Documentation
Overview ¶
Package rego provides the rego rule evaluator
Index ¶
- Constants
- Variables
- func BaseDependencyExtract(res *interfaces.Ingested) func(*rego.Rego)
- func BaseFileArchive(res *interfaces.Ingested) func(*rego.Rego)
- func BaseFileExists(res *interfaces.Ingested) func(*rego.Rego)
- func BaseFileHTTPType(res *interfaces.Ingested) func(*rego.Rego)
- func BaseFileLs(res *interfaces.Ingested) func(*rego.Rego)
- func BaseFileLsGlob(res *interfaces.Ingested) func(*rego.Rego)
- func BaseFileRead(res *interfaces.Ingested) func(*rego.Rego)
- func BaseFileWalk(res *interfaces.Ingested) func(*rego.Rego)
- func BaseListGithubActions(res *interfaces.Ingested) func(*rego.Rego)
- func DependencyExtract(res *interfaces.Ingested) func(*rego.Rego)
- func FileArchive(res *interfaces.Ingested) func(*rego.Rego)
- func FileExists(res *interfaces.Ingested) func(*rego.Rego)
- func FileHTTPType(res *interfaces.Ingested) func(*rego.Rego)
- func FileLs(res *interfaces.Ingested) func(*rego.Rego)
- func FileLsGlob(res *interfaces.Ingested) func(*rego.Rego)
- func FileRead(res *interfaces.Ingested) func(*rego.Rego)
- func FileWalk(res *interfaces.Ingested) func(*rego.Rego)
- func JQIsTrue(_ *interfaces.Ingested) func(*rego.Rego)
- func LimitedDialer(transport *http.Transport) http.RoundTripper
- func ListGithubActions(res *interfaces.Ingested) func(*rego.Rego)
- func ParseToml(_ *interfaces.Ingested) func(*rego.Rego)
- func ParseYaml(_ *interfaces.Ingested) func(*rego.Rego)
- type Config
- type EvalOutputFormat
- type EvaluationType
- type Evaluator
- type Input
Constants ¶
const (
	// RegoEvalType is the type of the rego evaluator
	RegoEvalType = "rego"
	// MinderRegoFile is the default rego file for minder.
	MinderRegoFile = "minder.rego"
	// RegoQueryPrefix is the prefix for rego queries
	RegoQueryPrefix = "data.minder"
)
const (
// EnablePrintEnvVar is the environment variable to enable print statements
EnablePrintEnvVar = "REGO_ENABLE_PRINT"
)
Variables ¶
var MinderRegoLib = []func(res *interfaces.Ingested) func(*rego.Rego){
	FileExists,
	FileLs,
	FileLsGlob,
	FileHTTPType,
	FileRead,
	FileWalk,
	FileArchive,
	BaseFileArchive,
	ListGithubActions,
	ParseYaml,
	ParseToml,
	JQIsTrue,
}
MinderRegoLib contains the minder-specific functions for rego
var MinderRegoLibExperiments = map[flags.Experiment][]func(res *interfaces.Ingested) func(*rego.Rego){
	flags.GitPRDiffs: {
		BaseFileExists,
		BaseFileLs,
		BaseFileLsGlob,
		BaseFileHTTPType,
		BaseFileRead,
		BaseFileWalk,
		BaseListGithubActions,
	},
	flags.DependencyExtract: {
		DependencyExtract,
		BaseDependencyExtract,
	},
}
MinderRegoLibExperiments contains Minder-specific functions which should only be exposed when the given experiment is enabled.
Functions ¶
func BaseDependencyExtract ¶ added in v0.0.82
func BaseDependencyExtract(res *interfaces.Ingested) func(*rego.Rego)
BaseDependencyExtract adds the `base_file.deps` function to the Rego engine.
func BaseFileArchive ¶ added in v0.0.81
func BaseFileArchive(res *interfaces.Ingested) func(*rego.Rego)
BaseFileArchive adds the `base_file.archive` function to the Rego engine.
func BaseFileExists ¶ added in v0.0.81
func BaseFileExists(res *interfaces.Ingested) func(*rego.Rego)
BaseFileExists adds the `base_file.exists` function to the Rego engine.
func BaseFileHTTPType ¶ added in v0.0.81
func BaseFileHTTPType(res *interfaces.Ingested) func(*rego.Rego)
BaseFileHTTPType adds the `base_file.http_type` function to the Rego engine.
func BaseFileLs ¶ added in v0.0.81
func BaseFileLs(res *interfaces.Ingested) func(*rego.Rego)
BaseFileLs is a rego function that lists the files in a directory in the base filesystem being evaluated (in a pull_request or other diff context). It takes one argument, the path to the directory to list, and is exposed as `base_file.ls`. If the path is a regular file, it returns the file itself. If the path is a directory, it returns the files in the directory. If the path is a symlink, it follows the symlink and returns the files in the target.
func BaseFileLsGlob ¶ added in v0.0.81
func BaseFileLsGlob(res *interfaces.Ingested) func(*rego.Rego)
BaseFileLsGlob adds the `base_file.ls_glob` function to the Rego engine.
func BaseFileRead ¶ added in v0.0.81
func BaseFileRead(res *interfaces.Ingested) func(*rego.Rego)
BaseFileRead adds the `base_file.read` function to the Rego engine.
func BaseFileWalk ¶ added in v0.0.81
func BaseFileWalk(res *interfaces.Ingested) func(*rego.Rego)
BaseFileWalk adds the `base_file.walk` function to the Rego engine.
func BaseListGithubActions ¶ added in v0.0.81
func BaseListGithubActions(res *interfaces.Ingested) func(*rego.Rego)
BaseListGithubActions adds the `github_workflow.base_ls_actions` function to the Rego engine. The frizbee library guarantees that the actions are unique.
func DependencyExtract ¶ added in v0.0.82
func DependencyExtract(res *interfaces.Ingested) func(*rego.Rego)
DependencyExtract adds the `file.deps` function to the Rego engine.
func FileArchive ¶ added in v0.0.81
func FileArchive(res *interfaces.Ingested) func(*rego.Rego)
FileArchive adds the `file.archive` function to the Rego engine.
func FileExists ¶
func FileExists(res *interfaces.Ingested) func(*rego.Rego)
FileExists adds the `file.exists` function to the Rego engine.
func FileHTTPType ¶
func FileHTTPType(res *interfaces.Ingested) func(*rego.Rego)
FileHTTPType adds the `file.http_type` function to the Rego engine.
func FileLs ¶
func FileLs(res *interfaces.Ingested) func(*rego.Rego)
FileLs adds the `file.ls` function to the Rego engine.
func FileLsGlob ¶
func FileLsGlob(res *interfaces.Ingested) func(*rego.Rego)
FileLsGlob adds the `file.ls_glob` function to the Rego engine.
func FileRead ¶
func FileRead(res *interfaces.Ingested) func(*rego.Rego)
FileRead adds the `file.read` function to the Rego engine.
func FileWalk ¶
func FileWalk(res *interfaces.Ingested) func(*rego.Rego)
FileWalk adds the `file.walk` function to the Rego engine.
func JQIsTrue ¶ added in v0.0.70
func JQIsTrue(_ *interfaces.Ingested) func(*rego.Rego)
JQIsTrue adds the `jq.is_true` function to the Rego engine.
func LimitedDialer ¶ added in v0.0.82
func LimitedDialer(transport *http.Transport) http.RoundTripper
LimitedDialer is an HTTP dialer (Rego topdown.CustomizeRoundTripper) which allows us to limit the destination of dialed requests to block specific network ranges (such as RFC 1918 space). It operates by attempting to dial the requested URL (going through DNS resolution, etc.), and then examining the remote IP address via conn.RemoteAddr(). Because the check is made on the address the socket actually connected to rather than on a separate name lookup, a hostname that resolves to a blocked address, or whose resolution changes between lookup and connect, is still rejected.
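The following is an added example, not minder's LimitedDialer (whose source is not shown on this page), of the same post-connect check built from the Go standard library only: the dialer connects, inspects conn.RemoteAddr(), and tears the connection down if the peer falls inside a blocked range. The blocked-range list, the function names (IPBlocked, checkedDial, NewLimitedTransport) and the transport wiring are assumptions made for this illustration; the loopback listener in main is constructed locally so the example runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// ErrBlockedDestination is returned when the peer we actually connected to
// sits inside one of the blocked ranges.
var ErrBlockedDestination = errors.New("destination is in a blocked network range")

// blockedNets is the deny list used by this example (an assumption, not
// minder's list): RFC 1918, loopback, link-local (which also covers the
// 169.254.169.254 cloud metadata endpoint), IPv6 ULA and the unspecified
// addresses.
var blockedNets = mustParseCIDRs(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"127.0.0.0/8", "::1/128",
	"169.254.0.0/16", "fe80::/10",
	"fc00::/7",
	"0.0.0.0/8", "::/128",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IPBlocked reports whether ip falls inside any blocked range. IPNet.Contains
// normalises IPv4-mapped IPv6 addresses (::ffff:10.0.0.1), so a v4 address
// that arrives in 16-byte form is still matched against the v4 ranges.
func IPBlocked(ip net.IP) bool {
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// checkedDial dials first and inspects the peer afterwards. Deciding on
// conn.RemoteAddr() rather than on a separate DNS lookup means the check is
// made on the address the socket is really connected to, so a name whose
// answer changes between lookup and connect cannot slip past. Non-TCP peers
// are rejected outright; the HTTP transport only ever dials TCP.
func checkedDial(ctx context.Context, network, addr string) (net.Conn, error) {
	d := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := d.DialContext(ctx, network, addr)
	if err != nil {
		return nil, err
	}
	tcp, ok := conn.RemoteAddr().(*net.TCPAddr)
	if !ok || IPBlocked(tcp.IP) {
		remote := conn.RemoteAddr()
		conn.Close()
		return nil, fmt.Errorf("dial %s -> %s: %w", addr, remote, ErrBlockedDestination)
	}
	return conn, nil
}

// NewLimitedTransport returns an http.Transport in which every connection,
// including those opened while following redirects, goes through checkedDial.
// Proxy is left nil on purpose: a proxy taken from the environment would make
// the proxy, not the final destination, the dialed peer.
func NewLimitedTransport() *http.Transport {
	return &http.Transport{
		Proxy:       nil,
		DialContext: checkedDial,
	}
}

func main() {
	// Constructed local peer in a blocked range: the connect succeeds, the
	// post-connect check rejects it.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	_, err = checkedDial(context.Background(), "tcp", ln.Addr().String())
	fmt.Println("loopback dial rejected:", errors.Is(err, ErrBlockedDestination))
	for _, s := range []string{"169.254.169.254", "10.1.2.3", "8.8.8.8"} {
		fmt.Printf("%-16s blocked=%v\n", s, IPBlocked(net.ParseIP(s)))
	}
}
```

To use it, hand the transport to an http.Client (`&http.Client{Transport: NewLimitedTransport()}`); because redirects are followed through the same transport, each hop is dialed and checked independently, which is the behaviour you want when an attacker-controlled URL can 302 to an internal address.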
func ListGithubActions ¶
func ListGithubActions(res *interfaces.Ingested) func(*rego.Rego)
ListGithubActions adds the `github_workflow.ls_actions` function to the Rego engine. The frizbee library guarantees that the actions are unique.
Types ¶
type Config ¶
type Config struct {
	// Type is the type of evaluation to perform
	Type EvaluationType `json:"type" mapstructure:"type" validate:"required"`
	// Def is the definition of the profile
	Def string `json:"def" mapstructure:"def" validate:"required"`
	ViolationFormat EvalOutputFormat `json:"violation_format" mapstructure:"violationFormat"`
}
Config is the configuration for the rego evaluator
type EvalOutputFormat ¶ added in v0.1.0
type EvalOutputFormat string
EvalOutputFormat is the format to output violations in
const (
	// OutputText specifies that the violations should be printed as human-readable text
	OutputText EvalOutputFormat = "text"
	// OutputJSON specifies that violations should be output as JSON
	OutputJSON EvalOutputFormat = "json"
)
func (EvalOutputFormat) String ¶ added in v0.1.0
func (c EvalOutputFormat) String() string
type EvaluationType ¶
type EvaluationType string
EvaluationType is the type of evaluation to perform
const (
	// DenyByDefaultEvaluationType is the deny-by-default evaluation type
	// It uses the rego query "data.minder.allow" to determine if the
	// object is allowed.
	DenyByDefaultEvaluationType EvaluationType = "deny-by-default"
	// ConstraintsEvaluationType is the constraints evaluation type
	// It uses the rego query "data.minder.violations[results]" to determine
	// if the object violates any constraints. If there are any violations,
	// the object is denied. Denials may contain a message specified through
	// the "msg" key.
	ConstraintsEvaluationType EvaluationType = "constraints"
)
func (EvaluationType) String ¶
func (e EvaluationType) String() string
type Evaluator ¶
type Evaluator struct {
// contains filtered or unexported fields
}
Evaluator is the evaluator for rego rules. It initializes the rego engine and evaluates the rules. The default rego package is "minder".
func NewRegoEvaluator ¶
func NewRegoEvaluator(
	cfg *minderv1.RuleType_Definition_Eval_Rego,
	opts ...eoptions.Option,
) (*Evaluator, error)
NewRegoEvaluator creates a new rego evaluator
func (*Evaluator) Eval ¶
func (e *Evaluator) Eval(
	ctx context.Context,
	pol map[string]any,
	entity protoreflect.ProtoMessage,
	res *interfaces.Ingested,
) (*interfaces.EvaluationResult, error)
Eval implements the Evaluator interface.
func (*Evaluator) RegisterDataSources ¶ added in v0.0.75
func (e *Evaluator) RegisterDataSources(dsr *v1datasources.DataSourceRegistry)
RegisterDataSources implements the Eval interface.
type Input ¶
type Input struct {
	// Profile is the values set for the profile
	Profile map[string]any `json:"profile"`
	// Ingested is the values set for the ingested data
	Ingested any `json:"ingested"`
	// Properties contains the entity's properties as defined by
	// the provider
	Properties map[string]any `json:"properties"`
	// OutputFormat is the format to output violations in
	OutputFormat EvalOutputFormat `json:"output_format"`
}
Input is the input for the rego evaluator