RFD for Linter

[flyinghermit]

RFD 2 - Linter

(Reserving RFD 1 for https://github.com/gravitational/predicate-lang/issues/53)

Rendered file

[xacrimon]

This looks good to me but I also haven't yet worked out any strong opinion on how this should work precisely. So at least wait for input from @klizhentas too as he may have a somewhat more fleshed out opinion on this.

[flyinghermit]

@klizhentas friendly ping for review 👀

[flyinghermit]

@klizhentas, currently, the no_allow rule describing AccessNode(User.name == "root") will not match AccessNode(User.name == "root" | User.name == "alice") because we are using the z3 equivalent query.

The pros of equivalent query are:

• Variation detection: Given a rule describing AccessNode(User.name == "root" | User.name == "alice") we can match the variation AccessNode(User.name == "alice" | User.name == "root" ) as well.
• Conditional blacklisting: Forbid usage of certain names/traits only under certain condition. E.g. admin wants to forbid root access to production db AccessNode((Node.labels["env"] == "prod") & (User.name == "root")) but its okay for staging server like AccessNode((Node.labels["env"] == "stage") & (User.name == "root")). no_allow will not flag the later.

But down the line, I think to support direct match (like search in string?) as well as this will let to forbid usage of certain usernames or groups altogether, no matter how the rule is defined. E.g. given the rule User.name == "root", match AccessNode(User.name == "root" | User.name == "alice").