Documentation ¶
Overview ¶
Package ast declares Rego syntax tree types and also includes a parser and compiler for preparing policies for execution in the policy engine.
Rego policies are defined using a relatively small set of types: modules, package and import declarations, rules, expressions, and terms. At their core, policies consist of rules that are defined by one or more expressions over documents available to the policy engine. The expressions are defined by intrinsic values (terms) such as strings, objects, variables, etc.
Rego policies are typically defined in text files and then parsed and compiled by the policy engine at runtime. The parsing stage takes the text or string representation of the policy and converts it into an abstract syntax tree (AST) that consists of the types mentioned above. The AST is organized as follows:
Module | +--- Package (Reference) | +--- Imports | | | +--- Import (Term) | +--- Rules | +--- Rule | +--- Head | | | +--- Name (Variable) | | | +--- Key (Term) | | | +--- Value (Term) | +--- Body | +--- Expression (Term | Terms)
At query time, the policy engine expects policies to have been compiled. The compilation stage takes one or more modules and compiles them into a format that the policy engine supports.
Index ¶
- Constants
- Variables
- func Compare(a, b interface{}) int
- func IsError(code string, err error) bool
- func IsKeyword(s string) bool
- func IsScalar(v Value) bool
- func IsValidImportPath(v Value) (err error)
- func Parse(filename string, b []byte, opts ...Option) (interface{}, error)
- func ParseFile(filename string, opts ...Option) (interface{}, error)
- func ParseReader(filename string, r io.Reader, opts ...Option) (interface{}, error)
- func RegisterBuiltin(b *Builtin)
- func Transform(t Transformer, x interface{}) (interface{}, error)
- func TransformRefs(x interface{}, f func(Ref) (Value, error)) (interface{}, error)
- func TypeName(x interface{}) string
- func Walk(v Visitor, x interface{})
- func WalkBodies(x interface{}, f func(Body) bool)
- func WalkClosures(x interface{}, f func(interface{}) bool)
- func WalkRefs(x interface{}, f func(Ref) bool)
- func WalkVars(x interface{}, f func(Var) bool)
- func WalkWiths(x interface{}, f func(*With) bool)
- type Array
- type ArrayComprehension
- func (ac *ArrayComprehension) Copy() *ArrayComprehension
- func (ac *ArrayComprehension) Equal(other Value) bool
- func (ac *ArrayComprehension) Find(path []string) (Value, error)
- func (ac *ArrayComprehension) Hash() int
- func (ac *ArrayComprehension) IsGround() bool
- func (ac *ArrayComprehension) String() string
- type Body
- func (body *Body) Append(expr *Expr)
- func (body Body) Compare(other Body) int
- func (body Body) Contains(x *Expr) bool
- func (body Body) Copy() Body
- func (body Body) Equal(other Body) bool
- func (body Body) Hash() int
- func (body Body) IsGround() bool
- func (body Body) Loc() *Location
- func (body Body) OutputVars(safe VarSet) VarSet
- func (body Body) String() string
- func (body Body) Vars(params VarVisitorParams) VarSet
- type Boolean
- type Builtin
- type Comment
- type Compiler
- func (c *Compiler) Compile(modules map[string]*Module)
- func (c *Compiler) Failed() bool
- func (c *Compiler) GetRules(ref Ref) (rules []*Rule)
- func (c *Compiler) GetRulesExact(ref Ref) (rules []*Rule)
- func (c *Compiler) GetRulesForVirtualDocument(ref Ref) (rules []*Rule)
- func (c *Compiler) GetRulesWithPrefix(ref Ref) (rules []*Rule)
- func (c *Compiler) QueryCompiler() QueryCompiler
- func (c *Compiler) WithModuleLoader(f ModuleLoader) *Compiler
- type DocKind
- type Error
- type Errors
- type Expr
- func (expr *Expr) Compare(other *Expr) int
- func (expr *Expr) Complement() *Expr
- func (expr *Expr) Copy() *Expr
- func (expr *Expr) Equal(other *Expr) bool
- func (expr *Expr) Hash() int
- func (expr *Expr) IncludeWith(target *Term, value *Term) *Expr
- func (expr *Expr) IsEquality() bool
- func (expr *Expr) IsGround() bool
- func (expr *Expr) NoWith() *Expr
- func (expr *Expr) OutputVars(safe VarSet) VarSet
- func (expr *Expr) String() string
- func (expr *Expr) UnmarshalJSON(bs []byte) error
- func (expr *Expr) Vars(params VarVisitorParams) VarSet
- type GenericTransformer
- type GenericVisitor
- type Head
- type Import
- type Location
- type Module
- type ModuleLoader
- type ModuleTreeNode
- type Null
- type Number
- type Object
- func (obj Object) Copy() Object
- func (obj Object) Diff(other Object) Object
- func (obj Object) Equal(other Value) bool
- func (obj Object) Find(path []string) (Value, error)
- func (obj Object) Get(k *Term) *Term
- func (obj Object) Hash() int
- func (obj Object) Intersect(other Object) [][3]*Term
- func (obj Object) IsGround() bool
- func (obj Object) Keys() []*Term
- func (obj Object) MarshalJSON() ([]byte, error)
- func (obj Object) Merge(other Object) (Object, bool)
- func (obj Object) String() string
- type Option
- type Package
- type QueryCompiler
- type QueryContext
- type QueryIterator
- type Ref
- func (ref Ref) Append(term *Term) Ref
- func (ref Ref) Copy() Ref
- func (ref Ref) Equal(other Value) bool
- func (ref Ref) Extend(other Ref) Ref
- func (ref Ref) Find(path []string) (Value, error)
