incorporate review comments

tenable · Jun 3, 2021 · fde1435 · fde1435
1 parent d8d58a2
commit fde1435
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 50 deletions.
diff --git a/pkg/filters/filter-specs.go b/pkg/filters/filter-specs.go
@@ -28,7 +28,7 @@ type PolicyTypesFilterSpecification struct {
 
 // IsSatisfied implementation for policy type based Filter spec
 func (p PolicyTypesFilterSpecification) IsSatisfied(r *policy.RegoMetadata) bool {
-	// if resource type is not present for metadata,
+	// if policy type is not present for rego metadata,
 	// or if policy types is not specified, return true
 	if len(r.PolicyType) < 1 || len(p.policyTypes) < 1 {
 		return true
@@ -43,7 +43,7 @@ type ResourceTypeFilterSpecification struct {
 
 // IsSatisfied implementation for resource type based Filter spec
 func (rs ResourceTypeFilterSpecification) IsSatisfied(r *policy.RegoMetadata) bool {
-	// if resource type is not present for metadata, return true
+	// if resource type is not present for rego metadata, return true
 	if len(r.ResourceType) < 1 {
 		return true
 	}
@@ -122,12 +122,10 @@ func (a AndFilterSpecification) IsSatisfied(r *policy.RegoMetadata) bool {
 	if len(a.filterSpecs) < 1 {
 		return false
 	}
-	isSatisfied := true
 	for _, filterSpec := range a.filterSpecs {
-		isSatisfied = isSatisfied && filterSpec.IsSatisfied(r)
-		if !isSatisfied {
-			return isSatisfied
+		if !filterSpec.IsSatisfied(r) {
+			return false
 		}
 	}
-	return isSatisfied
+	return true
 }
diff --git a/pkg/policy/opa/engine.go b/pkg/policy/opa/engine.go
@@ -368,7 +368,7 @@ func (e *Engine) Evaluate(engineInput policy.EngineInput, filter policy.PreScanF
 		if err != nil {
 			// since the eval failed with the policy, we should decrement the total count by 1
 			e.stats.ruleCount--
-			zap.S().Warn("failed to run prepared query", zap.Error(err), zap.String("rule", "'"+k+"'"), zap.String("file", e.regoDataMap[k].Metadata.File))
+			zap.S().Debug("failed to run prepared query", zap.Error(err), zap.String("rule", "'"+k+"'"), zap.String("file", e.regoDataMap[k].Metadata.File))
 			continue
 		}
 

diff --git a/pkg/runtime/executor.go b/pkg/runtime/executor.go
@@ -83,10 +83,6 @@ func NewExecutor(iacType, iacVersion string, policyTypes []string, filePath, dir
 		e.categories = categories
 	}
 
-	if len(policyTypes) > 0 {
-		e.policyTypes = policyTypes
-	}
-
 	// initialize executor
 	if err = e.Init(); err != nil {
 		return e, err
@@ -272,9 +268,7 @@ func (e *Executor) findViolations(results *Output) error {
 
 	for _, engine := range e.policyEngines {
 		go func(eng policy.Engine) {
-			// create a regodata pre scan filter
-			preScanFilter := filters.RegoDataFilter{}
-			output, err := eng.Evaluate(policy.EngineInput{InputData: &results.ResourceConfig}, &preScanFilter)
+			output, err := eng.Evaluate(policy.EngineInput{InputData: &results.ResourceConfig}, &filters.RegoDataFilter{})
 			evalResultChan <- engineEvalResult{err, output}
 		}(engine)
 	}

diff --git a/pkg/utils/policy.go b/pkg/utils/policy.go
@@ -30,3 +30,21 @@ func GetAbsPolicyConfigPaths(policyBasePath, policyRepoPath string) (string, str
 	absolutePolicyRepoPath = filepath.Join(absolutePolicyBasePath, policyRepoPath)
 	return absolutePolicyBasePath, absolutePolicyRepoPath, nil
 }
+
+// CheckPolicyType checks if supplied policy type matches desired policy types
+func CheckPolicyType(rulePolicyType string, desiredPolicyTypes []string) bool {
+	normDesiredPolicyTypes := make(map[string]bool, len(desiredPolicyTypes))
+	normRulePolicyType := EnsureUpperCaseTrimmed(rulePolicyType)
+
+	for _, desiredPolicyType := range desiredPolicyTypes {
+		desiredPolicyType = EnsureUpperCaseTrimmed(desiredPolicyType)
+		normDesiredPolicyTypes[desiredPolicyType] = true
+	}
+
+	if _, ok := normDesiredPolicyTypes["ALL"]; ok {
+		return true
+	}
+
+	_, ok := normDesiredPolicyTypes[normRulePolicyType]
+	return ok
+}
diff --git a/pkg/utils/policy_type.go b/pkg/utils/policy_type.go