Documentation
Overview
Package rego provides the rego rule evaluator
Index
- Constants
- Variables
- func FileExists(res *interfaces.Result) func(*rego.Rego)
- func FileHTTPType(res *interfaces.Result) func(*rego.Rego)
- func FileLs(res *interfaces.Result) func(*rego.Rego)
- func FileLsGlob(res *interfaces.Result) func(*rego.Rego)
- func FileRead(res *interfaces.Result) func(*rego.Rego)
- func FileWalk(res *interfaces.Result) func(*rego.Rego)
- func JQIsTrue(_ *interfaces.Result) func(*rego.Rego)
- func ListGithubActions(res *interfaces.Result) func(*rego.Rego)
- func ParseYaml(_ *interfaces.Result) func(*rego.Rego)
- type Config
- type ConstraintsViolationsFormat
- type EvaluationType
- type Evaluator
- type Input
Constants
const (
	// RegoEvalType is the type of the rego evaluator
	RegoEvalType = "rego"
	// MinderRegoFile is the default rego file for minder.
	MinderRegoFile = "minder.rego"
	// RegoQueryPrefix is the prefix for rego queries
	RegoQueryPrefix = "data.minder"
)
const (
// EnablePrintEnvVar is the environment variable to enable print statements
EnablePrintEnvVar = "REGO_ENABLE_PRINT"
)
Variables
var MinderRegoLib = []func(res *interfaces.Result) func(*rego.Rego){
	FileExists,
	FileLs,
	FileLsGlob,
	FileHTTPType,
	FileRead,
	FileWalk,
	ListGithubActions,
	ParseYaml,
	JQIsTrue,
}
MinderRegoLib contains the minder-specific functions for rego
Functions
func FileExists
func FileExists(res *interfaces.Result) func(*rego.Rego)
FileExists is a rego function that checks if a file exists in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the file to check. It's exposed as `file.exists`.
func FileHTTPType
func FileHTTPType(res *interfaces.Result) func(*rego.Rego)
FileHTTPType is a rego function that returns the HTTP type of a file in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the file to check. It's exposed as `file.http_type`.
func FileLs
func FileLs(res *interfaces.Result) func(*rego.Rego)
FileLs is a rego function that lists the files in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the directory to list. It's exposed as `file.ls`. If the path refers to a regular file, it returns that file itself. If the path refers to a directory, it returns the files in the directory. If the path refers to a symlink, it follows the symlink and returns the files in the target.
func FileLsGlob
func FileLsGlob(res *interfaces.Result) func(*rego.Rego)
FileLsGlob is a rego function that lists the files matching a glob pattern in the filesystem being evaluated (which comes from the ingester). It takes one argument, the glob pattern (a path, possibly containing wildcards) to match. It's exposed as `file.ls_glob`.
func FileRead
func FileRead(res *interfaces.Result) func(*rego.Rego)
FileRead is a rego function that reads a file from the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the file to read. It's exposed as `file.read`.
func FileWalk
func FileWalk(res *interfaces.Result) func(*rego.Rego)
FileWalk is a rego function that walks the files in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the directory to walk. It's exposed as `file.walk`.
func JQIsTrue (added in v0.0.70)
func JQIsTrue(_ *interfaces.Result) func(*rego.Rego)
JQIsTrue is a rego function that accepts parsed YAML data and runs a jq query on it. The query is a string in jq format that returns a boolean. It returns a boolean indicating whether the jq query matches the parsed YAML data. It takes two arguments: the parsed YAML data as an AST term, and the jq query as a string. It's exposed as `jq.is_true`.
func ListGithubActions
func ListGithubActions(res *interfaces.Result) func(*rego.Rego)
ListGithubActions is a rego function that lists the GitHub Actions referenced by the workflow files in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the directory to list. It's exposed as `github_workflow.ls_actions`. The function returns a set of strings, each string being the name of an action. The frizbee library guarantees that the actions are unique.
func ParseYaml (added in v0.0.70)
func ParseYaml(_ *interfaces.Result) func(*rego.Rego)
ParseYaml is a rego function that parses a YAML string into a structured data format. It takes one argument: the YAML content as a string. It returns the parsed YAML data as an AST term. It's exposed as `parse_yaml`.
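The following policy is an added example (not code from the minder project) showing how the file and YAML builtins documented above compose under the deny-by-default evaluation type, where the evaluator queries `data.minder.allow`. It assumes the profile passed in `input.profile` carries two keys, `required_file` and `jq_check`; those key names are illustrative and not defined by the package.

```rego
package minder

import rego.v1

# Deny unless the rule body below succeeds.
default allow := false

# Assumed profile shape (not from the package docs):
#   input.profile.required_file : path to a config file that must be present
#   input.profile.jq_check      : jq expression that must evaluate to true
allow if {
	path := input.profile.required_file

	# file.exists / file.read operate on the ingested filesystem,
	# so the policy can only see what the ingester provided.
	file.exists(path)
	raw := file.read(path)

	# parse_yaml returns the document as an AST term, which jq.is_true
	# accepts directly together with the query string.
	parsed := parse_yaml(raw)
	jq.is_true(parsed, input.profile.jq_check)
}
```

Because `allow` defaults to false, a missing file, unparsable YAML, or a jq query that does not return true all leave the evaluation undefined or false and the entity is denied; nothing has to enumerate failure cases explicitly.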
Types
type Config
type Config struct {
	// Type is the type of evaluation to perform
	Type EvaluationType `json:"type" mapstructure:"type" validate:"required"`
	// Def is the definition of the profile
	Def string `json:"def" mapstructure:"def" validate:"required"`

	ViolationFormat ConstraintsViolationsFormat `json:"violation_format" mapstructure:"violationFormat"`
}
Config is the configuration for the rego evaluator
type ConstraintsViolationsFormat
type ConstraintsViolationsFormat string
ConstraintsViolationsFormat is the format to output violations in
const (
	// ConstraintsViolationsOutputText specifies that the violations should be printed as human-readable text
	ConstraintsViolationsOutputText ConstraintsViolationsFormat = "text"
	// ConstraintsViolationsOutputJSON specifies that violations should be output as JSON
	ConstraintsViolationsOutputJSON ConstraintsViolationsFormat = "json"
)
func (ConstraintsViolationsFormat) String
func (c ConstraintsViolationsFormat) String() string
type EvaluationType
type EvaluationType string
EvaluationType is the type of evaluation to perform
const (
	// DenyByDefaultEvaluationType is the deny-by-default evaluation type
	// It uses the rego query "data.minder.allow" to determine if the
	// object is allowed.
	DenyByDefaultEvaluationType EvaluationType = "deny-by-default"

	// ConstraintsEvaluationType is the constraints evaluation type
	// It uses the rego query "data.minder.violations[results]" to determine
	// if the object violates any constraints. If there are any violations,
	// the object is denied. Denials may contain a message specified through
	// the "msg" key.
	ConstraintsEvaluationType EvaluationType = "constraints"
)
func (EvaluationType) String
func (e EvaluationType) String() string
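An added example (not code from the minder project) of a policy written for the constraints evaluation type: the evaluator queries `data.minder.violations[results]`, any member of the set denies the entity, and each member's `msg` key is what gets reported in the configured violation format. It assumes the profile in `input.profile` carries an `allowed_actions` list; that key name is illustrative and not defined by the package.

```rego
package minder

import rego.v1

# Assumed profile shape (not from the package docs):
#   input.profile.allowed_actions : list of action names the repository may use

# Flag every action referenced by the repository's workflows that is not
# on the allow list. github_workflow.ls_actions returns a set of unique
# action names, so each offending action yields exactly one violation.
violations contains {"msg": msg} if {
	some action in github_workflow.ls_actions(".github/workflows")
	not action in input.profile.allowed_actions
	msg := sprintf("action %q is not in the allowed list", [action])
}

# Flag workflow files that do not declare a top-level "permissions" block,
# i.e. ones that fall back to the default token permissions.
violations contains {"msg": msg} if {
	some path in file.ls_glob(".github/workflows/*.yml")
	workflow := parse_yaml(file.read(path))
	not workflow.permissions
	msg := sprintf("%s does not declare top-level permissions", [path])
}
```

With no matching rule bodies the `violations` set is empty and the entity passes; otherwise every collected `msg` is surfaced, so a single evaluation reports all problems at once rather than stopping at the first one, which is the practical difference from the deny-by-default type.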
type Evaluator
type Evaluator struct {
// contains filtered or unexported fields
}
Evaluator is the evaluator for rego rules. It initializes the rego engine and evaluates the rules. The default rego package is "minder".
func NewRegoEvaluator
func NewRegoEvaluator(
	cfg *minderv1.RuleType_Definition_Eval_Rego,
	opts ...eoptions.Option,
) (*Evaluator, error)
NewRegoEvaluator creates a new rego evaluator
func (*Evaluator) Eval
func (e *Evaluator) Eval(
	ctx context.Context,
	pol map[string]any,
	entity protoreflect.ProtoMessage,
	res *interfaces.Result,
) error
Eval implements the Evaluator interface.
func (*Evaluator) RegisterDataSources (added in v0.0.75)
func (e *Evaluator) RegisterDataSources(dsr *v1datasources.DataSourceRegistry)
RegisterDataSources implements the Eval interface.
type Input
type Input struct {
	// Profile is the values set for the profile
	Profile map[string]any `json:"profile"`
	// Ingested is the values set for the ingested data
	Ingested any `json:"ingested"`
	// OutputFormat is the format to output violations in
	OutputFormat ConstraintsViolationsFormat `json:"output_format"`
}
Input is the input for the rego evaluator