regorus 0.9.1

A fast, lightweight Rego (OPA policy language) interpreter
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250

// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
#![allow(clippy::indexing_slicing)]

use super::super::error::TargetCompileError;
#[cfg(feature = "azure_policy")]
use super::super::TargetInfo;
use super::super::*;

fn format_effect_names(names: &[String]) -> String {
    match names.len() {
        0 => String::new(),
        1 => names[0].clone(),
        2 => format!("{} or {}", names[0], names[1]),
        _ => {
            if let Some((last, rest)) = names.split_last() {
                format!("{} or {}", rest.join(", "), last)
            } else {
                String::new()
            }
        }
    }
}

pub fn resolve_target(interpreter: &mut Interpreter) -> Result<(), TargetCompileError> {
    use crate::registry::targets;

    let mut target_name: Option<String> = None;
    let mut target_package: Option<String> = None;

    // Check all modules for target specifications
    for module in interpreter.compiled_policy.modules.iter() {
        if let Some(ref module_target) = module.target {
            // Get the package path for this module
            let module_package = Interpreter::get_path_string(&module.package.refr, None)
                .map_err(|_| TargetCompileError::TargetNotFound(module_target.clone().into()))?;

            match &target_name {
                None => {
                    // First target found
                    target_name = Some(module_target.clone());
                    target_package = Some(module_package);
                }
                Some(existing_target) => {
                    // Ensure all modules specify the same target
                    if existing_target != module_target {
                        return Err(TargetCompileError::ConflictingTargets {
                            existing: existing_target.as_str().into(),
                            conflicting: module_target.as_str().into(),
                        });
                    }

                    // Ensure all modules with targets have the same package
                    if let Some(ref existing_package) = target_package {
                        if existing_package != &module_package {
                            return Err(TargetCompileError::ConflictingPackages {
                                target: module_target.as_str().into(),
                                existing_package: existing_package.as_str().into(),
                                conflicting_package: module_package.as_str().into(),
                            });
                        }
                    }
                }
            }
        }
    }

    // If a target is specified, retrieve it from the registry
    if let Some(target_name) = target_name {
        match targets::get(&target_name) {
            Some(target) => {
                // Target found in registry - store it in the compiled policy
                // We'll set a default effect schema here, but it will be updated in resolve_effect
                // once we determine which effect actually has rules defined
                let default_effect_schema = match target.effects.values().next() {
                    Some(schema) => schema.clone(),
                    None => {
                        return Err(TargetCompileError::TargetNotFound(
                            format!("Target '{}' has no effects defined", target_name)
                                .as_str()
                                .into(),
                        ));
                    }
                };
                let target_info = TargetInfo {
                    target,
                    package: match target_package {
                        Some(pkg) => pkg.as_str().into(),
                        None => {
                            return Err(TargetCompileError::TargetNotFound(
                                format!("No package found for target '{}'", target_name)
                                    .as_str()
                                    .into(),
                            ));
                        }
                    },
                    effect_schema: default_effect_schema,
                    effect_name: "".into(), // Will be updated in resolve_effect
                    effect_path: "".into(), // Will be updated in resolve_effect
                };
                interpreter.compiled_policy_mut().target_info = Some(target_info);
            }
            None => {
                return Err(TargetCompileError::TargetNotFound(
                    target_name.as_str().into(),
                ));
            }
        }
    } else {
        // No target specified - this is an error when using compile_for_target
        return Err(TargetCompileError::NoTargetSpecified);
    }

    Ok(())
}

pub fn resolve_effect(interpreter: &mut Interpreter) -> Result<(), TargetCompileError> {
    // Check if we have target info from resolve_target
    if let Some(ref target_info) = interpreter.compiled_policy.target_info {
        let target = &target_info.target;
        let package = &target_info.package;

        let mut effects_with_rules = Vec::new();

        // For each effect defined in the target, check if rules exist
        for effect_name in target.effects.keys() {
            // Rule keys are stored with "data." prefix in CompiledPolicy
            let expected_path = format!("data.{}.{}", package, effect_name);