- func (ref Ref) GroundPrefix() Ref
- func (ref Ref) HasPrefix(other Ref) bool
- func (ref Ref) Hash() int
- func (ref Ref) IsGround() bool
- func (ref Ref) IsNested() bool
- func (ref Ref) OutputVars() VarSet
- func (ref Ref) String() string
- type Rule
- type RuleTreeNode
- type Set
- func (s *Set) Add(t *Term)
- func (s Set) Contains(t *Term) bool
- func (s *Set) Copy() *Set
- func (s *Set) Diff(other *Set) *Set
- func (s *Set) Equal(v Value) bool
- func (s *Set) Find(path []string) (Value, error)
- func (s *Set) Hash() int
- func (s *Set) Intersect(other *Set) *Set
- func (s *Set) IsGround() bool
- func (s *Set) Iter(f func(*Term) bool) (stop bool)
- func (s *Set) Map(f func(*Term) (*Term, error)) (*Set, error)
- func (s *Set) Reduce(i *Term, f func(*Term, *Term) (*Term, error)) (*Term, error)
- func (s *Set) String() string
- func (s *Set) Union(other *Set) *Set
- type Statement
- type String
- type Term
- func ArrayComprehensionTerm(term *Term, body Body) *Term
- func ArrayTerm(a ...*Term) *Term
- func BooleanTerm(b bool) *Term
- func FloatNumberTerm(f float64) *Term
- func IntNumberTerm(i int) *Term
- func Item(key, value *Term) [2]*Term
- func MustParseTerm(input string) *Term
- func NewTerm(v Value) *Term
- func NullTerm() *Term
- func NumberTerm(n json.Number) *Term
- func ObjectTerm(o ...[2]*Term) *Term
- func ParseTerm(input string) (*Term, error)
- func RefTerm(r ...*Term) *Term
- func SetTerm(t ...*Term) *Term
- func StringTerm(s string) *Term
- func VarTerm(v string) *Term
- type Transformer
- type Value
- type ValueMap
- func (vs *ValueMap) Copy() *ValueMap
- func (vs *ValueMap) Delete(k Value)
- func (vs *ValueMap) Equal(other *ValueMap) bool
- func (vs *ValueMap) Get(k Value) Value
- func (vs *ValueMap) Hash() int
- func (vs *ValueMap) Iter(iter func(Value, Value) bool) bool
- func (vs *ValueMap) Len() int
- func (vs *ValueMap) Put(k, v Value)
- func (vs *ValueMap) String() string
- type Var
- type VarSet
- type VarVisitor
- type VarVisitorParams
- type Visitor
- type With
Examples ¶
Constants ¶
const ( // ParseErr indicates an unclassified parse error occurred. ParseErr = "rego_parse_error" // CompileErr indicates an unclassified compile error occurred. CompileErr = "rego_compile_error" // TypeErr indicates a type error was caught. TypeErr = "rego_type_error" // UnsafeVarErr indicates an unsafe variable was found during compilation. UnsafeVarErr = "rego_unsafe_var_error" // RecursionErr indicates recursion was found during compilation. RecursionErr = "rego_recursion_error" // InputErr indicates the query depends on input but no input or conflicting // input was provided. InputErr = "rego_input_error" )
const ( // CompleteDoc represents a document that is completely defined by the rule. CompleteDoc = iota // PartialSetDoc represents a set document that is partially defined by the rule. PartialSetDoc = iota // PartialObjectDoc represents an object document that is partially defined by the rule. PartialObjectDoc = iota )
const ( NullTypeName = "null" BooleanTypeName = "boolean" StringTypeName = "string" NumberTypeName = "number" VarTypeName = "var" RefTypeName = "ref" ArrayTypeName = "array" ObjectTypeName = "object" SetTypeName = "set" ArrayComprehensionTypeName = "arraycomprehension" ExprTypeName = "expr" WithTypeName = "with" BodyTypeName = "body" HeadTypeName = "head" RuleTypeName = "rule" ImportTypeName = "import" PackageTypeName = "package" )
The type names provide consistent strings for types in error messages.
Variables ¶
var Abs = &Builtin{ Name: Var("abs"), NumArgs: 2, TargetPos: []int{1}, }
Abs returns the number without its sign.
var And = &Builtin{ Name: Var("and"), Infix: Var("&"), NumArgs: 3, TargetPos: []int{2}, }
And performs a binary AND operation on numbers and an intersection operation on sets.
var BuiltinMap map[Var]*Builtin
BuiltinMap provides a convenient mapping of built-in names to built-in definitions.
var Builtins []*Builtin
Builtins is the registry of built-in functions supported by OPA. Call RegisterBuiltin to add a new built-in.
var Concat = &Builtin{ Name: Var("concat"), NumArgs: 3, TargetPos: []int{2}, }
Concat joins an array of strings to with an input string.
var Contains = &Builtin{ Name: Var("contains"), NumArgs: 2, }
Contains returns true if the search string is included in the base string
var Count = &Builtin{ Name: Var("count"), NumArgs: 2, TargetPos: []int{1}, }
Count takes a collection and counts the number of elements in it.
var DefaultBuiltins = [...]*Builtin{ Equality, GreaterThan, GreaterThanEq, LessThan, LessThanEq, NotEqual, Plus, Minus, Multiply, Divide, Round, Abs, And, Or, Count, Sum, Max, ToNumber, RegexMatch, SetDiff, Concat, FormatInt, IndexOf, Substring, Lower, Upper, Contains, StartsWith, EndsWith, }
DefaultBuiltins is the registry of built-in functions supported in OPA by default. When adding a new built-in function to OPA, update this list.
var DefaultRootDocument = VarTerm("data")
DefaultRootDocument is the default root document.
All package directives inside source files are implicitly prefixed with the DefaultRootDocument value.
var DefaultRootRef = Ref{DefaultRootDocument}
DefaultRootRef is a reference to the root of the default document.
