Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ensure OPA strict mode compliance #429

Merged
merged 1 commit into from
Dec 6, 2023

Conversation

anderseknert
Copy link
Member

Hi Gatekeeper friends! 👋😃

In order to ensure the Gatekeeper library works with future updates of OPA, and to better catch some common mistakes in Rego policy, this PR aims to fix all errors reported from opa check --strict src, and to make sure future changes are compliant with the OPA strict mode checks.

The errors raised from strict mode, and which are fixed with this PR, include:

  • input must not be shadowed/assigned
  • Unused function args — use wildcards (_) in their place
  • Unused local assignment
  • Deprecated built-in functions
    • re_match -> regex.match
    • all -> these were not needed
    • any -> strings.any_prefix_match and strings.any_suffix_match
      as these were always used together with startswith/endswith

The by far most noisy fix was the first one, i.e. input getting shadowed in basically all tests. Changed to use inp for a name as in is of course another name we don't want to shadow 😅

The changes here do not change semantics of the code. I did however also make some additional fixes where e.g. the unused function args error showed that a function wasn't needed in the first place, and so on. Naturally, all tests pass as before.

Two things I'm not sure about:

  1. The code introduces the strings.any_prefix_match and strings.any_suffix_match built-in functions in one policy. These were introduced in OPA v0.44.0, which is quite a few OPA and Gatekeeper versions ago. I could not find information on what the minimum version of OPA or Gatekeeper must be supported in the Rego code in this library. If needed, that change can be reverted.
  2. https://github.com/open-policy-agent/gatekeeper-library mentions Versioning. Should I update the versions of each policy changed with this PR?

To make sure the code stays compliant, I've added the opa check --strict command to execute with the test.sh script, before the unit tests run.

@anderseknert anderseknert requested a review from a team as a code owner October 30, 2023 19:23
@anderseknert anderseknert force-pushed the check-strict branch 3 times, most recently from 1839c6e to 1de0f97 Compare October 30, 2023 19:50
@anderseknert
Copy link
Member Author

Generating artifact hub content for  /home/runner/work/gatekeeper-library/gatekeeper-library/library/general/allowedrepos
panic: looks like template.yaml is updated but the version is not. Please update the 'metadata.gatekeeper.sh/version' annotation in the template.yaml source

I guess that answered my question about whether versioning was needed 😄
Am I correct to think a patch version bump would be needed for these changes?

@apeabody
Copy link
Contributor

apeabody commented Oct 30, 2023

Generating artifact hub content for  /home/runner/work/gatekeeper-library/gatekeeper-library/library/general/allowedrepos
panic: looks like template.yaml is updated but the version is not. Please update the 'metadata.gatekeeper.sh/version' annotation in the template.yaml source

I guess that answered my question about whether versioning was needed 😄 Am I correct to think a patch version bump would be needed for these changes?

Hi @anderseknert - Yup, assuming these are all backward compatible with no change in behavior, they can just be a patch version bumps.

@anderseknert
Copy link
Member Author

@apeabody all versions now bumped accordingly, and the tests seemingly pleased.

Copy link
Contributor

@apeabody apeabody left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution @anderseknert!

A second maintainer will also need to review.

@maxsmythe maxsmythe requested review from sozercan and ritazh October 30, 2023 22:57
@maxsmythe
Copy link
Contributor

@anderseknert

Quick question about not being able to override input. Gatekeeper's Rego driver relies on this behavior to get constraint arguments in a performant manner. We could switch to specifying the input directly for each individual constraint, but in (admittedly old) performance testing, that was found to be slower.

The question is... will the below linked Rego code eventually break?

https://github.com/open-policy-agent/frameworks/blob/3eb381ce6cbedf3c1adedf2bfb20aa5e491c5baa/constraint/pkg/client/drivers/rego/rego.go#L27-L37

@anderseknert
Copy link
Member Author

@maxsmythe no, that's fine! You can still override input using with. You just can't shadow the global input variable itself, i.e. not input := { ... } but inp := { ... } (or any other name). Saying with input as inp or with input as { ... } is just doing what with is there for 🙂

@maxsmythe
Copy link
Contributor

@anderseknert Awesome, thanks for clarifying!

