Changes required to support tag based risk factors (#1563)

* support risk factors in space policy * add tags to risk factors * Allow setting owner on risk factors
mondoohq · Feb 5, 2025 · 85dc538 · 85dc538
1 parent 276280b
commit 85dc538
Show file tree

Hide file tree

Showing 7 changed files with 1,766 additions and 1,819 deletions.
diff --git a/internal/datalakes/inmemory/policyhub.go b/internal/datalakes/inmemory/policyhub.go
@@ -324,7 +324,7 @@ func (db *Db) getRiskFactor(ctx context.Context, mrn string) (*policy.RiskFactor
 	return found.(*policy.RiskFactor), nil
 }
 
-func (db *Db) SetRiskFactor(ctx context.Context, riskFactor *policy.RiskFactor) error {
+func (db *Db) SetRiskFactor(ctx context.Context, ownerMrn string, riskFactor *policy.RiskFactor) error {
 	db.cache.Set(dbIDRiskFactor+riskFactor.Mrn, riskFactor, 1)
 	return nil
 }

diff --git a/internal/datalakes/inmemory/policyresolver.go b/internal/datalakes/inmemory/policyresolver.go
@@ -632,7 +632,7 @@ func (db *Db) SetResolvedPolicy(ctx context.Context, mrn string, resolvedPolicy
 		if _, err := db.getRiskFactor(ctx, rf.Mrn); err == nil {
 			continue
 		}
-		if err := db.SetRiskFactor(ctx, rf); err != nil {
+		if err := db.SetRiskFactor(ctx, "", rf); err != nil {
 			return err
 		}
 	}

diff --git a/policy/cnspec_policy.pb.go b/policy/cnspec_policy.pb.go
diff --git a/policy/cnspec_policy.proto b/policy/cnspec_policy.proto
@@ -301,6 +301,7 @@ message RiskFactor {
   string indicator = 75;
 
   cnquery.explorer.Action action = 77;
+  map<string,string> tags = 78;
 }
 
 message RiskFactorDocs {

diff --git a/policy/datalake.go b/policy/datalake.go
@@ -61,7 +61,7 @@ type DataLake interface {
 	// SetPolicy stores a given policy in the data lake
 	SetPolicy(ctx context.Context, policy *Policy, filters []*explorer.Mquery) error
 	// SetRiskFactor creates and stores a risk factor
-	SetRiskFactor(ctx context.Context, riskFactor *RiskFactor) error
+	SetRiskFactor(ctx context.Context, ownerMrn string, riskFactor *RiskFactor) error
 
 	// List all policies for a given owner
 	// Note: Owner MRN is required

diff --git a/policy/hub.go b/policy/hub.go
@@ -201,7 +201,7 @@ func (s *LocalServices) SetBundleMap(ctx context.Context, bundleMap *PolicyBundl
 	}
 
 	for _, risk := range bundleMap.RiskFactors {
-		if err := s.DataLake.SetRiskFactor(ctx, risk); err != nil {
+		if err := s.DataLake.SetRiskFactor(ctx, bundleMap.OwnerMrn, risk); err != nil {
 			return err
 		}
 	}

diff --git a/policy/resolved_policy_builder.go b/policy/resolved_policy_builder.go
@@ -847,7 +847,7 @@ func (b *resolvedPolicyBuilder) addPolicy(policy *Policy) bool {
 
 	hasMatchingRiskFactor := false
 	for _, r := range policy.RiskFactors {
-		if len(r.Checks) == 0 || isOverride(r.Action, GroupType_UNCATEGORIZED) {
+		if len(r.Checks) == 0 {
 			continue
 		}