-
Notifications
You must be signed in to change notification settings - Fork 35
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Also in this PR is a slight change of behavior, where variables found in comprehension heads are no longer treated as assigned. This as they _aren't_, and the assignment happens in the comprehension body (or outside the comprehension). This change will uncover a few more `use-some-for-output-vars` issues in policy, which was also fixed as part of this PR. Fixes #823 Signed-off-by: Anders Eknert <[email protected]>
- Loading branch information
1 parent
7773c3c
commit b7c7385
Showing
10 changed files
with
120 additions
and
23 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# METADATA | ||
# description: Variable name shadows built-in | ||
package regal.rules.bugs["var-shadows-builtin"] | ||
|
||
import rego.v1 | ||
|
||
import data.regal.ast | ||
import data.regal.result | ||
|
||
report contains violation if { | ||
var := ast.vars[_][_][_] | ||
|
||
var.value in ast.builtin_namespaces | ||
|
||
violation := result.fail(rego.metadata.chain(), result.location(var)) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
package regal.rules.bugs["var-shadows-builtin_test"] | ||
|
||
import rego.v1 | ||
|
||
import data.regal.ast | ||
import data.regal.capabilities | ||
import data.regal.config | ||
|
||
import data.regal.rules.bugs["var-shadows-builtin"] as rule | ||
|
||
test_fail_var_shadows_builtin if { | ||
module := ast.with_rego_v1(`allow if http := "yes"`) | ||
|
||
r := rule.report with input as module with data.internal.combined_config as {"capabilities": capabilities.provided} | ||
r == {{ | ||
"category": "bugs", | ||
"description": "Variable name shadows built-in", | ||
"level": "error", | ||
"location": {"col": 10, "file": "policy.rego", "row": 5, "text": "allow if http := \"yes\""}, | ||
"related_resources": [{ | ||
"description": "documentation", | ||
"ref": config.docs.resolve_url("$baseUrl/$category/var-shadows-builtin", "bugs"), | ||
}], | ||
"title": "var-shadows-builtin", | ||
}} | ||
} | ||
|
||
test_success_var_does_not_shadow_builtin if { | ||
module := ast.with_rego_v1(`allow if answer := "yes"`) | ||
|
||
r := rule.report with input as module with data.internal.combined_config as {"capabilities": capabilities.provided} | ||
r == set() | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
# var-shadows-builtin | ||
|
||
**Summary**: Variable shadows built-in | ||
|
||
**Category**: Bugs | ||
|
||
**Avoid** | ||
```rego | ||
package policy | ||
import rego.v1 | ||
# variable `http` shadows `http.send` built-in function | ||
allow if { | ||
http := startswith(input.url, "https://") | ||
# do something with http | ||
} | ||
``` | ||
|
||
**Prefer** | ||
```rego | ||
package policy | ||
import rego.v1 | ||
# variable `is_http` doesn't shadow any built-in function | ||
allow if { | ||
is_http := startswith(input.url, "https://") | ||
# do something with is_http | ||
} | ||
``` | ||
|
||
## Rationale | ||
|
||
Using the name of built-in functions or operators as variable names can lead to confusion and unexpected behavior. | ||
A variable that shadows a built-in function (or the namespace of a function, like `http` in `http.send`) prevents any | ||
function in that namespace to be used later in the rule. Avoid this! | ||
|
||
## Configuration Options | ||
|
||
This linter rule provides the following configuration options: | ||
|
||
```yaml | ||
rules: | ||
bugs: | ||
var-shadows-builtin: | ||
# one of "error", "warning", "ignore" | ||
level: error | ||
``` | ||
## Related Resources | ||
- OPA Docs: [Built-in Functions](https://www.openpolicyagent.org/docs/latest/policy-reference/#built-in-functions) | ||
- OPA Repo: [builtin_metadata.json](https://github.com/open-policy-agent/opa/blob/main/builtin_metadata.json) | ||
- Regal Docs: [rule-shadows-builting](https://docs.styra.com/regal/rules/bugs/rule-shadows-builtin) | ||
## Community | ||
If you think you've found a problem with this rule or its documentation, would like to suggest improvements, new rules, | ||
or just talk about Regal in general, please join us in the `#regal` channel in the Styra Community | ||
[Slack](https://communityinviter.com/apps/styracommunity/signup)! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters