Rewrite policy resolver (#1465)
Things that are known to be different from the old implementation:
- all queries are reported by code id. and these reporting jobs report to the mrn
- Only the first matching variant is selected
- A reporting job is created for a query by code id and mrn. The code id reporting job notifies the mrn based one
  - controls have the code id one as their child job so as not to be affected by impact. We should add a scoring system for controls so this hackery is not needed
- Impact is assigned to the query for cases where it's not set to action ignore. This ensures the scores reported by mrn have impact accounted for
- Data queries in a policy have their impact set to ignore score
- There is one global impact for each query. The worst one is chosen and used everywhere
- Anything that is not connected to an execution query is not added to the resolved policy. This will get rid of cases where we have policies / controls  with no queries, frameworks with no controls
jaym authored Nov 15, 2024
1 parent e955b1f commit f8f23bd
Showing 8 changed files with 3,224 additions and 22 deletions.
2 changes: 1 addition & 1 deletion internal/datalakes/inmemory/policyhub.go
Expand Up @@ -522,7 +522,7 @@ func (db *Db) entityGraphExecutionChecksum(ctx context.Context, mrn string) (str
}
}

return policy.BundleExecutionChecksum(policyObj, framework), nil
return policy.BundleExecutionChecksum(ctx, policyObj, framework), nil
}

// EntityGraphContentChecksum retrieves the content checksum for a given entity.
8 changes: 6 additions & 2 deletions policy/bundle.go
Expand Up @@ -91,7 +91,7 @@ func (l *BundleLoader) BundleFromPaths(paths ...string) (*Bundle, error) {

// BundleExecutionChecksum creates a combined execution checksum from a policy
// and framework. Either may be nil.
func BundleExecutionChecksum(policy *Policy, framework *Framework) string {
func BundleExecutionChecksum(ctx context.Context, policy *Policy, framework *Framework) string {
res := checksums.New
if policy != nil {
res = res.Add(policy.GraphExecutionChecksum)
Expand All @@ -102,7 +102,11 @@ func BundleExecutionChecksum(policy *Policy, framework *Framework) string {
// So far the checksum only includes the policy and the framework
// It does not change if any of the jobs changes, only if the policy or the framework changes
// To update the resolved policy, when we change how it is generated, change the incoporated version of the resolver
res = res.Add(RESOLVER_VERSION)
if IsNextGenResolver(ctx) {
res = res.Add(RESOLVER_VERSION_NG)
} else {
res = res.Add(RESOLVER_VERSION)
}

return res.String()
}
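Review bot: The doc comment on BundleExecutionChecksum still says only "creates a combined execution checksum from a policy and framework", but the new ctx parameter now decides whether RESOLVER_VERSION or RESOLVER_VERSION_NG is folded in, so the same policy and framework produce two different checksums depending on the IsNextGenResolver flag on the caller's context. If resolved policies are cached or looked up by this checksum elsewhere, a caller that computes it with one context and resolves with another would presumably get a stale or mismatched resolved policy, so the contract belongs in the doc comment: `// The context selects the resolver generation (see IsNextGenResolver); the two` / `// resolvers yield different checksums, so pass the context used for resolution.` The existing comment above the `if` that talks about changing "the incorporated version of the resolver" should likewise name both constants now that either can apply. The function starts in the first hunk and its body between the two hunks is collapsed.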
27 changes: 15 additions & 12 deletions policy/cnspec_policy.pb.go


8 changes: 6 additions & 2 deletions policy/cnspec_policy.proto
Expand Up @@ -556,12 +556,16 @@ message ReportingJob {

enum Type {
UNSPECIFIED = 0;
CHECK = 1;
DATA_QUERY = 2;
CONTROL = 3;
POLICY = 4;
FRAMEWORK = 5;
RISK_FACTOR = 6;

// DO NOT USE CHECK OR DATA_QUERY, THEY ARE DEPRECATED
// Here's the reason why:
// A query can be either or both. We cannot pick one in all cases
CHECK = 1;
DATA_QUERY = 2;
}

string checksum = 1;
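Review bot: The deprecation of CHECK and DATA_QUERY is expressed only as a comment, so neither generated code nor protobuf linters will flag new uses of the two values; the enum value option does that and survives into the Go bindings, `CHECK = 1 [deprecated = true];` and `DATA_QUERY = 2 [deprecated = true];`, with protoc-gen-go emitting `Deprecated:` markers on the corresponding constants. The comment explains why the values cannot be chosen but not what a producer should emit instead, so a sentence naming the replacement (presumably the query's own type or impact information) would keep callers from guessing. The enclosing ReportingJob message continues outside the hunk.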