
Comments (11)

aavarghese commented on June 2, 2024 2

@garethahealy @sabre1041 the latest release of OPA (v0.28.0) released yesterday contains support for schema annotations and uploading a directory of JSON schemas to the OPA engine. Compared to the previous release it supports schemas for both input and data documents. There are several features for globally scoped annotations and various other scopes, which should hopefully help with Rego library development for COP. Please check it out and let us know if you have any feedback. Here’s the documentation: https://www.openpolicyagent.org/docs/latest/schemas/ cc: @vazirim

from rego-policies.
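As an added illustration of the two annotation kinds the comment above refers to (this is example code written for this thread, not code from the rego-policies project or from OPA itself): a package-scoped METADATA block typing both the `input` document and a `data` document. Inline schemas are used so the file is self-contained; with a schema directory passed via `--schema ./schemas` one would instead write a reference such as `input: schema.kubernetes.deployment`. The package name, the schema contents and the `data.lib.required_labels` document are all constructed for this example.

```rego
# Added example, not the rego-policies project's code. Both schemas are attached
# at package scope, so every rule in the package is type-checked against them.
# The property lists are a constructed, minimal subset of a Kubernetes object.

# METADATA
# scope: package
# schemas:
#   - input: {"type": "object", "properties": {
#       "apiVersion": {"type": "string"},
#       "kind": {"type": "string"},
#       "metadata": {"type": "object", "properties": {
#         "name": {"type": "string"},
#         "labels": {"type": "object"}}}}}
#   - data.lib.required_labels: {"type": "object", "properties": {
#       "names": {"type": "array", "items": {"type": "string"}}}}
package ocp.bestpractices.required_labels

# Deny when a label listed in the data document data.lib.required_labels
# (for example {"names": ["app.kubernetes.io/name"]}) is absent from the
# resource under evaluation.
violation[msg] {
	name := data.lib.required_labels.names[_]
	not input.metadata.labels[name]
	msg := sprintf("%s/%s: required label %q is not set", [input.kind, input.metadata.name, name])
}

# The rule below is deliberately commented out: "lables" is not a property of
# metadata in the schema above, so `opa check` or `opa eval` run with the
# schema reports rego_type_error: undefined ref at compile time instead of the
# rule silently never matching at runtime. Uncomment it to see the checker fire.
# typo[msg] {
# 	not input.metadata.lables["app"]
# 	msg := "never reached"
# }
```

Run it with something like `opa eval --format pretty --input deployment.json --data required_labels.json --data required_labels.rego data.ocp.bestpractices.required_labels.violation`; because the schemas are inline no `--schema` flag is needed, and the type check happens before evaluation.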

sabre1041 commented on June 2, 2024 2

@aavarghese I saw the tweet and medium post!


garethahealy commented on June 2, 2024 1

@aavarghese @vazirim thoughts?

Wondering if this would be resolved by passing in the schemas dir. This PR suggests that's supported, but I can't see where it made the release, and when I've tried to pass in a dir, I get a read error:

opa eval --input /tmp/rhcop/23-03-2021-10-40/policy/ocp/bestpractices/common-k8s-labels-notset/test_data/unit/list.yml --data policy/lib --data policy/ocp/bestpractices/common-k8s-labels-notset/src.rego --schema _test/openshift-json-schema/release-4.5-local/ --profile --format pretty data.ocp.bestpractices.common_k8s_labels_notset
read _test/openshift-json-schema/release-4.5-local/: is a directory


vazirim commented on June 2, 2024 1

@garethahealy yes PR 3123 hasn't been merged yet but it's very close. It will be available in the next release of OPA.
It has support for schema directories and schema annotations attached to rules.


garethahealy commented on June 2, 2024

Did a bit of playing around tonight. Probably need to merge a couple of schemas to get something working due to how the rego is currently written:

$ opa eval --format pretty --input /tmp/rhcop/19-03-2021-17-27/policy/ocp/bestpractices/common-k8s-labels-notset/test_data/unit/list.yml --data policy/lib --data policy/lib/kubernetes.rego --data policy/lib/openshift.rego --data policy/ocp/bestpractices/common-k8s-labels-notset/src.rego --schema _test/openshift-json-schema/release-4.5-local/deploymentconfig-apps-v1.json data.ocp.bestpractices.common_k8s_labels_notset
2 errors occurred:
policy/lib/konstraint/core.rego:7: rego_type_error: undefined ref: input.review
	input.review
	      ^
	      have: "review"
	      want (one of): ["apiVersion" "kind" "metadata" "spec" "status"]
policy/lib/konstraint/core.rego:10: rego_type_error: undefined ref: input.review.object
	input.review.object
	      ^
	      have: "review"
	      want (one of): ["apiVersion" "kind" "metadata" "spec" "status"]


garethahealy commented on June 2, 2024

Even generating a schema that wraps a Gatekeeper review + target kind (see attached), I still hit issues around how the rego is written to handle multiple types:

policy/lib/konstraint/pods.rego:16: rego_type_error: undefined ref: data.lib.konstraint.core.resource.spec.jobTemplate.spec.template
	data.lib.konstraint.core.resource.spec.jobTemplate.spec.template
	                                       ^
	                                       have: "jobTemplate"
	                                       want (one of): ["template"]

schema.log

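The two errors quoted above have the same root cause: the schema describes the bare Kubernetes kind (apiVersion/kind/metadata/spec/status at the top level), while Gatekeeper-style policies read the resource from `input.review.object`, and a single-kind schema cannot cover both `spec.template` (Deployment-like) and `spec.jobTemplate.spec.template` (CronJob-like). The following is an added example written for this thread, not the rego-policies project's code: it types the review wrapper instead of the raw kind, and uses JSON Schema `anyOf` so the object may be either shape. It assumes an OPA release whose type checker handles `anyOf` as documented on the OPA schemas page; the package name and the trimmed property lists are constructed.

```rego
# Added example, not the rego-policies project's code. The annotation is placed
# on the path input.review.object, so input.review itself becomes a known ref
# and the "undefined ref: input.review" error no longer occurs. The anyOf lets
# the checker accept both spec.template and spec.jobTemplate.spec.template.

# METADATA
# scope: package
# schemas:
#   - input.review.object: {"anyOf": [
#       {"type": "object", "properties": {
#         "kind": {"type": "string"},
#         "spec": {"type": "object", "properties": {
#           "template": {"type": "object"}}}}},
#       {"type": "object", "properties": {
#         "kind": {"type": "string"},
#         "spec": {"type": "object", "properties": {
#           "jobTemplate": {"type": "object", "properties": {
#             "spec": {"type": "object", "properties": {
#               "template": {"type": "object"}}}}}}}}}]}
package example.gatekeeper.core

# The admission object under review (hypothetical helper, mirrors the usual
# Gatekeeper pattern of reading input.review.object).
resource := input.review.object

# Pod template regardless of workload kind. Each body references a path that
# exists in one of the anyOf alternatives, so both pass the type check; the
# kind guard keeps the two complete-rule definitions from conflicting.
pod_template := resource.spec.template {
	resource.kind != "CronJob"
}

pod_template := resource.spec.jobTemplate.spec.template {
	resource.kind == "CronJob"
}

# A path present in neither alternative, e.g. resource.spec.templte, would
# still be reported as rego_type_error: undefined ref, which is the behaviour
# the schema support is meant to give a policy library.
```

With a constructed input such as `{"review": {"object": {"kind": "CronJob", "spec": {"jobTemplate": {"spec": {"template": {}}}}}}}`, `opa eval --format pretty --input review.json --data core.rego data.example.gatekeeper.core.pod_template` evaluates the CronJob branch without the type checker rejecting the Deployment branch.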

garethahealy commented on June 2, 2024

Added an example showing the above:

git clone --branch schema-playground --depth 1 https://github.com/garethahealy/rego-policies.git
cd rego-policies
_test/testing-schema.sh


garethahealy commented on June 2, 2024

Hey @vazirim; I've tried with that PR as well but don't get any schema warnings when I'd expect to:

Any ideas what I might be doing wrong?


garethahealy commented on June 2, 2024

CC @sabre1041

The above commit link has comments around how we could use it.


garethahealy commented on June 2, 2024

@aavarghese; can the schema validation be used with variables?

i.e.: https://github.com/redhat-cop/rego-policies/blob/master/policy/ocp/bestpractices/container-env-maxmemory-notset/src.rego#L23-L27

Could I add the below schema to the above method?

# METADATA
# scope: rule
# schemas:
# - container: schema["container-v1"]

I've obviously tried but get:

rego_parse_error: invalid document reference


aavarghese commented on June 2, 2024

@garethahealy Today the schema support in OPA only allows the path refs to either be input or data.

We have future plans to look into supporting other refs for rule inputs/outputs etc. This is a good example use case for variables - thanks for sharing! Will let you know if there are updates. cc: @vazirim

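Since schema refs may only start at `input` or `data`, a local variable such as `container` cannot be annotated directly, which is the `invalid document reference` error above. What does work today is annotating the input path the variable is drawn from: the type checker carries that type into the variable, so a misspelled field on `container` is still reported. The following is an added example for this thread, not the rego-policies project's code; the package name and the trimmed container schema (a constructed subset of core/v1 Container) are assumptions.

```rego
# Added example, not the rego-policies project's code. The rule-scoped
# annotation types input.spec.template.spec.containers; the variable
# `container` bound from that array inherits the item type.
package example.bestpractices.container_memory_limit

# METADATA
# scope: rule
# schemas:
#   - input.spec.template.spec.containers: {"type": "array", "items": {
#       "type": "object", "properties": {
#         "name": {"type": "string"},
#         "resources": {"type": "object", "properties": {
#           "limits": {"type": "object", "properties": {
#             "memory": {"type": "string"}}}}}}}}
violation[msg] {
	container := input.spec.template.spec.containers[_]
	not container.resources.limits.memory
	msg := sprintf("container %q has no memory limit set", [container.name])
}

# Because `container` is typed, a typo such as container.resourses.limits.memory
# in the body above would fail with rego_type_error: undefined ref at check
# time, even though the annotation never names the variable itself.
```

A constructed Deployment-shaped input whose first container omits `resources.limits.memory` yields one violation from `opa eval --format pretty --input deployment.json --data policy.rego data.example.bestpractices.container_memory_limit.violation`; no `--schema` flag is needed because the schema is inline.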
