rego

package
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 20, 2024 License: Apache-2.0 Imports: 30 Imported by: 3

Documentation

Overview

Package rego exposes high level APIs for evaluating Rego policies.

Index

Examples

Constants

This section is empty.

Variables

This section is empty.

Functions

func BuiltinErrorList

func BuiltinErrorList(list *[]topdown.Error) func(r *Rego)

BuiltinErrorList supplies an error slice to store built-in function errors.

func Capabilities

func Capabilities(c *ast.Capabilities) func(r *Rego)

Capabilities configures the underlying compiler's capabilities. This option is ignored for module compilation if the caller supplies the compiler.

func Compiler

func Compiler(c *ast.Compiler) func(r *Rego)

Compiler returns an argument that sets the Rego compiler.

func DisableInlining

func DisableInlining(paths []string) func(r *Rego)

DisableInlining adds a set of paths to exclude from partial evaluation inlining.

func DistributedTracingOpts

func DistributedTracingOpts(tr tracing.Options) func(r *Rego)

DistributedTracingOpts sets the options to be used by distributed tracing.

func Dump

func Dump(w io.Writer) func(r *Rego)

Dump returns an argument that sets the writer to dump debugging information to.

func EnablePrintStatements

func EnablePrintStatements(yes bool) func(r *Rego)

EnablePrintStatements enables print() calls. If this option is not provided, print() calls will be erased from the policy. This option only applies to queries and policies that passed as raw strings, i.e., this function will not have any affect if the caller supplies the ast.Compiler instance.

func Function1

func Function1(decl *Function, f Builtin1) func(*Rego)

Function1 returns an option that adds a built-in function to the Rego object.

func Function2

func Function2(decl *Function, f Builtin2) func(*Rego)

Function2 returns an option that adds a built-in function to the Rego object.

func Function3

func Function3(decl *Function, f Builtin3) func(*Rego)

Function3 returns an option that adds a built-in function to the Rego object.

func Function4

func Function4(decl *Function, f Builtin4) func(*Rego)

Function4 returns an option that adds a built-in function to the Rego object.

func FunctionDecl

func FunctionDecl(decl *Function) func(*Rego)

FunctionDecl returns an option that adds a custom-built-in function __declaration__. NO implementation is provided. This is used for non-interpreter execution envs (e.g., Wasm).

func FunctionDyn

func FunctionDyn(decl *Function, f BuiltinDyn) func(*Rego)

FunctionDyn returns an option that adds a built-in function to the Rego object.

func GenerateJSON

func GenerateJSON(f func(*ast.Term, *EvalContext) (interface{}, error)) func(r *Rego)

GenerateJSON sets the AST to JSON converter for the results.

func Imports

func Imports(p []string) func(r *Rego)

Imports returns an argument that adds a Rego import to the query's context.

func Input

func Input(x interface{}) func(r *Rego)

Input returns an argument that sets the Rego input document. Input should be a native Go value representing the input document.

func Instrument

func Instrument(yes bool) func(r *Rego)

Instrument returns an argument that enables instrumentation for diagnosing performance issues.

func InterQueryBuiltinCache

func InterQueryBuiltinCache(c cache.InterQueryCache) func(r *Rego)

InterQueryBuiltinCache sets the inter-query cache that built-in functions can utilize during evaluation.

func InterQueryBuiltinValueCache

func InterQueryBuiltinValueCache(c cache.InterQueryValueCache) func(r *Rego)

InterQueryBuiltinValueCache sets the inter-query value cache that built-in functions can utilize during evaluation.

func IsPartialEvaluationNotEffectiveErr

func IsPartialEvaluationNotEffectiveErr(err error) bool

IsPartialEvaluationNotEffectiveErr returns true if err is an error returned by this package to indicate that partial evaluation was ineffective.

func Load

func Load(paths []string, filter loader.Filter) func(r *Rego)

Load returns an argument that adds a filesystem path to load data and Rego modules from. Any file with a *.rego, *.yaml, or *.json extension will be loaded. The path can be either a directory or file, directories are loaded recursively. The optional ignore string patterns can be used to filter which files are used. The Load option can only be used once. Note: Loading files will require a write transaction on the store.

func LoadBundle

func LoadBundle(path string) func(r *Rego)

LoadBundle returns an argument that adds a filesystem path to load a bundle from. The path can be a compressed bundle file or a directory to be loaded as a bundle. Note: Loading bundles will require a write transaction on the store.

func Metrics

func Metrics(m metrics.Metrics) func(r *Rego)

Metrics returns an argument that sets the metrics collection.

func Module

func Module(filename, input string) func(r *Rego)

Module returns an argument that adds a Rego module.

func NDBuiltinCache

func NDBuiltinCache(c builtins.NDBCache) func(r *Rego)

NDBuiltinCache sets the non-deterministic builtins cache.

func NewHaltError

func NewHaltError(err error) error

NewHaltError wraps an error such that the evaluation process will stop when it occurs.

func Package

func Package(p string) func(r *Rego)

Package returns an argument that sets the Rego package on the query's context.

func ParsedBundle

func ParsedBundle(name string, b *bundle.Bundle) func(r *Rego)

ParsedBundle returns an argument that adds a bundle to be loaded.

func ParsedImports

func ParsedImports(imp []*ast.Import) func(r *Rego)

ParsedImports returns an argument that adds Rego imports to the query's context.

func ParsedInput

func ParsedInput(x ast.Value) func(r *Rego)

ParsedInput returns an argument that sets the Rego input document.

func ParsedModule

func ParsedModule(module *ast.Module) func(*Rego)

ParsedModule returns an argument that adds a parsed Rego module. If a string module with the same filename name is added, it will override the parsed module.

func ParsedPackage

func ParsedPackage(pkg *ast.Package) func(r *Rego)

ParsedPackage returns an argument that sets the Rego package on the query's context.

func ParsedQuery

func ParsedQuery(q ast.Body) func(r *Rego)

ParsedQuery returns an argument that sets the Rego query.

func ParsedUnknowns

func ParsedUnknowns(unknowns []*ast.Term) func(r *Rego)

ParsedUnknowns returns an argument that sets the values to treat as unknown during partial evaluation.

func PartialNamespace

func PartialNamespace(ns string) func(r *Rego)

PartialNamespace returns an argument that sets the namespace to use for partial evaluation results. The namespace must be a valid package path component.

func PrintHook

func PrintHook(h print.Hook) func(r *Rego)

PrintHook sets the object to use for handling print statement outputs.

func PrintTrace

func PrintTrace(w io.Writer, r *Rego)

PrintTrace is a helper function to write a human-readable version of the trace to the writer w.

