rego-v1: Future-proofing logs pkg tests to be 1.0 compatible (#7042)
Signed-off-by: Johan Fylling <[email protected]>
johanfylling authored Sep 19, 2024
1 parent 1f3bf1c commit 0ccf63c
Showing 1 changed file with 35 additions and 19 deletions.
54 changes: 35 additions & 19 deletions plugins/logs/plugin_test.go
Expand Up @@ -1872,7 +1872,8 @@ func TestPluginMasking(t *testing.T) {
note: "simple erase (with body true)",
rawPolicy: []byte(`
package system.log
mask["/input/password"] {
import rego.v1
mask contains "/input/password" if {
input.input.is_sensitive
}`),
expErased: []string{"/input/password"},
Expand All @@ -1888,7 +1889,8 @@ func TestPluginMasking(t *testing.T) {
note: "simple erase (with body true, plugin reconfigured)",
rawPolicy: []byte(`
package system.log
mask["/input/password"] {
import rego.v1
mask contains "/input/password" if {
input.input.is_sensitive
}`),
expErased: []string{"/input/password"},
Expand All @@ -1905,7 +1907,8 @@ func TestPluginMasking(t *testing.T) {
note: "simple upsert (with body true)",
rawPolicy: []byte(`
package system.log
mask[{"op": "upsert", "path": "/input/password", "value": x}] {
import rego.v1
mask contains {"op": "upsert", "path": "/input/password", "value": x} if {
input.input.password
x := "**REDACTED**"
}`),
Expand All @@ -1923,7 +1926,8 @@ func TestPluginMasking(t *testing.T) {
note: "remove even with value set in rule body",
rawPolicy: []byte(`
package system.log
mask[{"op": "remove", "path": "/input/password", "value": x}] {
import rego.v1
mask contains {"op": "remove", "path": "/input/password", "value": x} if {
input.input.password
x := "**REDACTED**"
}`),
Expand All @@ -1940,7 +1944,8 @@ func TestPluginMasking(t *testing.T) {
note: "remove when value not defined",
rawPolicy: []byte(`
package system.log
mask[{"op": "remove", "path": "/input/password"}] {
import rego.v1
mask contains {"op": "remove", "path": "/input/password"} if {
input.input.password
}`),
expErased: []string{"/input/password"},
Expand All @@ -1956,10 +1961,11 @@ func TestPluginMasking(t *testing.T) {
note: "remove when value not defined in rule body",
rawPolicy: []byte(`
package system.log
mask[{"op": "remove", "path": "/input/password", "value": x}] {
import rego.v1
mask contains {"op": "remove", "path": "/input/password", "value": x} if {
input.input.password
}`),
errManager: fmt.Errorf("1 error occurred: test.rego:3: rego_unsafe_var_error: var x is unsafe"),
errManager: fmt.Errorf("1 error occurred: test.rego:4: rego_unsafe_var_error: var x is unsafe"),
},
{
note: "simple erase - no match",
Expand All @@ -1981,7 +1987,8 @@ func TestPluginMasking(t *testing.T) {
note: "complex upsert - object key",
rawPolicy: []byte(`
package system.log
mask[{"op": "upsert", "path": "/input/foo", "value": x}] {
import rego.v1
mask contains {"op": "upsert", "path": "/input/foo", "value": x} if {
input.input.foo
x := [
{"nabs": 1}
Expand Down Expand Up @@ -2025,12 +2032,14 @@ func TestPluginMasking(t *testing.T) {
rawPolicy: []byte(`
package system.log
mask["/input/password"] {
import rego.v1
mask contains "/input/password" if {
input.input.is_sensitive
}
# invalidate JWT signature
mask[{"op": "upsert", "path": "/input/jwt", "value": x}] {
mask contains {"op": "upsert", "path": "/input/jwt", "value": x} if {
input.input.jwt
# split jwt string
Expand All @@ -2045,7 +2054,7 @@ func TestPluginMasking(t *testing.T) {
}
mask[{"op": "upsert", "path": "/input/foo", "value": x}] {
mask contains {"op": "upsert", "path": "/input/foo", "value": x} if {
input.input.foo
x := [
{"changed": 1}
Expand All @@ -2069,7 +2078,8 @@ func TestPluginMasking(t *testing.T) {
note: "print() works",
rawPolicy: []byte(`
package system.log
mask["/input/password"] {
import rego.v1
mask contains "/input/password" if {
print("Erasing /input/password")
input.input.is_sensitive
}`),
Expand All @@ -2087,7 +2097,8 @@ func TestPluginMasking(t *testing.T) {
note: "simple upsert on nd_builtin_cache",
rawPolicy: []byte(`
package system.log
mask[{"op": "upsert", "path": "/nd_builtin_cache/rand.intn", "value": x}] {
import rego.v1
mask contains {"op": "upsert", "path": "/nd_builtin_cache/rand.intn", "value": x} if {
input.nd_builtin_cache["rand.intn"]
x := "**REDACTED**"
}`),
Expand All @@ -2104,12 +2115,13 @@ func TestPluginMasking(t *testing.T) {
note: "simple upsert on nd_builtin_cache with multiple entries",
rawPolicy: []byte(`
package system.log
mask[{"op": "upsert", "path": "/nd_builtin_cache/rand.intn", "value": x}] {
import rego.v1
mask contains {"op": "upsert", "path": "/nd_builtin_cache/rand.intn", "value": x} if {
input.nd_builtin_cache["rand.intn"]
x := "**REDACTED**"
}
mask[{"op": "upsert", "path": "/nd_builtin_cache/net.lookup_ip_addr", "value": y}] {
mask contains {"op": "upsert", "path": "/nd_builtin_cache/net.lookup_ip_addr", "value": y} if {
obj := input.nd_builtin_cache["net.lookup_ip_addr"]
y := object.union({k: "4.4.x.x" | obj[k]; startswith(k, "[\"4.4.")},
{k: obj[k] | obj[k]; not startswith(k, "[\"4.4.")})
Expand Down Expand Up @@ -2269,7 +2281,8 @@ func TestPluginDrop(t *testing.T) {
note: "simple drop",
rawPolicy: []byte(`
package system.log
drop {
import rego.v1
drop if {
endswith(input.path, "bar")
}`),
event: &EventV1{Path: "foo/bar"},
Expand All @@ -2280,7 +2293,8 @@ func TestPluginDrop(t *testing.T) {
note: "no drop",
rawPolicy: []byte(`
package system.log
drop {
import rego.v1
drop if {
endswith(input.path, "bar")
}`),
event: &EventV1{Path: "foo/foo"},
Expand Down Expand Up @@ -2353,7 +2367,8 @@ func TestPluginDrop(t *testing.T) {
func TestPluginMaskErrorHandling(t *testing.T) {
rawPolicy := []byte(`
package system.log
drop {
import rego.v1
drop if {
endswith(input.path, "bar")
}`)
event := &EventV1{Path: "foo/bar"}
Expand Down Expand Up @@ -2426,7 +2441,8 @@ func TestPluginMaskErrorHandling(t *testing.T) {
func TestPluginDropErrorHandling(t *testing.T) {
rawPolicy := []byte(`
package system.log
drop {
import rego.v1
drop if {
endswith(input.path, "bar")
}`)
event := &EventV1{Path: "foo/bar"}
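Review bot: The `remove when value not defined in rule body` case in TestPluginMasking pins the full compiler message including the policy line number, and this commit had to bump it from `test.rego:3` to `test.rego:4` only because `import rego.v1` was inserted above the rule. Any later edit to that fixture's header will break the expectation again without the masking behaviour changing. If the comparison in the test body (outside the visible hunks) allows it, assert on the stable part instead, for example that the error text contains `rego_unsafe_var_error: var x is unsafe`. Separately, the fixtures are rewritten in place rather than duplicated, so the visible mask and drop cases no longer exercise the pre-1.0 rule syntax. These cases guard redaction of `/input/password` and the JWT in decision logs, so keeping one case in the old syntax may be worthwhile for as long as that syntax is still accepted.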