Documentation ¶
Overview ¶
Package ast declares Rego syntax tree types and also includes a parser and compiler for preparing policies for execution in the policy engine.
Rego policies are defined using a relatively small set of types: modules, package and import declarations, rules, expressions, and terms. At their core, policies consist of rules that are defined by one or more expressions over documents available to the policy engine. The expressions are defined by intrinsic values (terms) such as strings, objects, variables, etc.
Rego policies are typically defined in text files and then parsed and compiled by the policy engine at runtime. The parsing stage takes the text or string representation of the policy and converts it into an abstract syntax tree (AST) that consists of the types mentioned above. The AST is organized as follows:
Module | +--- Package (Reference) | +--- Imports | | | +--- Import (Term) | +--- Rules | +--- Rule | +--- Head | | | +--- Name (Variable) | | | +--- Key (Term) | | | +--- Value (Term) | +--- Body | +--- Expression (Term | Terms | Variable Declaration)
At query time, the policy engine expects policies to have been compiled. The compilation stage takes one or more modules and compiles them into a format that the policy engine supports.
nolint: deadcode // Public API.
Index ¶
- Constants
- Variables
- func As(v Value, x interface{}) error
- func Compare(a, b interface{}) int
- func ContainsComprehensions(v interface{}) bool
- func ContainsRefs(v interface{}) bool
- func Copy(x interface{}) interface{}
- func IsComprehension(x Value) bool
- func IsConstant(v Value) bool
- func IsError(code string, err error) bool
- func IsKeyword(s string) bool
- func IsScalar(v Value) bool
- func IsUnknownValueErr(err error) bool
- func IsValidImportPath(v Value) (err error)
- func JSON(v Value) (interface{}, error)
- func JSONWithOpt(v Value, opt JSONOpt) (interface{}, error)
- func MustJSON(v Value) interface{}
- func ParseStatements(filename, input string) ([]Statement, []*Comment, error)
- func ParseStatementsWithOpts(filename, input string, popts ParserOptions) ([]Statement, []*Comment, error)
- func Pretty(w io.Writer, x interface{})
- func RegisterBuiltin(b *Builtin)
- func Transform(t Transformer, x interface{}) (interface{}, error)
- func TransformComprehensions(x interface{}, f func(interface{}) (Value, error)) (interface{}, error)
- func TransformRefs(x interface{}, f func(Ref) (Value, error)) (interface{}, error)
- func TransformVars(x interface{}, f func(Var) (Value, error)) (interface{}, error)
- func TypeName(x interface{}) string
- func ValueToInterface(v Value, resolver Resolver) (interface{}, error)
- func Walk(v Visitor, x interface{})
- func WalkBeforeAndAfter(v BeforeAndAfterVisitor, x interface{})
- func WalkBodies(x interface{}, f func(Body) bool)
- func WalkClosures(x interface{}, f func(interface{}) bool)
- func WalkExprs(x interface{}, f func(*Expr) bool)
- func WalkNodes(x interface{}, f func(Node) bool)
- func WalkRefs(x interface{}, f func(Ref) bool)
- func WalkRules(x interface{}, f func(*Rule) bool)
- func WalkTerms(x interface{}, f func(*Term) bool)
- func WalkVars(x interface{}, f func(Var) bool)
- func WalkWiths(x interface{}, f func(*With) bool)
- type Annotations
- type ArgErrDetail
- type Args
- type Array
- func (arr *Array) Append(v *Term) *Array
- func (arr *Array) Compare(other Value) int
- func (arr *Array) Copy() *Array
- func (arr *Array) Elem(i int) *Term
- func (arr *Array) Equal(other Value) bool
- func (arr *Array) Find(path Ref) (Value, error)
- func (arr *Array) Foreach(f func(*Term))
- func (arr *Array) Get(pos *Term) *Term
- func (arr *Array) Hash() int
- func (arr *Array) IsGround() bool
- func (arr *Array) Iter(f func(*Term) error) error
- func (arr *Array) Len() int
- func (arr *Array) MarshalJSON() ([]byte, error)
- func (arr *Array) Slice(i, j int) *Array
- func (arr *Array) Sorted() *Array
- func (arr *Array) String() string
- func (arr *Array) Until(f func(*Term) bool) bool
- type ArrayComprehension
- func (ac *ArrayComprehension) Compare(other Value) int
- func (ac *ArrayComprehension) Copy() *ArrayComprehension
- func (ac *ArrayComprehension) Equal(other Value) bool
- func (ac *ArrayComprehension) Find(path Ref) (Value, error)
- func (ac *ArrayComprehension) Hash() int
- func (ac *ArrayComprehension) IsGround() bool
- func (ac *ArrayComprehension) String() string
- type BeforeAfterVisitor
- type BeforeAndAfterVisitor
- type Body
- func (body *Body) Append(expr *Expr)
- func (body Body) Compare(other Body) int
- func (body Body) Contains(x *Expr) bool
- func (body Body) Copy() Body
- func (body Body) Equal(other Body) bool
- func (body Body) Hash() int
- func (body Body) IsGround() bool
- func (body Body) Loc() *Location
- func (body Body) MarshalJSON() ([]byte, error)
- func (body Body) Set(expr *Expr, pos int)
- func (body Body) SetLoc(loc *Location)
- func (body Body) String() string
- func (body Body) Vars(params VarVisitorParams) VarSet
- type Boolean
- type Builtin
- type Call
- type Capabilities
- type Comment
- type Compiler
- func (c *Compiler) Compile(modules map[string]*Module)
- func (c *Compiler) ComprehensionIndex(term *Term) *ComprehensionIndex
- func (c *Compiler) Failed() bool
- func (c *Compiler) GetArity(ref Ref) int
- func (c *Compiler) GetRules(ref Ref) (rules []*Rule)
- func (c *Compiler) GetRulesDynamic(ref Ref) (rules []*Rule)
- func (c *Compiler) GetRulesExact(ref Ref) (rules []*Rule)
- func (c *Compiler) GetRulesForVirtualDocument(ref Ref) (rules []*Rule)
- func (c *Compiler) GetRulesWithPrefix(ref Ref) (rules []*Rule)
- func (c *Compiler) PassesTypeCheck(body Body) bool
- func (c *Compiler) QueryCompiler() QueryCompiler
- func (c *Compiler) RuleIndex(path Ref) RuleIndex
- func (c *Compiler) SetErrorLimit(limit int) *Compiler
- func (c *Compiler) WithBuiltins(builtins map[string]*Builtin) *Compiler
- func (c *Compiler) WithCapabilities(capabilities *Capabilities) *Compiler
- func (c *Compiler) WithDebug(sink io.Writer) *Compiler
- func (c *Compiler) WithMetrics(metrics metrics.Metrics) *Compiler
- func (c *Compiler) WithModuleLoader(f ModuleLoader) *Compiler
- func (c *Compiler) WithPathConflictsCheck(fn func([]string) (bool, error)) *Compiler
- func (c *Compiler) WithSchemas(schemas *SchemaSet) *Compiler
- func (c *Compiler) WithStageAfter(after string, stage CompilerStageDefinition) *Compiler
- func (c *Compiler) WithUnsafeBuiltins(unsafeBuiltins map[string]struct{}) *Compiler
- type CompilerStage
- type CompilerStageDefinition
- type ComprehensionIndex
- type DocKind
- type Error
- type ErrorDetails
- type Errors
- type Expr
- func (expr *Expr) Compare(other *Expr) int
- func (expr *Expr) Complement() *Expr
- func (expr *Expr) Copy() *Expr
- func (expr *Expr) Equal(other *Expr) bool
- func (expr *Expr) Hash() int
- func (expr *Expr) IncludeWith(target *Term, value *Term) *Expr
- func (expr *Expr) IsAssignment() bool
- func (expr *Expr) IsCall() bool
- func (expr *Expr) IsEquality() bool
- func (expr *Expr) IsGround() bool
- func (expr *Expr) Loc() *Location
- func (expr *Expr) NoWith() *Expr
- func (expr *Expr) Operand(pos int) *Term
- func (expr *Expr) Operands() []*Term
- func (expr *Expr) Operator() Ref
- func (expr *Expr) SetLoc(loc *Location)
- func (expr *Expr) SetLocation(loc *Location) *Expr
- func (expr *Expr) SetOperator(term *Term) *Expr
- func (expr *Expr) String() string
- func (expr *Expr) UnmarshalJSON(bs []byte) error
- func (expr *Expr) Vars(params VarVisitorParams) VarSet
- type GenericTransformer
- type GenericVisitor
- type Graph
- type GraphTraversal
- type Head
- type Import
- type IndexResult
- type JSONOpt
- type Location
- type Module
- type ModuleLoader
- type ModuleTreeNode
- type Node
- type Null
- type Number
- func (num Number) Compare(other Value) int
- func (num Number) Equal(other Value) bool
- func (num Number) Find(path Ref) (Value, error)
- func (num Number) Float64() (float64, bool)
- func (num Number) Hash() int
- func (num Number) Int() (int, bool)
- func (num Number) Int64() (int64, bool)
- func (num Number) IsGround() bool
- func (num Number) MarshalJSON() ([]byte, error)
- func (num Number) String() string
- type Object
- type ObjectComprehension
- func (oc *ObjectComprehension) Compare(other Value) int
- func (oc *ObjectComprehension) Copy() *ObjectComprehension
- func (oc *ObjectComprehension) Equal(other Value) bool
- func (oc *ObjectComprehension) Find(path Ref) (Value, error)
- func (oc *ObjectComprehension) Hash() int
- func (oc *ObjectComprehension) IsGround() bool
- func (oc *ObjectComprehension) String() string
- type Package
- type Parser
- type ParserErrorDetail
- type ParserOptions
- type QueryCompiler
- type QueryCompilerStage
- type QueryCompilerStageDefinition
- type QueryContext
- type QueryIterator
- type Ref
- func (ref Ref) Append(term *Term) Ref
- func (ref Ref) Compare(other Value) int
- func (ref Ref) Concat(terms []*Term) Ref
- func (ref Ref) ConstantPrefix() Ref
- func (ref Ref) Copy() Ref
- func (ref Ref) Dynamic() int
- func (ref Ref) Equal(other Value) bool
- func (ref Ref) Extend(other Ref) Ref
- func (ref Ref) Find(path Ref) (Value, error)
- func (ref Ref) GroundPrefix() Ref
- func (ref Ref) HasPrefix(other Ref) bool
- func (ref Ref) Hash() int
- func (ref Ref) Insert(x *Term, pos int) Ref
- func (ref Ref) IsGround() bool
- func (ref Ref) IsNested() bool
- func (ref Ref) OutputVars() VarSet
- func (ref Ref) Ptr() (string, error)
- func (ref Ref) String() string
- type RefErrInvalidDetail
- type RefErrUnsupportedDetail
- type Resolver
- type Rule
- func MustParseRule(input string) *Rule
- func ParseCompleteDocRuleFromAssignmentExpr(module *Module, lhs, rhs *Term) (*Rule, error)
- func ParseCompleteDocRuleFromEqExpr(module *Module, lhs, rhs *Term) (*Rule, error)
- func ParsePartialObjectDocRuleFromEqExpr(module *Module, lhs, rhs *Term) (*Rule, error)
- func ParsePartialSetDocRuleFromTerm(module *Module, term *Term) (*Rule, error)
- func ParseRule(input string) (*Rule, error)
- func ParseRuleFromBody(module *Module, body Body) (*Rule, error)
- func ParseRuleFromCallEqExpr(module *Module, lhs, rhs *Term) (*Rule, error)
- func ParseRuleFromCallExpr(module *Module, terms []*Term) (*Rule, error)
- func ParseRuleFromExpr(module *Module, expr *Expr) (*Rule, error)
- type RuleIndex
- type RuleSet
- type SchemaAnnotation
- type SchemaSet
- type Set
- type SetComprehension
- func (sc *SetComprehension) Compare(other Value) int
- func (sc *SetComprehension) Copy() *SetComprehension
- func (sc *SetComprehension) Equal(other Value) bool
- func (sc *SetComprehension) Find(path Ref) (Value, error)
- func (sc *SetComprehension) Hash() int
- func (sc *SetComprehension) IsGround() bool
- func (sc *SetComprehension) String() string
- type SomeDecl
- type Statement
- type String
- type Term
- func ArrayComprehensionTerm(term *Term, body Body) *Term
- func ArrayTerm(a ...*Term) *Term
- func BooleanTerm(b bool) *Term
- func CallTerm(terms ...*Term) *Term
- func FloatNumberTerm(f float64) *Term
- func IntNumberTerm(i int) *Term
- func Item(key, value *Term) [2]*Term
- func MustParseTerm(input string) *Term
- func NewTerm(v Value) *Term
- func NullTerm() *Term
- func NumberTerm(n json.Number) *Term
- func ObjectComprehensionTerm(key, value *Term, body Body) *Term
- func ObjectTerm(o ...[2]*Term) *Term
- func ParseTerm(input string) (*Term, error)
- func RefTerm(r ...*Term) *Term
- func SetComprehensionTerm(term *Term, body Body) *Term
- func SetTerm(t ...*Term) *Term
- func StringTerm(s string) *Term
- func UIntNumberTerm(u uint64) *Term
- func VarTerm(v string) *Term
- func (term *Term) Copy() *Term
- func (term *Term) Equal(other *Term) bool
- func (term *Term) Get(name *Term) *Term
- func (term *Term) Hash() int
- func (term *Term) IsGround() bool
- func (term *Term) Loc() *Location
- func (term *Term) MarshalJSON() ([]byte, error)
- func (term *Term) SetLoc(loc *Location)
- func (term *Term) SetLocation(loc *Location) *Term
- func (term *Term) String() string
- func (term *Term) UnmarshalJSON(bs []byte) error
- func (term *Term) Vars() VarSet
- type Transformer
- type TreeNode
- type TypeEnv
- type UnificationErrDetail
- type UnknownValueErr
- type Value
- type ValueMap
- func (vs *ValueMap) Copy() *ValueMap
- func (vs *ValueMap) Delete(k Value)
- func (vs *ValueMap) Equal(other *ValueMap) bool
- func (vs *ValueMap) Get(k Value) Value
- func (vs *ValueMap) Hash() int
- func (vs *ValueMap) Iter(iter func(Value, Value) bool) bool
- func (vs *ValueMap) Len() int
- func (vs *ValueMap) MarshalJSON() ([]byte, error)
- func (vs *ValueMap) Put(k, v Value)
- func (vs *ValueMap) String() string
- type ValueResolver
- type Var
- type VarSet
- func (s VarSet) Add(v Var)
- func (s VarSet) Contains(v Var) bool
- func (s VarSet) Copy() VarSet
- func (s VarSet) Diff(vs VarSet) VarSet
- func (s VarSet) Equal(vs VarSet) bool
- func (s VarSet) Intersect(vs VarSet) VarSet
- func (s VarSet) Sorted() []Var
- func (s VarSet) String() string
- func (s VarSet) Update(vs VarSet)
- type VarVisitor
- type VarVisitorParams
- type Visitor
- type WasmABIVersion
- type With
Examples ¶
Constants ¶
const ( // ParseErr indicates an unclassified parse error occurred. ParseErr = "rego_parse_error" // CompileErr indicates an unclassified compile error occurred. CompileErr = "rego_compile_error" // TypeErr indicates a type error was caught. TypeErr = "rego_type_error" // UnsafeVarErr indicates an unsafe variable was found during compilation. UnsafeVarErr = "rego_unsafe_var_error" // RecursionErr indicates recursion was found during compilation. RecursionErr = "rego_recursion_error" )
const ( // CompleteDoc represents a document that is completely defined by the rule. CompleteDoc = iota // PartialSetDoc represents a set document that is partially defined by the rule. PartialSetDoc = iota // PartialObjectDoc represents an object document that is partially defined by the rule. PartialObjectDoc = iota )
const CompileErrorLimitDefault = 10
CompileErrorLimitDefault is the default number errors a compiler will allow before exiting.
Variables ¶
var Abs = &Builtin{ Name: "abs", Decl: types.NewFunction( types.Args(types.N), types.N, ), }
Abs returns the number without its sign.
var AddDate = &Builtin{ Name: "time.add_date", Decl: types.NewFunction( types.Args( types.N, types.N, types.N, types.N, ), types.N, ), }
AddDate returns the nanoseconds since epoch after adding years, months and days to nanoseconds.
var All = &Builtin{ Name: "all", Decl: types.NewFunction( types.Args( types.NewAny( types.NewSet(types.A), types.NewArray(nil, types.A), ), ), types.B, ), }
All takes a list and returns true if all of the items are true. A collection of length 0 returns true.
var And = &Builtin{ Name: "and", Infix: "&", Decl: types.NewFunction( types.Args( types.NewSet(types.A), types.NewSet(types.A), ), types.NewSet(types.A), ), }
And performs an intersection operation on sets.
var Any = &Builtin{ Name: "any", Decl: types.NewFunction( types.Args( types.NewAny( types.NewSet(types.A), types.NewArray(nil, types.A), ), ), types.B, ), }
Any takes a collection and returns true if any of the items is true. A collection of length 0 returns false.
var ArrayConcat = &Builtin{ Name: "array.concat", Decl: types.NewFunction( types.Args( types.NewArray(nil, types.A), types.NewArray(nil, types.A), ), types.NewArray(nil, types.A), ), }
ArrayConcat returns the result of concatenating two arrays together.
var ArraySlice = &Builtin{ Name: "array.slice", Decl: types.NewFunction( types.Args( types.NewArray(nil, types.A), types.NewNumber(), types.NewNumber(), ), types.NewArray(nil, types.A), ), }
ArraySlice returns a slice of a given array
var Assign = &Builtin{ Name: "assign", Infix: ":=", Decl: types.NewFunction( types.Args(types.A, types.A), types.B, ), }
Assign represents the assignment (":=") operator.
var Base64Decode = &Builtin{ Name: "base64.decode", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
Base64Decode deserializes the base64 encoded input string.
var Base64Encode = &Builtin{ Name: "base64.encode", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
Base64Encode serializes the input string into base64 encoding.
var Base64IsValid = &Builtin{ Name: "base64.is_valid", Decl: types.NewFunction( types.Args(types.S), types.B, ), }
Base64IsValid verifies the input string is base64 encoded.
var Base64UrlDecode = &Builtin{ Name: "base64url.decode", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
Base64UrlDecode deserializes the base64url encoded input string.
var Base64UrlEncode = &Builtin{ Name: "base64url.encode", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
Base64UrlEncode serializes the input string into base64url encoding.
var Base64UrlEncodeNoPad = &Builtin{ Name: "base64url.encode_no_pad", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
Base64UrlEncodeNoPad serializes the input string into base64url encoding without padding.
var BitsAnd = &Builtin{ Name: "bits.and", Decl: types.NewFunction( types.Args(types.N, types.N), types.N, ), }
BitsAnd returns the bitwise "and" of two integers.
var BitsNegate = &Builtin{ Name: "bits.negate", Decl: types.NewFunction( types.Args(types.N), types.N, ), }
BitsNegate returns the bitwise "negation" of an integer (i.e. flips each bit).
var BitsOr = &Builtin{ Name: "bits.or", Decl: types.NewFunction( types.Args(types.N, types.N), types.N, ), }
BitsOr returns the bitwise "or" of two integers.
var BitsShiftLeft = &Builtin{ Name: "bits.lsh", Decl: types.NewFunction( types.Args(types.N, types.N), types.N, ), }
BitsShiftLeft returns a new integer with its bits shifted some value to the left.
var BitsShiftRight = &Builtin{ Name: "bits.rsh", Decl: types.NewFunction( types.Args(types.N, types.N), types.N, ), }
BitsShiftRight returns a new integer with its bits shifted some value to the right.
var BitsXOr = &Builtin{ Name: "bits.xor", Decl: types.NewFunction( types.Args(types.N, types.N), types.N, ), }
BitsXOr returns the bitwise "exclusive-or" of two integers.
var BuiltinMap map[string]*Builtin
BuiltinMap provides a convenient mapping of built-in names to built-in definitions.
var Builtins []*Builtin
Builtins is the registry of built-in functions supported by OPA. Call RegisterBuiltin to add a new built-in.
var CastArray = &Builtin{ Name: "cast_array", Decl: types.NewFunction( types.Args(types.A), types.NewArray(nil, types.A), ), }
CastArray checks the underlying type of the input. If it is array or set, an array containing the values is returned. If it is not an array, an error is thrown.
var CastBoolean = &Builtin{ Name: "cast_boolean", Decl: types.NewFunction( types.Args(types.A), types.B, ), }
CastBoolean returns input if it is a boolean; if not returns error.
var CastNull = &Builtin{ Name: "cast_null", Decl: types.NewFunction( types.Args(types.A), types.NewNull(), ), }
CastNull returns null if input is null; if not returns error.
var CastObject = &Builtin{ Name: "cast_object", Decl: types.NewFunction( types.Args(types.A), types.NewObject(nil, types.NewDynamicProperty(types.A, types.A)), ), }
CastObject returns the given object if it is null; throws an error otherwise
var CastSet = &Builtin{ Name: "cast_set", Decl: types.NewFunction( types.Args(types.A), types.NewSet(types.A), ), }
CastSet checks the underlying type of the input. If it is a set, the set is returned. If it is an array, the array is returned in set form (all duplicates removed) If neither, an error is thrown
var CastString = &Builtin{ Name: "cast_string", Decl: types.NewFunction( types.Args(types.A), types.S, ), }
CastString returns input if it is a string; if not returns error. For formatting variables, see sprintf
var Ceil = &Builtin{ Name: "ceil", Decl: types.NewFunction( types.Args(types.N), types.N, ), }
Ceil rounds the number up to the nearest integer.
var Clock = &Builtin{ Name: "time.clock", Decl: types.NewFunction( types.Args( types.NewAny( types.N, types.NewArray([]types.Type{types.N, types.S}, nil), ), ), types.NewArray([]types.Type{types.N, types.N, types.N}, nil), ), }
Clock returns the [hour, minute, second] of the day for the nanoseconds since epoch.
var Concat = &Builtin{ Name: "concat", Decl: types.NewFunction( types.Args( types.S, types.NewAny( types.NewSet(types.S), types.NewArray(nil, types.S), ), ), types.S, ), }
Concat joins an array of strings with an input string.
var Contains = &Builtin{ Name: "contains", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
Contains returns true if the search string is included in the base string
var Count = &Builtin{ Name: "count", Decl: types.NewFunction( types.Args( types.NewAny( types.NewSet(types.A), types.NewArray(nil, types.A), types.NewObject(nil, types.NewDynamicProperty(types.A, types.A)), types.S, ), ), types.N, ), }
Count takes a collection or string and counts the number of elements in it.
var CryptoMd5 = &Builtin{ Name: "crypto.md5", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
CryptoMd5 returns a string representing the input string hashed with the md5 function
var CryptoSha1 = &Builtin{ Name: "crypto.sha1", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
CryptoSha1 returns a string representing the input string hashed with the sha1 function
var CryptoSha256 = &Builtin{ Name: "crypto.sha256", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
CryptoSha256 returns a string representing the input string hashed with the sha256 function
var CryptoX509ParseAndVerifyCertificates = &Builtin{ Name: "crypto.x509.parse_and_verify_certificates", Decl: types.NewFunction( types.Args(types.S), types.NewArray([]types.Type{ types.B, types.NewArray(nil, types.NewObject(nil, types.NewDynamicProperty(types.S, types.A))), }, nil), ), }
CryptoX509ParseAndVerifyCertificates returns one or more certificates from the given string containing PEM or base64 encoded DER certificates after verifying the supplied certificates form a complete certificate chain back to a trusted root.
The first certificate is treated as the root and the last is treated as the leaf, with all others being treated as intermediates
var CryptoX509ParseCertificateRequest = &Builtin{ Name: "crypto.x509.parse_certificate_request", Decl: types.NewFunction( types.Args(types.S), types.NewObject(nil, types.NewDynamicProperty(types.S, types.A)), ), }
CryptoX509ParseCertificateRequest returns a PKCS #10 certificate signing request from the given PEM-encoded PKCS#10 certificate signing request.
var CryptoX509ParseCertificates = &Builtin{ Name: "crypto.x509.parse_certificates", Decl: types.NewFunction( types.Args(types.S), types.NewArray(nil, types.NewObject(nil, types.NewDynamicProperty(types.S, types.A))), ), }
CryptoX509ParseCertificates returns one or more certificates from the given base64 encoded string containing DER encoded certificates that have been concatenated.
var Date = &Builtin{ Name: "time.date", Decl: types.NewFunction( types.Args( types.NewAny( types.N, types.NewArray([]types.Type{types.N, types.S}, nil), ), ), types.NewArray([]types.Type{types.N, types.N, types.N}, nil), ), }
Date returns the [year, month, day] for the nanoseconds since epoch.
var DefaultBuiltins = [...]*Builtin{}/* 156 elements not displayed */
DefaultBuiltins is the registry of built-in functions supported in OPA by default. When adding a new built-in function to OPA, update this list.
var DefaultRootDocument = VarTerm("data")
DefaultRootDocument is the default root document.
All package directives inside source files are implicitly prefixed with the DefaultRootDocument value.
var DefaultRootRef = Ref{DefaultRootDocument}
DefaultRootRef is a reference to the root of the default document.
All refs to data in the policy engine's storage layer are prefixed with this ref.
var Diff = &Builtin{ Name: "time.diff", Decl: types.NewFunction( types.Args( types.NewAny( types.N, types.NewArray([]types.Type{types.N, types.S}, nil), ), types.NewAny( types.N, types.NewArray([]types.Type{types.N, types.S}, nil), ), ), types.NewArray([]types.Type{types.N, types.N, types.N, types.N, types.N, types.N}, nil), ), }
Diff returns the difference [years, months, days, hours, minutes, seconds] between two unix timestamps in nanoseconds
var Divide = &Builtin{ Name: "div", Infix: "/", Decl: types.NewFunction( types.Args(types.N, types.N), types.N, ), }
Divide divides the first number by the second number.
var EndsWith = &Builtin{ Name: "endswith", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
EndsWith returns true if the search string begins with the base string
var Equal = &Builtin{ Name: "equal", Infix: "==", Decl: types.NewFunction( types.Args(types.A, types.A), types.B, ), }
Equal represents the "==" comparison operator.
var Equality = &Builtin{ Name: "eq", Infix: "=", Decl: types.NewFunction( types.Args(types.A, types.A), types.B, ), }
Equality represents the "=" operator.
var Floor = &Builtin{ Name: "floor", Decl: types.NewFunction( types.Args(types.N), types.N, ), }
Floor rounds the number down to the nearest integer.
var FormatInt = &Builtin{ Name: "format_int", Decl: types.NewFunction( types.Args( types.N, types.N, ), types.S, ), }
FormatInt returns the string representation of the number in the given base after converting it to an integer value.
var FunctionArgRootDocument = VarTerm("args")
FunctionArgRootDocument names the document containing function arguments. It's only for internal usage, for referencing function arguments between the index and topdown.
var GlobMatch = &Builtin{ Name: "glob.match", Decl: types.NewFunction( types.Args( types.S, types.NewArray(nil, types.S), types.S, ), types.B, ), }
GlobMatch - not to be confused with regex.globs_match - parses and matches strings against the glob notation.
var GlobQuoteMeta = &Builtin{ Name: "glob.quote_meta", Decl: types.NewFunction( types.Args( types.S, ), types.S, ), }
GlobQuoteMeta returns a string which represents a version of the pattern where all asterisks have been escaped.
var GlobsMatch = &Builtin{ Name: "regex.globs_match", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
GlobsMatch takes two strings regexp-style strings and evaluates to true if their intersection matches a non-empty set of non-empty strings. Examples:
- "a.a." and ".b.b" -> true.
