diff --git a/plugins/logs/plugin_test.go b/plugins/logs/plugin_test.go
index e5a73dd0d8..d904205811 100644
--- a/plugins/logs/plugin_test.go
+++ b/plugins/logs/plugin_test.go
@@ -1872,7 +1872,8 @@ func TestPluginMasking(t *testing.T) {
 note: "simple erase (with body true)",
 rawPolicy: []byte(`
 package system.log
- mask["/input/password"] {
+ import rego.v1
+ mask contains "/input/password" if {
 input.input.is_sensitive
 }`),
 expErased: []string{"/input/password"},
@@ -1888,7 +1889,8 @@ func TestPluginMasking(t *testing.T) {
 note: "simple erase (with body true, plugin reconfigured)",
 rawPolicy: []byte(`
 package system.log
- mask["/input/password"] {
+ import rego.v1
+ mask contains "/input/password" if {
 input.input.is_sensitive
 }`),
 expErased: []string{"/input/password"},
@@ -1905,7 +1907,8 @@ func TestPluginMasking(t *testing.T) {
 note: "simple upsert (with body true)",
 rawPolicy: []byte(`
 package system.log
- mask[{"op": "upsert", "path": "/input/password", "value": x}] {
+ import rego.v1
+ mask contains {"op": "upsert", "path": "/input/password", "value": x} if {
 input.input.password
 x := "**REDACTED**"
 }`),
@@ -1923,7 +1926,8 @@ func TestPluginMasking(t *testing.T) {
 note: "remove even with value set in rule body",
 rawPolicy: []byte(`
 package system.log
- mask[{"op": "remove", "path": "/input/password", "value": x}] {
+ import rego.v1
+ mask contains {"op": "remove", "path": "/input/password", "value": x} if {
 input.input.password
 x := "**REDACTED**"
 }`),
@@ -1940,7 +1944,8 @@ func TestPluginMasking(t *testing.T) {
 note: "remove when value not defined",
 rawPolicy: []byte(`
 package system.log
- mask[{"op": "remove", "path": "/input/password"}] {
+ import rego.v1
+ mask contains {"op": "remove", "path": "/input/password"} if {
 input.input.password
 }`),
 expErased: []string{"/input/password"},
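Review bot: With `import rego.v1` added to every fixture in TestPluginMasking, starting at the "simple erase (with body true)" case and repeated in the hunks at 1888, 1905, 1923 and 1940, none of the visible masking cases still exercises the older `mask["/input/password"] { ... }` rule form. If the plugin is still expected to load policies written that way (not determinable from this diff), a regression in how those rules are compiled or evaluated could leave `/input/password` unredacted in decision logs without any test failing. Keeping one table entry in the old form, for example a case noted as "simple erase (legacy syntax)" whose policy keeps `mask["/input/password"] {`, would pin that path. The table and the assertions that consume it lie outside these hunks.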
@@ -1956,10 +1961,11 @@ func TestPluginMasking(t *testing.T) { note: "remove when value not defined in rule body", rawPolicy: []byte(` package system.log - mask[{"op": "remove", "path": "/input/password", "value": x}] { + import rego.v1 + mask contains {"op": "remove", "path": "/input/password", "value": x} if { input.input.password }`), - errManager: fmt.Errorf("1 error occurred: test.rego:3: rego_unsafe_var_error: var x is unsafe"), + errManager: fmt.Errorf("1 error occurred: test.rego:4: rego_unsafe_var_error: var x is unsafe"), }, { note: "simple erase - no match", @@ -1981,7 +1987,8 @@ func TestPluginMasking(t *testing.T) { note: "complex upsert - object key", rawPolicy: []byte(` package system.log - mask[{"op": "upsert", "path": "/input/foo", "value": x}] { + import rego.v1 + mask contains {"op": "upsert", "path": "/input/foo", "value": x} if { input.input.foo x := [ {"nabs": 1} @@ -2025,12 +2032,14 @@ func TestPluginMasking(t *testing.T) { rawPolicy: []byte(` package system.log - mask["/input/password"] { + import rego.v1 + + mask contains "/input/password" if { input.input.is_sensitive } # invalidate JWT signature - mask[{"op": "upsert", "path": "/input/jwt", "value": x}] { + mask contains {"op": "upsert", "path": "/input/jwt", "value": x} if { input.input.jwt # split jwt string @@ -2045,7 +2054,7 @@ func TestPluginMasking(t *testing.T) { } - mask[{"op": "upsert", "path": "/input/foo", "value": x}] { + mask contains {"op": "upsert", "path": "/input/foo", "value": x} if { input.input.foo x := [ {"changed": 1} @@ -2069,7 +2078,8 @@ func TestPluginMasking(t *testing.T) { note: "print() works", rawPolicy: []byte(` package system.log - mask["/input/password"] { + import rego.v1 + mask contains "/input/password" if { print("Erasing /input/password") input.input.is_sensitive }`), 
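Review bot: The expected error in the "remove when value not defined in rule body" case pins the source position `test.rego:4`, and it had to change here only because the fixture gained an import line. What the case protects is that a mask rule with an unsafe `value` variable is rejected when the policy is loaded, so asserting on `rego_unsafe_var_error` would be less brittle, assuming the comparison (outside the hunk) can be loosened. If the full string has to stay, a comment such as `// line 4 = the mask rule head, after the package and import lines` on the `errManager` line would explain the number.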
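Review bot: The `# invalidate JWT signature` rule in the multi-rule fixture (hunk at 2025) upserts `/input/jwt`, and its comment suggests that only the signature segment is replaced; the rule body continues outside the hunk, so this is inferred. If so, the token's header and claims are still written to the decision log, and claims often carry user identifiers or other personal data. Because a fixture like this may be copied into a real `system.log` policy, a policy comment such as `# only the signature is replaced; header and claims are still logged` would make that limitation explicit.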
@@ -2087,7 +2097,8 @@ func TestPluginMasking(t *testing.T) { note: "simple upsert on nd_builtin_cache", rawPolicy: []byte(` package system.log - mask[{"op": "upsert", "path": "/nd_builtin_cache/rand.intn", "value": x}] { + import rego.v1 + mask contains {"op": "upsert", "path": "/nd_builtin_cache/rand.intn", "value": x} if { input.nd_builtin_cache["rand.intn"] x := "**REDACTED**" }`), @@ -2104,12 +2115,13 @@ func TestPluginMasking(t *testing.T) { note: "simple upsert on nd_builtin_cache with multiple entries", rawPolicy: []byte(` package system.log - mask[{"op": "upsert", "path": "/nd_builtin_cache/rand.intn", "value": x}] { + import rego.v1 + mask contains {"op": "upsert", "path": "/nd_builtin_cache/rand.intn", "value": x} if { input.nd_builtin_cache["rand.intn"] x := "**REDACTED**" } - mask[{"op": "upsert", "path": "/nd_builtin_cache/net.lookup_ip_addr", "value": y}] { + mask contains {"op": "upsert", "path": "/nd_builtin_cache/net.lookup_ip_addr", "value": y} if { obj := input.nd_builtin_cache["net.lookup_ip_addr"] y := object.union({k: "4.4.x.x" | obj[k]; startswith(k, "[\"4.4.")}, {k: obj[k] | obj[k]; not startswith(k, "[\"4.4.")}) @@ -2269,7 +2281,8 @@ func TestPluginDrop(t *testing.T) { note: "simple drop", rawPolicy: []byte(` package system.log - drop { + import rego.v1 + drop if { endswith(input.path, "bar") }`), event: &EventV1{Path: "foo/bar"}, @@ -2280,7 +2293,8 @@ func TestPluginDrop(t *testing.T) { note: "no drop", rawPolicy: []byte(` package system.log - drop { + import rego.v1 + drop if { endswith(input.path, "bar") }`), event: &EventV1{Path: "foo/foo"}, @@ -2353,7 +2367,8 @@ func TestPluginDrop(t *testing.T) { func TestPluginMaskErrorHandling(t *testing.T) { rawPolicy := []byte(` package system.log - drop { + import rego.v1 + drop if { endswith(input.path, "bar") }`) event := &EventV1{Path: "foo/bar"} 
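Review bot: The fixture in TestPluginMaskErrorHandling (hunk at 2353) defines only a `drop` rule and is identical to the one in TestPluginDropErrorHandling (hunk at 2426), so nothing in the policy itself shows where the mask error under test comes from. Both function bodies continue outside the hunks, so the failure is presumably produced elsewhere. A one-line comment above `rawPolicy` stating how the mask failure is induced would help a reader confirm that a masking failure cannot result in an unmasked event being logged. The same policy text also appears in the two TestPluginDrop cases (hunks at 2269 and 2280) and could be a shared constant.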
@@ -2426,7 +2441,8 @@ func TestPluginMaskErrorHandling(t *testing.T) {
 func TestPluginDropErrorHandling(t *testing.T) {
 rawPolicy := []byte(`
 package system.log
- drop {
+ import rego.v1
+ drop if {
 endswith(input.path, "bar")
 }`)
 event := &EventV1{Path: "foo/bar"}