Documentation ¶
Overview ¶
Package policy provides an extensible parser and compiler for composing a graph of CEL expressions into a single evaluable expression.
Index ¶
- func Compile(env *cel.Env, p *Policy, opts ...CompilerOption) (*cel.Ast, *cel.Issues)
- type CompiledMatch
- type CompiledRule
- type CompiledVariable
- type CompilerOption
- type Config
- type ExtensionConfig
- type ExtensionFactory
- type ExtensionResolver
- type FunctionDecl
- type Import
- type Match
- func (m *Match) Condition() ValueString
- func (m *Match) Explanation() ValueString
- func (m *Match) HasExplanation() bool
- func (m *Match) HasOutput() bool
- func (m *Match) HasRule() bool
- func (m *Match) Output() ValueString
- func (m *Match) Rule() *Rule
- func (m *Match) SetCondition(c ValueString)
- func (m *Match) SetExplanation(e ValueString)
- func (m *Match) SetOutput(o ValueString)
- func (m *Match) SetRule(r *Rule)
- type OutputValue
- type OverloadDecl
- type Parser
- type ParserContext
- type ParserOption
- type Policy
- func (p *Policy) AddImport(i *Import)
- func (p *Policy) GetExplanationOutputPolicy() *Policy
- func (p *Policy) Imports() []*Import
- func (p *Policy) Metadata(name string) (any, bool)
- func (p *Policy) MetadataKeys() []string
- func (p *Policy) Name() ValueString
- func (p *Policy) Rule() *Rule
- func (p *Policy) SetMetadata(name string, value any)
- func (p *Policy) SetName(name ValueString)
- func (p *Policy) SetRule(r *Rule)
- func (p *Policy) Source() *Source
- func (p *Policy) SourceInfo() *ast.SourceInfo
- type RelativeSource
- type Rule
- func (r *Rule) AddMatch(m *Match)
- func (r *Rule) AddVariable(v *Variable)
- func (r *Rule) Description() ValueString
- func (r *Rule) ID() ValueString
- func (r *Rule) Matches() []*Match
- func (r *Rule) SetDescription(desc ValueString)
- func (r *Rule) SetID(id ValueString)
- func (r *Rule) Variables() []*Variable
- type RuleComposer
- type Source
- type TagVisitor
- type TestCase
- type TestInput
- type TestSection
- type TestSuite
- type TypeDecl
- type ValueString
- type Variable
- type VariableDecl
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type CompiledMatch ¶
type CompiledMatch struct {
// contains filtered or unexported fields
}
CompiledMatch represents a match block which has an optional condition (true, by default) as well as an output or a nested rule (one or the other, but not both).
func (*CompiledMatch) Condition ¶
func (m *CompiledMatch) Condition() *cel.Ast
Condition returns the compiled predicate expression which must evaluate to true before the output or subrule is entered.
func (*CompiledMatch) ConditionIsLiteral ¶
func (m *CompiledMatch) ConditionIsLiteral(val ref.Val) bool
ConditionIsLiteral indicates whether the condition for the match is a literal with a given value.
func (*CompiledMatch) NestedRule ¶
func (m *CompiledMatch) NestedRule() *CompiledRule
NestedRule returns the nested rule, if set.
func (*CompiledMatch) Output ¶
func (m *CompiledMatch) Output() *OutputValue
Output returns the compiled output expression associated with the match block, if set.
func (*CompiledMatch) OutputType ¶
func (m *CompiledMatch) OutputType() *cel.Type
OutputType returns the cel.Type associated with output expression.
func (*CompiledMatch) SourceID ¶
func (m *CompiledMatch) SourceID() int64
SourceID returns the source identifier associated with the compiled match.
type CompiledRule ¶
type CompiledRule struct {
// contains filtered or unexported fields
}
CompiledRule represents the variables and match blocks associated with a rule block.
func CompileRule ¶
func CompileRule(env *cel.Env, p *Policy, opts ...CompilerOption) (*CompiledRule, *cel.Issues)
CompileRule creates a compiled rule from the policy which contains a set of compiled variables and match statements. The compiled rule defines an expression graph, which can be composed into a single expression via the RuleComposer.Compose method.
func (*CompiledRule) HasOptionalOutput ¶
func (r *CompiledRule) HasOptionalOutput() bool
HasOptionalOutput returns whether the rule returns a concrete or optional value. The rule may return an optional value if all match expressions under the rule are conditional.
func (*CompiledRule) ID ¶
func (r *CompiledRule) ID() *ValueString
ID returns the expression id associated with the rule.
func (*CompiledRule) Matches ¶
func (r *CompiledRule) Matches() []*CompiledMatch
Matches returns the list of matches associated with the rule.
func (*CompiledRule) OutputType ¶
func (r *CompiledRule) OutputType() *cel.Type
OutputType returns the output type of the first match clause, as all match clauses are validated for agreement prior to construction of the CompiledRule.
func (*CompiledRule) SourceID ¶
func (r *CompiledRule) SourceID() int64
SourceID returns the source metadata identifier associated with the compiled rule.
func (*CompiledRule) Variables ¶
func (r *CompiledRule) Variables() []*CompiledVariable
Variables returns the list of CompiledVariable values associated with the rule.
type CompiledVariable ¶
type CompiledVariable struct {
// contains filtered or unexported fields
}
CompiledVariable represents the variable name, expression, and associated type-check declaration.
func (*CompiledVariable) Declaration ¶
func (v *CompiledVariable) Declaration() *decls.VariableDecl
Declaration returns the type-check declaration associated with the variable.
func (*CompiledVariable) Expr ¶
func (v *CompiledVariable) Expr() *cel.Ast
Expr returns the compiled expression associated with the variable name.
func (*CompiledVariable) Name ¶
func (v *CompiledVariable) Name() string
Name returns the variable name.
func (*CompiledVariable) SourceID ¶
func (v *CompiledVariable) SourceID() int64
SourceID returns the source metadata identifier associated with the variable.
type CompilerOption ¶
type CompilerOption func(*compiler) error
CompilerOption specifies a functional option to be applied to new RuleComposer instances.
func MaxNestedExpressions ¶
func MaxNestedExpressions(limit int) CompilerOption
MaxNestedExpressions limits the number of variable and nested rule expressions during compilation.
Defaults to 100 if not set.
type Config ¶
type Config struct {
	Name        string             `yaml:"name"`
	Description string             `yaml:"description"`
	Container   string             `yaml:"container"`
	Extensions  []*ExtensionConfig `yaml:"extensions"`
	Variables   []*VariableDecl    `yaml:"variables"`
	Functions   []*FunctionDecl    `yaml:"functions"`
}
Config represents a YAML serializable CEL environment configuration.
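A constructed environment configuration in the YAML shape given by the struct tags of Config, ExtensionConfig, VariableDecl, FunctionDecl, OverloadDecl and TypeDecl on this page. This is an added example, not taken from the package's own documentation; every name, the extension choice, the version value and the type names are illustrative assumptions.

```yaml
# Constructed example: names and values are illustrative, keys come from the
# yaml struct tags shown on this page.
name: "access_policy_env"
description: "Declarations visible to expressions in an access policy"
container: "example.policy"        # hypothetical container name

extensions:
  - name: "strings"                # must be known to the ExtensionResolver in use
    version: "1"                   # Version is a string field; value is constructed

variables:
  # Declare each variable once. Per the VariableDecl note on this page,
  # definitions with differing types produce an error at the compile step.
  - name: "request"
    type:
      type_name: "map"             # TypeDecl with nested params: map<string, dyn>
      params:
        - type_name: "string"
        - type_name: "dyn"
  - name: "allowed_regions"
    type:
      type_name: "list"            # list<string>
      params:
        - type_name: "string"

functions:
  # Hypothetical functions. Only the signatures are declared here; the host
  # program (or test harness) has to supply the implementations.
  - name: "regionOf"
    overloads:
      - id: "regionOf_string"      # OverloadID, serialized as "id"
        args:
          - type_name: "string"
        return:
          type_name: "string"
  - name: "inRegion"
    overloads:
      - id: "string_inRegion_string"
        target:                    # target set: receiver-style call, "x".inRegion("y")
          type_name: "string"
        args:
          - type_name: "string"
        return:
          type_name: "bool"
```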
type ExtensionConfig ¶
type ExtensionConfig struct {
	Name    string `yaml:"name"`
	Version string `yaml:"version"`
	ExtensionResolver
}
ExtensionConfig represents a YAML serializable definition of a versioned extension library reference.
func (*ExtensionConfig) AsEnvOption ¶
AsEnvOption converts an ExtensionConfig value to a CEL environment option.
type ExtensionFactory ¶
ExtensionFactory accepts a version number and produces a CEL environment associated with the versioned extension.
type ExtensionResolver ¶
type ExtensionResolver interface {
	// ResolveExtension returns an ExtensionFactory bound to the given name, if one exists.
	ResolveExtension(name string) (ExtensionFactory, bool)
}
ExtensionResolver provides a way to lookup ExtensionFactory instances by extension name.
type FunctionDecl ¶
type FunctionDecl struct {
	Name      string          `yaml:"name"`
	Overloads []*OverloadDecl `yaml:"overloads"`
}
FunctionDecl represents a YAML serializable declaration of a CEL function.
func (*FunctionDecl) AsEnvOption ¶
AsEnvOption converts a FunctionDecl value into a cel.EnvOption using the input environment.
type Import ¶
type Import struct {
// contains filtered or unexported fields
}
Import represents an imported type name which is aliased within CEL expressions.
func (*Import) Name ¶
func (i *Import) Name() ValueString
Name returns the fully qualified type name.
func (*Import) SetName ¶
func (i *Import) SetName(name ValueString)
SetName updates the fully qualified type name for the import.
type Match ¶
type Match struct {
// contains filtered or unexported fields
}
Match declares a condition (defaults to true) as well as an output or a rule. Either the output or the rule field may be set, but not both.
func (*Match) Condition ¶
func (m *Match) Condition() ValueString
Condition returns the condition CEL expression.
func (*Match) Explanation ¶
func (m *Match) Explanation() ValueString
Explanation returns the explanation expression, or empty expression if output is not set.
func (*Match) HasExplanation ¶
HasExplanation indicates whether the explanation field is set on the match.
func (*Match) Output ¶
func (m *Match) Output() ValueString
Output returns the output expression, or empty expression if output is not set.
func (*Match) SetCondition ¶
func (m *Match) SetCondition(c ValueString)
SetCondition sets the CEL condition for the match.
func (*Match) SetExplanation ¶
func (m *Match) SetExplanation(e ValueString)
SetExplanation sets the explanation expression for the match.
func (*Match) SetOutput ¶
func (m *Match) SetOutput(o ValueString)
SetOutput sets the output expression for the match.
type OutputValue ¶
type OutputValue struct {
// contains filtered or unexported fields
}
OutputValue represents the output expression associated with a match block.
func (*OutputValue) Expr ¶
func (o *OutputValue) Expr() *cel.Ast
Expr returns the compiled expression associated with the output.
func (*OutputValue) SourceID ¶
func (o *OutputValue) SourceID() int64
SourceID returns the expression id associated with the output expression.
type OverloadDecl ¶
type OverloadDecl struct {
	OverloadID string      `yaml:"id"`
	Target     *TypeDecl   `yaml:"target"`
	Args       []*TypeDecl `yaml:"args"`
	Return     *TypeDecl   `yaml:"return"`
}
OverloadDecl represents a YAML serializable declaration of a CEL function overload.
func (*OverloadDecl) AsFunctionOption ¶
func (od *OverloadDecl) AsFunctionOption(baseEnv *cel.Env) (cel.FunctionOpt, error)
AsFunctionOption converts an OverloadDecl value into a cel.FunctionOpt using the input environment.
type Parser ¶
type Parser struct {
TagVisitor
}
Parser parses policy files into a canonical Policy representation.
func NewParser ¶
func NewParser(opts ...ParserOption) (*Parser, error)
NewParser creates a new Parser object with a set of functional options.
func (*Parser) Parse ¶
Parse generates an internal parsed policy representation from a YAML input file. The internal representation ensures that CEL expressions are tracked relative to where they occur within the file, thus making error messages relative to the whole file rather than the individual expression.
type ParserContext ¶
type ParserContext interface {
	// NextID returns a monotonically increasing identifier for a source fragment.
	// This ID is implicitly created and tracked within the CollectMetadata method.
	NextID() int64

	// CollectMetadata records the source position information of a given YAML node, and returns
	// the id associated with the source metadata which is returned in the Policy SourceInfo object.
	CollectMetadata(*yaml.Node) int64

	// NewPolicy creates a new Policy instance with an ID associated with the YAML node.
	NewPolicy(*yaml.Node) (*Policy, int64)

	// NewRule creates a new Rule instance with an ID associated with the YAML node.
	NewRule(*yaml.Node) (*Rule, int64)

	// NewVariable creates a new Variable instance with an ID associated with the YAML node.
	NewVariable(*yaml.Node) (*Variable, int64)

	// NewMatch creates a new Match instance with an ID associated with the YAML node.
	NewMatch(*yaml.Node) (*Match, int64)

	// NewString creates a new ValueString from the YAML node.
	NewString(*yaml.Node) ValueString

	// ParsePolicy will parse the target yaml node as though it is the top-level policy.
	ParsePolicy(ParserContext, *yaml.Node) *Policy

	// ParseRule will parse the current yaml node as though it is the entry point to a rule.
	ParseRule(ParserContext, *Policy, *yaml.Node) *Rule

	// ParseMatch will parse the current yaml node as though it is the entry point to a match.
	ParseMatch(ParserContext, *Policy, *yaml.Node) *Match

	// ParseVariable will parse the current yaml node as though it is the entry point to a variable.
	ParseVariable(ParserContext, *Policy, *yaml.Node) *Variable

	// ReportErrorAtID logs an error during parsing which is included in the issue set returned from
	// a failed parse.
	ReportErrorAtID(id int64, msg string, args ...any)
}
ParserContext declares a set of interfaces for creating and managing metadata for parsed policies.
type ParserOption ¶
ParserOption is a functional option for configuring Parser behavior.
type Policy ¶
type Policy struct {
// contains filtered or unexported fields
}
Policy declares a name, rule, and evaluation semantic for a given expression graph.
func NewPolicy ¶
func NewPolicy(src *Source, info *ast.SourceInfo) *Policy
NewPolicy creates a policy object which references a policy source and source information.
func (*Policy) GetExplanationOutputPolicy ¶
GetExplanationOutputPolicy returns a copy of the policy, except the output of each match block is replaced by the expression in the explanation field.
func (*Policy) MetadataKeys ¶
MetadataKeys returns a list of metadata keys set on the policy.
func (*Policy) SetMetadata ¶
SetMetadata updates a named metadata key with the given value.
func (*Policy) SetName ¶
func (p *Policy) SetName(name ValueString)
SetName configures the policy name.
func (*Policy) SourceInfo ¶
func (p *Policy) SourceInfo() *ast.SourceInfo
SourceInfo returns the policy file metadata about expression positions.
type RelativeSource ¶
RelativeSource represents an embedded source element within a larger source.
func (*RelativeSource) Content ¶
func (rel *RelativeSource) Content() string
Content returns the embedded source snippet.
func (*RelativeSource) OffsetLocation ¶
func (rel *RelativeSource) OffsetLocation(offset int32) (common.Location, bool)
OffsetLocation returns the absolute location given the relative offset, if found.
type Rule ¶
type Rule struct {
// contains filtered or unexported fields
}
Rule declares a rule identifier, description, along with a set of variables and match statements.
func (*Rule) AddVariable ¶
AddVariable adds a variable to the rule.
func (*Rule) Description ¶
func (r *Rule) Description() ValueString
Description returns the rule description if it is set.
func (*Rule) SetDescription ¶
func (r *Rule) SetDescription(desc ValueString)
SetDescription configures the description for the rule.
type RuleComposer ¶
type RuleComposer struct {
// contains filtered or unexported fields
}
RuleComposer optimizes a set of expressions into a single expression.
func NewRuleComposer ¶
func NewRuleComposer(env *cel.Env, p *Policy) *RuleComposer
NewRuleComposer creates a rule composer which stitches together rules within a policy into a single CEL expression.
func (*RuleComposer) Compose ¶
func (c *RuleComposer) Compose(r *CompiledRule) (*cel.Ast, *cel.Issues)
Compose stitches together a set of expressions within a CompiledRule into a single CEL ast.
type Source ¶
Source represents the contents of a single source file.
func ByteSource ¶
ByteSource converts a byte sequence and location description to a model.Source.
func StringSource ¶
StringSource converts a string and location description to a model.Source.
type TagVisitor ¶
type TagVisitor interface {
	// PolicyTag accepts a parser context, field id, tag name, yaml node, and parent Policy to allow for
	// continued parsing within a custom tag.
	PolicyTag(ParserContext, int64, string, *yaml.Node, *Policy)

	// RuleTag accepts a parser context, field id, tag name, yaml node, as well as the parent policy and
	// current rule to allow for continued parsing within custom tags.
	RuleTag(ParserContext, int64, string, *yaml.Node, *Policy, *Rule)

	// MatchTag accepts a parser context, field id, tag name, yaml node, as well as the parent policy and
	// current match to allow for continued parsing within custom tags.
	MatchTag(ParserContext, int64, string, *yaml.Node, *Policy, *Match)

	// VariableTag accepts a parser context, field id, tag name, yaml node, as well as the parent policy and
	// current variable to allow for continued parsing within custom tags.
	VariableTag(ParserContext, int64, string, *yaml.Node, *Policy, *Variable)
}
TagVisitor declares a set of interfaces for handling custom tags which would otherwise be unsupported within the policy, rule, match, or variable objects.
func DefaultTagVisitor ¶
func DefaultTagVisitor() TagVisitor
DefaultTagVisitor creates a tag visitor which produces errors for any non-canonical YAML tag.
type TestCase ¶
type TestCase struct {
	Name   string               `yaml:"name"`
	Input  map[string]TestInput `yaml:"input"`
	Output string               `yaml:"output"`
}
TestCase describes a named test scenario with a set of inputs and expected outputs.
Note, when a test requires additional functions to be provided to execute, the test harness must supply these functions.
type TestInput ¶
type TestInput struct {
	// Value is a simple literal value.
	Value any `yaml:"value"`

	// Expr is a CEL expression based input.
	Expr string `yaml:"expr"`

	// ContextExpr is a CEL expression which is used as cel.ContextProtoVars
	ContextExpr string `yaml:"context_expr"`
}
TestInput represents an input literal value or expression.
type TestSection ¶
TestSection describes a related set of tests associated with a behavior.
type TestSuite ¶
type TestSuite struct {
	Description string         `yaml:"description"`
	Sections    []*TestSection `yaml:"section"`
}
TestSuite describes a set of tests divided by section.
type TypeDecl ¶
type TypeDecl struct {
	TypeName    string      `yaml:"type_name"`
	Params      []*TypeDecl `yaml:"params"`
	IsTypeParam bool        `yaml:"is_type_param"`
}
TypeDecl represents a YAML serializable CEL type reference.
type ValueString ¶
ValueString contains an identifier corresponding to source metadata and a simple string.
type Variable ¶
type Variable struct {
// contains filtered or unexported fields
}
Variable is a named expression which may be referenced in subsequent expressions.
func NewVariable ¶
NewVariable creates a variable instance.
func (*Variable) Expression ¶
func (v *Variable) Expression() ValueString
Expression returns the variable expression.
func (*Variable) SetExpression ¶
func (v *Variable) SetExpression(e ValueString)
SetExpression sets the variable expression.
func (*Variable) SetName ¶
func (v *Variable) SetName(name ValueString)
SetName sets the variable name.
type VariableDecl ¶
type VariableDecl struct {
	Name         string    `yaml:"name"`
	Type         *TypeDecl `yaml:"type"`
	ContextProto string    `yaml:"context_proto"`
}
VariableDecl represents a YAML serializable CEL variable declaration.
func (*VariableDecl) AsEnvOption ¶
AsEnvOption converts a VariableDecl type to a CEL environment option.
Note, variable definitions with differing type definitions will result in an error during the compile step.