Documentation
Overview
Package compile provides a specialized interface to package rego, built for compiling policies into filters. It combines simple evals (of any masking rule) with partial evaluation (PE), configured with the correct settings for some options, and pairs them with post-checks that determine whether the result of partial evaluation can be translated into filter queries for certain targets/dialects. On success, the PE results are translated into queries, i.e. SQL WHERE clauses or UCAST expressions.
Index
- type Compile
- type CompileOption
- func Mappings(m map[string]any) CompileOption
- func MaskRule(rule ast.Ref) CompileOption
- func Metrics(m metrics.Metrics) CompileOption
- func ParsedQuery(q ast.Body) CompileOption
- func ParsedUnknowns(s ...*ast.Term) CompileOption
- func Rego(o ...func(*rego.Rego)) CompileOption
- func Target(target, dialect string) CompileOption
- type Filter
- type Filters
- type PrepareOption
- type Prepared
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type CompileOption
type CompileOption func(*Compile)
func Mappings
func Mappings(m map[string]any) CompileOption
Mappings allows controlling the table and column names of the generated queries, if they don't match what's in the policy's unknowns. These can be simple maps, like
    {
      fruit: {
        $self: "fruit_table",
        name: "name_col",
      }
    }

or per-target/per-dialect,

    {
      sql: { // per-target
        fruit: {
          $self: "fruit_table",
          name: "name_col",
        }
      }
    }

    {
      postgresql: { // per-dialect
        fruit: {
          $self: "fruit_table",
          name: "name_col",
        }
      }
    }
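An added example (not part of the package's documentation or code): assuming mappings are loaded from configuration and end up as table and column names in generated queries, this stand-alone check accepts the three shapes shown above and rejects values that are not plain identifiers. `CheckMappings` and the identifier pattern are hypothetical; a map that passes would then be handed to `Mappings`.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// identRe: conservative allowlist for names (this example's assumption).
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// CheckMappings (hypothetical helper) walks a mappings value in any of the three
// shapes shown above and returns the sorted paths of rejected entries.
func CheckMappings(m map[string]any) []string {
	var bad []string
	var walk func(path string, v any, depth int)
	walk = func(path string, v any, depth int) {
		switch x := v.(type) {
		case map[string]any:
			if depth >= 3 { // deepest shape: dialect -> table -> column
				bad = append(bad, path+": nested too deep")
				return
			}
			for k, child := range x {
				walk(path+"/"+k, child, depth+1)
			}
		case string:
			if depth < 2 || !identRe.MatchString(x) {
				bad = append(bad, fmt.Sprintf("%s: rejected %q", path, x))
			}
		default:
			bad = append(bad, fmt.Sprintf("%s: unexpected type %T", path, v))
		}
	}
	walk("", m, 0)
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed sample: per-dialect shape with one unsafe column name.
	m := map[string]any{"postgresql": map[string]any{"fruit": map[string]any{
		"$self": "fruit_table",
		"name":  `name col"`,
	}}}
	for _, p := range CheckMappings(m) {
		fmt.Println(p)
	}
}
```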
func MaskRule
func MaskRule(rule ast.Ref) CompileOption
MaskRule selects which rule of the provided modules is evaluated to determine the masking of columns. Applying those masking rules is an out-of-band concern, handled when processing the results of the query.
func Metrics
func Metrics(m metrics.Metrics) CompileOption
Metrics allows passing the `metrics.Metrics` to use for recording timers. It's passed along to the underlying `rego.Rego` evals, too.
func ParsedQuery
func ParsedQuery(q ast.Body) CompileOption
ParsedQuery lets you pass in the main entrypoint of this filter compilation.
func ParsedUnknowns
func ParsedUnknowns(s ...*ast.Term) CompileOption
ParsedUnknowns lets you pass in the unknowns of this filter compilation.
func Rego
func Rego(o ...func(*rego.Rego)) CompileOption
Rego allows passing through common `*rego.Rego` options.
func Target
func Target(target, dialect string) CompileOption
Target lets you control the targets of a filter compilation. If repeated, it'll apply constraints for all the targets simultaneously (i.e. the union of their constraints = the intersection of supported features).
type Filter
Filter represents the result of a policy-to-filter compilation for one specific target/dialect.
type Filters
type Filters struct {
// contains filtered or unexported fields
}
Filters represents all the filters compiled from a policy. Can contain `compile.Filter` for various target/dialect combinations.
type PrepareOption
type PrepareOption func(*Prepared)
func RegoPrepareOptions
func RegoPrepareOptions(o ...rego.PrepareOption) PrepareOption
RegoPrepareOptions lets you pass through any `rego.PrepareOption`.