

Revert "Revert "feat(scanner): Break out options for enabling libs an…
…d policies (#1280)" (#1298)" (#1357)

* Revert "Revert "feat(scanner): Break out options for enabling libs and policies (#1280)" (#1298)"

This reverts commit 63a8b4f.

* add loadembedded for terraformplan

Signed-off-by: Simar <[email protected]>

* fix tests

Signed-off-by: Simar <[email protected]>

---------

Signed-off-by: Simar <[email protected]>
simar7 authored Jul 16, 2023
1 parent e7e17b9 commit 931764a
Showing 21 changed files with 227 additions and 147 deletions.
1 change: 1 addition & 0 deletions cmd/defsec/aws.go
Expand Up @@ -40,6 +40,7 @@ func scanAWS(stdout, stderr io.Writer) error {

opts := []options.ScannerOption{
options.ScannerWithEmbeddedPolicies(true),
options.ScannerWithEmbeddedLibraries(true),
}

if flagDebug {
1 change: 1 addition & 0 deletions cmd/defsec/fs.go
Expand Up @@ -36,6 +36,7 @@ func scanFS(dir string, stdout, stderr io.Writer) error {

opts := []options.ScannerOption{
options.ScannerWithEmbeddedPolicies(true),
options.ScannerWithEmbeddedLibraries(true),
}

if flagDebug {
35 changes: 23 additions & 12 deletions pkg/rego/load.go
Expand Up @@ -94,18 +94,8 @@ func (s *Scanner) LoadEmbeddedLibraries() error {
return nil
}

func (s *Scanner) LoadPolicies(loadEmbedded bool, srcFS fs.FS, paths []string, readers []io.Reader) error {

if s.policies == nil {
s.policies = make(map[string]*ast.Module)
}

if s.policyFS != nil {
s.debug.Log("Overriding filesystem for policies!")
srcFS = s.policyFS
}

if loadEmbedded {
func (s *Scanner) loadEmbedded(enableEmbeddedLibraries, enableEmbeddedPolicies bool) error {
if enableEmbeddedLibraries {
loadedLibs, errLoad := loadEmbeddedLibraries()
if errLoad != nil {
return fmt.Errorf("failed to load embedded rego libraries: %w", errLoad)
Expand All @@ -114,6 +104,9 @@ func (s *Scanner) LoadPolicies(loadEmbedded bool, srcFS fs.FS, paths []string, r
s.policies[name] = policy
}
s.debug.Log("Loaded %d embedded libraries.", len(loadedLibs))
}

if enableEmbeddedPolicies {
loaded, err := loadEmbeddedPolicies()
if err != nil {
return fmt.Errorf("failed to load embedded rego policies: %w", err)
Expand All @@ -124,6 +117,24 @@ func (s *Scanner) LoadPolicies(loadEmbedded bool, srcFS fs.FS, paths []string, r
s.debug.Log("Loaded %d embedded policies.", len(loaded))
}

return nil
}

func (s *Scanner) LoadPolicies(enableEmbeddedLibraries, enableEmbeddedPolicies bool, srcFS fs.FS, paths []string, readers []io.Reader) error {

if s.policies == nil {
s.policies = make(map[string]*ast.Module)
}

if s.policyFS != nil {
s.debug.Log("Overriding filesystem for policies!")
srcFS = s.policyFS
}

if err := s.loadEmbedded(enableEmbeddedLibraries, enableEmbeddedPolicies); err != nil {
return err
}

var err error
if len(paths) > 0 {
loaded, err := s.loadPoliciesFromDirs(srcFS, paths)
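Review bot: Splitting the old single loadEmbedded flag into enableEmbeddedLibraries and enableEmbeddedPolicies changes what a policies-only caller gets: the removed code loaded libraries and policies together under one `if loadEmbedded`, whereas the new loadEmbedded loads each only under its own flag, so a wrapper that sets only SetUseEmbeddedPolicies(true) now compiles the embedded policies without the embedded libraries they may import. The exported LoadPolicies has no doc comment making this explicit, and two adjacent bool parameters of the same type are easy to transpose at the many updated call sites; I'd add `// LoadPolicies loads embedded libraries and policies according to the two flags, then policies from srcFS/paths and readers. Embedded policies that import the embedded libraries need both flags set (the old single loadEmbedded flag implied both).` Separately, the new loadEmbedded writes s.policies[name] but relies on LoadPolicies having initialised the map just before calling it; if it is ever called from another path it will panic on a nil map, so either repeat the nil check there or state the precondition in a comment. LoadPolicies continues past the end of the hunk.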
5 changes: 5 additions & 0 deletions pkg/rego/scanner.go
Expand Up @@ -46,6 +46,10 @@ type Scanner struct {
sourceType types.Source
}

func (s *Scanner) SetUseEmbeddedLibraries(b bool) {
// handled externally
}

func (s *Scanner) SetSpec(spec string) {
s.spec = spec
}
Expand All @@ -59,6 +63,7 @@ func (s *Scanner) SetFrameworks(frameworks []framework.Framework) {
func (s *Scanner) SetUseEmbeddedPolicies(b bool) {
// handled externally
}

func (s *Scanner) trace(heading string, input interface{}) {
if s.traceWriter == nil {
return
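Review bot: SetUseEmbeddedLibraries on the rego Scanner is a no-op, like the existing SetUseEmbeddedPolicies below it, so a caller that constructs a rego.Scanner directly and passes options.ScannerWithEmbeddedLibraries(true) gets neither the libraries nor an error — presumably the option is meant to be consumed by the wrapping scanners that forward it into LoadPolicies, but nothing at this definition says so. The bare `// handled externally` does not tell a reader where or how; I'd replace it with `// SetUseEmbeddedLibraries is intentionally a no-op: the rego scanner loads embedded libraries only when LoadPolicies is called with enableEmbeddedLibraries=true, which the wrapping scanners pass from their own copy of this setting.` The same comment belongs on SetUseEmbeddedPolicies.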
52 changes: 26 additions & 26 deletions pkg/rego/scanner_test.go
Expand Up @@ -35,7 +35,7 @@ deny {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -70,7 +70,7 @@ deny {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"/policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"/policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -105,7 +105,7 @@ warn {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -137,7 +137,7 @@ deny {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -180,7 +180,7 @@ exception[ns] {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -228,7 +228,7 @@ exception[ns] {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -265,7 +265,7 @@ exception[rules] {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -301,7 +301,7 @@ exception[rules] {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -335,7 +335,7 @@ deny_evil {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -366,7 +366,7 @@ deny[msg] {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -404,7 +404,7 @@ deny[res] {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -446,7 +446,7 @@ deny[res] {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -500,7 +500,7 @@ deny[res] {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -549,7 +549,7 @@ deny {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -583,7 +583,7 @@ deny {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -614,7 +614,7 @@ deny {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -649,7 +649,7 @@ deny {
scanner := NewScanner(types.SourceJSON, options.ScannerWithTrace(traceBuffer))
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -683,7 +683,7 @@ deny {
scanner := NewScanner(types.SourceJSON, options.ScannerWithPerResultTracing(true))
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -721,7 +721,7 @@ deny {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -754,7 +754,7 @@ deny {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -801,7 +801,7 @@ deny {
scanner := NewScanner(types.SourceJSON)
require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{
Expand Down Expand Up @@ -840,7 +840,7 @@ deny {
scanner.SetRegoErrorLimit(0) // override to not allow any errors
assert.ErrorContains(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
"undefined ref: input.evil",
)
}
Expand All @@ -862,7 +862,7 @@ deny {
scanner := NewScanner(types.SourceDockerfile)
assert.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)
}

Expand All @@ -882,7 +882,7 @@ deny {
scanner.SetRegoErrorLimit(0) // override to not allow any errors
assert.ErrorContains(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
"undefined ref: input.evil",
)
}
Expand Down Expand Up @@ -916,7 +916,7 @@ deny {

require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{})
Expand Down Expand Up @@ -956,7 +956,7 @@ deny {

require.NoError(
t,
scanner.LoadPolicies(false, srcFS, []string{"policies"}, nil),
scanner.LoadPolicies(false, false, srcFS, []string{"policies"}, nil),
)

results, err := scanner.ScanInput(context.TODO(), Input{})
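Review bot: Every one of the 26 updated calls in this file passes `false, false`, so the new enableEmbeddedLibraries branch added to pkg/rego/load.go in this commit is not exercised here, and neither is the both-flags combination that the old single flag used to produce. A case such as `require.NoError(t, scanner.LoadPolicies(true, true, srcFS, nil, nil))` followed by a ScanInput would pin that loading libraries and policies together still works after the split, and a `(false, true, ...)` case would document what happens when embedded policies are loaded without the libraries. Whether the embedded policies actually import the embedded libraries is not visible in this diff, so the expected outcome of that second case needs confirming against the policy sources.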
33 changes: 19 additions & 14 deletions pkg/scanners/azure/arm/scanner.go
Expand Up @@ -28,17 +28,18 @@ var _ scanners.FSScanner = (*Scanner)(nil)
var _ options.ConfigurableScanner = (*Scanner)(nil)

type Scanner struct {
scannerOptions []options.ScannerOption
parserOptions []options.ParserOption
debug debug.Logger
frameworks []framework.Framework
skipRequired bool
regoOnly bool
loadEmbedded bool
policyDirs []string
policyReaders []io.Reader
regoScanner *rego.Scanner
spec string
scannerOptions []options.ScannerOption
parserOptions []options.ParserOption
debug debug.Logger
frameworks []framework.Framework
skipRequired bool
regoOnly bool
loadEmbeddedPolicies bool
loadEmbeddedLibraries bool
policyDirs []string
policyReaders []io.Reader
regoScanner *rego.Scanner
spec string
sync.Mutex
}

Expand Down Expand Up @@ -87,8 +88,12 @@ func (s *Scanner) SetDataFilesystem(_ fs.FS) {
// handled by rego when option is passed on
}

func (s *Scanner) SetUseEmbeddedPolicies(loadEmbedded bool) {
s.loadEmbedded = loadEmbedded
func (s *Scanner) SetUseEmbeddedPolicies(b bool) {
s.loadEmbeddedPolicies = b
}

func (s *Scanner) SetUseEmbeddedLibraries(b bool) {
s.loadEmbeddedLibraries = b
}

func (s *Scanner) SetFrameworks(frameworks []framework.Framework) {
Expand All @@ -109,7 +114,7 @@ func (s *Scanner) initRegoScanner(srcFS fs.FS) error {
}
regoScanner := rego.NewScanner(types.SourceCloud, s.scannerOptions...)
regoScanner.SetParentDebugLogger(s.debug)
if err := regoScanner.LoadPolicies(s.loadEmbedded, srcFS, s.policyDirs, s.policyReaders); err != nil {
if err := regoScanner.LoadPolicies(s.loadEmbeddedLibraries, s.loadEmbeddedPolicies, srcFS, s.policyDirs, s.policyReaders); err != nil {
return err
}
s.regoScanner = regoScanner