All refs to data in the policy engine's storage layer are prefixed with this ref.
var Divide = &Builtin{ Name: Var("div"), Infix: Var("/"), NumArgs: 3, TargetPos: []int{2}, }
Divide divides the first number by the second number.
var EndsWith = &Builtin{ Name: Var("endswith"), NumArgs: 2, }
EndsWith returns true if the search string begins with the base string
var Equality = &Builtin{ Name: Var("eq"), Infix: Var("="), NumArgs: 2, TargetPos: []int{0, 1}, }
Equality represents the "=" operator.
var FormatInt = &Builtin{ Name: Var("format_int"), NumArgs: 3, TargetPos: []int{2}, }
FormatInt returns the string representation of the number in the given base after converting it to an integer value.
var GreaterThan = &Builtin{ Name: Var("gt"), Infix: Var(">"), NumArgs: 2, }
GreaterThan represents the ">" comparison operator.
var GreaterThanEq = &Builtin{ Name: Var("gte"), Infix: Var(">="), NumArgs: 2, }
GreaterThanEq represents the ">=" comparison operator.
var IndexOf = &Builtin{ Name: Var("indexof"), NumArgs: 3, TargetPos: []int{2}, }
IndexOf returns the index of a substring contained inside a string
var InputRootDocument = VarTerm("input")
InputRootDocument names the document containing query arguments.
var InputRootRef = Ref{InputRootDocument}
InputRootRef is a reference to the root of the input document.
All refs to query arguments are prefixed with this ref.
var Keywords = [...]string{
"not",
"package",
"import",
"as",
"default",
"with",
"null",
"true",
"false",
}
Keywords contains strings that map to language keywords.
var LessThan = &Builtin{ Name: Var("lt"), Infix: Var("<"), NumArgs: 2, }
LessThan represents the "<" comparison operator.
var LessThanEq = &Builtin{ Name: Var("lte"), Infix: Var("<="), NumArgs: 2, }
LessThanEq represents the "<=" comparison operator.
var Lower = &Builtin{ Name: Var("lower"), NumArgs: 2, TargetPos: []int{1}, }
Lower returns the input string but with all characters in lower-case
var Max = &Builtin{ Name: Var("max"), NumArgs: 2, TargetPos: []int{1}, }
Max returns the maximum value in a collection.
var Minus = &Builtin{ Name: Var("minus"), Infix: Var("-"), NumArgs: 3, TargetPos: []int{2}, }
Minus subtracts the second number from the first number or computes the diff between two sets.
var Multiply = &Builtin{ Name: Var("mul"), Infix: Var("*"), NumArgs: 3, TargetPos: []int{2}, }
Multiply multiplies two numbers together.
var NotEqual = &Builtin{ Name: Var("neq"), Infix: Var("!="), NumArgs: 2, }
NotEqual represents the "!=" comparison operator.
var Or = &Builtin{ Name: Var("or"), Infix: Var("|"), NumArgs: 3, TargetPos: []int{2}, }
Or performs a binary OR operation on numbers and a union operation on sets.
var Plus = &Builtin{ Name: Var("plus"), Infix: Var("+"), NumArgs: 3, TargetPos: []int{2}, }
Plus adds two numbers together.
var RegexMatch = &Builtin{ Name: Var("re_match"), NumArgs: 2, }
RegexMatch takes two strings and evaluates to true if the string in the second position matches the pattern in the first position.
var ReservedVars = NewVarSet( DefaultRootDocument.Value.(Var), InputRootDocument.Value.(Var), )
ReservedVars is the set of names that refer to implicitly ground vars.
var RootDocumentNames = &Set{ DefaultRootDocument, InputRootDocument, }
RootDocumentNames contains the names of top-level documents that can be referred to in modules and queries.
var RootDocumentRefs = &Set{ NewTerm(DefaultRootRef), NewTerm(InputRootRef), }
RootDocumentRefs contains the prefixes of top-level documents that all non-local references start with.
var Round = &Builtin{ Name: Var("round"), NumArgs: 2, TargetPos: []int{1}, }
Round rounds the number up to the nearest integer.
var SetDiff = &Builtin{ Name: Var("set_diff"), NumArgs: 3, TargetPos: []int{2}, }
SetDiff has been replaced by the minus built-in.
var StartsWith = &Builtin{ Name: Var("startswith"), NumArgs: 2, }
StartsWith returns true if the search string begins with the base string
var Substring = &Builtin{ Name: Var("substring"), NumArgs: 4, TargetPos: []int{3}, }
Substring returns the portion of a string for a given start index and a length.
If the length is less than zero, then substring returns the remainder of the string.
var Sum = &Builtin{ Name: Var("sum"), NumArgs: 2, TargetPos: []int{1}, }
Sum takes an array of numbers and sums them.
var SystemDocumentKey = String("system")
SystemDocumentKey is the name of the top-level key that identifies the system document.
var ToNumber = &Builtin{ Name: Var("to_number"), NumArgs: 2, TargetPos: []int{1}, }
ToNumber takes a string, bool, or number value and converts it to a number. Strings are converted to numbers using strconv.Atoi. Boolean false is converted to 0 and boolean true is converted to 1.
var Upper = &Builtin{ Name: Var("upper"), NumArgs: 2, TargetPos: []int{1}, }
Upper returns the input string but with all characters in upper-case
var Wildcard = &Term{Value: Var("_")}
Wildcard represents the wildcard variable as defined in the language.
var WildcardPrefix = "$"
WildcardPrefix is the special character that all wildcard variables are prefixed with when the statement they are contained in is parsed.
Functions ¶
func Compare ¶ added in v0.2.0
func Compare(a, b interface{}) int
Compare returns an integer indicating whether two AST values are less than, equal to, or greater than each other.
If a is less than b, the return value is negative. If a is greater than b, the return value is positive. If a is equal to b, the return value is zero.
Different types are never equal to each other. For comparison purposes, types are sorted as follows:
nil < Null < Boolean < Number < String < Var < Ref < Array < Object < Set < ArrayComprehension < Expr < Body < Rule < Import < Package < Module.
Arrays and Refs are equal iff both a and b have the same length and all corresponding elements are equal. If one element is not equal, the return value is the same as for the first differing element. If all elements are equal but a and b have different lengths, the shorter is considered less than the other.
