Feat bundle rego filter (#106)

* feat(bundle): support rego as bundle filter.

* feat(bundlae): sample rego filter.

* featbundle): rego matcher.

.wwhrd.yml

@@ -55,3 +55,5 @@ exceptions:
   - github.com/hashicorp/consul/api
   # BSD-2.0 - https://github.com/Nvveen/Gotty/blob/master/LICENSE
   - github.com/Nvveen/Gotty
+  # BSD-2.0 - https://github.com/rcrowley/go-metrics/blob/master/LICENSE
+  - github.com/rcrowley/go-metrics

api/proto/harp/bundle/v1/patch.proto

@@ -71,6 +71,10 @@ message PatchSelector {
   PatchSelectorMatchPath matchPath = 1;
   // Match a package using a JMESPath query.
   string jmesPath = 2;
+  // Match a package using a Rego policy.
+  string rego = 3;
+  // Match a package by secret.
+  PatchSelectorMatchSecret matchSecret = 4;
 }
 
 // PatchSelectorMatchPath represents package path matching strategies.
@@ -83,6 +87,16 @@ message PatchSelectorMatchPath {
   string regex = 2;
 }
 
+// PatchSelectorMatchPath represents package path matching strategies.
+message PatchSelectorMatchSecret {
+  // Strict case-sensitive secret matching.
+  // Value can be templatized.
+  string strict = 1;
+  // Regex secret matching.
+  // Value can be templatized.
+  string regex = 2;
+}
+
 // PatchPackagePath represents package path operations.
 message PatchPackagePath {
   // Template used to completely rewrite the package path.

cmd/harp/internal/cmd/bundle_filter.go

@@ -33,6 +33,7 @@ type bundleFilterParams struct {
 	excludePaths []string
 	keepPaths    []string
 	jmesPath     string
+	regoPolicy   string
 	reverseLogic bool
 }
 
@@ -55,6 +56,7 @@ var bundleFilterCmd = func() *cobra.Command {
 				ExcludePaths:    params.excludePaths,
 				KeepPaths:       params.keepPaths,
 				JMESPath:        params.jmesPath,
+				RegoPolicy:      params.regoPolicy,
 				ReverseLogic:    params.reverseLogic,
 			}
 
@@ -71,6 +73,7 @@ var bundleFilterCmd = func() *cobra.Command {
 	cmd.Flags().StringArrayVar(&params.excludePaths, "exclude", []string{}, "Exclude path")
 	cmd.Flags().StringArrayVar(&params.keepPaths, "keep", []string{}, "Keep path")
 	cmd.Flags().StringVar(&params.jmesPath, "query", "", "JMESPath query used as package filter")
+	cmd.Flags().StringVar(&params.regoPolicy, "policy", "", "OPA Rego policy file as package filter")
 	cmd.Flags().BoolVar(&params.reverseLogic, "not", false, "Reverse filter logic expression")
 
 	return cmd

docs/onboarding/3-secret-bundle/4-patch.md

@@ -20,6 +20,8 @@ bundle source without altering the source bundle.
       - [Match by strict path](#match-by-strict-path)
       - [Match by regex path](#match-by-regex-path)
       - [Match by JMES filter](#match-by-jmes-filter)
+      - [Match by Rego policy](#match-by-rego-policy)
+      - [Match by secret key](#match-by-secret-key)
       - [PatchSelectorMatchPath](#patchselectormatchpath)
     - [PatchPackage](#patchpackage)
       - [PatchPackagePath](#patchpackagepath)
@@ -181,6 +183,10 @@ message PatchSelector {
   PatchSelectorMatchPath matchPath = 1;
   // Match a package using a JMESPath query.
   string jmesPath = 2;
+  // Match a package using a Rego policy.
+  string rego = 3;
+  // Match a package by secret.
+  PatchSelectorMatchSecret matchSecret = 4;
 }
 ```
 
@@ -207,6 +213,33 @@ selector:
   jmesPath: labels.database == "postgres"
 ```
 
+#### Match by Rego policy
+
+```yaml
+selector:
+  rego: |-
+    package harp
+    default keep = false
+    keep {
+        input.annotations["infosec.elastic.co/v1/SecretPolicy#severity"] == "moderate"
+        input.secrets.data[_].key == "cookieEncryptionKey"
+    }
+```
+
+#### Match by secret key
+
+```yaml
+selector:
+  matchSecret:
+    strict: USER
+```
+
+```yaml
+selector:
+  matchSecret:
+    regex: "*_KEY"
+```
+
 #### PatchSelectorMatchPath
 
 `PatchSelectorMatchPath` is a package path matcher.

go.mod

@@ -68,7 +68,7 @@ require (
 	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20211210111614-af8b64212486
+	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9
 	golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b
 	google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350
 	google.golang.org/grpc v1.44.0
@@ -79,6 +79,13 @@ require (
 	zntr.io/paseto v1.1.0
 )
 
+require (
+	github.com/OneOfOne/xxhash v1.2.8 // indirect
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
+	github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b // indirect
+)
+
 require (
 	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
@@ -137,6 +144,7 @@ require (
 	github.com/mitchellh/mapstructure v1.4.3 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 // indirect
+	github.com/open-policy-agent/opa v0.37.1
 	github.com/opencontainers/go-digest v1.0.0-rc1 // indirect
 	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -149,7 +157,7 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stoewer/go-strcase v1.2.0 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	go.etcd.io/etcd/api/v3 v3.5.1 // indirect
@@ -158,7 +166,7 @@ require (
 	go.uber.org/multierr v1.6.0 // indirect
 	golang.org/x/net v0.0.0-20211216030914-fe4d6282115f // indirect
 	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect
+	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect