Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rewrite policy resolver #1465

Merged
merged 18 commits into from
Nov 15, 2024
Merged

Rewrite policy resolver #1465

merged 18 commits into from
Nov 15, 2024

Conversation

jaym
Copy link
Contributor

@jaym jaym commented Oct 31, 2024
edited
Loading

Things that are known to be different from the old implementation:

  • all queries are reported by code id. and these reporting jobs report to the mrn
  • Only the first matching variant is selected
  • A reporting job is created for a query by code id and mrn. The code id reporting job notifies the mrn based one
    • controls have the code id one as their child job so as not to be affected by impact. We should add a scoring system for controls so this hackery is not needed
  • Data queries in a policy have their impact set to ignore score
  • There is one global impact for each query. The worst one is chosen and used everywhere
  • Anything that is not connected to an execution query is not added to the resolved policy. This will get rid of cases where we have policies / controls with no queries, frameworks with no controls

@jaym jaym force-pushed the jdm/rewrite-policy-resolver branch from dc4d538 to f89203b Compare November 7, 2024 18:58
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 7, 2024
edited
Loading

Test Results

  1 files  ± 0   26 suites  ±0   22s ⏱️ -1s
490 tests +49  489 ✅ +49  1 💤 ±0  0 ❌ ±0 
491 runs  +49  490 ✅ +49  1 💤 ±0  0 ❌ ±0 

Results for commit 94971c5. ± Comparison against base commit e955b1f.

♻️ This comment has been updated with latest results.

@jaym jaym force-pushed the jdm/rewrite-policy-resolver branch from f89203b to 9b9d5dd Compare November 7, 2024 20:22
@jaym jaym marked this pull request as ready for review November 12, 2024 18:44
@jaym jaym force-pushed the jdm/rewrite-policy-resolver branch 2 times, most recently from b094599 to c0c98b1 Compare November 12, 2024 20:06
imilchev
imilchev reviewed Nov 13, 2024
View reviewed changes
Copy link
Member

@imilchev imilchev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested it and seems to work fine. Only added 1 typo comment

policy/resolved_policy_builder.go Outdated
// to. We need to do this because we cannot have a space frame and space
// policy reporting job because they would have the same qr id.
// TODO: we should create a new reporting job type for asset and space
// reporting jobs so its cleare that we can connect both frameworks and
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// reporting jobs so its cleare that we can connect both frameworks and
// reporting jobs so its clear that we can connect both frameworks and

czunker
czunker reviewed Nov 13, 2024
View reviewed changes
policy/resolver_v2_test.go Show resolved Hide resolved
policy/resolver_v2_test.go Show resolved Hide resolved
policy/resolver_v2_test.go Show resolved Hide resolved
policy/resolver_v2_test.go Show resolved Hide resolved
policy/resolver.go
return nil, err
}

return resolvedPolicy, nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Definitely not a blocker, more like personal preference:

On first read, I skipped the return statement and was expecting an else.
I'm not sure whether it is actually possible, but would it be possible to choose between current and ng resolver outside of the tryResolve?
As said, more like a personal preference, feel free to ignore it.

policy/resolved_policy_builder.go Outdated Show resolved Hide resolved
policy/cnspec_policy.proto Show resolved Hide resolved
@jaym
Copy link
Contributor Author

jaym commented Nov 13, 2024

A bug i've found so far:

  • risk factors check scores are sent. This ends up causing errors like Couldn't find any queries for incoming value for BP5NURsd9Pw. There is some code in the cnspec execution that tries to determine if a non risk tried to run the query and only then sends it up. However that algorithm is no longer working

@jaym jaym force-pushed the jdm/rewrite-policy-resolver branch from 44eefa1 to 94971c5 Compare November 15, 2024 15:36
@jaym jaym merged commit f8f23bd into main Nov 15, 2024
14 checks passed
@jaym jaym deleted the jdm/rewrite-policy-resolver branch November 15, 2024 16:16
@github-actions github-actions bot locked and limited conversation to collaborators Nov 15, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@czunker czunker czunker left review comments

@imilchev imilchev imilchev approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jaym @czunker @imilchev