Objects are considered equal iff both a and b have the same sorted (key, value) pairs and are of the same length. Other comparisons are consistent but not defined.
Sets are considered equal iff the symmetric difference of a and b is empty. Other comparisons are consistent but not defined.
func IsValidImportPath ¶ added in v0.3.0
IsValidImportPath returns an error indicating if the import path is invalid. If the import path is invalid, err is nil.
func ParseReader ¶
ParseReader parses the data from r using filename as information in the error messages.
func RegisterBuiltin ¶
func RegisterBuiltin(b *Builtin)
RegisterBuiltin adds a new built-in function to the registry.
func Transform ¶ added in v0.2.0
func Transform(t Transformer, x interface{}) (interface{}, error)
Transform iterates the AST and calls the Transform function on the Transformer t for x before recursing.
func TransformRefs ¶ added in v0.2.0
TransformRefs calls the function f on all references under x.
func TypeName ¶ added in v0.3.0
func TypeName(x interface{}) string
TypeName returns a human readable name for the AST element type.
func Walk ¶
func Walk(v Visitor, x interface{})
Walk iterates the AST by calling the Visit function on the Visitor v for x before recursing.
func WalkBodies ¶ added in v0.2.0
WalkBodies calls the function f on all bodies under x. If the function f returns true, AST nodes under the last node will not be visited.
func WalkClosures ¶
func WalkClosures(x interface{}, f func(interface{}) bool)
WalkClosures calls the function f on all closures under x. If the function f returns true, AST nodes under the last node will not be visited.
func WalkRefs ¶
WalkRefs calls the function f on all references under x. If the function f returns true, AST nodes under the last node will not be visited.
Types ¶
type Array ¶
type Array []*Term
Array represents an array as defined by the language. Arrays are similar to the same types as defined by JSON with the exception that they can contain Vars and References.
func (Array) MarshalJSON ¶ added in v0.3.0
MarshalJSON returns JSON encoded bytes representing arr.
type ArrayComprehension ¶
ArrayComprehension represents an array comprehension as defined in the language.
func (*ArrayComprehension) Copy ¶ added in v0.2.2
func (ac *ArrayComprehension) Copy() *ArrayComprehension
Copy returns a deep copy of ac.
func (*ArrayComprehension) Equal ¶
func (ac *ArrayComprehension) Equal(other Value) bool
Equal returns true if ac is equal to other.
func (*ArrayComprehension) Find ¶ added in v0.4.5
func (ac *ArrayComprehension) Find(path []string) (Value, error)
Find returns the current value or a not found error.
func (*ArrayComprehension) Hash ¶
func (ac *ArrayComprehension) Hash() int
Hash returns the hash code of the Value.
func (*ArrayComprehension) IsGround ¶
func (ac *ArrayComprehension) IsGround() bool
IsGround returns true if the Term and Body are ground.
func (*ArrayComprehension) String ¶
func (ac *ArrayComprehension) String() string
type Body ¶
type Body []*Expr
Body represents one or more expressios contained inside a rule.
func MustParseBody ¶
MustParseBody returns a parsed body. If an error occurs during parsing, panic.
func NewBody ¶ added in v0.2.0
NewBody returns a new Body containing the given expressions. The indices of the immediate expressions will be reset.
func ParseBody ¶
ParseBody returns exactly one body. If multiple bodies are parsed, an error is returned.
func (*Body) Append ¶ added in v0.4.1
Append adds the expr to the body and updates the expr's index accordingly.
func (Body) Compare ¶ added in v0.2.0
Compare returns an integer indicating whether body is less than, equal to, or greater than other.
If body is a subset of other, it is considered less than (and vice versa).
func (Body) OutputVars ¶
OutputVars returns a VarSet containing the variables that would be bound by evaluating the body.
func (Body) Vars ¶
func (body Body) Vars(params VarVisitorParams) VarSet
Vars returns a VarSet containing variables in body. The params can be set to control which vars are included.
type Boolean ¶
type Boolean bool
Boolean represents a boolean value defined by JSON.
type Builtin ¶
type Builtin struct { Name Var // Unique name of built-in function, e.g., <Name>(term,term,...,term) Infix Var // Unique name of infix operator. Default should be unset. NumArgs int // Total number of args required by built-in. TargetPos []int // Argument positions that bind outputs. Indexing is zero-based. }
Builtin represents a built-in function supported by OPA. Every built-in function is uniquely identified by a name.
func (*Builtin) IsTargetPos ¶
IsTargetPos returns true if a variable in the i-th position will be bound when the expression is evaluated.
type Comment ¶ added in v0.4.0
Comment contains the raw text from the comment in the definition.
func NewComment ¶ added in v0.4.0
NewComment returns a new Comment object.
type Compiler ¶
type Compiler struct { // Errors contains errors that occurred during the compilation process. // If there are one or more errors, the compilation process is considered // "failed". Errors Errors // Modules contains the compiled modules. The compiled modules are the // output of the compilation process. If the compilation process failed, // there is no guarantee about the state of the modules. Modules map[string]*Module // ModuleTree organizes the modules into a tree where each node is keyed by // an element in the module's package path. E.g., given modules containing // the following package directives: "a", "a.b", "a.c", and "a.b", the // resulting module tree would be: // // root // | // +--- data (no modules) // | // +--- a (1 module) // | // +--- b (2 modules) // | // +--- c (1 module) // ModuleTree *ModuleTreeNode // RuleTree organizes rules into a tree where each node is keyed by an // element in the rule's path. The rule path is the concatenation of the // containing package and the stringified rule name. E.g., given the // following module: // // package ex // p[1] { true } // p[2] { true } // q = true // // root // | // +--- data (no rules) // | // +--- ex (no rules) // | // +--- p (2 rules) // | // +--- q (1 rule) RuleTree *RuleTreeNode // RuleGraph represents the rule dependencies. // An edge (u, v) is added to the graph if rule "u" depends on rule "v". // A rule depends on another rule if it refers to it. RuleGraph map[*Rule]map[*Rule]struct{} // contains filtered or unexported fields }
Compiler contains the state of a compilation process.
func (*Compiler) Compile ¶
Compile runs the compilation process on the input modules. The compiled version of the modules and associated data structures are stored on the compiler. If the compilation process fails for any reason, the compiler will contain a slice of errors.
