fix: rename and/or to all/any

Signed-off-by: Xe Iaso <me@xeiaso.net>

data/apps/git-client.yaml

@@ -1,7 +1,14 @@
 - name: allow-git-clients
   action: ALLOW
   expression:
-    and:
-    - userAgent.startsWith("git/") || userAgent.contains("libgit") || userAgent.startsWith("go-git") || userAgent.startsWith("JGit/") || userAgent.startsWith("JGit-")
+    all:
     - >
-      "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"
+      (  
+        userAgent.startsWith("git/") ||
+        userAgent.contains("libgit") ||
+        userAgent.startsWith("go-git") ||
+        userAgent.startsWith("JGit/") ||
+        userAgent.startsWith("JGit-")
+      )
+    - '"Git-Protocol" in headers'
+    - headers["Git-Protocol"] == "version=2"

data/clients/go-get.yaml

@@ -1,7 +1,7 @@
 - name: go-get
   action: ALLOW
   expression:
-    and:
+    all:
     - userAgent.startsWith("Go-http-client/")
     - '"go-get" in query'
     - query["go-get"] == "1"

data/common/allow-api-like.yaml

@@ -1,6 +1,6 @@
 - name: allow-api-routes
   action: ALLOW
   expression:
-    and:
+    all:
     - '!(method == "HEAD" || method == "GET")'
     - path.startsWith("/api/")

lib/policy/celchecker.go

@@ -28,18 +28,23 @@ func NewCELChecker(cfg *config.ExpressionOrList) (*CELChecker, error) {
 	if cfg.Expression != "" {
 		src = cfg.Expression
 		var iss *cel.Issues
-		ast, iss = env.Compile(src)
+		interm, iss := env.Compile(src)
+		if iss != nil {
+			return nil, iss.Err()
+		}
+
+		ast, iss = env.Check(interm)
 		if iss != nil {
 			return nil, iss.Err()
 		}
 	}
 
-	if len(cfg.And) != 0 {
-		ast, err = expressions.Join(env, expressions.JoinAnd, cfg.And...)
+	if len(cfg.All) != 0 {
+		ast, err = expressions.Join(env, expressions.JoinAnd, cfg.All...)
 	}
 
-	if len(cfg.Or) != 0 {
-		ast, err = expressions.Join(env, expressions.JoinOr, cfg.Or...)
+	if len(cfg.Any) != 0 {
+		ast, err = expressions.Join(env, expressions.JoinOr, cfg.Any...)
 	}
 
 	if err != nil {

lib/policy/config/expressionorlist.go

@@ -14,8 +14,8 @@ var (
 
 type ExpressionOrList struct {
 	Expression string   `json:"-"`
-	And        []string `json:"and"`
-	Or         []string `json:"or"`
+	All        []string `json:"all"`
+	Any        []string `json:"any"`
 }
 
 func (eol ExpressionOrList) Equal(rhs *ExpressionOrList) bool {
@@ -23,11 +23,11 @@ func (eol ExpressionOrList) Equal(rhs *ExpressionOrList) bool {
 		return false
 	}
 
-	if !slices.Equal(eol.And, rhs.And) {
+	if !slices.Equal(eol.All, rhs.All) {
 		return false
 	}
 
-	if !slices.Equal(eol.Or, rhs.Or) {
+	if !slices.Equal(eol.Any, rhs.Any) {
 		return false
 	}
 
@@ -44,8 +44,8 @@ func (eol *ExpressionOrList) UnmarshalJSON(data []byte) error {
 		if err := json.Unmarshal(data, &val); err != nil {
 			return err
 		}
-		eol.And = val.And
-		eol.Or = val.Or
+		eol.All = val.All
+		eol.Any = val.Any
 
 		return nil
 	}
@@ -54,7 +54,7 @@ func (eol *ExpressionOrList) UnmarshalJSON(data []byte) error {
 }
 
 func (eol *ExpressionOrList) Valid() error {
-	if len(eol.And) != 0 && len(eol.Or) != 0 {
+	if len(eol.All) != 0 && len(eol.Any) != 0 {
 		return ErrExpressionCantHaveBoth
 	}
 

lib/policy/config/expressionorlist_test.go

@@ -24,10 +24,10 @@ func TestExpressionOrListUnmarshal(t *testing.T) {
 		{
 			name: "object-and",
 			inp: `{
-			"and": ["\"User-Agent\" in headers"]
+			"all": ["\"User-Agent\" in headers"]
 			}`,
 			result: &ExpressionOrList{
-				And: []string{
+				All: []string{
 					`"User-Agent" in headers`,
 				},
 			},
@@ -35,10 +35,10 @@ func TestExpressionOrListUnmarshal(t *testing.T) {
 		{
 			name: "object-or",
 			inp: `{
-			"or": ["\"User-Agent\" in headers"]
+			"any": ["\"User-Agent\" in headers"]
 			}`,
 			result: &ExpressionOrList{
-				Or: []string{
+				Any: []string{
 					`"User-Agent" in headers`,
 				},
 			},
@@ -46,8 +46,8 @@ func TestExpressionOrListUnmarshal(t *testing.T) {
 		{
 			name: "both-or-and",
 			inp: `{
-			"and": ["\"User-Agent\" in headers"],
-			"or": ["\"User-Agent\" in headers"]
+			"all": ["\"User-Agent\" in headers"],
+			"any": ["\"User-Agent\" in headers"]
 			}`,
 			validErr: ErrExpressionCantHaveBoth,
 		},

lib/policy/config/testdata/bad/multiple_expression_types.json

@@ -4,11 +4,11 @@
       "name": "multiple-expression-types",
       "action": "ALLOW",
       "expression": {
-        "and": [
+        "all": [
           "userAgent.startsWith(\"git/\") || userAgent.contains(\"libgit\")",
           "\"Git-Protocol\" in headers && headers[\"Git-Protocol\"] == \"version=2\"\n"
         ],
-        "or": [
+        "any": [
           "userAgent.startsWith(\"evilbot/\")"
         ]
       }

lib/policy/config/testdata/bad/multiple_expression_types.yaml

@@ -2,9 +2,9 @@ bots:
 - name: multiple-expression-types
   action: ALLOW
   expression:
-    and:
+    all:
     - userAgent.startsWith("git/") || userAgent.contains("libgit")
     - >
       "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"
-    or:
+    any:
     - userAgent.startsWith("evilbot/")

lib/policy/config/testdata/good/git_client.json

@@ -4,7 +4,7 @@
       "name": "allow-git-clients",
       "action": "ALLOW",
       "expression": {
-        "and": [
+        "all": [
           "userAgent.startsWith(\"git/\") || userAgent.contains(\"libgit\")",
           "\"Git-Protocol\" in headers && headers[\"Git-Protocol\"] == \"version=2\""
         ]

lib/policy/config/testdata/good/git_client.yaml

@@ -2,7 +2,7 @@ bots:
 - name: allow-git-clients
   action: ALLOW
   expression:
-    and:
+    all:
     - userAgent.startsWith("git/") || userAgent.contains("libgit")
     - >
       "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"