Assignment and Equality
# assign variable x to value of field foo.bar.baz in input
x := input.foo.bar.baz
# check if variable x has same value as variable y
x == y
# check if variable x is a set containing "foo" and "bar"
x == {"foo", "bar"}
# OR
{"foo", "bar"} == x
Lookup
Arrays
# lookup value at index 0
val := arr[0]
# check if value at index 0 is "foo"
"foo" == arr[0]
# find all indices i that have value "foo"
"foo" == arr[i]
# lookup last value
val := arr[count(arr)-1]
# with `import rego.v1` or `import future.keywords.in`
some 0, val in arr # lookup value at index 0
0, "foo" in arr # check if value at index 0 is "foo"
some i, "foo" in arr # find all indices i that have value "foo"
Objects
# lookup value for key "foo"
val := obj["foo"]
# check if value for key "foo" is "bar"
"bar" == obj["foo"]
# OR
"bar" == obj.foo
# check if key "foo" exists and is not false
obj.foo
# check if key assigned to variable k exists
k := "foo"
obj[k]
# check if path foo.bar.baz exists and is not false
obj.foo.bar.baz
# check if path foo.bar.baz, foo.bar, or foo does not exist or is false
not obj.foo.bar.baz
# with `import rego.v1` or `import future.keywords.in`
o := {"foo": false}
# check if value exists: the expression will be true
false in o
# check if value for key "foo" is false
"foo", false in o
Sets
# check if "foo" belongs to the set
a_set["foo"]
# check if "foo" DOES NOT belong to the set
not a_set["foo"]
# check if the array ["a", "b", "c"] belongs to the set
a_set[["a", "b", "c"]]
# find all arrays of the form [x, "b", z] in the set
a_set[[x, "b", z]]
# with `import rego.v1` or `import future.keywords.in`
"foo" in a_set
not "foo" in a_set
some ["a", "b", "c"] in a_set
some [x, "b", z] in a_set
Iteration
Arrays
# iterate over indices i
arr[i]
# iterate over values
val := arr[_]
# iterate over index/value pairs
val := arr[i]
# with `import rego.v1` or `import future.keywords.in`
some val in arr # iterate over values
some i, _ in arr # iterate over indices
some i, val in arr # iterate over index/value pairs
Objects
# iterate over keys
obj[key]
# iterate over values
val := obj[_]
# iterate over key/value pairs
val := obj[key]
# with `import rego.v1` or `import future.keywords.in`
some val in obj # iterate over values
some key, _ in obj # iterate over keys
some key, val in obj # key/value pairs
Sets
# iterate over values
set[val]
# with `import rego.v1` or `import future.keywords.in`
some val in set
Advanced
# nested: find key k whose bar.baz array index i is 7
foo[k].bar.baz[i] == 7
# simultaneous: find keys in objects foo and bar with same value
foo[k1] == bar[k2]
# simultaneous self: find 2 keys in object foo with same value
foo[k1] == foo[k2]; k1 != k2
# multiple conditions: k has same value in both conditions
foo[k].bar.baz[i] == 7; foo[k].qux > 3
For All
# assert no values in set match predicate
count({x | set[x]; f(x)}) == 0
# assert all values in set make function f true
count({x | set[x]; f(x)}) == count(set)
# assert no values in set make function f true (using negation and helper rule)
not any_match
# assert all values in set make function f true (using negation and helper rule)
not any_not_match
# with `import rego.v1`, or `import future.keywords.in` and `import future.keywords.if`
any_match if {
some x in set
f(x)
}
any_not_match if {
some x in set
not f(x)
}
Rules
In the examples below ...
represents one or more conditions.
Constants
a := {1, 2, 3}
b := {4, 5, 6}
c := a | b
Conditionals (Boolean)
# p is true if ...
p := true { ... }
# OR
# with `import rego.v1` or `import future.keywords.if`
p if { ... }
# OR
p { ... }
Conditionals
# with `import rego.v1` or `import future.keywords.if`
default a := 1
a := 5 if { ... }
a := 100 if { ... }
Incremental
# a_set will contain values of x and values of y
a_set[x] { ... }
a_set[y] { ... }
# alternatively, with `import rego.v1`, or `import future.keywords.contains` and `import future.keywords.if`
a_set contains x if { ... }
a_set contains y if { ... }
# a_map will contain key->value pairs x->y and w->z
a_map[x] := y if { ... }
a_map[w] := z if { ... }
Ordered (Else)
# with `import rego.v1` or `import future.keywords.if`
default a := 1
a := 5 if { ... }
else := 10 if { ... }
Functions (Boolean)
# with `import rego.v1` or `import future.keywords.if`
f(x, y) if {
...
}
# OR
f(x, y) := true if {
...
}
Functions (Conditionals)
# with `import rego.v1` or `import future.keywords.if`
f(x) := "A" if { x >= 90 }
f(x) := "B" if { x >= 80; x < 90 }
f(x) := "C" if { x >= 70; x < 80 }
Reference Heads
# with `import rego.v1`, or `import future.keywords.contains` and `import future.keywords.if`
fruit.apple.seeds = 12 if input == "apple" # complete document (single value rule)
fruit.pineapple.colors contains x if x := "yellow" # multi-value rule
fruit.banana.phone[x] = "bananular" if x := "cellular" # single value rule
fruit.banana.phone.cellular = "bananular" if true # equivalent single value rule
fruit.orange.color(x) = true if x == "orange" # function
For reasons of backwards-compatibility, partial sets need to use contains
in
their rule heads, i.e.
fruit.box contains "apples" if true
whereas
fruit.box[x] if { x := "apples" }
defines a complete document rule fruit.box.apples
with value true
.
The same is the case of rules with brackets that don’t contain dots, like
box[x] if { x := "apples" } # => {"box": {"apples": true }}
box2[x] { x := "apples" } # => {"box": ["apples"]}
For backwards-compatibility, rules without if and without dots will be interpreted
as defining partial sets, like box2
.
Tests
# define a rule that starts with test_
test_NAME { ... }
# override input.foo value using the 'with' keyword
data.foo.bar.deny with input.foo as {"bar": [1,2,3]}}
Built-in Functions
The built-in functions for the language provide basic operations to manipulate scalar values (e.g. numbers and strings), and aggregate functions that summarize complex types.
Comparison
x == y |
x (any) y (any) result (boolean) true if x is equal to y ; false otherwise | |
---|---|---|
x > y |
x (any) y (any) result (boolean) true if x is greater than y ; false otherwise | |
x >= y |
x (any) y (any) result (boolean) true if x is greater or equal to y ; false otherwise | |
x < y |
x (any) y (any) result (boolean) true if x is less than y ; false otherwise | |
x <= y |
x (any) y (any) result (boolean) true if x is less than or equal to y ; false otherwise | |
x != y |
x (any) y (any) result (boolean) true if x is not equal to y ; false otherwise |
Numbers
abs |
Returns the number without its sign. x (number) y (number) the absolute value of x | |
---|---|---|
ceil |
Rounds the number up to the nearest integer. x (number) the number to round y (number) the result of rounding x up | |
x / y |
Divides the first number by the second number. x (number) the dividend y (number) the divisor z (number) the result of x divided by y | |
floor |
Rounds the number down to the nearest integer. x (number) the number to round y (number) the result of rounding x down | |
x - y |
Minus subtracts the second number from the first number or computes the difference between two sets. x (any<number, set[any]>) y (any<number, set[any]>) z (any<number, set[any]>) the difference of x and y | |
x * y |
Multiplies two numbers. x (number) y (number) z (number) the product of x and y | |
numbers.range |
Returns an array of numbers in the given (inclusive) range. If a (number) b (number) range (array[number]) the range between a and b | |
numbers.range_step |
Returns an array of numbers in the given (inclusive) range incremented by a positive step. If “a==b”, then “range == [a]”; if “a > b”, then “range” is in descending order. If the provided “step” is less then 1, an error will be thrown. If “b” is not in the range of the provided “step”, “b” won’t be included in the result. a (number) b (number) step (number) range (array[number]) the range between a and b in step increments | |
x + y |
Plus adds two numbers together. x (number) y (number) z (number) the sum of x and y | |
rand.intn |
Returns a random integer between str (string) n (number) y (number) random integer in the range [0, abs(n)) | |
x % y |
Returns the remainder for of x (number) y (number) z (number) the remainder | |
round |
Rounds the number to the nearest integer. x (number) the number to round y (number) the result of rounding x |
Aggregates
count |
Count takes a collection or string and returns the number of elements (or characters) in it. collection (any<string, array[any], object[any: any], set[any]>) the set/array/object/string to be counted n (number) the count of elements, key/val pairs, or characters, respectively. | |
---|---|---|
max |
Returns the maximum value in a collection. collection (any<array[any], set[any]>) n (any) the maximum of all elements | |
min |
Returns the minimum value in a collection. collection (any<array[any], set[any]>) n (any) the minimum of all elements | |
product |
Muliplies elements of an array or set of numbers collection (any<array[number], set[number]>) n (number) the product of all elements | |
sort |
Returns a sorted array. collection (any<array[any], set[any]>) the array or set to be sorted n (array[any]) the sorted array | |
sum |
Sums elements of an array or set of numbers. collection (any<array[number], set[number]>) n (number) the sum of all elements |
Arrays
array.concat |
Concatenates two arrays. x (array[any]) y (array[any]) z (array[any]) the concatenation of x and y | |
---|---|---|
array.reverse |
Returns the reverse of a given array. arr (array[any]) the array to be reversed rev (array[any]) an array containing the elements of arr in reverse order | |
array.slice |
Returns a slice of a given array. If arr (array[any]) the array to be sliced start (number) the start index of the returned slice; if less than zero, it’s clamped to 0 stop (number) the stop index of the returned slice; if larger than count(arr) , it’s clamped to count(arr) slice (array[any]) the subslice of array , from start to end , including arr[start] , but excluding arr[end] |
Sets
x & y |
Returns the intersection of two sets. x (set[any]) y (set[any]) z (set[any]) the intersection of x and y | |
---|---|---|
intersection |
Returns the intersection of the given input sets. xs (set[set[any]]) set of sets to intersect y (set[any]) the intersection of all xs sets | |
x - y |
Minus subtracts the second number from the first number or computes the difference between two sets. x (any<number, set[any]>) y (any<number, set[any]>) z (any<number, set[any]>) the difference of x and y | |
x | y |
Returns the union of two sets. x (set[any]) y (set[any]) z (set[any]) the union of x and y | |
union |
Returns the union of the given input sets. xs (set[set[any]]) set of sets to merge y (set[any]) the union of all xs sets |
Objects
json.filter |
Filters the object. For example: object (object[any: any]) paths (any<array[any<string, array[any]>], set[any<string, array[any]>]>) JSON string paths filtered (any) remaining data from object with only keys specified in paths | |
---|---|---|
json.match_schema |
Checks that the document matches the JSON schema. document (any<string, object[any: any]>) document to verify by schema schema (any<string, object[any: any]>) schema to verify document by output (array<boolean, array[object<desc: string, error: string, field: string, type: string>]>) output is of the form [match, errors] . If the document is valid given the schema, then match is true , and errors is an empty array. Otherwise, match is false and errors is an array of objects describing the error(s). | |
json.patch |
Patches an object according to RFC6902. For example: object (any) patches (array[object<op: string, path: any>[any: any]]) output (any) result obtained after consecutively applying all patch operations in patches | |
json.remove |
Removes paths from an object. For example: object (object[any: any]) paths (any<array[any<string, array[any]>], set[any<string, array[any]>]>) JSON string paths output (any) result of removing all keys specified in paths | |
json.verify_schema |
Checks that the input is a valid JSON schema object. The schema can be either a JSON string or an JSON object. schema (any<string, object[any: any]>) the schema to verify output (array<boolean, any<null, string>>) output is of the form [valid, error] . If the schema is valid, then valid is true , and error is null . Otherwise, valid is false and error is a string describing the error. | |
object.filter |
Filters the object by keeping only specified keys. For example: object (object[any: any]) object to filter keys keys (any<array[any], object[any: any], set[any]>) filtered (any) remaining data from object with only keys specified in keys | |
object.get |
Returns value of an object’s key if present, otherwise a default. If the supplied object (object[any: any]) object to get key fromkey (any) key to lookup in object default (any) default to use when lookup fails value (any) object[key] if present, otherwise default | |
object.keys |
Returns a set of an object’s keys. For example: object (object[any: any]) object to get keys from value (set[any]) set of object ’s keys | |
object.remove |
Removes specified keys from an object. object (object[any: any]) object to remove keys from keys (any<array[any], object[any: any], set[any]>) keys to remove from x output (any) result of removing the specified keys from object | |
object.subset |
Determines if an object super (any<array[any], object[any: any], set[any]>) object to test if sub is a subset of sub (any<array[any], object[any: any], set[any]>) object to test if super is a superset of result (any) true if sub is a subset of super | |
object.union |
Creates a new object of the asymmetric union of two objects. For example: a (object[any: any]) b (object[any: any]) output (any) a new object which is the result of an asymmetric recursive union of two objects where conflicts are resolved by choosing the key from the right-hand object b | |
object.union_n |
Creates a new object that is the asymmetric union of all objects merged from left to right. For example: objects (array[object[any: any]]) output (any) asymmetric recursive union of all objects in objects , merged from left to right, where conflicts are resolved by choosing the key from the right-hand object |
When
keys
are provided as an object only the top level keys on the object will be used, values are ignored. For example:object.remove({"a": {"b": {"c": 2}}, "x": 123}, {"a": 1}) == {"x": 123}
regardless of the value for keya
in the keys object, the followingkeys
object gives the same resultobject.remove({"a": {"b": {"c": 2}}, "x": 123}, {"a": {"b": {"foo": "bar"}}}) == {"x": 123}
.The
json
stringpaths
may reference into array values by using index numbers. For example with the object{"a": ["x", "y", "z"]}
the patha/1
referencesy
. Nested structures are supported as well, for example:{"a": ["x", {"y": {"y1": {"y2": ["foo", "bar"]}}}, "z"]}
the patha/1/y1/y2/0
references"foo"
.The
json
stringpaths
support~0
, or~1
characters for~
and/
characters in key names. It does not support-
for last index of an array. For example the path/foo~1bar~0
will referencebaz
in{ "foo/bar~": "baz" }
.The
json
stringpaths
may be an array of string path segments rather than a/
separated string. For example the patha/b/c
can be passed in as["a", "b", "c"]
.
Strings
concat |
Joins a set or array of strings with a delimiter. delimiter (string) collection (any<array[string], set[string]>) strings to join output (string) | |
---|---|---|
contains |
Returns haystack (string) string to search in needle (string) substring to look for result (boolean) result of the containment check | |
endswith |
Returns true if the search string ends with the base string. search (string) search string base (string) base string result (boolean) result of the suffix check | |
format_int |
Returns the string representation of the number in the given base after rounding it down to an integer value. number (number) number to format base (number) base of number representation to use output (string) formatted number | |
indexof |
Returns the index of a substring contained inside a string. haystack (string) string to search in needle (string) substring to look for output (number) index of first occurrence, -1 if not found | |
indexof_n |
Returns a list of all the indexes of a substring contained inside a string. haystack (string) string to search in needle (string) substring to look for output (array[number]) all indices at which needle occurs in haystack , may be empty | |
lower |
Returns the input string but with all characters in lower-case. x (string) string that is converted to lower-case y (string) lower-case of x | |
replace |
Replace replaces all instances of a sub-string. x (string) string being processed old (string) substring to replace new (string) string to replace old withy (string) string with replaced substrings | |
split |
Split returns an array containing elements of the input string split on a delimiter. x (string) string that is split delimiter (string) delimiter used for splitting ys (array[string]) splitted parts | |
sprintf |
Returns the given string, formatted. format (string) string with formatting verbs values (array[any]) arguments to format into formatting verbs output (string) format formatted by the values in values | |
startswith |
Returns true if the search string begins with the base string. search (string) search string base (string) base string result (boolean) result of the prefix check | |
strings.any_prefix_match |
Returns true if any of the search strings begins with any of the base strings. search (any<string, array[string], set[string]>) search string(s) base (any<string, array[string], set[string]>) base string(s) result (boolean) result of the prefix check | |
strings.any_suffix_match |
Returns true if any of the search strings ends with any of the base strings. search (any<string, array[string], set[string]>) search string(s) base (any<string, array[string], set[string]>) base string(s) result (boolean) result of the suffix check | |
strings.render_template |
Renders a templated string with given template variables injected. For a given templated string and key/value mapping, values will be injected into the template where they are referenced by key. For examples of templating syntax, see https://pkg.go.dev/text/template value (string) a templated string vars (object[string: any]) a mapping of template variable keys to values result (string) rendered template with template variables injected | |
strings.replace_n |
Replaces a string from a list of old, new string pairs. Replacements are performed in the order they appear in the target string, without overlapping matches. The old string comparisons are done in argument order. patterns (object[string: string]) replacement pairs value (string) string to replace substring matches in output (string) | |
strings.reverse |
Reverses a given string. x (string) y (string) | |
substring |
Returns the portion of a string for a given value (string) offset (number) offset, must be positive length (number) length of the substring starting from offset output (string) substring of value from offset , of length length | |
trim |
Returns value (string) string to trim cutset (string) string of characters that are cut off output (string) string trimmed of cutset characters | |
trim_left |
Returns value (string) string to trim cutset (string) string of characters that are cut off on the left output (string) string left-trimmed of cutset characters | |
trim_prefix |
Returns value (string) string to trim prefix (string) prefix to cut off output (string) string with prefix cut off | |
trim_right |
Returns value (string) string to trim cutset (string) string of characters that are cut off on the right output (string) string right-trimmed of cutset characters | |
trim_space |
Return the given string with all leading and trailing white space removed. value (string) string to trim output (string) string leading and trailing white space cut off | |
trim_suffix |
Returns value (string) string to trim suffix (string) suffix to cut off output (string) string with suffix cut off | |
upper |
Returns the input string but with all characters in upper-case. x (string) string that is converted to upper-case y (string) upper-case of x |
Regex
regex.find_all_string_submatch_n |
Returns all successive matches of the expression. pattern (string) regular expression value (string) string to match number (number) number of matches to return; -1 means all matchesoutput (array[array[string]]) | |
---|---|---|
regex.find_n |
Returns the specified number of matches when matching the input against the pattern. pattern (string) regular expression value (string) string to match number (number) number of matches to return, if -1 , returns all matchesoutput (array[string]) collected matches | |
regex.globs_match |
Checks if the intersection of two glob-style regular expressions matches a non-empty set of non-empty strings.
The set of regex symbols is limited for this builtin: only glob1 (string) glob2 (string) result (boolean) | |
regex.is_valid |
Checks if a string is a valid regular expression: the detailed syntax for patterns is defined by https://github.com/google/re2/wiki/Syntax. pattern (string) regular expression result (boolean) | |
regex.match |
Matches a string against a regular expression. pattern (string) regular expression value (string) value to match against pattern result (boolean) | |
regex.replace |
Find and replaces the text using the regular expression pattern. s (string) string being processed pattern (string) regex pattern to be applied value (string) regex value output (string) | |
regex.split |
Splits the input string by the occurrences of the given pattern. pattern (string) regular expression value (string) string to match output (array[string]) the parts obtained by splitting value | |
regex.template_match |
Matches a string against a pattern, where there pattern may be glob-like template (string) template expression containing 0..n regular expressionsvalue (string) string to match delimiter_start (string) start delimiter of the regular expression in template delimiter_end (string) end delimiter of the regular expression in template result (boolean) |
Glob
glob.match |
Parses and matches strings against the glob notation. Not to be confused with pattern (string) delimiters (any<null, array[string]>) glob pattern delimiters, e.g. [".", ":"] , defaults to ["."] if unset. If delimiters is null , glob match without delimiter.match (string) result (boolean) true if match can be found in pattern which is separated by delimiters | |
---|---|---|
glob.quote_meta |
Returns a string which represents a version of the pattern where all asterisks have been escaped. pattern (string) output (string) the escaped string of pattern |
The following table shows examples of how glob.match
works:
call | output | Description |
---|---|---|
output := glob.match("*.github.com", [], "api.github.com") | true | A glob with the default ["."] delimiter. |
output := glob.match("*.github.com", [], "api.cdn.github.com") | false | A glob with the default ["."] delimiter. |
output := glob.match("*hub.com", null, "api.cdn.github.com") | true | A glob without delimiter. |
output := glob.match("*:github:com", [":"], "api:github:com") | true | A glob with delimiters [":"] . |
output := glob.match("api.**.com", [], "api.github.com") | true | A super glob. |
output := glob.match("api.**.com", [], "api.cdn.github.com") | true | A super glob. |
output := glob.match("?at", [], "cat") | true | A glob with a single character wildcard. |
output := glob.match("?at", [], "at") | false | A glob with a single character wildcard. |
output := glob.match("[abc]at", [], "bat") | true | A glob with character-list matchers. |
output := glob.match("[abc]at", [], "cat") | true | A glob with character-list matchers. |
output := glob.match("[abc]at", [], "lat") | false | A glob with character-list matchers. |
output := glob.match("[!abc]at", [], "cat") | false | A glob with negated character-list matchers. |
output := glob.match("[!abc]at", [], "lat") | true | A glob with negated character-list matchers. |
output := glob.match("[a-c]at", [], "cat") | true | A glob with character-range matchers. |
output := glob.match("[a-c]at", [], "lat") | false | A glob with character-range matchers. |
output := glob.match("[!a-c]at", [], "cat") | false | A glob with negated character-range matchers. |
output := glob.match("[!a-c]at", [], "lat") | true | A glob with negated character-range matchers. |
output := glob.match("{cat,bat,[fr]at}", [], "cat") | true | A glob with pattern-alternatives matchers. |
output := glob.match("{cat,bat,[fr]at}", [], "bat") | true | A glob with pattern-alternatives matchers. |
output := glob.match("{cat,bat,[fr]at}", [], "rat") | true | A glob with pattern-alternatives matchers. |
output := glob.match("{cat,bat,[fr]at}", [], "at") | false | A glob with pattern-alternatives matchers. |
Bitwise
bits.and |
Returns the bitwise “AND” of two integers. x (number) y (number) z (number) | |
---|---|---|
bits.lsh |
Returns a new integer with its bits shifted x (number) s (number) z (number) | |
bits.negate |
Returns the bitwise negation (flip) of an integer. x (number) z (number) | |
bits.or |
Returns the bitwise “OR” of two integers. x (number) y (number) z (number) | |
bits.rsh |
Returns a new integer with its bits shifted x (number) s (number) z (number) | |
bits.xor |
Returns the bitwise “XOR” (exclusive-or) of two integers. x (number) y (number) z (number) |
Conversions
to_number |
Converts a string, bool, or number value to a number: Strings are converted to numbers using x (any<null, boolean, number, string>) num (number) |
---|
Units
units.parse |
Converts strings like “10G”, “5K”, “4M”, “1500m” and the like into a number. This number can be a non-integer, such as 1.5, 0.22, etc. Supports standard metric decimal and binary SI units (e.g., K, Ki, M, Mi, G, Gi etc.) m, K, M, G, T, P, and E are treated as decimal units and Ki, Mi, Gi, Ti, Pi, and Ei are treated as binary units. Note that ’m’ and ‘M’ are case-sensitive, to allow distinguishing between “milli” and “mega” units respectively. Other units are case-insensitive. x (string) the unit to parse y (number) the parsed number | |
---|---|---|
units.parse_bytes |
Converts strings like “10GB”, “5K”, “4mb” into an integer number of bytes. Supports standard byte units (e.g., KB, KiB, etc.) KB, MB, GB, and TB are treated as decimal units and KiB, MiB, GiB, and TiB are treated as binary units. The bytes symbol (b/B) in the unit is optional and omitting it wil give the same result (e.g. Mi and MiB). x (string) the byte unit to parse y (number) the parsed number |
Types
is_array |
Returns x (any) result (boolean) true if x is an array, false otherwise. | |
---|---|---|
is_boolean |
Returns x (any) result (boolean) true if x is an boolean, false otherwise. | |
is_null |
Returns x (any) result (boolean) true if x is null, false otherwise. | |
is_number |
Returns x (any) result (boolean) true if x is a number, false otherwise. | |
is_object |
Returns true if the input value is an object x (any) result (boolean) true if x is an object, false otherwise. | |
is_set |
Returns x (any) result (boolean) true if x is a set, false otherwise. | |
is_string |
Returns x (any) result (boolean) true if x is a string, false otherwise. | |
type_name |
Returns the type of its input value. x (any) type (string) one of “null”, “boolean”, “number”, “string”, “array”, “object”, “set” |
Encoding
base64.decode |
Deserializes the base64 encoded input string. x (string) y (string) base64 deserialization of x | |
---|---|---|
base64.encode |
Serializes the input string into base64 encoding. x (string) y (string) base64 serialization of x | |
base64.is_valid |
Verifies the input string is base64 encoded. x (string) result (boolean) true if x is valid base64 encoded value, false otherwise | |
base64url.decode |
Deserializes the base64url encoded input string. x (string) y (string) base64url deserialization of x | |
base64url.encode |
Serializes the input string into base64url encoding. x (string) y (string) base64url serialization of x | |
base64url.encode_no_pad |
Serializes the input string into base64url encoding without padding. x (string) y (string) base64url serialization of x | |
hex.decode |
Deserializes the hex-encoded input string. x (string) a hex-encoded string y (string) deseralized from x | |
hex.encode |
Serializes the input string using hex-encoding. x (string) y (string) serialization of x using hex-encoding | |
json.is_valid |
Verifies the input string is a valid JSON document. x (string) a JSON string result (boolean) true if x is valid JSON, false otherwise | |
json.marshal |
Serializes the input term to JSON. x (any) the term to serialize y (string) the JSON string representation of x | |
json.unmarshal |
Deserializes the input string. x (string) a JSON string y (any) the term deseralized from x | |
urlquery.decode |
Decodes a URL-encoded input string. x (string) y (string) URL-encoding deserialization of x | |
urlquery.decode_object |
Decodes the given URL query string into an object. x (string) the query string object (object[string: array[string]]) the resulting object | |
urlquery.encode |
Encodes the input string into a URL-encoded string. x (string) y (string) URL-encoding serialization of x | |
urlquery.encode_object |
Encodes the given object into a URL encoded query string. object (object[string: any<string, array[string], set[string]>]) y (string) the URL-encoded serialization of object | |
yaml.is_valid |
Verifies the input string is a valid YAML document. x (string) a YAML string result (boolean) true if x is valid YAML, false otherwise | |
yaml.marshal |
Serializes the input term to YAML. x (any) the term to serialize y (string) the YAML string representation of x | |
yaml.unmarshal |
Deserializes the input string. x (string) a YAML string y (any) the term deseralized from x |
Token Signing
io.jwt.encode_sign |
Encodes and optionally signs a JSON Web Token. Inputs are taken as objects, not encoded strings (see headers (object[string: any]) JWS Protected Header payload (object[string: any]) JWS Payload key (object[string: any]) JSON Web Key (RFC7517) output (string) signed JWT | |
---|---|---|
io.jwt.encode_sign_raw |
Encodes and optionally signs a JSON Web Token. headers (string) JWS Protected Header payload (string) JWS Payload key (string) JSON Web Key (RFC7517) output (string) signed JWT |
OPA provides two builtins that implement JSON Web Signature RFC7515 functionality.
io.jwt.encode_sign_raw()
takes three JSON Objects (strings) as parameters and returns their JWS Compact Serialization.
This builtin should be used by those that want maximum control over the signing and serialization procedure. It is
important to remember that StringOrURI values are compared as case-sensitive strings with no transformations or
canonicalizations applied. Therefore, line breaks and whitespaces are significant.
io.jwt.encode_sign()
takes three Rego Objects as parameters and returns their JWS Compact Serialization. This builtin
should be used by those that want to use rego objects for signing during policy evaluation.
The following algorithms are supported:
ES256 "ES256" // ECDSA using P-256 and SHA-256
ES384 "ES384" // ECDSA using P-384 and SHA-384
ES512 "ES512" // ECDSA using P-521 and SHA-512
HS256 "HS256" // HMAC using SHA-256
HS384 "HS384" // HMAC using SHA-384
HS512 "HS512" // HMAC using SHA-512
PS256 "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
PS384 "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
PS512 "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
RS256 "RS256" // RSASSA-PKCS-v1.5 using SHA-256
RS384 "RS384" // RSASSA-PKCS-v1.5 using SHA-384
RS512 "RS512" // RSASSA-PKCS-v1.5 using SHA-512
Token Signing Examples
Symmetric Key (HMAC with SHA-256)
io.jwt.encode_sign({
"typ": "JWT",
"alg": "HS256"
}, {
"iss": "joe",
"exp": 1300819380,
"aud": ["bob", "saul"],
"http://example.com/is_root": true,
"privateParams": {
"private_one": "one",
"private_two": "two"
}
}, {
"kty": "oct",
"k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"
})
"eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJhdWQiOiBbImJvYiIsICJzYXVsIl0sICJleHAiOiAxMzAwODE5MzgwLCAiaHR0cDovL2V4YW1wbGUuY29tL2lzX3Jvb3QiOiB0cnVlLCAiaXNzIjogImpvZSIsICJwcml2YXRlUGFyYW1zIjogeyJwcml2YXRlX29uZSI6ICJvbmUiLCAicHJpdmF0ZV90d28iOiAidHdvIn19.M10TcaFADr_JYAx7qJ71wktdyuN4IAnhWvVbgrZ5j_4"
Symmetric Key with empty JSON payload
io.jwt.encode_sign({
"typ": "JWT",
"alg": "HS256"},
{}, {
"kty": "oct",
"k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"
})
"eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.e30.Odp4A0Fj6NoKsV4Gyoy1NAmSs6KVZiC15S9VRGZyR20"
RSA Key (RSA Signature with SHA-256)
io.jwt.encode_sign({
"alg": "RS256"
}, {
"iss": "joe",
"exp": 1300819380,
"aud": ["bob", "saul"],
"http://example.com/is_root": true,
"privateParams": {
"private_one": "one",
"private_two": "two"
}
},
{
"kty": "RSA",
"n": "ofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd_wWJcyQoTbji9k0l8W26mPddxHmfHQp-Vaw-4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL-yRT-SFd2lZS-pCgNMsD1W_YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb_7OMg0LOL-bSf63kpaSHSXndS5z5rexMdbBYUsLA9e-KXBdQOS-UTo7WTBEMa2R2CapHg665xsmtdVMTBQY4uDZlxvb3qCo5ZwKh9kG4LT6_I5IhlJH7aGhyxXFvUK-DWNmoudF8NAco9_h9iaGNj8q2ethFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQ",
"e": "AQAB",
"d": "Eq5xpGnNCivDflJsRQBXHx1hdR1k6Ulwe2JZD50LpXyWPEAeP88vLNO97IjlA7_GQ5sLKMgvfTeXZx9SE-7YwVol2NXOoAJe46sui395IW_GO-pWJ1O0BkTGoVEn2bKVRUCgu-GjBVaYLU6f3l9kJfFNS3E0QbVdxzubSu3Mkqzjkn439X0M_V51gfpRLI9JYanrC4D4qAdGcopV_0ZHHzQlBjudU2QvXt4ehNYTCBr6XCLQUShb1juUO1ZdiYoFaFQT5Tw8bGUl_x_jTj3ccPDVZFD9pIuhLhBOneufuBiB4cS98l2SR_RQyGWSeWjnczT0QU91p1DhOVRuOopznQ",
"p": "4BzEEOtIpmVdVEZNCqS7baC4crd0pqnRH_5IB3jw3bcxGn6QLvnEtfdUdiYrqBdss1l58BQ3KhooKeQTa9AB0Hw_Py5PJdTJNPY8cQn7ouZ2KKDcmnPGBY5t7yLc1QlQ5xHdwW1VhvKn-nXqhJTBgIPgtldC-KDV5z-y2XDwGUc",
"q": "uQPEfgmVtjL0Uyyx88GZFF1fOunH3-7cepKmtH4pxhtCoHqpWmT8YAmZxaewHgHAjLYsp1ZSe7zFYHj7C6ul7TjeLQeZD_YwD66t62wDmpe_HlB-TnBA-njbglfIsRLtXlnDzQkv5dTltRJ11BKBBypeeF6689rjcJIDEz9RWdc",
"dp": "BwKfV3Akq5_MFZDFZCnW-wzl-CCo83WoZvnLQwCTeDv8uzluRSnm71I3QCLdhrqE2e9YkxvuxdBfpT_PI7Yz-FOKnu1R6HsJeDCjn12Sk3vmAktV2zb34MCdy7cpdTh_YVr7tss2u6vneTwrA86rZtu5Mbr1C1XsmvkxHQAdYo0",
"dq": "h_96-mK1R_7glhsum81dZxjTnYynPbZpHziZjeeHcXYsXaaMwkOlODsWa7I9xXDoRwbKgB719rrmI2oKr6N3Do9U0ajaHF-NKJnwgjMd2w9cjz3_-kyNlxAr2v4IKhGNpmM5iIgOS1VZnOZ68m6_pbLBSp3nssTdlqvd0tIiTHU",
"qi": "IYd7DHOhrWvxkwPQsRM2tOgrjbcrfvtQJipd-DlcxyVuuM9sQLdgjVk2oy26F0EmpScGLq2MowX7fhd_QJQ3ydy5cY7YIBi87w93IKLEdfnbJtoOPLUW0ITrJReOgo1cq9SbsxYawBgfp_gh6A5603k2-ZQwVK0JKSHuLFkuQ3U"
})
"eyJhbGciOiAiUlMyNTYifQ.eyJhdWQiOiBbImJvYiIsICJzYXVsIl0sICJleHAiOiAxMzAwODE5MzgwLCAiaHR0cDovL2V4YW1wbGUuY29tL2lzX3Jvb3QiOiB0cnVlLCAiaXNzIjogImpvZSIsICJwcml2YXRlUGFyYW1zIjogeyJwcml2YXRlX29uZSI6ICJvbmUiLCAicHJpdmF0ZV90d28iOiAidHdvIn19.ITpfhDICCeVV__1nHRN2CvUFni0yyYESvhNlt4ET0yiySMzJ5iySGynrsM3kgzAv7mVmx5uEtSCs_xPHyLVfVnADKmDFtkZfuvJ8jHfcOe8TUqR1f7j1Zf_kDkdqJAsuGuqkJoFJ3S_gxWcZNwtDXV56O3k_7Mq03Ixuuxtip2oF0X3fB7QtUzjzB8mWPTJDFG2TtLLOYCcobPHmn36aAgesHMzJZj8U8sRLmqPXsIc-Lo_btt8gIUc9zZSgRiy7NOSHxw5mYcIMlKl93qvLXu7AaAcVLvzlIOCGWEnFpGGcRFgSOLnShQX6hDylWavKLQG-VOUJKmtXH99KBK-OYQ"
Raw Token Signing
If you need to generate the signature for a serialized token you an use the
io.jwt.encode_sign_raw
built-in function which accepts JSON serialized string
parameters.
io.jwt.encode_sign_raw(
`{"typ":"JWT","alg":"HS256"}`,
`{"iss":"joe","exp":1300819380,"http://example.com/is_root":true}`,
`{"kty":"oct","k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"}`
)
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.lliDzOlRAdGUCfCHCPx_uisb6ZfZ1LRQa0OJLeYTTpY"
Token Verification
io.jwt.decode |
Decodes a JSON Web Token and outputs it as an object. jwt (string) JWT token to decode output (array<object[any: any], object[any: any], string>) [header, payload, sig] , where header and payload are objects; sig is the hexadecimal representation of the signature on the token. | |
---|---|---|
io.jwt.decode_verify |
Verifies a JWT signature under parameterized constraints and decodes the claims if it is valid. Supports the following algorithms: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384 and PS512. jwt (string) JWT token whose signature is to be verified and whose claims are to be checked constraints (object[string: any]) claim verification constraints output (array<boolean, object[any: any], object[any: any]>) [valid, header, payload] : if the input token is verified and meets the requirements of constraints then valid is true ; header and payload are objects containing the JOSE header and the JWT claim set; otherwise, valid is false , header and payload are {} | |
io.jwt.verify_es256 |
Verifies if a ES256 JWT signature is valid. jwt (string) JWT token whose signature is to be verified certificate (string) PEM encoded certificate, PEM encoded public key, or the JWK key (set) used to verify the signature result (boolean) true if the signature is valid, false otherwise | |
io.jwt.verify_es384 |
Verifies if a ES384 JWT signature is valid. jwt (string) JWT token whose signature is to be verified certificate (string) PEM encoded certificate, PEM encoded public key, or the JWK key (set) used to verify the signature result (boolean) true if the signature is valid, false otherwise | |
io.jwt.verify_es512 |
Verifies if a ES512 JWT signature is valid. jwt (string) JWT token whose signature is to be verified certificate (string) PEM encoded certificate, PEM encoded public key, or the JWK key (set) used to verify the signature result (boolean) true if the signature is valid, false otherwise | |
io.jwt.verify_hs256 |
Verifies if a HS256 (secret) JWT signature is valid. jwt (string) JWT token whose signature is to be verified secret (string) plain text secret used to verify the signature result (boolean) true if the signature is valid, false otherwise | |
io.jwt.verify_hs384 |
Verifies if a HS384 (secret) JWT signature is valid. jwt (string) JWT token whose signature is to be verified secret (string) plain text secret used to verify the signature result (boolean) true if the signature is valid, false otherwise | |
io.jwt.verify_hs512 |
Verifies if a HS512 (secret) JWT signature is valid. jwt (string) JWT token whose signature is to be verified secret (string) plain text secret used to verify the signature result (boolean) true if the signature is valid, false otherwise | |
io.jwt.verify_ps256 |
Verifies if a PS256 JWT signature is valid. jwt (string) JWT token whose signature is to be verified certificate (string) PEM encoded certificate, PEM encoded public key, or the JWK key (set) used to verify the signature result (boolean) true if the signature is valid, false otherwise | |
io.jwt.verify_ps384 |
Verifies if a PS384 JWT signature is valid. jwt (string) JWT token whose signature is to be verified certificate (string) PEM encoded certificate, PEM encoded public key, or the JWK key (set) used to verify the signature result (boolean) true if the signature is valid, false otherwise | |
io.jwt.verify_ps512 |
Verifies if a PS512 JWT signature is valid. jwt (string) JWT token whose signature is to be verified certificate (string) PEM encoded certificate, PEM encoded public key, or the JWK key (set) used to verify the signature result (boolean) true if the signature is valid, false otherwise | |
io.jwt.verify_rs256 |
Verifies if a RS256 JWT signature is valid. jwt (string) JWT token whose signature is to be verified certificate (string) PEM encoded certificate, PEM encoded public key, or the JWK key (set) used to verify the signature result (boolean) true if the signature is valid, false otherwise | |
io.jwt.verify_rs384 |
Verifies if a RS384 JWT signature is valid. jwt (string) JWT token whose signature is to be verified certificate (string) PEM encoded certificate, PEM encoded public key, or the JWK key (set) used to verify the signature result (boolean) true if the signature is valid, false otherwise | |
io.jwt.verify_rs512 |
Verifies if a RS512 JWT signature is valid. jwt (string) JWT token whose signature is to be verified certificate (string) PEM encoded certificate, PEM encoded public key, or the JWK key (set) used to verify the signature result (boolean) true if the signature is valid, false otherwise |
The input string
is a JSON Web Token encoded with JWS Compact Serialization. JWE and JWS JSON Serialization are not supported. If nested signing was used, the header
, payload
and signature
will represent the most deeply nested token.
For io.jwt.decode_verify
, constraints
is an object with the following members:
Name | Meaning | Required |
---|---|---|
cert | A PEM encoded certificate, PEM encoded public key, or a JWK key (set) containing an RSA or ECDSA public key. | See below |
secret | The secret key for HS256, HS384 and HS512 verification. | See below |
alg | The JWA algorithm name to use. If it is absent then any algorithm that is compatible with the key is accepted. | Optional |
iss | The issuer string. If it is present the only tokens with this issuer are accepted. If it is absent then any issuer is accepted. | Optional |
time | The time in nanoseconds to verify the token at. If this is present then the exp and nbf claims are compared against this value. If it is absent then they are compared against the current time. | Optional |
aud | The audience that the verifier identifies with. If this is present then the aud claim is checked against it. If it is absent then the aud claim must be absent too. | Optional |
Exactly one of cert
and secret
must be present. If there are any
unrecognized constraints then the token is considered invalid.
Token Verification Examples
The examples below use the following token:
es256_token := "eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJFUzI1NiJ9.eyJuYmYiOiAxNDQ0NDc4NDAwLCAiaXNzIjogInh4eCJ9.lArczfN-pIL8oUU-7PU83u-zfXougXBZj6drFeKFsPEoVhy9WAyiZlRshYqjTSXdaw8yw2L-ovt4zTUZb2PWMg"
Using JWKS
This example shows a two-step process to verify the token signature and then decode it for further checks of the payload content. This approach gives more flexibility in verifying only the claims that the policy needs to enforce.
jwks := `{
"keys": [{
"kty":"EC",
"crv":"P-256",
"x":"z8J91ghFy5o6f2xZ4g8LsLH7u2wEpT2ntj8loahnlsE",
"y":"7bdeXLH61KrGWRdh7ilnbcGQACxykaPKfmBccTHIOUo"
}]
}`
io.jwt.verify_es256(es256_token, jwks) # Verify the token with the JWKS
[header, payload, _] := io.jwt.decode(es256_token) # Decode the token
payload.iss == "xxx" # Ensure the issuer (`iss`) claim is the expected value
+-----------------------------+--------------------------------+
| header | payload |
+-----------------------------+--------------------------------+
| {"alg":"ES256","typ":"JWT"} | {"iss":"xxx","nbf":1444478400} |
+-----------------------------+--------------------------------+
The next example shows doing the token signature verification, decoding, and content checks
all in one call using io.jwt.decode_verify
. Note that this gives less flexibility in validating
the payload content as all claims defined in the JWT spec are verified with the provided
constraints.
[valid, header, payload] := io.jwt.decode_verify(es256_token, {
"cert": jwks,
"iss": "xxx",
})
+-----------------------------+--------------------------------+-------+
| header | payload | valid |
+-----------------------------+--------------------------------+-------+
| {"alg":"ES256","typ":"JWT"} | {"iss":"xxx","nbf":1444478400} | true |
+-----------------------------+--------------------------------+-------+
Using PEM encoded X.509 Certificate
The following examples will demonstrate verifying tokens using an X.509 Certificate defined as:
cert := `-----BEGIN CERTIFICATE-----
MIIBcDCCARagAwIBAgIJAMZmuGSIfvgzMAoGCCqGSM49BAMCMBMxETAPBgNVBAMM
CHdoYXRldmVyMB4XDTE4MDgxMDE0Mjg1NFoXDTE4MDkwOTE0Mjg1NFowEzERMA8G
A1UEAwwId2hhdGV2ZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATPwn3WCEXL
mjp/bFniDwuwsfu7bASlPae2PyWhqGeWwe23Xlyx+tSqxlkXYe4pZ23BkAAscpGj
yn5gXHExyDlKo1MwUTAdBgNVHQ4EFgQUElRjSoVgKjUqY5AXz2o74cLzzS8wHwYD
VR0jBBgwFoAUElRjSoVgKjUqY5AXz2o74cLzzS8wDwYDVR0TAQH/BAUwAwEB/zAK
BggqhkjOPQQDAgNIADBFAiEA4yQ/88ZrUX68c6kOe9G11u8NUaUzd8pLOtkKhniN
OHoCIHmNX37JOqTcTzGn2u9+c8NlnvZ0uDvsd1BmKPaUmjmm
-----END CERTIFICATE-----`
This example shows a two-step process to verify the token signature and then decode it for further checks of the payload content. This approach gives more flexibility in verifying only the claims that the policy needs to enforce.
io.jwt.verify_es256(es256_token, cert) # Verify the token with the certificate
[header, payload, _] := io.jwt.decode(es256_token) # Decode the token
payload.iss == "xxx" # Ensure the issuer claim is the expected value
+-----------------------------+--------------------------------+
| header | payload |
+-----------------------------+--------------------------------+
| {"alg":"ES256","typ":"JWT"} | {"iss":"xxx","nbf":1444478400} |
+-----------------------------+--------------------------------+
The next example shows doing the same token signature verification, decoding, and content checks
but instead with a single call to io.jwt.decode_verify
. Note that this gives less flexibility
in validating the payload content as all claims defined in the JWT spec are verified with the
provided constraints.
