constraints.rego
# Entry rules (violation / audit) for one target hook. The literal "target"
# appears to be a placeholder substituted per target — the comment preceding the
# inventory rules below refers to data.hooks.<target> — confirm against the
# code that loads this module.
package hooks["target"]
# Emits one response for every review the library auto-rejects, without
# evaluating any constraint template. The constraint's spec.enforcementAction is
# passed through; when it is absent the response carries "deny", so an
# incomplete or malformed constraint fails closed rather than open.
violation[result] {
	data.hooks["target"].library.autoreject_review[rejection]
	rejected_constraint := object.get(rejection, "constraint", {})
	action := object.get(object.get(rejected_constraint, "spec", {}), "enforcementAction", "deny")
	result := {
		"msg": object.get(rejection, "msg", ""),
		"metadata": {"details": object.get(rejection, "details", {})},
		"constraint": rejected_constraint,
		"review": object.get(input, "review", {}),
		"enforcementAction": action,
	}
}
# Finds all violations for a given target: every constraint the library matches
# against the incoming review is evaluated through its template's violation rule.
# The template only sees the review plus the constraint's spec.parameters as
# input, and the cached inventory ({} when none is present) as data.inventory.
# A missing spec.enforcementAction is reported as "deny" (fail closed).
# NOTE(review): a template finding without a msg field leaves finding.msg
# undefined, so that finding is silently dropped — confirm templates always set msg.
violation[result] {
	data.hooks["target"].library.matching_constraints[constraint]
	incoming_review := object.get(input, "review", {})
	spec := object.get(constraint, "spec", {})
	template_input := {
		"review": incoming_review,
		"parameters": object.get(spec, "parameters", {}),
	}
	inventory[cached]
	data.templates["target"][constraint.kind].violation[finding] with input as template_input with data.inventory as cached
	result := {
		"msg": finding.msg,
		"metadata": {"details": object.get(finding, "details", {})},
		"constraint": constraint,
		"review": incoming_review,
		"enforcementAction": object.get(spec, "enforcementAction", "deny"),
	}
}
# Finds all violations in the cached state of a given target: each
# (review, constraint) pair the library reports as matching is evaluated through
# the constraint's template, with the same input/inventory scoping as the
# `violation` rule above. A missing spec.enforcementAction is reported as
# "deny" (fail closed).
# NOTE(review): as in `violation`, a finding without msg is silently dropped.
audit[result] {
	data.hooks["target"].library.matching_reviews_and_constraints[[stored_review, constraint]]
	spec := object.get(constraint, "spec", {})
	template_input := {
		"review": stored_review,
		"parameters": object.get(spec, "parameters", {}),
	}
	inventory[cached]
	data.templates["target"][constraint.kind].violation[finding] with input as template_input with data.inventory as cached
	result := {
		"msg": finding.msg,
		"metadata": {"details": object.get(finding, "details", {})},
		"constraint": constraint,
		"review": stored_review,
		"enforcementAction": object.get(spec, "enforcementAction", "deny"),
	}
}
# get_default(data, "external", {}) seems to cause this error:
# "rego_type_error: undefined function data.hooks.<target>.get_default"
# inventory is the value templates see as data.inventory. It is the target's
# cached external data when that exists; otherwise the set contains a single
# empty object, so templates that read data.inventory still evaluate instead
# of becoming undefined (which would drop their findings).
inventory[cached] {
	cached := data.external["target"]
}

inventory[{}] {
	not data.external["target"]
}
# get_default returns the value of an object's field or the provided default value.
# It avoids creating an undefined state when trying to access an object attribute that does
# not exist. Not called by the rules above (see the note preceding the inventory
# rules); they use object.get instead.
get_default(object, field, _default) = _default {
	not has_field(object, field)
}

get_default(object, field, _default) = value {
	value := object[field]
}
# has_field is true when `object` has a key named `field`, whatever value is
# stored there. Unifying the lookup with `_` is deliberate: a bare
# `object[field]` expression would evaluate to false (and fail the rule) when
# the stored value is `false`.
has_field(object, field) {
	object[field] = _
}