feat: Migrated Policy Pack engine to SDK repo

Author: Marco Franceschi

.eslintrc.json

@@ -1,5 +1,8 @@
 {
   "extends": [
     "@autocloud"
-  ]
+  ],
+  "rules": {
+    "no-plusplus": "off"
+  }
 }

jest.config.js

@@ -0,0 +1,7 @@
+/** @type {import('@ts-jest/dist/types').InitialOptionsTsJest} */
+module.exports = {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  testMatch: ['<rootDir>/tests/**/*.test.ts'],
+  testPathIgnorePatterns: ['<rootDir>/lib/', '<rootDir>/node_modules/'],
+}

package.json

@@ -15,13 +15,16 @@
   "scripts": {
     "build": "yarn prepublish",
     "prepublish": "npx tsc",
+    "test": "NODE_ENV=test jest",
     "lint": "eslint --config .eslintrc.json --ext .js,.ts ./",
     "lint:fix": "eslint --fix --config .eslintrc.json --ext .js,.ts ./"
   },
   "author": "AutoCloud",
   "license": "MPL-2.0",
   "dependencies": {
     "inquirer": "^8.1.2",
+    "jsonpath": "^1.1.1",
+    "lodash": "^4.17.21",
     "ora": "^5.4.1"
   },
   "devDependencies": {
@@ -30,6 +33,7 @@
     "@semantic-release/git": "^10.0.0",
     "@semantic-release/gitlab": "^7.0.3",
     "@semantic-release/npm": "^7.1.3",
+    "@types/jest": "^26.0.24",
     "@types/node": "^16.4.12",
     "@typescript-eslint/eslint-plugin": "^4.28.5",
     "@typescript-eslint/parser": "^4.28.5",
@@ -39,9 +43,11 @@
     "eslint-plugin-import": "^2.22.1",
     "eslint-plugin-prettier": "^3.4.0",
     "husky": "^4.3.0",
+    "jest": "^27.0.6",
     "lint-staged": "^11.1.1",
     "semantic-release": "^18.0.0",
-    "typescript": "^4.3.5"
+    "typescript": "^4.3.5",
+    "ts-jest": "^27.0.4"
   },
   "husky": {
     "hooks": {

src/index.ts

@@ -1,9 +1,11 @@
 import logger, { Logger } from './logger'
 import Client from './client'
+import RulesEngine from './rules-engine'
 import { Opts, Service, ServiceConnection, ProviderData } from './types'
 
 export type { Opts, Service, ServiceConnection, Logger, Client, ProviderData }
 export default {
   logger,
   Client,
+  RulesEngine,
 }

src/rules-engine/evaluators/default-evaluator.ts

@@ -0,0 +1,13 @@
+import { Rule, RuleResult } from '../types'
+import { RuleEvaluator } from './rule-evaluator'
+
+export default class DefaultEvaluator implements RuleEvaluator<Rule> {
+  canEvaluate(/* rule: Rule */): boolean {
+    return true
+  }
+
+  async evaluateSingleResource(/* rule: Rule, data: ResourceData */): Promise<RuleResult> {
+    // any resource captured by the query is considered as a match (and shall produce a failed finding)
+    return RuleResult.MATCHES
+  }
+}

src/rules-engine/evaluators/js-evaluator.ts

@@ -0,0 +1,15 @@
+import { JsRule, ResourceData, Rule, RuleResult } from '../types'
+import { RuleEvaluator } from './rule-evaluator'
+
+export default class JsEvaluator implements RuleEvaluator<JsRule> {
+  canEvaluate(rule: Rule | JsRule): boolean {
+    return 'check' in rule
+  }
+
+  async evaluateSingleResource(
+    rule: JsRule,
+    data: ResourceData
+  ): Promise<RuleResult> {
+    return rule.check!(data) ? RuleResult.MATCHES : RuleResult.DOESNT_MATCH
+  }
+}

src/rules-engine/evaluators/json-evaluator.ts

@@ -0,0 +1,139 @@
+import lodash from 'lodash'
+import {
+  Condition,
+  JsonRule,
+  Operator,
+  ResourceData,
+  RuleResult,
+  _ResourceData,
+} from '../types'
+import { RuleEvaluator } from './rule-evaluator'
+
+export default class JsonEvaluator implements RuleEvaluator<JsonRule> {
+  canEvaluate(rule: JsonRule): boolean {
+    return 'conditions' in rule
+  }
+
+  async evaluateSingleResource(
+    rule: JsonRule,
+    data: ResourceData
+  ): Promise<RuleResult> {
+    return this.evaluateCondition(rule.conditions, data)
+      ? RuleResult.MATCHES
+      : RuleResult.DOESNT_MATCH
+  }
+
+  calculatePath = (data: _ResourceData, _path: string) => {
+    let path = _path
+    if (path.indexOf('@') === 0) {
+      // @ means the curr resource, we replace by base path
+      path = path.replace('@', data.resourcePath).substr(2) // remove `$.`
+    }
+    if (path.indexOf('[*]') === 0 && data.elementPath) {
+      // @ means the curr resource, we replace by base path
+      path = path.replace('[*]', data.elementPath)
+    }
+    return path
+  }
+
+  resolvePath = (data: _ResourceData, path: string): any => {
+    return lodash.get(data.data, path)
+  }
+
+  operators: { [key: string]: Operator } = {
+    // eslint-disable-next-line eqeqeq
+    equal: (a, b) => a == b, // == is fine
+    notEqual: (a, b) => a !== b,
+    in: (a, b) => (b as any[]).indexOf(a) > -1,
+    notIn: (a, b) => (b as any[]).indexOf(a) === -1,
+    contains: (a, b) => a.indexOf(b) > -1,
+    doesNotContain: (a, b) => a.indexOf(b) === -1,
+    lessThan: (a, b) => a < b,
+    lessThanInclusive: (a, b) => a <= b,
+    greaterThan: (a, b) => a > b,
+    greaterThanInclusive: (a, b) => a >= b,
+
+    daysAgo: a =>
+      Math.trunc((Date.now() - new Date(a).getTime()) / (60 * 60 * 1000 * 24)), // @TODO use library
+
+    or: (_, conditions: Condition[], data) => {
+      for (let i = 0; i < conditions.length; i++) {
+        // if 1 is true, it's true
+        if (this.evaluateCondition(conditions[i], data)) return true
+      }
+      return false
+    },
+    and: (_, conditions: Condition[], data) => {
+      for (let i = 0; i < conditions.length; i++) {
+        // if 1 is false, it's false
+        if (!this.evaluateCondition(conditions[i], data)) return false
+      }
+      return true
+    },
+    array_all: (array, conditions: Condition, data) => {
+      // an AND, but with every resource item
+      const baseElementPath = data.elementPath
+
+      for (let i = 0; i < array.length; i++) {
+        if (
+          !this.evaluateCondition(conditions, {
+            ...data,
+            elementPath: `${baseElementPath}[${i}]`,
+          })
+        )
+          return false
+      }
+      return true
+    },
+    array_any: (array, conditions, data) => {
+      // an OR, but with every resource item
+
+      const baseElementPath = data.elementPath
+      for (let i = 0; i < array.length; i++) {
+        if (
+          this.evaluateCondition(conditions as Condition, {
+            ...data,
+            elementPath: `${baseElementPath}[${i}]`,
+          })
+        )
+          return true
+      }
+      return false
+    },
+  }
+
+  isCondition = (a: unknown): boolean =>
+    !!a && (a as any).constructor === Object
+
+  evaluateCondition(
+    _condition: Condition,
+    _data: _ResourceData
+  ): boolean | number {
+    const condition = { ..._condition }
+    const { path, value } = condition
+    delete condition.path
+    delete condition.value
+    // remaining field should be the op name
+    const op = Object.keys(condition)[0] //
+    const operator = this.operators[op]
+    const otherArgs = condition[op] // {[and]: xxx }
+    if (!op || !operator) {
+      throw new Error(`unrecognized operation${JSON.stringify(condition)}`)
+    }
+
+    const data = { ..._data }
+    let firstArg
+
+    if (path) {
+      const elementPath = this.calculatePath(data, path)
+      data.elementPath = elementPath
+      firstArg = this.resolvePath(data, elementPath)
+    } else if (this.isCondition(value)) {
+      firstArg = this.evaluateCondition(value as any, data)
+    } else {
+      firstArg = value
+    }
+    // console.log(operator, firstArg, otherArgs, data)
+    return operator(firstArg, otherArgs, data)
+  }
+}

src/rules-engine/evaluators/rule-evaluator.ts

@@ -0,0 +1,7 @@
+import { ResourceData, Rule, RuleResult } from '../types'
+
+export interface RuleEvaluator<K extends Rule> {
+  canEvaluate: (rule: K) => boolean
+  evaluateSingleResource: (rule: K, data: ResourceData) => Promise<RuleResult>
+  // @TODO complex rules can take a query and return an array of resourceId + Result
+}