[valid, header, payload] := io.jwt.decode_verify( # Decode and verify in one-step
es256_token,
{ # With the supplied constraints:
"cert": cert, # Verify the token with the certificate
"iss": "xxx", # Ensure the issuer claim is the expected value
}
)
+-----------------------------+--------------------------------+-------+
| header | payload | valid |
+-----------------------------+--------------------------------+-------+
| {"alg":"ES256","typ":"JWT"} | {"iss":"xxx","nbf":1444478400} | true |
+-----------------------------+--------------------------------+-------+
Round Trip - Sign and Verify
This example shows how to encode a token, verify, and decode it with the different options available.
Start with using the io.jwt.encode_sign_raw
built-in:
raw_result_hs256 := io.jwt.encode_sign_raw(
`{"alg":"HS256","typ":"JWT"}`,
`{}`,
`{"kty":"oct","k":"Zm9v"}` # "Zm9v" == base64url.encode_no_pad("foo")
)
# Important!! - Use the un-encoded plain text secret to verify and decode
raw_result_valid_hs256 := io.jwt.verify_hs256(raw_result_hs256, "foo")
raw_result_parts_hs256 := io.jwt.decode_verify(raw_result_hs256, {"secret": "foo"})
+----------------------------------------------------------------------------------------+---------------------------------------+------------------------+
| raw_result_hs256 | raw_result_parts_hs256 | raw_result_valid_hs256 |
+----------------------------------------------------------------------------------------+---------------------------------------+------------------------+
| "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.Duw7jWmGY54yEu6kcqd2w1TKp1EspzboBnx8EeMc-z0" | [true,{"alg":"HS256","typ":"JWT"},{}] | true |
+----------------------------------------------------------------------------------------+---------------------------------------+------------------------+
Now encode the and sign the same token contents but with io.jwt.encode_sign
instead of the raw
variant.
result_hs256 := io.jwt.encode_sign(
{
"alg":"HS256",
"typ":"JWT"
},
{},
{
"kty":"oct",
"k":"Zm9v"
}
)
# Important!! - Use the un-encoded plain text secret to verify and decode
result_parts_hs256 := io.jwt.decode_verify(result_hs256, {"secret": "foo"})
result_valid_hs256 := io.jwt.verify_hs256(result_hs256, "foo")
+--------------------------------------------------------------------------------------------+---------------------------------------+--------------------+
| result_hs256 | result_parts_hs256 | result_valid_hs256 |
+--------------------------------------------------------------------------------------------+---------------------------------------+--------------------+
| "eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.e30.h4crob8QjgDq0JlZpf5mtylPvUzULS0XzdbG2-z_YKc" | [true,{"alg":"HS256","typ":"JWT"},{}] | true |
+--------------------------------------------------------------------------------------------+---------------------------------------+--------------------+
Time
time.add_date |
Returns the nanoseconds since epoch after adding years, months and days to nanoseconds. Month & day values outside their usual ranges after the operation and will be normalized - for example, October 32 would become November 1. ns (number) nanoseconds since the epoch years (number) months (number) days (number) output (number) nanoseconds since the epoch representing the input time, with years, months and days added | |
---|---|---|
time.clock |
Returns the x (any<number, array<number, string>>) a number representing the nanoseconds since the epoch (UTC); or a two-element array of the nanoseconds, and a timezone string output (array<number, number, number>) the hour , minute (0-59), and second (0-59) representing the time of day for the nanoseconds since epoch in the supplied timezone (or UTC) | |
time.date |
Returns the x (any<number, array<number, string>>) a number representing the nanoseconds since the epoch (UTC); or a two-element array of the nanoseconds, and a timezone string date (array<number, number, number>) an array of year , month (1-12), and day (1-31) | |
time.diff |
Returns the difference between two unix timestamps in nanoseconds (with optional timezone strings). ns1 (any<number, array<number, string>>) ns2 (any<number, array<number, string>>) output (array<number, number, number, number, number, number>) difference between ns1 and ns2 (in their supplied timezones, if supplied, or UTC) as array of numbers: [years, months, days, hours, minutes, seconds] | |
time.format |
Returns the formatted timestamp for the nanoseconds since epoch. x (any<number, array<number, string>, array<number, string, string>>) a number representing the nanoseconds since the epoch (UTC); or a two-element array of the nanoseconds, and a timezone string; or a three-element array of ns, timezone string and a layout string or golang defined formatting constant (see golang supported time formats) formatted timestamp (string) the formatted timestamp represented for the nanoseconds since the epoch in the supplied timezone (or UTC) | |
time.now_ns |
Returns the current time since epoch in nanoseconds. now (number) nanoseconds since epoch | |
time.parse_duration_ns |
Returns the duration in nanoseconds represented by a string. ns (number) the duration in nanoseconds | |
time.parse_ns |
Returns the time in nanoseconds parsed from the string in the given format. layout (string) format used for parsing, see the Go time package documentation for more detailsvalue (string) input to parse according to layout ns (number) value in nanoseconds since epoch | |
time.parse_rfc3339_ns |
Returns the time in nanoseconds parsed from the string in RFC3339 format. value (string) ns (number) value in nanoseconds since epoch | |
time.weekday |
Returns the day of the week (Monday, Tuesday, …) for the nanoseconds since epoch. x (any<number, array<number, string>>) a number representing the nanoseconds since the epoch (UTC); or a two-element array of the nanoseconds, and a timezone string day (string) the weekday represented by ns nanoseconds since the epoch in the supplied timezone (or UTC) |
Timezones can be specified as
- an IANA Time Zone string e.g. “America/New_York”
- “UTC” or “”, which are equivalent to not passing a timezone (i.e. will return as UTC)
- “Local”, which will use the local timezone.
Note that OPA will use the time/tzdata
data if none is present on the runtime filesystem (see the
Go time.LoadLocation()
documentation for more information).
Timestamp Parsing
OPA can parse timestamps of nearly arbitrary formats, and currently accepts the same inputs as Go’s time.Parse()
utility.
As a result, either you will pass a supported constant, or you must describe the format of your timestamps using the Reference Timestamp that Go’s time
module expects:
2006-01-02T15:04:05Z07:00
In other date formats, that same value is rendered as:
- January 2, 15:04:05, 2006, in time zone seven hours west of GMT
- Unix time:
1136239445
- Unix
date
command output:Mon Jan 2 15:04:05 MST 2006
- RFC3339 timestamp:
2006-01-02T15:04:05Z07:00
Examples of valid values for each timestamp field:
- Year:
"2006"
"06"
- Month:
"Jan"
"January"
"01"
"1"
- Day of the week:
"Mon"
"Monday"
- Day of the month:
"2"
"_2"
"02"
- Day of the year:
"__2"
"002"
- Hour:
"15"
"3"
"03"
(PM or AM) - Minute:
"4"
"04"
- Second:
"5"
"05"
- AM/PM mark:
"PM"
For supported constants, formatting of nanoseconds, time zones, and other fields, see the Go time/format
module documentation.
Timestamp Parsing Example
In OPA, we can parse a simple YYYY-MM-DD
timestamp as follows:
ts := "1985-10-27"
result := time.parse_ns("2006-01-02", ts)
Cryptography
crypto.hmac.equal |
Returns a boolean representing the result of comparing two MACs for equality without leaking timing information. mac1 (string) mac1 to compare mac2 (string) mac2 to compare result (boolean) true if the MACs are equals, false otherwise | |
---|---|---|
crypto.hmac.md5 |
Returns a string representing the MD5 HMAC of the input message using the input key. x (string) input string key (string) key to use y (string) MD5-HMAC of x | |
crypto.hmac.sha1 |
Returns a string representing the SHA1 HMAC of the input message using the input key. x (string) input string key (string) key to use y (string) SHA1-HMAC of x | |
crypto.hmac.sha256 |
Returns a string representing the SHA256 HMAC of the input message using the input key. x (string) input string key (string) key to use y (string) SHA256-HMAC of x | |
crypto.hmac.sha512 |
Returns a string representing the SHA512 HMAC of the input message using the input key. x (string) input string key (string) key to use y (string) SHA512-HMAC of x | |
crypto.md5 |
Returns a string representing the input string hashed with the MD5 function x (string) y (string) MD5-hash of x | |
crypto.parse_private_keys |
Returns zero or more private keys from the given encoded string containing DER certificate data. If the input is empty, the function will return null. The input string should be a list of one or more concatenated PEM blocks. The whole input of concatenated PEM blocks can optionally be Base64 encoded. keys (string) PEM encoded data containing one or more private keys as concatenated blocks. Optionally Base64 encoded. output (array[object[string: any]]) parsed private keys represented as objects | |
crypto.sha1 |
Returns a string representing the input string hashed with the SHA1 function x (string) y (string) SHA1-hash of x | |
crypto.sha256 |
Returns a string representing the input string hashed with the SHA256 function x (string) y (string) SHA256-hash of x | |
crypto.x509.parse_and_verify_certificates |
Returns one or more certificates from the given string containing PEM or base64 encoded DER certificates after verifying the supplied certificates form a complete certificate chain back to a trusted root. The first certificate is treated as the root and the last is treated as the leaf, with all others being treated as intermediates. certs (string) base64 encoded DER or PEM data containing two or more certificates where the first is a root CA, the last is a leaf certificate, and all others are intermediate CAs output (array<boolean, array[object[string: any]]>) array of [valid, certs] : if the input certificate chain could be verified then valid is true and certs is an array of X.509 certificates represented as objects; if the input certificate chain could not be verified then valid is false and certs is [] | |
crypto.x509.parse_and_verify_certificates_with_options |
Returns one or more certificates from the given string containing PEM or base64 encoded DER certificates after verifying the supplied certificates form a complete certificate chain back to a trusted root. A config option passed as the second argument can be used to configure the validation options used. The first certificate is treated as the root and the last is treated as the leaf, with all others being treated as intermediates. certs (string) base64 encoded DER or PEM data containing two or more certificates where the first is a root CA, the last is a leaf certificate, and all others are intermediate CAs options (object[string: any]) object containing extra configs to verify the validity of certificates. options object supports four fields which maps to same fields in x509.VerifyOptions struct. DNSName , CurrentTime : Nanoseconds since the Unix Epoch as a number, MaxConstraintComparisons and KeyUsages . KeyUsages is list and can have possible values as in: "KeyUsageAny" , "KeyUsageServerAuth" , "KeyUsageClientAuth" , "KeyUsageCodeSigning" , "KeyUsageEmailProtection" , "KeyUsageIPSECEndSystem" , "KeyUsageIPSECTunnel" , "KeyUsageIPSECUser" , "KeyUsageTimeStamping" , "KeyUsageOCSPSigning" , "KeyUsageMicrosoftServerGatedCrypto" , "KeyUsageNetscapeServerGatedCrypto" , "KeyUsageMicrosoftCommercialCodeSigning" , "KeyUsageMicrosoftKernelCodeSigning" output (array<boolean, array[object[string: any]]>) array of [valid, certs] : if the input certificate chain could be verified then valid is true and certs is an array of X.509 certificates represented as objects; if the input certificate chain could not be verified then valid is false and certs is [] | |
crypto.x509.parse_certificate_request |
Returns a PKCS #10 certificate signing request from the given PEM-encoded PKCS#10 certificate signing request. csr (string) base64 string containing either a PEM encoded or DER CSR or a string containing a PEM CSR output (object[string: any]) X.509 CSR represented as an object | |
crypto.x509.parse_certificates |
Returns zero or more certificates from the given encoded string containing DER certificate data. If the input is empty, the function will return null. The input string should be a list of one or more concatenated PEM blocks. The whole input of concatenated PEM blocks can optionally be Base64 encoded. certs (string) base64 encoded DER or PEM data containing one or more certificates or a PEM string of one or more certificates output (array[object[string: any]]) parsed X.509 certificates represented as objects | |
crypto.x509.parse_keypair |
Returns a valid key pair cert (string) string containing PEM or base64 encoded DER certificates pem (string) string containing PEM or base64 encoded DER keys output (object[string: any]) if key pair is valid, returns the tls.certificate(https://pkg.go.dev/crypto/tls#Certificate) as an object. If the key pair is invalid, nil and an error are returned. | |
crypto.x509.parse_rsa_private_key |
Returns a JWK for signing a JWT from the given PEM-encoded RSA private key. pem (string) base64 string containing a PEM encoded RSA private key output (object[string: any]) JWK as an object |
Graphs
graph.reachable |
Computes the set of reachable nodes in the graph from a set of starting nodes. graph (object[any: any<array[any], set[any]>]) object containing a set or array of neighboring vertices initial (any<array[any], set[any]>) set or array of root vertices output (set[any]) set of vertices reachable from the initial vertices in the directed graph | |
---|---|---|
graph.reachable_paths |
Computes the set of reachable paths in the graph from a set of starting nodes. graph (object[any: any<array[any], set[any]>]) object containing a set or array of root vertices initial (any<array[any], set[any]>) initial paths output (set[array[any]]) paths reachable from the initial vertices in the directed graph | |
walk |
Generates x (any) output (array<array[any], any>) pairs of path and value : path is an array representing the pointer to value in x . If path is assigned a wildcard (_ ), the walk function will skip path creation entirely for faster evaluation. |
A common class of recursive rules can be reduced to a graph reachability
problem, so graph.reachable
is useful for more than just graph analysis.
