Take selectors into use in executor #4004
Conversation
| GROUP BY pr.id | ||
| ) | ||
| SELECT sqlc.embed(profiles), | ||
| helper.selectors::profile_selector[] AS profiles_with_selectors |
There was a problem hiding this comment.
If this is too hairy, we can instead just loop over the profiles and do a get for each profile
There was a problem hiding this comment.
on the other hand, having everything in a single call is probably safer in the long run
| @@ -107,6 +107,7 @@ func newEnvForEntity(varName string, typ any, typName string) (*cel.Env, error) | |||
| } | |||
|
|
|||
| type compiledSelector struct { | |||
| orig string | |||
There was a problem hiding this comment.
there is ast.ToString but it doesn't guarantee that the result will be exactly the same, only that it will have the same meaning..
| @@ -258,9 +260,9 @@ type EntitySelection struct { | |||
| } | |||
|
|
|||
| // Select return true if the entity matches all the compiled expressions and false otherwise | |||
| func (s *EntitySelection) Select(se *internalpb.SelectorEntity, userOpts ...SelectOption) (bool, error) { | |||
| func (s *EntitySelection) Select(se *internalpb.SelectorEntity, userOpts ...SelectOption) (bool, string, error) { | |||
There was a problem hiding this comment.
I started wondering if it would be better to return a struct that would contain bool and string for now. Three return values from a function already starts to smell especially if the function is used in an interface.
There was a problem hiding this comment.
I think having a dedicated struct would be cleaner in terms of returning it and using it. A bool and a string can get confusing. However, this is not blocking IMO and can be done later.
There was a problem hiding this comment.
Alternatively, you could use presence or absence of the error as part of the boolean (and a particular error interface to indicate "not selected"), but I'm happy with this interface.
jhrozek
force-pushed
the
selectors_executor
branch
from
f0b6675
to
e6b1e24
Compare
internal/engine/executor.go
Outdated
| @@ -131,10 +136,14 @@ func (e *executor) EvalEntityEvent(ctx context.Context, inf *entities.EntityInfo | |||
| return fmt.Errorf("error while retrieving profiles and rule instances: %w", err) | |||
| } | |||
|
|
|||
| // For each profile, evaluate each rule and store the outcome in the database | |||
| // For each profile, get the profile-override status. Then, if there is no profile-override status, | |||
| // evaluate each rule and store the outcome in the database or store the override status for all rules | |||
There was a problem hiding this comment.
remind me what the "profile override status" is
| for _, profile := range profileAggregates { | ||
|
|
||
| profileEvalStatus := e.profileEvalStatus(ctx, provider, inf, profile) |
There was a problem hiding this comment.
@JAORMX I called the variable actually profileEvalStatus, but "profile-override status" in the comment. I'll fix the naming since it's confusing.
This will make it easier to extend what the query returns
This is to return the selectors at the same time as querying the profiles from the DB and be able to use them in the executor.
This returns the selectors to the engine through the ProfileAggregate structure
…ture from the models API This will make it easier to use the method in the executor
When an entity is not selected for a profile, let's save that into a profile-global status override and use that for all the statuses instead calling eval. Fixes: mindersec#3724
In addition to returning a bool, let's also return which selector did shortcut the evaluation when returning false
jhrozek
force-pushed
the
selectors_executor
branch
from
e6b1e24
to
1d88d5b
Compare
Summary
Fixes: #3724
Fixes: #3725
Change Type
Testing
manual
Review Checklist: