Reduce linting noise with future keywords

mrueg · mrueg · commit 690379547126 · 2024-12-13T21:56:22.000+01:00
diff --git a/examples/lib/core.rego b/examples/lib/core.rego
@@ -1,17 +1,19 @@
 package lib.core
 
+import future.keywords.if
+
 default is_gatekeeper := false
 
-is_gatekeeper {
+is_gatekeeper if {
 	has_field(input, "review")
 	has_field(input.review, "object")
 }
 
-resource := input.review.object {
+resource := input.review.object if {
 	is_gatekeeper
 }
 
-resource := input {
+resource := input if {
 	not is_gatekeeper
 }
 
@@ -34,24 +36,24 @@ annotations := resource.metadata.annotations
 
 gv := split(apiVersion, "/")
 
-group := gv[0] {
+group := gv[0] if {
 	contains(apiVersion, "/")
 }
 
-group := "core" {
+group := "core" if {
 	not contains(apiVersion, "/")
 }
 
 version := gv[count(gv) - 1]
 
-has_field(obj, field) {
+has_field(obj, field) if {
 	not object.get(obj, field, "N_DEFINED") == "N_DEFINED"
 }
 
-missing_field(obj, field) {
+missing_field(obj, field) if {
 	obj[field] == ""
 }
 
-missing_field(obj, field) {
+missing_field(obj, field) if {
 	not has_field(obj, field)
 }
diff --git a/examples/lib/core_test.rego b/examples/lib/core_test.rego
@@ -1,17 +1,19 @@
 package lib.core
 
-test_not_gk {
+import future.keywords.if
+
+test_not_gk if {
 	not is_gatekeeper with input as {"kind": "test"}
 }
 
-test_is_gk {
+test_is_gk if {
 	is_gatekeeper with input as {"review": {"object": {"kind": "test"}}}
 }
 
-test_has_field_pos {
+test_has_field_pos if {
 	has_field({"kind": "test"}, "kind")
 }
 
-test_missing_field {
+test_missing_field if {
 	not has_field({"kind": "test"}, "abc")
 }
diff --git a/examples/lib/pods.rego b/examples/lib/pods.rego
@@ -1,26 +1,29 @@
 package lib.pods
 
+import future.keywords.contains
+import future.keywords.if
+
 import data.lib.core
 
 default pod := false
 
-pod := core.resource.spec.template {
+pod := core.resource.spec.template if {
 	pod_templates := ["daemonset", "deployment", "job", "replicaset", "replicationcontroller", "statefulset"]
 	lower(core.kind) == pod_templates[_]
 }
 
-pod := core.resource {
+pod := core.resource if {
 	lower(core.kind) == "pod"
 }
 
-pod := core.resource.spec.jobTemplate.spec.template {
+pod := core.resource.spec.jobTemplate.spec.template if {
 	lower(core.kind) == "cronjob"
 }
 
-containers[container] {
+containers contains container if {
 	keys := {"containers", "initContainers"}
 	all_containers := [c | some k; keys[k]; c = pod.spec[k][_]]
 	container := all_containers[_]
 }
 
-volumes[pod.spec.volumes[_]]
+volumes contains pod.spec.volumes[_]
diff --git a/examples/lib/pods_test.rego b/examples/lib/pods_test.rego
@@ -1,6 +1,8 @@
 package lib.pods
 
-test_input_as_other {
+import future.keywords.if
+
+test_input_as_other if {
 	resource := pod with input as {
 		"kind": "Other",
 		"spec": {"containers": [{}]},
@@ -9,7 +11,7 @@ test_input_as_other {
 	not resource
 }
 
-test_input_as_pod {
+test_input_as_pod if {
 	resource := pod with input as {
 		"kind": "Pod",
 		"spec": {"containers": [{}]},
@@ -18,7 +20,7 @@ test_input_as_pod {
 	resource.spec.containers
 }
 
