feat: adapt CLI to pass data instead of queries

Author: m-pizarro

src/plugins/policyPack/index.ts

@@ -137,10 +137,12 @@ export default class PolicyPackPlugin extends Plugin {
   }
 
   private async executeRule({
+    data,
     rules,
     policyPack,
     storageEngine,
   }: {
+    data: any,
     rules: Rule[]
     policyPack: string
     storageEngine: StorageEngine
@@ -159,18 +161,17 @@ export default class PolicyPackPlugin extends Plugin {
 
           findings.push(
             ...(await this.executeRule({
+              data,
               rules: subRules,
               policyPack,
               storageEngine,
             }))
           )
         } else {
-          const { data } = rule.gql
-            ? await storageEngine.query(rule.gql)
-            : { data: undefined }
+          const ruleData = rule.gql ? data : undefined
           const results = (await this.policyPacksPlugins[
             policyPack
-          ]?.engine?.processRule(rule, data)) as RuleFinding[]
+          ]?.engine?.processRule(rule, ruleData)) as RuleFinding[]
 
           findings.push(...results)
         }
@@ -274,13 +275,69 @@ export default class PolicyPackPlugin extends Plugin {
     }
   }
 
+  private getLinkedData({ providerData }: { providerData: ProviderData }): any {
+    const linkedData = {}
+    const allEntities = providerData?.entities || []
+    const allConnections = providerData?.connections || {}
+    const entitiesById: { [key: string]: any } = {}
+
+    for (const entity of allEntities) {
+      // AddawsEc2Input! => queryawsEc2
+      const mutationName = /(?<=\[)(.*?)(?=\])/
+        .exec(entity.mutation as any)[0]
+        .replace('Add', 'query')
+        .replace('Input!', '')
+
+      linkedData[mutationName] = entity.data
+
+      for (const entityData of entity.data) {
+        entitiesById[entityData.id] = entityData
+        // eslint-disable-next-line no-underscore-dangle
+        entityData.__typename = mutationName.replace('query', '') // or entity.name?
+      }
+    }
+
+    // connect data on a second pass
+    for (const entityId of Object.keys(allConnections)) {
+      const entityConnections = allConnections[entityId]
+      const entity = entitiesById[entityId]
+      if (!entity) {
+        // eslint-disable-next-line no-continue
+        continue
+      }
+      for (const conn of entityConnections) {
+        const targetEntity = entitiesById[conn.id]
+        if (!targetEntity) {
+          // eslint-disable-next-line no-continue
+          continue
+        }
+        if (conn.relation === 'child') {
+          if (!entity[conn.field]) {
+            entity[conn.field] = []
+          }
+          entity[conn.field].push(targetEntity)
+          // inverse relation
+          // const inverseConnField = this.schemasMap[entity.__typename] || 'account' // @TODO: account doesn't have a name
+          // if (!targetEntity[inverseConnField]) {
+          //   targetEntity[inverseConnField] = []
+          // }
+          // targetEntity[inverseConnField].push(entity)
+        } // else parent relation.. is not used atm
+      }
+    }
+
+    return linkedData
+  }
+
   async execute({
     storageRunning,
     storageEngine,
+    providerData,
     processConnectionsBetweenEntities,
   }: {
     storageRunning: boolean
     storageEngine: StorageEngine
+    providerData: ProviderData
     processConnectionsBetweenEntities: (props: {
       provider?: string
       providerData: ProviderData
@@ -314,7 +371,10 @@ export default class PolicyPackPlugin extends Plugin {
           mergeSchemas(currentSchema, findingsSchema),
         ])
 
+        const linkedData = this.getLinkedData({ providerData })
+
         const findings = await this.executeRule({
+          data: linkedData,
           rules,
           policyPack,
           storageEngine,

src/rules-engine/evaluators/json-evaluator.ts

@@ -20,9 +20,12 @@ export default class JsonEvaluator implements RuleEvaluator<JsonRule> {
   }
 
   async evaluateSingleResource(
-    { id, conditions, severity }: JsonRule,
+    { id, conditions, severity, exclude }: JsonRule,
     data: ResourceData
   ): Promise<RuleFinding> {
+    if (exclude && (await this.evaluateCondition(exclude, data))) {
+      return
+    }
     const result = (await this.evaluateCondition(conditions, data))
       ? RuleResult.MATCHES
       : RuleResult.DOESNT_MATCH
@@ -157,6 +160,7 @@ export default class JsonEvaluator implements RuleEvaluator<JsonRule> {
 
     if (firstArg && jqQuery) {
       firstArg = await this.runJq(firstArg, jqQuery)
+      data.data = lodash.cloneDeep(data.data)
       lodash.set(data.data, data.elementPath, firstArg)
     }
 

src/rules-engine/index.ts

@@ -51,6 +51,8 @@ export default class RulesProvider implements Engine {
   ): Promise<RuleFinding> => {
     const finding = await evaluator.evaluateSingleResource(rule, data)
 
+    if (!finding) return
+    
     // Inject extra fields
     for (const field of this.dataProcessor.extraFields) {
       finding[field] = data.resource[field]

src/rules-engine/operators/common.ts

@@ -13,6 +13,8 @@ export default {
       return shouldBeEmpty ? hasKeys === 0 : hasKeys > 0
     }
 
-    return false
+    return (
+      (data === null || data === undefined || data === '') === shouldBeEmpty
+    )
   },
 }

src/rules-engine/types.ts

@@ -65,6 +65,7 @@ export interface RuleFinding extends Finding {
 
 export interface JsonRule extends Rule {
   conditions: Condition
+  exclude?: Condition
 }
 
 export interface JsRule extends Rule {