Add built-in functions to perform CIDR math #897

Closed
tsandall opened this issue Aug 21, 2018 · 6 comments

@tsandall
Member

Admission control policies that constrain the attributes of network policies are an obvious use case for OPA. To improve the user experience for policy authors, we should add built-in functions to perform CIDR math.

For example:

net.cidr_overlap(x, y, output)
net.cidr_supernet(parent, child, output)

  • cidr_overlap returns true if cidr x overlaps with cidr y
  • cidr_supernet returns true if child is a subnet of parent

@aeneasr

aeneasr commented Sep 16, 2018

I'm assuming this should be done here and adding the concrete implementation here?

@tsandall
Member Author

Yep, add the declaration to ast/builtins.go like the rest and then put the implementation inside topdown. If you'd like to upstream this that would be awesome. If you can implement it on top of the Go standard library (instead of pulling in a third-party library) that would be ideal.

@aeneasr

aeneasr commented Sep 18, 2018

> If you can implement it on top of the Go standard library (instead of pulling in a third-party library) that would be ideal.

stdlib over everything, I don't think supernet is supported by stdlib though, but I'll make sure to verify first!

@aeneasr

aeneasr commented Sep 18, 2018

What and where should I add tests for that?

@tsandall
Member Author

tsandall commented Sep 18, 2018

Take a look at topdown/aggregates_test.go for an example. You can copy that structure more or less.

runTopDownTestCase(t, data, tc.note, tc.rules, tc.expected)

This will execute the test case in a subtest. The test will invoke the rule p and then assert the result is equal to the expected value.

For these, it should be enough to test the different branches. No overlap, x superset of y, y superset of x, etc.

Also, please add a section to the language reference docs so that we can refer to these and link people to them.

aeneasr pushed a commit to aeneasr/opa that referenced this issue Sep 19, 2018

This patch adds a new built-in `net.cidr_overlap`.

See open-policy-agent#897

Signed-off-by: arekkas <[email protected]>

tsandall pushed a commit that referenced this issue Sep 19, 2018

This patch adds a new built-in `net.cidr_overlap`.

See #897

Signed-off-by: arekkas <[email protected]>

@tsandall
Member Author

Closing this now that #959 is merged. We can revisit other cidr built-ins as needed.
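
The overlap and supernet semantics proposed in this issue, sketched on the Go standard library alone, as an added example that is not OPA's implementation and not code from this thread. The names `cidrOverlap`, `cidrSupernet` and `parsePair`, the choice to treat a network as a subnet of itself, and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// parsePair parses two CIDR strings and returns their networks.
func parsePair(a, b string) (*net.IPNet, *net.IPNet, error) {
	_, na, err := net.ParseCIDR(a)
	if err != nil {
		return nil, nil, err
	}
	_, nb, err := net.ParseCIDR(b)
	if err != nil {
		return nil, nil, err
	}
	return na, nb, nil
}

// cidrOverlap reports whether x and y share at least one address.
// CIDR blocks either nest or are disjoint, so they overlap exactly
// when one contains the other's network address.
func cidrOverlap(x, y string) (bool, error) {
	nx, ny, err := parsePair(x, y)
	if err != nil {
		return false, err
	}
	return nx.Contains(ny.IP) || ny.Contains(nx.IP), nil
}

// cidrSupernet reports whether child lies entirely inside parent.
// Assumption: a network counts as a subnet of itself.
func cidrSupernet(parent, child string) (bool, error) {
	np, nc, err := parsePair(parent, child)
	if err != nil {
		return false, err
	}
	pOnes, pBits := np.Mask.Size()
	cOnes, cBits := nc.Mask.Size()
	// Same family, parent prefix not longer, child's base inside parent.
	return pBits == cBits && pOnes <= cOnes && np.Contains(nc.IP), nil
}

func main() {
	// Constructed sample values.
	fmt.Println(cidrOverlap("10.0.0.0/8", "10.1.2.0/24"))  // true <nil>
	fmt.Println(cidrSupernet("10.1.2.0/24", "10.0.0.0/8")) // false <nil>
}
```

Malformed input is returned as an error rather than as `false`, so a policy check built on these helpers can reject an unparseable CIDR instead of treating it as non-overlapping.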
