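package bluejayinfra.public_method_allowlist

# Hosts that are exposed to the public as read-only. Every IngressRoute
# route whose match expression names one of them must also carry explicit
# Method(`GET`) and Method(`HEAD`) matchers.
public_hosts := {"brochure.flowercore.io", "dist.flowercore.io", "dns.iamworkin.lan"}

# HTTP methods whose Method(...) matcher must be present on a public
# read-only route. Both are checked independently, so a route missing both
# produces two deny messages.
required_methods := {"GET", "HEAD"}

# public_route_matches collects every (match expression, public host) pair
# for the routes of the IngressRoute under review that name a public host.
# Routes without a "match" key are treated as an empty expression and so
# never pair with a host.
#
# NOTE(review): host detection is a plain substring test for "Host(`<host>`)".
# The multi-host form Host(`a`, `b`) and HostRegexp(...) do not contain that
# substring, so such routes are silently skipped by this policy — confirm
# that is acceptable for the hosts listed above.
public_route_matches[[match, host]] {
	input.kind == "IngressRoute"
	route := input.spec.routes[_]
	match := object.get(route, "match", "")
	host := public_hosts[_]
	contains(match, sprintf("Host(`%s`)", [host]))
}

# deny yields one message per (public host, required method) whose Method
# matcher is absent from a route's match expression.
#
# This only asserts that the GET and HEAD matchers are present; it does not
# reject additional Method(...) matchers that would widen the route beyond
# read-only, nor does it check how the matchers are combined (&& vs ||).
deny[msg] {
	public_route_matches[[match, host]]
	method := required_methods[_]
	not contains(match, sprintf("Method(`%s`)", [method]))
	msg := sprintf(
		"IngressRoute %s/%s is missing Method(%s) for public read-only host %s",
		[input.metadata.namespace, input.metadata.name, method, host],
	)
}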