Merge pull request #18 from cloudgraphdev/feature/EP-1988-main

tyler-dunkel · web-flow · commit d4acc6e2d029 · 2022-06-29T22:28:40.000-05:00
feat: adapt CLI to pass data instead of queries
diff --git a/src/plugins/policyPack/index.ts b/src/plugins/policyPack/index.ts
@@ -15,6 +15,7 @@ import { Result, Rule, Severity } from '../../rules-engine/types'
 import Plugin, { ConfiguredPlugin, PluginManager } from '../types'
 import DgraphDataProcessor from '../../rules-engine/data-processors/dgraph-data-processor'
 import DataProcessor from '../../rules-engine/data-processors/data-processor'
+import getLinkedData from '../../utils/data'
 
 export default class PolicyPackPlugin extends Plugin {
   constructor({
@@ -137,13 +138,13 @@ export default class PolicyPackPlugin extends Plugin {
   }
 
   private async executeRule({
+    data,
     rules,
     policyPack,
-    storageEngine,
   }: {
+    data: any,
     rules: Rule[]
     policyPack: string
-    storageEngine: StorageEngine
   }): Promise<RuleFinding[]> {
     const findings: RuleFinding[] = []
 
@@ -159,18 +160,16 @@ export default class PolicyPackPlugin extends Plugin {
 
           findings.push(
             ...(await this.executeRule({
+              data,
               rules: subRules,
               policyPack,
-              storageEngine,
             }))
           )
         } else {
-          const { data } = rule.gql
-            ? await storageEngine.query(rule.gql)
-            : { data: undefined }
+          const ruleData = rule.gql ? data : undefined
           const results = (await this.policyPacksPlugins[
             policyPack
-          ]?.engine?.processRule(rule, data)) as RuleFinding[]
+          ]?.engine?.processRule(rule, ruleData)) as RuleFinding[]
 
           findings.push(...results)
         }
@@ -277,10 +276,12 @@ export default class PolicyPackPlugin extends Plugin {
   async execute({
     storageRunning,
     storageEngine,
+    providerData,
     processConnectionsBetweenEntities,
   }: {
     storageRunning: boolean
     storageEngine: StorageEngine
+    providerData: ProviderData
     processConnectionsBetweenEntities: (props: {
       provider?: string
       providerData: ProviderData
@@ -314,10 +315,13 @@ export default class PolicyPackPlugin extends Plugin {
           mergeSchemas(currentSchema, findingsSchema),
         ])
 
+        // Format metadata and link connections
+        const linkedData = getLinkedData(providerData)
+
         const findings = await this.executeRule({
+          data: linkedData,
           rules,
           policyPack,
-          storageEngine,
         })
 
         // Prepare mutations
diff --git a/src/rules-engine/evaluators/json-evaluator.ts b/src/rules-engine/evaluators/json-evaluator.ts
@@ -20,9 +20,12 @@ export default class JsonEvaluator extends BaseEvaluator<JsonRule> {
   }
 
   async evaluateSingleResource(
-    { id, conditions, severity }: JsonRule,
+    { id, conditions, severity, exclude }: JsonRule,
     data: ResourceData
   ): Promise<RuleFinding> {
+    if (exclude && (await this.evaluateCondition(exclude, data))) {
+      return
+    }
     const result = (await this.evaluateCondition(conditions, data))
       ? RuleResult.MATCHES
       : RuleResult.DOESNT_MATCH
@@ -157,6 +160,7 @@ export default class JsonEvaluator extends BaseEvaluator<JsonRule> {
 
     if (firstArg && jqQuery) {
       firstArg = await this.runJq(firstArg, jqQuery)
+      data.data = lodash.cloneDeep(data.data)
       lodash.set(data.data, data.elementPath, firstArg)
     }
 
diff --git a/src/rules-engine/index.ts b/src/rules-engine/index.ts
@@ -51,6 +51,8 @@ export default class RulesProvider implements Engine {
   ): Promise<RuleFinding> => {
     const finding = await evaluator.evaluateSingleResource(rule, data)
 
+    if (!finding) return
+    
     // Inject extra fields
     for (const field of this.dataProcessor.extraFields) {
       finding[field] = data.resource[field]
diff --git a/src/rules-engine/operators/common.ts b/src/rules-engine/operators/common.ts
@@ -13,6 +13,8 @@ export default {
       return shouldBeEmpty ? hasKeys === 0 : hasKeys > 0
     }
 
-    return false
+    return (
+      (data === null || data === undefined || data === '') === shouldBeEmpty
+    )
   },
 }
diff --git a/src/rules-engine/types.ts b/src/rules-engine/types.ts
@@ -65,6 +65,7 @@ export interface RuleFinding extends Finding {
 
 export interface JsonRule extends Rule {
   conditions: Condition
+  exclude?: Condition
 }
 
 export interface JsRule extends Rule {
diff --git a/src/utils/data.ts b/src/utils/data.ts
@@ -0,0 +1,57 @@
+import { ProviderData } from '../types'
+
+const getLinkedData = (providerData: ProviderData): any => {
+  const linkedData = {}
+  const allEntities = providerData?.entities || []
+  const allConnections = providerData?.connections || {}
+  const entitiesById: { [key: string]: any } = {}
+
+  for (const entity of allEntities) {
+    // AddawsEc2Input! => queryawsEc2
+    const mutationName = /(?<=\[)(.*?)(?=\])/
+      .exec(entity.mutation as any)[0]
+      .replace('Add', 'query')
+      .replace('Input!', '')
+
+    linkedData[mutationName] = entity.data
+
+    for (const entityData of entity.data) {
+      entitiesById[entityData.id] = entityData
+      // eslint-disable-next-line no-underscore-dangle
+      entityData.__typename = mutationName.replace('query', '') // or entity.name?
+    }
+  }
+
+  // connect data on a second pass
+  for (const entityId of Object.keys(allConnections)) {
+    const entityConnections = allConnections[entityId]
+    const entity = entitiesById[entityId]
+    if (!entity) {
+      // eslint-disable-next-line no-continue
+      continue
+    }
+    for (const conn of entityConnections) {
+      const targetEntity = entitiesById[conn.id]
+      if (!targetEntity) {
+        // eslint-disable-next-line no-continue
+        continue
+      }
+      if (conn.relation === 'child') {
+        if (!entity[conn.field]) {
+          entity[conn.field] = []
+        }
+        entity[conn.field].push(targetEntity)
+        // inverse relation
+        // const inverseConnField = this.schemasMap[entity.__typename] || 'account' // @TODO: account doesn't have a name
+        // if (!targetEntity[inverseConnField]) {
+        //   targetEntity[inverseConnField] = []
+        // }
+        // targetEntity[inverseConnField].push(entity)
+      } // else parent relation.. is not used atm
+    }
+  }
+
+  return linkedData
+}
+
+export default getLinkedData

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,8 @@ export default {`
`13`	`13`	`return shouldBeEmpty ? hasKeys === 0 : hasKeys > 0`
`14`	`14`	`}`
`15`	`15`
`16`		`- return false`
	`16`	`+ return (`
	`17`	`+ (data === null \|\| data === undefined \|\| data === '') === shouldBeEmpty`
	`18`	`+ )`
`17`	`19`	`},`
`18`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,7 @@ export interface RuleFinding extends Finding {`
`65`	`65`
`66`	`66`	`export interface JsonRule extends Rule {`
`67`	`67`	`conditions: Condition`
	`68`	`+ exclude?: Condition`
`68`	`69`	`}`
`69`	`70`
`70`	`71`	`export interface JsRule extends Rule {`