- "[a-z]*" and [0-9]+" -> not true.
var GreaterThan = &Builtin{ Name: "gt", Infix: ">", Decl: types.NewFunction( types.Args(types.A, types.A), types.B, ), }
GreaterThan represents the ">" comparison operator.
var GreaterThanEq = &Builtin{ Name: "gte", Infix: ">=", Decl: types.NewFunction( types.Args(types.A, types.A), types.B, ), }
GreaterThanEq represents the ">=" comparison operator.
var HTTPSend = &Builtin{ Name: "http.send", Decl: types.NewFunction( types.Args( types.NewObject(nil, types.NewDynamicProperty(types.S, types.A)), ), types.NewObject(nil, types.NewDynamicProperty(types.A, types.A)), ), }
HTTPSend returns a HTTP response to the given HTTP request.
var HexDecode = &Builtin{ Name: "hex.decode", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
HexDecode deserializes the hex encoded input string.
var HexEncode = &Builtin{ Name: "hex.encode", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
HexEncode serializes the input string into hex encoding.
var IgnoreDuringPartialEval = []*Builtin{ NowNanos, HTTPSend, UUIDRFC4122, RandIntn, }
IgnoreDuringPartialEval is a set of built-in functions that should not be evaluated during partial evaluation. These functions are not partially evaluated because they are not pure.
var IndexOf = &Builtin{ Name: "indexof", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.N, ), }
IndexOf returns the index of a substring contained inside a string
var InputRootDocument = VarTerm("input")
InputRootDocument names the document containing query arguments.
var InputRootRef = Ref{InputRootDocument}
InputRootRef is a reference to the root of the input document.
All refs to query arguments are prefixed with this ref.
var Intersection = &Builtin{ Name: "intersection", Decl: types.NewFunction( types.Args( types.NewSet(types.NewSet(types.A)), ), types.NewSet(types.A), ), }
Intersection returns the intersection of the given input sets
var IsArray = &Builtin{ Name: "is_array", Decl: types.NewFunction( types.Args( types.A, ), types.B, ), }
IsArray returns true if the input value is an array.
var IsBoolean = &Builtin{ Name: "is_boolean", Decl: types.NewFunction( types.Args( types.A, ), types.B, ), }
IsBoolean returns true if the input value is a boolean.
var IsNull = &Builtin{ Name: "is_null", Decl: types.NewFunction( types.Args( types.A, ), types.B, ), }
IsNull returns true if the input value is null.
var IsNumber = &Builtin{ Name: "is_number", Decl: types.NewFunction( types.Args( types.A, ), types.B, ), }
IsNumber returns true if the input value is a number
var IsObject = &Builtin{ Name: "is_object", Decl: types.NewFunction( types.Args( types.A, ), types.B, ), }
IsObject returns true if the input value is an object.
var IsSet = &Builtin{ Name: "is_set", Decl: types.NewFunction( types.Args( types.A, ), types.B, ), }
IsSet returns true if the input value is a set.
var IsString = &Builtin{ Name: "is_string", Decl: types.NewFunction( types.Args( types.A, ), types.B, ), }
IsString returns true if the input value is a string.
var JSONFilter = &Builtin{ Name: "json.filter", Decl: types.NewFunction( types.Args( types.NewObject( nil, types.NewDynamicProperty(types.A, types.A), ), types.NewAny( types.NewArray( nil, types.NewAny( types.S, types.NewArray( nil, types.A, ), ), ), types.NewSet( types.NewAny( types.S, types.NewArray( nil, types.A, ), ), ), ), ), types.A, ), }
JSONFilter filters the JSON object
var JSONIsValid = &Builtin{ Name: "json.is_valid", Decl: types.NewFunction( types.Args(types.S), types.B, ), }
JSONIsValid verifies the input string is a valid JSON document.
var JSONMarshal = &Builtin{ Name: "json.marshal", Decl: types.NewFunction( types.Args(types.A), types.S, ), }
JSONMarshal serializes the input term.
var JSONPatch = &Builtin{ Name: "json.patch", Decl: types.NewFunction( types.Args( types.A, types.NewArray( nil, types.NewObject( []*types.StaticProperty{ {Key: "op", Value: types.S}, {Key: "path", Value: types.A}, }, types.NewDynamicProperty(types.A, types.A), ), ), ), types.A, ), }
JSONPatch patches a JSON object according to RFC6902
var JSONRemove = &Builtin{ Name: "json.remove", Decl: types.NewFunction( types.Args( types.NewObject( nil, types.NewDynamicProperty(types.A, types.A), ), types.NewAny( types.NewArray( nil, types.NewAny( types.S, types.NewArray( nil, types.A, ), ), ), types.NewSet( types.NewAny( types.S, types.NewArray( nil, types.A, ), ), ), ), ), types.A, ), }
JSONRemove removes paths in the JSON object
var JSONUnmarshal = &Builtin{ Name: "json.unmarshal", Decl: types.NewFunction( types.Args(types.S), types.A, ), }
JSONUnmarshal deserializes the input string.
var JWTDecode = &Builtin{ Name: "io.jwt.decode", Decl: types.NewFunction( types.Args(types.S), types.NewArray([]types.Type{ types.NewObject(nil, types.NewDynamicProperty(types.A, types.A)), types.NewObject(nil, types.NewDynamicProperty(types.A, types.A)), types.S, }, nil), ), }
JWTDecode decodes a JSON Web Token and outputs it as an Object.
var JWTDecodeVerify = &Builtin{ Name: "io.jwt.decode_verify", Decl: types.NewFunction( types.Args( types.S, types.NewObject(nil, types.NewDynamicProperty(types.S, types.A)), ), types.NewArray([]types.Type{ types.B, types.NewObject(nil, types.NewDynamicProperty(types.A, types.A)), types.NewObject(nil, types.NewDynamicProperty(types.A, types.A)), }, nil), ), }
JWTDecodeVerify verifies a JWT signature under parameterized constraints and decodes the claims if it is valid.
var JWTEncodeSign = &Builtin{ Name: "io.jwt.encode_sign", Decl: types.NewFunction( types.Args( types.NewObject(nil, types.NewDynamicProperty(types.S, types.A)), types.NewObject(nil, types.NewDynamicProperty(types.S, types.A)), types.NewObject(nil, types.NewDynamicProperty(types.S, types.A)), ), types.S, ), }
JWTEncodeSign encodes and optionally sign a JSON Web Token. Inputs are protected headers, payload, secret
var JWTEncodeSignRaw = &Builtin{ Name: "io.jwt.encode_sign_raw", Decl: types.NewFunction( types.Args( types.S, types.S, types.S, ), types.S, ), }
JWTEncodeSignRaw encodes and optionally sign a JSON Web Token. Inputs are protected headers, payload, secret
var JWTVerifyES256 = &Builtin{ Name: "io.jwt.verify_es256", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
JWTVerifyES256 verifies if a ES256 JWT signature is valid or not.
var JWTVerifyES384 = &Builtin{ Name: "io.jwt.verify_es384", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
JWTVerifyES384 verifies if a ES384 JWT signature is valid or not.
var JWTVerifyES512 = &Builtin{ Name: "io.jwt.verify_es512", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
JWTVerifyES512 verifies if a ES512 JWT signature is valid or not.
var JWTVerifyHS256 = &Builtin{ Name: "io.jwt.verify_hs256", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
JWTVerifyHS256 verifies if a HS256 (secret) JWT signature is valid or not.
var JWTVerifyHS384 = &Builtin{ Name: "io.jwt.verify_hs384", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
JWTVerifyHS384 verifies if a HS384 (secret) JWT signature is valid or not.
var JWTVerifyHS512 = &Builtin{ Name: "io.jwt.verify_hs512", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
JWTVerifyHS512 verifies if a HS512 (secret) JWT signature is valid or not.
var JWTVerifyPS256 = &Builtin{ Name: "io.jwt.verify_ps256", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
JWTVerifyPS256 verifies if a PS256 JWT signature is valid or not.
var JWTVerifyPS384 = &Builtin{ Name: "io.jwt.verify_ps384", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
JWTVerifyPS384 verifies if a PS384 JWT signature is valid or not.
var JWTVerifyPS512 = &Builtin{ Name: "io.jwt.verify_ps512", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
JWTVerifyPS512 verifies if a PS512 JWT signature is valid or not.
var JWTVerifyRS256 = &Builtin{ Name: "io.jwt.verify_rs256", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
JWTVerifyRS256 verifies if a RS256 JWT signature is valid or not.
var JWTVerifyRS384 = &Builtin{ Name: "io.jwt.verify_rs384", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
JWTVerifyRS384 verifies if a RS384 JWT signature is valid or not.
var JWTVerifyRS512 = &Builtin{ Name: "io.jwt.verify_rs512", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
JWTVerifyRS512 verifies if a RS512 JWT signature is valid or not.
var Keywords = [...]string{
"not",
"package",
"import",
"as",
"default",
"else",
"with",
"null",
"true",
"false",
"some",
}
Keywords contains strings that map to language keywords.
var LessThan = &Builtin{ Name: "lt", Infix: "<", Decl: types.NewFunction( types.Args(types.A, types.A), types.B, ), }
LessThan represents the "<" comparison operator.
var LessThanEq = &Builtin{ Name: "lte", Infix: "<=", Decl: types.NewFunction( types.Args(types.A, types.A), types.B, ), }
LessThanEq represents the "<=" comparison operator.
var Lower = &Builtin{ Name: "lower", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
Lower returns the input string but with all characters in lower-case
var Max = &Builtin{ Name: "max", Decl: types.NewFunction( types.Args( types.NewAny( types.NewSet(types.A), types.NewArray(nil, types.A), ), ), types.A, ), }
Max returns the maximum value in a collection.
var Min = &Builtin{ Name: "min", Decl: types.NewFunction( types.Args( types.NewAny( types.NewSet(types.A), types.NewArray(nil, types.A), ), ), types.A, ), }
Min returns the minimum value in a collection.
var Minus = &Builtin{ Name: "minus", Infix: "-", Decl: types.NewFunction( types.Args( types.NewAny(types.N, types.NewSet(types.A)), types.NewAny(types.N, types.NewSet(types.A)), ), types.NewAny(types.N, types.NewSet(types.A)), ), }
Minus subtracts the second number from the first number or computes the diff between two sets.
var Multiply = &Builtin{ Name: "mul", Infix: "*", Decl: types.NewFunction( types.Args(types.N, types.N), types.N, ), }
Multiply multiplies two numbers together.
var NetCIDRContains = &Builtin{ Name: "net.cidr_contains", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
NetCIDRContains checks if a cidr or ip is contained within another cidr and returns true or false
var NetCIDRContainsMatches = &Builtin{ Name: "net.cidr_contains_matches", Decl: types.NewFunction( types.Args(netCidrContainsMatchesOperandType, netCidrContainsMatchesOperandType), types.NewSet(types.NewArray([]types.Type{types.A, types.A}, nil)), ), }
NetCIDRContainsMatches checks if collections of cidrs or ips are contained within another collection of cidrs and returns matches.
var NetCIDRExpand = &Builtin{ Name: "net.cidr_expand", Decl: types.NewFunction( types.Args( types.S, ), types.NewSet(types.S), ), }
NetCIDRExpand returns a set of hosts inside the specified cidr.
var NetCIDRIntersects = &Builtin{ Name: "net.cidr_intersects", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
NetCIDRIntersects checks if a cidr intersects with another cidr and returns true or false
var NetCIDRMerge = &Builtin{ Name: "net.cidr_merge", Decl: types.NewFunction( types.Args(netCidrMergeOperandType), types.NewSet(types.S), ), }
NetCIDRMerge merges IP addresses and subnets into the smallest possible list of CIDRs.
var NetCIDROverlap = &Builtin{ Name: "net.cidr_overlap", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
NetCIDROverlap has been replaced by the `net.cidr_contains` built-in.
var NotEqual = &Builtin{ Name: "neq", Infix: "!=", Decl: types.NewFunction( types.Args(types.A, types.A), types.B, ), }
NotEqual represents the "!=" comparison operator.
var NowNanos = &Builtin{ Name: "time.now_ns", Decl: types.NewFunction( nil, types.N, ), }
NowNanos returns the current time since epoch in nanoseconds.
var NumbersRange = &Builtin{ Name: "numbers.range", Decl: types.NewFunction( types.Args( types.N, types.N, ), types.NewArray(nil, types.N), ), }
NumbersRange returns an array of numbers in the given inclusive range.
var OPARuntime = &Builtin{ Name: "opa.runtime", Decl: types.NewFunction( nil, types.NewObject(nil, types.NewDynamicProperty(types.S, types.A)), ), }
OPARuntime returns an object containing OPA runtime information such as the configuration that OPA was booted with.
var ObjectFilter = &Builtin{ Name: "object.filter", Decl: types.NewFunction( types.Args( types.NewObject( nil, types.NewDynamicProperty(types.A, types.A), ), types.NewAny( types.NewArray(nil, types.A), types.NewSet(types.A), types.NewObject(nil, types.NewDynamicProperty(types.A, types.A)), ), ), types.A, ), }
ObjectFilter filters the object by keeping only specified keys
var ObjectGet = &Builtin{ Name: "object.get", Decl: types.NewFunction( types.Args( types.NewObject(nil, types.NewDynamicProperty(types.A, types.A)), types.A, types.A, ), types.A, ), }
ObjectGet returns takes an object and returns a value under its key if present, otherwise it returns the default.
var ObjectRemove = &Builtin{ Name: "object.remove", Decl: types.NewFunction( types.Args( types.NewObject( nil, types.NewDynamicProperty(types.A, types.A), ), types.NewAny( types.NewArray(nil, types.A), types.NewSet(types.A), types.NewObject(nil, types.NewDynamicProperty(types.A, types.A)), ), ), types.A, ), }
ObjectRemove Removes specified keys from an object
var ObjectUnion = &Builtin{ Name: "object.union", Decl: types.NewFunction( types.Args( types.NewObject( nil, types.NewDynamicProperty(types.A, types.A), ), types.NewObject( nil, types.NewDynamicProperty(types.A, types.A), ), ), types.A, ), }
ObjectUnion creates a new object that is the asymmetric union of two objects
var Or = &Builtin{ Name: "or", Infix: "|", Decl: types.NewFunction( types.Args( types.NewSet(types.A), types.NewSet(types.A), ), types.NewSet(types.A), ), }
Or performs a union operation on sets.
var ParseDurationNanos = &Builtin{ Name: "time.parse_duration_ns", Decl: types.NewFunction( types.Args(types.S), types.N, ), }
ParseDurationNanos returns the duration in nanoseconds represented by a duration string. Duration string is similar to the Go time.ParseDuration string
var ParseNanos = &Builtin{ Name: "time.parse_ns", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.N, ), }
ParseNanos returns the time in nanoseconds parsed from the string in the given format.
var ParseRFC3339Nanos = &Builtin{ Name: "time.parse_rfc3339_ns", Decl: types.NewFunction( types.Args(types.S), types.N, ), }
ParseRFC3339Nanos returns the time in nanoseconds parsed from the string in RFC3339 format.
