open-policy-agent / conftest

Write tests against structured configuration data using the Open Policy Agent Rego query language
https://conftest.dev

Rego policy with ExternalData Provider : undefined function external_data #854

Open adriil opened 1 year ago

adriil commented 1 year ago

Hi team,

I have a policy that uses the external_data built-in function, but the compilation fails with undefined function external_data:

docker run --rm -v "${BASE}:/policies" "${CONFTEST_IMAGE}:v0.44.1" verify --report notes -p /policies/policy -d /policies/data

Error: running verification: load: loading policies: get compiler: 1 error occurred: /policies/policy/kubernetes/enforcesignedimage/policy.rego:28: rego_type_error: undefined function external_data
make: *** [conftest-test] Error 1

```rego
import data.lib.kubernetes

# the package declaration and `containers` sit earlier in the posted file (snippet is partial)

violation[{"msg": msg}] {
	# build a list of keys containing images
	images := [img | img := containers[_].image]
	count(images) > 0

	# send external data request
	response := external_data({"provider": "my-provider", "keys": images})

	response_with_error(response)
	msg := sprintf("Issue from provider : %v", [response])
}

response_with_error(response) { count(response.errors) > 0 }

response_with_error(response) { count(response.system_error) > 0 }
```

Does `conftest` support `external_data`, or can we only use this along with Gatekeeper? I understand that the actual call can't be done and will need to be mocked, but at least having the function recognised would help.

Thanks,
Adrien
boranx commented 1 year ago

Hi, thanks for reporting the issue

At first glance, this built-in is implemented for gatekeeper's internals: https://open-policy-agent.github.io/gatekeeper/website/docs/externaldata/#motivation. Similar to external_data's functionality in gatekeeper, we could lean on OPA's http.send in Conftest and manually download/upload artifacts using http calls (it'd be supported by default, as long as it's not restricted via capabilities)

Nevertheless, if it's a must/nice-to-have requirement, then we could consider either adding this to Conftest built-ins: https://github.com/open-policy-agent/conftest/tree/master/builtins OR sending the built-in from gatekeeper to OPA upstream in a way Conftest could inherit as well
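As an added example (not code from this issue or from the Conftest project), here is the http.send approach suggested above written out as a policy plus `conftest verify` tests. The provider call is mocked with `with http.send as ...`, so the tests compile and run offline and a provider outage is treated as a violation rather than silently passing. The package name, `data.provider.url` (the endpoint read from the `-d` data directory), the provider URL, the request and response shapes, and `input.spec.containers` as the container list are all assumptions for this example.

```rego
package kubernetes.enforcesignedimage

# Provider endpoint read from the data directory (conftest -d), e.g. a
# data/provider.yaml containing "url: https://provider.example/validate".
# The data.provider.url path is an assumption for this example.
provider_url := data.provider.url

# Images used by the workload; input.spec.containers is the container list of
# a plain Pod manifest (an assumption; the issue's file took them from lib.kubernetes).
images := [img | img := input.spec.containers[_].image]

violation[{"msg": msg}] {
	count(images) > 0
	response := provider_response(images)
	response_with_error(response)
	msg := sprintf("Issue from provider : %v", [response])
}

# Same request/response shape as Gatekeeper's external_data, but sent with
# http.send, which Conftest's compiler knows. raise_error:false turns network
# failures into a response object instead of aborting evaluation; that error
# text is surfaced as system_error so the policy fails closed.
provider_response(keys) := resp {
	raw := http.send({
		"method": "POST",
		"url": provider_url,
		"headers": {"Content-Type": "application/json"},
		"body": {"keys": keys},
		"timeout": "5s",
		"raise_error": false,
	})
	body := object.get(raw, "body", {})
	resp := object.union(body, {"system_error": object.get(raw, "error", "")})
}

response_with_error(response) { count(response.errors) > 0 }

response_with_error(response) { count(response.system_error) > 0 }

# --- tests: picked up by `conftest verify -p <dir>`; http.send is mocked so
# nothing leaves the machine and no provider needs to be running.

mock_pod := {"spec": {"containers": [{"image": "nginx:latest"}]}}

mock_provider := {"url": "https://provider.example/validate"}

# constructed provider replies
mock_send_error(_) := {"status_code": 200, "body": {"errors": [["nginx:latest", "image is not signed"]]}}

mock_send_ok(_) := {"status_code": 200, "body": {"errors": []}}

mock_send_down(_) := {"status_code": 0, "error": "dial tcp: connection refused"}

test_unsigned_image_is_reported {
	count(violation) == 1 with input as mock_pod with data.provider as mock_provider with http.send as mock_send_error
}

test_signed_image_passes {
	count(violation) == 0 with input as mock_pod with data.provider as mock_provider with http.send as mock_send_ok
}

test_provider_outage_fails_closed {
	count(violation) == 1 with input as mock_pod with data.provider as mock_provider with http.send as mock_send_down
}
```

Mocking a built-in function with `with` needs an OPA new enough to support it (it is available in the OPA versions bundled with Conftest v0.44.x). If policies are evaluated with restricted capabilities, `http.send` must remain allowed for the real run, while the tests never reach the network.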

pedroapero commented 11 months ago

Hi, thanks for the hint @boranx. I stumbled upon the same with is_exempt() (part of each lib_exclude_update.rego file in the gatekeeper library).