package rego

v0.0.72
Published: Nov 5, 2024 License: Apache-2.0 Imports: 28 Imported by: 0

Documentation

Overview

Package rego provides the rego rule evaluator

Constants

const (
	// RegoEvalType is the type of the rego evaluator
	RegoEvalType = "rego"
	// MinderRegoFile is the default rego file for minder.
	MinderRegoFile = "minder.rego"
	// RegoQueryPrefix is the prefix for rego queries
	RegoQueryPrefix = "data.minder"
)
const (
	// EnablePrintEnvVar is the environment variable to enable print statements
	EnablePrintEnvVar = "REGO_ENABLE_PRINT"
)

Variables

MinderRegoLib contains the minder-specific functions for rego

Functions

func FileExists

func FileExists(res *interfaces.Result) func(*rego.Rego)

FileExists is a rego function that checks if a file exists in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the file to check. It's exposed as `file.exists`.

func FileHTTPType

func FileHTTPType(res *interfaces.Result) func(*rego.Rego)

FileHTTPType is a rego function that returns the HTTP type of a file in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the file to check. It's exposed as `file.http_type`.

func FileLs

func FileLs(res *interfaces.Result) func(*rego.Rego)

FileLs is a rego function that lists the files in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the directory to list. It's exposed as `file.ls`. If the path is a regular file, it returns that file itself. If the path is a directory, it returns the files in the directory. If the path is a symlink, it follows the symlink and returns the files in the target.

func FileLsGlob

func FileLsGlob(res *interfaces.Result) func(*rego.Rego)

FileLsGlob is a rego function that lists the files matching a glob pattern in the filesystem being evaluated (which comes from the ingester). It takes one argument, the glob pattern to match. It's exposed as `file.ls_glob`.

func FileRead

func FileRead(res *interfaces.Result) func(*rego.Rego)

FileRead is a rego function that reads a file from the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the file to read. It's exposed as `file.read`.

func FileWalk

func FileWalk(res *interfaces.Result) func(*rego.Rego)

FileWalk is a rego function that walks the files in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the directory to walk. It's exposed as `file.walk`.

func JQIsTrue added in v0.0.70

func JQIsTrue(_ *interfaces.Result) func(*rego.Rego)

JQIsTrue is a rego function that accepts parsed YAML data and runs a jq query on it. The query is a string in jq format that returns a boolean. It returns a boolean indicating whether the jq query matches the parsed YAML data. It takes two arguments: the parsed YAML data as an AST term, and the jq query as a string. It's exposed as `jq.is_true`.

func ListGithubActions

func ListGithubActions(res *interfaces.Result) func(*rego.Rego)

ListGithubActions is a rego function that lists the actions in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the directory to list. It's exposed as `github_workflow.ls_actions`. The function returns a set of strings, each string being the name of an action. The frizbee library guarantees that the actions are unique.

func ParseYaml added in v0.0.70

func ParseYaml(_ *interfaces.Result) func(*rego.Rego)

ParseYaml is a rego function that parses a YAML string into a structured data format. It takes one argument: the YAML content as a string. It returns the parsed YAML data as an AST term. It's exposed as `parse_yaml`.

Types

type Config

type Config struct {
	// Type is the type of evaluation to perform
	Type EvaluationType `json:"type" mapstructure:"type" validate:"required"`
	// Def is the definition of the profile
	Def             string                      `json:"def" mapstructure:"def" validate:"required"`
	ViolationFormat ConstraintsViolationsFormat `json:"violation_format" mapstructure:"violationFormat"`
}

Config is the configuration for the rego evaluator

type ConstraintsViolationsFormat

type ConstraintsViolationsFormat string

ConstraintsViolationsFormat is the format to output violations in

const (
	// ConstraintsViolationsOutputText specifies that the violations should be printed as human-readable text
	ConstraintsViolationsOutputText ConstraintsViolationsFormat = "text"
	// ConstraintsViolationsOutputJSON specifies that violations should be output as JSON
	ConstraintsViolationsOutputJSON ConstraintsViolationsFormat = "json"
)

func (ConstraintsViolationsFormat) String

type EvaluationType

type EvaluationType string

EvaluationType is the type of evaluation to perform

const (
	// DenyByDefaultEvaluationType is the deny-by-default evaluation type
	// It uses the rego query "data.minder.allow" to determine if the
	// object is allowed.
	DenyByDefaultEvaluationType EvaluationType = "deny-by-default"
	// ConstraintsEvaluationType is the constraints evaluation type
	// It uses the rego query "data.minder.violations[results]" to determine
	// if the object violates any constraints. If there are any violations,
	// the object is denied. Denials may contain a message specified through
	// the "msg" key.
	ConstraintsEvaluationType EvaluationType = "constraints"
)
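An added example policy, constructed here and not taken from the minder project, showing how the builtins documented above (`file.exists`, `file.read`, `file.ls_glob`, `parse_yaml`, `jq.is_true`, `github_workflow.ls_actions`) are used under both evaluation types: deny-by-default queries `data.minder.allow`, constraints queries `data.minder.violations[results]` and reports each element's `msg`. The profile keys `dependabot_query` and `allowed_actions` are assumed names that a profile would have to supply via `input.profile`.

```rego
package minder

# Deny-by-default evaluation: minder queries data.minder.allow, so the
# entity is allowed only when this rule evaluates to true.
default allow = false

allow {
    file.exists(".github/dependabot.yml")
    cfg := parse_yaml(file.read(".github/dependabot.yml"))
    # "dependabot_query" is an assumed profile key holding a jq expression
    # that returns a boolean, for example ".version == 2".
    jq.is_true(cfg, input.profile.dependabot_query)
}

# Constraints evaluation: minder queries data.minder.violations[results];
# every element denies the entity and its "msg" key is reported in the
# format selected by input.output_format.
violations[{"msg": msg}] {
    not file.exists("SECURITY.md")
    msg := "repository has no SECURITY.md"
}

# Every action referenced from the workflows must appear in the profile's
# allow list ("allowed_actions" is an assumed profile key; an array).
violations[{"msg": msg}] {
    allowed := {a | a := input.profile.allowed_actions[_]}
    action := github_workflow.ls_actions(".github/workflows")[_]
    not allowed[action]
    msg := sprintf("action %q is not in the allowed list", [action])
}

# Each workflow must declare top-level permissions (least privilege for the
# GITHUB_TOKEN): glob the ingested filesystem, parse each file, query it.
violations[{"msg": msg}] {
    path := file.ls_glob(".github/workflows/*.yml")[_]
    wf := parse_yaml(file.read(path))
    not jq.is_true(wf, "has(\"permissions\")")
    msg := sprintf("%s declares no top-level permissions", [path])
}
```

With `type: deny-by-default` only `allow` is consulted; with `type: constraints` only `violations` is, so a single file can serve either configuration.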

func (EvaluationType) String

func (e EvaluationType) String() string

type Evaluator

type Evaluator struct {
	// contains filtered or unexported fields
}

Evaluator is the evaluator for rego rules. It initializes the rego engine and evaluates the rules. The default rego package is "minder".

func NewRegoEvaluator

func NewRegoEvaluator(
	cfg *minderv1.RuleType_Definition_Eval_Rego,
	opts ...eoptions.Option,
) (*Evaluator, error)

NewRegoEvaluator creates a new rego evaluator

func (*Evaluator) Eval

func (e *Evaluator) Eval(
	ctx context.Context, pol map[string]any, entity protoreflect.ProtoMessage, res *interfaces.Result,
) error

Eval implements the Evaluator interface.

type Input

type Input struct {
	// Profile is the values set for the profile
	Profile map[string]any `json:"profile"`
	// Ingested is the values set for the ingested data
	Ingested any `json:"ingested"`
	// OutputFormat is the format to output violations in
	OutputFormat ConstraintsViolationsFormat `json:"output_format"`
}

Input is the input for the rego evaluator
