diff --git a/bundle/regal/rules/style/external-reference/external_reference.rego b/bundle/regal/rules/style/external-reference/external_reference.rego index b3285820..797ec869 100644 --- a/bundle/regal/rules/style/external-reference/external_reference.rego +++ b/bundle/regal/rules/style/external-reference/external_reference.rego @@ -13,7 +13,7 @@ report contains violation if { some fn in ast.functions - named_args := {arg.value | some arg in fn.head.args; arg.type == "var"} + args_vars := _args_vars(fn) head_vars := {v.value | some v in ast.find_vars(fn.head.value)} body_vars := {v.value | some v in ast.find_vars(fn.body)} @@ -21,7 +21,7 @@ report contains violation if { own_vars := (body_vars | head_vars) | else_vars # note: parens added by opa fmt 🤦 - allowed_refs := (named_args | own_vars) | fn_namespaces + allowed_refs := (args_vars | own_vars) | fn_namespaces walk(fn, [path, value]) @@ -33,6 +33,15 @@ report contains violation if { violation := result.fail(rego.metadata.chain(), result.location(value)) } +_args_vars(fn) := {name | + some arg in fn.head.args + some name in _named_vars(arg) +} + +_named_vars(arg) := {arg.value} if arg.type == "var" + +_named_vars(arg) := {var.value | some var in ast.find_term_vars(arg)} if arg.type in {"array", "object", "set"} + # METADATA # scope: document # description: | diff --git a/bundle/regal/rules/style/external-reference/external_reference_test.rego b/bundle/regal/rules/style/external-reference/external_reference_test.rego index 76d58547..2256e506 100644 --- a/bundle/regal/rules/style/external-reference/external_reference_test.rego +++ b/bundle/regal/rules/style/external-reference/external_reference_test.rego @@ -160,6 +160,13 @@ test_success_function_references_external_function_in_expr if { r == set() } +# verify fix for https://github.com/StyraInc/regal/issues/1283 +test_success_variable_from_nested_arg_term if { + r := rule.report with input as ast.policy(`f([x]) := to_number(x)`) + with data.internal.combined_config as {"capabilities": capabilities.provided} + r == set() +} + expected := { "category": "style", "description": "External reference in function",