add policies check

Contrast-Security-OSS · Nov 19, 2024 · 4e76a28 · 4e76a28
1 parent 8c2457f
commit 4e76a28
Show file tree

Hide file tree

Showing 7 changed files with 896 additions and 20 deletions.
diff --git a/model/contrast/registry.yaml b/model/contrast/registry.yaml
@@ -31,11 +31,10 @@ groups:
               value: "PRODUCTION"
               brief: "production environment"
   - id: registry.contrast.action
-    prefix: contrast
     type: attribute_group
     brief: "This document defines semantic convention attributes in the Contrast namespace"
     attributes:
-      - id: action
+      - id: contrast.action
         brief: >
           The type of action that was observed.
         requirement_level: required
@@ -84,11 +83,10 @@ groups:
 
 
   - id: contrast.action.authn
-    prefix: contrast.authentication
     type: attribute_group
     brief: "Describes attributes for Contrast Action span of type authn-request"
     attributes:
-      - id: mechanism
+      - id: contrast.authentication.mechanism
         brief: >
           An authentication mechanism is a specific method or approach used to
           verify the identity of a user, system, or entity attempting to access a resource.
@@ -112,7 +110,7 @@ groups:
               value: "mfa"
               brief: "Two or more of the above mechanisms are used"
 
-      - id: protocol
+      - id: contrast.authentication.protocol
         brief: >
           An authentication protocol is a set of rules and procedures that
           dictate how authentication mechanisms should operate to establish
@@ -136,12 +134,11 @@ groups:
 
 
   - id: contrast.action.authz
-    prefix: contrast.authorization
     type: attribute_group
     brief: >
       Describes attributes for Contrast Action span of type authz-request
     attributes:
-      - id: mechanism
+      - id: contrast.authorization.mechanism
         brief: >
           How are authz decisions made for the resource.
         examples: [rbac, dac, pbac]
@@ -172,37 +169,36 @@ groups:
               value: "tbac"
               brief: Time Based Access Control
 
-      - id: rbac.role
+      - id: contrast.authorization.rbac.role
         brief: >
           Role Requested for authz check. The values here are very domain specific, but
           will always be normalized to a lowercase value in the data here.
         examples: [user, editor, manager]
         type: string
-      - id: dac.permission
+      - id: contrast.authorization.dac.permission
         brief: >
           Permission requested for access to the resource. The values here are very domain specific, but
           will always be normalized to a lowercase value in the data here.
         examples: [read, write, append, delete]
         type: string
-      - id: mac.labels
+      - id: contrast.authorization.mac.labels
         brief: >
           Labels on the requested resource. The values here are very domain specific, but
           will always be normalized to a lowercase value in the data here.
         examples: [top_secret, confidential, internal, public]
         type: string
 
   - id: contrast.action.file-open-create
-    prefix: contrast.file.open
     type: attribute_group
     brief: >
       Describes attributes for Contrast Action span of type file-open-create.
     attributes:
-      - id: path
+      - id: contrast.file.open.path
         brief: >
           The absolute path that was accessed.
         examples: [/etc/myconfig, /foo/bar, /some/tmp]
         type: string
-      - id: flags
+      - id: contrast.file.open.flags
         brief: >
           The flags used when the file was opened or created.
         examples: [o_rdonly, o_rdwr]

diff --git a/model/contrast/spans.yaml b/model/contrast/spans.yaml
@@ -1,5 +1,5 @@
 groups:
-  - id: contrast.action.span.authn
+  - id: span.contrast.action.authn
     type: span
     brief: "Describes attributes for Contrast Authentication Action spans"
     attributes:
@@ -12,7 +12,7 @@ groups:
       - ref: contrast.authorization.mac.labels
         requirement_level: recommended
 
-  - id: contrast.action.span.authz
+  - id: span.contrast.action.authz
     type: span
     brief: "Describes attributes for Contrast Authorization Action spans"
     attributes:
@@ -28,7 +28,7 @@ groups:
         requirement_level:
           recommended: If mechanism is 'mac'
 
-  - id: contrast.action.span.file-open-create
+  - id: span.contrast.action.file-open-create
     type: span
     brief: >
       Describes attributes for Contrast Action span of type file-open-create.
@@ -38,28 +38,28 @@ groups:
       - ref: contrast.file.open.flags
         requirement_level: recommended
 
-  - id: contrast.action.span.host-cmd-exec
+  - id: span.contrast.action.host-cmd-exec
     type: span
     brief: >
       Describes attributes for Contrast Action span of type host-cmd-exec.
     attributes:
       - ref: contrast.file.open.path
       #- ref: contrast.host-cmd-exec.cmd
 
-  - id: contrast.action.span.outbound-service-call
+  - id: span.contrast.action.span.outbound-service-call
     type: span
     extends: trace.http.client
     brief: >
       Describes attributes for Contrast Action span of type outbound-service-call.
       These actions are always using the http protocol.
 