            // Disallow sub-paths for effects in rules.
            for rule_path in interpreter.compiled_policy.rules.keys() {
                if rule_path.starts_with(&expected_path) && rule_path.len() > expected_path.len() {
                    // Sub-paths are not allowed for effects - they must be exact matches only
                    // This prevents effect rules from being defined at deeper nested paths
                    let all_effect_names: Vec<String> =
                        target.effects.keys().map(|k| k.to_string()).collect();
                    let formatted_names = format_effect_names(&all_effect_names);
                    return Err(TargetCompileError::NoEffectRules {
                        target_name: target.name.to_string().into(),
                        package: package.to_string().into(),
                        effect_names: formatted_names.as_str().into(),
                    });
                }
            }

            // Disallow sub-paths for effects in default_rules.
            for rule_path in interpreter.compiled_policy.default_rules.keys() {
                if rule_path.starts_with(&expected_path) && rule_path.len() > expected_path.len() {
                    // Sub-paths are not allowed for effects - they must be exact matches only
                    let all_effect_names: Vec<String> =
                        target.effects.keys().map(|k| k.to_string()).collect();
                    let formatted_names = format_effect_names(&all_effect_names);
                    return Err(TargetCompileError::NoEffectRules {
                        target_name: target.name.to_string().into(),
                        package: package.to_string().into(),
                        effect_names: formatted_names.as_str().into(),
                    });
                }
            }

            // Check if rules exist at the expected path or any sub-path
            let mut has_rules = false;

            // Check for exact match in rules
            if let Some(rules) = interpreter.compiled_policy.rules.get(&expected_path) {
                if !rules.is_empty() {
                    has_rules = true;
                }
            }

            // Check for exact match in default_rules
            if !has_rules {
                if let Some(default_rules) = interpreter
                    .compiled_policy
                    .default_rules
                    .get(&expected_path)
                {
                    if !default_rules.is_empty() {
                        has_rules = true;
                    }
                }
            }

            if has_rules {
                effects_with_rules.push(effect_name.clone());
            }
        }

        // Ensure exactly one effect has rules defined
        match effects_with_rules.len() {
            0 => {
                let all_effect_names: Vec<String> =
                    target.effects.keys().map(|k| k.to_string()).collect();
                let formatted_names = format_effect_names(&all_effect_names);
                return Err(TargetCompileError::NoEffectRules {
                    target_name: target.name.to_string().into(),
                    package: package.to_string().into(),
                    effect_names: formatted_names.as_str().into(),
                });
            }
            1 => {
                // Exactly one effect has rules - this is correct
                // Update the target info with the correct effect schema
                let effect_name = &effects_with_rules[0];
                let effect_schema = match target.effects.get(effect_name) {
                    Some(schema) => schema.clone(),
                    None => {
                        // This should not happen since we got the effect_name from target.effects.keys()
                        return Err(TargetCompileError::TargetNotFound(
                            format!(
                                "Effect '{}' not found in target '{}'",
                                effect_name, target.name
                            )
                            .as_str()
                            .into(),
                        ));
                    }
                };

                // Update the target info with the correct effect schema, name, and path
                let expected_path = format!("data.{}.{}", package, effect_name);
                if let Some(ref mut target_info_mut) = interpreter.compiled_policy_mut().target_info
                {
                    target_info_mut.effect_schema = effect_schema;
                    target_info_mut.effect_name = effect_name.as_ref().into();
                    target_info_mut.effect_path = expected_path.as_str().into();
                }
            }
            _ => {
                return Err(TargetCompileError::MultipleEffectRules {
                    target_name: target.name.to_string().into(),
                    effect_names: effects_with_rules.join(", ").as_str().into(),
                    path: package.to_string().into(),
                });
            }
        }
    }

    Ok(())
}

pub fn resolve_and_apply_target(interpreter: &mut Interpreter) -> Result<(), TargetCompileError> {
    // Resolve the target first
    resolve_target(interpreter)?;

    // Then resolve the effect
    resolve_effect(interpreter)?;

    Ok(())
}