@nitra/cursor 1.8.221 → 1.8.228

package/policy/k8s/gateway/gateway_test.rego

@@ -0,0 +1,122 @@
+# Тести для `k8s.gateway`. Запуск:
+#   conftest verify -p npm/policy/k8s/gateway --namespace k8s.gateway
+package k8s.gateway_test
+
+import rego.v1
+
+import data.k8s.gateway
+
+# ── HealthCheckPolicy ─────────────────────────────────────────────────────
+
+test_deny_hcp_targetref_without_hl_suffix if {
+	count(gateway.deny) > 0 with input as {
+		"apiVersion": "networking.gke.io/v1",
+		"kind": "HealthCheckPolicy",
+		"metadata": {"name": "hc"},
+		"spec": {"targetRef": {
+			"group": "",
+			"kind": "Service",
+			"name": "auth",
+		}},
+	}
+}
+
+test_allow_hcp_targetref_with_hl_suffix if {
+	count(gateway.deny) == 0 with input as {
+		"apiVersion": "networking.gke.io/v1",
+		"kind": "HealthCheckPolicy",
+		"metadata": {"name": "hc"},
+		"spec": {"targetRef": {
+			"group": "",
+			"kind": "Service",
+			"name": "auth-hl",
+		}},
+	}
+}
+
+test_deny_hcp_missing_targetref if {
+	count(gateway.deny) > 0 with input as {
+		"apiVersion": "networking.gke.io/v1",
+		"kind": "HealthCheckPolicy",
+		"metadata": {"name": "hc"},
+		"spec": {},
+	}
+}
+
+# Без kind=Service у targetRef правило не діє (інші kind не оцінюємо).
+test_allow_hcp_targetref_other_kind if {
+	count(gateway.deny) == 0 with input as {
+		"apiVersion": "networking.gke.io/v1",
+		"kind": "HealthCheckPolicy",
+		"metadata": {"name": "hc"},
+		"spec": {"targetRef": {
+			"kind": "Gateway",
+			"name": "gw",
+		}},
+	}
+}
+
+# ── HTTPRoute backendRef → Service з суфіксом `-hl` ──────────────────────
+
+test_deny_httproute_backend_without_hl if {
+	count(gateway.deny) > 0 with input as {
+		"apiVersion": "gateway.networking.k8s.io/v1",
+		"kind": "HTTPRoute",
+		"metadata": {"name": "r", "namespace": "dev"},
+		"spec": {"rules": [{"backendRefs": [{"name": "auth", "port": 8080}]}]},
+	}
+}
+
+test_allow_httproute_backend_with_hl if {
+	count(gateway.deny) == 0 with input as {
+		"apiVersion": "gateway.networking.k8s.io/v1",
+		"kind": "HTTPRoute",
+		"metadata": {"name": "r", "namespace": "dev"},
+		"spec": {"rules": [{"backendRefs": [{"name": "auth-hl", "port": 8080}]}]},
+	}
+}
+
+# ── HTTPRoute backendRef з redundant namespace ───────────────────────────
+
+test_deny_httproute_backend_redundant_namespace if {
+	count(gateway.deny) > 0 with input as {
+		"apiVersion": "gateway.networking.k8s.io/v1",
+		"kind": "HTTPRoute",
+		"metadata": {"name": "r", "namespace": "dev"},
+		"spec": {"rules": [{"backendRefs": [{
+			"name": "auth-hl",
+			"namespace": "dev",
+			"port": 8080,
+		}]}]},
+	}
+}
+
+test_allow_httproute_backend_different_namespace if {
+	count(gateway.deny) == 0 with input as {
+		"apiVersion": "gateway.networking.k8s.io/v1",
+		"kind": "HTTPRoute",
+		"metadata": {"name": "r", "namespace": "dev"},
+		"spec": {"rules": [{"backendRefs": [{
+			"name": "auth-hl",
+			"namespace": "other",
+			"port": 8080,
+		}]}]},
+	}
+}
+
+# Перевірка не діє на HTTPHeaderMatch (немає `port`).