func PrintTraceWithLocation

func PrintTraceWithLocation(w io.Writer, r *Rego)

PrintTraceWithLocation is a helper function to write a human-readable version of the trace to the writer w.

func Query

func Query(q string) func(r *Rego)

Query returns an argument that sets the Rego query.

func QueryTracer

func QueryTracer(t topdown.QueryTracer) func(r *Rego)

QueryTracer returns an argument that adds a query tracer to r.

func RegisterBuiltin1

func RegisterBuiltin1(decl *Function, impl Builtin1)

RegisterBuiltin1 adds a built-in function globally inside the OPA runtime.

func RegisterBuiltin2

func RegisterBuiltin2(decl *Function, impl Builtin2)

RegisterBuiltin2 adds a built-in function globally inside the OPA runtime.

func RegisterBuiltin3

func RegisterBuiltin3(decl *Function, impl Builtin3)

RegisterBuiltin3 adds a built-in function globally inside the OPA runtime.

func RegisterBuiltin4

func RegisterBuiltin4(decl *Function, impl Builtin4)

RegisterBuiltin4 adds a built-in function globally inside the OPA runtime.

func RegisterBuiltinDyn

func RegisterBuiltinDyn(decl *Function, impl BuiltinDyn)

RegisterBuiltinDyn adds a built-in function globally inside the OPA runtime.

func RegisterPlugin

func RegisterPlugin(name string, p TargetPlugin)

func Resolver

func Resolver(ref ast.Ref, r resolver.Resolver) func(r *Rego)

Resolver sets a Resolver for a specified ref path.

func Runtime

func Runtime(term *ast.Term) func(r *Rego)

Runtime returns an argument that sets the runtime data to provide to the evaluation engine.

func Schemas

func Schemas(x *ast.SchemaSet) func(r *Rego)

Schemas sets the schemaSet

func Seed

func Seed(r io.Reader) func(*Rego)

Seed sets a reader that will seed randomization required by built-in functions. If a seed is not provided crypto/rand.Reader is used.

func SetRegoVersion

func SetRegoVersion(version ast.RegoVersion) func(r *Rego)

func ShallowInlining

func ShallowInlining(yes bool) func(r *Rego)

ShallowInlining prevents rules that depend on unknown values from being inlined. Rules that only depend on known values are inlined.

func SkipBundleVerification

func SkipBundleVerification(yes bool) func(r *Rego)

SkipBundleVerification skips verification of a signed bundle.

func SkipPartialNamespace

func SkipPartialNamespace(yes bool) func(r *Rego)

SkipPartialNamespace disables namespacing of partial evalution results for support rules generated from policy. Synthetic support rules are still namespaced.

func Store

func Store(s storage.Store) func(r *Rego)

Store returns an argument that sets the policy engine's data storage layer.

If using the Load, LoadBundle, or ParsedBundle options then a transaction must also be provided via the Transaction() option. After loading files or bundles the transaction should be aborted or committed.

func StoreReadAST

func StoreReadAST(enabled bool) func(r *Rego)

StoreReadAST returns an argument that sets whether the store should eagerly convert data to AST values.

Only applicable when no store has been set on the Rego object through the Store option.

func Strict

func Strict(yes bool) func(r *Rego)

Strict enables or disables strict-mode in the compiler

func StrictBuiltinErrors

func StrictBuiltinErrors(yes bool) func(r *Rego)

StrictBuiltinErrors tells the evaluator to treat all built-in function errors as fatal errors.

func Target

func Target(t string) func(r *Rego)

Target sets the runtime to exercise.

func Time

func Time(x time.Time) func(r *Rego)

Time sets the wall clock time to use during policy evaluation. Prepared queries do not inherit this parameter. Use EvalTime to set the wall clock time when executing a prepared query.

func Trace

func Trace(yes bool) func(r *Rego)

Trace returns an argument that enables tracing on r.

func Tracer

func Tracer(t topdown.Tracer) func(r *Rego)

Tracer returns an argument that adds a query tracer to r. Deprecated: Use QueryTracer instead.

func Transaction

func Transaction(txn storage.Transaction) func(r *Rego)

Transaction returns an argument that sets the transaction to use for storage layer operations.

Requires the store associated with the transaction to be provided via the Store() option. If using Load(), LoadBundle(), or ParsedBundle() options the transaction will likely require write params.

func Unknowns

func Unknowns(unknowns []string) func(r *Rego)

Unknowns returns an argument that sets the values to treat as unknown during partial evaluation.

func UnsafeBuiltins

func UnsafeBuiltins(unsafeBuiltins map[string]struct{}) func(r *Rego)

UnsafeBuiltins sets the built-in functions to treat as unsafe and not allow. This option is ignored for module compilation if the caller supplies the compiler. This option is always honored for query compilation. Provide an empty (non-nil) map to disable checks on queries.

Types

type Builtin1

type Builtin1 func(bctx BuiltinContext, op1 *ast.Term) (*ast.Term, error)

Builtin1 defines a built-in function that accepts 1 argument.

type Builtin2

type Builtin2 func(bctx BuiltinContext, op1, op2 *ast.Term) (*ast.Term, error)

Builtin2 defines a built-in function that accepts 2 arguments.

type Builtin3

type Builtin3 func(bctx BuiltinContext, op1, op2, op3 *ast.Term) (*ast.Term, error)

Builtin3 defines a built-in function that accepts 3 argument.

type Builtin4

type Builtin4 func(bctx BuiltinContext, op1, op2, op3, op4 *ast.Term) (*ast.Term, error)

Builtin4 defines a built-in function that accepts 4 argument.

type BuiltinContext

type BuiltinContext = topdown.BuiltinContext

BuiltinContext contains additional attributes from the evaluator that built-in functions can use, e.g., the request context.Context, caches, etc.

type BuiltinDyn

type BuiltinDyn func(bctx BuiltinContext, terms []*ast.Term) (*ast.Term, error)

BuiltinDyn defines a built-in function that accepts a list of arguments.

type CompileContext

type CompileContext struct {
	// contains filtered or unexported fields
}

CompileContext contains options for Compile calls.

type CompileOption

type CompileOption func(*CompileContext)

CompileOption defines a function to set options on Compile calls.

func CompilePartial

func CompilePartial(yes bool) CompileOption

CompilePartial defines an option to control whether partial evaluation is run before the query is planned and compiled.

type CompileResult

type CompileResult struct {
	Bytes []byte `json:"bytes"`
}

CompileResult represents the result of compiling a Rego query, zero or more Rego modules, and arbitrary contextual data into an executable.

type ErrorDetails

type ErrorDetails interface {
	Lines() []string
}

ErrorDetails interface is satisfied by an error that provides further details.

