feat: support print statement in gator (#2949) (#3872)

Signed-off-by: Julian van den Berkmortel <7153670+Serializator@users.noreply.github.com>
Co-authored-by: Jaydip Gabani <gabanijaydip@gmail.com>

Author: Serializator

cmd/gator/test/test.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/open-policy-agent/frameworks/constraint/pkg/instrumentation"
 	cmdutils "github.com/open-policy-agent/gatekeeper/v3/cmd/gator/util"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/reader"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/test"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/util"
@@ -50,13 +51,15 @@ var (
 	flagTempDir      string
 	flagEnableK8sCel bool
 	flagDenyOnly     bool
+	flagVerbose      bool
 )
 
 const (
 	flagNameFilename = "filename"
 	flagNameOutput   = "output"
 	flagNameImage    = "image"
 	flagNameTempDir  = "tempdir"
+	flagNameVerbose  = "verbose"
 
 	stringJSON          = "json"
 	stringYAML          = "yaml"
@@ -74,6 +77,7 @@ func init() {
 	Cmd.Flags().StringArrayVarP(&flagImages, flagNameImage, "i", []string{}, "a URL to an OCI image containing policies. Can be specified multiple times.")
 	Cmd.Flags().StringVarP(&flagTempDir, flagNameTempDir, "d", "", fmt.Sprintf("Specifies the temporary directory to download and unpack images to, if using the --%s flag. Optional.", flagNameImage))
 	Cmd.Flags().BoolVarP(&flagDenyOnly, "deny-only", "", false, "output only denied constraints")
+	Cmd.Flags().BoolVarP(&flagVerbose, flagNameVerbose, "v", false, "print extended test output")
 }
 
 func run(_ *cobra.Command, _ []string) {
@@ -85,14 +89,34 @@ func run(_ *cobra.Command, _ []string) {
 		cmdutils.ErrFatalf("no input data identified")
 	}
 
-	responses, err := test.Test(unstrucs, test.Opts{IncludeTrace: flagIncludeTrace, GatherStats: flagGatherStats, UseK8sCEL: flagEnableK8sCel})
+	var printBuf bytes.Buffer
+
+	var opts []gator.Opt
+	if flagIncludeTrace {
+		opts = append(opts, test.WithTrace())
+	}
+	if flagGatherStats {
+		opts = append(opts, test.WithGatherStats())
+	}
+	if flagEnableK8sCel {
+		opts = append(opts, test.WithK8sCEL(flagGatherStats))
+	}
+	if flagVerbose {
+		opts = append(opts, gator.WithPrintHook(&printBuf))
+	}
+
+	responses, err := test.Test(unstrucs, opts...)
 	if err != nil {
 		cmdutils.ErrFatalf("auditing objects: %v", err)
 	}
 	results := responses.Results()
 
 	fmt.Print(formatOutput(flagOutput, results, responses.StatsEntries))
 
+	if printBuf.Len() > 0 {
+		fmt.Printf("\n%s\n", printBuf.String())
+	}
+
 	// Whether or not we return non-zero depends on whether we have a `deny`
 	// enforcementAction on one of the violated constraints
 	exitCode := 0

cmd/gator/verify/verify.go

@@ -112,7 +112,13 @@ func runE(cmd *cobra.Command, args []string) error {
 func runSuites(ctx context.Context, fileSystem fs.FS, suites []*verify.Suite, filter verify.Filter) error {
 	isFailure := false
 
-	runner, err := verify.NewRunner(fileSystem, gator.NewOPAClient, verify.IncludeTrace(includeTrace), verify.UseK8sCEL(flagEnableK8sCel))
+	runner, err := verify.NewRunner(fileSystem, func(opts ...gator.Opt) (gator.Client, error) {
+		if flagEnableK8sCel {
+			opts = append(opts, gator.WithK8sCEL())
+		}
+
+		return gator.NewOPAClient(includeTrace, opts...)
+	}, verify.IncludeTrace(includeTrace))
 	if err != nil {
 		return err
 	}
@@ -136,7 +142,9 @@ func runSuites(ctx context.Context, fileSystem fs.FS, suites []*verify.Suite, fi
 		results[i] = suiteResult
 		i++
 	}
+
 	w := &strings.Builder{}
+
 	printer := verify.PrinterGo{}
 	err = printer.Print(w, results, verbose)
 	if err != nil {

pkg/gator/fixtures/fixtures.go

@@ -39,6 +39,7 @@ spec:
       rego: |
         package k8salwaysvalidate
         violation[{"msg": msg}] {
+          print(sprintf("a debug message (%v)", [input.review.object.kind]))
           false
           msg := "should always pass"
         }

pkg/gator/opa.go

@@ -6,20 +6,29 @@ import (
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/drivers/k8scel"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/target"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/util"
+	"io"
 )
 
-func NewOPAClient(includeTrace bool, k8sCEL bool) (Client, error) {
+type Opt func() ([]constraintclient.Opt, []rego.Arg, error)
+
+func NewOPAClient(includeTrace bool, opts ...Opt) (Client, error) {
 	args := []constraintclient.Opt{constraintclient.Targets(&target.K8sValidationTarget{})}
 
