From fe707c04fbb419015556518fe2a0778dba003b4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?= Date: Tue, 10 Oct 2023 16:22:03 +0200 Subject: [PATCH] feat: use -> for explicit bindings (#92) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Charles-Edouard Brétéché --- pkg/engine/assert/expression.go | 2 +- pkg/engine/assert/expression_test.go | 14 +++++++------- testdata/escaped/payload.yaml | 2 +- testdata/escaped/policy.yaml | 6 +++--- testdata/pod-no-latest/out.txt | 2 +- testdata/pod-no-latest/policy.yaml | 8 ++++---- 6 files changed, 17 insertions(+), 17 deletions(-) diff --git a/pkg/engine/assert/expression.go b/pkg/engine/assert/expression.go index a569140f..3d589cd8 100644 --- a/pkg/engine/assert/expression.go +++ b/pkg/engine/assert/expression.go @@ -10,7 +10,7 @@ import ( var ( foreachRegex = regexp.MustCompile(`^~(\w+)?\.(.*)`) - bindingRegex = regexp.MustCompile(`(.*)@(\w+)$`) + bindingRegex = regexp.MustCompile(`(.*)\s*->\s*(\w+)$`) escapeRegex = regexp.MustCompile(`^\\(.+)\\$`) engineRegex = regexp.MustCompile(`^\((?:(\w+):)?(.+)\)$`) ) diff --git a/pkg/engine/assert/expression_test.go b/pkg/engine/assert/expression_test.go index c6c4a317..401ea183 100644 --- a/pkg/engine/assert/expression_test.go +++ b/pkg/engine/assert/expression_test.go @@ -77,7 +77,7 @@ func Test_parseExpressionRegex(t *testing.T) { }, }, { name: "binding", - in: "test@foo", + in: "test->foo", want: &expression{ foreach: false, foreachName: "", @@ -86,7 +86,7 @@ func Test_parseExpressionRegex(t *testing.T) { }, }, { name: "binding", - in: "(test)@foo", + in: "(test)->foo", want: &expression{ foreach: false, foreachName: "", @@ -96,7 +96,7 @@ func Test_parseExpressionRegex(t *testing.T) { }, }, { name: "foreach and binding", - in: "~.test@foo", + in: "~.test->foo", want: &expression{ foreach: true, foreachName: "", 
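Review bot: The first `\s*` in the new `bindingRegex` can never consume anything, because the greedy `(.*)` in front of it already takes any whitespace that precedes `->`. For a key written as `test -> foo`, the statement group would therefore come back as `test ` with the trailing space, unless the parsing code (outside this hunk) trims it. Making the first group lazy keeps the split on the final `->` and leaves the whitespace outside the capture; the pattern would be `(.*?)\s*->\s*(\w+)$`.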
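Review bot: The updated cases in `Test_parseExpressionRegex` only exercise `->` with no surrounding spaces, so the whitespace tolerance the new pattern adds is untested; a case such as `in: "test -> foo"` expecting `statement: "test"` and `binding: "foo"` would pin it. There is also no case for the legacy form: a policy key still written as `test@foo` no longer matches `bindingRegex` and will presumably be parsed as a plain statement, so an existing check could change meaning without any error. Since these keys drive policy decisions, a test that fixes the expected result for `test@foo` (or a parse-time rejection of the old suffix) would make the break visible to policy authors. The test table starts and ends outside these hunks.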
@@ -105,7 +105,7 @@ func Test_parseExpressionRegex(t *testing.T) { }, }, { name: "foreach and binding", - in: "~.(test)@foo", + in: "~.(test)->foo", want: &expression{ foreach: true, foreachName: "", @@ -115,11 +115,11 @@ func Test_parseExpressionRegex(t *testing.T) { }, }, { name: "escape", - in: `\~(test)@foo\`, + in: `\~(test)->foo\`, want: &expression{ foreach: false, foreachName: "", - statement: "~(test)@foo", + statement: "~(test)->foo", binding: "", }, }, { @@ -160,7 +160,7 @@ func Test_parseExpressionRegex(t *testing.T) { }, }, { name: "escape", - in: `~index.\(test)\@name`, + in: `~index.\(test)\->name`, want: &expression{ foreach: true, foreachName: "index", diff --git a/testdata/escaped/payload.yaml b/testdata/escaped/payload.yaml index 9386ce4c..b37028dd 100644 --- a/testdata/escaped/payload.yaml +++ b/testdata/escaped/payload.yaml @@ -1,6 +1,6 @@ foo: (bar): 4 - (bar)@test: 6 + (bar)->test: 6 ~foos: - 1 - 2 diff --git a/testdata/escaped/policy.yaml b/testdata/escaped/policy.yaml index 40e25d92..c1c85195 100644 --- a/testdata/escaped/policy.yaml +++ b/testdata/escaped/policy.yaml @@ -13,14 +13,14 @@ spec: \(bar)\: 4 - check: foo: - \(bar)\@test: + \(bar)\->test: ($test): 4 - check: foo: - \(bar)@test\: 6 + \(bar)->test\: 6 - check: foo: - \(bar)@test\@test: + \(bar)->test\->test: ($test): 6 - check: foo: diff --git a/testdata/pod-no-latest/out.txt b/testdata/pod-no-latest/out.txt index 38857687..0ee0d2e9 100644 --- a/testdata/pod-no-latest/out.txt +++ b/testdata/pod-no-latest/out.txt 
@@ -2,5 +2,5 @@ Loading policies ... Loading payload ... Pre processing ... Running ( evaluating 1 resource against 1 policy ) ... -- test / pod-no-latest / FAILED: all[0].check.spec.~foo.containers@foos[0].(at($foos, $foo).image)@foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false; all[0].check.spec.~foo.containers@foos[1].(at($foos, $foo).image)@foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false; all[0].check.spec.~foo.containers@foos[2].(at($foos, $foo).image)@foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false; all[1].check.spec.~.containers@foo[0].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false; all[1].check.spec.~.containers@foo[1].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false; all[1].check.spec.~.containers@foo[2].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false; all[2].check.~index.(spec.containers[*].image)@images[0].(ends_with(@, ':latest')): Invalid value: true: Expected value: false; all[2].check.~index.(spec.containers[*].image)@images[1].(ends_with(@, ':latest')): Invalid value: true: Expected value: false; all[2].check.~index.(spec.containers[*].image)@images[2].(ends_with(@, ':latest')): Invalid value: true: Expected value: false +- test / pod-no-latest / FAILED: all[0].check.spec.~foo.containers->foos[0].(at($foos, $foo).image)->foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false; all[0].check.spec.~foo.containers->foos[1].(at($foos, $foo).image)->foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false; all[0].check.spec.~foo.containers->foos[2].(at($foos, $foo).image)->foo.(ends_with($foo, $tag)): Invalid value: true: Expected value: false; all[1].check.spec.~.containers->foo[0].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false; all[1].check.spec.~.containers->foo[1].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false; 
all[1].check.spec.~.containers->foo[2].image.(ends_with(@, ':latest')): Invalid value: true: Expected value: false; all[2].check.~index.(spec.containers[*].image)->images[0].(ends_with(@, ':latest')): Invalid value: true: Expected value: false; all[2].check.~index.(spec.containers[*].image)->images[1].(ends_with(@, ':latest')): Invalid value: true: Expected value: false; all[2].check.~index.(spec.containers[*].image)->images[2].(ends_with(@, ':latest')): Invalid value: true: Expected value: false Done diff --git a/testdata/pod-no-latest/policy.yaml b/testdata/pod-no-latest/policy.yaml index 246a3e6e..6662bd69 100644 --- a/testdata/pod-no-latest/policy.yaml +++ b/testdata/pod-no-latest/policy.yaml @@ -17,22 +17,22 @@ spec: all: - check: spec: - ~foo.containers@foos: - (at($foos, $foo).image)@foo: + ~foo.containers->foos: + (at($foos, $foo).image)->foo: # an image tag is required (contains($foo, ':')): true # using a mutable image tag e.g. 'latest' is not allowed (ends_with($foo, $tag)): false - check: spec: - ~.containers@foo: + ~.containers->foo: image: # an image tag is required (contains(@, ':')): true # using a mutable image tag e.g. 'latest' is not allowed (ends_with(@, ':latest')): false - check: - ~index.(spec.containers[*].image)@images: + ~index.(spec.containers[*].image)->images: # an image tag is required (contains(@, ':')): true # using a mutable image tag e.g. 'latest' is not allowed