diff --git a/pkg/filters/filter-specs.go b/pkg/filters/filter-specs.go
index 568fb16c5..4fbda084c 100644
--- a/pkg/filters/filter-specs.go
+++ b/pkg/filters/filter-specs.go
@@ -28,7 +28,7 @@ type PolicyTypesFilterSpecification struct {
 // IsSatisfied implementation for policy type based Filter spec
 func (p PolicyTypesFilterSpecification) IsSatisfied(r *policy.RegoMetadata) bool {
- // if resource type is not present for metadata,
+ // if policy type is not present for rego metadata,
 // or if policy types is not specified, return true
 if len(r.PolicyType) < 1 || len(p.policyTypes) < 1 {
 return true
@@ -43,7 +43,7 @@ type ResourceTypeFilterSpecification struct {
 // IsSatisfied implementation for resource type based Filter spec
 func (rs ResourceTypeFilterSpecification) IsSatisfied(r *policy.RegoMetadata) bool {
- // if resource type is not present for metadata, return true
+ // if resource type is not present for rego metadata, return true
 if len(r.ResourceType) < 1 {
 return true
 }
@@ -122,12 +122,10 @@ func (a AndFilterSpecification) IsSatisfied(r *policy.RegoMetadata) bool {
 if len(a.filterSpecs) < 1 {
 return false
 }
- isSatisfied := true
 for _, filterSpec := range a.filterSpecs {
- isSatisfied = isSatisfied && filterSpec.IsSatisfied(r)
- if !isSatisfied {
- return isSatisfied
+ if !filterSpec.IsSatisfied(r) {
+ return false
 }
 }
- return isSatisfied
+ return true
 }
diff --git a/pkg/policy/opa/engine.go b/pkg/policy/opa/engine.go
index 88c6da503..f43412cc5 100644
--- a/pkg/policy/opa/engine.go
+++ b/pkg/policy/opa/engine.go
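Review bot: The guard at the top of `AndFilterSpecification.IsSatisfied` makes an empty `filterSpecs` list reject every rego metadata entry, and the rewritten loop in the third hunk still carries no comment saying so. An AND over zero conditions is conventionally true, so a reader would expect the opposite; a filter that rejects every policy would presumably leave the scan with no rules to evaluate. If that is deliberate, state it on the guard, for example `// an AND filter with no sub-filters matches nothing, so no policy is selected`; if it is not, the guard should return true. The function's doc comment sits above the hunk and is not visible here.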
@@ -368,7 +368,7 @@ func (e *Engine) Evaluate(engineInput policy.EngineInput, filter policy.PreScanF
 if err != nil {
 // since the eval failed with the policy, we should decrement the total count by 1
 e.stats.ruleCount--
- zap.S().Warn("failed to run prepared query", zap.Error(err), zap.String("rule", "'"+k+"'"), zap.String("file", e.regoDataMap[k].Metadata.File))
+ zap.S().Debug("failed to run prepared query", zap.Error(err), zap.String("rule", "'"+k+"'"), zap.String("file", e.regoDataMap[k].Metadata.File))
 continue
 }
diff --git a/pkg/runtime/executor.go b/pkg/runtime/executor.go
index abd015c00..5156ef089 100644
--- a/pkg/runtime/executor.go
+++ b/pkg/runtime/executor.go
@@ -83,10 +83,6 @@ func NewExecutor(iacType, iacVersion string, policyTypes []string, filePath, dir
 e.categories = categories
 }
- if len(policyTypes) > 0 {
- e.policyTypes = policyTypes
- }
-
 // initialize executor
 if err = e.Init(); err != nil {
 return e, err
@@ -272,9 +268,7 @@ func (e *Executor) findViolations(results *Output) error {
 for _, engine := range e.policyEngines {
 go func(eng policy.Engine) {
- // create a regodata pre scan filter
- preScanFilter := filters.RegoDataFilter{}
- output, err := eng.Evaluate(policy.EngineInput{InputData: &results.ResourceConfig}, &preScanFilter)
+ output, err := eng.Evaluate(policy.EngineInput{InputData: &results.ResourceConfig}, &filters.RegoDataFilter{})
 evalResultChan <- engineEvalResult{err, output}
 }(engine)
 }
diff --git a/pkg/utils/policy.go b/pkg/utils/policy.go
index b59071ed0..368f6c496 100644
--- a/pkg/utils/policy.go
+++ b/pkg/utils/policy.go
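Review bot: Demoting this message to Debug in `Evaluate` means a rule whose prepared query fails is dropped from the scan (`e.stats.ruleCount--` then `continue`) with nothing visible unless debug logging is on, so a run with evaluation errors can look the same as a clean one. Either keep it at Warn, or count the skipped rules and report that number with whatever summary the scan produces, so reduced policy coverage is noticeable. Separately, `zap.S()` returns the sugared logger, whose `Debug` formats its arguments fmt.Sprint-style and does not treat `zap.Error`/`zap.String` as structured fields. Use `zap.S().Debugw("failed to run prepared query", "error", err, "rule", k, "file", e.regoDataMap[k].Metadata.File)`, or `zap.L().Debug(...)` with the existing fields. The body of `Evaluate` extends beyond this hunk.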
@@ -30,3 +30,21 @@ func GetAbsPolicyConfigPaths(policyBasePath, policyRepoPath string) (string, str
 absolutePolicyRepoPath = filepath.Join(absolutePolicyBasePath, policyRepoPath)
 return absolutePolicyBasePath, absolutePolicyRepoPath, nil
 }
+
+// CheckPolicyType checks if supplied policy type matches desired policy types
+func CheckPolicyType(rulePolicyType string, desiredPolicyTypes []string) bool {
+ normDesiredPolicyTypes := make(map[string]bool, len(desiredPolicyTypes))
+ normRulePolicyType := EnsureUpperCaseTrimmed(rulePolicyType)
+
+ for _, desiredPolicyType := range desiredPolicyTypes {
+ desiredPolicyType = EnsureUpperCaseTrimmed(desiredPolicyType)
+ normDesiredPolicyTypes[desiredPolicyType] = true
+ }
+
+ if _, ok := normDesiredPolicyTypes["ALL"]; ok {
+ return true
+ }
+
+ _, ok := normDesiredPolicyTypes[normRulePolicyType]
+ return ok
+}
diff --git a/pkg/utils/policy_type.go b/pkg/utils/policy_type.go
deleted file mode 100644
index 63c6bb50e..000000000
--- a/pkg/utils/policy_type.go
+++ /dev/null
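Review bot: `CheckPolicyType` allocates and fills a map on every call only to do two lookups; a single pass over `desiredPolicyTypes` gives the same answer without the allocation, which matters if this runs once per rule. The doc comment should also state the two cases a caller cannot guess: a desired entry that normalises to `ALL` matches any rule type, and an empty `desiredPolicyTypes` matches nothing. The second differs from `PolicyTypesFilterSpecification.IsSatisfied` in this same commit, which returns true when `p.policyTypes` is empty, so it is worth saying which layer owns the empty case. `EnsureUpperCaseTrimmed` is defined outside the hunk; the rewrite below assumes it only upper-cases and trims.

```go
func CheckPolicyType(rulePolicyType string, desiredPolicyTypes []string) bool {
	normRulePolicyType := EnsureUpperCaseTrimmed(rulePolicyType)
	for _, desiredPolicyType := range desiredPolicyTypes {
		// "ALL" selects every policy type; otherwise require an exact normalised match
		if d := EnsureUpperCaseTrimmed(desiredPolicyType); d == "ALL" || d == normRulePolicyType {
			return true
		}
	}
	// empty list, or nothing matched
	return false
}
```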
@@ -1,35 +0,0 @@
-/*
- Copyright (C) 2020 Accurics, Inc.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package utils
-
-// CheckPolicyType checks if supplied policy type matches desired policy types
-func CheckPolicyType(rulePolicyType string, desiredPolicyTypes []string) bool {
- normDesiredPolicyTypes := make(map[string]bool, len(desiredPolicyTypes))
- normRulePolicyType := EnsureUpperCaseTrimmed(rulePolicyType)
-
- for _, desiredPolicyType := range desiredPolicyTypes {
- desiredPolicyType = EnsureUpperCaseTrimmed(desiredPolicyType)
- normDesiredPolicyTypes[desiredPolicyType] = true
- }
-
- if _, ok := normDesiredPolicyTypes["ALL"]; ok {
- return true
- }
-
- _, ok := normDesiredPolicyTypes[normRulePolicyType]
- return ok
-}