1package opa2
3import (4"context"5"github.com/open-policy-agent/opa/ast"6"github.com/open-policy-agent/opa/rego"7"github.com/pkg/errors"8"gitverse.ru/synapse/kubelatte/pkg/observability/logger"9"sort"10)
// CapabilitiesForThisVersion returns the OPA capabilities used when compiling
// policy modules in this package (Precompile passes the result to
// rego.Capabilities).
//
// Only the Builtins field is populated; every other field of ast.Capabilities
// keeps its zero value. The list is an allow-list: a built-in that does not
// appear below is not part of the returned capabilities, so a module calling it
// should fail to compile as an undefined function. No http.send, net.* or
// opa.runtime entry is present, and most crypto built-ins are commented out,
// which keeps policy evaluation free of network access and runtime
// introspection. Review any addition to this list with that boundary in mind.
//
// NOTE(review): FutureKeywords is left empty, so modules presumably cannot
// import future.keywords (including the infix "in" backed by ast.Member) —
// confirm against the OPA version in use.
func CapabilitiesForThisVersion() *ast.Capabilities {
	allowed := []*ast.Builtin{
		// Unification/equality ("=")
		ast.Equality,

		// Assignment (":=")
		ast.Assign,

		// Membership, infix "in": x in xs
		ast.Member,
		ast.MemberWithKey,

		// Comparisons
		ast.GreaterThan,
		ast.GreaterThanEq,
		ast.LessThan,
		ast.LessThanEq,
		ast.NotEqual,
		ast.Equal,

		// Arithmetic
		ast.Plus,
		ast.Minus,
		ast.Multiply,
		ast.Divide,
		ast.Ceil,
		ast.Floor,
		ast.Round,
		ast.Abs,
		ast.Rem,

		// Bitwise Arithmetic
		ast.BitsOr,
		ast.BitsAnd,
		ast.BitsNegate,
		ast.BitsXOr,
		ast.BitsShiftLeft,
		ast.BitsShiftRight,

		// Binary
		ast.And,
		ast.Or,

		// Aggregates
		ast.Count,
		ast.Sum,
		ast.Product,
		ast.Max,
		ast.Min,
		ast.Any,
		ast.All,

		// Arrays
		ast.ArrayConcat,
		ast.ArraySlice,
		ast.ArrayReverse,

		// Conversions
		ast.ToNumber,

		// Regular Expressions
		ast.RegexIsValid,
		ast.RegexMatch,
		ast.RegexMatchDeprecated,
		ast.RegexSplit,
		ast.GlobsMatch,
		ast.RegexTemplateMatch,
		ast.RegexFind,
		ast.RegexFindAllStringSubmatch,
		ast.RegexReplace,

		// Sets
		ast.SetDiff,
		ast.Intersection,
		ast.Union,

		// Strings
		ast.AnyPrefixMatch,
		ast.AnySuffixMatch,
		ast.Concat,
		ast.FormatInt,
		ast.IndexOf,
		ast.IndexOfN,
		ast.Substring,
		ast.Lower,
		ast.Upper,
		ast.Contains,
		ast.StartsWith,
		ast.EndsWith,
		ast.Split,
		ast.Replace,
		ast.ReplaceN,
		ast.Trim,
		ast.TrimLeft,
		ast.TrimPrefix,
		ast.TrimRight,
		ast.TrimSuffix,
		ast.TrimSpace,
		ast.Sprintf,
		ast.StringReverse,

		// Numbers
		ast.NumbersRange,

		// Encoding
		ast.JSONMarshal,
		ast.JSONUnmarshal,
		ast.JSONIsValid,
		ast.Base64Encode,
		ast.Base64Decode,
		ast.Base64IsValid,
		ast.Base64UrlEncode,
		ast.Base64UrlEncodeNoPad,
		ast.Base64UrlDecode,
		ast.URLQueryDecode,
		ast.URLQueryEncode,
		ast.URLQueryEncodeObject,
		ast.URLQueryDecodeObject,
		ast.YAMLMarshal,
		ast.YAMLUnmarshal,
		ast.YAMLIsValid,
		ast.HexEncode,
		ast.HexDecode,

		// Object Manipulation
		ast.ObjectUnion,
		ast.ObjectUnionN,
		ast.ObjectRemove,
		ast.ObjectFilter,
		ast.ObjectGet,
		ast.ObjectKeys,
		ast.ObjectSubset,

		// JSON Object Manipulation
		ast.JSONFilter,
		ast.JSONRemove,
		ast.JSONPatch,

		// Time
		ast.ParseNanos,
		ast.ParseRFC3339Nanos,
		ast.ParseDurationNanos,
		ast.Format,
		ast.Date,
		ast.Clock,
		ast.Weekday,
		ast.AddDate,
		ast.Diff,

		// Crypto: only SHA-256 is enabled. The remaining entries are kept
		// commented out so the disabled set stays visible to reviewers.
		//ast.CryptoX509ParseCertificates,
		//ast.CryptoX509ParseAndVerifyCertificates,
		//ast.CryptoMd5,
		//ast.CryptoSha1,
		ast.CryptoSha256,
		//ast.CryptoX509ParseCertificateRequest,
		//ast.CryptoX509ParseRSAPrivateKey,
		//ast.CryptoX509ParseKeyPair,
		//ast.CryptoParsePrivateKeys,
		//ast.CryptoHmacMd5,
		//ast.CryptoHmacSha1,
		//ast.CryptoHmacSha256,
		//ast.CryptoHmacSha512,
		//ast.CryptoHmacEqual,

		// Sort
		ast.Sort,

		// Types
		ast.IsNumber,
		ast.IsString,
		ast.IsBoolean,
		ast.IsArray,
		ast.IsSet,
		ast.IsObject,
		ast.IsNull,
		ast.TypeNameBuiltin,

		// JSON Schema
		ast.JSONSchemaVerify,
		ast.JSONMatchSchema,

		// Glob
		ast.GlobMatch,
		ast.GlobQuoteMeta,

		// Units
		ast.UnitsParse,
		ast.UnitsParseBytes,

		// SemVers
		ast.SemVerIsValid,
		ast.SemVerCompare,
	}

	// Order the allow-list by built-in name before handing it to OPA.
	byName := func(a, b int) bool {
		return allowed[a].Name < allowed[b].Name
	}
	sort.Slice(allowed, byName)

	caps := &ast.Capabilities{}
	caps.Builtins = allowed
	return caps
}
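// Precompile compiles a Rego snippet into a prepared query that evaluates
// data.kubelatte.rego.violation.
//
// module is appended verbatim after a fixed "package kubelatte.rego" header; it
// is not validated or size-limited here. The only restriction applied to its
// contents is the built-in allow-list from CapabilitiesForThisVersion, so that
// list is the security boundary for policy text coming from less trusted
// sources. Compilation runs on context.Background(), which means it has no
// deadline and cannot be cancelled by the caller.
//
// On failure the error is logged and returned wrapped with the message
// "Precompile failed"; the returned query is the zero value in that case.
func Precompile(module string) (rego.PreparedEvalQuery, error) {
	ctx := context.Background()
	log := logger.FromContext(ctx)

	// Force every module into the same package so the fixed query below can
	// find its "violation" rule.
	template := "package kubelatte.rego\n" + module

	query, err := rego.New(
		rego.Query("x = data.kubelatte.rego.violation"),
		rego.Module("kubelatte.rego", template),
		// Restrict the compiler to the allow-listed built-ins.
		rego.Capabilities(CapabilitiesForThisVersion()),
	).PrepareForEval(ctx)
	if err != nil {
		log.Errorf("Precompile failed %s", err)

		// errors.Wrap does not interpret format verbs, so the previous
		// "Precompile failed %s" message leaked a literal "%s" into the
		// returned error text.
		return rego.PreparedEvalQuery{}, errors.Wrap(err, "Precompile failed")
	}
	return query, nil
}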