+test_allow_httproute_header_match_without_port if {
+	count(gateway.deny) == 0 with input as {
+		"apiVersion": "gateway.networking.k8s.io/v1",
+		"kind": "HTTPRoute",
+		"metadata": {"name": "r", "namespace": "dev"},
+		"spec": {"rules": [{
+			"matches": [{"headers": [{
+				"type": "Exact",
+				"name": "X-Tenant",
+				"value": "acme",
+			}]}],
+			"backendRefs": [{"name": "auth-hl", "port": 8080}],
+		}]},
+	}
+}

package/policy/k8s/hasura_configmap/hasura_configmap.rego

@@ -0,0 +1,69 @@
+# Порт перевірки ConfigMap для Hasura-Deployment з
+# `npm/scripts/check-k8s.mjs` (k8s.mdc): у ConfigMap, що сусідствує з
+# Hasura-Deployment, у `data` обов'язково має бути ключ
+# `HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS` зі значенням `"true"`.
+#
+# Запуск (локально, лише для ConfigMap у каталозі з Hasura-Deployment):
+#   conftest test path/to/k8s/.../configmap.yaml \
+#     -p npm/policy/k8s/hasura_configmap \
+#     --namespace k8s.hasura_configmap
+#
+# Прив'язка ConfigMap-Deployment cross-file — у JS (`check-k8s.mjs`:
+# `validateHasuraConfigMapRemoteSchemaPermissions` шукає Hasura-Deployment
+# у тому ж dir-у і викликає conftest з цією намеспейс лише для відповідних
+# ConfigMap-ів). JS authoritative (`hasuraConfigMapRemoteSchemaPermissionsViolation`,
+# константа `HASURA_REMOTE_SCHEMA_PERMISSIONS_KEY`).
+#
+# Структура каталогу збігається зі шляхом пакету (regal: directory-package-mismatch).
+# Конвенція проєкту — `import rego.v1` + multi-value `deny contains msg if { … }`.
+package k8s.hasura_configmap
+
+import rego.v1
+
+# Обов'язковий ключ у `data` (узгоджено з `check-k8s.mjs`).
+required_key := "HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS"
+
+key_missing_template := concat(" ", [
+	"data.%s: додай ключ зі значенням \"true\"",
+	"(Deployment з hasura/graphql-engine — k8s.mdc)",
+])
+
+key_value_wrong_template := concat(" ", ["data.%s: значення має бути \"true\" (зараз: %v) (k8s.mdc)"])
+
+deny contains msg if {
+	input.kind == "ConfigMap"
+	not is_object(object.get(input, "data", null))
+	msg := sprintf(key_missing_template, [required_key])
+}
+
+deny contains msg if {
+	input.kind == "ConfigMap"
+	d := object.get(input, "data", null)
+	is_object(d)
+	not key_present(d)
+	msg := sprintf(key_missing_template, [required_key])
+}
+
+deny contains msg if {
+	input.kind == "ConfigMap"
+	d := object.get(input, "data", null)
+	is_object(d)
+	key_present(d)
+	value := d[required_key]
+	not is_value_true(value)
+	msg := sprintf(key_value_wrong_template, [required_key, value])
+}
+
+key_present(d) if {
+	required_key in object.keys(d)
+}
+
+# Значення вважається "true", якщо це boolean true або рядок "true"
+# (case-insensitive). ConfigMap у Kubernetes тримає рядки, але YAML без лапок
+# дає boolean — приймаємо обидва варіанти.
+is_value_true(true)
+
+is_value_true(v) if {
+	is_string(v)
+	lower(trim_space(v)) == "true"
+}

package/policy/k8s/hasura_configmap/hasura_configmap_test.rego

@@ -0,0 +1,49 @@
+# Тести для `k8s.hasura_configmap`. Запуск:
+#   conftest verify -p npm/policy/k8s/hasura_configmap --namespace k8s.hasura_configmap
+package k8s.hasura_configmap_test
+
+import rego.v1
+
+import data.k8s.hasura_configmap
+
+required_key := "HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS"
+
+base_cm := {
+	"apiVersion": "v1",
+	"kind": "ConfigMap",
+	"metadata": {"name": "db-h", "namespace": "dev"},
+}
+
+with_data(value) := object.union(base_cm, {"data": {required_key: value}})
+
+test_deny_missing_data if {
+	count(hasura_configmap.deny) > 0 with input as base_cm
+}
+
+test_deny_missing_required_key if {
+	count(hasura_configmap.deny) > 0 with input as object.union(base_cm, {"data": {"OTHER": "foo"}})
+}
+
+test_deny_required_key_value_false if {
+	count(hasura_configmap.deny) > 0 with input as with_data("false")
+}
+
+test_allow_required_key_string_true if {
+	count(hasura_configmap.deny) == 0 with input as with_data("true")
+}
+
+test_allow_required_key_boolean_true if {
+	count(hasura_configmap.deny) == 0 with input as with_data(true)
+}
+
+test_allow_required_key_uppercase_true if {
+	count(hasura_configmap.deny) == 0 with input as with_data("TRUE")
+}
+
+test_allow_non_configmap if {
+	count(hasura_configmap.deny) == 0 with input as {
+		"apiVersion": "apps/v1",
+		"kind": "Deployment",
+		"metadata": {"name": "x"},
+	}
+}

package/policy/k8s/hasura_httproute/hasura_httproute.rego

@@ -0,0 +1,298 @@
+# Порт перевірки `httpRouteHasuraCanonViolation` з `npm/scripts/check-k8s.mjs`
+# (k8s.mdc): HTTPRoute, що сусідствує з Hasura-Deployment з тим самим
+# `metadata.name`, має містити канон з 4 правил у такому порядку:
+#
+#  1. Exact `<prefix>/ql` → RequestRedirect ReplaceFullPath `<prefix>/ql/console` 302
+#  2. Exact `<prefix>/ql/` → таке саме перенаправлення
+#  3. PathPrefix `<prefix>/ql` → URLRewrite ReplacePrefixMatch `/`, один backendRef
+#  4. WebSocket: PathPrefix `<prefix>/ql` + header `Upgrade: websocket` →
+#     URLRewrite ReplacePrefixMatch `/` + RequestHeaderModifier `remove: [Authorization]`,
+#     той самий backendRef
+#
+# Додаткові правила поверх канону дозволені — їх просто пропускаємо при пошуку.
+#
+# Запуск (локально, лише для HTTPRoute, парного з Hasura-Deployment):
+#   conftest test path/to/k8s/.../hr.yaml -p npm/policy/k8s/hasura_httproute \
+#     --namespace k8s.hasura_httproute
+#
+# Прив'язка Deployment-HTTPRoute (cross-file) — у JS (`validateHasuraHttpRouteCanon`,
+# `collectHasuraDeploymentsAndHttpRoutes`); JS викликає conftest з цією
+# намеспейс лише для відповідних HTTPRoute. JS authoritative.
+#
+# Структура каталогу збігається зі шляхом пакету (regal: directory-package-mismatch).
+# Конвенція проєкту — `import rego.v1` + multi-value `deny contains msg if { … }`.