var Plus = &Builtin{ Name: "plus", Infix: "+", Decl: types.NewFunction( types.Args(types.N, types.N), types.N, ), }
Plus adds two numbers together.
var Product = &Builtin{ Name: "product", Decl: types.NewFunction( types.Args( types.NewAny( types.NewSet(types.N), types.NewArray(nil, types.N), ), ), types.N, ), }
Product takes an array or set of numbers and multiplies them.
var RandIntn = &Builtin{ Name: "rand.intn", Decl: types.NewFunction( types.Args( types.S, types.N, ), types.N, ), }
RandIntn returns a random number 0 - n
var ReachableBuiltin = &Builtin{ Name: "graph.reachable", Decl: types.NewFunction( types.Args( types.NewObject( nil, types.NewDynamicProperty( types.A, types.NewAny( types.NewSet(types.A), types.NewArray(nil, types.A)), )), types.NewAny(types.NewSet(types.A), types.NewArray(nil, types.A)), ), types.NewSet(types.A), ), }
ReachableBuiltin computes the set of reachable nodes in the graph from a set of starting nodes.
var RegexFind = &Builtin{ Name: "regex.find_n", Decl: types.NewFunction( types.Args( types.S, types.S, types.N, ), types.NewArray(nil, types.S), ), }
RegexFind takes two strings and a number, the pattern, the value and number of match values to return, -1 means all match values.
var RegexFindAllStringSubmatch = &Builtin{ Name: "regex.find_all_string_submatch_n", Decl: types.NewFunction( types.Args( types.S, types.S, types.N, ), types.NewArray(nil, types.NewArray(nil, types.S)), ), }
RegexFindAllStringSubmatch returns an array of all successive matches of the expression. It takes two strings and a number, the pattern, the value and number of matches to return, -1 means all matches.
var RegexIsValid = &Builtin{ Name: "regex.is_valid", Decl: types.NewFunction( types.Args( types.S, ), types.B, ), }
RegexIsValid returns true if the regex pattern string is valid, otherwise false.
var RegexMatch = &Builtin{ Name: "regex.match", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
RegexMatch takes two strings and evaluates to true if the string in the second position matches the pattern in the first position.
var RegexMatchDeprecated = &Builtin{ Name: "re_match", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
RegexMatchDeprecated declares `re_match` which has been deprecated. Use `regex.match` instead.
var RegexSplit = &Builtin{ Name: "regex.split", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.NewArray(nil, types.S), ), }
RegexSplit splits the input string by the occurrences of the given pattern.
var RegexTemplateMatch = &Builtin{ Name: "regex.template_match", Decl: types.NewFunction( types.Args( types.S, types.S, types.S, types.S, ), types.B, ), }
RegexTemplateMatch takes two strings and evaluates to true if the string in the second position matches the pattern in the first position.
var RegoParseModule = &Builtin{ Name: "rego.parse_module", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.NewObject(nil, types.NewDynamicProperty(types.S, types.A)), ), }
RegoParseModule parses the input Rego file and returns a JSON representation of the AST.
var Rem = &Builtin{ Name: "rem", Infix: "%", Decl: types.NewFunction( types.Args(types.N, types.N), types.N, ), }
Rem returns the remainder for x%y for y != 0.
var Replace = &Builtin{ Name: "replace", Decl: types.NewFunction( types.Args( types.S, types.S, types.S, ), types.S, ), }
Replace returns the given string with all instances of the second argument replaced by the third.
var ReplaceN = &Builtin{ Name: "strings.replace_n", Decl: types.NewFunction( types.Args( types.NewObject( nil, types.NewDynamicProperty( types.S, types.S)), types.S, ), types.S, ), }
ReplaceN replaces a string from a list of old, new string pairs. Replacements are performed in the order they appear in the target string, without overlapping matches. The old string comparisons are done in argument order.
var ReservedVars = NewVarSet( DefaultRootDocument.Value.(Var), InputRootDocument.Value.(Var), )
ReservedVars is the set of names that refer to implicitly ground vars.
var RootDocumentNames = NewSet( DefaultRootDocument, InputRootDocument, )
RootDocumentNames contains the names of top-level documents that can be referred to in modules and queries.
Note, the schema document is not currently implemented in the evaluator so it is not registered as a root document name (yet).
var RootDocumentRefs = NewSet( NewTerm(DefaultRootRef), NewTerm(InputRootRef), )
RootDocumentRefs contains the prefixes of top-level documents that all non-local references start with.
var Round = &Builtin{ Name: "round", Decl: types.NewFunction( types.Args(types.N), types.N, ), }
Round rounds the number to the nearest integer.
var SafetyCheckVisitorParams = VarVisitorParams{ SkipRefCallHead: true, SkipClosures: true, }
SafetyCheckVisitorParams defines the AST visitor parameters to use for collecting variables during the safety check. This has to be exported because it's relied on by the copy propagation implementation in topdown.
var SchemaRootDocument = VarTerm("schema")
SchemaRootDocument names the document containing external data schemas.
var SchemaRootRef = Ref{SchemaRootDocument}
SchemaRootRef is a reference to the root of the schema document.
All refs to schema documents are prefixed with this ref. Note, the schema document is not currently implemented in the evaluator so it is not registered as a root document ref (yet).
var SemVerCompare = &Builtin{ Name: "semver.compare", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.N, ), }
SemVerCompare compares valid SemVer formatted version strings. Given two version strings, if A < B returns -1, if A > B returns 1. If A == B, returns 0
var SemVerIsValid = &Builtin{ Name: "semver.is_valid", Decl: types.NewFunction( types.Args( types.A, ), types.B, ), }
SemVerIsValid validiates a the term is a valid SemVer as a string, returns false for all other input
var SetDiff = &Builtin{ Name: "set_diff", Decl: types.NewFunction( types.Args( types.NewSet(types.A), types.NewSet(types.A), ), types.NewSet(types.A), ), }
SetDiff has been replaced by the minus built-in.
var Sort = &Builtin{ Name: "sort", Decl: types.NewFunction( types.Args( types.NewAny( types.NewArray(nil, types.A), types.NewSet(types.A), ), ), types.NewArray(nil, types.A), ), }
Sort returns a sorted array.
var Split = &Builtin{ Name: "split", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.NewArray(nil, types.S), ), }
Split returns an array containing elements of the input string split on a delimiter.
var Sprintf = &Builtin{ Name: "sprintf", Decl: types.NewFunction( types.Args( types.S, types.NewArray(nil, types.A), ), types.S, ), }
Sprintf returns the given string, formatted.
var StartsWith = &Builtin{ Name: "startswith", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.B, ), }
StartsWith returns true if the search string begins with the base string
var Substring = &Builtin{ Name: "substring", Decl: types.NewFunction( types.Args( types.S, types.N, types.N, ), types.S, ), }
Substring returns the portion of a string for a given start index and a length.
If the length is less than zero, then substring returns the remainder of the string.
var Sum = &Builtin{ Name: "sum", Decl: types.NewFunction( types.Args( types.NewAny( types.NewSet(types.N), types.NewArray(nil, types.N), ), ), types.N, ), }
Sum takes an array or set of numbers and sums them.
var SystemDocumentKey = String("system")
SystemDocumentKey is the name of the top-level key that identifies the system document.
var ToNumber = &Builtin{ Name: "to_number", Decl: types.NewFunction( types.Args( types.NewAny( types.N, types.S, types.B, types.NewNull(), ), ), types.N, ), }
ToNumber takes a string, bool, or number value and converts it to a number. Strings are converted to numbers using strconv.Atoi. Boolean false is converted to 0 and boolean true is converted to 1.
var Trace = &Builtin{ Name: "trace", Decl: types.NewFunction( types.Args( types.S, ), types.B, ), }
Trace prints a note that is included in the query explanation.
var Trim = &Builtin{ Name: "trim", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.S, ), }
Trim returns the given string with all leading or trailing instances of the second argument removed.
var TrimLeft = &Builtin{ Name: "trim_left", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.S, ), }
TrimLeft returns the given string with all leading instances of second argument removed.
var TrimPrefix = &Builtin{ Name: "trim_prefix", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.S, ), }
TrimPrefix returns the given string without the second argument prefix string. If the given string doesn't start with prefix, it is returned unchanged.
var TrimRight = &Builtin{ Name: "trim_right", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.S, ), }
TrimRight returns the given string with all trailing instances of second argument removed.
var TrimSpace = &Builtin{ Name: "trim_space", Decl: types.NewFunction( types.Args( types.S, ), types.S, ), }
TrimSpace return the given string with all leading and trailing white space removed.
var TrimSuffix = &Builtin{ Name: "trim_suffix", Decl: types.NewFunction( types.Args( types.S, types.S, ), types.S, ), }
TrimSuffix returns the given string without the second argument suffix string. If the given string doesn't end with suffix, it is returned unchanged.
var TypeNameBuiltin = &Builtin{ Name: "type_name", Decl: types.NewFunction( types.Args( types.NewAny( types.A, ), ), types.S, ), }
TypeNameBuiltin returns the type of the input.
var URLQueryDecode = &Builtin{ Name: "urlquery.decode", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
URLQueryDecode decodes a URL encoded input string.
var URLQueryDecodeObject = &Builtin{ Name: "urlquery.decode_object", Decl: types.NewFunction( types.Args(types.S), types.NewObject(nil, types.NewDynamicProperty( types.S, types.NewArray(nil, types.S))), ), }
URLQueryDecodeObject decodes the given URL query string into an object.
var URLQueryEncode = &Builtin{ Name: "urlquery.encode", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
URLQueryEncode encodes the input string into a URL encoded string.
var URLQueryEncodeObject = &Builtin{ Name: "urlquery.encode_object", Decl: types.NewFunction( types.Args( types.NewObject( nil, types.NewDynamicProperty( types.S, types.NewAny( types.S, types.NewArray(nil, types.S), types.NewSet(types.S))))), types.S, ), }
URLQueryEncodeObject encodes the given JSON into a URL encoded query string.
var UUIDRFC4122 = &Builtin{ Name: "uuid.rfc4122", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
UUIDRFC4122 returns a version 4 UUID string.
var Union = &Builtin{ Name: "union", Decl: types.NewFunction( types.Args( types.NewSet(types.NewSet(types.A)), ), types.NewSet(types.A), ), }
Union returns the union of the given input sets
var UnitsParseBytes = &Builtin{ Name: "units.parse_bytes", Decl: types.NewFunction( types.Args( types.S, ), types.N, ), }
UnitsParseBytes converts strings like 10GB, 5K, 4mb, and the like into an integer number of bytes.
var Upper = &Builtin{ Name: "upper", Decl: types.NewFunction( types.Args(types.S), types.S, ), }
Upper returns the input string but with all characters in upper-case
var WalkBuiltin = &Builtin{ Name: "walk", Relation: true, Decl: types.NewFunction( types.Args(types.A), types.NewArray( []types.Type{ types.NewArray(nil, types.A), types.A, }, nil, ), ), }
WalkBuiltin generates [path, value] tuples for all nested documents (recursively).
var Weekday = &Builtin{ Name: "time.weekday", Decl: types.NewFunction( types.Args( types.NewAny( types.N, types.NewArray([]types.Type{types.N, types.S}, nil), ), ), types.S, ), }
Weekday returns the day of the week (Monday, Tuesday, ...) for the nanoseconds since epoch.
var Wildcard = &Term{Value: Var("_")}
Wildcard represents the wildcard variable as defined in the language.
var WildcardPrefix = "$"
WildcardPrefix is the special character that all wildcard variables are prefixed with when the statement they are contained in is parsed.
var YAMLIsValid = &Builtin{ Name: "yaml.is_valid", Decl: types.NewFunction( types.Args(types.S), types.B, ), }
YAMLIsValid verifies the input string is a valid YAML document.
var YAMLMarshal = &Builtin{ Name: "yaml.marshal", Decl: types.NewFunction( types.Args(types.A), types.S, ), }
YAMLMarshal serializes the input term.
var YAMLUnmarshal = &Builtin{ Name: "yaml.unmarshal", Decl: types.NewFunction( types.Args(types.S), types.A, ), }
YAMLUnmarshal deserializes the input string.
Functions ¶
func Compare ¶ added in v0.2.0
func Compare(a, b interface{}) int
Compare returns an integer indicating whether two AST values are less than, equal to, or greater than each other.
If a is less than b, the return value is negative. If a is greater than b, the return value is positive. If a is equal to b, the return value is zero.
Different types are never equal to each other. For comparison purposes, types are sorted as follows:
nil < Null < Boolean < Number < String < Var < Ref < Array < Object < Set < ArrayComprehension < ObjectComprehension < SetComprehension < Expr < SomeDecl < With < Body < Rule < Import < Package < Module.
Arrays and Refs are equal iff both a and b have the same length and all corresponding elements are equal. If one element is not equal, the return value is the same as for the first differing element. If all elements are equal but a and b have different lengths, the shorter is considered less than the other.
Objects are considered equal iff both a and b have the same sorted (key, value) pairs and are of the same length. Other comparisons are consistent but not defined.
Sets are considered equal iff the symmetric difference of a and b is empty. Other comparisons are consistent but not defined.
func ContainsComprehensions ¶ added in v0.5.8
func ContainsComprehensions(v interface{}) bool
ContainsComprehensions returns true if the Value v contains comprehensions.
func ContainsRefs ¶ added in v0.5.8
func ContainsRefs(v interface{}) bool
ContainsRefs returns true if the Value v contains refs.
func Copy ¶ added in v0.20.5
func Copy(x interface{}) interface{}
Copy returns a deep copy of the AST node x. If x is not an AST node, x is returned unmodified.
func IsComprehension ¶ added in v0.5.11
IsComprehension returns true if the supplied value is a comprehension.
func IsConstant ¶ added in v0.4.9
IsConstant returns true if the AST value is constant.
func IsUnknownValueErr ¶ added in v0.9.0
IsUnknownValueErr returns true if the err is an UnknownValueErr.
func IsValidImportPath ¶ added in v0.3.0
IsValidImportPath returns an error indicating if the import path is invalid. If the import path is invalid, err is nil.
func JSON ¶ added in v0.4.9
JSON returns the JSON representation of v. The value must not contain any refs or terms that require evaluation (e.g., vars, comprehensions, etc.)
func JSONWithOpt ¶ added in v0.27.1
JSONWithOpt returns the JSON representation of v. The value must not contain any refs or terms that require evaluation (e.g., vars, comprehensions, etc.)
func MustJSON ¶ added in v0.25.0
func MustJSON(v Value) interface{}
MustJSON returns the JSON representation of v. The value must not contain any refs or terms that require evaluation (e.g., vars, comprehensions, etc.) If the conversion fails, this function will panic. This function is mostly for test purposes.
func ParseStatements ¶
ParseStatements is deprecated. Use ParseStatementWithOpts instead.
func ParseStatementsWithOpts ¶ added in v0.28.0
func ParseStatementsWithOpts(filename, input string, popts ParserOptions) ([]Statement, []*Comment, error)
ParseStatementsWithOpts returns a slice of parsed statements. This is the default return value from the parser.
func Pretty ¶ added in v0.7.0
Pretty writes a pretty representation of the AST rooted at x to w.