-	if k8sCEL {
-		k8sDriver, err := k8scel.New()
+	driverArgs := []rego.Arg{
+		rego.Tracing(includeTrace),
+	}
+
+	for _, opt := range opts {
+		extraArgs, extraDriverArgs, err := opt()
 		if err != nil {
 			return nil, err
 		}
-		args = append(args, constraintclient.Driver(k8sDriver))
+
+		args = append(args, extraArgs...)
+		driverArgs = append(driverArgs, extraDriverArgs...)
 	}
 
-	driver, err := rego.New(rego.Tracing(includeTrace))
+	driver, err := rego.New(driverArgs...)
 	if err != nil {
 		return nil, err
 	}
@@ -33,3 +42,25 @@ func NewOPAClient(includeTrace bool, k8sCEL bool) (Client, error) {
 
 	return c, nil
 }
+
+func WithK8sCEL() Opt {
+	return func() ([]constraintclient.Opt, []rego.Arg, error) {
+		k8sDriver, err := k8scel.New()
+		if err != nil {
+			return nil, nil, err
+		}
+
+		return []constraintclient.Opt{
+			constraintclient.Driver(k8sDriver),
+		}, []rego.Arg{}, nil
+	}
+}
+
+func WithPrintHook(w io.Writer) Opt {
+	return func() ([]constraintclient.Opt, []rego.Arg, error) {
+		return []constraintclient.Opt{}, []rego.Arg{
+			rego.PrintEnabled(true),
+			rego.PrintHook(NewPrintHook(w)),
+		}, nil
+	}
+}

pkg/gator/print.go

@@ -0,0 +1,24 @@
+package gator
+
+import (
+	"fmt"
+	"io"
+
+	v1 "github.com/open-policy-agent/opa/v1/topdown/print"
+)
+
+// PrintHook implements the OPA print hook interface to capture print statement output from Rego policies.
+type PrintHook struct {
+	writer io.Writer
+}
+
+// NewPrintHook creates and returns a new instance of PrintHook and writes to writer.
+func NewPrintHook(writer io.Writer) PrintHook {
+	return PrintHook{writer}
+}
+
+// Print writes message to writer passed to PrintHook when it was created.
+func (h PrintHook) Print(ctx v1.Context, message string) error {
+	_, err := fmt.Fprintln(h.writer, message)
+	return err
+}

pkg/gator/test/test.go

@@ -10,6 +10,7 @@ import (
 	"github.com/open-policy-agent/frameworks/constraint/pkg/client/reviews"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/drivers/k8scel"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/expansion"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/expand"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/reader"
 	mutationtypes "github.com/open-policy-agent/gatekeeper/v3/pkg/mutation/types"
@@ -29,28 +30,26 @@ func init() {
 	}
 }
 
-// options for the Test func.
-type Opts struct {
-	// Driver specific options
-	IncludeTrace bool
-	GatherStats  bool
-	UseK8sCEL    bool
-}
-
-func Test(objs []*unstructured.Unstructured, tOpts Opts) (*GatorResponses, error) {
+func Test(objs []*unstructured.Unstructured, opts ...gator.Opt) (*GatorResponses, error) {
 	args := []constraintclient.Opt{constraintclient.Targets(&target.K8sValidationTarget{})}
-	if tOpts.UseK8sCEL {
-		k8sDriver, err := makeK8sCELDriver(tOpts)
+
+	driverArgs := []rego.Arg{}
+
+	for _, opt := range opts {
+		extraArgs, extraDriverArgs, err := opt()
 		if err != nil {
-			return nil, fmt.Errorf("creating K8s native driver: %w", err)
+			return nil, err
 		}
-		args = append(args, constraintclient.Driver(k8sDriver))
+
+		args = append(args, extraArgs...)
+		driverArgs = append(driverArgs, extraDriverArgs...)
 	}
 
-	driver, err := makeRegoDriver(tOpts)
+	driver, err := rego.New(driverArgs...)
 	if err != nil {
 		return nil, fmt.Errorf("creating Rego driver: %w", err)
 	}
+
 	args = append(args, constraintclient.Driver(driver), constraintclient.EnforcementPoints(util.GatorEnforcementPoint))
 
 	client, err := constraintclient.NewClient(args...)
@@ -176,24 +175,37 @@ func Test(objs []*unstructured.Unstructured, tOpts Opts) (*GatorResponses, error
 	return responses, nil
 }
 
-func makeRegoDriver(tOpts Opts) (*rego.Driver, error) {
-	var args []rego.Arg
-	if tOpts.GatherStats {
-		args = append(args, rego.GatherStats())
-	}
-	if tOpts.IncludeTrace {
-		args = append(args, rego.Tracing(tOpts.IncludeTrace))
+func WithGatherStats() gator.Opt {
+	return func() ([]constraintclient.Opt, []rego.Arg, error) {
+		return []constraintclient.Opt{}, []rego.Arg{
+			rego.GatherStats(),
+		}, nil
 	}
+}
 
