github.com/zntrio/harp/v2@v2.0.9/pkg/bundle/selector/match_rego.go

github.com/zntrio/harp/v2@v2.0.9/pkg/bundle/selector/match_rego.go (about)

     1  // Licensed to Elasticsearch B.V. under one or more contributor
     2  // license agreements. See the NOTICE file distributed with
     3  // this work for additional information regarding copyright
     4  // ownership. Elasticsearch B.V. licenses this file to you under
     5  // the Apache License, Version 2.0 (the "License"); you may
     6  // not use this file except in compliance with the License.
     7  // You may obtain a copy of the License at
     8  //
     9  //     http://www.apache.org/licenses/LICENSE-2.0
    10  //
    11  // Unless required by applicable law or agreed to in writing,
    12  // software distributed under the License is distributed on an
    13  // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    14  // KIND, either express or implied.  See the License for the
    15  // specific language governing permissions and limitations
    16  // under the License.
    17  
    18  package selector
    19  
    20  import (
    21  	"context"
    22  	"errors"
    23  	"fmt"
    24  
    25  	"github.com/open-policy-agent/opa/rego"
    26  	"go.uber.org/zap"
    27  
    28  	bundlev1 "github.com/zntrio/harp/v2/api/gen/go/harp/bundle/v1"
    29  	"github.com/zntrio/harp/v2/pkg/sdk/log"
    30  )
    31  
    32  // MatchRego returns a Rego package matcher specification.
    33  func MatchRego(ctx context.Context, policy string) (Specification, error) {
    34  	// Prepare query filter
    35  	query, err := rego.New(
    36  		rego.Query("data.harp.matched"),
    37  		rego.Module("harp.rego", policy),
    38  	).PrepareForEval(ctx)
    39  	if err != nil {
    40  		return nil, fmt.Errorf("unable to prepare for eval: %w", err)
    41  	}
    42  
    43  	// Wrap as a builder
    44  	return &regoMatcher{
    45  		ctx:   ctx,
    46  		query: query,
    47  	}, nil
    48  }
    49  
    50  type regoMatcher struct {
    51  	ctx   context.Context
    52  	query rego.PreparedEvalQuery
    53  }
    54  
    55  // IsSatisfiedBy returns specification satisfaction status.
    56  func (s *regoMatcher) IsSatisfiedBy(object interface{}) bool {
    57  	// If object is a package
    58  	if p, ok := object.(*bundlev1.Package); ok {
    59  		// Evaluate filter compliance
    60  		matched, err := s.regoEvaluate(s.ctx, s.query, p)
    61  		if err != nil {
    62  			log.For(s.ctx).Debug("rego evaluation failed", zap.Error(err))
    63  			return false
    64  		}
    65  
    66  		return matched
    67  	}
    68  
    69  	return false
    70  }
    71  
    72  // -----------------------------------------------------------------------------
    73  
    74  func (s *regoMatcher) regoEvaluate(ctx context.Context, query rego.PreparedEvalQuery, input interface{}) (bool, error) {
    75  	// Evaluate the package with the policy
    76  	results, err := query.Eval(ctx, rego.EvalInput(input))
    77  	if err != nil {
    78  		return false, fmt.Errorf("unable to evaluate the policy: %w", err)
    79  	} else if len(results) == 0 {
    80  		// Handle undefined result.
    81  		return false, nil
    82  	}
    83  
    84  	// Extract decision
    85  	keep, ok := results[0].Expressions[0].Value.(bool)
    86  	if !ok {
    87  		// Handle unexpected result type.
    88  		return false, errors.New("the policy must return boolean")
    89  	}
    90  
    91  	// No error
    92  	return keep, nil
    93  }