feat: Refactored RulesEngine to allow composite rules

Author: Marco Franceschi

src/plugins/policyPack/index.ts

@@ -130,6 +130,55 @@ export default class PolicyPackPlugin extends Plugin {
     }
   }
 
+  private async executeRule({
+    rules,
+    policyPack,
+    storageEngine,
+  }: {
+    rules: Rule[]
+    policyPack: string
+    storageEngine: StorageEngine
+  }): Promise<RuleFinding[]> {
+    const findings: RuleFinding[] = []
+
+    // Run rules:
+    for (const rule of rules) {
+      try {
+        if (rule.queries?.length > 0) {
+          const { queries, ...ruleMetadata } = rule
+          const subRules = queries.map(q => ({
+            ...q,
+            ...ruleMetadata,
+          }))
+
+          findings.push(
+            ...(await this.executeRule({
+              rules: subRules,
+              policyPack,
+              storageEngine,
+            }))
+          )
+        } else {
+          const { data } = rule.gql
+            ? await storageEngine.query(rule.gql)
+            : { data: undefined }
+          const results = (await this.policyPacksPlugins[
+            policyPack
+          ]?.engine?.processRule(rule, data)) as RuleFinding[]
+
+          findings.push(...results)
+        }
+      } catch (error) {
+        this.logger.error(
+          `Error processing rule ${rule.id} for ${policyPack} policy pack`
+        )
+        this.logger.debug(error)
+      }
+    }
+
+    return findings
+  }
+
   async configure(
     pluginManager: PluginManager,
     plugins: ConfiguredPlugin[]
@@ -239,26 +288,11 @@ export default class PolicyPackPlugin extends Plugin {
           mergeSchemas(currentSchema, findingsSchema),
         ])
 
-        const findings: RuleFinding[] = []
-
-        // Run rules:
-        for (const rule of rules) {
-          try {
-            const { data } = rule.gql
-              ? await storageEngine.query(rule.gql)
-              : { data: undefined }
-            const results = (await this.policyPacksPlugins[
-              policyPack
-            ]?.engine?.processRule(rule, data)) as RuleFinding[]
-
-            findings.push(...results)
-          } catch (error) {
-            this.logger.error(
-              `Error processing rule ${rule.id} for ${policyPack} policy pack`
-            )
-            this.logger.debug(error)
-          }
-        }
+        const findings = await this.executeRule({
+          rules,
+          policyPack,
+          storageEngine,
+        })
 
         // Prepare mutations
         const mutations = engine?.prepareMutations(findings)
@@ -279,7 +313,6 @@ export default class PolicyPackPlugin extends Plugin {
         )
         this.logger.successSpinner('success')
 
-        // TODO: Use table to display results
         const results = findings.filter(
           finding => finding.result === Result.FAIL
         )

src/rules-engine/evaluators/composite-evaluator.ts

@@ -1,3 +1,6 @@
+import groupBy from 'lodash/groupBy'
+import isEmpty from 'lodash/isEmpty'
+import { Entity } from '../../types'
 import {
   JsRule,
   ResourceData,
@@ -9,6 +12,17 @@ import {
 import { RuleEvaluator } from './rule-evaluator'
 
 export default class JsEvaluator implements RuleEvaluator<JsRule> {
+  private readonly findings: RuleFinding[] = []
+
+  private readonly providerName
+
+  private readonly entityName
+
+  constructor(providerName: string, entityName: string) {
+    this.entityName = entityName
+    this.providerName = providerName
+  }
+
   canEvaluate(rule: Rule | JsRule): boolean {
     return 'check' in rule
   }
@@ -32,4 +46,53 @@ export default class JsEvaluator implements RuleEvaluator<JsRule> {
 
     return finding
   }
+
+  // TODO: Share logic with the JSON evaluator
+  prepareMutations(): Entity[] {
+    const mutations = []
+
+    // Group Findings by schema type
+    const findingsByType = groupBy(this.findings, 'typename')
+
+    for (const findingType in findingsByType) {
+      if (!isEmpty(findingType)) {
+        // Group Findings by resource
+        const findingsByResource = groupBy(
+          findingsByType[findingType],
+          'resourceId'
+        )
+
+        for (const resource in findingsByResource) {
+          if (resource) {
+            const data = (
+              (findingsByResource[resource] as RuleFinding[]) || []
+            ).map(({ typename, ...properties }) => properties)
+
+            // Create dynamically update mutations by resource
+            const updateMutation = {
+              name: `${this.providerName}${this.entityName}Findings`,
+              mutation: `mutation update${findingType}($input: Update${findingType}Input!) {
+                update${findingType}(input: $input) {
+                  numUids
+                }
+              }
+              `,
+              data: {
+                filter: {
+                  id: { eq: resource },
+                },
+                set: {
+                  [`${this.entityName}Findings`]: data,
+                },
+              },
+            }
+
+            mutations.push(updateMutation)
+          }
+        }
+      }
+    }
+
+    return mutations
+  }
 }