This is function is intended for debug purposes when inspecting ASTs.
func RegisterBuiltin ¶
func RegisterBuiltin(b *Builtin)
RegisterBuiltin adds a new built-in function to the registry.
func Transform ¶ added in v0.2.0
func Transform(t Transformer, x interface{}) (interface{}, error)
Transform iterates the AST and calls the Transform function on the Transformer t for x before recursing.
func TransformComprehensions ¶ added in v0.5.8
func TransformComprehensions(x interface{}, f func(interface{}) (Value, error)) (interface{}, error)
TransformComprehensions calls the functio nf on all comprehensions under x.
func TransformRefs ¶ added in v0.2.0
TransformRefs calls the function f on all references under x.
func TransformVars ¶ added in v0.7.0
TransformVars calls the function f on all vars under x.
func TypeName ¶ added in v0.3.0
func TypeName(x interface{}) string
TypeName returns a human readable name for the AST element type.
func ValueToInterface ¶ added in v0.4.9
ValueToInterface returns the Go representation of an AST value. The AST value should not contain any values that require evaluation (e.g., vars, comprehensions, etc.)
func Walk ¶
func Walk(v Visitor, x interface{})
Walk iterates the AST by calling the Visit function on the Visitor v for x before recursing. This is deprecated.
func WalkBeforeAndAfter ¶ added in v0.7.0
func WalkBeforeAndAfter(v BeforeAndAfterVisitor, x interface{})
WalkBeforeAndAfter iterates the AST by calling the Visit function on the Visitor v for x before recursing. This is deprecated.
func WalkBodies ¶ added in v0.2.0
WalkBodies calls the function f on all bodies under x. If the function f returns true, AST nodes under the last node will not be visited.
func WalkClosures ¶
func WalkClosures(x interface{}, f func(interface{}) bool)
WalkClosures calls the function f on all closures under x. If the function f returns true, AST nodes under the last node will not be visited.
func WalkExprs ¶ added in v0.4.9
WalkExprs calls the function f on all expressions under x. If the function f returns true, AST nodes under the last node will not be visited.
func WalkNodes ¶ added in v0.9.2
WalkNodes calls the function f on all nodes under x. If the function f returns true, AST nodes under the last node will not be visited.
func WalkRefs ¶
WalkRefs calls the function f on all references under x. If the function f returns true, AST nodes under the last node will not be visited.
func WalkRules ¶ added in v0.4.10
WalkRules calls the function f on all rules under x. If the function f returns true, AST nodes under the last node will not be visited.
func WalkTerms ¶ added in v0.7.0
WalkTerms calls the function f on all terms under x. If the function f returns true, AST nodes under the last node will not be visited.
Types ¶
type Annotations ¶ added in v0.28.0
type Annotations struct { Location *Location `json:"-"` Scope string `json:"scope"` Schemas []*SchemaAnnotation `json:"schemas,omitempty"` // contains filtered or unexported fields }
Annotations represents metadata attached to other AST nodes such as rules.
func (*Annotations) Compare ¶ added in v0.28.0
func (s *Annotations) Compare(other *Annotations) int
Compare returns an integer indicating if s is less than, equal to, or greater than other.
func (*Annotations) Copy ¶ added in v0.28.0
func (s *Annotations) Copy(node Node) *Annotations
Copy returns a deep copy of s.
func (*Annotations) Loc ¶ added in v0.28.0
func (s *Annotations) Loc() *Location
Loc returns the location of this annotation.
func (*Annotations) SetLoc ¶ added in v0.28.0
func (s *Annotations) SetLoc(l *Location)
SetLoc updates the location of this annotation.
func (*Annotations) String ¶ added in v0.28.0
func (s *Annotations) String() string
type ArgErrDetail ¶ added in v0.4.9
ArgErrDetail represents a generic argument error.
func (*ArgErrDetail) Lines ¶ added in v0.4.9
func (d *ArgErrDetail) Lines() []string
Lines returns the string representation of the detail.
type Args ¶ added in v0.5.0
type Args []*Term
Args represents zero or more arguments to a rule.
type Array ¶
type Array struct {
// contains filtered or unexported fields
}
Array represents an array as defined by the language. Arrays are similar to the same types as defined by JSON with the exception that they can contain Vars and References.
func NewArray ¶ added in v0.23.0
NewArray creates an Array with the terms provided. The array will use the provided term slice.
func (*Array) Compare ¶ added in v0.5.0
Compare compares arr to other, return <0, 0, or >0 if it is less than, equal to, or greater than other.
func (*Array) Iter ¶ added in v0.23.0
Iter calls f on each element in arr. If f returns an error, iteration stops and the return value is the error.
func (*Array) MarshalJSON ¶ added in v0.3.0
MarshalJSON returns JSON encoded bytes representing arr.
func (*Array) Slice ¶ added in v0.23.0
Slice returns a slice of arr starting from i index to j. -1 indicates the end of the array. The returned value array is not a copy and any modifications to either of arrays may be reflected to the other.
type ArrayComprehension ¶
ArrayComprehension represents an array comprehension as defined in the language.
func (*ArrayComprehension) Compare ¶ added in v0.5.0
func (ac *ArrayComprehension) Compare(other Value) int
Compare compares ac to other, return <0, 0, or >0 if it is less than, equal to, or greater than other.
func (*ArrayComprehension) Copy ¶ added in v0.2.2
func (ac *ArrayComprehension) Copy() *ArrayComprehension
Copy returns a deep copy of ac.
func (*ArrayComprehension) Equal ¶
func (ac *ArrayComprehension) Equal(other Value) bool
Equal returns true if ac is equal to other.
func (*ArrayComprehension) Find ¶ added in v0.4.5
func (ac *ArrayComprehension) Find(path Ref) (Value, error)
Find returns the current value or a not found error.
func (*ArrayComprehension) Hash ¶
func (ac *ArrayComprehension) Hash() int
Hash returns the hash code of the Value.
func (*ArrayComprehension) IsGround ¶
func (ac *ArrayComprehension) IsGround() bool
IsGround returns true if the Term and Body are ground.
func (*ArrayComprehension) String ¶
func (ac *ArrayComprehension) String() string
type BeforeAfterVisitor ¶ added in v0.17.0
type BeforeAfterVisitor struct {
// contains filtered or unexported fields
}
BeforeAfterVisitor provides a utility to walk over AST nodes using closures. If the before closure returns true, the visitor will not walk over AST nodes under x. The after closure is invoked always after visiting a node.
func NewBeforeAfterVisitor ¶ added in v0.17.0
func NewBeforeAfterVisitor(before func(x interface{}) bool, after func(x interface{})) *BeforeAfterVisitor
NewBeforeAfterVisitor returns a new BeforeAndAfterVisitor that will invoke the functions before and after AST nodes.
func (*BeforeAfterVisitor) Walk ¶ added in v0.17.0
func (vis *BeforeAfterVisitor) Walk(x interface{})
Walk iterates the AST by calling the functions on the BeforeAndAfterVisitor before and after recursing. Contrary to the generic Walk, this does not require allocating the visitor from heap.
type BeforeAndAfterVisitor ¶ added in v0.7.0
type BeforeAndAfterVisitor interface { Visitor Before(x interface{}) After(x interface{}) }
BeforeAndAfterVisitor wraps Visitor to provide hooks for being called before and after the AST has been visited. This is deprecated.
type Body ¶
type Body []*Expr
Body represents one or more expressions contained inside a rule or user function.
func MustParseBody ¶
MustParseBody returns a parsed body. If an error occurs during parsing, panic.
func NewBody ¶ added in v0.2.0
NewBody returns a new Body containing the given expressions. The indices of the immediate expressions will be reset.
func ParseBody ¶
ParseBody returns exactly one body. If multiple bodies are parsed, an error is returned.
func (*Body) Append ¶ added in v0.4.1
Append adds the expr to the body and updates the expr's index accordingly.
func (Body) Compare ¶ added in v0.2.0
Compare returns an integer indicating whether body is less than, equal to, or greater than other.
If body is a subset of other, it is considered less than (and vice versa).
func (Body) MarshalJSON ¶ added in v0.9.0
MarshalJSON returns JSON encoded bytes representing body.
func (Body) Set ¶ added in v0.6.0
Set sets the expr in the body at the specified position and updates the expr's index accordingly.
func (Body) Vars ¶
func (body Body) Vars(params VarVisitorParams) VarSet
Vars returns a VarSet containing variables in body. The params can be set to control which vars are included.
type Boolean ¶
type Boolean bool
Boolean represents a boolean value defined by JSON.
func (Boolean) Compare ¶ added in v0.5.0
Compare compares bol to other, return <0, 0, or >0 if it is less than, equal to, or greater than other.
type Builtin ¶
type Builtin struct { Name string `json:"name"` // Unique name of built-in function, e.g., <name>(arg1,arg2,...,argN) Decl *types.Function `json:"decl"` // Built-in function type declaration. Infix string `json:"infix,omitempty"` // Unique name of infix operator. Default should be unset. Relation bool `json:"relation,omitempty"` // Indicates if the built-in acts as a relation. }
Builtin represents a built-in function supported by OPA. Every built-in function is uniquely identified by a name.
func (*Builtin) Call ¶ added in v0.7.0
Call creates a new term for the built-in with the given operands.
func (*Builtin) IsTargetPos ¶
IsTargetPos returns true if a variable in the i-th position will be bound by evaluating the call expression.
type Call ¶ added in v0.7.0
type Call []*Term
Call represents as function call in the language.
func (Call) Compare ¶ added in v0.7.0
Compare compares c to other, return <0, 0, or >0 if it is less than, equal to, or greater than other.
type Capabilities ¶ added in v0.23.0
type Capabilities struct { Builtins []*Builtin `json:"builtins"` // builtins is a set of built-in functions that are supported. WasmABIVersions []WasmABIVersion `json:"wasm_abi_versions"` }
Capabilities defines a structure containing data that describes the capablilities or features supported by a particular version of OPA.
func CapabilitiesForThisVersion ¶ added in v0.23.0
func CapabilitiesForThisVersion() *Capabilities
CapabilitiesForThisVersion returns the capabilities of this version of OPA.
func LoadCapabilitiesJSON ¶ added in v0.23.0
func LoadCapabilitiesJSON(r io.Reader) (*Capabilities, error)
LoadCapabilitiesJSON loads a JSON serialized capabilities structure from the reader r.
type Comment ¶ added in v0.4.0
Comment contains the raw text from the comment in the definition.
func NewComment ¶ added in v0.4.0
NewComment returns a new Comment object.
func (*Comment) Equal ¶ added in v0.10.3
Equal returns true if this comment equals the other comment. Unlike other equality checks on AST nodes, comment equality depends on location.
type Compiler ¶
type Compiler struct { // Errors contains errors that occurred during the compilation process. // If there are one or more errors, the compilation process is considered // "failed". Errors Errors // Modules contains the compiled modules. The compiled modules are the // output of the compilation process. If the compilation process failed, // there is no guarantee about the state of the modules. Modules map[string]*Module // ModuleTree organizes the modules into a tree where each node is keyed by // an element in the module's package path. E.g., given modules containing // the following package directives: "a", "a.b", "a.c", and "a.b", the // resulting module tree would be: // // root // | // +--- data (no modules) // | // +--- a (1 module) // | // +--- b (2 modules) // | // +--- c (1 module) // ModuleTree *ModuleTreeNode // RuleTree organizes rules into a tree where each node is keyed by an // element in the rule's path. The rule path is the concatenation of the // containing package and the stringified rule name. E.g., given the // following module: // // package ex // p[1] { true } // p[2] { true } // q = true // // root // | // +--- data (no rules) // | // +--- ex (no rules) // | // +--- p (2 rules) // | // +--- q (1 rule) RuleTree *TreeNode // Graph contains dependencies between rules. An edge (u,v) is added to the // graph if rule 'u' refers to the virtual document defined by 'v'. Graph *Graph // TypeEnv holds type information for values inferred by the compiler. TypeEnv *TypeEnv // RewrittenVars is a mapping of variables that have been rewritten // with the key being the generated name and value being the original. RewrittenVars map[Var]Var // contains filtered or unexported fields }
Compiler contains the state of a compilation process.
func CompileModules ¶ added in v0.10.2
CompileModules takes a set of Rego modules represented as strings and compiles them for evaluation. The keys of the map are used as filenames.
func MustCompileModules ¶ added in v0.10.2
MustCompileModules compiles a set of Rego modules represented as strings. If the compilation process fails, this function panics.
func (*Compiler) Compile ¶
Compile runs the compilation process on the input modules. The compiled version of the modules and associated data structures are stored on the compiler. If the compilation process fails for any reason, the compiler will contain a slice of errors.