-test_input_as_deployment {
+test_input_as_deployment if {
 	resource := pod with input as {
 		"kind": "Deployment",
 		"spec": {"template": {"spec": {"containers": [{}]}}},
@@ -27,7 +29,7 @@ test_input_as_deployment {
 	resource.spec.containers
 }
 
-test_input_as_cronjob {
+test_input_as_cronjob if {
 	resource := pod with input as {
 		"kind": "CronJob",
 		"spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [{}]}}}}},
@@ -36,7 +38,7 @@ test_input_as_cronjob {
 	resource.spec.containers
 }
 
-test_containers {
+test_containers if {
 	podcontainers := containers with input as {
 		"kind": "Pod",
 		"spec": {"containers": [{"name": "container"}]},
@@ -45,7 +47,7 @@ test_containers {
 	podcontainers[_].name == "container"
 }
 
-test_volumes {
+test_volumes if {
 	podvolumes := volumes with input as {
 		"kind": "Pod",
 		"spec": {"volumes": [{"name": "volume"}]},
diff --git a/examples/lib/psp.rego b/examples/lib/psp.rego
@@ -1,11 +1,15 @@
 package lib.psps
 
+import future.keywords.contains
+import future.keywords.if
+import future.keywords.in
+
 import data.lib.core
 
 # PodSecurityPolicies are not namespace scoped, so the default PSPs included
 # in managed Kubernetes offerings cannot be excluded using the normal
 # methods in Gatekeeper.
-is_exception {
+is_exception if {
 	exceptions := {
 		"gce.privileged", # GKE
 		"gce.persistent-volume-binder", # GKE
@@ -16,10 +20,10 @@ is_exception {
 		"gce.fluentd-gcp", # GKE
 	}
 
-	core.name == exceptions[_]
+	core.name in exceptions
 }
 
-psps[psp] {
+psps contains psp if {
 	lower(core.kind) = "podsecuritypolicy"
 	not is_exception
 	psp = core.resource
diff --git a/examples/lib/psp_test.rego b/examples/lib/psp_test.rego
@@ -1,9 +1,11 @@
 package lib.psps
 
-test_exception_pos {
+import future.keywords.if
+
+test_exception_pos if {
 	is_exception with input as {"metadata": {"name": "gce.privileged"}}
 }
 
-test_exception_neg {
+test_exception_neg if {
 	not is_exception with input as {"metadata": {"name": "test"}}
 }
diff --git a/examples/lib/rbac.rego b/examples/lib/rbac.rego
@@ -1,23 +1,24 @@
 package lib.rbac
 
+import future.keywords.if
 import future.keywords.in
 
 import data.lib.core
 
-rule_has_verb(rule, verb) {
+rule_has_verb(rule, verb) if {
 	verbs := ["*", lower(verb)]
 	verbs[_] == lower(rule.verbs[_])
 }
 
-rule_has_resource_type(rule, type) {
+rule_has_resource_type(rule, type) if {
 	types := ["*", lower(type)]
 	types[_] == lower(rule.resources[_])
 }
 
-rule_has_resource_name(rule, name) {
+rule_has_resource_name(rule, name) if {
 	name in rule.resourceNames
 }
 
-rule_has_resource_name(rule, _) {
+rule_has_resource_name(rule, _) if {
 	core.missing_field(rule, "resourceNames")
 }
diff --git a/examples/lib/rbac_test.rego b/examples/lib/rbac_test.rego
@@ -1,37 +1,39 @@
 package lib.rbac
 
-test_rule_has_verb_with_use {
+import future.keywords.if
+
+test_rule_has_verb_with_use if {
 	rule_has_verb({"verbs": ["use"]}, "use")
 }
 
-test_rule_has_verb_with_asterisk {
+test_rule_has_verb_with_asterisk if {
 	rule_has_verb({"verbs": ["*"]}, "use")
 }
 
-test_rule_has_verb_with_list {
+test_rule_has_verb_with_list if {
 	not rule_has_verb({"verbs": ["list"]}, "use")
 }
 
-test_rule_has_resource_type_with_pod {
+test_rule_has_resource_type_with_pod if {
 	rule_has_resource_type({"resources": ["Pod"]}, "pod")
 }
 
-test_rule_has_resource_type_with_resourceall {
+test_rule_has_resource_type_with_resourceall if {
 	rule_has_resource_type({"resources": ["*"]}, "pod")
 }
 
-test_rule_has_resource_type_with_container {
+test_rule_has_resource_type_with_container if {
 	not rule_has_resource_type({"resources": ["Container"]}, "pod")
 }
 
-test_rule_has_resource_name_match {
+test_rule_has_resource_name_match if {
 	rule_has_resource_name({"resourceNames": ["test"]}, "test")
 }
 
-test_rule_has_resource_name_no_match {
+test_rule_has_resource_name_no_match if {
 	not rule_has_resource_name({"resourceNames": ["test"]}, "wrong")
 }
 
-test_rule_has_resource_name_null {
+test_rule_has_resource_name_null if {
 	rule_has_resource_name({}, "wrong")
 }
diff --git a/examples/lib/security.rego b/examples/lib/security.rego
@@ -1,21 +1,23 @@
 package lib.security
 
-dropped_capability(container, cap) {
+import future.keywords.if
+
+dropped_capability(container, cap) if {
 	lower(container.securityContext.capabilities.drop[_]) == lower(cap)
 }
 
-dropped_capability(psp, cap) {
+dropped_capability(psp, cap) if {
 	lower(psp.spec.requiredDropCapabilities[_]) == lower(cap)
 }
 
-added_capability(container, cap) {
+added_capability(container, cap) if {
 	lower(container.securityContext.capabilities.add[_]) == lower(cap)
 }
 
-added_capability(psp, cap) {
+added_capability(psp, cap) if {
 	lower(psp.spec.allowedCapabilities[_]) == lower(cap)
 }
 
-added_capability(psp, cap) {
+added_capability(psp, cap) if {
 	lower(psp.spec.defaultAddCapabilities[_]) == lower(cap)
 }
diff --git a/examples/lib/security_test.rego b/examples/lib/security_test.rego
@@ -1,33 +1,35 @@
 package lib.security
 
-test_added_capabilities_container_match {
+import future.keywords.if
+
+test_added_capabilities_container_match if {
 	added_capability({"securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}}}, "CAP_SYS_ADMIN")
 }
 
-test_added_capabilities_container_nomatch {
+test_added_capabilities_container_nomatch if {
 	not added_capability({"securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}}}, "test")
 }
 
-test_added_capabilities_psp_match {
+test_added_capabilities_psp_match if {
 	added_capability({"spec": {"allowedCapabilities": ["CAP_SYS_ADMIN"]}}, "CAP_SYS_ADMIN")
 }
 
-test_added_capabilities_psp_nomatch {
+test_added_capabilities_psp_nomatch if {
 	not added_capability({"spec": {"allowedCapabilities": ["CAP_SYS_ADMIN"]}}, "test")
 }
 
-test_dropped_capabilities_container_match {
+test_dropped_capabilities_container_match if {
 	dropped_capability({"securityContext": {"capabilities": {"drop": ["CAP_SYS_ADMIN"]}}}, "CAP_SYS_ADMIN")
 }
 
-test_dropped_capabilities_container_nomatch {
+test_dropped_capabilities_container_nomatch if {
 	not dropped_capability({"securityContext": {"capabilities": {"drop": ["CAP_SYS_ADMIN"]}}}, "test")
 }
 
-test_dropped_capabilities_psp_match {
+test_dropped_capabilities_psp_match if {
 	dropped_capability({"spec": {"requiredDropCapabilities": ["CAP_SYS_ADMIN"]}}, "CAP_SYS_ADMIN")
 }
 