-	return rego.New(args...)
+func WithTrace() gator.Opt {
+	return func() ([]constraintclient.Opt, []rego.Arg, error) {
+		return []constraintclient.Opt{}, []rego.Arg{
+			rego.Tracing(true),
+		}, nil
+	}
 }
 
-func makeK8sCELDriver(tOpts Opts) (*k8scel.Driver, error) {
-	var args []k8scel.Arg
+func WithK8sCEL(gatherStats bool) gator.Opt {
+	return func() ([]constraintclient.Opt, []rego.Arg, error) {
+		var args []k8scel.Arg
 
-	if tOpts.GatherStats {
-		args = append(args, k8scel.GatherStats())
-	}
+		if gatherStats {
+			args = append(args, k8scel.GatherStats())
+		}
 
-	return k8scel.New(args...)
+		k8sDriver, err := k8scel.New(args...)
+		if err != nil {
+			return []constraintclient.Opt{}, []rego.Arg{}, fmt.Errorf("creating K8s native driver: %w", err)
+		}
+
+		return []constraintclient.Opt{
+			constraintclient.Driver(k8sDriver),
+		}, []rego.Arg{}, nil
+	}
 }

pkg/gator/test/test_test.go

@@ -1,13 +1,17 @@
 package test
 
 import (
+	"bytes"
+	"fmt"
+	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
 	constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client"
 	"github.com/open-policy-agent/frameworks/constraint/pkg/instrumentation"
 	"github.com/open-policy-agent/frameworks/constraint/pkg/types"
+	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/fixtures"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/gator/reader"
 	"github.com/open-policy-agent/gatekeeper/v3/pkg/target"
@@ -245,7 +249,7 @@ func TestTest(t *testing.T) {
 				objs = append(objs, u)
 			}
 
-			resps, err := Test(objs, Opts{})
+			resps, err := Test(objs)
 			if tc.err != nil {
 				require.ErrorIs(t, err, tc.err)
 			} else if err != nil {
@@ -285,7 +289,7 @@ func Test_Test_withTrace(t *testing.T) {
 		objs = append(objs, u)
 	}
 
-	resps, err := Test(objs, Opts{IncludeTrace: true})
+	resps, err := Test(objs, WithTrace())
 	if err != nil {
 		t.Errorf("got err '%v', want nil", err)
 	}
@@ -346,7 +350,7 @@ func Test_Test_withStats(t *testing.T) {
 		objs = append(objs, u)
 	}
 
-	resps, err := Test(objs, Opts{GatherStats: true})
+	resps, err := Test(objs, WithGatherStats())
 	assert.NoError(t, err)
 
 	actualStats := resps.StatsEntries
@@ -411,3 +415,38 @@ func Test_Test_withStats(t *testing.T) {
 		}
 	}
 }
+
+func TestTest_Print(t *testing.T) {
+	var printBuf bytes.Buffer
+
+	inputs := []string{
+		fixtures.TemplateAlwaysValidate,
+		fixtures.ConstraintAlwaysValidate,
+		fixtures.Object,
+	}
+
+	var objs []*unstructured.Unstructured
+	for _, input := range inputs {
+		u, err := reader.ReadUnstructured([]byte(input))
+		if err != nil {
+			t.Fatalf("readUnstructured for input %q: %v", input, err)
+		}
+		objs = append(objs, u)
+	}
+
+	_, err := Test(objs, gator.WithPrintHook(&printBuf))
+	if err != nil {
+		t.Errorf("got err '%v', want nil", err)
+	}
+
+	// The constraint template results in three debug statements. The use of the object's kind is only for
+	// illustration purposes to make it clear three debug statements being written is not a bug.
+	want := strings.Builder{}
+	for _, kind := range []string{"ConstraintTemplate", "AlwaysValidate", "Object"} {
+		want.WriteString(fmt.Sprintf("a debug message (%s)\n", kind))
+	}
+
+	if diff := cmp.Diff(want.String(), printBuf.String()); diff != "" {
+		t.Fatalf("diff in print statements (-want +got)\n%s", diff)
+	}
+}

pkg/gator/verify/printer_go.go

@@ -127,6 +127,20 @@ func (p PrinterGo) PrintCase(w StringWriter, r *CaseResult, verbose bool) error
 		if err != nil {
 			return fmt.Errorf("%w: %w", ErrWritingString, err)
 		}
+
+		if len(r.Print) > 0 {
+			_, err = w.WriteString("        === PRINT ===\n")
+			if err != nil {
+				return fmt.Errorf("%w: %w", ErrWritingString, err)
+			}
+
+			for _, line := range strings.Split(strings.TrimSuffix(r.Print, "\n"), "\n") {
+				_, err = w.WriteString(fmt.Sprintf("        %s\n", line))
+				if err != nil {
+					return fmt.Errorf("%w: %w", ErrWritingString, err)
+				}
+			}
+		}
 	}
 
 	if r.Error != nil {