@apeabody
Copy link
Contributor

apeabody commented Nov 3, 2023

@sozercan - We are now testing with both OPA versions, when convenient PTAL

@apeabody apeabody requested a review from sozercan November 8, 2023 00:29
@apeabody
Copy link
Contributor

Hi @sozercan or @ritazh Please take a look when convenient - Thanks!

Copy link
Contributor

@nilekhc nilekhc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@anderseknert

Looks like unit tests are failing. Could you PTAL?

@apeabody
Copy link
Contributor

apeabody commented Dec 6, 2023

@anderseknert

Looks like unit tests are failing. Could you PTAL?

Ahh, looks like it is the k8sdisallowinteractivetty template added in 2d99845

src/general/disallowinteractive/src_test.rego:4: rego_compile_error: variables must not shadow input (use a different variable name)
src/general/disallowinteractive/src_test.rego:9: rego_compile_error: variables must not shadow input (use a different variable name)
src/general/disallowinteractive/src_test.rego:14: rego_compile_error: variables must not shadow input (use a different variable name)
src/general/disallowinteractive/src_test.rego:19: rego_compile_error: variables must not shadow input (use a different variable name)
src/general/disallowinteractive/src_test.rego:24: rego_compile_error: variables must not shadow input (use a different variable name)
src/general/disallowinteractive/src_test.rego:29: rego_compile_error: variables must not shadow input (use a different variable name)
src/general/disallowinteractive/src_test.rego:34: rego_compile_error: variables must not shadow input (use a different variable name)
src/general/disallowinteractive/src_test.rego:39: rego_compile_error: variables must not shadow input (use a different variable name)
src/general/disallowinteractive/src_test.rego:44: rego_compile_error: variables must not shadow input (use a different variable name)

Hi Gatekeeper friends! 👋😃

In order to ensure the Gatekeeper library works with future
updates of OPA, and to better catch some common mistakes in
Rego policy in the future, this PR aims to fix all errors
reported from `opa check --strict src`, and to make sure
future changes are compliant with the OPA
[strict mode](https://www.openpolicyagent.org/docs/latest/policy-language/#strict-mode)
checks.

The errors raised from strict mode, and which are fixed with
this PR, include:

* `input` must not be shadowed/assigned
* Unused function args — use wildcards (`_`) in their place
* Unused local assignment
* Deprecated built-in functions
  * `re_match` -> `regex.match`
  * `all` -> these were not needed
  * `any` -> `strings.any_prefix_match` and `strings.any_suffix_match`
     as these were always used together with `startswith`/`endswith`

The by far most noisy fix was the first one, i.e. `input` getting
shadowed in basically all tests. Changed to use `inp` for a name
as `in` is of course another name we don't want to shadow 😅

The changes here do not change semantics of the code. I did however
also make some additional fixes where e.g. the unused function args
error showed that a function wasn't needed in the first place, and
so on. Naturally, all tests pass as before.

Two things I'm not sure about:

1. The code introduces the `strings.any_prefix_match` and
   `strings.any_suffix_match` built-in functions in one policy. These
   were introduced in OPA v0.44.0, which is quite a few OPA and
   Gatekeeper versions ago. I could not find information on what the
   minimum version of OPA or Gatekeeper must be supported in the Rego
   code in this library. If needed, that change can be reverted.
2. https://github.com/open-policy-agent/gatekeeper-library mentions
   Versioning. Should I update the versions of each policy changed
   with this PR?

To make sure the code stays compliant, I've added the
`opa check --strict` command to execute with the `test.sh` script,
before the unit tests run.

Signed-off-by: Anders Eknert <anders@styra.com>
@anderseknert
Copy link
Member Author

Yes, some new tests overloading input, as is now verboten. I just fixed that and pushed.

@nilekhc nilekhc merged commit 3f72d58 into open-policy-agent:master Dec 6, 2023
16 checks passed
@anderseknert anderseknert deleted the check-strict branch December 6, 2023 19:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants