
Comments (9)

stek29 avatar stek29 commented on May 27, 2024

ah, it's more complicated than I thought.

parameter checking does run on imported files; it just doesn't catch things like foo = input.parameters.foo

however, checking is still broken for libraries since it expects the library itself to have @parameter annotations, and not the policy importing it.

from konstraint.

jalseth avatar jalseth commented on May 27, 2024

Hi, I'm not sure what you mean when you say it doesn't catch things like foo = input.parameters.foo. The regex would find that.

When writing policies, I wouldn't expect any libraries to reference the parameters directly. Instead they could be functions and the main policy could pass the parameters in.


stek29 avatar stek29 commented on May 27, 2024

@jalseth the regex works on Body, which in the case of test = input.parameters.test would be { true }, since test = input.parameters.test is equivalent to test = input.parameters.test { true }


jalseth avatar jalseth commented on May 27, 2024

The regex does not evaluate the Rego. When it sees test = input.parameters.foo the parameter that is extracted is foo; it is everything after the parameters. until there is a character that doesn't match the regex [a-zA-Z0-9-_]. I'm not sure what you mean when you say it would be { true }.


stek29 avatar stek29 commented on May 27, 2024

@jalseth here's what I mean by "body would be { true }"

diff --git a/internal/rego/rego.go b/internal/rego/rego.go
index 142fdfcbb39e..9403c1a825ff 100644
--- a/internal/rego/rego.go
+++ b/internal/rego/rego.go
@@ -379,6 +379,7 @@ func getBodyParamNames(rules []*ast.Rule) []string {
        r := regexp.MustCompile(`(core|input)\.parameters\.([a-zA-Z0-9_-]+)`)
        var bodyParams []string
        for _, rule := range rules {
+               fmt.Printf("ast.Rule `%v`: Head: `%v` Body: `%v`\n", rule, rule.Head, rule.Body)
                matches := r.FindAllStringSubmatch(rule.Body.String(), -1)
                for _, match := range matches {
                        if !contains(bodyParams, match[2]) {
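Review bot: the added fmt.Printf at the top of the loop body is a debugging trace, not something to merge; it writes to stdout rather than the logger the tool otherwise uses (the run below ends with an INFO log line), so drop it before opening a PR. The same hunk also documents the real defect: the regex is applied only to rule.Body.String(), so a reference that the parser has moved into the rule head (as rule.Head.Value for test = input.parameters.test) is never scanned. Searching a string built from both rule.Head.Value and rule.Body would cover both cases.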
❯ grep -ve '^#' test/src.rego      
package test
import data.lib.libraryA
violation[{"msg": "msg"}] {
    true # some comment with a trailing space 
}

❯ cat test/lib/libraryA.rego          
package lib.libraryA
test = input.parameters.test

❯ go run . create test --output test  
ast.Rule `violation[{"msg": "msg"}] { true }`: Head: `violation[{"msg": "msg"}]` Body: `true`
ast.Rule `test = input.parameters.test { true }`: Head: `test = input.parameters.test` Body: `true`
INFO[0000] completed successfully                        num_policies=1


stek29 avatar stek29 commented on May 27, 2024

So test = input.parameters.test as an ast.Rule represented in YAML would be:

head:
  name: test
  args: []
  key: nil
  value: input.parameters.test
body:
  - "true"


stek29 avatar stek29 commented on May 27, 2024

while the regex only checks rule.Body and not rule.Head.Value for use of parameters


jalseth avatar jalseth commented on May 27, 2024

Thank you for the clarification! I think this can be fixed by combining the rule.Head.Value and rule.Body before performing the regex search.

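An added, self-contained illustration of the mismatch described in this thread and of the fix proposed above; it is not konstraint's or OPA's code. It uses a string-only Rule type and a deliberately simplified parseRule as stand-ins for OPA's ast.Rule normalisation (a body-less rule gets Body "true" and its expression in Head.Value), and the regex is the one from the diff above; the sample rules are constructed from the thread's libraryA.rego plus a bodied policy rule.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule is a string-only stand-in for ast.Rule's Head.Value and Body (not OPA's type).
type Rule struct{ HeadValue, Body string }

// parseRule approximates OPA's normalisation: a body-less "name = expr" ends up with
// Head.Value = expr and Body = "true". Simplification: the head must not contain "{".
func parseRule(src string) Rule {
	head, body := strings.TrimSpace(src), "true"
	if i := strings.Index(src, "{"); i >= 0 {
		head = strings.TrimSpace(src[:i])
		body = strings.TrimSpace(strings.TrimSuffix(strings.TrimSpace(src[i+1:]), "}"))
	}
	r := Rule{Body: body}
	if j := strings.Index(head, "="); j >= 0 {
		r.HeadValue = strings.TrimSpace(head[j+1:])
	}
	return r
}

// paramRe is the expression konstraint's getBodyParamNames uses (copied from the diff).
var paramRe = regexp.MustCompile(`(core|input)\.parameters\.([a-zA-Z0-9_-]+)`)

// ruleParams returns the parameter names the regex finds in one rule.
// scanHead=false is the reported behaviour (Body only); scanHead=true is the
// proposed fix of combining Head.Value with Body before searching.
func ruleParams(r Rule, scanHead bool) (out []string) {
	text := r.Body
	if scanHead {
		text = r.HeadValue + "\n" + r.Body
	}
	for _, m := range paramRe.FindAllStringSubmatch(text, -1) {
		out = append(out, m[2])
	}
	return out
}

func main() {
	// Constructed rules: the thread's libraryA.rego and a bodied policy rule.
	lib := parseRule(`test = input.parameters.test`)
	pol := parseRule(`violation[msg] { msg := input.parameters.msg }`)
	fmt.Println(ruleParams(lib, false), ruleParams(lib, true)) // [] [test]
	fmt.Println(ruleParams(pol, false), ruleParams(pol, true)) // [msg] [msg]
}
```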

jalseth avatar jalseth commented on May 27, 2024

@stek29 I've implemented this in #279, I'd appreciate a quick review of the change if you have time.

