// Copyright 2021 Fugue, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package fugue
import (
"context"
"fmt"
"strings"
"github.com/fugue/regula/v3/pkg/rego"
"github.com/fugue/regula/v3/pkg/regotools/doublequote"
"github.com/fugue/regula/v3/pkg/regotools/metadoc"
"github.com/fugue/regula/v3/pkg/swagger/client/custom_rules"
"github.com/fugue/regula/v3/pkg/swagger/models"
"github.com/sirupsen/logrus"
)
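// processCustomRule turns a custom rule fetched from the Fugue SaaS into a
// RegoFile the engine can load. The rule text is parsed for its metadoc
// block, and the metadata the SaaS record is authoritative for (id, title,
// description, severity, controls, families) is written over it.
//
// The rule text is later evaluated as Rego; nothing here sandboxes or
// validates it beyond parsing, so the SaaS tenant is trusted to supply
// well-formed rules.
//
// Returns an error if the rule text cannot be parsed, or if neither the rule
// text nor the SaaS record yields a resource type.
func processCustomRule(rule *models.CustomRule) (rego.RegoFile, error) {
	regometa, err := metadoc.RegoMetaFromString(rule.RuleText)
	if err != nil {
		// Wrap so the caller can tell which rule failed to parse.
		return nil, fmt.Errorf("parsing custom rule %s: %w", rule.ID, err)
	}

	// Each custom rule gets its own package derived from the rule ID. Only
	// '-' is rewritten here; NOTE(review): any other character that is not
	// legal in a Rego package name would still produce unparseable output —
	// confirm the SaaS restricts IDs to [A-Za-z0-9-] or sanitise more broadly.
	regometa.PackageName = "rules.rule_" + strings.ReplaceAll(rule.ID, "-", "_")

	// The SaaS record wins over whatever the rule text's own metadoc says.
	regometa.Id = rule.ID
	regometa.Title = rule.Name
	regometa.Description = rule.Description
	regometa.Severity = rule.Severity

	// Custom rules hang off a single synthetic "Custom" control named after
	// the rule, mirroring the control scheme used in the SaaS.
	regometa.Controls = map[string][]string{
		"Custom": {"custom/" + rule.Name},
	}
	regometa.Families = rule.Families

	// A resource_type declared explicitly in the rule text is kept; otherwise
	// derive one from the SaaS record.
	if regometa.ResourceType == "" {
		switch {
		case rule.ResourceType == "MULTIPLE":
			regometa.ResourceType = "MULTIPLE"
		case rule.TfResourceType != "":
			regometa.ResourceType = rule.TfResourceType
		default:
			return nil, fmt.Errorf("Unknown resource type: %s", rule.ResourceType)
		}
	}

	// Custom rules depend on the fugue helpers, so force the import in even
	// if the author omitted it. Guard against a nil map for rule text that
	// declared no imports at all, which would otherwise panic on assignment.
	if regometa.Imports == nil {
		regometa.Imports = make(map[metadoc.Import]struct{})
	}
	regometa.Imports[metadoc.Import{Path: "data.fugue"}] = struct{}{}

	// Rego only accepts double-quoted strings; normalise any single quotes
	// the author used before handing the text to the engine.
	text := doublequote.Doublequote(regometa.String())
	ruleName := fmt.Sprintf("Custom rule %s", rule.ID)
	return rego.RegoFileFromString(ruleName, text), nil
}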
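// CustomRulesProvider returns a RegoProvider that pages through every ENABLED
// custom rule in the Fugue SaaS and hands each one to the processor.
//
// A rule whose text cannot be converted into a RegoFile is logged and skipped
// so one bad rule does not block the rest; an API error, a processor error,
// or a pagination response that fails to advance aborts the load.
func (c *fugueClient) CustomRulesProvider() rego.RegoProvider {
	return func(ctx context.Context, p rego.RegoProcessor) error {
		ruleStatus := "ENABLED"
		offset := int64(0)
		for {
			params := &custom_rules.ListCustomRulesParams{
				Offset:  &offset,
				Status:  &ruleStatus,
				Context: ctx,
			}
			result, err := c.client.CustomRules.ListCustomRules(params, c.auth)
			if err != nil {
				return err
			}
			logrus.Infof("Retrieved %d custom rules...", len(result.Payload.Items))

			for _, item := range result.Payload.Items {
				rule, err := processCustomRule(item)
				if err != nil {
					// Skip the rule: the previous version fell through here
					// and passed a nil RegoFile to the processor. %v rather
					// than %d, which is a vet error for an error value.
					logrus.Warningf("Could not load rule %s: %v", item.ID, err)
					continue
				}
				if err := p(rule); err != nil {
					return err
				}
			}

			if !result.Payload.IsTruncated {
				return nil
			}
			// Defensive: a page that claims to be truncated but does not move
			// the cursor forward would otherwise make this loop spin forever
			// against the API.
			if result.Payload.NextOffset <= offset {
				return fmt.Errorf("custom rules pagination did not advance past offset %d", offset)
			}
			offset = result.Payload.NextOffset
		}
	}
}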
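// CustomRuleProvider returns a RegoProvider that fetches the single custom
// rule identified by ruleID from the Fugue SaaS and hands it to the processor.
//
// Unlike CustomRulesProvider there is nothing to skip to: a rule that cannot
// be fetched or converted is reported as an error. The previous version only
// logged the conversion failure and then passed a nil RegoFile on to the
// processor.
func (c *fugueClient) CustomRuleProvider(ruleID string) rego.RegoProvider {
	return func(ctx context.Context, p rego.RegoProcessor) error {
		params := &custom_rules.GetCustomRuleParams{
			RuleID:  ruleID,
			Context: ctx,
		}
		result, err := c.client.CustomRules.GetCustomRule(params, c.auth)
		if err != nil {
			return err
		}
		rule, err := processCustomRule(result.Payload)
		if err != nil {
			return fmt.Errorf("could not load rule %s: %w", ruleID, err)
		}
		return p(rule)
	}
}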