+package k8s.hasura_httproute
+
+import rego.v1
+
+rule1_missing_msg := concat(" ", [
+	"не знайдено правило 1 Hasura-канона:",
+	"Exact \"<prefix>/ql\" + RequestRedirect ReplaceFullPath",
+	"\"<prefix>/ql/console\" statusCode 302 (k8s.mdc)",
+])
+
+rule1_filters_template := concat(" ", [
+	"правило 1 Hasura-канона (rules[%d], prefix %q):",
+	"Exact %q має мати RequestRedirect ReplaceFullPath %q statusCode 302 (k8s.mdc)",
+])
+
+rule2_missing_template := concat(" ", [
+	"правило 2 Hasura-канона: після правила 1 має бути Exact %q",
+	"+ RequestRedirect ReplaceFullPath %q statusCode 302 (k8s.mdc)",
+])
+
+rule3_missing_template := concat(" ", [
+	"правило 3 Hasura-канона: після правила 2 має бути PathPrefix %q",
+	"+ URLRewrite ReplacePrefixMatch \"/\"",
+	"+ один backendRef на headless Service (k8s.mdc)",
+])
+
+rule4_missing_template := concat(" ", [
+	"правило 4 Hasura-канона (WebSocket): після правила 3 має бути PathPrefix %q",
+	"+ header \"Upgrade: websocket\" + URLRewrite ReplacePrefixMatch \"/\"",
+	"+ RequestHeaderModifier remove [Authorization] + backendRef %q (k8s.mdc)",
+])
+
+# ── deny: structural shortcut перевірки до пошуку правила 1 ──────────────
+
+deny contains "HTTPRoute без spec — канон Hasura вимагає 4 правил (k8s.mdc)" if {
+	input.kind == "HTTPRoute"
+	not is_object(object.get(input, "spec", null))
+}
+
+deny contains "spec.rules порожній — канон Hasura вимагає 4 правил у порядку (k8s.mdc)" if {
+	input.kind == "HTTPRoute"
+	is_object(object.get(input, "spec", null))
+	not has_non_empty_rules
+}
+
+deny contains rule1_missing_msg if {
+	input.kind == "HTTPRoute"
+	has_non_empty_rules
+	canon_start == null
+}
+
+# ── deny: канонічна частина (правила 1-4) ────────────────────────────────
+
+deny contains msg if {
+	input.kind == "HTTPRoute"
+	canon_outcome.stage == "rule1_filters"
+	msg := sprintf(rule1_filters_template, [
+		canon_outcome.start_index,
+		canon_outcome.prefix,
+		canon_outcome.ql_path,
+		canon_outcome.console_path,
+	])
+}
+
+deny contains msg if {
+	input.kind == "HTTPRoute"
+	canon_outcome.stage == "rule2_missing"
+	msg := sprintf(rule2_missing_template, [canon_outcome.ql_slash_path, canon_outcome.console_path])
+}
+
+deny contains msg if {
+	input.kind == "HTTPRoute"
+	canon_outcome.stage == "rule3_missing"
+	msg := sprintf(rule3_missing_template, [canon_outcome.ql_path])
+}
+
+deny contains msg if {
+	input.kind == "HTTPRoute"
+	canon_outcome.stage == "rule4_missing"
+	msg := sprintf(rule4_missing_template, [canon_outcome.ql_path, canon_outcome.backend_name])
+}
+
+# ── helpers ───────────────────────────────────────────────────────────────
+
+has_non_empty_rules if {
+	rules := object.get(object.get(input, "spec", {}), "rules", [])
+	is_array(rules)
+	count(rules) > 0
+}
+
+# Перше правило з matches=[{path={type: Exact, value: <prefix>/ql}}] (без headers).
+# Повертаємо {prefix, start_index} або null, якщо нема.
+default canon_start := null
+
+canon_start := canon_start_candidates[0] if {
+	count(canon_start_candidates) > 0
+}
+
+canon_start_candidates := [{"prefix": substring(p.value, 0, count(p.value) - 3), "start_index": i} |
+	some i, rule in input.spec.rules
+	matches := object.get(rule, "matches", [])
+	count(matches) == 1
+	m := matches[0]
+	not m.headers
+	p := object.get(m, "path", {})
+	p.type == "Exact"
+	is_string(p.value)
+	endswith(p.value, "/ql")
+]
+
+# Стиснений результат канон-перевірки. Повертає об'єкт з полем `stage`:
+# "ok" | "rule1_filters" | "rule2_missing" | "rule3_missing" | "rule4_missing".