type Errors

type Errors []error

Errors represents a collection of errors returned when evaluating Rego.

func (Errors) Error

func (errs Errors) Error() string

type EvalContext

type EvalContext struct {
	// contains filtered or unexported fields
}

EvalContext defines the set of options allowed to be set at evaluation time. Any other options will need to be set on a new Rego object.

func (*EvalContext) Capabilities

func (e *EvalContext) Capabilities() *ast.Capabilities

func (*EvalContext) CompiledQuery

func (e *EvalContext) CompiledQuery() ast.Body

func (*EvalContext) InterQueryBuiltinCache

func (e *EvalContext) InterQueryBuiltinCache() cache.InterQueryCache

func (*EvalContext) InterQueryBuiltinValueCache

func (e *EvalContext) InterQueryBuiltinValueCache() cache.InterQueryValueCache

func (*EvalContext) Metrics

func (e *EvalContext) Metrics() metrics.Metrics

func (*EvalContext) NDBCache

func (e *EvalContext) NDBCache() builtins.NDBCache

func (*EvalContext) ParsedInput

func (e *EvalContext) ParsedInput() ast.Value

func (*EvalContext) PrintHook

func (e *EvalContext) PrintHook() print.Hook

func (*EvalContext) RawInput

func (e *EvalContext) RawInput() *interface{}

func (*EvalContext) Seed

func (e *EvalContext) Seed() io.Reader

func (*EvalContext) StrictBuiltinErrors

func (e *EvalContext) StrictBuiltinErrors() bool

func (*EvalContext) Time

func (e *EvalContext) Time() time.Time

func (*EvalContext) Transaction

func (e *EvalContext) Transaction() storage.Transaction

type EvalOption

type EvalOption func(*EvalContext)

EvalOption defines a function to set an option on an EvalConfig

func EvalCopyMaps

func EvalCopyMaps(yes bool) EvalOption

EvalCopyMaps causes the evaluator to copy `map[string]interface{}`s before returning them.

func EvalDisableInlining

func EvalDisableInlining(paths []ast.Ref) EvalOption

EvalDisableInlining returns an argument that adds a set of paths to exclude from partial evaluation inlining.

func EvalEarlyExit

func EvalEarlyExit(enabled bool) EvalOption

EvalEarlyExit will disable 'early exit' optimizations for the evaluation. This should only be used when tracing in debug mode.

func EvalHTTPRoundTripper

func EvalHTTPRoundTripper(t topdown.CustomizeRoundTripper) EvalOption

EvalHTTPRoundTripper allows customizing the http.RoundTripper for this evaluation.

func EvalInput

func EvalInput(input interface{}) EvalOption

EvalInput configures the input for a Prepared Query's evaluation

func EvalInstrument

func EvalInstrument(instrument bool) EvalOption

EvalInstrument enables or disables instrumenting for a Prepared Query's evaluation

func EvalInterQueryBuiltinCache

func EvalInterQueryBuiltinCache(c cache.InterQueryCache) EvalOption

EvalInterQueryBuiltinCache sets the inter-query cache that built-in functions can utilize during evaluation.

func EvalInterQueryBuiltinValueCache

func EvalInterQueryBuiltinValueCache(c cache.InterQueryValueCache) EvalOption

EvalInterQueryBuiltinValueCache sets the inter-query value cache that built-in functions can utilize during evaluation.

func EvalMetrics

func EvalMetrics(metric metrics.Metrics) EvalOption

EvalMetrics configures the metrics for a Prepared Query's evaluation

func EvalNDBuiltinCache

func EvalNDBuiltinCache(c builtins.NDBCache) EvalOption

EvalNDBuiltinCache sets the non-deterministic builtin cache that built-in functions can use during evaluation.

func EvalParsedInput

func EvalParsedInput(input ast.Value) EvalOption

EvalParsedInput configures the input for a Prepared Query's evaluation

func EvalParsedUnknowns

func EvalParsedUnknowns(unknowns []*ast.Term) EvalOption

EvalParsedUnknowns returns an argument that sets the values to treat as unknown during partial evaluation.

func EvalPartialNamespace

func EvalPartialNamespace(ns string) EvalOption

EvalPartialNamespace returns an argument that sets the namespace to use for partial evaluation results. The namespace must be a valid package path component.

func EvalPrintHook

func EvalPrintHook(ph print.Hook) EvalOption

EvalPrintHook sets the object to use for handling print statement outputs.

func EvalQueryTracer

func EvalQueryTracer(tracer topdown.QueryTracer) EvalOption

EvalQueryTracer configures a tracer for a Prepared Query's evaluation

func EvalResolver

func EvalResolver(ref ast.Ref, r resolver.Resolver) EvalOption

EvalResolver sets a Resolver for a specified ref path for this evaluation.

func EvalRuleIndexing

func EvalRuleIndexing(enabled bool) EvalOption

EvalRuleIndexing will disable indexing optimizations for the evaluation. This should only be used when tracing in debug mode.

func EvalSeed

func EvalSeed(r io.Reader) EvalOption

EvalSeed sets a reader that will seed randomization required by built-in functions. If a seed is not provided crypto/rand.Reader is used.

func EvalSortSets

func EvalSortSets(yes bool) EvalOption

EvalSortSets causes the evaluator to sort sets before returning them as JSON arrays.

func EvalTime

func EvalTime(x time.Time) EvalOption

EvalTime sets the wall clock time to use during policy evaluation. time.now_ns() calls will return this value.

func EvalTracer

func EvalTracer(tracer topdown.Tracer) EvalOption

EvalTracer configures a tracer for a Prepared Query's evaluation Deprecated: Use EvalQueryTracer instead.

func EvalTransaction

func EvalTransaction(txn storage.Transaction) EvalOption

EvalTransaction configures the Transaction for a Prepared Query's evaluation

func EvalUnknowns

func EvalUnknowns(unknowns []string) EvalOption

EvalUnknowns returns an argument that sets the values to treat as unknown during partial evaluation.

func EvalVirtualCache

func EvalVirtualCache(vc topdown.VirtualCache) EvalOption

EvalVirtualCache sets the topdown.VirtualCache to use for evaluation. This is optional, and if not set, the default cache is used.

type ExpressionValue

type ExpressionValue struct {
	Value    interface{} `json:"value"`
	Text     string      `json:"text"`
	Location *Location   `json:"location"`
}

ExpressionValue defines the value of an expression in a Rego query.

func (*ExpressionValue) String

func (ev *ExpressionValue) String() string

type Function

type Function struct {
	Name             string
	Description      string
	Decl             *types.Function
	Memoize          bool
	Nondeterministic bool
}

