --git a/internal/pkg/cli/merger/merger.go b/internal/pkg/cli/merger/merger.go
@@ -20,6 +20,8 @@ import (
 	"bytes"
 	"fmt"
 	"log"
+	"os"
+	"reflect"
 
 	"k8s.io/cli-runtime/pkg/printers"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -60,13 +62,29 @@ func (p *Merger) Run() error {
 		}
 	}
 
+	baseProfile := contents[0].DeepCopyObject()
+
 	merged, err := recordingmerger.MergeProfiles(contents)
 	if err != nil {
 		return fmt.Errorf("merge profiles: %w", err)
 	}
 
-	var buffer bytes.Buffer
 	printer := printers.YAMLPrinter{}
+
+	if p.options.check {
+		if reflect.DeepEqual(baseProfile, merged) {
+			log.Println("Base profile is up-to-date.")
+			os.Exit(0)
+		} else {
+			log.Println("Base profile needs an update.")
+			if err := printer.PrintObj(merged, os.Stderr); err != nil {
+				return fmt.Errorf("print YAML: %w", err)
+			}
+			os.Exit(1)
+		}
+	}
+
+	var buffer bytes.Buffer
 	if err := printer.PrintObj(merged, &buffer); err != nil {
 		return fmt.Errorf("print YAML: %w", err)
 	}

diff --git a/internal/pkg/cli/merger/options.go b/internal/pkg/cli/merger/options.go
@@ -26,6 +26,7 @@ import (
 type Options struct {
 	inputFiles []string
 	outputFile string
+	check      bool
 }
 
 // Default returns a default options instance.
@@ -45,6 +46,8 @@ func FromContext(ctx *ucli.Context) (*Options, error) {
 	}
 	options.inputFiles = args
 
+	options.check = ctx.IsSet(FlagCheck)
+
 	if ctx.IsSet(FlagOutputFile) {
 		options.outputFile = ctx.String(FlagOutputFile)
 	}