Feat bundle rego filter #106

Merged
merged 3 commits into from
Feb 3, 2022
Merged
2 changes: 2 additions & 0 deletions .wwhrd.yml
Expand Up @@ -55,3 +55,5 @@ exceptions:
- github.com/hashicorp/consul/api
# BSD-2.0 - https://github.com/Nvveen/Gotty/blob/master/LICENSE
- github.com/Nvveen/Gotty
# BSD-2.0 - https://github.com/rcrowley/go-metrics/blob/master/LICENSE
- github.com/rcrowley/go-metrics
4 changes: 0 additions & 4 deletions api/gen/go/cso/v1/validator_api_grpc.pb.go


4 changes: 0 additions & 4 deletions api/gen/go/harp/bundle/v1/bundle_api_grpc.pb.go


353 changes: 228 additions & 125 deletions api/gen/go/harp/bundle/v1/patch.pb.go


14 changes: 14 additions & 0 deletions api/proto/harp/bundle/v1/patch.proto
Expand Up @@ -71,6 +71,10 @@ message PatchSelector {
PatchSelectorMatchPath matchPath = 1;
// Match a package using a JMESPath query.
string jmesPath = 2;
// Match a package using a Rego policy.
string rego = 3;
// Match a package by secret.
PatchSelectorMatchSecret matchSecret = 4;
}

// PatchSelectorMatchPath represents package path matching strategies.
Expand All @@ -83,6 +87,16 @@ message PatchSelectorMatchPath {
string regex = 2;
}

// PatchSelectorMatchPath represents package path matching strategies.
message PatchSelectorMatchSecret {
// Strict case-sensitive secret matching.
// Value can be templatized.
string strict = 1;
// Regex secret matching.
// Value can be templatized.
string regex = 2;
}

// PatchPackagePath represents package path operations.
message PatchPackagePath {
// Template used to completely rewrite the package path.
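Review bot: The leading comment on the new `PatchSelectorMatchSecret` message (second hunk) is copied from `PatchSelectorMatchPath` and still describes package path matching; it should read `// PatchSelectorMatchSecret represents secret key matching strategies.`. `PatchSelector` now carries four selector fields (`matchPath`, `jmesPath`, `rego`, `matchSecret`) and nothing in the first hunk states whether they are combined or mutually exclusive, so a one-line comment on the message naming the rule would save patch authors from guessing. The `strict` and `regex` fields are documented as templatized, so the `regex` comment should also say whether the pattern is compiled before or after template expansion (presumably after — confirm against the evaluator). The matching docs example in `docs/onboarding/3-secret-bundle/4-patch.md` of this PR uses `"*_KEY"`, which Go's RE2 engine rejects as a repetition with no operand; `.*_KEY` is likely what was meant.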
3 changes: 3 additions & 0 deletions cmd/harp/internal/cmd/bundle_filter.go
Expand Up @@ -33,6 +33,7 @@ type bundleFilterParams struct {
excludePaths []string
keepPaths []string
jmesPath string
regoPolicy string
reverseLogic bool
}

Expand All @@ -55,6 +56,7 @@ var bundleFilterCmd = func() *cobra.Command {
ExcludePaths: params.excludePaths,
KeepPaths: params.keepPaths,
JMESPath: params.jmesPath,
RegoPolicy: params.regoPolicy,
ReverseLogic: params.reverseLogic,
}

Expand All @@ -71,6 +73,7 @@ var bundleFilterCmd = func() *cobra.Command {
cmd.Flags().StringArrayVar(&params.excludePaths, "exclude", []string{}, "Exclude path")
cmd.Flags().StringArrayVar(&params.keepPaths, "keep", []string{}, "Keep path")
cmd.Flags().StringVar(&params.jmesPath, "query", "", "JMESPath query used as package filter")
cmd.Flags().StringVar(&params.regoPolicy, "policy", "", "OPA Rego policy file as package filter")
cmd.Flags().BoolVar(&params.reverseLogic, "not", false, "Reverse filter logic expression")

return cmd
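Review bot: The new `--policy` flag takes a Rego policy file path, but its help text does not say what the policy must provide, unlike `--query` whose value is the expression itself; suggest `cmd.Flags().StringVar(&params.regoPolicy, "policy", "", "Path to an OPA Rego policy file used as package filter")` and a sentence in the command's long description naming the package and rule the policy must define. `RegoPolicy` is passed to the task alongside `JMESPath` with no visible check that only one of them is set, so the precedence when both `--query` and `--policy` are given is decided somewhere outside this hunk — either state it in the help text or reject the combination during flag handling so a misconfigured filter fails loudly instead of silently using one selector. The enclosing `bundleFilterCmd` closure starts and ends outside the hunk.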
33 changes: 33 additions & 0 deletions docs/onboarding/3-secret-bundle/4-patch.md
Expand Up @@ -20,6 +20,8 @@ bundle source without altering the source bundle.
- [Match by strict path](#match-by-strict-path)
- [Match by regex path](#match-by-regex-path)
- [Match by JMES filter](#match-by-jmes-filter)
- [Match by Rego policy](#match-by-rego-policy)
- [Match by secret key](#match-by-secret-key)
- [PatchSelectorMatchPath](#patchselectormatchpath)
- [PatchPackage](#patchpackage)
- [PatchPackagePath](#patchpackagepath)
Expand Down Expand Up @@ -181,6 +183,10 @@ message PatchSelector {
PatchSelectorMatchPath matchPath = 1;
// Match a package using a JMESPath query.
string jmesPath = 2;
// Match a package using a Rego policy.
string rego = 3;
// Match a package by secret.
PatchSelectorMatchSecret matchSecret = 4;
}
```

Expand All @@ -207,6 +213,33 @@ selector:
jmesPath: labels.database == "postgres"
```

#### Match by Rego policy

```yaml
selector:
rego: |-
package harp
default keep = false
keep {
input.annotations["infosec.elastic.co/v1/SecretPolicy#severity"] == "moderate"
input.secrets.data[_].key == "cookieEncryptionKey"
}
```

#### Match by secret key

```yaml
selector:
matchSecret:
strict: USER
```

```yaml
selector:
matchSecret:
regex: "*_KEY"
```

#### PatchSelectorMatchPath

`PatchSelectorMatchPath` is a package path matcher.
14 changes: 11 additions & 3 deletions go.mod
Expand Up @@ -68,7 +68,7 @@ require (
golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
golang.org/x/sys v0.0.0-20211210111614-af8b64212486
golang.org/x/sys v0.0.0-20220114195835-da31bd327af9
golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b
google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350
google.golang.org/grpc v1.44.0
Expand All @@ -79,6 +79,13 @@ require (
zntr.io/paseto v1.1.0
)

require (
github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/ghodss/yaml v1.0.0 // indirect
github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b // indirect
)

require (
github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
Expand Down Expand Up @@ -137,6 +144,7 @@ require (
github.com/mitchellh/mapstructure v1.4.3 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 // indirect
github.com/open-policy-agent/opa v0.37.1
github.com/opencontainers/go-digest v1.0.0-rc1 // indirect
github.com/pierrec/lz4 v2.5.2+incompatible // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
Expand All @@ -149,7 +157,7 @@ require (
github.com/spf13/pflag v1.0.5 // indirect
github.com/stoewer/go-strcase v1.2.0 // indirect
github.com/subosito/gotenv v1.2.0 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
go.etcd.io/etcd/api/v3 v3.5.1 // indirect
Expand All @@ -158,7 +166,7 @@ require (
go.uber.org/multierr v1.6.0 // indirect
golang.org/x/net v0.0.0-20211216030914-fe4d6282115f // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/appengine v1.6.7 // indirect
gopkg.in/ini.v1 v1.66.2 // indirect
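Review bot: `github.com/open-policy-agent/opa v0.37.1` is added inside the `// indirect` require block without the marker, so a direct dependency now sits among indirect ones; `go mod tidy` would move it into the first `require (` block beside the other direct dependencies. The new `OneOfOne/xxhash`, `ghodss/yaml`, `rcrowley/go-metrics` and `glob-intersection` entries also form a fourth separate `require (` block instead of being merged into the existing indirect block, which suggests the file was edited by hand; running `go mod tidy` before merge would normalize both and confirm the version set is consistent.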