Function represents a built-in function that is callable in Rego.

type HaltError

type HaltError struct {
	// contains filtered or unexported fields
}

HaltError is an error type to return from a custom function implementation that will abort the evaluation process (analogous to topdown.Halt).

func (*HaltError) Error

func (h *HaltError) Error() string

Error delegates to the wrapped error

type Location

type Location struct {
	Row int `json:"row"`
	Col int `json:"col"`
}

Location defines a position in a Rego query or module.

type PartialQueries

type PartialQueries struct {
	Queries []ast.Body    `json:"queries,omitempty"`
	Support []*ast.Module `json:"modules,omitempty"`
}

PartialQueries contains the queries and support modules produced by partial evaluation.

type PartialResult

type PartialResult struct {
	// contains filtered or unexported fields
}

PartialResult represents the result of partial evaluation. The result can be used to generate a new query that can be run when inputs are known.

func (PartialResult) Rego

func (pr PartialResult) Rego(options ...func(*Rego)) *Rego

Rego returns an object that can be evaluated to produce a query result.

type PrepareConfig

type PrepareConfig struct {
	// contains filtered or unexported fields
}

PrepareConfig holds settings to control the behavior of the Prepare call.

func (*PrepareConfig) BuiltinFuncs

func (p *PrepareConfig) BuiltinFuncs() map[string]*topdown.Builtin

BuiltinFuncs allows retrieving the builtin funcs set via PrepareOption WithBuiltinFuncs.

type PrepareOption

type PrepareOption func(*PrepareConfig)

PrepareOption defines a function to set an option to control the behavior of the Prepare call.

func WithBuiltinFuncs

func WithBuiltinFuncs(bis map[string]*topdown.Builtin) PrepareOption

WithBuiltinFuncs carries the rego.Function{1,2,3} per-query function definitions to the target plugins.

func WithNoInline

func WithNoInline(paths []string) PrepareOption

WithNoInline adds a set of paths to exclude from partial evaluation inlining.

func WithPartialEval

func WithPartialEval() PrepareOption

WithPartialEval configures an option for PrepareForEval which will have it perform partial evaluation while preparing the query (similar to rego.Rego#PartialResult)

type PreparedEvalQuery

type PreparedEvalQuery struct {
	// contains filtered or unexported fields
}

PreparedEvalQuery holds the prepared Rego state that has been pre-processed for subsequent evaluations.

func (PreparedEvalQuery) Eval

func (pq PreparedEvalQuery) Eval(ctx context.Context, options ...EvalOption) (ResultSet, error)

Eval evaluates this PartialResult's Rego object with additional eval options and returns a ResultSet. If options are provided they will override the original Rego options respective value. The original Rego object transaction will *not* be re-used. A new transaction will be opened if one is not provided with an EvalOption.

func (PreparedEvalQuery) Modules

func (pq PreparedEvalQuery) Modules() map[string]*ast.Module

type PreparedPartialQuery

type PreparedPartialQuery struct {
	// contains filtered or unexported fields
}

PreparedPartialQuery holds the prepared Rego state that has been pre-processed for partial evaluations.

func (PreparedPartialQuery) Modules

func (pq PreparedPartialQuery) Modules() map[string]*ast.Module

func (PreparedPartialQuery) Partial

func (pq PreparedPartialQuery) Partial(ctx context.Context, options ...EvalOption) (*PartialQueries, error)

Partial runs partial evaluation on the prepared query and returns the result. The original Rego object transaction will *not* be re-used. A new transaction will be opened if one is not provided with an EvalOption.

type Rego

type Rego struct {
	// contains filtered or unexported fields
}

Rego constructs a query and can be evaluated to obtain results.

Example (Custom_function_caching)
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/ast"
	"github.com/open-policy-agent/opa/v1/rego"
	"github.com/open-policy-agent/opa/v1/topdown"
	"github.com/open-policy-agent/opa/v1/types"
)

func main() {
	i := 0

	r := rego.New(
		// An example query that uses a custom function.
		rego.Query(`x = mycounter("foo"); y = mycounter("foo")`),

		// A custom function that uses caching.
		rego.FunctionDyn(
			&rego.Function{
				Name:    "mycounter",
				Memoize: true,
				Decl: types.NewFunction(
					types.Args(types.S), // one string input
					types.N,             // one number output
				),
			},
			func(_ topdown.BuiltinContext, args []*ast.Term) (*ast.Term, error) {
				i++
				return ast.IntNumberTerm(i), nil
			},
		),
	)

	rs, err := r.Eval(context.Background())
	if err != nil {
		// handle error
	}

	fmt.Println("x:", rs[0].Bindings["x"])
	fmt.Println("y:", rs[0].Bindings["y"])

}
Output:


x: 1
y: 1
Example (Custom_function_global)
package main

import (
	"context"
	"fmt"
	"strings"

	"github.com/open-policy-agent/opa/v1/ast"
	"github.com/open-policy-agent/opa/v1/rego"
	"github.com/open-policy-agent/opa/v1/types"
)

func main() {

	decl := &rego.Function{
		Name: "trim_and_split",
		Decl: types.NewFunction(
			types.Args(types.S, types.S), // two string inputs
			types.NewArray(nil, types.S), // variable-length string array output
		),
	}

	impl := func(_ rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error) {

		str, ok1 := a.Value.(ast.String)
		delim, ok2 := b.Value.(ast.String)

		// The function is undefined for non-string inputs. Built-in
		// functions should only return errors in unrecoverable cases.
		if !ok1 || !ok2 {
			return nil, nil
		}

		result := strings.Split(strings.Trim(string(str), string(delim)), string(delim))

		arr := make([]*ast.Term, len(result))
		for i := range result {
			arr[i] = ast.StringTerm(result[i])
		}

		return ast.ArrayTerm(arr...), nil
	}

	// The rego package exports helper functions for different arities and a
	// special version of the function that accepts a dynamic number.
	rego.RegisterBuiltin2(decl, impl)

	r := rego.New(
		// An example query that uses a custom function.
		rego.Query(`x = trim_and_split("/foo/bar/baz/", "/")`),
	)

	rs, err := r.Eval(context.Background())
	if err != nil {
		// handle error
	}

	fmt.Println(rs[0].Bindings["x"])

}
Output:


[foo bar baz]
Example (Custom_function_nondeterministic)
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/topdown/builtins"

	"github.com/open-policy-agent/opa/v1/ast"
	"github.com/open-policy-agent/opa/v1/rego"
	"github.com/open-policy-agent/opa/v1/topdown"
	"github.com/open-policy-agent/opa/v1/types"
)

func main() {
	ndbCache := builtins.NDBCache{}
	r := rego.New(
		// An example query that uses a custom function.
		rego.Query(`x = myrandom()`),

