Support appending to data lists

The goal is to allow users to append to rule data without overwriting the original rule data. This can be used to add a custom task to data.task-bundles for example.
enterprise-contract · Oct 31, 2023 · 7810fb7 · 7810fb7
1 parent 7200fd2
commit 7810fb7
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 1 deletion.
diff --git a/policy/lib/rule_data.rego b/policy/lib/rule_data.rego
@@ -67,6 +67,19 @@ rule_data_defaults := {
 	],
 }
 
+# The idea here is you can customize existing list in a rule data field by
+# appending to it, e.g. to add one more item to a default list.
+#
+rule_data(key_name) := r {
+	original_list := _rule_data(key_name)
+	is_array(original_list)
+	append_list := _append_rule_data(key_name)
+	is_array(append_list)
+	r := array.concat(original_list, append_list)
+} else := r {
+	r := _rule_data(key_name)
+}
+
 # Returns the "first found" of the following:
 #   data.rule_data__configuration__[key_name]
 #   data.rule_data_custom[key_name]
@@ -75,7 +88,7 @@ rule_data_defaults := {
 #
 # And falls back to an empty list if the key is not found anywhere.
 #
-rule_data(key_name) := value {
+_rule_data(key_name) := value {
 	# Expected to be defined under `configuration.rule_data` in the
 	# ECP configuration data being used when EC is run.
 	value := data.rule_data__configuration__[key_name]
@@ -94,3 +107,21 @@ rule_data(key_name) := value {
 	# If the key is not found, default to an empty list
 	value := []
 }
+
+# Returns items found in
+#   data.append_rule_data_custom[key_name]
+#   data.append_rule_data__configuration__[key_name]
+#
+# And falls back to an empty list if the key is not found in either
+# of those.
+#
+_append_rule_data(key_name) := value {
+	# If both `data.append_rule_data__configuration__[key_name]` and
+	# `data.append_rule_data_custom[key_name] are present then
+	# the user would reasonably expect them both to be appended
+	value := array.concat(data.append_rule_data_custom[key_name], data.append_rule_data__configuration__[key_name])
+} else := value {
+	value := data.append_rule_data_custom[key_name]
+} else := value {
+	value := data.append_rule_data__configuration__[key_name]
+} else := []
diff --git a/policy/lib/rule_data_test.rego b/policy/lib/rule_data_test.rego
@@ -24,6 +24,27 @@ test_rule_data {
 		with lib.rule_data_defaults as {"key3": 10}
 }
 
+test_appending_custom_rule_data {
+	lib.assert_equal(
+		[
+			["a", "b", "c", "d"],
+			["a", "d"],
+			["e"],
+			"zap",
+		],
+		[
+			# Test a few scenarios
+			lib.rule_data("foo"),
+			lib.rule_data("bar"),
+			lib.rule_data("baz"),
+			# Can't append to a non-array
+			lib.rule_data("zip"),
+		]
+	) with data.rule_data as {"foo": ["a", "b"], "bar": ["a"], "zip": "zap"}
+		with data.append_rule_data_custom as {"foo": ["c"], "baz": ["e"], "zip": ["zup"]}
+		with data.append_rule_data__configuration__ as {"foo": ["d"], "bar": ["d"]}
+}
+
 # Need this for 100% coverage
 test_rule_data_defaults {
 	lib.assert_not_empty(lib.rule_data_defaults)