Example ¶
package main import ( "fmt" "github.com/open-policy-agent/opa/ast" ) func main() { // Define an input module that will be compiled. exampleModule := `package opa.example import data.foo import input.bar p[x] { foo[x]; not bar[x]; x >= min_x } min_x = 100 { true }` // Parse the input module to obtain the AST representation. mod, err := ast.ParseModule("my_module", exampleModule) if err != nil { fmt.Println("Parse error:", err) } // Create a new compiler instance and compile the module. c := ast.NewCompiler() mods := map[string]*ast.Module{ "my_module": mod, } if c.Compile(mods); c.Failed() { fmt.Println("Compile error:", c.Errors) } fmt.Println("Expr 1:", c.Modules["my_module"].Rules[0].Body[0]) fmt.Println("Expr 2:", c.Modules["my_module"].Rules[0].Body[1]) fmt.Println("Expr 3:", c.Modules["my_module"].Rules[0].Body[2]) fmt.Println("Expr 4:", c.Modules["my_module"].Rules[0].Body[3]) }
Output: Expr 1: data.foo[x] Expr 2: not input.bar[x] Expr 3: __local0__ = data.opa.example.min_x Expr 4: gte(x, __local0__)
func (*Compiler) ComprehensionIndex ¶ added in v0.20.0
func (c *Compiler) ComprehensionIndex(term *Term) *ComprehensionIndex
ComprehensionIndex returns a data structure specifying how to index comprehension results so that callers do not have to recompute the comprehension more than once. If no index is found, returns nil.
func (*Compiler) GetArity ¶ added in v0.7.0
GetArity returns the number of args a function referred to by ref takes. If ref refers to built-in function, the built-in declaration is consulted, otherwise, the ref is used to perform a ruleset lookup.
func (*Compiler) GetRules ¶ added in v0.4.0
GetRules returns a slice of rules that are referred to by ref.
E.g., given the following module:
package a.b.c p[x] = y { q[x] = y; ... } # rule1 q[x] = y { ... } # rule2
The following calls yield the rules on the right.
GetRules("data.a.b.c.p") => [rule1] GetRules("data.a.b.c.p.x") => [rule1] GetRules("data.a.b.c.q") => [rule2] GetRules("data.a.b.c") => [rule1, rule2] GetRules("data.a.b.d") => nil
func (*Compiler) GetRulesDynamic ¶ added in v0.14.0
GetRulesDynamic returns a slice of rules that could be referred to by a ref. When parts of the ref are statically known, we use that information to narrow down which rules the ref could refer to, but in the most general case this will be an over-approximation.
E.g., given the following modules:
package a.b.c r1 = 1 # rule1
and:
package a.d.c r2 = 2 # rule2
The following calls yield the rules on the right.
GetRulesDynamic("data.a[x].c[y]") => [rule1, rule2] GetRulesDynamic("data.a[x].c.r2") => [rule2] GetRulesDynamic("data.a.b[x][y]") => [rule1]
func (*Compiler) GetRulesExact ¶ added in v0.2.0
GetRulesExact returns a slice of rules referred to by the reference.
E.g., given the following module:
package a.b.c p[k] = v { ... } # rule1 p[k1] = v1 { ... } # rule2
The following calls yield the rules on the right.
GetRulesExact("data.a.b.c.p") => [rule1, rule2] GetRulesExact("data.a.b.c.p.x") => nil GetRulesExact("data.a.b.c") => nil
func (*Compiler) GetRulesForVirtualDocument ¶ added in v0.2.0
GetRulesForVirtualDocument returns a slice of rules that produce the virtual document referred to by the reference.
E.g., given the following module:
package a.b.c p[k] = v { ... } # rule1 p[k1] = v1 { ... } # rule2
The following calls yield the rules on the right.
GetRulesForVirtualDocument("data.a.b.c.p") => [rule1, rule2] GetRulesForVirtualDocument("data.a.b.c.p.x") => [rule1, rule2] GetRulesForVirtualDocument("data.a.b.c") => nil
func (*Compiler) GetRulesWithPrefix ¶ added in v0.2.0
GetRulesWithPrefix returns a slice of rules that share the prefix ref.
E.g., given the following module:
package a.b.c p[x] = y { ... } # rule1 p[k] = v { ... } # rule2 q { ... } # rule3
The following calls yield the rules on the right.
GetRulesWithPrefix("data.a.b.c.p") => [rule1, rule2] GetRulesWithPrefix("data.a.b.c.p.a") => nil GetRulesWithPrefix("data.a.b.c") => [rule1, rule2, rule3]
func (*Compiler) PassesTypeCheck ¶ added in v0.26.0
PassesTypeCheck determines whether the given body passes type checking
func (*Compiler) QueryCompiler ¶ added in v0.2.2
func (c *Compiler) QueryCompiler() QueryCompiler
QueryCompiler returns a new QueryCompiler object.
func (*Compiler) RuleIndex ¶ added in v0.4.9
RuleIndex returns a RuleIndex built for the rule set referred to by path. The path must refer to the rule set exactly, i.e., given a rule set at path data.a.b.c.p, refs data.a.b.c.p.x and data.a.b.c would not return a RuleIndex built for the rule.
func (*Compiler) SetErrorLimit ¶ added in v0.5.3
SetErrorLimit sets the number of errors the compiler can encounter before it quits. Zero or a negative number indicates no limit.
func (*Compiler) WithBuiltins ¶ added in v0.14.0
WithBuiltins is deprecated. Use WithCapabilities instead.
func (*Compiler) WithCapabilities ¶ added in v0.23.0
func (c *Compiler) WithCapabilities(capabilities *Capabilities) *Compiler
WithCapabilities sets capabilities to enable during compilation. Capabilities allow the caller to specify the set of built-in functions available to the policy. In the future, capabilities may be able to restrict access to other language features. Capabilities allow callers to check if policies are compatible with a particular version of OPA. If policies are a compiled for a specific version of OPA, there is no guarantee that _this_ version of OPA can evaluate them successfully.
func (*Compiler) WithDebug ¶ added in v0.27.0
WithDebug sets where debug messages are written to. Passing `nil` has no effect.
func (*Compiler) WithMetrics ¶ added in v0.11.0
WithMetrics will set a metrics.Metrics and be used for profiling the Compiler instance.
func (*Compiler) WithModuleLoader ¶ added in v0.3.0
func (c *Compiler) WithModuleLoader(f ModuleLoader) *Compiler
WithModuleLoader sets f as the ModuleLoader on the compiler.
The compiler will invoke the ModuleLoader after resolving all references in the current set of input modules. The ModuleLoader can return a new collection of parsed modules that are to be included in the compilation process. This process will repeat until the ModuleLoader returns an empty collection or an error. If an error is returned, compilation will stop immediately.
func (*Compiler) WithPathConflictsCheck ¶ added in v0.10.4
WithPathConflictsCheck enables base-virtual document conflict detection. The compiler will check that rules don't overlap with paths that exist as determined by the provided callable.
func (*Compiler) WithSchemas ¶ added in v0.27.0
WithSchemas sets a schemaSet to the compiler
func (*Compiler) WithStageAfter ¶ added in v0.10.6
func (c *Compiler) WithStageAfter(after string, stage CompilerStageDefinition) *Compiler
WithStageAfter registers a stage to run during compilation after the named stage.
func (*Compiler) WithUnsafeBuiltins ¶ added in v0.13.0
WithUnsafeBuiltins is deprecated. Use WithCapabilities instead.
type CompilerStage ¶ added in v0.10.6
CompilerStage defines the interface for stages in the compiler.
type CompilerStageDefinition ¶ added in v0.11.0
type CompilerStageDefinition struct { Name string MetricName string Stage CompilerStage }
CompilerStageDefinition defines a compiler stage
type ComprehensionIndex ¶ added in v0.20.0
ComprehensionIndex specifies how the comprehension term can be indexed. The keys tell the evaluator what variables to use for indexing. In the future, the index could be expanded with more information that would allow the evaluator to index a larger fragment of comprehensions (e.g., by closing over variables in the outer query.)
func (*ComprehensionIndex) String ¶ added in v0.20.0
func (ci *ComprehensionIndex) String() string
type DocKind ¶
type DocKind int
DocKind represents the collection of document types that can be produced by rules.
type Error ¶ added in v0.2.0
type Error struct { Code string `json:"code"` Message string `json:"message"` Location *Location `json:"location,omitempty"` Details ErrorDetails `json:"details,omitempty"` }
Error represents a single error caught during parsing, compiling, etc.
type ErrorDetails ¶ added in v0.4.9
type ErrorDetails interface {
Lines() []string
}
ErrorDetails defines the interface for detailed error messages.
type Errors ¶ added in v0.2.0
type Errors []*Error
Errors represents a series of errors encountered during parsing, compiling, etc.
func CheckPathConflicts ¶ added in v0.10.4
CheckPathConflicts returns a set of errors indicating paths that are in conflict with the result of the provided callable.
type Expr ¶
type Expr struct { With []*With `json:"with,omitempty"` Terms interface{} `json:"terms"` Location *Location `json:"-"` Index int `json:"index"` Generated bool `json:"generated,omitempty"` Negated bool `json:"negated,omitempty"` }
Expr represents a single expression contained inside the body of a rule.
func MustParseExpr ¶ added in v0.2.0
MustParseExpr returns a parsed expression. If an error occurs during parsing, panic.
func NewBuiltinExpr ¶
NewBuiltinExpr creates a new Expr object with the supplied terms. The builtin operator must be the first term.
func NewExpr ¶ added in v0.2.1
func NewExpr(terms interface{}) *Expr
NewExpr returns a new Expr object.
func ParseExpr ¶ added in v0.2.0
ParseExpr returns exactly one expression. If multiple expressions are parsed, an error is returned.
func (*Expr) Compare ¶ added in v0.2.0
Compare returns an integer indicating whether expr is less than, equal to, or greater than other.
Expressions are compared as follows:
1. Declarations are always less than other expressions. 2. Preceding expression (by Index) is always less than the other expression. 3. Non-negated expressions are always less than than negated expressions. 4. Single term expressions are always less than built-in expressions.
Otherwise, the expression terms are compared normally. If both expressions have the same terms, the modifiers are compared.
func (*Expr) Complement ¶
Complement returns a copy of this expression with the negation flag flipped.
func (*Expr) IncludeWith ¶ added in v0.4.1
IncludeWith returns a copy of expr with the with modifier appended.
func (*Expr) IsAssignment ¶ added in v0.7.0
IsAssignment returns true if this an assignment expression.
func (*Expr) IsEquality ¶
IsEquality returns true if this is an equality expression.
func (*Expr) NoWith ¶ added in v0.4.1
NoWith returns a copy of expr where the with modifier has been removed.
func (*Expr) Operand ¶ added in v0.4.9
Operand returns the term at the zero-based pos. If the expr does not include at least pos+1 terms, this function returns nil.
func (*Expr) Operator ¶ added in v0.5.9
Operator returns the name of the function or built-in this expression refers to. If this expression is not a function call, returns nil.
func (*Expr) SetLocation ¶ added in v0.5.6
SetLocation sets the expr's location and returns the expr itself.
func (*Expr) SetOperator ¶ added in v0.7.0
SetOperator sets the expr's operator and returns the expr itself. If expr is not a call expr, this function will panic.
func (*Expr) UnmarshalJSON ¶
UnmarshalJSON parses the byte array and stores the result in expr.
func (*Expr) Vars ¶
func (expr *Expr) Vars(params VarVisitorParams) VarSet
Vars returns a VarSet containing variables in expr. The params can be set to control which vars are included.
type GenericTransformer ¶ added in v0.2.0
type GenericTransformer struct {
// contains filtered or unexported fields
}
GenericTransformer implements the Transformer interface to provide a utility to transform AST nodes using a closure.
func NewGenericTransformer ¶ added in v0.5.11
func NewGenericTransformer(f func(x interface{}) (interface{}, error)) *GenericTransformer
NewGenericTransformer returns a new GenericTransformer that will transform AST nodes using the function f.
func (*GenericTransformer) Transform ¶ added in v0.2.0
func (t *GenericTransformer) Transform(x interface{}) (interface{}, error)
Transform calls the function f on the GenericTransformer.
type GenericVisitor ¶
type GenericVisitor struct {
// contains filtered or unexported fields
}
GenericVisitor provides a utility to walk over AST nodes using a closure. If the closure returns true, the visitor will not walk over AST nodes under x.
func NewGenericVisitor ¶ added in v0.4.1
func NewGenericVisitor(f func(x interface{}) bool) *GenericVisitor
NewGenericVisitor returns a new GenericVisitor that will invoke the function f on AST nodes.
func (*GenericVisitor) Walk ¶ added in v0.17.0
func (vis *GenericVisitor) Walk(x interface{})
Walk iterates the AST by calling the function f on the GenericVisitor before recursing. Contrary to the generic Walk, this does not require allocating the visitor from heap.
type Graph ¶ added in v0.5.0
type Graph struct {
// contains filtered or unexported fields
}
Graph represents the graph of dependencies between rules.
func NewGraph ¶ added in v0.5.0
NewGraph returns a new Graph based on modules. The list function must return the rules referred to directly by the ref.
func (*Graph) Dependencies ¶ added in v0.5.0
Dependencies returns the set of rules that x depends on.
func (*Graph) Dependents ¶ added in v0.20.0
Dependents returns the set of rules that depend on x.
type GraphTraversal ¶ added in v0.12.0
type GraphTraversal struct {
// contains filtered or unexported fields
}
GraphTraversal is a Traversal that understands the dependency graph
func NewGraphTraversal ¶ added in v0.12.0
func NewGraphTraversal(graph *Graph) *GraphTraversal
NewGraphTraversal returns a Traversal for the dependency graph
type Head ¶ added in v0.2.0
type Head struct { Location *Location `json:"-"` Name Var `json:"name"` Args Args `json:"args,omitempty"` Key *Term `json:"key,omitempty"` Value *Term `json:"value,omitempty"` Assign bool `json:"assign,omitempty"` }
Head represents the head of a rule.
func NewHead ¶ added in v0.4.1
NewHead returns a new Head object. If args are provided, the first will be used for the key and the second will be used for the value.
func (*Head) Compare ¶ added in v0.4.1
Compare returns an integer indicating whether head is less than, equal to, or greater than other.
type Import ¶
type Import struct { Location *Location `json:"-"` Path *Term `json:"path"` Alias Var `json:"alias,omitempty"` }
Import represents a dependency on a document outside of the policy namespace. Imports are optional.
func MustParseImports ¶ added in v0.2.2
MustParseImports returns a slice of imports. If an error occurs during parsing, panic.
func ParseImports ¶ added in v0.2.2
ParseImports returns a slice of Import objects.
func (*Import) Compare ¶ added in v0.2.0
Compare returns an integer indicating whether imp is less than, equal to, or greater than other.
func (*Import) Name ¶ added in v0.2.2
Name returns the variable that is used to refer to the imported virtual document. This is the alias if defined otherwise the last element in the path.
type IndexResult ¶ added in v0.4.10
IndexResult contains the result of an index lookup.
func NewIndexResult ¶ added in v0.4.10
func NewIndexResult(kind DocKind) *IndexResult
NewIndexResult returns a new IndexResult object.