Example ¶
package main import ( "fmt" "github.com/open-policy-agent/opa/ast" ) func main() { // Define an input module that will be compiled. exampleModule := `package opa.example import data.foo import input.bar p[x] { foo[x]; not bar[x]; x >= min_x } min_x = 100 { true }` // Parse the input module to obtain the AST representation. mod, err := ast.ParseModule("my_module", exampleModule) if err != nil { fmt.Println("Parse error:", err) } // Create a new compiler instance and compile the module. c := ast.NewCompiler() mods := map[string]*ast.Module{ "my_module": mod, } if c.Compile(mods); c.Failed() { fmt.Println("Compile error:", c.Errors) } fmt.Println("Expr 1:", c.Modules["my_module"].Rules[0].Body[0]) fmt.Println("Expr 2:", c.Modules["my_module"].Rules[0].Body[1]) fmt.Println("Expr 3:", c.Modules["my_module"].Rules[0].Body[2]) }
Output: Expr 1: data.foo[x] Expr 2: not input.bar[x] Expr 3: x >= data.opa.example.min_x
func (*Compiler) GetRules ¶ added in v0.4.0
GetRules returns a slice of rules that are referred to by ref.
E.g., given the following module:
package a.b.c p[x] = y { q[x] = y; ... } # rule1 q[x] = y { ... } # rule2
The following calls yield the rules on the right.
GetRules("data.a.b.c.p") => [rule1] GetRules("data.a.b.c.p.x") => [rule1] GetRules("data.a.b.c.q") => [rule2] GetRules("data.a.b.c") => [rule1, rule2] GetRules("data.a.b.d") => nil
func (*Compiler) GetRulesExact ¶ added in v0.2.0
GetRulesExact returns a slice of rules referred to by the reference.
E.g., given the following module:
package a.b.c p[k] = v { ... } # rule1 p[k1] = v1 { ... } # rule2
The following calls yield the rules on the right.
GetRulesExact("data.a.b.c.p") => [rule1, rule2] GetRulesExact("data.a.b.c.p.x") => nil GetRulesExact("data.a.b.c") => nil
func (*Compiler) GetRulesForVirtualDocument ¶ added in v0.2.0
GetRulesForVirtualDocument returns a slice of rules that produce the virtual document referred to by the reference.
E.g., given the following module:
package a.b.c p[k] = v { ... } # rule1 p[k1] = v1 { ... } # rule2
The following calls yield the rules on the right.
GetRulesForVirtualDocument("data.a.b.c.p") => [rule1, rule2] GetRulesForVirtualDocument("data.a.b.c.p.x") => [rule1, rule2] GetRulesForVirtualDocument("data.a.b.c") => nil
func (*Compiler) GetRulesWithPrefix ¶ added in v0.2.0
GetRulesWithPrefix returns a slice of rules that share the prefix ref.
E.g., given the following module:
package a.b.c p[x] = y { ... } # rule1 p[k] = v { ... } # rule2 q { ... } # rule3
The following calls yield the rules on the right.
GetRulesWithPrefix("data.a.b.c.p") => [rule1, rule2] GetRulesWithPrefix("data.a.b.c.p.a") => nil GetRulesWithPrefix("data.a.b.c") => [rule1, rule2, rule3]
func (*Compiler) QueryCompiler ¶ added in v0.2.2
func (c *Compiler) QueryCompiler() QueryCompiler
QueryCompiler returns a new QueryCompiler object.
func (*Compiler) WithModuleLoader ¶ added in v0.3.0
func (c *Compiler) WithModuleLoader(f ModuleLoader) *Compiler
WithModuleLoader sets f as the ModuleLoader on the compiler.
The compiler will invoke the ModuleLoader after resolving all references in the current set of input modules. The ModuleLoader can return a new collection of parsed modules that are to be included in the compilation process. This process will repeat until the ModuleLoader returns an empty collection or an error. If an error is returned, compilation will stop immediately.
type DocKind ¶
type DocKind int
DocKind represents the collection of document types that can be produced by rules.
type Error ¶ added in v0.2.0
type Error struct { Code string `json:"code"` Message string `json:"message"` Location *Location `json:"location,omitempty"` }
Error represents a single error caught during parsing, compiling, etc.
type Errors ¶ added in v0.2.0
type Errors []*Error
Errors represents a series of errors encountered during parsing, compiling, etc.
type Expr ¶
type Expr struct { Location *Location `json:"-"` Index int `json:"index"` Negated bool `json:"negated,omitempty"` Terms interface{} `json:"terms"` With []*With `json:"with,omitempty"` }
Expr represents a single expression contained inside the body of a rule.
func MustParseExpr ¶ added in v0.2.0
MustParseExpr returns a parsed expression. If an error occurs during parsing, panic.
func NewBuiltinExpr ¶
NewBuiltinExpr creates a new Expr object with the supplied terms. The builtin operator must be the first term.
func NewExpr ¶ added in v0.2.1
func NewExpr(terms interface{}) *Expr
NewExpr returns a new Expr object.
func ParseExpr ¶ added in v0.2.0
ParseExpr returns exactly one expression. If multiple expressions are parsed, an error is returned.
func (*Expr) Compare ¶ added in v0.2.0
Compare returns an integer indicating whether expr is less than, equal to, or greater than other.
Expressions are compared as follows:
1. Preceding expression (by Index) is always less than the other expression. 2. Non-negated expressions are always less than than negated expressions. 3. Single term expressions are always less than built-in expressions.