This usually requires some pre- and postprocessing. The following example
shows you how to “flatten” a hierarchy of access permissions.
package graph_reachable_example
org_chart_data := {
"ceo": {},
"human_resources": {"owner": "ceo", "access": ["salaries", "complaints"]},
"staffing": {"owner": "human_resources", "access": ["interviews"]},
"internships": {"owner": "staffing", "access": ["blog"]}
}
org_chart_graph[entity_name] := edges {
org_chart_data[entity_name]
edges := {neighbor | org_chart_data[neighbor].owner == entity_name}
}
org_chart_permissions[entity_name] := access {
org_chart_data[entity_name]
reachable := graph.reachable(org_chart_graph, {entity_name})
access := {item | reachable[k]; item := org_chart_data[k].access[_]}
}
org_chart_permissions[entity_name]
+-------------------+-----------------------------------------------+
| entity_name | org_chart_permissions[entity_name] |
+-------------------+-----------------------------------------------+
| "ceo" | ["blog","complaints","interviews","salaries"] |
| "human_resources" | ["blog","complaints","interviews","salaries"] |
| "internships" | ["blog"] |
| "staffing" | ["blog","interviews"] |
+-------------------+-----------------------------------------------+
It may be useful to find all reachable paths from a root element. graph.reachable_paths
can be used for this. Note that cyclical paths will terminate on the repeated node. If an element references a nonexistent element, the path will be terminated, and excludes the nonexistent node.
package graph_reachable_paths_example
path_data := {
"aTop": [],
"cMiddle": ["aTop"],
"bBottom": ["cMiddle"],
"dIgnored": []
}
all_paths[root] := paths {
path_data[root]
paths := graph.reachable_paths(path_data, {root})
}
all_paths[entity_name]
+-------------+--------------------------------+
| entity_name | all_paths[entity_name] |
+-------------+--------------------------------+
| "aTop" | [["aTop"]] |
| "bBottom" | [["bBottom","cMiddle","aTop"]] |
| "cMiddle" | [["cMiddle","aTop"]] |
| "dIgnored" | [["dIgnored"]] |
+-------------+--------------------------------+
GraphQL
graphql.is_valid |
Checks that a GraphQL query is valid against a given schema. The query and/or schema can be either GraphQL strings or AST objects from the other GraphQL builtin functions. query (any<string, object[any: any]>) schema (any<string, object[any: any]>) output (boolean) true if the query is valid under the given schema. false otherwise. | |
---|---|---|
graphql.parse |
Returns AST objects for a given GraphQL query and schema after validating the query against the schema. Returns undefined if errors were encountered during parsing or validation. The query and/or schema can be either GraphQL strings or AST objects from the other GraphQL builtin functions. query (any<string, object[any: any]>) schema (any<string, object[any: any]>) output (array<object[any: any], object[any: any]>) output is of the form [query_ast, schema_ast] . If the GraphQL query is valid given the provided schema, then query_ast and schema_ast are objects describing the ASTs for the query and schema. | |
graphql.parse_and_verify |
Returns a boolean indicating success or failure alongside the parsed ASTs for a given GraphQL query and schema after validating the query against the schema. The query and/or schema can be either GraphQL strings or AST objects from the other GraphQL builtin functions. query (any<string, object[any: any]>) schema (any<string, object[any: any]>) output (array<boolean, object[any: any], object[any: any]>) output is of the form [valid, query_ast, schema_ast] . If the query is valid given the provided schema, then valid is true , and query_ast and schema_ast are objects describing the ASTs for the GraphQL query and schema. Otherwise, valid is false and query_ast and schema_ast are {} . | |
graphql.parse_query |
Returns an AST object for a GraphQL query. query (string) output (object[any: any]) AST object for the GraphQL query. | |
graphql.parse_schema |
Returns an AST object for a GraphQL schema. schema (string) output (object[any: any]) AST object for the GraphQL schema. | |
graphql.schema_is_valid |
Checks that the input is a valid GraphQL schema. The schema can be either a GraphQL string or an AST object from the other GraphQL builtin functions. schema (any<string, object[any: any]>) output (boolean) true if the schema is a valid GraphQL schema. false otherwise. |
GraphQL Custom @directive
Example
New @directive
definitions can be defined separately from your schema, so long as you concat
them onto the schema definition before attempting to validate a query/schema using those custom directives.
In the following example, a custom directive is defined, and then used in the schema to annotate an argument on one of the allowed query types.
package graphql_custom_directive_example
custom_directives := `
directive @customDeprecatedArgs(
reason: String
) on ARGUMENT_DEFINITION
`
schema := `
type Query {
foo(name: String! @customDeprecatedArgs(reason: "example reason")): String,
bar: String!
}
`
query := `query { foo(name: "example") }`
p {
graphql.is_valid(query, concat("", [custom_directives, schema]))
}
HTTP
http.send |
Returns a HTTP response to the given HTTP request. request (object[string: any]) response (object[any: any]) |
---|
The request
object parameter may contain the following fields:
Field | Required | Type | Description |
---|---|---|---|
url | yes | string | HTTP URL to specify in the request (e.g., "https://www.openpolicyagent.org" ). |
method | yes | string | HTTP method to specify in request (e.g., "GET" , "POST" , "PUT" , etc.) |
body | no | any | HTTP message body to include in request. The value will be serialized to JSON. |
raw_body | no | string | HTTP message body to include in request. The value WILL NOT be serialized. Use this for non-JSON messages. |
headers | no | object | HTTP headers to include in the request (e.g,. {"X-Opa": "rules"} ). |
enable_redirect | no | boolean | Follow HTTP redirects. Default: false . |
force_json_decode | no | boolean | Decode the HTTP response message body as JSON even if the Content-Type header is missing. Default: false . |
force_yaml_decode | no | boolean | Decode the HTTP response message body as YAML even if the Content-Type header is missing. Default: false . |
tls_use_system_certs | no | boolean | Use the system certificate pool. Default: true when tls_ca_cert , tls_ca_cert_file , tls_ca_cert_env_variable are unset. Ignored on Windows due to the system certificate pool not being accessible in the same way as it is for other platforms. |
tls_ca_cert | no | string | String containing a root certificate in PEM encoded format. |
tls_ca_cert_file | no | string | Path to file containing a root certificate in PEM encoded format. |
tls_ca_cert_env_variable | no | string | Environment variable containing a root certificate in PEM encoded format. |
tls_client_cert | no | string | String containing a client certificate in PEM encoded format. |
tls_client_cert_file | no | string | Path to file containing a client certificate in PEM encoded format. |
tls_client_cert_env_variable | no | string | Environment variable containing a client certificate in PEM encoded format. |
tls_client_key | no | string | String containing a key in PEM encoded format. |
tls_client_key_file | no | string | Path to file containing a key in PEM encoded format. |
tls_client_key_env_variable | no | string | Environment variable containing a client key in PEM encoded format. |
timeout | no | string or number | Timeout for the HTTP request with a default of 5 seconds (5s ). Numbers provided are in nanoseconds. Strings must be a valid duration string where a duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”. A zero timeout means no timeout. |
tls_insecure_skip_verify | no | bool | Allows for skipping TLS verification when calling a network endpoint. Not recommended for production. |
tls_server_name | no | string | Sets the hostname that is sent in the client Server Name Indication and that be will be used for server certificate validation. If this is not set, the value of the Host header (if present) will be used. If neither are set, the host name from the requested URL is used. |
cache | no | boolean | Cache HTTP response across OPA queries. Default: false . |
force_cache | no | boolean | Cache HTTP response across OPA queries and override cache directives defined by the server. Default: false . |
force_cache_duration_seconds | no | number | If force_cache is set, this field specifies the duration in seconds for the freshness of a cached response. |
caching_mode | no | string | Controls the format in which items are inserted into the inter-query cache. Allowed modes are serialized and deserialized . In the serialized mode, items will be serialized before inserting into the cache. This mode is helpful if memory conservation is preferred over higher latency during cache lookup. This is the default mode. In the deserialized mode, an item will be inserted in the cache without any serialization. This means when items are fetched from the cache, there won’t be a need to decode them. This mode helps to make the cache lookup faster at the expense of more memory consumption. If this mode is enabled, the configured caching.inter_query_builtin_cache.max_size_bytes value will be ignored. This means an unlimited cache size will be assumed. |
raise_error | no | bool | If raise_error is set, http.send will return an error that can halt policy evaluation when used in conjunction with the strict-builtin-errors option. Default: true . |
max_retry_attempts | no | number | Number of times to retry a HTTP request when a network error is encountered. If provided, retries are performed with an exponential backoff delay. Default: 0 . |
If the Host
header is included in headers
, its value will be used as the Host
header of the request. The url
parameter will continue to specify the server to connect to.