		// A custom function that uses caching.
		rego.FunctionDyn(
			&rego.Function{
				Name:             "myrandom",
				Memoize:          true,
				Nondeterministic: true,
				Decl: types.NewFunction(
					nil,     // one string input
					types.N, // one number output
				),
			},
			func(_ topdown.BuiltinContext, args []*ast.Term) (*ast.Term, error) {
				i := 55555
				return ast.IntNumberTerm(i), nil
			},
		),
		rego.NDBuiltinCache(ndbCache),
	)

	rs, err := r.Eval(context.Background())
	if err != nil {
		// handle error
	}

	// Check the binding, and what the NDBCache saw.
	// This ensures the Nondeterministic flag propagated through correctly.
	fmt.Println("x:", rs[0].Bindings["x"])
	fmt.Println("NDBCache:", ndbCache["myrandom"])

}
Output:


x: 55555
NDBCache: {[]: 55555}
Example (Custom_functional_builtin)
package main

import (
	"context"
	"fmt"
	"strings"

	"github.com/open-policy-agent/opa/v1/ast"
	"github.com/open-policy-agent/opa/v1/rego"
	"github.com/open-policy-agent/opa/v1/types"
)

func main() {

	r := rego.New(
		// An example query that uses a custom function.
		rego.Query(`x = trim_and_split("/foo/bar/baz/", "/")`),

		// A custom function that trims and splits strings on the same delimiter.
		rego.Function2(
			&rego.Function{
				Name: "trim_and_split",
				Decl: types.NewFunction(
					types.Args(types.S, types.S), // two string inputs
					types.NewArray(nil, types.S), // variable-length string array output
				),
			},
			func(_ rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error) {

				str, ok1 := a.Value.(ast.String)
				delim, ok2 := b.Value.(ast.String)

				// The function is undefined for non-string inputs. Built-in
				// functions should only return errors in unrecoverable cases.
				if !ok1 || !ok2 {
					return nil, nil
				}

				result := strings.Split(strings.Trim(string(str), string(delim)), string(delim))

				arr := make([]*ast.Term, len(result))
				for i := range result {
					arr[i] = ast.StringTerm(result[i])
				}

				return ast.ArrayTerm(arr...), nil
			},
		),
	)

	rs, err := r.Eval(context.Background())
	if err != nil {
		// handle error
	}

	fmt.Println(rs[0].Bindings["x"])

}
Output:


[foo bar baz]
Example (Print_statements)
package main

import (
	"bytes"
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/rego"
	"github.com/open-policy-agent/opa/v1/topdown"
)

func main() {

	var buf bytes.Buffer

	r := rego.New(
		rego.Query("data.example.rule_containing_print_call"),
		rego.Module("example.rego", `
			package example

			import rego.v1

			rule_containing_print_call if {
				print("input.foo is:", input.foo, "and input.bar is:", input.bar)
			}
		`),
		rego.Input(map[string]interface{}{
			"foo": 7,
		}),
		rego.EnablePrintStatements(true),
		rego.PrintHook(topdown.NewPrintHook(&buf)),
	)

	_, err := r.Eval(context.Background())
	if err != nil {
		// handle error
	}

	fmt.Println("buf:", buf.String())

}
Output:


buf: input.foo is: 7 and input.bar is: <undefined>

func New

func New(options ...func(r *Rego)) *Rego

New returns a new Rego object.

func (*Rego) Compile

func (r *Rego) Compile(ctx context.Context, opts ...CompileOption) (*CompileResult, error)

Compile returns a compiled policy query.

func (*Rego) Eval

func (r *Rego) Eval(ctx context.Context) (ResultSet, error)

Eval evaluates this Rego object and returns a ResultSet.

Example (Allowed)
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/rego"
)

func main() {

	ctx := context.Background()

	// Create query that returns a single boolean value.
	rego := rego.New(
		rego.Query("data.authz.allow"),
		rego.Module("example.rego",
			`package authz

import rego.v1

default allow = false
allow if {
	input.open == "sesame"
}`,
		),
		rego.Input(map[string]interface{}{"open": "sesame"}),
	)

	// Run evaluation.
	rs, err := rego.Eval(ctx)
	if err != nil {
		panic(err)
	}

	// Inspect result.
	fmt.Println("allowed:", rs.Allowed())

}
Output:


	allowed: true
Example (Compiler)
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/ast"
	"github.com/open-policy-agent/opa/v1/rego"
)

func main() {

	ctx := context.Background()

	// Define a simple policy.
	module := `
		package example

		import rego.v1

		default allow = false

		allow if {
			input.identity = "admin"
		}

		allow if {
			input.method = "GET"
		}
	`

	// Compile the module. The keys are used as identifiers in error messages.
	compiler, err := ast.CompileModules(map[string]string{
		"example.rego": module,
	})

	// Create a new query that uses the compiled policy from above.
	rego := rego.New(
		rego.Query("data.example.allow"),
		rego.Compiler(compiler),
		rego.Input(
			map[string]interface{}{
				"identity": "bob",
				"method":   "GET",
			},
		),
	)

	// Run evaluation.
	rs, err := rego.Eval(ctx)

	if err != nil {
		// Handle error.
	}

	// Inspect results.
	fmt.Println("len:", len(rs))
	fmt.Println("value:", rs[0].Expressions[0].Value)
	fmt.Println("allowed:", rs.Allowed()) // helper method

}
Output:


len: 1
value: true
allowed: true
Example (Errors)
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/ast"
	"github.com/open-policy-agent/opa/v1/rego"
)

func main() {

	ctx := context.Background()

	r := rego.New(
		rego.Query("data.example.p"),
		rego.Module("example_error.rego",
			`package example
import rego.v1

p = true if { not q[x] }
q = {1, 2, 3} if { true }`,
		))

	_, err := r.Eval(ctx)

	switch err := err.(type) {
	case ast.Errors:
		for _, e := range err {
			fmt.Println("code:", e.Code)
			fmt.Println("row:", e.Location.Row)
			fmt.Println("filename:", e.Location.File)
		}
	default:
		// Some other error occurred.
	}

}
Output:


code: rego_unsafe_var_error
row: 4
filename: example_error.rego
Example (Input)
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"

	"github.com/open-policy-agent/opa/v1/rego"
)

func main() {

	ctx := context.Background()

	// Raw input data that will be used in evaluation.
	raw := `{"users": [{"id": "bob"}, {"id": "alice"}]}`
	d := json.NewDecoder(bytes.NewBufferString(raw))

