From 92a3e5ba8102330a8f62348b6a1efa3a9d629413 Mon Sep 17 00:00:00 2001
From: Xe Iaso
Date: Fri, 25 Apr 2025 10:52:45 -0400
Subject: [PATCH] fix: rename and/or to all/any
Signed-off-by: Xe Iaso
---
 data/apps/git-client.yaml | 13 ++++++++++---
 data/clients/go-get.yaml | 2 +-
 data/common/allow-api-like.yaml | 2 +-
 lib/policy/celchecker.go | 15 ++++++++++-----
 lib/policy/config/expressionorlist.go | 14 +++++++-------
 lib/policy/config/expressionorlist_test.go | 12 ++++++------
 .../testdata/bad/multiple_expression_types.json | 4 ++--
 .../testdata/bad/multiple_expression_types.yaml | 4 ++--
 lib/policy/config/testdata/good/git_client.json | 2 +-
 lib/policy/config/testdata/good/git_client.yaml | 2 +-
 10 files changed, 41 insertions(+), 29 deletions(-)
diff --git a/data/apps/git-client.yaml b/data/apps/git-client.yaml
index b2964937..4fba66b7 100644
--- a/data/apps/git-client.yaml
+++ b/data/apps/git-client.yaml
@@ -1,7 +1,14 @@
 - name: allow-git-clients
 action: ALLOW
 expression:
- and:
- - userAgent.startsWith("git/") || userAgent.contains("libgit") || userAgent.startsWith("go-git") || userAgent.startsWith("JGit/") || userAgent.startsWith("JGit-")
+ all:
 - >
- "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"
\ No newline at end of file
+ (
+ userAgent.startsWith("git/") ||
+ userAgent.contains("libgit") ||
+ userAgent.startsWith("go-git") ||
+ userAgent.startsWith("JGit/") ||
+ userAgent.startsWith("JGit-")
+ )
+ - '"Git-Protocol" in headers'
+ - headers["Git-Protocol"] == "version=2"
\ No newline at end of file
diff --git a/data/clients/go-get.yaml b/data/clients/go-get.yaml
index ca061e28..701bd5d8 100644
--- a/data/clients/go-get.yaml
+++ b/data/clients/go-get.yaml
@@ -1,7 +1,7 @@
 - name: go-get
 action: ALLOW
 expression:
- and:
+ all:
 - userAgent.startsWith("Go-http-client/")
 - '"go-get" in query'
 - query["go-get"] == "1"
\ No newline at end of file
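Review bot: In the `data/apps/git-client.yaml` hunk the header test is split into two list entries, so `headers["Git-Protocol"] == "version=2"` is only safe if the preceding `'"Git-Protocol" in headers'` entry still acts as its guard once the list is joined; how the entries are combined is not visible in this hunk. A short comment above the pair would stop a later edit from reordering or dropping the guard, e.g. `# keep the "in headers" entry: the map lookup below presumably errors on a missing key`. Because this is an ALLOW rule keyed entirely on request-supplied values, I would also note that in the file, e.g. `# User-Agent and Git-Protocol are client-supplied; this rule recognises git clients, it does not authenticate them`.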
diff --git a/data/common/allow-api-like.yaml b/data/common/allow-api-like.yaml
index 50738123..0cc3e3bf 100644
--- a/data/common/allow-api-like.yaml
+++ b/data/common/allow-api-like.yaml
@@ -1,6 +1,6 @@
 - name: allow-api-routes
 action: ALLOW
 expression:
- and:
+ all:
 - '!(method == "HEAD" || method == "GET")'
 - path.startsWith("/api/")
\ No newline at end of file
diff --git a/lib/policy/celchecker.go b/lib/policy/celchecker.go
index 459e5c7b..38b81e12 100644
--- a/lib/policy/celchecker.go
+++ b/lib/policy/celchecker.go
@@ -28,18 +28,23 @@ func NewCELChecker(cfg *config.ExpressionOrList) (*CELChecker, error) {
 if cfg.Expression != "" {
 src = cfg.Expression
 var iss *cel.Issues
- ast, iss = env.Compile(src)
+ interm, iss := env.Compile(src)
+ if iss != nil {
+ return nil, iss.Err()
+ }
+
+ ast, iss = env.Check(interm)
 if iss != nil {
 return nil, iss.Err()
 }
 }
- if len(cfg.And) != 0 {
- ast, err = expressions.Join(env, expressions.JoinAnd, cfg.And...)
+ if len(cfg.All) != 0 {
+ ast, err = expressions.Join(env, expressions.JoinAnd, cfg.All...)
 }
- if len(cfg.Or) != 0 {
- ast, err = expressions.Join(env, expressions.JoinOr, cfg.Or...)
+ if len(cfg.Any) != 0 {
+ ast, err = expressions.Join(env, expressions.JoinOr, cfg.Any...)
 }
 if err != nil {
diff --git a/lib/policy/config/expressionorlist.go b/lib/policy/config/expressionorlist.go
index 31f945aa..7b07a359 100644
--- a/lib/policy/config/expressionorlist.go
+++ b/lib/policy/config/expressionorlist.go
@@ -14,8 +14,8 @@ var (
 type ExpressionOrList struct {
 Expression string `json:"-"`
- And []string `json:"and"`
- Or []string `json:"or"`
+ All []string `json:"all"`
+ Any []string `json:"any"`
 }
 func (eol ExpressionOrList) Equal(rhs *ExpressionOrList) bool {
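Review bot: In the `lib/policy/celchecker.go` hunk the `All` and `Any` branches both assign `ast, err`, so when both lists are populated the `Any` result replaces the `All` one and an error from the first `Join` is lost before the `if err != nil` check; for an ALLOW rule that means a policy could load with different conditions than were written. `Valid()` rejects that combination, but nothing in this hunk shows it being called first, so I would make the branches exclusive here, e.g. `switch { case cfg.Expression != "": … case len(cfg.All) != 0: … case len(cfg.Any) != 0: … }`, or test `err` directly after each `Join`. Separately, cel-go's `env.Compile` already runs the parse and check phases, so the added `env.Check(interm)` looks redundant, and `interm, iss := …` leaves the `var iss *cel.Issues` line above it with nothing to do. `NewCELChecker` starts and ends outside the hunk.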
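Review bot: Changing the tags on `ExpressionOrList` to `json:"all"` / `json:"any"` with no fallback means a policy document that still uses `and` or `or` no longer populates either list, and as far as this diff shows nothing reports it: `encoding/json` ignores unknown keys by default, and the part of `Valid()` visible in the later hunk only rejects the case where both lists are set. Depending on what the unseen parts of `Valid()` and `NewCELChecker` do with an empty expression, an existing ALLOW or DENY rule could stop matching, or match differently, after an upgrade without any error. I would have `UnmarshalJSON` fail on the retired keys (for instance by decoding through a `json.Decoder` with `DisallowUnknownFields()`), and add a doc comment on the struct such as `// All requires every expression to match; Any requires at least one; the two are mutually exclusive.` The same concern covers the `UnmarshalJSON` and `Valid` hunks that follow in this file.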
@@ -23,11 +23,11 @@ func (eol ExpressionOrList) Equal(rhs *ExpressionOrList) bool {
 return false
 }
- if !slices.Equal(eol.And, rhs.And) {
+ if !slices.Equal(eol.All, rhs.All) {
 return false
 }
- if !slices.Equal(eol.Or, rhs.Or) {
+ if !slices.Equal(eol.Any, rhs.Any) {
 return false
 }
@@ -44,8 +44,8 @@ func (eol *ExpressionOrList) UnmarshalJSON(data []byte) error {
 if err := json.Unmarshal(data, &val); err != nil {
 return err
 }
- eol.And = val.And
- eol.Or = val.Or
+ eol.All = val.All
+ eol.Any = val.Any
 return nil
 }
@@ -54,7 +54,7 @@ func (eol *ExpressionOrList) UnmarshalJSON(data []byte) error {
 }
 func (eol *ExpressionOrList) Valid() error {
- if len(eol.And) != 0 && len(eol.Or) != 0 {
+ if len(eol.All) != 0 && len(eol.Any) != 0 {
 return ErrExpressionCantHaveBoth
 }
diff --git a/lib/policy/config/expressionorlist_test.go b/lib/policy/config/expressionorlist_test.go
index e21fe709..ea4319ed 100644
--- a/lib/policy/config/expressionorlist_test.go
+++ b/lib/policy/config/expressionorlist_test.go
@@ -24,10 +24,10 @@ func TestExpressionOrListUnmarshal(t *testing.T) {
 {
 name: "object-and",
 inp: `{
- "and": ["\"User-Agent\" in headers"]
+ "all": ["\"User-Agent\" in headers"]
 }`,
 result: &ExpressionOrList{
- And: []string{
+ All: []string{
 `"User-Agent" in headers`,
 },
 },
@@ -35,10 +35,10 @@ func TestExpressionOrListUnmarshal(t *testing.T) {
 {
 name: "object-or",
 inp: `{
- "or": ["\"User-Agent\" in headers"]
+ "any": ["\"User-Agent\" in headers"]
 }`,
 result: &ExpressionOrList{
- Or: []string{
+ Any: []string{
 `"User-Agent" in headers`,
 },
 },
@@ -46,8 +46,8 @@ func TestExpressionOrListUnmarshal(t *testing.T) {
 {
 name: "both-or-and",
 inp: `{
- "and": ["\"User-Agent\" in headers"],
- "or": ["\"User-Agent\" in headers"]
+ "all": ["\"User-Agent\" in headers"],
+ "any": ["\"User-Agent\" in headers"]
 }`,
 validErr: ErrExpressionCantHaveBoth,
 },
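Review bot: In `expressionorlist_test.go` the table cases keep their old names (`object-and`, `object-or`, `both-or-and`) while now exercising the `all`/`any` keys; renaming them to `object-all`, `object-any` and `both-all-any` keeps failure output in line with the config vocabulary. The table also has no case for input that still uses the retired keys, e.g. `{"and": ["..."]}`, so whether such a document is rejected or silently decoded into an empty `ExpressionOrList` is not pinned by any test. `TestExpressionOrListUnmarshal` continues outside these hunks.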
diff --git a/lib/policy/config/testdata/bad/multiple_expression_types.json b/lib/policy/config/testdata/bad/multiple_expression_types.json
index f532c2b3..8b852768 100644
--- a/lib/policy/config/testdata/bad/multiple_expression_types.json
+++ b/lib/policy/config/testdata/bad/multiple_expression_types.json
@@ -4,11 +4,11 @@
 "name": "multiple-expression-types",
 "action": "ALLOW",
 "expression": {
- "and": [
+ "all": [
 "userAgent.startsWith(\"git/\") || userAgent.contains(\"libgit\")",
 "\"Git-Protocol\" in headers && headers[\"Git-Protocol\"] == \"version=2\"\n"
 ],
- "or": [
+ "any": [
 "userAgent.startsWith(\"evilbot/\")"
 ]
 }
diff --git a/lib/policy/config/testdata/bad/multiple_expression_types.yaml b/lib/policy/config/testdata/bad/multiple_expression_types.yaml
index 3b6b8607..f7aa5463 100644
--- a/lib/policy/config/testdata/bad/multiple_expression_types.yaml
+++ b/lib/policy/config/testdata/bad/multiple_expression_types.yaml
@@ -2,9 +2,9 @@ bots:
 - name: multiple-expression-types
 action: ALLOW
 expression:
- and:
+ all:
 - userAgent.startsWith("git/") || userAgent.contains("libgit")
 - >
 "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"
- or:
+ any:
 - userAgent.startsWith("evilbot/")
diff --git a/lib/policy/config/testdata/good/git_client.json b/lib/policy/config/testdata/good/git_client.json
index 13b20349..68a2b3e8 100644
--- a/lib/policy/config/testdata/good/git_client.json
+++ b/lib/policy/config/testdata/good/git_client.json
@@ -4,7 +4,7 @@
 "name": "allow-git-clients",
 "action": "ALLOW",
 "expression": {
- "and": [
+ "all": [
 "userAgent.startsWith(\"git/\") || userAgent.contains(\"libgit\")",
 "\"Git-Protocol\" in headers && headers[\"Git-Protocol\"] == \"version=2\""
 ]
diff --git a/lib/policy/config/testdata/good/git_client.yaml b/lib/policy/config/testdata/good/git_client.yaml
index 9e894980..44aa2da3 100644
--- a/lib/policy/config/testdata/good/git_client.yaml
+++ b/lib/policy/config/testdata/good/git_client.yaml
@@ -2,7 +2,7 @@ bots:
 - name: allow-git-clients
 action: ALLOW
 expression:
- and:
+ all:
 - userAgent.startsWith("git/") || userAgent.contains("libgit")
 - >
 "Git-Protocol" in headers && headers["Git-Protocol"] == "version=2"