ast+topdown: add net.lookup_ip_addr built-in function (open-policy-ag…
…ent#3995) Since the golang stdlib function doesn't do any caching, we add the result to the BuiltinContext.Cache so it's cached, and consistent, within a single policy evaluation. There is no decision made here about using netgo or netcgo: we're following suit wrt how golang expects you to do it: From my understanding, using the OS means for DNS resolution is the preferred way: it gives you per-host caching, and it allows the user to affect how DNS resolution works in many ways. This means the same logic that applies to all other places where we resolve domain names into addresses (notably `http.send`) applies to this built-in, too. Also: * workflow/pull_request: don't fail-fast for matrix jobs Even if one platform fails it would be interesting to see what happens on the others. Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
Showing
443 changed files
with
41,233 additions
and
5,078 deletions.
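--- /dev/null
+++ b/test/cases/testdata/netlookupipaddr/test-netlookupipaddr.yaml
@@ -0,0 +1,45 @@
+cases:
+- data:
+  modules:
+  - |
+    package test
+    p = x {
+      x := net.lookup_ip_addr("10.0.0.0")
+    }
+  note: net.lookup_ip_addr/simple ip4 returns that ip4
+  query: data.test.p = x
+  want_result:
+  - x:
+    - 10.0.0.0
+- data:
+  modules:
+  - |
+    package test
+    p = x {
+      x := net.lookup_ip_addr("::")
+    }
+  note: net.lookup_ip_addr/simple ip6 returns that ip6
+  query: data.test.p = x
+  want_result:
+  - x:
+    - '::'
+- data:
+  modules:
+  - |
+    package test
+    # one of these should be the case on any system
+    p {
+      net.lookup_ip_addr("localhost") == {"127.0.0.1"}
+    }
+    p {
+      net.lookup_ip_addr("localhost") == {"127.0.0.1", "::1"}
+    }
+    p {
+      net.lookup_ip_addr("localhost") == {"::1"}
+    }
+  note: net.lookup_ip_addr/localhost
+  query: data.test.p = x
+  want_result:
+  - x: true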
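Review bot: The localhost case (the third entry) enumerates three exact address sets, so it passes only on hosts whose resolver maps localhost to exactly 127.0.0.1, ::1 or both; a hosts file or resolver override that adds any other alias makes the whole case fail without showing which set came back. A looser but still meaningful check is to assert that the result is non-empty and contained in the expected pair, e.g. `p { addrs := net.lookup_ip_addr("localhost"); count(addrs) > 0; addrs & {"127.0.0.1", "::1"} == addrs }`. The two IP-literal cases look fine as they stand, since an IP literal should come back unchanged without a resolver round trip.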
@@ -0,0 +1,57 @@ | ||
// Copyright 2021 The OPA Authors. All rights reserved. | ||
// Use of this source code is governed by an Apache2 | ||
// license that can be found in the LICENSE file. | ||
|
||
package topdown | ||
|
||
import ( | ||
"net" | ||
|
||
"github.com/open-policy-agent/opa/ast" | ||
"github.com/open-policy-agent/opa/topdown/builtins" | ||
) | ||
|
||
type lookupIPAddrCacheKey string | ||
|
||
// resolv is the same as net.DefaultResolver -- this is for mocking it out in tests | ||
var resolv = &net.Resolver{} | ||
|
||
func builtinLookupIPAddr(bctx BuiltinContext, operands []*ast.Term, iter func(*ast.Term) error) error { | ||
name, err := builtins.StringOperand(operands[0].Value, 1) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
key := lookupIPAddrCacheKey(name) | ||
if val, ok := bctx.Cache.Get(key); ok { | ||
return iter(val.(*ast.Term)) | ||
} | ||
|
||
addrs, err := resolv.LookupIPAddr(bctx.Context, string(name)) | ||
if err != nil { | ||
// NOTE(sr): We can't do better than this right now, see https://github.com/golang/go/issues/36208 | ||
if err.Error() == "operation was canceled" || err.Error() == "i/o timeout" { | ||
return Halt{ | ||
Err: &Error{ | ||
Code: CancelErr, | ||
Message: ast.NetLookupIPAddr.Name + ": " + err.Error(), | ||
Location: bctx.Location, | ||
}, | ||
} | ||
} | ||
return err | ||
} | ||
|
||
ret := ast.NewSet() | ||
for _, a := range addrs { | ||
ret.Add(ast.StringTerm(a.String())) | ||
|
||
} | ||
t := ast.NewTerm(ret) | ||
bctx.Cache.Put(key, t) | ||
return iter(t) | ||
} | ||
|
||
func init() { | ||
RegisterBuiltinFunc(ast.NetLookupIPAddr.Name, builtinLookupIPAddr) | ||
} |
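Review bot: The cancellation check in the `if err != nil` branch of builtinLookupIPAddr compares the whole `err.Error()` text with "operation was canceled" / "i/o timeout", but the error `Resolver.LookupIPAddr` returns for a cancelled or expired context is, as far as I can tell, a `*net.DNSError` whose `Error()` is prefixed with `lookup <host>: `, so the comparison never matches and a cancelled evaluation surfaces as an ordinary built-in error instead of `Halt{CancelErr}`. Since the message text is exactly what golang/go#36208 is about, a check that does not depend on it is to consult the context after the call (`bctx.Context.Err()`), optionally with `errors.As(err, &dnsErr)` and `dnsErr.IsTimeout` for resolver-side timeouts (this needs `errors` imported); the rewritten branch is below. Separately, the entry point has no doc comment; something like `// builtinLookupIPAddr implements net.lookup_ip_addr: it resolves operands[0] to the set of its IP addresses (as strings) and memoises the result in bctx.Cache for the rest of the evaluation.` would help, and the stray blank line inside the `for _, a := range addrs` loop can go. Because the looked-up name can come from policy input, this built-in adds an outbound network side effect comparable to `http.send`; if it is not already listed in the capabilities file elsewhere in this commit, it should be, so deployments can disable it.
```go
	addrs, err := resolv.LookupIPAddr(bctx.Context, string(name))
	if err != nil {
		// Don't match on the error text (see golang/go#36208): the context
		// itself knows whether the lookup was cancelled or timed out.
		var dnsErr *net.DNSError
		if ctxErr := bctx.Context.Err(); ctxErr != nil || (errors.As(err, &dnsErr) && dnsErr.IsTimeout) {
			return Halt{
				Err: &Error{
					Code:     CancelErr,
					Message:  ast.NetLookupIPAddr.Name + ": " + err.Error(),
					Location: bctx.Location,
				},
			}
		}
		return err
	}
	// … unchanged: build the result set, cache it under key, call iter …
```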