Open Policy Agent
Possible to write rego tests for masks? #507
-
|
I'm looking at the documentation for masking sensitive data and it's unclear if we can write unit tests with rego to test masks? Does anyone know if this is possible, or the recommended approach for testing masks? https://www.openpolicyagent.org/docs/latest/management-decision-logs/#masking-sensitive-data |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Hey, sorry for the late reply here. Masking of data is 'just' a Rego policy, so it'd be possible to test the behaviour like this:
package system.log
mask["/input/password"] {
input.input.resource == "user"
}
mask["/input/ssn"]
package system.log
import future.keywords.in
test_password_present_for_user {
result := mask with input as {"input": {"resource": "user", "password": "foobar"}}
"/input/password" in result
}
test_ssn_always_present {
result := mask with input as {}
"/input/ssn" in result
}and to test |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the example! With that I was able to make sense of redacting a header. package system.log
redact_authorization_header := {"path": "/input/attributes/request/http/headers/authorization", "value": "[REDACTED]", "op": "upsert"}
mask[redact_authorization_header]package system.log
import future.keywords
test_redact_authorization_header if {
result := mask with input.input.attributes.request.http.headers as {"authorization": "should-be-redacted"}
redact_authorization_header in result
} |
Beta Was this translation helpful? Give feedback.
-
|
👍 no probs, glad you got it working. Sorry again for the delay, good luck and let us know if you have any other issues! |
Beta Was this translation helpful? Give feedback.
Hey, sorry for the late reply here. Masking of data is 'just' a Rego policy, so it'd be possible to test the behaviour like this:
masks.regomasks_test.regoand to test