When sending HTTPS requests with client certificates at least one the following combinations must be included
tls_client_cert
andtls_client_key
tls_client_cert_file
andtls_client_key_file
tls_client_cert_env_variable
andtls_client_key_env_variable
The response
object parameter will contain the following fields:
Field | Type | Description |
---|---|---|
status | string | HTTP status message (e.g., "200 OK" ). |
status_code | number | HTTP status code (e.g., 200 ). If raise_error is false , this field will be set to 0 if http.send encounters an error. |
body | any | Any value. If the HTTP response message body was not deserialized from JSON or YAML (by force or via the expected Content-Type headers application/json ; or application/yaml or application/x-yaml ), this field is set to null . |
raw_body | string | The entire raw HTTP response message body represented as a string. |
headers | object | An object containing the response headers. The values will be an array of strings, repeated headers are grouped under the same keys with all values in the array. |
error | object | If raise_error is false , this field will represent the error encountered while running http.send . The error object contains a message key which holds the actual error message and a code key which represents if the error was caused due to a network issue or during policy evaluation. |
By default, an error returned by http.send
halts the policy evaluation when used in conjunction with the strict-builtin-errors
option that can be set when running evaluation.
This behaviour can be altered such that instead of halting evaluation, if http.send
encounters an error, it can return a response
object with status_code
set to 0
and error
describing the actual error. This can be activated by setting the raise_error
field
in the request
object to false
. Note that if the strict-builtin-errors
option is not specified and raise_error
field is true
(which is the default), an error returned by http.send
will generate an undefined result.
If the cache
field in the request
object is true
, http.send
will return a cached response after it checks its
freshness and validity.
http.send
uses the Cache-Control
and Expires
response headers to check the freshness of the cached response.
Specifically if the max-age Cache-Control
directive is set, http.send
will use it to determine if the cached response is fresh or not. If max-age
is not set, the Expires
header will be used instead.
If the cached response is stale, http.send
uses the Etag
and Last-Modified
response headers to check with the server if the
cached response is in fact still fresh. If the server responds with a 200
(OK
) response, http.send
will update the cache
with the new response. On a 304
(Not Modified
) server response, http.send
will update the headers in cached response with
their corresponding values in the 304
response.
The force_cache
field can be used to override the cache directives defined by the server. This field is used in
conjunction with the force_cache_duration_seconds
field. If force_cache
is true
, then force_cache_duration_seconds
must be specified and http.send
will use this value to check the freshness of the cached response.
Also, if force_cache
is true
, it overrides the cache
field.
http.send
only caches responses with the following HTTP status codes: 200
, 203
, 204
, 206
, 300
, 301
,
404
, 405
, 410
, 414
, and 501
. This is behavior is as per https://www.rfc-editor.org/rfc/rfc7231#section-6.1 and
is enforced when caching responses within a single query or across queries via the cache
and force_cache
request fields.
The table below shows examples of calling http.send
:
Example | Comments |
---|---|
Accessing Google using System Cert Pool | http.send({"method": "get", "url": "https://www.google.com", "tls_use_system_certs": true }) |
Files containing TLS material | http.send({"method": "get", "url": "https://127.0.0.1:65331", "tls_ca_cert_file": "testdata/ca.pem", "tls_client_cert_file": "testdata/client-cert.pem", "tls_client_key_file": "testdata/client-key.pem"}) |
Environment variables containing TLS material | http.send({"method": "get", "url": "https://127.0.0.1:65360", "tls_ca_cert_env_variable": "CLIENT_CA_ENV", "tls_client_cert_env_variable": "CLIENT_CERT_ENV", "tls_client_key_env_variable": "CLIENT_KEY_ENV"}) |
Unix Socket URL Format | http.send({"method": "get", "url": "unix://localhost/?socket=%F2path%F2file.socket"}) |
AWS
providers.aws.sign_req |
Signs an HTTP request object for Amazon Web Services. Currently implements AWS Signature Version 4 request signing by the request (object[string: any]) aws_config (object[string: any]) time_ns (number) signed_request (object[any: any]) |
---|
The AWS Request Signing builtin in OPA implements the header-based auth,
single-chunk method described in the AWS SigV4 docs.
It will default to signing the payload when present, configurable via aws_config
, and will sign most user-provided
headers for the request, to ensure their integrity.
The request
object parameter may contain any and all of the same fields as for http.send
.
The following fields will have effects on the output Authorization
header signature:
Field | Required | Type | Description |
---|---|---|---|
url | yes | string | HTTP URL to specify in the request. Used in the signature. |
method | yes | string | HTTP method to specify in request. Used in the signature. |
body | no | any | HTTP message body. The JSON serialized version of this value will be used for the payload portion of the signature if present. |
raw_body | no | string | HTTP message body. This will be used for the payload portion of the signature if present. |
headers | no | object | HTTP headers to include in the request. These will be added to the list of headers to sign. |
The aws_config
object parameter may contain the following fields:
Field | Required | Type | Description |
---|---|---|---|
aws_access_key | yes | string | AWS access key. |
aws_secret_access_key | yes | string | AWS secret access key. Used in generating the signing key for the request. |
aws_service | yes | string | AWS service the request will be valid for. (e.g. "s3" ) |
aws_region | yes | string | AWS region for the request. (e.g. "us-east-1" ) |
aws_session_token | no | string | AWS security token. Used for the x-amz-security-token request header. |
disable_payload_signing | no | boolean | When true an UNSIGNED-PAYLOAD value will be used for calculating the x-amz-content-sha256 header during signing, and will be returned in the response. Applicable only for s3 and glacier service. Default: false . |
AWS Request Signing Examples
Basic Request Signing Example
The example below shows using hard-coded AWS credentials for signing the request
object for http.send
.
req := {"method": "get", "url": "https://examplebucket.s3.amazonaws.com/data"}
aws_config := {
"aws_access_key": "MYAWSACCESSKEYGOESHERE",
"aws_secret_access_key": "MYAWSSECRETACCESSKEYGOESHERE",
"aws_service": "s3",
"aws_region": "us-east-1",
}
example_verify_resource {
resp := http.send(providers.aws.sign_req(req, aws_config, time.now_ns()))
# process response from AWS ...
}
Unsigned Payload Request Signing Example
The AWS S3 request signing API supports unsigned payload signing option. This example below shows s3 request signing with payload signing disabled.
req := {"method": "get", "url": "https://examplebucket.s3.amazonaws.com/data"}
aws_config := {
"aws_access_key": "MYAWSACCESSKEYGOESHERE",
"aws_secret_access_key": "MYAWSSECRETACCESSKEYGOESHERE",
"aws_service": "s3",
"aws_region": "us-east-1",
"disable_payload_signing": true,
}
example_verify_resource {
resp := http.send(providers.aws.sign_req(req, aws_config, time.now_ns()))
# process response from AWS ...
}
Pre-Signed Request Example
The AWS S3 request signing API supports pre-signing requests, so that they will only be valid at a future date. To do this in OPA, simply adjust the time parameter:
env := opa.runtime().env
req := {"method": "get", "url": "https://examplebucket.s3.amazonaws.com/data"}
aws_config := {
"aws_access_key": env["AWS_ACCESS_KEY"],
"aws_secret_access_key": env["AWS_SECRET_ACCESS_KEY"],
"aws_service": "s3",
"aws_region": env["AWS_REGION"],
}
# Request will become valid 2 days from now.
signing_time := time.add_date(time.now_ns(), 0, 0, 2)
pre_signed_req := providers.aws.sign_req(req, aws_config, signing_time))
Net
net.cidr_contains |
Checks if a CIDR or IP is contained within another CIDR. cidr (string) cidr_or_ip (string) result (boolean) | |
---|---|---|
net.cidr_contains_matches |
Checks if collections of cidrs or ips are contained within another collection of cidrs and returns matches. This function is similar to cidrs (any<string, array[any<string, array[any]>], object[string: any<string, array[any]>], set[any<string, array[any]>]>) cidrs_or_ips (any<string, array[any<string, array[any]>], object[string: any<string, array[any]>], set[any<string, array[any]>]>) output (set[array<any, any>]) tuples identifying matches where cidrs_or_ips are contained within cidrs | |
net.cidr_expand |
Expands CIDR to set of hosts (e.g., cidr (string) hosts (set[string]) set of IP addresses the CIDR cidr expands to | |
net.cidr_intersects |
Checks if a CIDR intersects with another CIDR (e.g. cidr1 (string) cidr2 (string) result (boolean) | |
net.cidr_is_valid |
Parses an IPv4/IPv6 CIDR and returns a boolean indicating if the provided CIDR is valid. cidr (string) result (boolean) | |
net.cidr_merge |
Merges IP addresses and subnets into the smallest possible list of CIDRs (e.g., addrs (any<array[any<string>], set[string]>) CIDRs or IP addresses output (set[string]) smallest possible set of CIDRs obtained after merging the provided list of IP addresses and subnets in addrs | |
net.lookup_ip_addr |
Returns the set of IP addresses (both v4 and v6) that the passed-in name (string) domain name to resolve addrs (set[string]) IP addresses (v4 and v6) that name resolves to |
Notes on Name Resolution (net.lookup_ip_addr
)
The lookup mechanism uses either the pure-Go, or the cgo-based resolver, depending on the operating system and availability of cgo.
The latter depends on flags that can be provided when building OPA as a Go library, and can be adjusted at runtime via the GODEBUG environment variable.
See these docs on the net
package for details.
Note that the cgo-based resolver is often preferable: It will take advantage of host-based DNS caching in place. This built-in function only caches DNS lookups within a single policy evaluation.
Examples of net.cidr_contains_matches
The output := net.cidr_contains_matches(a, b)
function allows callers to supply
strings, arrays, sets, or objects for either a
or b
. The output
value in
all cases is a set of tuples (2-element arrays) that identify matches, i.e.,
elements of b
contained by elements of a
. The first tuple element refers to
the match in a
and the second tuple element refers to the match in b
.