Otherwise, the expression terms are compared normally. If both expressions have the same terms, the modifiers are compared.
func (*Expr) Complement ¶
Complement returns a copy of this expression with the negation flag flipped.
func (*Expr) IncludeWith ¶ added in v0.4.1
IncludeWith returns a copy of expr with the with modifier appended.
func (*Expr) IsEquality ¶
IsEquality returns true if this is an equality expression.
func (*Expr) NoWith ¶ added in v0.4.1
NoWith returns a copy of expr where the with modifier has been removed.
func (*Expr) OutputVars ¶
OutputVars returns a VarSet containing variables that would be bound by evaluating this expression.
func (*Expr) UnmarshalJSON ¶
UnmarshalJSON parses the byte array and stores the result in expr.
func (*Expr) Vars ¶
func (expr *Expr) Vars(params VarVisitorParams) VarSet
Vars returns a VarSet containing variables in expr. The params can be set to control which vars are included.
type GenericTransformer ¶ added in v0.2.0
type GenericTransformer struct {
// contains filtered or unexported fields
}
GenericTransformer implements the Transformer interface to provide a utility to transform AST nodes using a closure.
func (*GenericTransformer) Transform ¶ added in v0.2.0
func (t *GenericTransformer) Transform(x interface{}) (interface{}, error)
Transform calls the function f on the GenericTransformer.
type GenericVisitor ¶
type GenericVisitor struct {
// contains filtered or unexported fields
}
GenericVisitor implements the Visitor interface to provide a utility to walk over AST nodes using a closure. If the closure returns true, the visitor will not walk over AST nodes under x.
func NewGenericVisitor ¶ added in v0.4.1
func NewGenericVisitor(f func(x interface{}) bool) *GenericVisitor
NewGenericVisitor returns a new GenericVisitor that will invoke the function f on AST nodes.
func (*GenericVisitor) Visit ¶
func (vis *GenericVisitor) Visit(x interface{}) Visitor
Visit calls the function f on the GenericVisitor.
type Head ¶ added in v0.2.0
type Head struct { Location *Location `json:"-"` Name Var `json:"name"` Key *Term `json:"key,omitempty"` Value *Term `json:"value,omitempty"` }
Head represents the head of a rule.
func NewHead ¶ added in v0.4.1
NewHead returns a new Head object. If args are provided, the first will be used for the key and the second will be used for the value.
func (*Head) Compare ¶ added in v0.4.1
Compare returns an integer indicating whether head is less than, equal to, or greater than other.
type Import ¶
type Import struct { Location *Location `json:"-"` Path *Term `json:"path"` Alias Var `json:"alias,omitempty"` }
Import represents a dependency on a document outside of the policy namespace. Imports are optional.
func MustParseImports ¶ added in v0.2.2
MustParseImports returns a slice of imports. If an error occurs during parsing, panic.
func ParseImports ¶ added in v0.2.2
ParseImports returns a slice of Import objects.
func (*Import) Compare ¶ added in v0.2.0
Compare returns an integer indicating whether imp is less than, equal to, or greater than other.
type Location ¶
type Location struct { Text []byte `json:"-"` // The original text fragment from the source. File string `json:"file"` // The name of the source file (which may be empty). Row int `json:"row"` // The line in the source. Col int `json:"col"` // The column in the row. }
Location records a position in source code
func NewLocation ¶
NewLocation returns a new Location object.
func (*Location) Errorf ¶
Errorf returns a new error value with a message formatted to include the location info (e.g., line, column, filename, etc.)
type Module ¶
type Module struct { Package *Package `json:"package"` Imports []*Import `json:"imports,omitempty"` Rules []*Rule `json:"rules,omitempty"` }
Module represents a collection of policies (defined by rules) within a namespace (defined by the package) and optional dependencies on external documents (defined by imports).
func MustParseModule ¶
MustParseModule returns a parsed module. If an error occurs during parsing, panic.
func ParseModule ¶
ParseModule returns a parsed Module object. For details on Module objects and their fields, see policy.go. Empty input will return nil, nil.
func (*Module) Compare ¶ added in v0.2.0
Compare returns an integer indicating whether mod is less than, equal to, or greater than other.
type ModuleLoader ¶ added in v0.3.0
ModuleLoader defines the interface that callers can implement to enable lazy loading of modules during compilation.
type ModuleTreeNode ¶
type ModuleTreeNode struct { Key Value Modules []*Module Children map[Value]*ModuleTreeNode Hide bool }
ModuleTreeNode represents a node in the module tree. The module tree is keyed by the package path.
func NewModuleTree ¶
func NewModuleTree(mods map[string]*Module) *ModuleTreeNode
NewModuleTree returns a new ModuleTreeNode that represents the root of the module tree populated with the given modules.
func (*ModuleTreeNode) DepthFirst ¶ added in v0.2.2
func (n *ModuleTreeNode) DepthFirst(f func(node *ModuleTreeNode) bool)
DepthFirst performs a depth-first traversal of the module tree rooted at n. If f returns true, traversal will not continue to the children of n.
func (*ModuleTreeNode) Size ¶
func (n *ModuleTreeNode) Size() int
Size returns the number of modules in the tree.
type Null ¶
type Null struct{}
Null represents the null value defined by JSON.
type Number ¶
Number represents a numeric value as defined by JSON.
func (Number) MarshalJSON ¶ added in v0.3.0
MarshalJSON returns JSON encoded bytes representing num.
type Object ¶
type Object [][2]*Term
Object represents an object as defined by the language. Objects are similar to the same types as defined by JSON with the exception that they can contain Vars and References.
func (Object) Diff ¶
Diff returns a new Object that contains only the key/value pairs that exist in obj.
func (Object) Intersect ¶
Intersect returns a slice of term triplets that represent the intersection of keys between obj and other. For each intersecting key, the values from obj and other are included as the last two terms in the triplet (respectively).
func (Object) MarshalJSON ¶ added in v0.3.0
MarshalJSON returns JSON encoded bytes representing obj.
func (Object) Merge ¶
Merge returns a new Object containing the non-overlapping keys of obj and other. If there are overlapping keys between obj and other, the values of associated with the keys are merged. Only objects can be merged with other objects. If the values cannot be merged, the second turn value will be false.
type Option ¶
type Option func(*parser) Option
Option is a function that can set an option on the parser. It returns the previous setting as an Option.
func Debug ¶
Debug creates an Option to set the debug flag to b. When set to true, debugging information is printed to stdout while parsing.
