
Custom parsing for globs_match: wildcarded hostname overlap use case #2463

Open
@marshallford

Description


Expected Behavior

While writing a rule for preventing overlapping hostnames I reached for regex.globs_match in the hopes that the function would be able to parse strings that may contain a wildcard in the left-most component. Examples: a.com, *.a.b.c.com, and *. Is it possible for OPA to support custom parsing for this sort of use case? I'm writing a rule for Istio Gateway resources in k8s, but I would guess there are plenty of situations where determining intersections in strings with wildcards might be handy.

Thanks.

should_return_true := regex.globs_match("*.foo.com", "bar.foo.com")

Actual Behavior

library/uniquegatewayhost/src.rego:15: eval_builtin_error: regex.globs_match: input:*.foo.com, pos:1, flag '*' must be preceded by a non-flag: the input provided is invalid

Steps to Reproduce the Problem

source:

package k8suniquegatewayhost

identical(obj, review) {
  obj.metadata.namespace == review.object.metadata.namespace
  obj.metadata.name == review.object.metadata.name
}

violation[{"msg": msg}] {
  input.review.kind.kind == "Gateway"
  input.review.kind.group == "networking.istio.io"
  host := input.review.object.spec.servers[_].hosts[_]
  port := input.review.object.spec.servers[_].port.number
  other := data.inventory.namespace[ns][othergroupversion]["Gateway"][name]
  re_match("^networking.istio.io/.+$", othergroupversion)
  # other.spec.servers[_].hosts[_] == host
  regex.globs_match(other.spec.servers[_].hosts[_], host) # <--- I wish this had flexible parsing
  other.spec.servers[_].port.number == port
  not identical(other, input.review)
  msg := sprintf("gateway host conflicts with an existing gateway <%v>", [host])
}

OPA version:

❯ opa version
Version: 0.20.5
Build Commit: 64dd76e1
Build Timestamp: 2020-06-01T18:35:14Z
Build Hostname: 8f7822bb4c39

Additional Info

Error discovered while writing tests.

opa test -v **/*.rego