+default canon_outcome := {"stage": "skip"}
+
+canon_outcome := outcome if {
+	has_non_empty_rules
+	canon_start != null
+	prefix := canon_start.prefix
+	start_index := canon_start.start_index
+	console_path := sprintf("%s/ql/console", [prefix])
+	ql_slash_path := sprintf("%s/ql/", [prefix])
+	ql_path := sprintf("%s/ql", [prefix])
+	outcome := evaluate_canon(prefix, start_index, console_path, ql_slash_path, ql_path)
+}
+
+evaluate_canon(prefix, start_index, console_path, ql_slash_path, ql_path) := result if {
+	not rule_has_exact_redirect(input.spec.rules[start_index], console_path)
+	ctx := canon_ctx(prefix, start_index, console_path, ql_slash_path, ql_path)
+	result := object.union(ctx, {"stage": "rule1_filters"})
+} else := result if {
+	rule_has_exact_redirect(input.spec.rules[start_index], console_path)
+	rule2_index(start_index, ql_slash_path, console_path) == -1
+	ctx := canon_ctx(prefix, start_index, console_path, ql_slash_path, ql_path)
+	result := object.union(ctx, {"stage": "rule2_missing"})
+} else := result if {
+	rule_has_exact_redirect(input.spec.rules[start_index], console_path)
+	i2 := rule2_index(start_index, ql_slash_path, console_path)
+	i2 != -1
+	rule3_index(i2, ql_path) == -1
+	ctx := canon_ctx(prefix, start_index, console_path, ql_slash_path, ql_path)
+	result := object.union(ctx, {"stage": "rule3_missing"})
+} else := result if {
+	rule_has_exact_redirect(input.spec.rules[start_index], console_path)
+	i2 := rule2_index(start_index, ql_slash_path, console_path)
+	i3 := rule3_index(i2, ql_path)
+	i3 != -1
+	backend_name := single_backend_name(input.spec.rules[i3])
+	rule4_index(i3, ql_path, backend_name) == -1
+	result := {
+		"stage": "rule4_missing",
+		"prefix": prefix,
+		"ql_path": ql_path,
+		"backend_name": backend_name,
+	}
+} else := {"stage": "ok"}
+
+canon_ctx(prefix, start_index, console_path, ql_slash_path, ql_path) := {
+	"prefix": prefix,
+	"start_index": start_index,
+	"console_path": console_path,
+	"ql_slash_path": ql_slash_path,
+	"ql_path": ql_path,
+}
+
+# Правило: matches=[{path={type, value}}] без headers.
+rule_matches_single_path_no_headers(rule, path_type, path_value) if {
+	matches := object.get(rule, "matches", [])
+	count(matches) == 1
+	m := matches[0]
+	not m.headers
+	p := object.get(m, "path", {})
+	p.type == path_type
+	p.value == path_value
+}
+
+rule_has_exact_redirect(rule, to_path) if {
+	filters := object.get(rule, "filters", [])
+	count(filters) == 1
+	f := filters[0]
+	f.type == "RequestRedirect"
+	rr := object.get(f, "requestRedirect", {})
+	rr.statusCode == 302
+	p := object.get(rr, "path", {})
+	p.type == "ReplaceFullPath"
+	p.replaceFullPath == to_path
+}
+
+# Серед filters є URLRewrite з ReplacePrefixMatch "/".
+filters_include_url_rewrite_to_slash(filters) if {
+	some f in filters
+	f.type == "URLRewrite"
+	rw := object.get(f, "urlRewrite", {})
+	p := object.get(rw, "path", {})
+	p.type == "ReplacePrefixMatch"
+	p.replacePrefixMatch == "/"
+}
+
+# Серед filters є RequestHeaderModifier з remove=[Authorization].
