kubelatte-ce

1
package opa
2

3
import (
4
	"context"
5
	"github.com/open-policy-agent/opa/ast"
6
	"github.com/open-policy-agent/opa/rego"
7
	"github.com/pkg/errors"
8
	"gitverse.ru/synapse/kubelatte/pkg/observability/logger"
9
	"sort"
10
)
11

12
func CapabilitiesForThisVersion() *ast.Capabilities {
13
	f := &ast.Capabilities{}
14

15
	// f.Builtins contains 149 allowed built-in functions
16
	f.Builtins = []*ast.Builtin{
17
		// Unification/equality ("=")
18
		ast.Equality,
19

20
		// Assignment (":=")
21
		ast.Assign,
22

23
		// Membership, infix "in": x in xs
24
		ast.Member,
25
		ast.MemberWithKey,
26

27
		// Comparisons
28
		ast.GreaterThan,
29
		ast.GreaterThanEq,
30
		ast.LessThan,
31
		ast.LessThanEq,
32
		ast.NotEqual,
33
		ast.Equal,
34

35
		// Arithmetic
36
		ast.Plus,
37
		ast.Minus,
38
		ast.Multiply,
39
		ast.Divide,
40
		ast.Ceil,
41
		ast.Floor,
42
		ast.Round,
43
		ast.Abs,
44
		ast.Rem,
45

46
		// Bitwise Arithmetic
47
		ast.BitsOr,
48
		ast.BitsAnd,
49
		ast.BitsNegate,
50
		ast.BitsXOr,
51
		ast.BitsShiftLeft,
52
		ast.BitsShiftRight,
53

54
		// Binary
55
		ast.And,
56
		ast.Or,
57

58
		// Aggregates
59
		ast.Count,
60
		ast.Sum,
61
		ast.Product,
62
		ast.Max,
63
		ast.Min,
64
		ast.Any,
65
		ast.All,
66

67
		// Arrays
68
		ast.ArrayConcat,
69
		ast.ArraySlice,
70
		ast.ArrayReverse,
71

72
		// Conversions
73
		ast.ToNumber,
74

75
		// Regular Expressions
76
		ast.RegexIsValid,
77
		ast.RegexMatch,
78
		ast.RegexMatchDeprecated,
79
		ast.RegexSplit,
80
		ast.GlobsMatch,
81
		ast.RegexTemplateMatch,
82
		ast.RegexFind,
83
		ast.RegexFindAllStringSubmatch,
84
		ast.RegexReplace,
85

86
		// Sets
87
		ast.SetDiff,
88
		ast.Intersection,
89
		ast.Union,
90

91
		// Strings
92
		ast.AnyPrefixMatch,
93
		ast.AnySuffixMatch,
94
		ast.Concat,
95
		ast.FormatInt,
96
		ast.IndexOf,
97
		ast.IndexOfN,
98
		ast.Substring,
99
		ast.Lower,
100
		ast.Upper,
101
		ast.Contains,
102
		ast.StartsWith,
103
		ast.EndsWith,
104
		ast.Split,
105
		ast.Replace,
106
		ast.ReplaceN,
107
		ast.Trim,
108
		ast.TrimLeft,
109
		ast.TrimPrefix,
110
		ast.TrimRight,
111
		ast.TrimSuffix,
112
		ast.TrimSpace,
113
		ast.Sprintf,
114
		ast.StringReverse,
115

116
		// Numbers
117
		ast.NumbersRange,
118

119
		// Encoding
120
		ast.JSONMarshal,
121
		ast.JSONUnmarshal,
122
		ast.JSONIsValid,
123
		ast.Base64Encode,
124
		ast.Base64Decode,
125
		ast.Base64IsValid,
126
		ast.Base64UrlEncode,
127
		ast.Base64UrlEncodeNoPad,
128
		ast.Base64UrlDecode,
129
		ast.URLQueryDecode,
130
		ast.URLQueryEncode,
131
		ast.URLQueryEncodeObject,
132
		ast.URLQueryDecodeObject,
133
		ast.YAMLMarshal,
134
		ast.YAMLUnmarshal,
135
		ast.YAMLIsValid,
136
		ast.HexEncode,
137
		ast.HexDecode,
138

139
		// Object Manipulation
140
		ast.ObjectUnion,
141
		ast.ObjectUnionN,
142
		ast.ObjectRemove,
143
		ast.ObjectFilter,
144
		ast.ObjectGet,
145
		ast.ObjectKeys,
146
		ast.ObjectSubset,
147

148
		// JSON Object Manipulation
149
		ast.JSONFilter,
150
		ast.JSONRemove,
151
		ast.JSONPatch,
152

153
		// Time
154
		ast.ParseNanos,
155
		ast.ParseRFC3339Nanos,
156
		ast.ParseDurationNanos,
157
		ast.Format,
158
		ast.Date,
159
		ast.Clock,
160
		ast.Weekday,
161
		ast.AddDate,
162
		ast.Diff,
163

164
		// Crypto
165
		//ast.CryptoX509ParseCertificates,
166
		//ast.CryptoX509ParseAndVerifyCertificates,
167
		//ast.CryptoMd5,
168
		//ast.CryptoSha1,
169
		ast.CryptoSha256,
170
		//ast.CryptoX509ParseCertificateRequest,
171
		//ast.CryptoX509ParseRSAPrivateKey,
172
		//ast.CryptoX509ParseKeyPair,
173
		//ast.CryptoParsePrivateKeys,
174
		//ast.CryptoHmacMd5,
175
		//ast.CryptoHmacSha1,
176
		//ast.CryptoHmacSha256,
177
		//ast.CryptoHmacSha512,
178
		//ast.CryptoHmacEqual,
179

180
		// Sort
181
		ast.Sort,
182

183
		// Types
184
		ast.IsNumber,
185
		ast.IsString,
186
		ast.IsBoolean,
187
		ast.IsArray,
188
		ast.IsSet,
189
		ast.IsObject,
190
		ast.IsNull,
191
		ast.TypeNameBuiltin,
192

193
		// JSON Schema
194
		ast.JSONSchemaVerify,
195
		ast.JSONMatchSchema,
196

197
		// Glob
198
		ast.GlobMatch,
199
		ast.GlobQuoteMeta,
200

201
		// Units
202
		ast.UnitsParse,
203
		ast.UnitsParseBytes,
204

205
		// SemVers
206
		ast.SemVerIsValid,
207
		ast.SemVerCompare,
208
	}
209
	sort.Slice(f.Builtins, func(i, j int) bool {
210
		return f.Builtins[i].Name < f.Builtins[j].Name
211
	})
212
	return f
213
}
214

215
func Precompile(module string) (rego.PreparedEvalQuery, error) {
216
	ctx := context.Background()
217
	log := logger.FromContext(ctx)
218

219
	template := "package kubelatte.rego\n" + module
220

221
	query, err := rego.New(
222
		rego.Query("x = data.kubelatte.rego.violation"),
223
		rego.Module("kubelatte.rego", template),
224
		rego.Capabilities(CapabilitiesForThisVersion()),
225
	).PrepareForEval(ctx)
226

227
	if err != nil {
228
		log.Errorf("Precompile failed %s", err)
229

230
		return rego.PreparedEvalQuery{}, errors.Wrap(err, "Precompile failed %s")
231
	}
232
	return query, nil
233
}
234