src/rules-engine/evaluators/js-evaluator.ts

@@ -1,4 +1,4 @@
-import lodash from 'lodash'
+import lodash, { groupBy, isEmpty } from 'lodash'
 import * as jqNode from 'node-jq'
 import {
   Condition,
@@ -13,8 +13,20 @@ import {
 import { RuleEvaluator } from './rule-evaluator'
 import AdditionalOperators from '../operators'
 import ComparisonOperators from '../operators/comparison'
+import { Entity } from '../../types'
 
 export default class JsonEvaluator implements RuleEvaluator<JsonRule> {
+  private readonly findings: RuleFinding[] = []
+
+  private readonly providerName
+
+  private readonly entityName
+
+  constructor(providerName: string, entityName: string) {
+    this.entityName = entityName
+    this.providerName = providerName
+  }
+
   canEvaluate(rule: JsonRule): boolean {
     return 'conditions' in rule
   }
@@ -35,6 +47,7 @@ export default class JsonEvaluator implements RuleEvaluator<JsonRule> {
       typename: data.resource?.__typename, // eslint-disable-line no-underscore-dangle
       rule: ruleMetadata,
     } as RuleFinding
+    this.findings.push(finding)
 
     return finding
   }
@@ -174,4 +187,52 @@ export default class JsonEvaluator implements RuleEvaluator<JsonRule> {
       return data
     }
   }
+
+  prepareMutations(): Entity[] {
+    const mutations = []
+
+    // Group Findings by schema type
+    const findingsByType = groupBy(this.findings, 'typename')
+
+    for (const findingType in findingsByType) {
+      if (!isEmpty(findingType)) {
+        // Group Findings by resource
+        const findingsByResource = groupBy(
+          findingsByType[findingType],
+          'resourceId'
+        )
+
+        for (const resource in findingsByResource) {
+          if (resource) {
+            const data = (
+              (findingsByResource[resource] as RuleFinding[]) || []
+            ).map(({ typename, ...properties }) => properties)
+
+            // Create dynamically update mutations by resource
+            const updateMutation = {
+              name: `${this.providerName}${this.entityName}Findings`,
+              mutation: `mutation update${findingType}($input: Update${findingType}Input!) {
+                update${findingType}(input: $input) {
+                  numUids
+                }
+              }
+              `,
+              data: {
+                filter: {
+                  id: { eq: resource },
+                },
+                set: {
+                  [`${this.entityName}Findings`]: data,
+                },
+              },
+            }
+
+            mutations.push(updateMutation)
+          }
+        }
+      }
+    }
+
+    return mutations
+  }
 }

src/rules-engine/evaluators/json-evaluator.ts

@@ -1,22 +1,50 @@
+import { Entity } from '../../types'
 import { JsonRule, Result, Rule, RuleFinding } from '../types'
 import { RuleEvaluator } from './rule-evaluator'
 
 export default class ManualEvaluator implements RuleEvaluator<JsonRule> {
+  private readonly findings: RuleFinding[] = []
+
+  private readonly providerName
+
+  private readonly entityName
+
+  constructor(providerName: string, entityName: string) {
+    this.entityName = entityName
+    this.providerName = providerName
+  }
+
   canEvaluate(rule: Rule): boolean {
-    return (
-      !('gql' in rule) &&
-      !('conditions' in rule) &&
-      !('resource' in rule) &&
-      !('relatedRules' in rule)
-    )
+    return !('gql' in rule) && !('conditions' in rule) && !('resource' in rule)
   }
 
   async evaluateSingleResource(rule: Rule): Promise<RuleFinding> {
-    return {
+    const finding = {
       id: `${rule.id}/manual`,
       result: Result.SKIPPED,
       typename: 'manual',
       rule,
     } as RuleFinding
+    this.findings.push(finding)
+    return finding
+  }
+
+  prepareMutations(): Entity[] {
+    const manualFindings = this.findings.map(({ typename, ...finding }) => ({
+      ...finding,
+    }))
+    return [
+      {
+        name: `${this.providerName}${this.entityName}Findings`,
+        mutation: `
+      mutation($input: [Add${this.providerName}${this.entityName}FindingsInput!]!) {
+        add${this.providerName}${this.entityName}Findings(input: $input, upsert: true) {
+          numUids
+        }
+      }
+      `,
+        data: manualFindings,
+      },
+    ]
   }
 }

src/rules-engine/evaluators/manual-evaluator.ts

@@ -1,7 +1,8 @@
+import { Entity } from '../../types'
 import { ResourceData, Rule, RuleFinding } from '../types'
 
 export interface RuleEvaluator<K extends Rule> {
   canEvaluate: (rule: K) => boolean
   evaluateSingleResource: (rule: K, data?: ResourceData) => Promise<RuleFinding>
-  // @TODO complex rules can take a query and return an array of resourceId + Result
+  prepareMutations: () => Entity[]
 }