	// Numeric values must be represented using json.Number.
	d.UseNumber()

	var input interface{}

	if err := d.Decode(&input); err != nil {
		panic(err)
	}

	// Create a simple query over the input.
	rego := rego.New(
		rego.Query("input.users[idx].id = user_id"),
		rego.Input(input))

	//Run evaluation.
	rs, err := rego.Eval(ctx)

	if err != nil {
		// Handle error.
	}

	// Inspect results.
	fmt.Println("len:", len(rs))
	fmt.Println("bindings.idx:", rs[1].Bindings["idx"])
	fmt.Println("bindings.user_id:", rs[1].Bindings["user_id"])

}
Output:


len: 2
bindings.idx: 1
bindings.user_id: alice
Example (MultipleBindings)
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/rego"
)

func main() {

	ctx := context.Background()

	// Create query that produces multiple bindings for variable.
	rego := rego.New(
		rego.Query(`a = ["ex", "am", "ple"]; x = a[_]; not p[x]`),
		rego.Package(`example`),
		rego.Module("example.rego", `package example

		import rego.v1

		p contains "am" if { true }
		`),
	)

	// Run evaluation.
	rs, err := rego.Eval(ctx)

	// Inspect results.
	fmt.Println("len:", len(rs))
	fmt.Println("err:", err)
	for i := range rs {
		fmt.Printf("bindings[\"x\"]: %v (i=%d)\n", rs[i].Bindings["x"], i)
	}

}
Output:


len: 2
err: <nil>
bindings["x"]: ex (i=0)
bindings["x"]: ple (i=1)
Example (MultipleDocuments)
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/rego"
)

func main() {

	ctx := context.Background()

	// Create query that produces multiple documents.
	rego := rego.New(
		rego.Query("data.example.p[x]"),
		rego.Module("example.rego",
			`package example

import rego.v1

p = {"hello": "alice", "goodbye": "bob"} if { true }`,
		))

	// Run evaluation.
	rs, err := rego.Eval(ctx)

	// Inspect results.
	fmt.Println("len:", len(rs))
	fmt.Println("err:", err)
	for i := range rs {
		fmt.Printf("bindings[\"x\"]: %v (i=%d)\n", rs[i].Bindings["x"], i)
		fmt.Printf("value: %v (i=%d)\n", rs[i].Expressions[0].Value, i)
	}

}
Output:


len: 2
err: <nil>
bindings["x"]: goodbye (i=0)
value: bob (i=0)
bindings["x"]: hello (i=1)
value: alice (i=1)
Example (Persistent_storage)
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/open-policy-agent/opa/v1/logging"
	"github.com/open-policy-agent/opa/v1/storage/disk"

	"github.com/open-policy-agent/opa/v1/rego"
	"github.com/open-policy-agent/opa/v1/storage"
	"github.com/open-policy-agent/opa/v1/util"
)

func main() {

	ctx := context.Background()

	data := `{
        "example": {
            "users": {
				"alice": {
					"likes": ["dogs", "clouds"]
				},
				"bob": {
					"likes": ["pizza", "cats"]
				}
			}
        }
    }`

	var json map[string]interface{}

	err := util.UnmarshalJSON([]byte(data), &json)
	if err != nil {
		// Handle error.
	}

	// Manually create a persistent storage-layer in a temporary directory.
	rootDir, err := os.MkdirTemp("", "rego_example")
	if err != nil {
		panic(err)
	}

	defer os.RemoveAll(rootDir)

	// Configure the store to partition data at `/example/users` so that each
	// user's data is stored on a different row. Assuming the policy only reads
	// data for a single user to process the policy query, OPA can avoid loading
	// _all_ user data into memory this way.
	store, err := disk.New(ctx, logging.NewNoOpLogger(), nil, disk.Options{
		Dir:        rootDir,
		Partitions: []storage.Path{{"example", "user"}},
	})
	if err != nil {
		// Handle error.
	}

	err = storage.WriteOne(ctx, store, storage.AddOp, storage.Path{}, json)
	if err != nil {
		// Handle error
	}

	// Run a query that returns the value
	rs, err := rego.New(
		rego.Query(`data.example.users["alice"].likes`),
		rego.Store(store)).Eval(ctx)
	if err != nil {
		// Handle error.
	}

	// Inspect the result.
	fmt.Println("value:", rs[0].Expressions[0].Value)

	// Re-open the store in the same directory.
	store.Close(ctx)

	store2, err := disk.New(ctx, logging.NewNoOpLogger(), nil, disk.Options{
		Dir:        rootDir,
		Partitions: []storage.Path{{"example", "user"}},
	})
	if err != nil {
		// Handle error.
	}

	// Run the same query with a new store.
	rs, err = rego.New(
		rego.Query(`data.example.users["alice"].likes`),
		rego.Store(store2)).Eval(ctx)
	if err != nil {
		// Handle error.
	}

	// Inspect the result and observe the same result.
	fmt.Println("value:", rs[0].Expressions[0].Value)

}
Output:


value: [dogs clouds]
value: [dogs clouds]
Example (Simple)
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/rego"
)

func main() {

	ctx := context.Background()

	// Create very simple query that binds a single variable.
	rego := rego.New(rego.Query("x = 1"))

	// Run evaluation.
	rs, err := rego.Eval(ctx)

	// Inspect results.
	fmt.Println("len:", len(rs))
	fmt.Println("bindings:", rs[0].Bindings)
	fmt.Println("err:", err)

}
Output:


len: 1
bindings: map[x:1]
err: <nil>
Example (SingleDocument)
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/rego"
)

func main() {

	ctx := context.Background()

	// Create query that produces a single document.
	rego := rego.New(
		rego.Query("data.example.p"),
		rego.Module("example.rego",
			`package example

import rego.v1

p = ["hello", "world"] if { true }`,
		))

	// Run evaluation.
	rs, err := rego.Eval(ctx)

	// Inspect result.
	fmt.Println("value:", rs[0].Expressions[0].Value)
	fmt.Println("err:", err)

}
Output:


value: [hello world]
err: <nil>
Example (Storage)
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/rego"
	"github.com/open-policy-agent/opa/v1/storage/inmem"
	"github.com/open-policy-agent/opa/v1/util"
)

func main() {

	ctx := context.Background()

	data := `{
        "example": {
            "users": [
                {
                    "name": "alice",
                    "likes": ["dogs", "clouds"]
                },
                {
                    "name": "bob",
                    "likes": ["pizza", "cats"]
                }
            ]
        }
    }`

	var json map[string]interface{}

	err := util.UnmarshalJSON([]byte(data), &json)
	if err != nil {
		// Handle error.
	}

	// Manually create the storage layer. inmem.NewFromObject returns an
	// in-memory store containing the supplied data.
	store := inmem.NewFromObject(json)