-test_dropped_capabilities_psp_nomatch {
+test_dropped_capabilities_psp_nomatch if {
 	not dropped_capability({"spec": {"requiredDropCapabilities": ["CAP_SYS_ADMIN"]}}, "test")
 }

Original file line number	Diff line number	Diff line change
`@@ -1,17 +1,19 @@`
`1`	`1`	`package lib.core`
`2`	`2`
	`3`	`+import future.keywords.if`
	`4`	`+`
`3`	`5`	`default is_gatekeeper := false`
`4`	`6`
`5`		`-is_gatekeeper {`
	`7`	`+is_gatekeeper if {`
`6`	`8`	`has_field(input, "review")`
`7`	`9`	`has_field(input.review, "object")`
`8`	`10`	`}`
`9`	`11`
`10`		`-resource := input.review.object {`
	`12`	`+resource := input.review.object if {`
`11`	`13`	`is_gatekeeper`
`12`	`14`	`}`
`13`	`15`
`14`		`-resource := input {`
	`16`	`+resource := input if {`
`15`	`17`	`not is_gatekeeper`
`16`	`18`	`}`
`17`	`19`
`@@ -34,24 +36,24 @@ annotations := resource.metadata.annotations`
`34`	`36`
`35`	`37`	`gv := split(apiVersion, "/")`
`36`	`38`
`37`		`-group := gv[0] {`
	`39`	`+group := gv[0] if {`
`38`	`40`	`contains(apiVersion, "/")`
`39`	`41`	`}`
`40`	`42`
`41`		`-group := "core" {`
	`43`	`+group := "core" if {`
`42`	`44`	`not contains(apiVersion, "/")`
`43`	`45`	`}`
`44`	`46`
`45`	`47`	`version := gv[count(gv) - 1]`
`46`	`48`
`47`		`-has_field(obj, field) {`
	`49`	`+has_field(obj, field) if {`
`48`	`50`	`not object.get(obj, field, "N_DEFINED") == "N_DEFINED"`
`49`	`51`	`}`
`50`	`52`
`51`		`-missing_field(obj, field) {`
	`53`	`+missing_field(obj, field) if {`
`52`	`54`	`obj[field] == ""`
`53`	`55`	`}`
`54`	`56`
`55`		`-missing_field(obj, field) {`
	`57`	`+missing_field(obj, field) if {`
`56`	`58`	`not has_field(obj, field)`
`57`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,17 +1,19 @@`
`1`	`1`	`package lib.core`
`2`	`2`
`3`		`-test_not_gk {`
	`3`	`+import future.keywords.if`
	`4`	`+`
	`5`	`+test_not_gk if {`
`4`	`6`	`not is_gatekeeper with input as {"kind": "test"}`
`5`	`7`	`}`
`6`	`8`
`7`		`-test_is_gk {`
	`9`	`+test_is_gk if {`
`8`	`10`	`is_gatekeeper with input as {"review": {"object": {"kind": "test"}}}`
`9`	`11`	`}`
`10`	`12`
`11`		`-test_has_field_pos {`
	`13`	`+test_has_field_pos if {`
`12`	`14`	`has_field({"kind": "test"}, "kind")`
`13`	`15`	`}`
`14`	`16`
`15`		`-test_missing_field {`
	`17`	`+test_missing_field if {`
`16`	`18`	`not has_field({"kind": "test"}, "abc")`
`17`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,11 @@`
`1`	`1`	`package lib.psps`
`2`	`2`
`3`		`-test_exception_pos {`
	`3`	`+import future.keywords.if`
	`4`	`+`
	`5`	`+test_exception_pos if {`
`4`	`6`	`is_exception with input as {"metadata": {"name": "gce.privileged"}}`
`5`	`7`	`}`
`6`	`8`
`7`		`-test_exception_neg {`
	`9`	`+test_exception_neg if {`
`8`	`10`	`not is_exception with input as {"metadata": {"name": "test"}}`
`9`	`11`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,23 +1,24 @@`
