
feat: add function to retrieve object by path #199

Merged
merged 3 commits into from
Sep 24, 2024

Conversation

nikpivkin
Copy link
Contributor

@nikpivkin nikpivkin commented Jul 18, 2024

Ideally, we should point to the location of the misconfiguration in the code as precisely as possible. To do this, the result.new function takes an object with its location metadata as the second parameter. But there may be problems with this if the passed input is incomplete.

The following check safely checks for the absence of bar or its false value, but may fail if bar or the parent structure is missing, since the input.provider.foo.bar expression passed to the result.new function will be undefined.

```rego
deny contains res if {
  # Safe: a missing intermediate level makes the expression undefined, so `not` succeeds.
  not input.provider.some_resource.block1.block2.some_attr.value
  # Not safe: if any level is missing, the second argument is undefined and the rule body fails.
  res := result.new(
    "bar does not exist",
    input.provider.some_resource.block1.block2.some_attr,
  )
}
```

To solve this problem, we could use the object.get function to safely get a nested object, for example object.get(some_resource, ["block1", "block2", "some_attr"], resource), but in that case the result will not contain the exact location of the misconfig. And calling object.get for each level of nesting is fraught with a lot of code.

This PR adds a function that solves the problem. It recursively searches for a child object along the given path and if it is not found, it returns the last found one.

Example of use:

```rego
import data.lib.metadata

deny contains res if {
  not input.provider.some_resource.block1.block2.some_attr
  # obj_by_path returns the deepest object on the path that exists, so the
  # location argument is always defined even when the input is incomplete.
  res := result.new(
    "bar does not exist",
    metadata.obj_by_path(input.provider.some_resource, ["block1", "block2", "some_attr"]),
  )
}
```
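As an added illustration, not the PR's own implementation in lib/cloud/metadata.rego, the following stand-alone Rego module shows one way to express the "walk the path and keep the last object found" idea. Rego forbids recursive rules, so the walk is written as a comprehension over every prefix of the path. The `sample_resource` input and its `__meta__` location key are constructed placeholders, not the scanner's real metadata format, and the `deny` rule only demonstrates the calling pattern.

```rego
package lib.metadata_example

import rego.v1

# Constructed sample input: block1 exists, but block2 and some_attr do not.
# "__meta__" is an assumed placeholder for the location metadata attached to
# each object; it is not the project's real key name.
sample_resource := {
  "__meta__": {"file": "main.tf", "line": 1},
  "block1": {
    "__meta__": {"file": "main.tf", "line": 5},
    "other_attr": {"value": true},
  },
}

# Hypothetical obj_by_path: return the deepest object along `path` that exists
# in `obj`. The prefixes are tried in increasing length, so the last candidate
# that resolves is the deepest one. A value that is literally null is treated
# as missing and falls back to its parent.
obj_by_path(obj, path) := obj if {
  count(path) == 0
}

obj_by_path(obj, path) := found if {
  count(path) > 0
  deeper := [o |
    some n in numbers.range(1, count(path))
    o := object.get(obj, array.slice(path, 0, n), null)
    o != null
  ]

  # The root object is always a valid fallback (the prefix of length 0).
  candidates := array.concat([obj], deeper)
  found := candidates[count(candidates) - 1]
}

# Check in the style of the PR description: the negated lookup is safe when
# intermediate levels are missing, and the location reported is the deepest
# object found instead of an undefined reference that would fail the rule.
deny contains msg if {
  not sample_resource.block1.block2.some_attr
  located := obj_by_path(sample_resource, ["block1", "block2", "some_attr"])
  msg := sprintf(
    "some_attr does not exist (nearest location: %v:%v)",
    [located["__meta__"].file, located["__meta__"].line],
  )
}
```

Evaluate it with `opa eval -d example.rego 'data.lib.metadata_example.deny'`. With the sample above, the walk stops at block1 because that is the longest prefix that resolves, so the finding is attributed to block1's location rather than to the whole resource, which is the precision the PR is after.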

@simar7 simar7 added this pull request to the merge queue Sep 24, 2024
Merged via the queue into aquasecurity:main with commit a76c0e9 Sep 24, 2024
5 checks passed
@nikpivkin nikpivkin deleted the meta-cause branch September 25, 2024 03:06