	// Create new query that returns the value
	rego := rego.New(
		rego.Query("data.example.users[0].likes"),
		rego.Store(store))

	// Run evaluation.
	rs, err := rego.Eval(ctx)
	if err != nil {
		// Handle error.
	}

	// Inspect the result.
	fmt.Println("value:", rs[0].Expressions[0].Value)

}
Output:


value: [dogs clouds]
Example (Trace_simple)
package main

import (
	"context"
	"os"

	"github.com/open-policy-agent/opa/v1/rego"
)

func main() {

	ctx := context.Background()

	// Create very simple query that binds a single variable and enables tracing.
	r := rego.New(
		rego.Query("x = 1"),
		rego.Trace(true),
	)

	// Run evaluation.
	r.Eval(ctx)

	// Inspect results.
	rego.PrintTraceWithLocation(os.Stdout, r)

}
Output:


query:1     Enter x = 1
query:1     | Eval x = 1
query:1     | Unify x = 1
query:1     | Exit x = 1
query:1     Redo x = 1
query:1     | Redo x = 1
Example (Tracer)
package main

import (
	"context"
	"os"

	"github.com/open-policy-agent/opa/v1/rego"
	"github.com/open-policy-agent/opa/v1/topdown"
)

func main() {

	ctx := context.Background()

	buf := topdown.NewBufferTracer()

	// Create very simple query that binds a single variable and provides a tracer.
	rego := rego.New(
		rego.Query("x = 1"),
		rego.QueryTracer(buf),
	)

	// Run evaluation.
	rego.Eval(ctx)

	// Inspect results.
	topdown.PrettyTraceWithLocation(os.Stdout, *buf)

}
Output:


query:1     Enter x = 1
query:1     | Eval x = 1
query:1     | Unify x = 1
query:1     | Exit x = 1
query:1     Redo x = 1
query:1     | Redo x = 1
Example (Transactions)
package main

import (
	"bytes"
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/rego"
	"github.com/open-policy-agent/opa/v1/storage"
	"github.com/open-policy-agent/opa/v1/storage/inmem"
)

func main() {

	ctx := context.Background()

	// Create storage layer and load dummy data.
	store := inmem.NewFromReader(bytes.NewBufferString(`{
		"favourites": {
			"pizza": "cheese",
			"colour": "violet"
		}
	}`))

	// Open a write transaction on the store that will perform write operations.
	txn, err := store.NewTransaction(ctx, storage.WriteParams)
	if err != nil {
		// Handle error.
	}

	// Create rego query that uses the transaction created above.
	inside := rego.New(
		rego.Query("data.favourites.pizza"),
		rego.Store(store),
		rego.Transaction(txn),
	)

	// Create rego query that DOES NOT use the transaction created above. Under
	// the hood, the rego package will create it's own transaction to
	// ensure it evaluates over a consistent snapshot of the storage layer.
	outside := rego.New(
		rego.Query("data.favourites.pizza"),
		rego.Store(store),
	)

	// Write change to storage layer inside the transaction.
	err = store.Write(ctx, txn, storage.AddOp, storage.MustParsePath("/favourites/pizza"), "pepperoni")
	if err != nil {
		// Handle error.
	}

	// Run evaluation INSIDE the transaction.
	rs, err := inside.Eval(ctx)
	if err != nil {
		// Handle error.
	}

	fmt.Println("value (inside txn):", rs[0].Expressions[0].Value)

	// Run evaluation OUTSIDE the transaction.
	rs, err = outside.Eval(ctx)
	if err != nil {
		// Handle error.
	}

	fmt.Println("value (outside txn):", rs[0].Expressions[0].Value)

	if err := store.Commit(ctx, txn); err != nil {
		// Handle error.
	}

	// Run evaluation AFTER the transaction commits.
	rs, err = outside.Eval(ctx)
	if err != nil {
		// Handle error.
	}

	fmt.Println("value (after txn):", rs[0].Expressions[0].Value)

}
Output:


value (inside txn): pepperoni
value (outside txn): cheese
value (after txn): pepperoni

func (*Rego) Partial

func (r *Rego) Partial(ctx context.Context) (*PartialQueries, error)

Partial runs partial evaluation on r and returns the result.

Example
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/rego"
)

func main() {

	ctx := context.Background()

	// Define a simple policy for example purposes.
	module := `package test

	import rego.v1

	allow if {
		input.method = read_methods[_]
		input.path = ["reviews", user]
		input.user = user
	}

	allow if {
		input.method = read_methods[_]
		input.path = ["reviews", _]
		input.is_admin
	}

	read_methods = ["GET"]
	`

	r := rego.New(rego.Query("data.test.allow == true"), rego.Module("example.rego", module))
	pq, err := r.Partial(ctx)
	if err != nil {
		// Handle error.
	}

	// Inspect result.
	for i := range pq.Queries {
		fmt.Printf("Query #%d: %v\n", i+1, pq.Queries[i])
	}

}
Output:


Query #1: "GET" = input.method; input.path = ["reviews", _]; input.is_admin
Query #2: "GET" = input.method; input.path = ["reviews", user3]; user3 = input.user

func (*Rego) PartialEval

func (r *Rego) PartialEval(ctx context.Context) (PartialResult, error)

PartialEval has been deprecated and renamed to PartialResult.

func (*Rego) PartialResult

func (r *Rego) PartialResult(ctx context.Context) (PartialResult, error)

PartialResult partially evaluates this Rego object and returns a PartialResult.

Example
package main

import (
	"bytes"
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/rego"
	"github.com/open-policy-agent/opa/v1/storage/inmem"
)

func main() {

	ctx := context.Background()

	// Define a role-based access control (RBAC) policy that decides whether to
	// allow or deny requests. Requests are allowed if the user is bound to a
	// role that grants permission to perform the operation on the resource.
	module := `
		package example

		import rego.v1
		import data.bindings
		import data.roles

		default allow = false

		allow if {
			user_has_role[role_name]
			role_has_permission[role_name]
		}

		user_has_role contains role_name if {
			b = bindings[_]
			b.role = role_name
			b.user = input.subject.user
		}

		role_has_permission contains role_name if {
			r = roles[_]
			r.name = role_name
			match_with_wildcard(r.operations, input.operation)
			match_with_wildcard(r.resources, input.resource)
		}

		match_with_wildcard(allowed, value) if {
			allowed[_] = "*"
		}

		match_with_wildcard(allowed, value) if {
			allowed[_] = value
		}
	`

	// Define dummy roles and role bindings for the example. In real-world
	// scenarios, this data would be pushed or pulled into the service
	// embedding OPA either from an external API or configuration file.
	store := inmem.NewFromReader(bytes.NewBufferString(`{
		"roles": [
			{
				"resources": ["documentA", "documentB"],
				"operations": ["read"],
				"name": "analyst"
			},
			{
				"resources": ["*"],
				"operations": ["*"],
				"name": "admin"
			}
		],
		"bindings": [
			{
				"user": "bob",
				"role": "admin"
			},
			{
				"user": "alice",
				"role": "analyst"
			}
		]
	}`))

