Merge pull request #1907 from DependencyTrack/simplify-cel-visitor

Author: nscuro

apiserver/src/main/java/org/dependencytrack/policy/cel/CelPolicyScriptVisitor.java

@@ -18,76 +18,58 @@
  */
 package org.dependencytrack.policy.cel;
 
-import alpine.common.logging.Logger;
 import com.google.api.expr.v1alpha1.Expr;
 import com.google.api.expr.v1alpha1.Type;
 import org.apache.commons.collections4.MultiValuedMap;
 import org.apache.commons.collections4.multimap.HashSetValuedHashMap;
 
-import java.util.ArrayDeque;
-import java.util.Deque;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
-class CelPolicyScriptVisitor {
-
-    private static final Logger LOGGER = Logger.getLogger(CelPolicyScriptVisitor.class);
+final class CelPolicyScriptVisitor {
 
     record FunctionSignature(String function, Type targetType, List<Type> argumentTypes) {
     }
 
-    private final Map<Long, Type> types;
+    private final Map<Long, Type> typeByExpressionId;
     private final MultiValuedMap<Type, String> accessedFieldsByType;
     private final Set<FunctionSignature> usedFunctionSignatures;
-    private final Deque<String> callFunctionStack;
-    private final Deque<String> selectFieldStack;
-    private final Deque<Type> selectOperandTypeStack;
 
-    CelPolicyScriptVisitor(final Map<Long, Type> types) {
-        this.types = types;
+    CelPolicyScriptVisitor(Map<Long, Type> typeByExpressionId) {
+        this.typeByExpressionId = typeByExpressionId;
         this.accessedFieldsByType = new HashSetValuedHashMap<>();
         this.usedFunctionSignatures = new HashSet<>();
-        this.callFunctionStack = new ArrayDeque<>();
-        this.selectFieldStack = new ArrayDeque<>();
-        this.selectOperandTypeStack = new ArrayDeque<>();
     }
 
-    void visit(final Expr expr) {
+    void visit(Expr expr) {
         switch (expr.getExprKindCase()) {
             case CALL_EXPR -> visitCall(expr);
             case COMPREHENSION_EXPR -> visitComprehension(expr);
-            case CONST_EXPR -> visitConst(expr);
-            case IDENT_EXPR -> visitIdent(expr);
             case LIST_EXPR -> visitList(expr);
             case SELECT_EXPR -> visitSelect(expr);
             case STRUCT_EXPR -> visitStruct(expr);
-            case EXPRKIND_NOT_SET -> LOGGER.debug("Unknown expression: %s".formatted(expr));
+            case CONST_EXPR, EXPRKIND_NOT_SET, IDENT_EXPR -> {
+            }
         }
     }
 
-    private void visitCall(final Expr expr) {
-        logExpr(expr);
+    private void visitCall(Expr expr) {
         final Expr.Call callExpr = expr.getCallExpr();
 
-        final Type targetType = types.get(callExpr.getTarget().getId());
+        final Type targetType = typeByExpressionId.get(callExpr.getTarget().getId());
         final List<Type> argumentTypes = callExpr.getArgsList().stream()
                 .map(Expr::getId)
-                .map(types::get)
+                .map(typeByExpressionId::get)
                 .toList();
         usedFunctionSignatures.add(new FunctionSignature(callExpr.getFunction(), targetType, argumentTypes));
 
-        callFunctionStack.push(callExpr.getFunction());
         visit(callExpr.getTarget());
-        for (final Expr argExpr : callExpr.getArgsList()) {
-            visit(argExpr);
-        }
-        callFunctionStack.pop();
+        callExpr.getArgsList().forEach(this::visit);
     }
 
-    private void visitComprehension(final Expr expr) {
-        logExpr(expr);
+    private void visitComprehension(Expr expr) {
         final Expr.Comprehension comprehensionExpr = expr.getComprehensionExpr();
 
         visit(comprehensionExpr.getAccuInit());
@@ -97,40 +79,26 @@ private void visitComprehension(final Expr expr) {
         visit(comprehensionExpr.getResult());
     }
 
-    private void visitConst(final Expr expr) {
-        logExpr(expr);
-    }
-
-    private void visitIdent(final Expr expr) {
-        logExpr(expr);
-        selectOperandTypeStack.push(types.get(expr.getId()));
-    }
-
-    private void visitList(final Expr expr) {
-        logExpr(expr);
+    private void visitList(Expr expr) {
+        expr.getListExpr().getElementsList().forEach(this::visit);
     }
 
-    private void visitSelect(final Expr expr) {
-        logExpr(expr);
+    private void visitSelect(Expr expr) {
         final Expr.Select selectExpr = expr.getSelectExpr();
-
-        selectFieldStack.push(selectExpr.getField());
-        selectOperandTypeStack.push(types.get(expr.getId()));
+        final Type operandType = typeByExpressionId.get(selectExpr.getOperand().getId());
+        if (operandType != null) {
+            accessedFieldsByType.put(operandType, selectExpr.getField());
+        }
         visit(selectExpr.getOperand());
-        accessedFieldsByType.put(selectOperandTypeStack.pop(), selectFieldStack.pop());
-    }
-
-    private void visitStruct(final Expr expr) {
-        logExpr(expr);
     }
 