The default is false.
func Memoize ¶
Memoize creates an Option to set the memoize flag to b. When set to true, the parser will cache all results so each expression is evaluated only once. This guarantees linear parsing time even for pathological cases, at the expense of more memory and slower times for typical cases.
The default is false.
type Package ¶
Package represents the namespace of the documents produced by rules inside the module.
func MustParsePackage ¶ added in v0.2.2
MustParsePackage returns a Package. If an error occurs during parsing, panic.
func ParsePackage ¶ added in v0.2.2
ParsePackage returns exactly one Package. If multiple statements are parsed, an error is returned.
func (*Package) Compare ¶ added in v0.2.0
Compare returns an integer indicating whether pkg is less than, equal to, or greater than other.
type QueryCompiler ¶ added in v0.2.2
type QueryCompiler interface { // Compile should be called to compile ad-hoc queries. The return value is // the compiled version of the query. Compile(q Body) (Body, error) // WithContext sets the QueryContext on the QueryCompiler. Subsequent calls // to Compile will take the QueryContext into account. WithContext(qctx *QueryContext) QueryCompiler }
QueryCompiler defines the interface for compiling ad-hoc queries.
type QueryContext ¶ added in v0.2.2
QueryContext contains contextual information for running an ad-hoc query.
Ad-hoc queries can be run in the context of a package and imports may be included to provide concise access to data.
func NewQueryContext ¶ added in v0.2.2
func NewQueryContext() *QueryContext
NewQueryContext returns a new QueryContext object.
func (*QueryContext) Copy ¶ added in v0.2.2
func (qc *QueryContext) Copy() *QueryContext
Copy returns a deep copy of qc.
func (*QueryContext) InputDefined ¶ added in v0.4.1
func (qc *QueryContext) InputDefined() bool
InputDefined returns true if the input document is defined in qc.
func (*QueryContext) WithImports ¶ added in v0.4.0
func (qc *QueryContext) WithImports(imports []*Import) *QueryContext
WithImports sets the imports on qc.
func (*QueryContext) WithInput ¶ added in v0.4.0
func (qc *QueryContext) WithInput(input Value) *QueryContext
WithInput sets the input on qc.
func (*QueryContext) WithPackage ¶ added in v0.4.0
func (qc *QueryContext) WithPackage(pkg *Package) *QueryContext
WithPackage sets the pkg on qc.
type QueryIterator ¶
QueryIterator defines the interface for querying AST documents with references.
type Ref ¶
type Ref []*Term
Ref represents a reference as defined by the language.
func MustParseRef ¶
MustParseRef returns a parsed reference. If an error occurs during parsing, panic.
func (Ref) Extend ¶ added in v0.3.0
Extend returns a copy of ref with the terms from other appended. The head of other will be converted to a string.
func (Ref) GroundPrefix ¶ added in v0.2.0
GroundPrefix returns the ground portion of the ref starting from the head. By definition, the head of the reference is always ground.
func (Ref) HasPrefix ¶ added in v0.2.0
HasPrefix returns true if the other ref is a prefix of this ref.
func (Ref) OutputVars ¶
OutputVars returns a VarSet containing variables that would be bound by evaluating
this expression in isolation.
type Rule ¶
type Rule struct { Default bool `json:"default,omitempty"` Head *Head `json:"head"` Body Body `json:"body"` }
Rule represents a rule as defined in the language. Rules define the content of documents that represent policy decisions.
func MustParseRule ¶
MustParseRule returns a parsed rule. If an error occurs during parsing, panic.
func ParseRule ¶
ParseRule returns exactly one rule. If multiple rules are parsed, an error is returned.
func ParseRuleFromBody ¶ added in v0.3.0
ParseRuleFromBody attempts to return a rule from a body. Equality expressions of the form <var> = <term> can be converted into rules of the form <var> = <term> { true }. This is a concise way of defining constants inside modules.
func (*Rule) Compare ¶ added in v0.2.0
Compare returns an integer indicating whether rule is less than, equal to, or greater than other.
type RuleTreeNode ¶ added in v0.2.0
type RuleTreeNode struct { Key Value Rules []*Rule Children map[Value]*RuleTreeNode Hide bool }
RuleTreeNode represents a node in the rule tree. The rule tree is keyed by rule path.
func NewRuleTree ¶ added in v0.2.0
func NewRuleTree(mtree *ModuleTreeNode) *RuleTreeNode
NewRuleTree returns a new RuleTreeNode that represents the root of the rule tree populated with the given rules.
func (*RuleTreeNode) Child ¶ added in v0.4.3
func (n *RuleTreeNode) Child(k Value) *RuleTreeNode
Child returns n's child with key k.
func (*RuleTreeNode) DepthFirst ¶ added in v0.2.2
func (n *RuleTreeNode) DepthFirst(f func(node *RuleTreeNode) bool)
DepthFirst performs a depth-first traversal of the rule tree rooted at n. If f returns true, traversal will not continue to the children of n.
func (*RuleTreeNode) Size ¶ added in v0.2.0
func (n *RuleTreeNode) Size() int
Size returns the number of rules in the tree.
type Set ¶ added in v0.2.0
type Set []*Term
Set represents a set as defined by the language.
func (*Set) Intersect ¶ added in v0.4.2
Intersect returns the set containing elements in both s and other.
func (*Set) Iter ¶ added in v0.4.0
Iter calls f on each element in s. If f returns true, iteration stops and the return value is true.
type Statement ¶
type Statement interface {
Loc() *Location
}
Statement represents a single statement in a policy module.
func MustParseStatement ¶
MustParseStatement returns exactly one statement. If an error occurs during parsing, panic.
