Documentation
Overview
Package rego provides the rego rule evaluator
Index
- Constants
- Variables
- func FileExists(res *engif.Result) func(*rego.Rego)
- func FileHTTPType(res *engif.Result) func(*rego.Rego)
- func FileLs(res *engif.Result) func(*rego.Rego)
- func FileLsGlob(res *engif.Result) func(*rego.Rego)
- func FileRead(res *engif.Result) func(*rego.Rego)
- func FileWalk(res *engif.Result) func(*rego.Rego)
- func ListGithubActions(res *engif.Result) func(*rego.Rego)
- type Config
- type ConstraintsViolationsFormat
- type EvaluationType
- type Evaluator
- type Input
Constants
const (
	// RegoEvalType is the type of the rego evaluator
	RegoEvalType = "rego"
	// MinderRegoFile is the default rego file for minder.
	MinderRegoFile = "minder.rego"
	// RegoQueryPrefix is the prefix for rego queries
	RegoQueryPrefix = "data.minder"
)
const (
// EnablePrintEnvVar is the environment variable to enable print statements
EnablePrintEnvVar = "REGO_ENABLE_PRINT"
)
Variables
var MinderRegoLib = []func(res *engif.Result) func(*rego.Rego){
	FileExists,
	FileLs,
	FileLsGlob,
	FileHTTPType,
	FileRead,
	FileWalk,
	ListGithubActions,
}
MinderRegoLib contains the minder-specific functions for rego
Functions
func FileExists
FileExists is a rego function that checks if a file exists in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the file to check. It's exposed as `file.exists`.
func FileHTTPType (added in v0.0.27)
FileHTTPType is a rego function that returns the HTTP type of a file in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the file to check. It's exposed as `file.http_type`.
func FileLs
FileLs is a rego function that lists the files in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the directory to list. It's exposed as `file.ls`. If the path points to a regular file, it returns the file itself. If it points to a directory, it returns the files in the directory. If it points to a symlink, it follows the symlink and returns the files in the target.
func FileLsGlob (added in v0.0.27)
FileLsGlob is a rego function that lists the files matching a glob in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the glob pattern to match. It's exposed as `file.ls_glob`.
func FileRead
FileRead is a rego function that reads a file from the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the file to read. It's exposed as `file.read`.
func FileWalk (added in v0.0.27)
FileWalk is a rego function that walks the files in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the directory to walk. It's exposed as `file.walk`.
func ListGithubActions (added in v0.0.19)
ListGithubActions is a rego function that lists the actions in a directory in the filesystem being evaluated (which comes from the ingester). It takes one argument, the path to the directory to list. It's exposed as `github_workflow.ls_actions`. The function returns a set of strings, each string being the name of an action. The frizbee library guarantees that the actions are unique.
Types
type Config
type Config struct {
	// Type is the type of evaluation to perform
	Type EvaluationType `json:"type" mapstructure:"type" validate:"required"`
	// Def is the definition of the profile
	Def string `json:"def" mapstructure:"def" validate:"required"`
	ViolationFormat ConstraintsViolationsFormat `json:"violation_format" mapstructure:"violationFormat"`
}
Config is the configuration for the rego evaluator
type ConstraintsViolationsFormat (added in v0.0.19)
type ConstraintsViolationsFormat string
ConstraintsViolationsFormat is the format to output violations in
const (
	// ConstraintsViolationsOutputText specifies that the violations should be printed as human-readable text
	ConstraintsViolationsOutputText ConstraintsViolationsFormat = "text"
	// ConstraintsViolationsOutputJSON specifies that violations should be output as JSON
	ConstraintsViolationsOutputJSON ConstraintsViolationsFormat = "json"
)
func (ConstraintsViolationsFormat) String (added in v0.0.19)
func (c ConstraintsViolationsFormat) String() string
type EvaluationType
type EvaluationType string
EvaluationType is the type of evaluation to perform
const (
	// DenyByDefaultEvaluationType is the deny-by-default evaluation type
	// It uses the rego query "data.minder.allow" to determine if the
	// object is allowed.
	DenyByDefaultEvaluationType EvaluationType = "deny-by-default"
	// ConstraintsEvaluationType is the constraints evaluation type
	// It uses the rego query "data.minder.violations[results]" to determine
	// if the object violates any constraints. If there are any violations,
	// the object is denied. Denials may contain a message specified through
	// the "msg" key.
	ConstraintsEvaluationType EvaluationType = "constraints"
)
func (EvaluationType) String
func (e EvaluationType) String() string
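A policy, added here as an example and not taken from the minder project, that uses the file and github_workflow builtins documented above and defines both query targets named under EvaluationType: `violations` for constraints mode and `allow` for deny-by-default mode. It assumes rego.v1 syntax, that `file.read` returns the file contents as a string, that action names look like `owner/name@ref`, and a made-up profile parameter `trusted_action_owners`.

```rego
# Added example policy (not from the minder project). Assumes the ingester
# exposed a git checkout of the repository and that the profile carries a
# made-up parameter, trusted_action_owners: a list of GitHub owners whose
# actions workflows may use. Written in rego.v1 syntax (OPA 0.59 and later).
package minder

import rego.v1

# --- constraints evaluation: queried as data.minder.violations[results] ---

# Every repository must ship a top-level SECURITY.md.
violations contains {"msg": msg} if {
	not file.exists("SECURITY.md")
	msg := "SECURITY.md is missing"
}

# A CODEOWNERS file that exists but is empty provides no review coverage.
# file.read is assumed to return the file contents as a string.
violations contains {"msg": msg} if {
	file.exists(".github/CODEOWNERS")
	trim_space(file.read(".github/CODEOWNERS")) == ""
	msg := ".github/CODEOWNERS exists but is empty"
}

# Every action referenced by any workflow must come from a trusted owner.
# github_workflow.ls_actions returns a set of action names, assumed here
# to look like "owner/name@ref".
violations contains {"msg": msg} if {
	some action in github_workflow.ls_actions(".github/workflows")
	owner := split(action, "/")[0]
	not trusted(owner)
	msg := sprintf("workflow uses action %s from untrusted owner %s", [action, owner])
}

# Undefined when the profile sets no trusted owners, so every action is flagged.
trusted(owner) if owner in input.profile.trusted_action_owners

# --- deny-by-default evaluation: queried as data.minder.allow ---

# The same policy can back deny-by-default mode: allow only when the
# constraints above produce no violations.
default allow := false

allow if count(violations) == 0
```

With a constraints-type rule the evaluator reports each `msg` (as text or JSON per OutputFormat); with a deny-by-default rule it only reports whether `allow` held.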
type Evaluator
type Evaluator struct {
// contains filtered or unexported fields
}
Evaluator is the evaluator for rego rules. It initializes the rego engine and evaluates the rules. The default rego package is "minder".
func NewRegoEvaluator
func NewRegoEvaluator(cfg *minderv1.RuleType_Definition_Eval_Rego) (*Evaluator, error)
NewRegoEvaluator creates a new rego evaluator
type Input
type Input struct {
	// Profile is the values set for the profile
	Profile map[string]any `json:"profile"`
	// Ingested is the values set for the ingested data
	Ingested any `json:"ingested"`
	// OutputFormat is the format to output violations in
	OutputFormat ConstraintsViolationsFormat `json:"output_format"`
}
Input is the input for the rego evaluator