func (*IndexResult) Empty ¶ added in v0.4.10
func (ir *IndexResult) Empty() bool
Empty returns true if there are no rules to evaluate.
type JSONOpt ¶ added in v0.27.1
type JSONOpt struct {
SortSets bool // sort sets before serializing (this makes conversion more expensive)
}
JSONOpt defines parameters for AST to JSON conversion.
type Module ¶
type Module struct { Package *Package `json:"package"` Imports []*Import `json:"imports,omitempty"` Annotations []*Annotations `json:"annotations,omitempty"` Rules []*Rule `json:"rules,omitempty"` Comments []*Comment `json:"comments,omitempty"` }
Module represents a collection of policies (defined by rules) within a namespace (defined by the package) and optional dependencies on external documents (defined by imports).
func MustParseModule ¶
MustParseModule returns a parsed module. If an error occurs during parsing, panic.
func ParseModule ¶
ParseModule returns a parsed Module object. For details on Module objects and their fields, see policy.go. Empty input will return nil, nil.
func ParseModuleWithOpts ¶ added in v0.28.0
func ParseModuleWithOpts(filename, input string, popts ParserOptions) (*Module, error)
ParseModuleWithOpts returns a parsed Module object, and has an additional input ParserOptions For details on Module objects and their fields, see policy.go. Empty input will return nil, nil.
func (*Module) Compare ¶ added in v0.2.0
Compare returns an integer indicating whether mod is less than, equal to, or greater than other.
func (*Module) RuleSet ¶ added in v0.4.9
RuleSet returns a RuleSet containing named rules in the mod.
func (*Module) UnmarshalJSON ¶ added in v0.15.1
UnmarshalJSON parses bs and stores the result in mod. The rules in the module will have their module pointer set to mod.
type ModuleLoader ¶ added in v0.3.0
ModuleLoader defines the interface that callers can implement to enable lazy loading of modules during compilation.
type ModuleTreeNode ¶
type ModuleTreeNode struct { Key Value Modules []*Module Children map[Value]*ModuleTreeNode Hide bool }
ModuleTreeNode represents a node in the module tree. The module tree is keyed by the package path.
func NewModuleTree ¶
func NewModuleTree(mods map[string]*Module) *ModuleTreeNode
NewModuleTree returns a new ModuleTreeNode that represents the root of the module tree populated with the given modules.
func (*ModuleTreeNode) DepthFirst ¶ added in v0.2.2
func (n *ModuleTreeNode) DepthFirst(f func(node *ModuleTreeNode) bool)
DepthFirst performs a depth-first traversal of the module tree rooted at n. If f returns true, traversal will not continue to the children of n.
func (*ModuleTreeNode) Size ¶
func (n *ModuleTreeNode) Size() int
Size returns the number of modules in the tree.
type Node ¶ added in v0.9.2
Node represents a node in an AST. Nodes may be statements in a policy module or elements of an ad-hoc query, expression, etc.
type Null ¶
type Null struct{}
Null represents the null value defined by JSON.
func (Null) Compare ¶ added in v0.5.0
Compare compares null to other, return <0, 0, or >0 if it is less than, equal to, or greater than other.
type Number ¶
Number represents a numeric value as defined by JSON.
func (Number) Compare ¶ added in v0.5.0
Compare compares num to other, return <0, 0, or >0 if it is less than, equal to, or greater than other.
func (Number) Float64 ¶ added in v0.8.2
Float64 returns the float64 representation of num if possible.
func (Number) MarshalJSON ¶ added in v0.3.0
MarshalJSON returns JSON encoded bytes representing num.
type Object ¶
type Object interface { Value Len() int Get(*Term) *Term Copy() Object Insert(*Term, *Term) Iter(func(*Term, *Term) error) error Until(func(*Term, *Term) bool) bool Foreach(func(*Term, *Term)) Map(func(*Term, *Term) (*Term, *Term, error)) (Object, error) Diff(other Object) Object Intersect(other Object) [][3]*Term Merge(other Object) (Object, bool) MergeWith(other Object, conflictResolver func(v1, v2 *Term) (*Term, bool)) (Object, bool) Filter(filter Object) (Object, error) Keys() []*Term Elem(i int) (*Term, *Term) // contains filtered or unexported methods }
Object represents an object as defined by the language.
type ObjectComprehension ¶ added in v0.5.2
type ObjectComprehension struct { Key *Term `json:"key"` Value *Term `json:"value"` Body Body `json:"body"` }
ObjectComprehension represents an object comprehension as defined in the language.
func (*ObjectComprehension) Compare ¶ added in v0.5.2
func (oc *ObjectComprehension) Compare(other Value) int
Compare compares oc to other, return <0, 0, or >0 if it is less than, equal to, or greater than other.
func (*ObjectComprehension) Copy ¶ added in v0.5.2
func (oc *ObjectComprehension) Copy() *ObjectComprehension
Copy returns a deep copy of oc.
func (*ObjectComprehension) Equal ¶ added in v0.5.2
func (oc *ObjectComprehension) Equal(other Value) bool
Equal returns true if oc is equal to other.
func (*ObjectComprehension) Find ¶ added in v0.5.2
func (oc *ObjectComprehension) Find(path Ref) (Value, error)
Find returns the current value or a not found error.
func (*ObjectComprehension) Hash ¶ added in v0.5.2
func (oc *ObjectComprehension) Hash() int
Hash returns the hash code of the Value.
func (*ObjectComprehension) IsGround ¶ added in v0.5.2
func (oc *ObjectComprehension) IsGround() bool
IsGround returns true if the Key, Value and Body are ground.
func (*ObjectComprehension) String ¶ added in v0.5.2
func (oc *ObjectComprehension) String() string
type Package ¶
Package represents the namespace of the documents produced by rules inside the module.
func MustParsePackage ¶ added in v0.2.2
MustParsePackage returns a Package. If an error occurs during parsing, panic.
func ParsePackage ¶ added in v0.2.2
ParsePackage returns exactly one Package. If multiple statements are parsed, an error is returned.
func (*Package) Compare ¶ added in v0.2.0
Compare returns an integer indicating whether pkg is less than, equal to, or greater than other.
type Parser ¶ added in v0.19.0
type Parser struct {
// contains filtered or unexported fields
}
Parser is used to parse Rego statements.
func NewParser ¶ added in v0.19.0
func NewParser() *Parser
NewParser creates and initializes a Parser.
func (*Parser) Parse ¶ added in v0.19.0
Parse will read the Rego source and parse statements and comments as they are found. Any errors encountered while parsing will be accumulated and returned as a list of Errors.
func (*Parser) WithFilename ¶ added in v0.19.0
WithFilename provides the filename for Location details on parsed statements.
func (*Parser) WithProcessAnnotation ¶ added in v0.28.0
WithProcessAnnotation enables or disables the processing of annotations by the Parser
type ParserErrorDetail ¶ added in v0.15.0
ParserErrorDetail holds additional details for parser errors.
func (ParserErrorDetail) Lines ¶ added in v0.15.0
func (d ParserErrorDetail) Lines() []string
Lines returns the pretty formatted line output for the error details.
type ParserOptions ¶ added in v0.28.0
type ParserOptions struct {
ProcessAnnotation bool
}
ParserOptions defines the options for parsing Rego statements.
type QueryCompiler ¶ added in v0.2.2
type QueryCompiler interface { // Compile should be called to compile ad-hoc queries. The return value is // the compiled version of the query. Compile(q Body) (Body, error) // TypeEnv returns the type environment built after running type checking // on the query. TypeEnv() *TypeEnv // WithContext sets the QueryContext on the QueryCompiler. Subsequent calls // to Compile will take the QueryContext into account. WithContext(qctx *QueryContext) QueryCompiler // WithUnsafeBuiltins sets the built-in functions to treat as unsafe and not // allow inside of queries. By default the query compiler inherits the // compiler's unsafe built-in functions. This function allows callers to // override that set. If an empty (non-nil) map is provided, all built-ins // are allowed. WithUnsafeBuiltins(unsafe map[string]struct{}) QueryCompiler // WithStageAfter registers a stage to run during query compilation after // the named stage. WithStageAfter(after string, stage QueryCompilerStageDefinition) QueryCompiler // RewrittenVars maps generated vars in the compiled query to vars from the // parsed query. For example, given the query "input := 1" the rewritten // query would be "__local0__ = 1". The mapping would then be {__local0__: input}. RewrittenVars() map[Var]Var // ComprehensionIndex returns an index data structure for the given comprehension // term. If no index is found, returns nil. ComprehensionIndex(term *Term) *ComprehensionIndex }
QueryCompiler defines the interface for compiling ad-hoc queries.
type QueryCompilerStage ¶ added in v0.7.0
type QueryCompilerStage func(QueryCompiler, Body) (Body, error)
QueryCompilerStage defines the interface for stages in the query compiler.
type QueryCompilerStageDefinition ¶ added in v0.11.0
type QueryCompilerStageDefinition struct { Name string MetricName string Stage QueryCompilerStage }
QueryCompilerStageDefinition defines a QueryCompiler stage
type QueryContext ¶ added in v0.2.2
QueryContext contains contextual information for running an ad-hoc query.
Ad-hoc queries can be run in the context of a package and imports may be included to provide concise access to data.
func NewQueryContext ¶ added in v0.2.2
func NewQueryContext() *QueryContext
NewQueryContext returns a new QueryContext object.
func (*QueryContext) Copy ¶ added in v0.2.2
func (qc *QueryContext) Copy() *QueryContext
Copy returns a deep copy of qc.
func (*QueryContext) WithImports ¶ added in v0.4.0
func (qc *QueryContext) WithImports(imports []*Import) *QueryContext
WithImports sets the imports on qc.
func (*QueryContext) WithPackage ¶ added in v0.4.0
func (qc *QueryContext) WithPackage(pkg *Package) *QueryContext
WithPackage sets the pkg on qc.
type QueryIterator ¶
QueryIterator defines the interface for querying AST documents with references.
type Ref ¶
type Ref []*Term
Ref represents a reference as defined by the language.
func MustParseRef ¶
MustParseRef returns a parsed reference. If an error occurs during parsing, panic.
func PtrRef ¶ added in v0.10.4
PtrRef returns a new reference against the head for the pointer s. Path components in the pointer are unescaped.
func (Ref) Compare ¶ added in v0.5.0
Compare compares ref to other, return <0, 0, or >0 if it is less than, equal to, or greater than other.
func (Ref) ConstantPrefix ¶ added in v0.5.3
ConstantPrefix returns the constant portion of the ref starting from the head.
func (Ref) Dynamic ¶ added in v0.4.9
Dynamic returns the offset of the first non-constant operand of ref.
func (Ref) Extend ¶ added in v0.3.0
Extend returns a copy of ref with the terms from other appended. The head of other will be converted to a string.
func (Ref) GroundPrefix ¶ added in v0.2.0
GroundPrefix returns the ground portion of the ref starting from the head. By definition, the head of the reference is always ground.
func (Ref) HasPrefix ¶ added in v0.2.0
HasPrefix returns true if the other ref is a prefix of this ref.
func (Ref) Insert ¶ added in v0.6.0
Insert returns a copy of the ref with x inserted at pos. If pos < len(ref), existing elements are shifted to the right. If pos > len(ref)+1 this function panics.
func (Ref) OutputVars ¶
OutputVars returns a VarSet containing variables that would be bound by evaluating
this expression in isolation.
type RefErrInvalidDetail ¶ added in v0.5.2
type RefErrInvalidDetail struct { Ref Ref `json:"ref"` // invalid ref Pos int `json:"pos"` // invalid element Have types.Type `json:"have,omitempty"` // type of invalid element (for var/ref elements) Want types.Type `json:"want"` // allowed type (for non-object values) OneOf []Value `json:"oneOf"` // allowed values (e.g., for object keys) }
RefErrInvalidDetail describes an undefined reference error where the referenced value does not support the reference operand (e.g., missing object key, invalid key type, etc.)
func (*RefErrInvalidDetail) Lines ¶ added in v0.5.2
func (r *RefErrInvalidDetail) Lines() []string
Lines returns the string representation of the detail.
type RefErrUnsupportedDetail ¶ added in v0.5.2
type RefErrUnsupportedDetail struct { Ref Ref `json:"ref"` // invalid ref Pos int `json:"pos"` // invalid element Have types.Type `json:"have"` // referenced type }
RefErrUnsupportedDetail describes an undefined reference error where the referenced value does not support dereferencing (e.g., scalars).
func (*RefErrUnsupportedDetail) Lines ¶ added in v0.5.2
func (r *RefErrUnsupportedDetail) Lines() []string
Lines returns the string representation of the detail.
type Resolver ¶ added in v0.4.9
Resolver defines the interface for resolving references to native Go values.
type Rule ¶
type Rule struct { Location *Location `json:"-"` Default bool `json:"default,omitempty"` Head *Head `json:"head"` Body Body `json:"body"` Else *Rule `json:"else,omitempty"` // Module is a pointer to the module containing this rule. If the rule // was NOT created while parsing/constructing a module, this should be // left unset. The pointer is not included in any standard operations // on the rule (e.g., printing, comparison, visiting, etc.) Module *Module `json:"-"` }
Rule represents a rule as defined in the language. Rules define the content of documents that represent policy decisions.
func MustParseRule ¶
MustParseRule returns a parsed rule. If an error occurs during parsing, panic.
func ParseCompleteDocRuleFromAssignmentExpr ¶ added in v0.14.0
ParseCompleteDocRuleFromAssignmentExpr returns a rule if the expression can be interpreted as a complete document definition declared with the assignment operator.
func ParseCompleteDocRuleFromEqExpr ¶ added in v0.5.6
ParseCompleteDocRuleFromEqExpr returns a rule if the expression can be interpreted as a complete document definition.
func ParsePartialObjectDocRuleFromEqExpr ¶ added in v0.5.6
ParsePartialObjectDocRuleFromEqExpr returns a rule if the expression can be interpreted as a partial object document definition.
func ParsePartialSetDocRuleFromTerm ¶ added in v0.5.6
ParsePartialSetDocRuleFromTerm returns a rule if the term can be interpreted as a partial set document definition.
func ParseRule ¶
ParseRule returns exactly one rule. If multiple rules are parsed, an error is returned.
func ParseRuleFromBody ¶ added in v0.3.0
ParseRuleFromBody returns a rule if the body can be interpreted as a rule definition. Otherwise, an error is returned.