+filters_remove_authorization(filters) if {
+	some f in filters
+	f.type == "RequestHeaderModifier"
+	mod := object.get(f, "requestHeaderModifier", {})
+	remove := object.get(mod, "remove", [])
+	count(remove) == 1
+	remove[0] == "Authorization"
+}
+
+default single_backend_name(_) := ""
+
+single_backend_name(rule) := refs[0].name if {
+	refs := object.get(rule, "backendRefs", [])
+	count(refs) == 1
+	is_string(refs[0].name)
+}
+
+# Шукаємо індекс правила 2 (після `from`); -1 якщо немає.
+default rule2_index(_, _, _) := -1
+
+rule2_index(from, ql_slash_path, console_path) := indices[0] if {
+	indices := [i |
+		some i, rule in input.spec.rules
+		i > from
+		rule_matches_single_path_no_headers(rule, "Exact", ql_slash_path)
+		rule_has_exact_redirect(rule, console_path)
+	]
+	count(indices) > 0
+}
+
+# Шукаємо індекс правила 3 (після `from`); -1 якщо немає.
+default rule3_index(_, _) := -1
+
+rule3_index(from, ql_path) := indices[0] if {
+	indices := [i |
+		some i, rule in input.spec.rules
+		i > from
+		rule_matches_single_path_no_headers(rule, "PathPrefix", ql_path)
+		filters := object.get(rule, "filters", [])
+		count(filters) == 1
+		filters_include_url_rewrite_to_slash(filters)
+		single_backend_name(rule) != ""
+	]
+	count(indices) > 0
+}
+
+# Шукаємо індекс правила 4 (WebSocket) (після `from`); -1 якщо немає.
+default rule4_index(_, _, _) := -1
+
+rule4_index(from, ql_path, backend_name) := indices[0] if {
+	indices := [i |
+		some i, rule in input.spec.rules
+		i > from
+		is_websocket_rule(rule, ql_path)
+		single_backend_name(rule) == backend_name
+	]
+	count(indices) > 0
+}
+
+is_websocket_rule(rule, ql_path) if {
+	matches := object.get(rule, "matches", [])
+	count(matches) == 1
+	m := matches[0]
+	p := object.get(m, "path", {})
+	p.type == "PathPrefix"
+	p.value == ql_path
+	headers := object.get(m, "headers", [])
+	count(headers) == 1
+	h := headers[0]
+	h.type == "Exact"
+	h.name == "Upgrade"
+	h.value == "websocket"
+	filters := object.get(rule, "filters", [])
+	count(filters) == 2
+	filters_include_url_rewrite_to_slash(filters)
+	filters_remove_authorization(filters)
+}

package/policy/k8s/hasura_httproute/hasura_httproute_test.rego

@@ -0,0 +1,148 @@
+# Тести для `k8s.hasura_httproute`. Запуск:
+#   conftest verify -p npm/policy/k8s/hasura_httproute --namespace k8s.hasura_httproute
+package k8s.hasura_httproute_test
+
+import rego.v1
+
+import data.k8s.hasura_httproute
+
+base_route := {
+	"apiVersion": "gateway.networking.k8s.io/v1",
+	"kind": "HTTPRoute",
+	"metadata": {"name": "db-h", "namespace": "dev"},
+}
+
+rule1(prefix) := {
+	"matches": [{"path": {"type": "Exact", "value": sprintf("%s/ql", [prefix])}}],
+	"filters": [{
+		"type": "RequestRedirect",
+		"requestRedirect": {
+			"path": {"type": "ReplaceFullPath", "replaceFullPath": sprintf("%s/ql/console", [prefix])},
+			"statusCode": 302,
+		},
+	}],
+}
+
+rule2(prefix) := {
+	"matches": [{"path": {"type": "Exact", "value": sprintf("%s/ql/", [prefix])}}],
+	"filters": [{
+		"type": "RequestRedirect",
+		"requestRedirect": {
