Flagging any reference in a policy that does not make use of an import where applicable. Fixes #540 Signed-off-by: Anders Eknert <anders@styra.com>
1 parent
55b8fa7
commit 3205762
Showing
8 changed files
with
167 additions
and
6 deletions.
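--- /dev/null
+++ b/<PATH_NOT_SHOWN>
@@ -0,0 +1,34 @@
+# METADATA
+# description: Reference ignores import
+package regal.rules.imports["ignored-import"]
+
+import rego.v1
+
+import data.regal.ast
+import data.regal.result
+
+import_paths contains path if {
+some imp in input.imports
+path := [p.value | some p in imp.path.value]
+
+path[0] in {"data", "input"}
+}
+
+report contains violation if {
+some ref in ast.all_rules_refs
+
+ref.value[0].type == "var"
+ref.value[0].value in {"data", "input"}
+
+most_specific_match := regal.last(sort([ip |
+ref_path := [p.value | some p in ref.value]
+
+some ip in import_paths
+array.slice(ref_path, 0, count(ip)) == ip
+]))
+
+violation := result.fail(rego.metadata.chain(), object.union(
+result.location(ref),
+{"description": sprintf("Reference ignores import of %s", [concat(".", most_specific_match)])},
+))
+}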
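Review bot: `ref_path := [p.value | some p in ref.value]` discards the term type, so a var term whose name equals an imported path segment (constructed example: `data[foo].bar` with `import data.foo` in scope) yields the same `ref_path` as the string ref `data.foo.bar` and would be reported as ignoring the import, which looks like a false positive. Only the first term of a ref is expected to be a var, so the compared prefix could keep the type, e.g. `ref_path := [[p.type, p.value] | some p in ref.value]` with the matching `path := [[p.type, p.value] | some p in imp.path.value]` in `import_paths` (the `path[0]` check would then read `path[0][1]`); this is hedged, since how `ast.all_rules_refs` normalises terms is not visible here. Separately, a ref with no matching import reaches `regal.last(sort([]))`, and the rule silently depends on `regal.last` being undefined for an empty array to drop that ref; a one-line comment above that line, such as `# undefined (no violation) when no import path is a prefix of the ref`, would make the intent explicit.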
@@ -0,0 +1,63 @@ | ||
package regal.rules.imports["ignored-import_test"] | ||
|
||
import rego.v1 | ||
|
||
import data.regal.ast | ||
import data.regal.config | ||
|
||
import data.regal.rules.imports["ignored-import"] as rule | ||
|
||
test_fail_ignored_import if { | ||
module := ast.policy(` | ||
import data.foo | ||
bar := data.foo | ||
`) | ||
|
||
r := rule.report with input as module | ||
r == {{ | ||
"category": "imports", | ||
"description": "Reference ignores import of data.foo", | ||
"level": "error", | ||
"location": {"col": 9, "file": "policy.rego", "row": 6, "text": "\tbar := data.foo"}, | ||
"related_resources": [{ | ||
"description": "documentation", | ||
"ref": config.docs.resolve_url("$baseUrl/$category/ignored-import", "imports"), | ||
}], | ||
"title": "ignored-import", | ||
}} | ||
} | ||
|
||
test_fail_ignored_most_specific_import if { | ||
module := ast.policy(` | ||
import data.foo | ||
import data.foo.bar | ||
bar := data.foo.bar | ||
`) | ||
|
||
r := rule.report with input as module | ||
r == {{ | ||
"category": "imports", | ||
"description": "Reference ignores import of data.foo.bar", | ||
"level": "error", | ||
"location": {"col": 9, "file": "policy.rego", "row": 7, "text": "\tbar := data.foo.bar"}, | ||
"related_resources": [{ | ||
"description": "documentation", | ||
"ref": config.docs.resolve_url("$baseUrl/$category/ignored-import", "imports"), | ||
}], | ||
"title": "ignored-import", | ||
}} | ||
} | ||
|
||
test_success_import_not_ignored if { | ||
module := ast.policy(` | ||
import data.foo.bar | ||
foo := bar | ||
baz := bar.baz | ||
`) | ||
|
||
r := rule.report with input as module | ||
r == set() | ||
} |
@@ -0,0 +1,59 @@ | ||
# ignored-import | ||
|
||
**Summary**: Reference ignores import | ||
|
||
**Category**: Imports | ||
|
||
**Avoid** | ||
```rego | ||
package policy | ||
import rego.v1 | ||
import data.authz.roles | ||
allow if { | ||
some role in input.user.roles | ||
# data.authz.roles has been imported, but the import is ignored here | ||
role in data.authz.roles.admin_roles | ||
} | ||
``` | ||
|
||
**Prefer** | ||
```rego | ||
package policy | ||
import rego.v1 | ||
import data.authz.roles | ||
allow if { | ||
some role in input.user.roles | ||
# imported data.authz.roles used | ||
role in roles.admin_roles | ||
} | ||
``` | ||
|
||
## Rationale | ||
|
||
Imports tend to make long, nested references more readable, and encourages reuse of common logic. Using a full reference | ||
(like `data.users.permissions`) despite having previously imported the reference, or parts of it (like `data.users`) | ||
defeats the purpose of the import, and you're better off referring to the import directly. | ||
|
||
## Configuration Options | ||
|
||
This linter rule provides the following configuration options: | ||
|
||
```yaml | ||
rules: | ||
imports: | ||
ignored-import: | ||
# one of "error", "warning", "ignore" | ||
level: error | ||
``` | ||
## Community | ||
If you think you've found a problem with this rule or its documentation, would like to suggest improvements, new rules, | ||
or just talk about Regal in general, please join us in the `#regal` channel in the Styra Community | ||
[Slack](https://communityinviter.com/apps/styracommunity/signup)! |