func ParseRuleFromCallEqExpr ¶ added in v0.7.0
ParseRuleFromCallEqExpr returns a rule if the term can be interpreted as a function definition (e.g., f(x) = y => f(x) = y { true }).
func ParseRuleFromCallExpr ¶ added in v0.5.9
ParseRuleFromCallExpr returns a rule if the terms can be interpreted as a function returning true or some value (e.g., f(x) => f(x) = true { true }).
func ParseRuleFromExpr ¶ added in v0.5.6
ParseRuleFromExpr returns a rule if the expression can be interpreted as a rule definition.
func (*Rule) Compare ¶ added in v0.2.0
Compare returns an integer indicating whether rule is less than, equal to, or greater than other.
func (*Rule) Path ¶ added in v0.2.0
Path returns a ref referring to the document produced by this rule. If rule is not contained in a module, this function panics.
type RuleIndex ¶ added in v0.4.9
type RuleIndex interface { // Build tries to construct an index for the given rules. If the index was // constructed, it returns true, otherwise false. Build(rules []*Rule) bool // Lookup searches the index for rules that will match the provided // resolver. If the resolver returns an error, it is returned via err. Lookup(resolver ValueResolver) (*IndexResult, error) // AllRules traverses the index and returns all rules that will match // the provided resolver without any optimizations (effectively with // indexing disabled). If the resolver returns an error, it is returned // via err. AllRules(resolver ValueResolver) (*IndexResult, error) }
RuleIndex defines the interface for rule indices.
type RuleSet ¶ added in v0.4.9
type RuleSet []*Rule
RuleSet represents a collection of rules that produce a virtual document.
func NewRuleSet ¶ added in v0.4.9
NewRuleSet returns a new RuleSet containing the given rules.
func (RuleSet) Diff ¶ added in v0.4.9
Diff returns a new RuleSet containing rules in rs that are not in other.
type SchemaAnnotation ¶ added in v0.28.0
type SchemaAnnotation struct { Path Ref `json:"path"` Schema Ref `json:"schema,omitempty"` Definition *interface{} `json:"definition,omitempty"` }
SchemaAnnotation contains a schema declaration for the document identified by the path.
func (*SchemaAnnotation) Compare ¶ added in v0.28.0
func (s *SchemaAnnotation) Compare(other *SchemaAnnotation) int
Compare returns an integer indicating if s is less than, equal to, or greater than other.
func (*SchemaAnnotation) Copy ¶ added in v0.28.0
func (s *SchemaAnnotation) Copy() *SchemaAnnotation
Copy returns a deep copy of s.
func (*SchemaAnnotation) String ¶ added in v0.28.0
func (s *SchemaAnnotation) String() string
type SchemaSet ¶ added in v0.27.0
type SchemaSet struct {
// contains filtered or unexported fields
}
SchemaSet holds a map from a path to a schema.
func NewSchemaSet ¶ added in v0.28.0
func NewSchemaSet() *SchemaSet
NewSchemaSet returns an empty SchemaSet.
type Set ¶ added in v0.2.0
type Set interface { Value Len() int Copy() Set Diff(Set) Set Intersect(Set) Set Union(Set) Set Add(*Term) Iter(func(*Term) error) error Until(func(*Term) bool) bool Foreach(func(*Term)) Contains(*Term) bool Map(func(*Term) (*Term, error)) (Set, error) Reduce(*Term, func(*Term, *Term) (*Term, error)) (*Term, error) Sorted() *Array Slice() []*Term }
Set represents a set as defined by the language.
type SetComprehension ¶ added in v0.5.2
SetComprehension represents a set comprehension as defined in the language.
func (*SetComprehension) Compare ¶ added in v0.5.2
func (sc *SetComprehension) Compare(other Value) int
Compare compares sc to other, return <0, 0, or >0 if it is less than, equal to, or greater than other.
func (*SetComprehension) Copy ¶ added in v0.5.2
func (sc *SetComprehension) Copy() *SetComprehension
Copy returns a deep copy of sc.
func (*SetComprehension) Equal ¶ added in v0.5.2
func (sc *SetComprehension) Equal(other Value) bool
Equal returns true if sc is equal to other.
func (*SetComprehension) Find ¶ added in v0.5.2
func (sc *SetComprehension) Find(path Ref) (Value, error)
Find returns the current value or a not found error.
func (*SetComprehension) Hash ¶ added in v0.5.2
func (sc *SetComprehension) Hash() int
Hash returns the hash code of the Value.
func (*SetComprehension) IsGround ¶ added in v0.5.2
func (sc *SetComprehension) IsGround() bool
IsGround returns true if the Term and Body are ground.
func (*SetComprehension) String ¶ added in v0.5.2
func (sc *SetComprehension) String() string
type SomeDecl ¶ added in v0.11.0
SomeDecl represents a variable declaration statement. The symbols are variables.
func (*SomeDecl) Compare ¶ added in v0.11.0
Compare returns an integer indicating whether d is less than, equal to, or greater than other.
type Statement ¶
type Statement interface { Node }
Statement represents a single statement in a policy module.
func MustParseStatement ¶
MustParseStatement returns exactly one statement. If an error occurs during parsing, panic.
func MustParseStatements ¶
MustParseStatements returns a slice of parsed statements. If an error occurs during parsing, panic.
func ParseStatement ¶
ParseStatement returns exactly one statement. A statement might be a term, expression, rule, etc. Regardless, this function expects *exactly* one statement. If multiple statements are parsed, an error is returned.
type String ¶
type String string
String represents a string value as defined by JSON.
func (String) Compare ¶ added in v0.5.0
Compare compares str to other, return <0, 0, or >0 if it is less than, equal to, or greater than other.
type Term ¶
type Term struct { Value Value `json:"value"` // the value of the Term as represented in Go Location *Location `json:"-"` // the location of the Term in the source }
Term is an argument to a function.
func ArrayComprehensionTerm ¶
ArrayComprehensionTerm creates a new Term with an ArrayComprehension value.
func BooleanTerm ¶
BooleanTerm creates a new Term with a Boolean value.
func CallTerm ¶ added in v0.7.0
CallTerm returns a new Term with a Call value defined by terms. The first term is the operator and the rest are operands.
func FloatNumberTerm ¶ added in v0.3.0
FloatNumberTerm creates a new Term with a floating point Number value.
func IntNumberTerm ¶ added in v0.3.0
IntNumberTerm creates a new Term with an integer Number value.
func Item ¶
Item is a helper for constructing an tuple containing two Terms representing a key/value pair in an Object.
func MustParseTerm ¶
MustParseTerm returns a parsed term. If an error occurs during parsing, panic.
func NumberTerm ¶
NumberTerm creates a new Term with a Number value.
func ObjectComprehensionTerm ¶ added in v0.5.2
ObjectComprehensionTerm creates a new Term with an ObjectComprehension value.
func ObjectTerm ¶
ObjectTerm creates a new Term with an Object value.
func ParseTerm ¶
ParseTerm returns exactly one term. If multiple terms are parsed, an error is returned.
func SetComprehensionTerm ¶ added in v0.5.2
SetComprehensionTerm creates a new Term with an SetComprehension value.
func StringTerm ¶
StringTerm creates a new Term with a String value.
func UIntNumberTerm ¶ added in v0.22.0
UIntNumberTerm creates a new Term with an unsigned integer Number value.
func (*Term) Equal ¶
Equal returns true if this term equals the other term. Equality is defined for each kind of term.
func (*Term) MarshalJSON ¶
MarshalJSON returns the JSON encoding of the term.
Specialized marshalling logic is required to include a type hint for Value.
func (*Term) SetLocation ¶ added in v0.5.0
SetLocation updates the term's Location and returns the term itself.
func (*Term) UnmarshalJSON ¶
UnmarshalJSON parses the byte array and stores the result in term. Specialized unmarshalling is required to handle Value.
type Transformer ¶ added in v0.2.0
type Transformer interface {
Transform(v interface{}) (interface{}, error)
}
Transformer defines the interface for transforming AST elements. If the transformer returns nil and does not indicate an error, the AST element will be set to nil and no transformations will be applied to children of the element.
type TreeNode ¶ added in v0.5.0
type TreeNode struct { Key Value Values []util.T Children map[Value]*TreeNode Sorted []Value Hide bool }
TreeNode represents a node in the rule tree. The rule tree is keyed by rule path.
func NewRuleTree ¶ added in v0.2.0
func NewRuleTree(mtree *ModuleTreeNode) *TreeNode
NewRuleTree returns a new TreeNode that represents the root of the rule tree populated with the given rules.
func (*TreeNode) DepthFirst ¶ added in v0.5.0
DepthFirst performs a depth-first traversal of the rule tree rooted at n. If f returns true, traversal will not continue to the children of n.
type TypeEnv ¶ added in v0.4.9
type TypeEnv struct {
// contains filtered or unexported fields
}
TypeEnv contains type info for static analysis such as type checking.
type UnificationErrDetail ¶ added in v0.4.9
UnificationErrDetail describes a type mismatch error when two values are unified (e.g., x = [1,2,y]).
func (*UnificationErrDetail) Lines ¶ added in v0.4.9
func (a *UnificationErrDetail) Lines() []string
Lines returns the string representation of the detail.
type UnknownValueErr ¶ added in v0.9.0
type UnknownValueErr struct{}
UnknownValueErr indicates a ValueResolver was unable to resolve a reference because the reference refers to an unknown value.
func (UnknownValueErr) Error ¶ added in v0.9.0
func (UnknownValueErr) Error() string
type Value ¶
type Value interface { Compare(other Value) int // Compare returns <0, 0, or >0 if this Value is less than, equal to, or greater than other, respectively. Find(path Ref) (Value, error) // Find returns value referred to by path or an error if path is not found. Hash() int // Returns hash code of the value. IsGround() bool // IsGround returns true if this value is not a variable or contains no variables. String() string // String returns a human readable string representation of the value. }
Value declares the common interface for all Term values. Every kind of Term value in the language is represented as a type that implements this interface:
- Null, Boolean, Number, String - Object, Array, Set - Variables, References - Array, Set, and Object Comprehensions - Calls
func InterfaceToValue ¶
InterfaceToValue converts a native Go value x to a Value.
func MustInterfaceToValue ¶ added in v0.4.5
func MustInterfaceToValue(x interface{}) Value
MustInterfaceToValue converts a native Go value x to a Value. If the conversion fails, this function will panic. This function is mostly for test purposes.
type ValueMap ¶ added in v0.2.0
type ValueMap struct {
// contains filtered or unexported fields
}
ValueMap represents a key/value map between AST term values. Any type of term can be used as a key in the map.
func (*ValueMap) Iter ¶ added in v0.2.0
Iter calls the iter function for each key/value pair in the map. If the iter function returns true, iteration stops.
func (*ValueMap) MarshalJSON ¶ added in v0.15.0
MarshalJSON provides a custom marshaller for the ValueMap which will include the key, value, and value type.
type ValueResolver ¶ added in v0.4.9
ValueResolver defines the interface for resolving references to AST values.
type Var ¶
type Var string
Var represents a variable as defined by the language.
func (Var) Compare ¶ added in v0.5.0
Compare compares v to other, return <0, 0, or >0 if it is less than, equal to, or greater than other.
func (Var) Equal ¶
Equal returns true if the other Value is a Variable and has the same value (name).
func (Var) IsGenerated ¶ added in v0.5.11
IsGenerated returns true if this variable was generated during compilation.
func (Var) IsWildcard ¶ added in v0.2.0
IsWildcard returns true if this is a wildcard variable.
type VarSet ¶
type VarSet map[Var]struct{}
VarSet represents a set of variables.
func OutputVarsFromBody ¶ added in v0.20.0
OutputVarsFromBody returns all variables which are the "output" for the given body. For safety checks this means that they would be made safe by the body.
func OutputVarsFromExpr ¶ added in v0.20.0
OutputVarsFromExpr returns all variables which are the "output" for the given expression. For safety checks this means that they would be made safe by the expr.
func Unify ¶
Unify returns a set of variables that will be unified when the equality expression defined by terms a and b is evaluated. The unifier assumes that variables in the VarSet safe are already unified.
func (VarSet) Equal ¶ added in v0.2.1
Equal returns true if s contains exactly the same elements as vs.
type VarVisitor ¶ added in v0.3.0
type VarVisitor struct {
// contains filtered or unexported fields
}
VarVisitor walks AST nodes under a given node and collects all encountered variables. The collected variables can be controlled by specifying VarVisitorParams when creating the visitor.
func NewVarVisitor ¶ added in v0.3.0
func NewVarVisitor() *VarVisitor
NewVarVisitor returns a new VarVisitor object.
func (*VarVisitor) Vars ¶ added in v0.3.0
func (vis *VarVisitor) Vars() VarSet
Vars returns a VarSet that contains collected vars.
func (*VarVisitor) Walk ¶ added in v0.17.0
func (vis *VarVisitor) Walk(x interface{})
Walk iterates the AST by calling the function f on the GenericVisitor before recursing. Contrary to the generic Walk, this does not require allocating the visitor from heap.
func (*VarVisitor) WithParams ¶ added in v0.3.0
func (vis *VarVisitor) WithParams(params VarVisitorParams) *VarVisitor
WithParams sets the parameters in params on vis.
type VarVisitorParams ¶ added in v0.3.0
type VarVisitorParams struct { SkipRefHead bool SkipRefCallHead bool SkipObjectKeys bool SkipClosures bool SkipWithTarget bool SkipSets bool }
VarVisitorParams contains settings for a VarVisitor.
type Visitor ¶
type Visitor interface {
Visit(v interface{}) (w Visitor)
}
Visitor defines the interface for iterating AST elements. The Visit function can return a Visitor w which will be used to visit the children of the AST element v. If the Visit function returns nil, the children will not be visited. This is deprecated.
type WasmABIVersion ¶ added in v0.27.0
WasmABIVersion captures the Wasm ABI version. Its `Minor` version is indicating backwards-compatible changes.
type With ¶ added in v0.4.1
type With struct { Location *Location `json:"-"` Target *Term `json:"target"` Value *Term `json:"value"` }
With represents a modifier on an expression.
func (*With) Compare ¶ added in v0.4.1
Compare returns an integer indicating whether w is less than, equal to, or greater than other.
func (*With) SetLocation ¶ added in v0.7.0
SetLocation sets the location on w.