`1`	`1`	`package lib.rbac`
`2`	`2`
	`3`	`+import future.keywords.if`
`3`	`4`	`import future.keywords.in`
`4`	`5`
`5`	`6`	`import data.lib.core`
`6`	`7`
`7`		`-rule_has_verb(rule, verb) {`
	`8`	`+rule_has_verb(rule, verb) if {`
`8`	`9`	`verbs := ["*", lower(verb)]`
`9`	`10`	`verbs[_] == lower(rule.verbs[_])`
`10`	`11`	`}`
`11`	`12`
`12`		`-rule_has_resource_type(rule, type) {`
	`13`	`+rule_has_resource_type(rule, type) if {`
`13`	`14`	`types := ["*", lower(type)]`
`14`	`15`	`types[_] == lower(rule.resources[_])`
`15`	`16`	`}`
`16`	`17`
`17`		`-rule_has_resource_name(rule, name) {`
	`18`	`+rule_has_resource_name(rule, name) if {`
`18`	`19`	`name in rule.resourceNames`
`19`	`20`	`}`
`20`	`21`
`21`		`-rule_has_resource_name(rule, _) {`
	`22`	`+rule_has_resource_name(rule, _) if {`
`22`	`23`	`core.missing_field(rule, "resourceNames")`
`23`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,37 +1,39 @@`
`1`	`1`	`package lib.rbac`
`2`	`2`
`3`		`-test_rule_has_verb_with_use {`
	`3`	`+import future.keywords.if`
	`4`	`+`
	`5`	`+test_rule_has_verb_with_use if {`
`4`	`6`	`rule_has_verb({"verbs": ["use"]}, "use")`
`5`	`7`	`}`
`6`	`8`
`7`		`-test_rule_has_verb_with_asterisk {`
	`9`	`+test_rule_has_verb_with_asterisk if {`
`8`	`10`	`rule_has_verb({"verbs": ["*"]}, "use")`
`9`	`11`	`}`
`10`	`12`
`11`		`-test_rule_has_verb_with_list {`
	`13`	`+test_rule_has_verb_with_list if {`
`12`	`14`	`not rule_has_verb({"verbs": ["list"]}, "use")`
`13`	`15`	`}`
`14`	`16`
`15`		`-test_rule_has_resource_type_with_pod {`
	`17`	`+test_rule_has_resource_type_with_pod if {`
`16`	`18`	`rule_has_resource_type({"resources": ["Pod"]}, "pod")`
`17`	`19`	`}`
`18`	`20`
`19`		`-test_rule_has_resource_type_with_resourceall {`
	`21`	`+test_rule_has_resource_type_with_resourceall if {`
`20`	`22`	`rule_has_resource_type({"resources": ["*"]}, "pod")`
`21`	`23`	`}`
`22`	`24`
`23`		`-test_rule_has_resource_type_with_container {`
	`25`	`+test_rule_has_resource_type_with_container if {`
`24`	`26`	`not rule_has_resource_type({"resources": ["Container"]}, "pod")`
`25`	`27`	`}`
`26`	`28`
`27`		`-test_rule_has_resource_name_match {`
	`29`	`+test_rule_has_resource_name_match if {`
`28`	`30`	`rule_has_resource_name({"resourceNames": ["test"]}, "test")`
`29`	`31`	`}`
`30`	`32`
`31`		`-test_rule_has_resource_name_no_match {`
	`33`	`+test_rule_has_resource_name_no_match if {`
`32`	`34`	`not rule_has_resource_name({"resourceNames": ["test"]}, "wrong")`
`33`	`35`	`}`
`34`	`36`
`35`		`-test_rule_has_resource_name_null {`
	`37`	`+test_rule_has_resource_name_null if {`
`36`	`38`	`rule_has_resource_name({}, "wrong")`
`37`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,21 +1,23 @@`
`1`	`1`	`package lib.security`
`2`	`2`
`3`		`-dropped_capability(container, cap) {`
	`3`	`+import future.keywords.if`
	`4`	`+`