func MustParseStatements ¶
MustParseStatements returns a slice of parsed statements. If an error occurs during parsing, panic.
func ParseStatement ¶
ParseStatement returns exactly one statement. A statement might be a term, expression, rule, etc. Regardless, this function expects *exactly* one statement. If multiple statements are parsed, an error is returned.
func ParseStatements ¶
ParseStatements returns a slice of parsed statements. This is the default return value from the parser.
type String ¶
type String string
String represents a string value as defined by JSON.
type Term ¶
type Term struct { Value Value `json:"value"` // the value of the Term as represented in Go Location *Location `json:"-"` // the location of the Term in the source }
Term is an argument to a function.
func ArrayComprehensionTerm ¶
ArrayComprehensionTerm creates a new Term with an ArrayComprehension value.
func BooleanTerm ¶
BooleanTerm creates a new Term with a Boolean value.
func FloatNumberTerm ¶ added in v0.3.0
FloatNumberTerm creates a new Term with a floating point Number value.
func IntNumberTerm ¶ added in v0.3.0
IntNumberTerm creates a new Term with an integer Number value.
func Item ¶
Item is a helper for constructing an tuple containing two Terms representing a key/value pair in an Object.
func MustParseTerm ¶
MustParseTerm returns a parsed term. If an error occurs during parsing, panic.
func NumberTerm ¶
NumberTerm creates a new Term with a Number value.
func ObjectTerm ¶
ObjectTerm creates a new Term with an Object value.
func ParseTerm ¶
ParseTerm returns exactly one term. If multiple terms are parsed, an error is returned.
func StringTerm ¶
StringTerm creates a new Term with a String value.
func (*Term) Equal ¶
Equal returns true if this term equals the other term. Equality is defined for each kind of term.
func (*Term) MarshalJSON ¶
MarshalJSON returns the JSON encoding of the term.
Specialized marshalling logic is required to include a type hint for Value.
func (*Term) UnmarshalJSON ¶
UnmarshalJSON parses the byte array and stores the result in term. Specialized unmarshalling is required to handle Value.
type Transformer ¶ added in v0.2.0
type Transformer interface {
Transform(v interface{}) (interface{}, error)
}
Transformer defines the interface for transforming AST elements. If the transformer returns nil and does not indicate an error, the AST element will be set to nil and no transformations will be applied to children of the element.
type Value ¶
type Value interface { Equal(other Value) bool // Equal returns true if this value equals the other value. Find(path []string) (Value, error) // Find returns value referred or an error if path is not found. Hash() int // Returns hash code of the value. IsGround() bool // IsGround returns true if this value is not a variable or contains no variables. String() string // String returns a human readable string representation of the value. }
Value declares the common interface for all Term values. Every kind of Term value in the language is represented as a type that implements this interface:
- Null, Boolean, Number, String - Object, Array, Set - Variables, References - Array Comprehensions
func InterfaceToValue ¶
InterfaceToValue converts a native Go value x to a Value.
func MustInterfaceToValue ¶ added in v0.4.5
func MustInterfaceToValue(x interface{}) Value
MustInterfaceToValue converts a native Go value x to a Value. If the conversion fails, this function will panic. This function is mostly for test purposes.
type ValueMap ¶ added in v0.2.0
type ValueMap struct {
// contains filtered or unexported fields
}
ValueMap represents a key/value map between AST term values. Any type of term can be used as a key in the map.
func (*ValueMap) Iter ¶ added in v0.2.0
Iter calls the iter function for each key/value pair in the map. If the iter function returns true, iteration stops.
type Var ¶
type Var string
Var represents a variable as defined by the language.
func (Var) Equal ¶
Equal returns true if the other Value is a Variable and has the same value (name).
func (Var) IsWildcard ¶ added in v0.2.0
IsWildcard returns true if this is a wildcard variable.
type VarSet ¶
type VarSet map[Var]struct{}
VarSet represents a set of variables.
func Unify ¶
Unify returns a set of variables that will be unified when the equality expression defined by terms a and b is evaluated. The unifier assumes that variables in the VarSet safe are already unified.
func (VarSet) Equal ¶ added in v0.2.1
Equal returns true if s contains exactly the same elements as vs.
type VarVisitor ¶ added in v0.3.0
type VarVisitor struct {
// contains filtered or unexported fields
}
VarVisitor walks AST nodes under a given node and collects all encountered variables. The collected variables can be controlled by specifying VarVisitorParams when creating the visitor.
func NewVarVisitor ¶ added in v0.3.0
func NewVarVisitor() *VarVisitor
NewVarVisitor returns a new VarVisitor object.
func (*VarVisitor) Vars ¶ added in v0.3.0
func (vis *VarVisitor) Vars() VarSet
Vars returns a VarSet that contains collected vars.
func (*VarVisitor) Visit ¶ added in v0.3.0
func (vis *VarVisitor) Visit(v interface{}) Visitor
Visit is called to walk the AST node v.
func (*VarVisitor) WithParams ¶ added in v0.3.0
func (vis *VarVisitor) WithParams(params VarVisitorParams) *VarVisitor
WithParams sets the parameters in params on vis.
type VarVisitorParams ¶ added in v0.3.0
type VarVisitorParams struct { SkipRefHead bool SkipObjectKeys bool SkipClosures bool SkipBuiltinOperators bool SkipWithTarget bool }
VarVisitorParams contains settings for a VarVisitor.
type Visitor ¶
type Visitor interface {
Visit(v interface{}) (w Visitor)
}
Visitor defines the interface for iterating AST elements. The Visit function can return a Visitor w which will be used to visit the children of the AST element v. If the Visit function returns nil, the children will not be visited.
type With ¶ added in v0.4.1
type With struct { Location *Location `json:"-"` Target *Term `json:"target"` Value *Term `json:"value"` }
With represents a modifier on an expression.
func (*With) Compare ¶ added in v0.4.1
Compare returns an integer indicating whether w is less than, equal to, or greater than other.