Feature/#20 fix (#23)

* fixed is-in-list test in common functions Signed-off-by: Saurabh Pandit <[email protected]> * Tidy up Signed-off-by: Saurabh Pandit <[email protected]>
xunholy · Jun 9, 2020 · fb658d8 · fb658d8
1 parent 4d0b2e5
commit fb658d8
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 22 deletions.
diff --git a/policies/CIS.1.2.11.rego b/policies/CIS.1.2.11.rego
@@ -3,8 +3,8 @@ package cis_1_2_11
 import data.lib.kubernetes
 
 default_parameters = {
-	"key": "--enable-admission-plugins",
-	"deniedValue": "AlwaysAdmit"
+  "key": "--enable-admission-plugins",
+  "deniedValue": "AlwaysAdmit"
 }
 
 params = object.union(default_parameters, kubernetes.parameters)

diff --git a/policies/CIS.1.2.11_test.rego b/policies/CIS.1.2.11_test.rego
@@ -3,15 +3,15 @@ package cis_1_2_11
 import data.lib.test
 
 test_violation {
-	test.violations(violation) with input as policy_input("--enable-admission-plugins=AlwaysAdmit")
+  test.violations(violation) with input as policy_input("--enable-admission-plugins=AlwaysAdmit")
 }
 
 test_no_violation {
-	test.no_violations(violation) with input as policy_input("--enable-admission-plugins=NodeRestriction")
+  test.no_violations(violation) with input as policy_input("--enable-admission-plugins=NodeRestriction")
 }
 
 test_no_violation_2 {
-	test.no_violations(violation) with input as policy_input("")
+  test.no_violations(violation) with input as policy_input("")
 }
 
 policy_input(kv) = {
@@ -35,4 +35,3 @@ policy_input(kv) = {
     ]
   }
 }
-
diff --git a/policies/lib/kubernetes.rego b/policies/lib/kubernetes.rego
@@ -155,33 +155,28 @@ pod_containers(pod) = all_containers {
 }
 
 containers[container] {
-	pods[pod]
-	all_containers = pod_containers(pod)
-	container = all_containers[_]
+    pods[pod]
+    all_containers = pod_containers(pod)
+    container = all_containers[_]
 }
 
 containers[container] {
-	all_containers = pod_containers(object)
-	container = all_containers[_]
+    all_containers = pod_containers(object)
+    container = all_containers[_]
 }
 
 volumes[volume] {
-	pods[pod]
-	volume = pod.spec.volumes[_]
+    pods[pod]
+    volume = pod.spec.volumes[_]
 }
 
 #############
 # Functions #
 #############
 
 flag_contains_string(array, key, value) {
-  elems := [elem | contains(array[i], key); elem := array[i]]
-  contains(elems[_], value)
+    elems := [elem | contains(array[i], key); elem := array[i]]
+    pattern := sprintf("%v=|,", [key])
+    v = { l | l := regex.split(pattern, elems[i])[_] }
+    v[value]
 }
-
-# flag_contains_string(array, key, value) {
-# 	elems := [elem | contains(array[i], key); elem := array[i]]
-# 	pattern := sprintf("%v=|,", [key])
-# 	v := regex.split(pattern, elems[_])
-# 	value != v[_]
-# }