1package opa
2
3import (
4"context"
5"github.com/open-policy-agent/opa/ast"
6"github.com/open-policy-agent/opa/rego"
7"github.com/pkg/errors"
8"gitverse.ru/ktrntrsv/kubelatte-ce/pkg/observability/logger"
9"sort"
10)
11
// CapabilitiesForThisVersion builds the OPA capabilities used when compiling
// Rego modules in this package (Precompile passes the result to
// rego.Capabilities).
//
// Builtins is an explicit allow-list: a module compiled with these
// capabilities can call only the functions named below. The list contains no
// builtin that performs network I/O or exposes the OPA runtime; http.send,
// net.lookup_ip_addr and opa.runtime are absent, as are the io.jwt.* token
// builtins. Adding an entry widens what policy text can do, so each addition
// should be reviewed as a change to the sandbox.
//
// NOTE(review): only Builtins is populated. AllowNet, FutureKeywords and
// Features keep their zero values; how the pinned OPA version interprets an
// unset AllowNet, and whether modules need future keywords such as "in",
// should be confirmed against that version.
//
// The returned slice is sorted by builtin name.
func CapabilitiesForThisVersion() *ast.Capabilities {
	allowed := []*ast.Builtin{
		// Unification/equality ("=")
		ast.Equality,

		// Assignment (":=")
		ast.Assign,

		// Membership, infix "in": x in xs
		ast.Member,
		ast.MemberWithKey,

		// Comparisons
		ast.GreaterThan,
		ast.GreaterThanEq,
		ast.LessThan,
		ast.LessThanEq,
		ast.NotEqual,
		ast.Equal,

		// Arithmetic
		ast.Plus,
		ast.Minus,
		ast.Multiply,
		ast.Divide,
		ast.Ceil,
		ast.Floor,
		ast.Round,
		ast.Abs,
		ast.Rem,

		// Bitwise arithmetic
		ast.BitsOr,
		ast.BitsAnd,
		ast.BitsNegate,
		ast.BitsXOr,
		ast.BitsShiftLeft,
		ast.BitsShiftRight,

		// Binary
		ast.And,
		ast.Or,

		// Aggregates
		ast.Count,
		ast.Sum,
		ast.Product,
		ast.Max,
		ast.Min,
		ast.Any,
		ast.All,

		// Arrays
		ast.ArrayConcat,
		ast.ArraySlice,
		ast.ArrayReverse,

		// Conversions
		ast.ToNumber,

		// Regular expressions
		ast.RegexIsValid,
		ast.RegexMatch,
		ast.RegexMatchDeprecated,
		ast.RegexSplit,
		ast.GlobsMatch,
		ast.RegexTemplateMatch,
		ast.RegexFind,
		ast.RegexFindAllStringSubmatch,
		ast.RegexReplace,

		// Sets
		ast.SetDiff,
		ast.Intersection,
		ast.Union,

		// Strings
		ast.AnyPrefixMatch,
		ast.AnySuffixMatch,
		ast.Concat,
		ast.FormatInt,
		ast.IndexOf,
		ast.IndexOfN,
		ast.Substring,
		ast.Lower,
		ast.Upper,
		ast.Contains,
		ast.StartsWith,
		ast.EndsWith,
		ast.Split,
		ast.Replace,
		ast.ReplaceN,
		ast.Trim,
		ast.TrimLeft,
		ast.TrimPrefix,
		ast.TrimRight,
		ast.TrimSuffix,
		ast.TrimSpace,
		ast.Sprintf,
		ast.StringReverse,

		// Numbers
		ast.NumbersRange,

		// Encoding
		ast.JSONMarshal,
		ast.JSONUnmarshal,
		ast.JSONIsValid,
		ast.Base64Encode,
		ast.Base64Decode,
		ast.Base64IsValid,
		ast.Base64UrlEncode,
		ast.Base64UrlEncodeNoPad,
		ast.Base64UrlDecode,
		ast.URLQueryDecode,
		ast.URLQueryEncode,
		ast.URLQueryEncodeObject,
		ast.URLQueryDecodeObject,
		ast.YAMLMarshal,
		ast.YAMLUnmarshal,
		ast.YAMLIsValid,
		ast.HexEncode,
		ast.HexDecode,

		// Object manipulation
		ast.ObjectUnion,
		ast.ObjectUnionN,
		ast.ObjectRemove,
		ast.ObjectFilter,
		ast.ObjectGet,
		ast.ObjectKeys,
		ast.ObjectSubset,

		// JSON object manipulation
		ast.JSONFilter,
		ast.JSONRemove,
		ast.JSONPatch,

		// Time
		ast.ParseNanos,
		ast.ParseRFC3339Nanos,
		ast.ParseDurationNanos,
		ast.Format,
		ast.Date,
		ast.Clock,
		ast.Weekday,
		ast.AddDate,
		ast.Diff,

		// Crypto: SHA-256 is the only enabled entry. The commented-out
		// names are kept to show which crypto builtins are switched off.
		//ast.CryptoX509ParseCertificates,
		//ast.CryptoX509ParseAndVerifyCertificates,
		//ast.CryptoMd5,
		//ast.CryptoSha1,
		ast.CryptoSha256,
		//ast.CryptoX509ParseCertificateRequest,
		//ast.CryptoX509ParseRSAPrivateKey,
		//ast.CryptoX509ParseKeyPair,
		//ast.CryptoParsePrivateKeys,
		//ast.CryptoHmacMd5,
		//ast.CryptoHmacSha1,
		//ast.CryptoHmacSha256,
		//ast.CryptoHmacSha512,
		//ast.CryptoHmacEqual,

		// Sort
		ast.Sort,

		// Types
		ast.IsNumber,
		ast.IsString,
		ast.IsBoolean,
		ast.IsArray,
		ast.IsSet,
		ast.IsObject,
		ast.IsNull,
		ast.TypeNameBuiltin,

		// JSON Schema
		ast.JSONSchemaVerify,
		ast.JSONMatchSchema,

		// Glob
		ast.GlobMatch,
		ast.GlobQuoteMeta,

		// Units
		ast.UnitsParse,
		ast.UnitsParseBytes,

		// SemVers
		ast.SemVerIsValid,
		ast.SemVerCompare,
	}

	// Order the allow-list by builtin name.
	sort.Slice(allowed, func(a, b int) bool {
		return allowed[a].Name < allowed[b].Name
	})

	return &ast.Capabilities{Builtins: allowed}
}
214
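// Precompile places module under the fixed package "kubelatte.rego" and
// prepares the query "x = data.kubelatte.rego.violation" for evaluation.
//
// module is Rego source supplied by the caller and is concatenated after the
// package line without further checks. What that text may call is limited by
// CapabilitiesForThisVersion, which is passed to the compiler. Any builtin
// outside that allow-list makes PrepareForEval fail.
//
// On failure the error is logged and returned wrapped, together with a zero
// rego.PreparedEvalQuery.
//
// NOTE(review): compilation runs on context.Background(), so it has no
// deadline or cancellation here. Limits on evaluating the returned query, if
// any, would have to be applied by the caller. Confirm at the call site.
func Precompile(module string) (rego.PreparedEvalQuery, error) {
	ctx := context.Background()
	log := logger.FromContext(ctx)

	template := "package kubelatte.rego\n" + module

	query, err := rego.New(
		rego.Query("x = data.kubelatte.rego.violation"),
		rego.Module("kubelatte.rego", template),
		rego.Capabilities(CapabilitiesForThisVersion()),
	).PrepareForEval(ctx)
	if err != nil {
		log.Errorf("Precompile failed %s", err)

		// errors.Wrap does not interpret format verbs, so the message must
		// not carry a "%s"; the cause is appended by Wrap itself.
		return rego.PreparedEvalQuery{}, errors.Wrap(err, "Precompile failed")
	}

	return query, nil
}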
234