-    private void logExpr(final Expr expr) {
-        if (!LOGGER.isDebugEnabled()) {
-            return;
-        }
-
-        LOGGER.debug("Visiting %s (id=%d, fieldStack=%s, fieldTypeStack=%s, functionStack=%s)"
-                .formatted(expr.getExprKindCase(), expr.getId(), selectFieldStack, selectOperandTypeStack, callFunctionStack));
+    private void visitStruct(Expr expr) {
+        expr.getStructExpr().getEntriesList().forEach(entry -> {
+            if (entry.hasMapKey()) {
+                visit(entry.getMapKey());
+            }
+            visit(entry.getValue());
+        });
     }
 
     MultiValuedMap<Type, String> getAccessedFieldsByType() {

apiserver/src/test/java/org/dependencytrack/policy/cel/CelPolicyScriptHostTest.java

@@ -38,10 +38,10 @@
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
-public class CelPolicyScriptHostTest {
+class CelPolicyScriptHostTest {
 
     @Test
-    public void testCompileWithCache() throws Exception {
+    void testCompileWithCache() throws Exception {
         final var scriptSrc = """
                 component.name == "foo"
                 """;
@@ -55,7 +55,7 @@ public void testCompileWithCache() throws Exception {
     }
 
     @Test
-    public void testCompileWithoutCache() throws Exception {
+    void testCompileWithoutCache() throws Exception {
         final var scriptSrc = """
                 component.name == "foo"
                 """;
@@ -69,7 +69,7 @@ public void testCompileWithoutCache() throws Exception {
     }
 
     @Test
-    public void testRequirementsAnalysis() throws Exception {
+    void testRequirementsAnalysis() throws Exception {
         final CelPolicyScript compiledScript = CelPolicyScriptHost.getInstance(CelPolicyType.COMPONENT).compile("""
                 component.resolved_license.groups.exists(licenseGroup, licenseGroup.name == "Permissive")
                   && vulns.exists(vuln, vuln.severity in ["HIGH", "CRITICAL"] && has(vuln.aliases))
@@ -96,7 +96,43 @@ public void testRequirementsAnalysis() throws Exception {
     }
 
     @Test
-    public void testVisitVersRangeCheck() {
+    void testRequirementsAnalysisWithFieldAccessInList() throws Exception {
+        final CelPolicyScript compiledScript = CelPolicyScriptHost.getInstance(CelPolicyType.COMPONENT).compile("""
+                [component.name, project.name].exists(name, name == "foo")
+                """, CacheMode.NO_CACHE);
+
+        final Map<Type, Collection<String>> requirements = compiledScript.getRequirements().asMap();
+        assertThat(requirements).containsOnlyKeys(TYPE_COMPONENT, TYPE_PROJECT);
+        assertThat(requirements.get(TYPE_COMPONENT)).containsOnly("name");
+        assertThat(requirements.get(TYPE_PROJECT)).containsOnly("name");
+    }
+
+    @Test
+    void testRequirementsAnalysisWithFieldAccessInStructValue() throws Exception {
+        final CelPolicyScript compiledScript = CelPolicyScriptHost.getInstance(CelPolicyType.COMPONENT).compile("""
+                project.depends_on(v1.Component{name: component.name})
+                """, CacheMode.NO_CACHE);
+
+        final Map<Type, Collection<String>> requirements = compiledScript.getRequirements().asMap();
+        assertThat(requirements).containsOnlyKeys(TYPE_COMPONENT, TYPE_PROJECT);
+        assertThat(requirements.get(TYPE_COMPONENT)).containsOnly("name");
+        assertThat(requirements.get(TYPE_PROJECT)).containsOnly("uuid");
+    }
+
+    @Test
+    void testRequirementsAnalysisWithFieldAccessInMapKey() throws Exception {
+        final CelPolicyScript compiledScript = CelPolicyScriptHost.getInstance(CelPolicyType.COMPONENT).compile("""
+                {component.name: project.name}.size() > 0
+                """, CacheMode.NO_CACHE);
+
+        final Map<Type, Collection<String>> requirements = compiledScript.getRequirements().asMap();
+        assertThat(requirements).containsOnlyKeys(TYPE_COMPONENT, TYPE_PROJECT);
+        assertThat(requirements.get(TYPE_COMPONENT)).containsOnly("name");
+        assertThat(requirements.get(TYPE_PROJECT)).containsOnly("name");
+    }
+
+    @Test
+    void testVisitVersRangeCheck() {
         var exception = assertThrows(ScriptCreateException.class, () -> CelPolicyScriptHost.getInstance(CelPolicyType.COMPONENT).compile("""
                 project.name == "foo" && project.matches_range("vers:generic<1")
                   && project.depends_on(v1.Component{