Fixes #24380: Rename policy_mode to policy_mode_override
amousset committed Mar 8, 2024
1 parent 720a337 commit e6e6a1d
Showing 14 changed files with 83 additions and 71 deletions.
2 changes: 1 addition & 1 deletion policies/rudder-commons/src/lib.rs
Expand Up @@ -309,7 +309,7 @@ impl PolicyMode {
String::deserialize(deserializer).and_then(|string| match string.as_ref() {
"enforce" => Ok(Some(PolicyMode::Enforce)),
"audit" => Ok(Some(PolicyMode::Audit)),
"default" => Ok(None),
"none" => Ok(None),
_ => Err(Error::custom(format!(
"Could not parse policy mode '{}'",
string
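Review bot: The `"none"` arm replaces `"default"` outright, so a technique that still carries the value `default` now falls into the `_` arm and fails with only "Could not parse policy mode 'default'". Failing closed is the right direction for a setting that decides whether a method may modify the system, but the message gives the author no hint of what changed. Consider naming the accepted values in the error, e.g. `"Could not parse policy mode '{}', expected one of enforce, audit, none"`, or keeping `"none" | "default" => Ok(None),` for a transition period. The enclosing function starts and ends outside this hunk.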
30 changes: 21 additions & 9 deletions policies/rudderc/docs/src/syntax.md
Expand Up @@ -109,10 +109,10 @@ Blocks contains:
* `tags` (optional): Optional key-value tags.
* `items`: A list of items (block or method call). Cannot be empty.
* `condition` (optional): A condition expression for the whole block. `true` is an always defined (default), `false` is never defined.
* `policy_mode` (optional):
* `default`(default): Inherit policy mode from parent container
* `enforce`: Force the policy mode of all items within the block in enforce mode.
* `audit`: Force the policy mode of all items within the block in audit mode.
* `policy_mode_override` (optional):
* `none`(default): Use the policy mode from parent container (or directive if no override)
* `enforce`: Force the policy mode of all items within the block to enforce mode.
* `audit`: Force the policy mode of all items within the block to audit mode.
* `reporting` (optional):
* `mode`
* `weighted` (default)
Expand All @@ -122,6 +122,15 @@ Blocks contains:
* `disabled`: No reporting
* `id` (required with `focus` mode): id of the method to focus reporting on.

<div class="warning">
Setting <code class="hljs">policy_mode_override</code> to <code class="hljs">enforce</code> will <strong>bypass the audit mode</strong>, so it must only be used
for actions that <strong>do not modify the system</strong> and are required for proper audit mode operation (e.g.
writing a temporary file to compare its content with the system).
</div>

<div class="warning">Policy mode effective value will always be the most closest override layer, meanning that an overridden policy mode on a method call
will always prevail over directives and blocks values.</div>

```yaml
items:
- name: "Ensure telnet-server absence"
Expand All @@ -135,9 +144,6 @@ items:
- ...
```

<div class="warning">Policy mode effective value will always be taken from the latest override layer. Meaning that a forced policy mode on a method call
will always prevail over directives and blocks ones.</div>

## Methods

Methods contains:
Expand All @@ -148,15 +154,21 @@ Methods contains:
* `tags` (optional): Optional key-value tags.
* `params`: Key-Value dictionary of parameters for the method.
* `condition` (optional): A condition expression for the method. `true` is an always defined (default), `false` is never defined.
* `policy_mode` (optional):
* `default`(default): Inherit policy mode from parent container
* `policy_mode_override` (optional):
* `none` (default): Inherit policy mode from parent container (ore directive if no override)
* `enforce`: Force the policy mode to enforce mode.
* `audit`: Force the policy mode to audit mode.
* `reporting` (optional)
* `mode`
* `enabled` (default): Normal reporting
* `disabled`: No reporting

<div class="warning">
Setting <code class="hljs">policy_mode_override</code> to <code class="hljs">enforce</code> will <strong>bypass the audit mode</strong>, so it must only be used
for actions that <strong>do not modify the system</strong> and are required for proper audit mode operation (e.g.
writing a temporary file to compare its content with the system).
</div>

The methods are documented in the next section of this documentation, sorted by category.

Example:
4 changes: 2 additions & 2 deletions policies/rudderc/src/backends/unix.rs
Expand Up @@ -83,7 +83,7 @@ impl Backend for Unix {
ItemKind::Block(r) => {
let mut calls: Vec<(Promise, Option<Bundle>)> = vec![];
if let Some(x) = dry_run_mode::push_policy_mode(
r.policy_mode,
r.policy_mode_override,
format!("push_policy_mode_for_block_{}", r.id),
) {
calls.push((x, None))
Expand All @@ -96,7 +96,7 @@ impl Backend for Unix {
)?);
}
if let Some(x) = dry_run_mode::pop_policy_mode(
r.policy_mode,
r.policy_mode_override,
format!("pop_policy_mode_for_block_{}", r.id),
) {
calls.push((x, None))
4 changes: 2 additions & 2 deletions policies/rudderc/src/backends/unix/ncf/method_call.rs
Expand Up @@ -106,8 +106,8 @@ pub fn method_call(
info.bundle_name
);

let push_policy_mode = dry_run_mode::push_policy_mode(m.policy_mode, unique.clone());
let pop_policy_mode = dry_run_mode::pop_policy_mode(m.policy_mode, unique.clone());
let push_policy_mode = dry_run_mode::push_policy_mode(m.policy_mode_override, unique.clone());
let pop_policy_mode = dry_run_mode::pop_policy_mode(m.policy_mode_override, unique.clone());
let incall_condition = "${method_call_condition}".to_string();

let mut promises = match (&condition, is_supported) {
12 changes: 6 additions & 6 deletions policies/rudderc/src/backends/windows.rs
Expand Up @@ -157,7 +157,7 @@ struct WindowsMethod {
args: Vec<(String, String, Escaping)>,
name: String,
is_supported: bool,
policy_mode: Option<PolicyMode>,
policy_mode_override: Option<PolicyMode>,
}

fn method_call(
Expand Down Expand Up @@ -211,14 +211,14 @@ fn method_call(
args,
name: filters::dsc_case(&m.info.as_ref().unwrap().bundle_name).unwrap(),
is_supported,
policy_mode: if let Some(x) = policy_mode_context {
if m.policy_mode.is_none() {
policy_mode_override: if let Some(x) = policy_mode_context {
if m.policy_mode_override.is_none() {
Some(x)
} else {
m.policy_mode
m.policy_mode_override
}
} else {
m.policy_mode
m.policy_mode_override
},
})
}
Expand Down Expand Up @@ -246,7 +246,7 @@ impl Windows {
calls.extend(resolve_module(
inner,
context.and(&r.condition),
r.policy_mode,
r.policy_mode_override,
)?);
}
Ok(calls)
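Review bot: In the last hunk the recursive `resolve_module` call passes only the block's own `r.policy_mode_override` as context for its children, so a block without an override hands down `None`. If the enclosing function can itself be reached with a mode inherited from an outer block (its signature is outside the hunk, so this is an assumption to confirm), a method under an outer `audit` block and an inner block with no override would lose the `audit` context and could run in the directive's mode, which contradicts the documented "use the policy mode from parent container". If so, pass the combined value, `r.policy_mode_override.or(PARENT_MODE)` with `PARENT_MODE` a placeholder for that parameter, and add a test case with an un-overridden block nested in an audit block. Separately, the `if let`/`else` in `method_call` reduces to `m.policy_mode_override.or(policy_mode_context)`.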
14 changes: 7 additions & 7 deletions policies/rudderc/src/ir/technique.rs
Expand Up @@ -325,7 +325,7 @@ pub struct DeserItem {
pub module: Option<String>,
#[serde(deserialize_with = "PolicyMode::from_string")]
#[serde(default)]
pub policy_mode: Option<PolicyMode>,
pub policy_mode_override: Option<PolicyMode>,
}

// Variant of Technique for first level of deserialization
Expand Down Expand Up @@ -390,7 +390,7 @@ impl DeserItem {
&self.name, &self.id
))?,
info: None,
policy_mode: self.policy_mode,
policy_mode_override: self.policy_mode_override,
})),
(true, false, _, false) => {
bail!("Method {} ({}) requires params", self.name, self.id)
Expand All @@ -406,7 +406,7 @@ impl DeserItem {
"Module {} ({}) has an unexpected reporting mode",
self.name, self.id
))?,
policy_mode: self.policy_mode,
policy_mode_override: self.policy_mode_override,
})),
(false, true, _, false) => {
bail!("Module {} ({}) requires params", self.name, self.id)
Expand All @@ -426,7 +426,7 @@ impl DeserItem {
.into_iter()
.map(|i| i.into_kind().unwrap())
.collect(),
policy_mode: self.policy_mode,
policy_mode_override: self.policy_mode_override,
})),
(false, false, false, false) => {
bail!("Block {} ({}) requires items", self.name, self.id)
Expand Down Expand Up @@ -473,7 +473,7 @@ pub struct Block {
pub reporting: BlockReporting,
#[serde(default)]
#[serde(skip_serializing_if = "Option::is_none")]
pub policy_mode: Option<PolicyMode>,
pub policy_mode_override: Option<PolicyMode>,
}

#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
Expand All @@ -493,7 +493,7 @@ pub struct Module {
pub reporting: LeafReporting,
#[serde(default)]
#[serde(skip_serializing_if = "Option::is_none")]
pub policy_mode: Option<PolicyMode>,
pub policy_mode_override: Option<PolicyMode>,
}

#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
Expand All @@ -516,7 +516,7 @@ pub struct Method {
pub info: Option<&'static MethodInfo>,
#[serde(default)]
#[serde(skip_serializing_if = "Option::is_none")]
pub policy_mode: Option<PolicyMode>,
pub policy_mode_override: Option<PolicyMode>,
}

#[derive(Debug, Clone, PartialEq, Eq, Default, Serialize, Deserialize)]
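Review bot: Renaming the `DeserItem` field also renames the YAML key, and with `#[serde(default)]` on it an existing technique that still writes `policy_mode: audit` would deserialize to `None` instead of failing, unless the struct rejects unknown fields (its container attributes are outside the hunk, so confirm). That would silently drop an audit pin and let the item inherit the parent's mode, possibly enforce. Either accept the old key during migration with `#[serde(alias = "policy_mode")]` on `policy_mode_override`, or make sure the old key is rejected with an explicit error. The same applies to `technique.schema.json`, where the renamed property only fails validation if the item objects forbid additional properties. A test case that feeds the old key would pin whichever behaviour is chosen.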
8 changes: 4 additions & 4 deletions policies/rudderc/src/technique.schema.json
Expand Up @@ -281,7 +281,7 @@
"enum": [
"audit",
"enforce",
"default"
"none"
]
},
"methodReportingMode": {
Expand Down Expand Up @@ -386,7 +386,7 @@
"title": "method call tags",
"$ref": "#/$defs/tags"
},
"policy_mode": {
"policy_mode_override": {
"title": "method call policy mode override",
"$ref": "#/$defs/policyMode"
},
Expand Down Expand Up @@ -455,7 +455,7 @@
"title": "block call tags",
"$ref": "#/$defs/tags"
},
"policy_mode": {
"policy_mode_override": {
"title": "block call policy mode",
"$ref": "#/$defs/policyMode"
},
Expand Down Expand Up @@ -495,4 +495,4 @@
]
}
}
}
}
6 changes: 3 additions & 3 deletions policies/rudderc/templates/technique.ps1.askama
Expand Up @@ -32,7 +32,7 @@ function {{ id|dsc_case }} {
ClassPrefix = ([Rudder.Condition]::canonify(("{{ m.class_prefix }}_" + $componentKey)))
ComponentKey = $componentKey
ComponentName = "{{ m.component_name|escape_double_quotes }}"
PolicyMode = {{ m.policy_mode|policy_mode_fmt }}
PolicyMode = {{ m.policy_mode_override|policy_mode_fmt }}
ReportId = $reportId
DisableReporting = ${{ m.disable_reporting }}
TechniqueName = $techniqueName
Expand All @@ -47,7 +47,7 @@ function {{ id|dsc_case }} {
{{- arg.0 }} = {{ arg|parameter_fmt }}
{% endfor %}
}
$call = {{ m.name|dsc_case }} @methodParams -PolicyMode {{ m.policy_mode|policy_mode_fmt }}
$call = {{ m.name|dsc_case }} @methodParams -PolicyMode {{ m.policy_mode_override|policy_mode_fmt }}
$methodContext = Compute-Method-Call @reportParams -MethodCall $call
$localContext.merge($methodContext)
} else {
Expand All @@ -59,7 +59,7 @@ function {{ id|dsc_case }} {
{{- arg.0 }} = {{ arg|parameter_fmt }}
{% endfor %}
}
$call = {{ m.name|dsc_case }} @methodParams -PolicyMode {{ m.policy_mode|policy_mode_fmt }}
$call = {{ m.name|dsc_case }} @methodParams -PolicyMode {{ m.policy_mode_override|policy_mode_fmt }}
$methodContext = Compute-Method-Call @reportParams -MethodCall $call
$localContext.merge($methodContext)
{% endmatch %}
30 changes: 15 additions & 15 deletions policies/rudderc/tests/cases/general/policy_mode/technique.yml
Expand Up @@ -10,7 +10,7 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
policy_mode: audit
policy_mode_override: audit
- id: 1eedce7b-3441-4251-bdd6-706fda3ec7a8
name: 'In omit mode'
method: file_content
Expand All @@ -25,18 +25,18 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
policy_mode: enforce
policy_mode_override: enforce
- id: 1d809592-808e-4177-8351-8b7b7769af69
name: 'In default mode'
method: file_content
params:
path: /tmp/1
lines: "foobar"
enforce: "true"
policy_mode: default
policy_mode_override: none
- id: 57f54359-2b2e-49f9-ab61-a77705615302
name: "A block in audit mode"
policy_mode: audit
policy_mode_override: audit
items:
- id: ea274579-40fc-4545-b384-8d5576a7c69b
name: 'Resolve to audit'
Expand All @@ -45,26 +45,26 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
policy_mode: audit
policy_mode_override: audit
- id: 85659b7e-968c-458c-b566-c90108c50833
name: 'Resolve to enforce'
method: file_content
params:
path: /tmp/1
lines: "foobar"
enforce: "true"
policy_mode: enforce
policy_mode_override: enforce
- id: d8def455-cd43-441f-8dba-1ebae3a29389
name: 'Resolve to audit'
method: file_content
params:
path: /tmp/1
lines: "foobar"
enforce: "true"
policy_mode: default
policy_mode_override: none
- id: 1ff82fc2-38fc-4324-92ab-3de5fafcdc14
name: "A block in enforce mode"
policy_mode: enforce
policy_mode_override: enforce
items:
- id: f9417d97-3a18-4db6-85c3-72e28618bff1
name: 'Resolve to audit'
Expand All @@ -73,30 +73,30 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
policy_mode: audit
policy_mode_override: audit
- id: c4b4faa1-85e5-4922-b713-c198bf99226e
name: 'Resolve to enforce'
method: file_content
params:
path: /tmp/1
lines: "foobar"
enforce: "true"
policy_mode: enforce
policy_mode_override: enforce
- id: cce62a59-bd17-4858-ba06-6ae41f39b15a
name: 'Resolve to enforce'
method: file_content
params:
path: /tmp/1
lines: "foobar"
enforce: "true"
policy_mode: default
policy_mode_override: none
- id: 7def389a-78d2-4104-b6fc-19c74f14fe93
name: "An audit block"
policy_mode: enforce
policy_mode_override: enforce
items:
- id: 9fca6ca8-ccaa-4688-a5fc-e2a0d9d60165
name: 'A nested block in audit'
policy_mode: audit
policy_mode_override: audit
items:
- id: 0a4299dd-0902-48b2-85ee-13dfe6fc3af6
name: 'Resolve to audit'
Expand All @@ -105,12 +105,12 @@ items:
path: /tmp/1
lines: "foobar"
enforce: "true"
policy_mode: default
policy_mode_override: none
- id: 3b8352df-1329-4956-a019-bb9c072bc830
name: 'Resolve to enforce'
method: file_content
params:
path: /tmp/1
lines: "foobar"
enforce: "true"
policy_mode: default
policy_mode_override: none