Add entity properties to rego evaluation context.

This change adds the entity's properties as defined by the provider to the REGO evaluation context, making it possible to use them as arguments to e.g. data sources.
mindersec · Dec 17, 2024 · c9876e4 · c9876e4
1 parent 4a53a45
commit c9876e4
Showing 1 changed file with 28 additions and 2 deletions.
diff --git a/internal/engine/eval/rego/eval.go b/internal/engine/eval/rego/eval.go
@@ -14,6 +14,7 @@ import (
 	"google.golang.org/protobuf/reflect/protoreflect"
 
 	eoptions "github.com/mindersec/minder/internal/engine/options"
+	pbinternal "github.com/mindersec/minder/internal/proto"
 	minderv1 "github.com/mindersec/minder/pkg/api/protobuf/go/minder/v1"
 	v1datasources "github.com/mindersec/minder/pkg/datasources/v1"
 	"github.com/mindersec/minder/pkg/engine/v1/interfaces"
@@ -49,6 +50,9 @@ type Input struct {
 	Profile map[string]any `json:"profile"`
 	// Ingested is the values set for the ingested data
 	Ingested any `json:"ingested"`
+	// Properties contains the entity's properties as defined by
+	// the provider
+	Properties any `json:"properties"`
 	// OutputFormat is the format to output violations in
 	OutputFormat ConstraintsViolationsFormat `json:"output_format"`
 }
@@ -134,14 +138,36 @@ func (e *Evaluator) Eval(
 		return nil, fmt.Errorf("could not prepare Rego: %w", err)
 	}
 
-	rs, err := pq.Eval(ctx, rego.EvalInput(&Input{
+	input := &Input{
 		Profile:      pol,
 		Ingested:     obj,
 		OutputFormat: e.cfg.ViolationFormat,
-	}))
+	}
+
+	enrichInputWithEntityProps(input, entity)
+	rs, err := pq.Eval(ctx, rego.EvalInput(input))
 	if err != nil {
 		return nil, fmt.Errorf("error evaluating profile. Might be wrong input: %w", err)
 	}
 
 	return e.reseval.parseResult(rs, entity)
 }
+
+func enrichInputWithEntityProps(
+	input *Input,
+	entity protoreflect.ProtoMessage,
+) {
+	switch entity := entity.(type) {
+	case *minderv1.Repository:
+		input.Properties = entity.Properties
+	case *pbinternal.PullRequest:
+		input.Properties = entity.Properties
+	case *minderv1.Artifact:
+		// TODO add properties to artifacts as well
+		// input.Properties = entity.Properties
+	default:
+		// We gracefully handle nils here to make testing
+		// easier. Also, if not entity is provided, there's
+		// not much we can add.
+	}
+}