	`5`	`+dropped_capability(container, cap) if {`
`4`	`6`	`lower(container.securityContext.capabilities.drop[_]) == lower(cap)`
`5`	`7`	`}`
`6`	`8`
`7`		`-dropped_capability(psp, cap) {`
	`9`	`+dropped_capability(psp, cap) if {`
`8`	`10`	`lower(psp.spec.requiredDropCapabilities[_]) == lower(cap)`
`9`	`11`	`}`
`10`	`12`
`11`		`-added_capability(container, cap) {`
	`13`	`+added_capability(container, cap) if {`
`12`	`14`	`lower(container.securityContext.capabilities.add[_]) == lower(cap)`
`13`	`15`	`}`
`14`	`16`
`15`		`-added_capability(psp, cap) {`
	`17`	`+added_capability(psp, cap) if {`
`16`	`18`	`lower(psp.spec.allowedCapabilities[_]) == lower(cap)`
`17`	`19`	`}`
`18`	`20`
`19`		`-added_capability(psp, cap) {`
	`21`	`+added_capability(psp, cap) if {`
`20`	`22`	`lower(psp.spec.defaultAddCapabilities[_]) == lower(cap)`
`21`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,33 +1,35 @@`
`1`	`1`	`package lib.security`
`2`	`2`
`3`		`-test_added_capabilities_container_match {`
	`3`	`+import future.keywords.if`
	`4`	`+`
	`5`	`+test_added_capabilities_container_match if {`
`4`	`6`	`added_capability({"securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}}}, "CAP_SYS_ADMIN")`
`5`	`7`	`}`
`6`	`8`
`7`		`-test_added_capabilities_container_nomatch {`
	`9`	`+test_added_capabilities_container_nomatch if {`
`8`	`10`	`not added_capability({"securityContext": {"capabilities": {"add": ["CAP_SYS_ADMIN"]}}}, "test")`
`9`	`11`	`}`
`10`	`12`
`11`		`-test_added_capabilities_psp_match {`
	`13`	`+test_added_capabilities_psp_match if {`
`12`	`14`	`added_capability({"spec": {"allowedCapabilities": ["CAP_SYS_ADMIN"]}}, "CAP_SYS_ADMIN")`
`13`	`15`	`}`
`14`	`16`
`15`		`-test_added_capabilities_psp_nomatch {`
	`17`	`+test_added_capabilities_psp_nomatch if {`
`16`	`18`	`not added_capability({"spec": {"allowedCapabilities": ["CAP_SYS_ADMIN"]}}, "test")`
`17`	`19`	`}`
`18`	`20`
`19`		`-test_dropped_capabilities_container_match {`
	`21`	`+test_dropped_capabilities_container_match if {`
`20`	`22`	`dropped_capability({"securityContext": {"capabilities": {"drop": ["CAP_SYS_ADMIN"]}}}, "CAP_SYS_ADMIN")`
`21`	`23`	`}`
`22`	`24`
`23`		`-test_dropped_capabilities_container_nomatch {`
	`25`	`+test_dropped_capabilities_container_nomatch if {`
`24`	`26`	`not dropped_capability({"securityContext": {"capabilities": {"drop": ["CAP_SYS_ADMIN"]}}}, "test")`
`25`	`27`	`}`
`26`	`28`
`27`		`-test_dropped_capabilities_psp_match {`
	`29`	`+test_dropped_capabilities_psp_match if {`
`28`	`30`	`dropped_capability({"spec": {"requiredDropCapabilities": ["CAP_SYS_ADMIN"]}}, "CAP_SYS_ADMIN")`
`29`	`31`	`}`
`30`	`32`
`31`		`-test_dropped_capabilities_psp_nomatch {`
	`33`	`+test_dropped_capabilities_psp_nomatch if {`
`32`	`34`	`not dropped_capability({"spec": {"requiredDropCapabilities": ["CAP_SYS_ADMIN"]}}, "test")`
`33`	`35`	`}`