+			"path": {"type": "ReplaceFullPath", "replaceFullPath": sprintf("%s/ql/console", [prefix])},
+			"statusCode": 302,
+		},
+	}],
+}
+
+rule3(prefix, backend) := {
+	"matches": [{"path": {"type": "PathPrefix", "value": sprintf("%s/ql", [prefix])}}],
+	"filters": [{
+		"type": "URLRewrite",
+		"urlRewrite": {"path": {"type": "ReplacePrefixMatch", "replacePrefixMatch": "/"}},
+	}],
+	"backendRefs": [{"name": backend, "port": 8080}],
+}
+
+rule4(prefix, backend) := {
+	"matches": [{
+		"path": {"type": "PathPrefix", "value": sprintf("%s/ql", [prefix])},
+		"headers": [{"type": "Exact", "name": "Upgrade", "value": "websocket"}],
+	}],
+	"filters": [
+		{
+			"type": "URLRewrite",
+			"urlRewrite": {"path": {"type": "ReplacePrefixMatch", "replacePrefixMatch": "/"}},
+		},
+		{
+			"type": "RequestHeaderModifier",
+			"requestHeaderModifier": {"remove": ["Authorization"]},
+		},
+	],
+	"backendRefs": [{"name": backend, "port": 8080}],
+}
+
+# ── canonical positive case ─────────────────────────────────────────────
+
+test_allow_canonical_route_empty_prefix if {
+	count(hasura_httproute.deny) == 0 with input as object.union(base_route, {"spec": {"rules": [
+		rule1(""),
+		rule2(""),
+		rule3("", "db-h-hl"),
+		rule4("", "db-h-hl"),
+	]}})
+}
+
+test_allow_canonical_route_with_prefix if {
+	count(hasura_httproute.deny) == 0 with input as object.union(base_route, {"spec": {"rules": [
+		rule1("/notify"),
+		rule2("/notify"),
+		rule3("/notify", "db-h-hl"),
+		rule4("/notify", "db-h-hl"),
+	]}})
+}
+
+# ── deny-кейси ───────────────────────────────────────────────────────────
+
+test_deny_missing_spec if {
+	count(hasura_httproute.deny) > 0 with input as base_route
+}
+
+test_deny_empty_rules if {
+	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": []}})
+}
+
+test_deny_missing_rule1 if {
+	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": [{
+		"matches": [{"path": {"type": "PathPrefix", "value": "/api"}}],
+		"backendRefs": [{"name": "api-hl", "port": 8080}],
+	}]}})
+}
+
+test_deny_rule1_wrong_redirect if {
+	bad_rule1 := object.union(rule1(""), {"filters": [{
+		"type": "RequestRedirect",
+		"requestRedirect": {
+			"path": {"type": "ReplaceFullPath", "replaceFullPath": "/wrong"},
+			"statusCode": 302,
+		},
+	}]})
+	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": [
+		bad_rule1,
+		rule2(""),
+		rule3("", "db-h-hl"),
+		rule4("", "db-h-hl"),
+	]}})
+}
+
+test_deny_rule2_missing if {
+	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": [
+		rule1(""),
+		rule3("", "db-h-hl"),
+		rule4("", "db-h-hl"),
+	]}})
+}
+
+test_deny_rule3_missing if {
+	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": [
+		rule1(""),
+		rule2(""),
+		rule4("", "db-h-hl"),
+	]}})
+}
+
+test_deny_rule4_missing if {
+	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": [
+		rule1(""),
+		rule2(""),
+		rule3("", "db-h-hl"),
+	]}})
+}
+
+test_deny_rule4_wrong_backend if {
+	count(hasura_httproute.deny) > 0 with input as object.union(base_route, {"spec": {"rules": [
+		rule1(""),
+		rule2(""),
+		rule3("", "db-h-hl"),
+		rule4("", "other-hl"),
+	]}})
+}