	// Prepare and run partial evaluation on the query. The result of partial
	// evaluation can be cached for performance. When the data or policy
	// change, partial evaluation should be re-run.
	r := rego.New(
		rego.Query("data.example.allow"),
		rego.Module("example.rego", module),
		rego.Store(store),
	)

	pr, err := r.PartialResult(ctx)
	if err != nil {
		// Handle error.
	}

	// Define example inputs (representing requests) that will be used to test
	// the policy.
	examples := []map[string]interface{}{
		{
			"resource":  "documentA",
			"operation": "write",
			"subject": map[string]interface{}{
				"user": "bob",
			},
		},
		{
			"resource":  "documentB",
			"operation": "write",
			"subject": map[string]interface{}{
				"user": "alice",
			},
		},
		{
			"resource":  "documentB",
			"operation": "read",
			"subject": map[string]interface{}{
				"user": "alice",
			},
		},
	}

	for i := range examples {

		// Prepare and run normal evaluation from the result of partial
		// evaluation.
		r := pr.Rego(
			rego.Input(examples[i]),
		)

		rs, err := r.Eval(ctx)

		if err != nil || len(rs) != 1 || len(rs[0].Expressions) != 1 {
			// Handle erorr.
		} else {
			fmt.Printf("input %d allowed: %v\n", i+1, rs[0].Expressions[0].Value)
		}
	}

}
Output:


input 1 allowed: true
input 2 allowed: false
input 3 allowed: true

func (*Rego) PrepareForEval

func (r *Rego) PrepareForEval(ctx context.Context, opts ...PrepareOption) (PreparedEvalQuery, error)

PrepareForEval will parse inputs, modules, and query arguments in preparation of evaluating them.

Example
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/rego"
)

func main() {
	ctx := context.Background()

	// Create a simple query
	r := rego.New(
		rego.Query("input.x == 1"),
	)

	// Prepare for evaluation
	pq, err := r.PrepareForEval(ctx)

	if err != nil {
		// Handle error.
	}

	// Raw input data that will be used in the first evaluation
	input := map[string]interface{}{"x": 2}

	// Run the evaluation
	rs, err := pq.Eval(ctx, rego.EvalInput(input))

	if err != nil {
		// Handle error.
	}

	// Inspect results.
	fmt.Println("initial result:", rs[0].Expressions[0])

	// Update input
	input["x"] = 1

	// Run the evaluation with new input
	rs, err = pq.Eval(ctx, rego.EvalInput(input))

	if err != nil {
		// Handle error.
	}

	// Inspect results.
	fmt.Println("updated result:", rs[0].Expressions[0])

}
Output:


initial result: false
updated result: true

func (*Rego) PrepareForPartial

func (r *Rego) PrepareForPartial(ctx context.Context, opts ...PrepareOption) (PreparedPartialQuery, error)

PrepareForPartial will parse inputs, modules, and query arguments in preparation of partially evaluating them.

Example
package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/v1/rego"
)

func main() {

	ctx := context.Background()

	// Define a simple policy for example purposes.
	module := `package test

	import rego.v1

	allow if {
		input.method = read_methods[_]
		input.path = ["reviews", user]
		input.user = user
	}

	allow if {
		input.method = read_methods[_]
		input.path = ["reviews", _]
		input.is_admin
	}

	read_methods = ["GET"]
	`

	r := rego.New(
		rego.Query("data.test.allow == true"),
		rego.Module("example.rego", module),
	)

	pq, err := r.PrepareForPartial(ctx)
	if err != nil {
		// Handle error.
	}

	pqs, err := pq.Partial(ctx)
	if err != nil {
		// Handle error.
	}

	// Inspect result
	fmt.Println("First evaluation")
	for i := range pqs.Queries {
		fmt.Printf("Query #%d: %v\n", i+1, pqs.Queries[i])
	}

	// Evaluate with specified input
	exampleInput := map[string]string{
		"method": "GET",
	}

	// Evaluate again with different input and unknowns
	pqs, err = pq.Partial(ctx,
		rego.EvalInput(exampleInput),
		rego.EvalUnknowns([]string{"input.user", "input.is_admin", "input.path"}),
	)
	if err != nil {
		// Handle error.
	}

	// Inspect result
	fmt.Println("Second evaluation")
	for i := range pqs.Queries {
		fmt.Printf("Query #%d: %v\n", i+1, pqs.Queries[i])
	}

}
Output:


First evaluation
Query #1: "GET" = input.method; input.path = ["reviews", _]; input.is_admin
Query #2: "GET" = input.method; input.path = ["reviews", user3]; user3 = input.user
Second evaluation
Query #1: input.path = ["reviews", _]; input.is_admin
Query #2: input.path = ["reviews", user3]; user3 = input.user

func (*Rego) RegoVersion

func (r *Rego) RegoVersion() ast.RegoVersion

type Result

type Result struct {
	Expressions []*ExpressionValue `json:"expressions"`
	Bindings    Vars               `json:"bindings,omitempty"`
}

Result defines the output of Rego evaluation.

type ResultSet

type ResultSet []Result

ResultSet represents a collection of output from Rego evaluation. An empty result set represents an undefined query.

func (ResultSet) Allowed

func (rs ResultSet) Allowed() bool

Allowed is a helper method that'll return true if all of these conditions hold: - the result set only has one element - there is only one expression in the result set's only element - that expression has the value `true` - there are no bindings.

If bindings are present, this will yield `false`: it would be a pitfall to return `true` for a query like `data.authz.allow = x`, which always has result set element with value true, but could also have a binding `x: false`.

type TargetPlugin

type TargetPlugin interface {
	IsTarget(string) bool
	PrepareForEval(context.Context, *ir.Policy, ...PrepareOption) (TargetPluginEval, error)
}

type TargetPluginEval

type TargetPluginEval interface {
	Eval(context.Context, *EvalContext, ast.Value) (ast.Value, error)
}

type Vars

type Vars map[string]interface{}

Vars represents a collection of variable bindings. The keys are the variable names and the values are the binding values.

func (Vars) WithoutWildcards

func (v Vars) WithoutWildcards() Vars

WithoutWildcards returns a copy of v with wildcard variables removed.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL