From 99bb9b826655c96dc65b3bd8f103f1696de82d49 Mon Sep 17 00:00:00 2001
From: Matthew A Johnson
Date: Thu, 13 Jun 2024 11:02:15 +0100
Subject: [PATCH 1/6] Updating tests to reflect the new output format

Signed-off-by: Matthew A Johnson
---
 CMakeLists.txt | 2 +-
 Tests/compartment_allow_list.query.expected | 2 +-
 Tests/compartment_callers.query.expected | 2 +-
 Tests/compartment_check.query.expected | 2 +-
 Tests/demangle_compartment_call.query.expected | 2 +-
 Tests/demangle_libcall.query.expected | 2 +-
 Tests/mmio_check.query.expected | 2 +-
 Tests/sum_quotas.query.expected | 2 +-
 Tests/true.query.expected | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 4d1b3c0..82db061 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -12,7 +12,7 @@ endif ()
 if (DEFINED ENV{REGOCPP_TAG})
   set(REGOCPP_TAG $ENV{REGOCPP_TAG})
 else ()
-  set(REGOCPP_TAG "cb967637dbf7cee25117203bbdf9c10b62dfb25a")
+  set(REGOCPP_TAG "6f4f038df7ec3f17c5f631947d6f14cde871de09")
 endif()
 
 include(FetchContent)
diff --git a/Tests/compartment_allow_list.query.expected b/Tests/compartment_allow_list.query.expected
index 27ba77d..488e3d1 100644
--- a/Tests/compartment_allow_list.query.expected
+++ b/Tests/compartment_allow_list.query.expected
@@ -1 +1 @@
-true
+{"expressions":[true]}
diff --git a/Tests/compartment_callers.query.expected b/Tests/compartment_callers.query.expected
index f84f071..7e313ff 100644
--- a/Tests/compartment_callers.query.expected
+++ b/Tests/compartment_callers.query.expected
@@ -1 +1 @@
-["allocator_test", "test_runner"]
+{"expressions":[["allocator_test", "test_runner"]]}
diff --git a/Tests/compartment_check.query.expected b/Tests/compartment_check.query.expected
index 27ba77d..488e3d1 100644
--- a/Tests/compartment_check.query.expected
+++ b/Tests/compartment_check.query.expected
@@ -1 +1 @@
-true
+{"expressions":[true]}
diff --git a/Tests/demangle_compartment_call.query.expected b/Tests/demangle_compartment_call.query.expected
index 646534c..1648075 100644
--- a/Tests/demangle_compartment_call.query.expected
+++ b/Tests/demangle_compartment_call.query.expected
@@ -1 +1 @@
-"heap_free(SObjStruct*, void*)"
+{"expressions":["heap_free(SObjStruct*, void*)"]}
diff --git a/Tests/demangle_libcall.query.expected b/Tests/demangle_libcall.query.expected
index 27b02b2..d50850d 100644
--- a/Tests/demangle_libcall.query.expected
+++ b/Tests/demangle_libcall.query.expected
@@ -1 +1 @@
-"token_obj_unseal(SKeyStruct*, SObjStruct*)"
+{"expressions":["token_obj_unseal(SKeyStruct*, SObjStruct*)"]}
diff --git a/Tests/mmio_check.query.expected b/Tests/mmio_check.query.expected
index 27ba77d..488e3d1 100644
--- a/Tests/mmio_check.query.expected
+++ b/Tests/mmio_check.query.expected
@@ -1 +1 @@
-true
+{"expressions":[true]}
diff --git a/Tests/sum_quotas.query.expected b/Tests/sum_quotas.query.expected
index 318b6fa..4c6f889 100644
--- a/Tests/sum_quotas.query.expected
+++ b/Tests/sum_quotas.query.expected
@@ -1 +1 @@
-1070080
+{"expressions":[1070080]}
diff --git a/Tests/true.query.expected b/Tests/true.query.expected
index 27ba77d..488e3d1 100644
--- a/Tests/true.query.expected
+++ b/Tests/true.query.expected
@@ -1 +1 @@
-true
+{"expressions":[true]}

From 0394396e91b16764d5194422cf13124346eb1646 Mon Sep 17 00:00:00 2001
From: Matthew A Johnson
Date: Thu, 13 Jun 2024 11:37:03 +0100
Subject: [PATCH 2/6] Update to CI to deal with new version of Rego

Signed-off-by: Matthew A Johnson
---
 .github/workflows/main.yml | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index d460e82..2e9d5bf 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -17,37 +17,43 @@ jobs:
           name: "Ubuntu Latest Release",
           os: "ubuntu-latest",
           build-type: Release,
-          dependencies: "sudo apt install ninja-build"
+          dependencies: "sudo apt install ninja-build",
+          defines: ""
         }
       - {
           name: "Ubuntu 20.04 Release",
           os: "ubuntu-20.04",
           build-type: Release,
-          dependencies: "sudo apt install ninja-build"
+          dependencies: "sudo apt install ninja-build",
+          defines: "-DREGOCPP_USE_CXX17=ON"
         }
       - {
           name: "macOS Release",
           os: "macos-latest",
           build-type: Release,
-          dependencies: "brew update && brew install cmake ninja"
+          dependencies: "brew update && brew install cmake ninja",
+          defines: ""
         }
       - {
           name: "Ubuntu Latest Debug",
           os: "ubuntu-latest",
           build-type: Debug,
-          dependencies: "sudo apt install ninja-build"
+          dependencies: "sudo apt install ninja-build",
+          defines: ""
         }
       - {
           name: "Ubuntu 20.04 Debug",
           os: "ubuntu-20.04",
           build-type: Debug,
-          dependencies: "sudo apt install ninja-build"
+          dependencies: "sudo apt install ninja-build",
+          defines: "-DREGOCPP_USE_CXX17=ON"
         }
       - {
           name: "macOS Debug",
           os: "macos-latest",
           build-type: Debug,
-          dependencies: "brew update && brew install cmake ninja"
+          dependencies: "brew update && brew install cmake ninja",
+          defines: ""
         }
     runs-on: ${{ matrix.config.os }}
     name: ${{ matrix.config.name }}
@@ -56,7 +62,7 @@ jobs:
       - name: Install ninja
         run: ${{ matrix.config.dependencies }}
       - name: Configure CMake
-        run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{matrix.config.build-type}} -G Ninja
+        run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{matrix.config.build-type}} ${{matrix.config.defines}} -G Ninja
       - name: Build
         working-directory: ${{github.workspace}}/build
         # Build your program with the given configuration

From cea759db5af2f25b73d2e9aee4878391ad33ab5e Mon Sep 17 00:00:00 2001
From: Matthew A Johnson
Date: Thu, 13 Jun 2024 13:23:54 +0100
Subject: [PATCH 3/6] Pointing at fixed semicolon version of Rego
Signed-off-by: Matthew A Johnson
---
 CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 82db061..670fb9b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -12,7 +12,7 @@ endif ()
 if (DEFINED ENV{REGOCPP_TAG})
   set(REGOCPP_TAG $ENV{REGOCPP_TAG})
 else ()
-  set(REGOCPP_TAG "6f4f038df7ec3f17c5f631947d6f14cde871de09")
+  set(REGOCPP_TAG "1ea2261e5fd5cde09fa726bd58aad2140a7161b2")
 endif()
 
 include(FetchContent)

From 1a26275e84e1eb8087461cfcddc75280692e2d01 Mon Sep 17 00:00:00 2001
From: Matthew Johnson
Date: Fri, 14 Jun 2024 09:40:26 +0100
Subject: [PATCH 4/6] Changing audit code to extract the first expression

Signed-off-by: Matthew Johnson
---
 Tests/compartment_allow_list.query.expected | 2 +-
 Tests/compartment_callers.query.expected | 2 +-
 Tests/compartment_check.query.expected | 2 +-
 .../demangle_compartment_call.query.expected | 2 +-
 Tests/demangle_libcall.query.expected | 2 +-
 Tests/mmio_check.query.expected | 2 +-
 Tests/sum_quotas.query.expected | 2 +-
 Tests/true.query.expected | 2 +-
 Tests/undefined.query | 2 +
 Tests/undefined.query.expected | 1 +
 audit.cc | 68 ++++++++++++++++++-
 11 files changed, 78 insertions(+), 9 deletions(-)
 create mode 100644 Tests/undefined.query
 create mode 100644 Tests/undefined.query.expected

diff --git a/Tests/compartment_allow_list.query.expected b/Tests/compartment_allow_list.query.expected
index 488e3d1..27ba77d 100644
--- a/Tests/compartment_allow_list.query.expected
+++ b/Tests/compartment_allow_list.query.expected
@@ -1 +1 @@
-{"expressions":[true]}
+true
diff --git a/Tests/compartment_callers.query.expected b/Tests/compartment_callers.query.expected
index 7e313ff..8736f87 100644
--- a/Tests/compartment_callers.query.expected
+++ b/Tests/compartment_callers.query.expected
@@ -1 +1 @@
-{"expressions":[["allocator_test", "test_runner"]]}
+["allocator_test","test_runner"]
diff --git a/Tests/compartment_check.query.expected b/Tests/compartment_check.query.expected
index 488e3d1..27ba77d 100644
--- a/Tests/compartment_check.query.expected
+++ b/Tests/compartment_check.query.expected
@@ -1 +1 @@
-{"expressions":[true]}
+true
diff --git a/Tests/demangle_compartment_call.query.expected b/Tests/demangle_compartment_call.query.expected
index 1648075..646534c 100644
--- a/Tests/demangle_compartment_call.query.expected
+++ b/Tests/demangle_compartment_call.query.expected
@@ -1 +1 @@
-{"expressions":["heap_free(SObjStruct*, void*)"]}
+"heap_free(SObjStruct*, void*)"
diff --git a/Tests/demangle_libcall.query.expected b/Tests/demangle_libcall.query.expected
index d50850d..27b02b2 100644
--- a/Tests/demangle_libcall.query.expected
+++ b/Tests/demangle_libcall.query.expected
@@ -1 +1 @@
-{"expressions":["token_obj_unseal(SKeyStruct*, SObjStruct*)"]}
+"token_obj_unseal(SKeyStruct*, SObjStruct*)"
diff --git a/Tests/mmio_check.query.expected b/Tests/mmio_check.query.expected
index 488e3d1..27ba77d 100644
--- a/Tests/mmio_check.query.expected
+++ b/Tests/mmio_check.query.expected
@@ -1 +1 @@
-{"expressions":[true]}
+true
diff --git a/Tests/sum_quotas.query.expected b/Tests/sum_quotas.query.expected
index 4c6f889..318b6fa 100644
--- a/Tests/sum_quotas.query.expected
+++ b/Tests/sum_quotas.query.expected
@@ -1 +1 @@
-{"expressions":[1070080]}
+1070080
diff --git a/Tests/true.query.expected b/Tests/true.query.expected
index 488e3d1..27ba77d 100644
--- a/Tests/true.query.expected
+++ b/Tests/true.query.expected
@@ -1 +1 @@
-{"expressions":[true]}
+true
diff --git a/Tests/undefined.query b/Tests/undefined.query
new file mode 100644
index 0000000..8f71e3f
--- /dev/null
+++ b/Tests/undefined.query
@@ -0,0 +1,2 @@
+# Check that invalid queries return undefined
+--board inputs/sail.json -j inputs/test-suite.json -q 'data.this.is.undefined'
diff --git a/Tests/undefined.query.expected b/Tests/undefined.query.expected
new file mode 100644
index 0000000..417b7b5
--- /dev/null
+++ b/Tests/undefined.query.expected
@@ -0,0 +1 @@
+undefined
diff --git a/audit.cc b/audit.cc
index f2e46ba..dfd9c9d 100644
--- a/audit.cc
+++ b/audit.cc
@@ -243,6 +243,71 @@ namespace
     return scalar(std::move(result));
   }
 
+  std::string
+  extract_first_expression_from_result(const std::string &result_json)
+  {
+    if(result_json == "undefined"){
+      return result_json;
+    }
+
+    nlohmann::json result;
+    try
+    {
+      result = result.parse(result_json);
+    }
+    catch (nlohmann::json::parse_error &e)
+    {
+      return e.what();
+    }
+
+    if (result.is_array())
+    {
+      if (result.empty())
+      {
+        std::cerr << "warning: query returned no results." << std::endl;
+      }
+      else
+      {
+        if (result.size() > 1)
+        {
+          std::cerr
+            << "warning: query returned multiple results. Only " "the first will be used."
+            << std::endl;
+        }
+
+        result = result[0];
+      }
+    }
+
+    if (result.is_object() && result.contains("expressions"))
+    {
+      auto &expressions = result["expressions"];
+      if (expressions.is_array())
+      {
+        if (expressions.empty())
+        {
+          std::cerr << "warning: query returned no results."
+                    << std::endl;
+        }
+        else
+        {
+          return expressions[0].dump();
+        }
+      }
+      else
+      {
+        std::cerr << "error: expected 'expressions' to be an array"
+                  << std::endl;
+      }
+    }
+
+    std::cerr
+      << "error: expected results to be either an array or an object."
+      << std::endl;
+    return "";
+  }
+
 } // namespace
 
 int main(int argc, char **argv)
@@ -287,5 +352,6 @@ int main(int argc, char **argv)
   {
     rego.add_module_file(modulePath);
   }
-  std::cout << rego.query(query) << std::endl;
+  std::cout << extract_first_expression_from_result(rego.query(query))
+            << std::endl;
 }

From b1e5b031e9925407131a51c7b85643c2f6b3b9b9 Mon Sep 17 00:00:00 2001
From: Matthew Johnson
Date: Fri, 14 Jun 2024 09:47:42 +0100
Subject: [PATCH 5/6] Flattening conditions

Signed-off-by: Matthew Johnson
---
 audit.cc | 72 +++++++++++++++++++++++++++++---------------------------
 1 file changed, 37 insertions(+), 35 deletions(-)
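Review bot: The `catch (nlohmann::json::parse_error &e)` branch does `return e.what();`, which turns the parser's diagnostic into the function's result; main then prints it to stdout exactly like a successful expression, whereas every other failure in this function is written to stderr and yields `""`. Report it the same way, `std::cerr << "error: " << e.what() << std::endl; return "";`, so nothing reading stdout can mistake a diagnostic for an audit result. Separately, `result = result.parse(result_json);` calls the static parser through the still-null instance, which compiles but reads as a member call; `result = nlohmann::json::parse(result_json);` is the intended spelling. The early `result_json == "undefined"` check also leans on a literal the engine presumably emits for an undefined query; a one-line comment above it naming that contract would help the next reader.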
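Review bot: The new `std::cout << extract_first_expression_from_result(rego.query(query))` line prints whatever the helper returns, and on every failure path the helper returns an empty string (or the exception text) after writing to stderr, so the process still exits successfully with nothing useful on stdout; a script that runs the audit and checks the exit status would see a pass. If this output is what a build or CI step gates on, main should return non-zero when extraction fails, for example by having the helper return `std::optional<std::string>` and checking it here, so an unexpected or unparsable result cannot read as a clean audit. main's return is outside the hunk, so I cannot see whether its exit status already depends on the result.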
diff --git a/audit.cc b/audit.cc
index dfd9c9d..0bbd747 100644
--- a/audit.cc
+++ b/audit.cc
@@ -246,7 +246,8 @@ namespace
   std::string
   extract_first_expression_from_result(const std::string &result_json)
   {
-    if(result_json == "undefined"){
+    if (result_json == "undefined")
+    {
       return result_json;
     }
 
@@ -265,49 +266,50 @@ namespace
       if (result.empty())
       {
         std::cerr << "warning: query returned no results." << std::endl;
+        return result_json;
       }
-      else
-      {
-        if (result.size() > 1)
-        {
-          std::cerr
-            << "warning: query returned multiple results. Only " "the first will be used."
-            << std::endl;
-        }
 
-        result = result[0];
+      if (result.size() > 1)
+      {
+        std::cerr << "warning: query returned multiple results. Only " "the first will be used."
+                  << std::endl;
       }
+
+      result = result[0];
     }
 
-    if (result.is_object() && result.contains("expressions"))
+    if (!result.is_object())
     {
-      auto &expressions = result["expressions"];
-      if (expressions.is_array())
-      {
-        if (expressions.empty())
-        {
-          std::cerr << "warning: query returned no results."
-                    << std::endl;
-        }
-        else
-        {
-          return expressions[0].dump();
-        }
-      }
-      else
-      {
-        std::cerr << "error: expected 'expressions' to be an array"
-                  << std::endl;
-      }
+      std::cerr
+        << "error: expected results to be either an array or an object."
+        << std::endl;
+      return result_json;
     }
 
-    std::cerr
-      << "error: expected results to be either an array or an object."
-      << std::endl;
-    return "";
-  }
+    if (!result.contains("expressions"))
+    {
+      std::cerr << "error: result object does not contain 'expressions'"
+                << std::endl;
+      return result_json;
+    }
+
+    auto &expressions = result["expressions"];
+    if (!expressions.is_array())
+    {
+      std::cerr << "error: expected 'expressions' to be an array"
+                << std::endl;
+      return result_json;
+    }
+    if (expressions.empty())
+    {
+      std::cerr << "warning: query returned no results." << std::endl;
+      return result_json;
+    }
+
+    return expressions[0].dump();
+  }
 } // namespace
 
 int main(int argc, char **argv)
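Review bot: Each new early return hands back `result_json` unchanged, so on an unexpected result shape the raw JSON (the whole results array, `[]`, or an object without `expressions`) is printed to stdout as though it were the extracted expression, and only a line on stderr distinguishes it from a genuine value. The parse-error branch between the two hunks (not shown, and untouched by this patch as far as the hunk headers indicate) still returns `e.what()`, so the function now carries two different failure conventions. Pick one explicit failure value, either `""` or a `std::optional<std::string>` return, and let main decide what to print and which exit status to use. The function's opening lines, including the try/catch, are outside this hunk.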
From 3357bc84014e91749dd14877e9ed0069b3d190e2 Mon Sep 17 00:00:00 2001
From: Matthew Johnson
Date: Tue, 18 Jun 2024 12:17:10 +0100
Subject: [PATCH 6/6] Updating to the latest version of rego-cpp

Signed-off-by: Matthew Johnson
---
 CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 670fb9b..9bde60a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -12,7 +12,7 @@ endif ()
 if (DEFINED ENV{REGOCPP_TAG})
   set(REGOCPP_TAG $ENV{REGOCPP_TAG})
 else ()
-  set(REGOCPP_TAG "1ea2261e5fd5cde09fa726bd58aad2140a7161b2")
+  set(REGOCPP_TAG "cfabe01a63e1d302e3924d03531aa0ad41e8947b")
 endif()
 
 include(FetchContent)