Merge remote-tracking branch 'origin/joffref/4972' into joffref/4972

open-policy-agent · Nov 1, 2022 · fae3487 · fae3487
2 parents bf473ac + ddfed68
commit fae3487
Show file tree

Hide file tree

Showing 67 changed files with 2,384 additions and 515 deletions.
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -317,7 +317,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Download OPA
-        uses: open-policy-agent/setup-opa@v1
+        uses: open-policy-agent/setup-opa@v2
         with:
           version: edge
 

diff --git a/.golangci.yaml b/.golangci.yaml
@@ -26,4 +26,5 @@ linters:
     - staticcheck
     - gosimple
     - prealloc
+    - unconvert
     # - gosec # too many false positives
diff --git a/ast/builtins.go b/ast/builtins.go
@@ -260,6 +260,7 @@ var DefaultBuiltins = [...]*Builtin{
 	NetCIDRExpand,
 	NetCIDRMerge,
 	NetLookupIPAddr,
+	NetCIDRIsValid,
 
 	// Glob
 	GlobMatch,
@@ -2771,6 +2772,17 @@ Supports both IPv4 and IPv6 notations. IPv6 inputs need a prefix length (e.g. "/
 	),
 }
 
+var NetCIDRIsValid = &Builtin{
+	Name:        "net.cidr_is_valid",
+	Description: "Parses an IPv4/IPv6 CIDR and returns a boolean indicating if the provided CIDR is valid.",
+	Decl: types.NewFunction(
+		types.Args(
+			types.Named("cidr", types.S),
+		),
+		types.Named("result", types.B),
+	),
+}
+
 var netCidrContainsMatchesOperandType = types.NewAny(
 	types.S,
 	types.NewArray(nil, types.NewAny(

diff --git a/ast/compile.go b/ast/compile.go
@@ -5151,7 +5151,7 @@ func validateWith(c *Compiler, unsafeBuiltinsMap map[string]struct{}, expr *Expr
 				for _, v := range child.Values {
 					if len(v.(*Rule).Head.Args) > 0 {
 						if ok, err := validateWithFunctionValue(c.builtins, unsafeBuiltinsMap, c.RuleTree, value); err != nil || ok {
-							return false, err // may be nil
+							return false, err // err may be nil
 						}
 					}
 				}
@@ -5173,7 +5173,7 @@ func validateWith(c *Compiler, unsafeBuiltinsMap map[string]struct{}, expr *Expr
 		}
 
 		if ok, err := validateWithFunctionValue(c.builtins, unsafeBuiltinsMap, c.RuleTree, value); err != nil || ok {
-			return false, err // may be nil
+			return false, err // err may be nil
 		}
 	default:
 		return false, NewError(TypeErr, target.Location, "with keyword target must reference existing %v, %v, or a function", InputRootDocument, DefaultRootDocument)

diff --git a/ast/compile_test.go b/ast/compile_test.go
@@ -5292,6 +5292,27 @@ func TestCompilerRewriteWithValue(t *testing.T) {
 			`,
 			expected: `p { true with http.send as {"body": "yay"} }`,
 		},
+		{
+			note: "built-in function: replaced by var",
+			input: `
+				p {
+					resp := { "body": "yay" }
+					true with http.send as resp
+				}
+			`,
+			expected: `p { __local0__ = {"body": "yay"}; true with http.send as __local0__ }`,
+		},
+		{
+			note: "non-built-in function: replaced by var",
+			input: `
+				p {
+					resp := true
+					f(true) with f as resp
+				}
+				f(false) { true }
+			`,
+			expected: `p { __local0__ = true; data.test.f(true) with data.test.f as __local0__ }`,
+		},
 		{
 			note: "built-in function: replaced by comprehension",
 			input: `