Input Type | Output Type |
---|---|
string | string |
array | array index |
set | set element |
object | object key |
If both operands are string values the function is similar to net.cidr_contains
.
net.cidr_contains_matches("1.1.1.0/24", "1.1.1.128")
[
[
"1.1.1.0/24",
"1.1.1.128"
]
]
Either (or both) operand(s) may be an array, set, or object.
net.cidr_contains_matches(["1.1.1.0/24", "1.1.2.0/24"], "1.1.1.128")
[
[
0,
"1.1.1.128"
]
]
The array/set/object elements may be arrays. In that case, the first element must be a valid CIDR/IP.
net.cidr_contains_matches([["1.1.0.0/16", "foo"], "1.1.2.0/24"], ["1.1.1.128", ["1.1.254.254", "bar"]])
[
[
0,
0
],
[
0,
1
]
]
If the operand is a set, the outputs are matching elements. If the operand is an object, the outputs are matching keys.
net.cidr_contains_matches({["1.1.0.0/16", "foo"], "1.1.2.0/24"}, {"x": "1.1.1.128", "y": ["1.1.254.254", "bar"]})
[
[
[
"1.1.0.0/16",
"foo"
],
"x"
],
[
[
"1.1.0.0/16",
"foo"
],
"y"
]
]
UUID
uuid.parse |
Parses the string value as an UUID and returns an object with the well-defined fields of the UUID if valid. uuid (string) result (object[string: any]) Properties of UUID if valid (version, variant, etc). Undefined otherwise. | |
---|---|---|
uuid.rfc4122 |
Returns a new UUIDv4. k (string) output (string) a version 4 UUID; for any given k , the output will be consistent throughout a query evaluation |
Semantic Versions
semver.compare |
Compares valid SemVer formatted version strings. a (string) b (string) result (number) -1 if a < b ; 1 if a > b ; 0 if a == b | |
---|---|---|
semver.is_valid |
Validates that the input is a valid SemVer string. vsn (any) result (boolean) true if vsn is a valid SemVer; false otherwise |
Example of semver.is_valid
The result := semver.is_valid(vsn)
function checks to see if a version
string is of the form: MAJOR.MINOR.PATCH[-PRERELEASE][+METADATA]
, where
items in square braces are optional elements.
When working with Go-style semantic versions, remember to remove the
leading v
character, or the semver string will be marked as invalid!
semver.is_valid("v1.1.12-rc1+foo")
false
semver.is_valid("1.1.12-rc1+foo")
true
Rego
rego.metadata.chain |
Returns the chain of metadata for the active rule. Ordered starting at the active rule, going outward to the most distant node in its package ancestry. A chain entry is a JSON document with two members: “path”, an array representing the path of the node; and “annotations”, a JSON document containing the annotations declared for the node. The first entry in the chain always points to the active rule, even if it has no declared annotations (in which case the “annotations” member is not present). chain (array[any]) each array entry represents a node in the path ancestry (chain) of the active rule that also has declared annotations | |
---|---|---|
rego.metadata.rule |
Returns annotations declared for the active rule and using the rule scope. output (any) “rule” scope annotations for this rule; empty object if no annotations exist | |
rego.parse_module |
Parses the input Rego string and returns an object representation of the AST. filename (string) file name to attach to AST nodes’ locations rego (string) Rego module output (object[string: any]) |
Example
Given the input document
{
"number": 11,
"subject": {
"name": "John doe",
"role": "customer"
}
}
the following policy
package example
# METADATA
# title: Deny invalid numbers
# description: Numbers may not be higher than 5
# custom:
# severity: MEDIUM
deny[format(rego.metadata.rule())] {
input.number > 5
}
# METADATA
# title: Deny non-admin subjects
# description: Subject must have the 'admin' role
# custom:
# severity: HIGH
deny[format(rego.metadata.rule())] {
input.subject.role != "admin"
}
format(meta) := {"severity": meta.custom.severity, "reason": meta.description}
will output
deny
[
{
"reason": "Numbers may not be higher than 5",
"severity": "MEDIUM"
},
{
"reason": "Subject must have the 'admin' role",
"severity": "HIGH"
}
]
Metadata Merge strategies
When multiple annotations are declared along the path ancestry (chain) for a rule, how any given annotation should be selected, inherited or merged depends on the semantics of the annotation, the context of the rule, and the preferences of the developer. OPA doesn’t presume what merge strategy is appropriate; instead, this lies in the hands of the developer. The following example demonstrates how some string and list type annotations in a metadata chain can be merged into a single metadata object.
# METADATA
# title: My Example Package
# description: A set of rules illustrating how metadata annotations can be merged.
# authors:
# - John Doe <john@example.com>
# organizations:
# - Acme Corp.
package example
import rego.v1
# METADATA
# scope: document
# description: A rule that merges metadata annotations in various ways.
# METADATA
# title: My Allow Rule
# authors:
# - Jane Doe <jane@example.com>
allow if {
meta := merge(rego.metadata.chain())
meta.title == "My Allow Rule" # 'title' pulled from 'rule' scope
meta.description == "A rule that merges metadata annotations in various ways." # 'description' pulled from 'document' scope
meta.authors == {
{"email": "jane@example.com", "name": "Jane Doe"}, # 'authors' joined from 'package' and 'rule' scopes
{"email": "john@example.com", "name": "John Doe"},
}
meta.organizations == {"Acme Corp."} # 'organizations' pulled from 'package' scope
}
allow if {
meta := merge(rego.metadata.chain())
meta.title == null # No 'title' present in 'rule' or 'document' scopes
meta.description == "A rule that merges metadata annotations in various ways." # 'description' pulled from 'document' scope
meta.authors == { # 'authors' pulled from 'package' scope
{"email": "john@example.com", "name": "John Doe"}
}
meta.organizations == {"Acme Corp."} # 'organizations' pulled from 'package' scope
}
merge(chain) := meta if {
ruleAndDoc := ["rule", "document"]
meta := {
"title": override_annot(chain, "title", ruleAndDoc), # looks for 'title' in 'rule' scope, then 'document' scope
"description": override_annot(chain, "description", ruleAndDoc), # looks for 'description' in 'rule' scope, then 'document' scope
"related_resources": override_annot(chain, "related_resources", ruleAndDoc), # looks for 'related_resources' in 'rule' scope, then 'document' scope
"authors": merge_annot(chain, "authors"), # merges all 'authors' across all scopes
"organizations": merge_annot(chain, "organizations"), # merges all 'organizations' across all scopes
}
}
override_annot(chain, name, scopes) := val if {
val := [v |
link := chain[_]
link.annotations.scope in scopes
v := link.annotations[name]
][0]
} else := null
merge_annot(chain, name) := val if {
val := {v |
v := chain[_].annotations[name][_]
}
} else := null
OPA
opa.runtime |
Returns an object that describes the runtime environment where OPA is deployed. output (object[string: any]) includes a config key if OPA was started with a configuration file; an env key containing the environment variables that the OPA process was started with; includes version and commit keys containing the version and build commit of OPA. |
---|
Debugging
Built-in | Description | Details |
---|---|---|
print(...) | print is used to output the values of variables for debugging purposes. print calls have no effect on the result of queries or rules. All variables passed to print must be assigned inside of the query or rule. If any of the print arguments are undefined, their values are represented as <undefined> in the output stream. Because policies can be invoked via different interfaces (e.g., CLI, HTTP API, etc.) the exact output format differs. See the table below for details. |
API | Output | Memo |
---|---|---|
opa eval | stderr | |
opa run (REPL) | stderr | |
opa test | stdout | Specify -v to see output for passing tests. Output for failing tests is displayed automatically. |
opa run -s (server) | stderr | Specify --log-level=info (default) or higher. Output is sent to the log stream. Use --log-format=text for pretty output. |
Go (library) | io.Writer | https://pkg.go.dev/github.com/open-policy-agent/opa/rego#example-Rego-Print_statements |
Tracing
trace |
Emits note (string) the note to include result (boolean) always true |
---|
By default, explanations are disabled. The following table summarizes how you can enable tracing:
API | Parameter | Example |
---|---|---|
CLI | --explain | opa eval --explain=notes --format=pretty 'trace("hello world")' |
HTTP | explain=notes | curl localhost:8181/v1/data/example/allow?explain=notes&pretty |
REPL | n/a | trace notes |
Reserved Names
The following words are reserved and cannot be used as variable names, rule names, or dot-access style reference arguments:
as
contains
data
default
else
every
false
if
in
import
input
package
not
null
some
true
with
Grammar
Rego’s syntax is defined by the following grammar:
module = package { import } policy
package = "package" ref
import = "import" ref [ "as" var ]
policy = { rule }
rule = [ "default" ] rule-head { rule-body }
rule-head = ( ref | var ) ( rule-head-set | rule-head-obj | rule-head-func | rule-head-comp )
rule-head-comp = [ assign-operator term ] [ "if" ]
rule-head-obj = "[" term "]" [ assign-operator term ] [ "if" ]
rule-head-func = "(" rule-args ")" [ assign-operator term ] [ "if" ]
rule-head-set = "contains" term [ "if" ] | "[" term "]"
rule-args = term { "," term }
rule-body = [ "else" [ assign-operator term ] [ "if" ] ] ( "{" query "}" ) | literal
query = literal { ( ";" | ( [CR] LF ) ) literal }
literal = ( some-decl | expr | "not" expr ) { with-modifier }
with-modifier = "with" term "as" term
some-decl = "some" term { "," term } { "in" expr }
expr = term | expr-call | expr-infix | expr-every | expr-parens | unary-expr
expr-call = var [ "." var ] "(" [ expr { "," expr } ] ")"
expr-infix = expr infix-operator expr
expr-every = "every" var { "," var } "in" ( term | expr-call | expr-infix ) "{" query "}"
expr-parens = "(" expr ")"
unary-expr = "-" expr
membership = term [ "," term ] "in" term
term = ref | var | scalar | array | object | set | membership | array-compr | object-compr | set-compr
array-compr = "[" term "|" query "]"
set-compr = "{" term "|" query "}"
object-compr = "{" object-item "|" query "}"
infix-operator = assign-operator | bool-operator | arith-operator | bin-operator
bool-operator = "==" | "!=" | "<" | ">" | ">=" | "<="
arith-operator = "+" | "-" | "*" | "/"
bin-operator = "&" | "|"
assign-operator = ":=" | "="
ref = ( var | array | object | set | array-compr | object-compr | set-compr | expr-call ) { ref-arg }
ref-arg = ref-arg-dot | ref-arg-brack
ref-arg-brack = "[" ( scalar | var | array | object | set | "_" ) "]"
ref-arg-dot = "." var
var = ( ALPHA | "_" ) { ALPHA | DIGIT | "_" }
scalar = string | NUMBER | TRUE | FALSE | NULL
string = STRING | raw-string
raw-string = "`" { CHAR-"`" } "`"
array = "[" term { "," term } "]"
object = "{" object-item { "," object-item } "}"
object-item = ( scalar | ref | var ) ":" term
set = empty-set | non-empty-set
non-empty-set = "{" term { "," term } "}"
empty-set = "set(" ")"
Note that the grammar corresponds to Rego with rego.v1
enabled (See (OPA v1.0 for more info).
The grammar defined above makes use of the following syntax. See the Wikipedia page on EBNF for more details:
[] optional (zero or one instances)
{} repetition (zero or more instances)
| alternation (one of the instances)
() grouping (order of expansion)
STRING JSON string
NUMBER JSON number
TRUE JSON true
FALSE JSON false
NULL JSON null
CHAR Unicode character
ALPHA ASCII characters A-Z and a-z
DIGIT ASCII characters 0-9
CR Carriage Return
LF Line Feed
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.