Added Rule: Disallow import rego.v1#1778
Added Rule: Disallow import rego.v1#1778charlieegan3 merged 4 commits intoopen-policy-agent:mainfrom
Conversation
SeanLedford
force-pushed
the
s_ledford/rule-disallow-import-rego-v1
branch
from
774b0c1 to
d7b4d58
Compare
anderseknert
left a comment
anderseknert
left a comment
There was a problem hiding this comment.
A solid start 👏 There doesn't seem to be any documentation included for this rule, but that should be a pretty quick fix given how it's pretty obvious what it does. Left a few comments, but this is an excellent start.
| @@ -0,0 +1,31 @@ | |||
| # METADATA | |||
| # description: Use `import rego.v1` | |||
There was a problem hiding this comment.
This should probably be "Use of disallowed import rego.v1"
| confusing-alias: | ||
| level: error | ||
| disallow-rego-v1: | ||
| level: error |
There was a problem hiding this comment.
All good, but even if this pertains to imports, this rule should be in the custom category, where all optional rules are placed.
| notices contains result.notice(rego.metadata.chain()) if { | ||
| capabilities.is_opa_v1 | ||
| input.regal.file.rego_version != "v0" | ||
| } |
There was a problem hiding this comment.
I believe the notices can be removed for this rule, as enabling it manually assumes someone is running with a version of OPA at 1.0 or above.
| } | ||
|
|
||
| report contains violation if { | ||
| capabilities.is_opa_v1 |
e2e/cli_test.go
Outdated
| "file-length", | ||
| "rule-named-if", | ||
| "use-rego-v1", | ||
| "disallow-rego-v1", |
There was a problem hiding this comment.
The changes in this file are likely not needed once it's moved to the custom category.
|
Oh, I forgot! Once this rule is in the custom category — let's also enable it in our own linter configuration: https://github.com/open-policy-agent/regal/blob/main/.regal/config.yaml No better way to test our rules than to use them ourselves :) |
SeanLedford
force-pushed
the
s_ledford/rule-disallow-import-rego-v1
branch
3 times, most recently
from
555367b to
bbac31f
Compare
anderseknert
left a comment
anderseknert
left a comment
There was a problem hiding this comment.
Awesome! Thanks a lot @SeanLedford 👏 Nothing blocking, but some comments to consider. Great work, and impressive how quickly you got here considering that not only is this a new code base for you, but one that involves a new language. Awesome!
Let me know when you have had a chance to read and consider my last comments.
(And btw, sorry for the delay in reviewing this. Had some non-work issues to deal on Friday :/ )
| rules: | ||
| custom: | ||
| disallow-rego-v1: | ||
| level: error |
|
|
||
| foo if not bar | ||
| `) | ||
| with capabilities.is_opa_v1 as true |
There was a problem hiding this comment.
We no longer check the capabilities in the rule, so this can be removed. But no big deal 🙂
|
|
||
| This rule is intended to be enabled for projects that have been configured to target versions of OPA from 1.0 | ||
| onwards, but Regal does not explicitly check which version of OPA is being targeted for this rule. If working | ||
| with older versions of OPA and Rego, ensure that this rule is disabled. |
There was a problem hiding this comment.
ensure that this rule is disabled
Since this is the default, perhaps we can just say "you probably don't want to enable this rule".
(Unrelated to that, but what's up with the 1-space indentation on the 2 lines above? 😄)
|
|
||
| ## Related Resources | ||
|
|
||
| - GitHub: [Source Code](https://github.com/open-policy-agent/regal/blob/main/bundle/regal/rules/custom/disallow-rego-v1/disallow_rego_v1.rego) |
|
|
||
| policy := `package p | ||
|
|
||
| import rego.v1 |
|
|
||
| foo if not bar | ||
| `) | ||
| with capabilities.is_opa_v1 as true |
Signed-off-by: Sean Ledford <s_ledford@apple.com>
Signed-off-by: Sean Ledford <s_ledford@apple.com>
Signed-off-by: Sean Ledford <s_ledford@apple.com>
SeanLedford
force-pushed
the
s_ledford/rule-disallow-import-rego-v1
branch
2 times, most recently
from
287448e to
24030da
Compare
| @@ -0,0 +1,23 @@ | |||
| # disallow-rego-v1 | |||
|
|
|||
| **Summary**: Disallow `import rego v1` | |||
There was a problem hiding this comment.
| **Summary**: Disallow `import rego v1` | |
| **Summary**: Use of disallowed `import rego v1` |
I think the rules are generally named about what the use has done wrong, so it reads well when they see it in their editors, etc.
Signed-off-by: Sean Ledford <s_ledford@apple.com>
SeanLedford
force-pushed
the
s_ledford/rule-disallow-import-rego-v1
branch
from
24030da to
bef5faf
Compare
3 participants
Added an import rule to address the following issue!
Added necessary coverage as well. Would like to review e2e test changes before merging 😄