-  - id: contrast.action.span.el-execution
+  - id: span.contrast.action.el-execution
     type: span
     extends: contrast.code-exec
     brief: >
       Describes attributes for Contrast Action span of type el-execution. The Spring Expression Language (SpEL for short) is a
       powerful expression language that supports querying and manipulating an object graph at runtime.
-  - id: contrast.action.span.ognl-execution
+  - id: span.contrast.action.ognl-execution
     extends: contrast.code-exec
     type: span
     brief: >

diff --git a/policies/attribute_name_collisions.rego b/policies/attribute_name_collisions.rego
@@ -0,0 +1,84 @@
+package after_resolution
+
+import rego.v1
+
+# Data structures to make checking things faster.
+attribute_names := { obj |
+    group := input.groups[_];
+    attr := group.attributes[_];
+    obj := { "name": attr.name, "const_name": to_const_name(attr.name), "namespace_prefix": to_namespace_prefix(attr.name) }
+}
+
+# check that attribute constant names do not collide
+deny contains attr_registry_collision(description, name) if {
+    some i
+    name := attribute_names[i].name
+    const_name := attribute_names[i].const_name
+    not excluded_const_collisions[name]
+    collisions := [other.name |
+        other := attribute_names[_]
+        other.name != name
+        other.const_name == const_name
+        not excluded_const_collisions[other.name]
+    ]
+    count(collisions) > 0
+    # TODO (https://github.com/open-telemetry/weaver/issues/279): provide other violation properties once weaver supports it.
+    description := sprintf("Attribute '%s' has the same constant name '%s' as '%s'.", [name, const_name, collisions])
+}
+
+# check that attribute names do not collide with namespaces
+deny contains attr_registry_collision(description, name) if {
+    some i
+    name := attribute_names[i].name
+    prefix := attribute_names[i].namespace_prefix
+    not excluded_namespace_collisions[name]
+    collisions := [other.name |
+        other := attribute_names[_]
+        other.name != name
+        startswith(other.name, prefix)
+    ]
+    count(collisions) > 0
+    # TODO (https://github.com/open-telemetry/weaver/issues/279): provide other violation properties once weaver supports it.
+    description := sprintf("Attribute '%s' name is used as a namespace in the following attributes '%s'.", [name, collisions])
+}
+
+# check that attribute is not defined or referenced more than once within the same group
+deny contains attr_registry_collision(description, name) if {
+    group := input.groups[_]
+    attr := group.attributes[_]
+    name := attr.name
+
+    collisions := [n | n := group.attributes[_].name; n == name ]
+    count(collisions) > 1
+
+    description := sprintf("Attribute '%s' is already defined in the group '%s'. Attributes must be unique.", [name, group.id])
+}
+
+attr_registry_collision(description, attr_name) = violation if {
+    violation := {
+        "id": description,
+        "type": "semconv_attribute",
+        "category": "naming_collision",
+        "attr": attr_name,
+        "group": "",
+    }
+}
+
+to_namespace_prefix(name) = namespace if {
+    namespace := concat("", [name, "."])
+}
+
+to_const_name(name) = const_name if {
+    const_name := replace(name, ".", "_")
+}
+
+# These lists contain exceptions for existing collisions that were introduced unintentionally.
+# We'll have a way to specify how collision resolution happens in the schema -
+# see phase 2 in https://github.com/open-telemetry/semantic-conventions/issues/1118#issuecomment-2173803006
+# For now we'll exclude existing collisions from the checks.
+# ADDING NEW EXCEPTIONS IS NOT ALLOWED.
+
+# DO NOT ADD ATTRIBUTES TO THIS LIST
+excluded_const_collisions := {"messaging.client_id"}
+# DO NOT ADD ATTRIBUTES TO THIS LIST
+excluded_namespace_collisions := {"messaging.operation", "db.operation", "deployment.environment"}