This one checks that all attributes of a metadata block are valid, i.e. not custom outside of the custom map. Signed-off-by: Anders Eknert <anders@styra.com>
1 parent
17bc200
commit 2f68245
Showing
6 changed files
with
144 additions
and
4 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
# METADATA | ||
# description: Invalid attribute in metadata annotation | ||
package regal.rules.bugs["invalid-metadata-attribute"] | ||
|
||
import future.keywords.contains | ||
import future.keywords.if | ||
import future.keywords.in | ||
|
||
import data.regal.ast | ||
import data.regal.result | ||
|
||
report contains violation if { | ||
some block in ast.comments.blocks | ||
|
||
startswith(trim_space(block[0].Text), "METADATA") | ||
|
||
text := _block_to_string(block) | ||
attributes := object.keys(yaml.unmarshal(text)) | ||
|
||
some attribute in attributes | ||
not attribute in ast.comments.metadata_attributes | ||
|
||
violation := result.fail(rego.metadata.chain(), result.location(_find_line(block, attribute))) | ||
} | ||
|
||
_block_to_string(block) := concat("\n", [line | | ||
some i, entry in block | ||
i > 0 | ||
line := entry.Text | ||
]) | ||
|
||
_find_line(block, attribute) := [line | | ||
some line in block | ||
startswith(trim_space(line.Text), sprintf("%s:", [attribute])) | ||
][0] |
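Review bot: `_find_line(block, attribute)` indexes `[0]` into a comprehension that is empty whenever no comment line starts with `<attribute>:`, e.g. a quoted key or a space before the colon, and because the call sits inside the `report` body the violation is then dropped instead of reported. The match also runs on `trim_space(line.Text)`, so a same-named key nested under `custom:` earlier in the block would be chosen as the location. A fallback to the block's first line, such as `result.location(block[0])` when no line matches, would keep the finding visible. Separately, the configuration example in this commit's docs file keys the rule as `invalid-metadata` while the package here is `invalid-metadata-attribute`; if configuration is looked up by rule name (not visible on this page), a copied `level:` setting would not take effect.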
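--- a/bundle/regal/rules/bugs/invalid_metadata_attribute_test.rego
+++ b/bundle/regal/rules/bugs/invalid_metadata_attribute_test.rego
@@ -0,0 +1,37 @@
+package regal.rules.bugs["invalid-metadata-attribute_test"]
+
+import future.keywords.if
+
+import data.regal.ast
+import data.regal.config
+import data.regal.rules.bugs["invalid-metadata-attribute"] as rule
+
+test_fail_invalid_attribute if {
+r := rule.report with input as ast.policy(`
+# METADATA
+# title: allow
+# is_true: yes
+allow := true
+`)
+r == {{
+"category": "bugs",
+"description": "Invalid attribute in metadata annotation",
+"level": "error",
+"location": {"col": 1, "file": "policy.rego", "row": 6, "text": "# is_true: yes"},
+"related_resources": [{
+"description": "documentation",
+"ref": config.docs.resolve_url("$baseUrl/$category/invalid-metadata-attribute", "bugs"),
+}],
+"title": "invalid-metadata-attribute",
+}}
+}
+
+test_success_valid_metadata if {
+r := rule.report with input as ast.policy(`
+# METADATA
+# title: valid
+# description: also valid
+allow := true
+`)
+r == set()
+}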
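Review bot: Neither test in this file covers a block that uses the `custom` map, which is the form the rule steers authors towards; a case with `# custom:` followed by an indented `# category: Routing` line and the expectation `r == set()` would pin that nested keys are not reported. `test_fail_invalid_attribute` has a single unknown key, so nothing here shows whether two invalid attributes in one block produce two violations with distinct locations. A block whose body is not a YAML mapping, such as a lone `# METADATA` line, is worth a case too, because the intended result for it is not stated in the files visible on this page.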
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
# invalid-metadata-attribute | ||
|
||
**Summary**: Invalid attribute in metadata annotation | ||
|
||
**Category**: Bugs | ||
|
||
**Avoid** | ||
```rego | ||
# METADATA | ||
# title: Main policy routing requests to other policies based on input | ||
# category: Routing | ||
package router | ||
``` | ||
|
||
**Prefer** | ||
```rego | ||
# METADATA | ||
# title: Main policy routing requests to other policies based on input | ||
# custom: | ||
# category: Routing | ||
package router | ||
``` | ||
|
||
## Rationale | ||
|
||
Metadata comments should follow the schema expected by | ||
[annotations](https://www.openpolicyagent.org/docs/latest/policy-language/#annotations). Custom attributes, like | ||
`category` above, should be placed under the `custom` key, which is a map of arbitrary key-value pairs. | ||
|
||
While arbitrary attributes is accepted, they will not be treated as metadata annotations but regular comments, and as | ||
such won't be available to other tools that | ||
[process annotations](https://www.openpolicyagent.org/docs/latest/policy-language/#accessing-annotations). | ||
These tools include built-in functions like | ||
[rego.metadata.rule](https://www.openpolicyagent.org/docs/latest/policy-reference/#builtin-rego-regometadatarule) and | ||
[rego.metadata.chain](https://www.openpolicyagent.org/docs/latest/policy-reference/#builtin-rego-regometadatachain). | ||
|
||
## Configuration Options | ||
|
||
This linter rule provides the following configuration options: | ||
|
||
```yaml | ||
rules: | ||
bugs: | ||
invalid-metadata: | ||
# one of "error", "warning", "ignore" | ||
level: error | ||
``` | ||
## Related Resources | ||
- OPA Docs: [Annotations](https://www.openpolicyagent.org/docs/latest/policy-language/#annotations) | ||
- OPA Docs: [Accessing Annotations](https://www.openpolicyagent.org/docs/latest/policy-language/#accessing-annotations) |