Add entity properties to rego evaluation context.

This change adds the entity's properties as defined by the provider to the REGO evaluation context, making it possible to use them as arguments to e.g. data sources.
mindersec · Dec 17, 2024 · 1b1ea93 · 1b1ea93
1 parent 4a53a45
commit 1b1ea93
Showing 1 changed file with 35 additions and 2 deletions.
diff --git a/internal/engine/eval/rego/eval.go b/internal/engine/eval/rego/eval.go
@@ -14,6 +14,7 @@ import (
 	"google.golang.org/protobuf/reflect/protoreflect"
 
 	eoptions "github.com/mindersec/minder/internal/engine/options"
+	pbinternal "github.com/mindersec/minder/internal/proto"
 	minderv1 "github.com/mindersec/minder/pkg/api/protobuf/go/minder/v1"
 	v1datasources "github.com/mindersec/minder/pkg/datasources/v1"
 	"github.com/mindersec/minder/pkg/engine/v1/interfaces"
@@ -49,6 +50,9 @@ type Input struct {
 	Profile map[string]any `json:"profile"`
 	// Ingested is the values set for the ingested data
 	Ingested any `json:"ingested"`
+	// Properties contains the entity's properties as defined by
+	// the provider
+	Properties any `json:"properties"`
 	// OutputFormat is the format to output violations in
 	OutputFormat ConstraintsViolationsFormat `json:"output_format"`
 }
@@ -134,14 +138,43 @@ func (e *Evaluator) Eval(
 		return nil, fmt.Errorf("could not prepare Rego: %w", err)
 	}
 
-	rs, err := pq.Eval(ctx, rego.EvalInput(&Input{
+	input := &Input{
 		Profile:      pol,
 		Ingested:     obj,
 		OutputFormat: e.cfg.ViolationFormat,
-	}))
+	}
+
+	if err := enrichInputWithEntityProps(input, entity); err != nil {
+		return nil, fmt.Errorf("error adding properties to input: %w", err)
+	}
+
+	rs, err := pq.Eval(ctx, rego.EvalInput(input))
 	if err != nil {
 		return nil, fmt.Errorf("error evaluating profile. Might be wrong input: %w", err)
 	}
 
 	return e.reseval.parseResult(rs, entity)
 }
+
+func enrichInputWithEntityProps(
+	input *Input,
+	entity protoreflect.ProtoMessage,
+) error {
+	switch entity := entity.(type) {
+	case *minderv1.Repository:
+		input.Properties = entity.Properties
+		return nil
+	case *pbinternal.PullRequest:
+		input.Properties = entity.Properties
+		return nil
+	case *minderv1.Artifact:
+		// TODO add properties to artifacts as well
+		// input.Properties = entity.Properties
+		return nil
+	default:
+		// We gracefully handle nils here to make testing
+		// easier. Also, if not entity is provided, there's
+		// not much we can add.
+		return nil
+	}
+}