Comments (9)
ah, it's more complicated than I thought.
parameter checking does run on imported files, it just doesn't catch things like `foo = input.parameters.foo`.
however, checking is still broken for libraries since it expects the library itself to have @parameter annotations, and not the policy importing it.
from konstraint.
Hi, I'm not sure what you mean when you say it doesn't catch things like `foo = input.parameters.foo`. The regex would find that.
When writing policies, I wouldn't expect any libraries to reference the parameters directly. Instead they could be functions and the main policy could pass the parameters in.
@jalseth the regex works on Body, which in the case of `test = input.parameters.test` would be `{ true }`, since `test = input.parameters.test` is equivalent to `test = input.parameters.test { true }`
The regex does not evaluate the Rego. When it sees `test = input.parameters.foo` the parameter that is extracted is `foo`; it is everything after the `parameters.` until there is a character that doesn't match the regex `[a-zA-Z0-9-_]`. I'm not sure what you mean when you say it would be `{ true }`.
@jalseth here's what I mean by "body would be `{ true }`"
diff --git a/internal/rego/rego.go b/internal/rego/rego.go
index 142fdfcbb39e..9403c1a825ff 100644
--- a/internal/rego/rego.go
+++ b/internal/rego/rego.go
@@ -379,6 +379,7 @@ func getBodyParamNames(rules []*ast.Rule) []string {
r := regexp.MustCompile(`(core|input)\.parameters\.([a-zA-Z0-9_-]+)`)
var bodyParams []string
for _, rule := range rules {
+ fmt.Printf("ast.Rule `%v`: Head: `%v` Body: `%v`\n", rule, rule.Head, rule.Body)
matches := r.FindAllStringSubmatch(rule.Body.String(), -1)
for _, match := range matches {
if !contains(bodyParams, match[2]) {
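Review bot: the added `fmt.Printf` is a debugging trace and should not land in rego.go, but the more important point is in the unchanged line right below it: `matches := r.FindAllStringSubmatch(rule.Body.String(), -1)` searches only the body, so a rule written as `test = input.parameters.test` (whose Body is `true` and whose parameter reference lives in `rule.Head.Value`) is never matched and the parameter it references is silently left out of the check. Consider running the regex over `rule.Head.Value.String()` (guarding against a nil Head.Value) together with `rule.Body.String()` so head and body references are collected alike.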
❯ grep -ve '^#' test/src.rego
package test
import data.lib.libraryA
violation[{"msg": "msg"}] {
true # some comment with a trailing space
}
❯ cat test/lib/libraryA.rego
package lib.libraryA
test = input.parameters.test
❯ go run . create test --output test
ast.Rule `violation[{"msg": "msg"}] { true }`: Head: `violation[{"msg": "msg"}]` Body: `true`
ast.Rule `test = input.parameters.test { true }`: Head: `test = input.parameters.test` Body: `true`
INFO[0000] completed successfully num_policies=1
So `test = input.parameters.test` as an ast.Rule represented in yaml would be:
head:
  name: test
  args: []
  key: nil
  value: input.parameters.test
body:
  - "true"
while the regex only checks `rule.Body` and not `rule.Head.Value` for use of parameters
Thank you for the clarification! I think this can be fixed by combining the `rule.Head.Value` and `rule.Body` before performing the regex search.
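To make the difference between scanning only the body and scanning head value plus body concrete, here is an added Go example; it is not konstraint's own code. It stands in for OPA's `*ast.Rule` with a minimal `Rule` struct holding the head value and body as text (an assumption of the example), reuses the regex from the diff in the thread, and runs over constructed sample rules that include the one-line `test = input.parameters.test` case. It also carries the extraction through to the check it feeds: comparing referenced parameters against the declared (annotated) ones, so a reference that only appears in a rule head is reported as undeclared instead of slipping through.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Rule is a hypothetical, minimal stand-in for OPA's *ast.Rule (an
// assumption of this example): it keeps only the textual forms that the
// extraction regex is run over.
type Rule struct {
	Head      string // whole head, e.g. `test = input.parameters.test`
	HeadValue string // text of Head.Value; "" when the head carries no value
	Body      string // body text, e.g. `true` for a rule written without braces
}

// paramRef is the pattern used by konstraint's getBodyParamNames, copied
// from the diff in the thread.
var paramRef = regexp.MustCompile(`(core|input)\.parameters\.([a-zA-Z0-9_-]+)`)

// extract runs paramRef over every text and returns the distinct parameter
// names (capture group 2), sorted so results are stable.
func extract(texts ...string) []string {
	seen := map[string]bool{}
	for _, t := range texts {
		for _, m := range paramRef.FindAllStringSubmatch(t, -1) {
			seen[m[2]] = true
		}
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// bodyParamNames reproduces the behaviour the thread diagnoses: only the
// rule body is searched, so a reference in the head's value is missed.
func bodyParamNames(rules []Rule) []string {
	texts := make([]string, 0, len(rules))
	for _, r := range rules {
		texts = append(texts, r.Body)
	}
	return extract(texts...)
}

// allParamNames applies the fix proposed in the thread: the head value and
// the body are searched together.
func allParamNames(rules []Rule) []string {
	texts := make([]string, 0, 2*len(rules))
	for _, r := range rules {
		texts = append(texts, r.HeadValue, r.Body)
	}
	return extract(texts...)
}

// missingParams is the check the extraction exists to support: every
// parameter the policy references must be declared (annotated); anything
// referenced but undeclared is returned.
func missingParams(rules []Rule, declared []string) []string {
	ok := map[string]bool{}
	for _, d := range declared {
		ok[d] = true
	}
	var missing []string
	for _, n := range allParamNames(rules) {
		if !ok[n] {
			missing = append(missing, n)
		}
	}
	return missing
}

// sampleRules is constructed input: a violation rule, the one-line
// `test = input.parameters.test` rule from the thread, and a helper function.
func sampleRules() []Rule {
	return []Rule{
		{
			Head: `violation[{"msg": msg}]`,
			Body: `not input.parameters.allowed[input.review.object.metadata.namespace]; msg := sprintf("namespace not in %v", [input.parameters.allowed])`,
		},
		{
			Head:      `test = input.parameters.test`,
			HeadValue: `input.parameters.test`,
			Body:      `true`,
		},
		{
			Head: `has_label(l)`,
			Body: `input.parameters.labels[_] == l`,
		},
	}
}

func main() {
	rules := sampleRules()
	fmt.Println("body only:  ", bodyParamNames(rules))                                 // [allowed labels]
	fmt.Println("head + body:", allParamNames(rules))                                  // [allowed labels test]
	fmt.Println("undeclared: ", missingParams(rules, []string{"allowed", "labels"}))   // [test]
}
```

The body-only scan reports `allowed` and `labels` and treats the policy as fully declared; the combined scan additionally finds `test`, which the declared list lacks, and flags it.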
@stek29 I've implemented this in #279, I'd appreciate a quick review of the change if you have time.