in sg/internal/engine/rego_query.go [89:162]
func (engine *RegoEngine) queryPackage(
ctx context.Context,
policyPackage policy.Package,
loadedConfiguration loadedConfiguration,
) (result.QueryResults, error) {
// NOTE: because an rego query returns all failures for a given rule,
// even if the rule is repeated with different bodies. Therefore,
// we should only query the distinct rules. At the end, the total success
// rules should be the count of total rules minus the query results plus
// succeeded query results.
allRules := policyPackage.Rules()
distinctRules := make([]policy.Rule, 0, len(allRules))
rulesSet := make(map[string]struct{}, len(allRules))
for _, rule := range allRules {
primaryRuleKey := rule.Query()
if _, ok := rulesSet[primaryRuleKey]; ok {
// skip duplicate rules
continue
}
rulesSet[primaryRuleKey] = struct{}{}
distinctRules = append(distinctRules, rule)
}
mm := iter.Mapper[policy.Rule, result.QueryResults]{
MaxGoroutines: len(distinctRules),
}
queryResults, err := mm.MapErr(
distinctRules,
func(rulePtr *policy.Rule) (result.QueryResults, error) {
done := engine.limiter.acquire()
defer done()
rule := *rulePtr
rv := result.QueryResults{}
if rule.Namespace != PackageMain {
// we only care about rules in the main package
return rv, nil
}
if !rule.IsKind(policy.QueryKindWarn, policy.QueryKindDeny, policy.QueryKindViolation) {
// not a query rule
return rv, nil
}
if err := engine.queryRule(
ctx,
policyPackage, rule,
loadedConfiguration, &rv,
); err != nil {
return rv, fmt.Errorf("failed to query rule: %w", err)
}
return rv, nil
},
)
if err != nil {
return result.QueryResults{}, nil
}
queryResult := result.QueryResults{}
for _, qr := range queryResults {
queryResult = queryResult.Merge(qr)
}
resultsCount := queryResult.Successes + len(queryResult.Failures) + len(queryResult.Warnings) + len(queryResult.Exceptions)
if duplicatedRulesCount := len(allRules) - resultsCount; duplicatedRulesCount > 0 {
queryResult.Successes += duplicatedRulesCount
}
return queryResult, nil
}