rego

package
v0.0.82
Published: Jan 24, 2025 License: Apache-2.0 Imports: 47 Imported by: 0

Documentation

Overview

Package rego provides the rego rule evaluator

Index

Constants

const (
	// RegoEvalType is the type of the rego evaluator
	RegoEvalType = "rego"
	// MinderRegoFile is the default rego file for minder.
	MinderRegoFile = "minder.rego"
	// RegoQueryPrefix is the prefix for rego queries
	RegoQueryPrefix = "data.minder"
)
const (
	// EnablePrintEnvVar is the environment variable to enable print statements
	EnablePrintEnvVar = "REGO_ENABLE_PRINT"
)

Variables

MinderRegoLib contains the minder-specific functions for rego

MinderRegoLibExperiments contains Minder-specific functions which should only be exposed when the given experiment is enabled.

Functions

func BaseDependencyExtract added in v0.0.82

func BaseDependencyExtract(res *interfaces.Result) func(*rego.Rego)

BaseDependencyExtract is a rego function that extracts dependencies from a file or subtree of the base filesystem in a pull_request or other diff context. It takes two arguments: the path to the file or subtree to be scanned. It returns the extracted dependencies as an AST term in the form of a protobom SBOM with the "nodes" fields but not "edges". It's exposed as `base_file.deps`.

func BaseFileArchive added in v0.0.81

func BaseFileArchive(res *interfaces.Result) func(*rego.Rego)

BaseFileArchive packages a set of files from the specified directory in the base filesystem (from a pull_request or other diff context) into a tarball. It takes one argument: a list of file or directory paths to include, and outputs the tarball as a string. It's exposed as `base_file.archive`.

func BaseFileExists added in v0.0.81

func BaseFileExists(res *interfaces.Result) func(*rego.Rego)

BaseFileExists is a rego function that checks if a file exists in the base filesystem from the ingester. Base filesystems are typically associated with pull requests. It takes one argument, the path to the file to check. It's exposed as `base_file.exists`.

func BaseFileHTTPType added in v0.0.81

func BaseFileHTTPType(res *interfaces.Result) func(*rego.Rego)

BaseFileHTTPType is a rego function that returns the HTTP type of a file in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the file to check. It's exposed as `base_file.http_type`.

func BaseFileLs added in v0.0.81

func BaseFileLs(res *interfaces.Result) func(*rego.Rego)

BaseFileLs is a rego function that lists the files in a directory in the base filesystem being evaluated (in a pull_request or other diff context). It takes one argument, the path to the directory to list. It's exposed as `base_file.ls`. If the file is a file, it returns the file itself. If the file is a directory, it returns the files in the directory. If the file is a symlink, it follows the symlink and returns the files in the target.

func BaseFileLsGlob added in v0.0.81

func BaseFileLsGlob(res *interfaces.Result) func(*rego.Rego)

BaseFileLsGlob is a rego function that lists the files matching a glob in a directory in the base filesystem being evaluated (in a pull_request or other diff context). It takes one argument, the path to the pattern to match. It's exposed as `base_file.ls_glob`.

func BaseFileRead added in v0.0.81

func BaseFileRead(res *interfaces.Result) func(*rego.Rego)

BaseFileRead is a rego function that reads a file from the base filesystem in a pull_request or other diff context. It takes one argument, the path to the file to read. It's exposed as `base_file.read`.

func BaseFileWalk added in v0.0.81

func BaseFileWalk(res *interfaces.Result) func(*rego.Rego)

BaseFileWalk is a rego function that walks the files in a directory in the base filesystem being evaluated (in a pull_request or other diff context). It takes one argument, the path to the directory to walk. It's exposed as `base_file.walk`.

func BaseListGithubActions added in v0.0.81

func BaseListGithubActions(res *interfaces.Result) func(*rego.Rego)

BaseListGithubActions is a rego function that lists the actions in a directory in the base filesystem being evaluated (in a pull_request or diff context). It takes one argument, the path to the directory to list. It's exposed as `github_workflow.base_ls_actions`. The function returns a set of strings, each string being the name of an action. The frizbee library guarantees that the actions are unique.

func DependencyExtract added in v0.0.82

func DependencyExtract(res *interfaces.Result) func(*rego.Rego)

DependencyExtract is a rego function that extracts dependencies from a file or subtree of the filesystem being evaluated (which comes from the ingester). It takes one argument: the path to the file or subtree to be scanned. It returns the extracted dependencies as an AST term in the form of a protobom SBOM with the "nodes" fields but not "edges". It's exposed as `file.deps`.

func FileArchive added in v0.0.81

func FileArchive(res *interfaces.Result) func(*rego.Rego)

FileArchive packages a set of files from the specified directory into a tarball. It takes one argument: a list of file or directory paths to include, and outputs the tarball as a string. It's exposed as `file.archive`.

func FileExists

func FileExists(res *interfaces.Result) func(*rego.Rego)

FileExists is a rego function that checks if a file exists in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the file to check. It's exposed as `file.exists`.

func FileHTTPType

func FileHTTPType(res *interfaces.Result) func(*rego.Rego)

FileHTTPType is a rego function that returns the HTTP type of a file in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the file to check. It's exposed as `file.http_type`.

func FileLs

func FileLs(res *interfaces.Result) func(*rego.Rego)

FileLs is a rego function that lists the files in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the directory to list. It's exposed as `file.ls`. If the file is a file, it returns the file itself. If the file is a directory, it returns the files in the directory. If the file is a symlink, it follows the symlink and returns the files in the target.

func FileLsGlob

func FileLsGlob(res *interfaces.Result) func(*rego.Rego)

FileLsGlob is a rego function that lists the files matching a glob in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the pattern to match. It's exposed as `file.ls_glob`.

func FileRead

func FileRead(res *interfaces.Result) func(*rego.Rego)

FileRead is a rego function that reads a file from the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the file to read. It's exposed as `file.read`.

func FileWalk

func FileWalk(res *interfaces.Result) func(*rego.Rego)

FileWalk is a rego function that walks the files in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the directory to walk. It's exposed as `file.walk`.

func JQIsTrue added in v0.0.70

func JQIsTrue(_ *interfaces.Result) func(*rego.Rego)

JQIsTrue is a rego function that accepts parsed YAML data and runs a jq query on it. The query is a string in jq format that returns a boolean. It returns a boolean indicating whether the jq query matches the parsed YAML data. It takes two arguments: the parsed YAML data as an AST term, and the jq query as a string. It's exposed as `jq.is_true`.

func LimitedDialer added in v0.0.82

func LimitedDialer(transport *http.Transport) http.RoundTripper

LimitedDialer is an HTTP Dialer (Rego topdown.CustomizeRoundTripper) which allows us to limit the destination of dialed requests to block specific network ranges (such as RFC1918 space). It operates by attempting to dial the requested URL (going through DNS resolution, etc.), and then examining the remote IP address via conn.RemoteAddr().
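The order of operations in LimitedDialer (dial first, then inspect conn.RemoteAddr()) is the part worth seeing in code. The block below is an added example, not Minder's implementation: the blocked-range list and the names limitedDial, blockedIP and LimitedClient are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/netip"
)

// Constructed block list (loopback, link-local, RFC1918); an assumption, the page does not show Minder's list.
var blockedNets = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"), netip.MustParsePrefix("::1/128"),
	netip.MustParsePrefix("169.254.0.0/16"), netip.MustParsePrefix("fe80::/10"),
	netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
}

// blockedIP reports whether ip falls inside any blocked range. Unmap first so
// an IPv4-mapped address such as ::ffff:10.0.0.1 is judged as 10.0.0.1.
func blockedIP(ip netip.Addr) bool {
	ip = ip.Unmap()
	for _, p := range blockedNets {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// limitedDial dials first (so the dialer performs DNS resolution) and only then inspects
// conn.RemoteAddr(): judging the address actually reached catches names that resolve to internal space.
func limitedDial(ctx context.Context, network, addr string) (net.Conn, error) {
	var d net.Dialer
	conn, err := d.DialContext(ctx, network, addr)
	if err != nil {
		return nil, err
	}
	tcp, ok := conn.RemoteAddr().(*net.TCPAddr)
	if !ok || blockedIP(tcp.AddrPort().Addr()) {
		conn.Close()
		return nil, fmt.Errorf("dial %s: %s is in a blocked range", addr, conn.RemoteAddr())
	}
	return conn, nil
}

// LimitedClient wires limitedDial into an http.Transport, the way LimitedDialer does for the evaluator's HTTP calls.
func LimitedClient() *http.Client {
	return &http.Client{Transport: &http.Transport{DialContext: limitedDial}}
}
```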

func ListGithubActions

func ListGithubActions(res *interfaces.Result) func(*rego.Rego)

ListGithubActions is a rego function that lists the actions in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the directory to list. It's exposed as `github_workflow.ls_actions`. The function returns a set of strings, each string being the name of an action. The frizbee library guarantees that the actions are unique.

func ParseToml added in v0.0.82

func ParseToml(_ *interfaces.Result) func(*rego.Rego)

ParseToml is a rego function that parses a TOML configuration string into a structured data format. It takes one argument: the TOML content as a string. It returns the parsed TOML data as an AST term. It's exposed as `parse_toml`.

func ParseYaml added in v0.0.70

func ParseYaml(_ *interfaces.Result) func(*rego.Rego)

ParseYaml is a rego function that parses a YAML string into a structured data format. It takes one argument: the YAML content as a string. It returns the parsed YAML data as an AST term. It's exposed as `parse_yaml`.

Types

type Config

type Config struct {
	// Type is the type of evaluation to perform
	Type EvaluationType `json:"type" mapstructure:"type" validate:"required"`
	// Def is the definition of the profile
	Def             string                      `json:"def" mapstructure:"def" validate:"required"`
	ViolationFormat ConstraintsViolationsFormat `json:"violation_format" mapstructure:"violationFormat"`
}

Config is the configuration for the rego evaluator

type ConstraintsViolationsFormat

type ConstraintsViolationsFormat string

ConstraintsViolationsFormat is the format to output violations in

const (
	// ConstraintsViolationsOutputText specifies that the violations should be printed as human-readable text
	ConstraintsViolationsOutputText ConstraintsViolationsFormat = "text"
	// ConstraintsViolationsOutputJSON specifies that violations should be output as JSON
	ConstraintsViolationsOutputJSON ConstraintsViolationsFormat = "json"
)

func (ConstraintsViolationsFormat) String

type EvaluationType

type EvaluationType string

EvaluationType is the type of evaluation to perform

const (
	// DenyByDefaultEvaluationType is the deny-by-default evaluation type
	// It uses the rego query "data.minder.allow" to determine if the
	// object is allowed.
	DenyByDefaultEvaluationType EvaluationType = "deny-by-default"
	// ConstraintsEvaluationType is the constraints evaluation type
	// It uses the rego query "data.minder.violations[results]" to determine
	// if the object violates any constraints. If there are any violations,
	// the object is denied. Denials may contain a message specified through
	// the "msg" key.
	ConstraintsEvaluationType EvaluationType = "constraints"
)

func (EvaluationType) String

func (e EvaluationType) String() string

type Evaluator

type Evaluator struct {
	// contains filtered or unexported fields
}

Evaluator is the evaluator for rego rules. It initializes the rego engine and evaluates the rules. The default rego package is "minder".

func NewRegoEvaluator

func NewRegoEvaluator(
	cfg *minderv1.RuleType_Definition_Eval_Rego,
	featureFlags openfeature.IClient,
	opts ...eoptions.Option,
) (*Evaluator, error)

NewRegoEvaluator creates a new rego evaluator

func (*Evaluator) Eval

Eval implements the Evaluator interface.

func (*Evaluator) RegisterDataSources added in v0.0.75

func (e *Evaluator) RegisterDataSources(dsr *v1datasources.DataSourceRegistry)

RegisterDataSources implements the Eval interface.

type Input

type Input struct {
	// Profile is the values set for the profile
	Profile map[string]any `json:"profile"`
	// Ingested is the values set for the ingested data
	Ingested any `json:"ingested"`
	// Properties contains the entity's properties as defined by
	// the provider
	Properties map[string]any `json:"properties"`
	// OutputFormat is the format to output violations in
	OutputFormat ConstraintsViolationsFormat `json:"output_format"`
}

Input is the input for the rego evaluator
