Rego Examples
Overview
We will walkthrough examples for following rego items.
- Input, Output
- Rule, Document and Undefined
- Default keyword and Assignment
- Complete or Incremental Rule Definition
- Helper Rule
Input, Policy & Output
Example 1
In below rego rule, document v is true if the equality expression is true. The content of document v is defined by the rule.
v if input.message == "world"(Note: Rule definitions can be more expressive when using the future keywords contains and if. But these keywords are optional)
In OPA playground, when we query the document by clicking the “evaluate” button, the output is undefined, since we don’t have any input.
When we add default value for v using assignment, we get the default value in the output.
default v:= false
Let’s query/evaluate with below input.
{
"message": "world"
}Now document v is true.
Example 2
We can break up a policy with small helper rules to reuse logic and improve overall readability.
Rego supports so-called complete definitions of any type of document. Documents produced by rules with complete definitions can only have one value at a time.
package playimport future.keywords.if
import future.keywords.ineligible_groups := ["grp1","grp2"]# This rule uses a helper rule
group_roles := my_roles if {
my_group := input.group
my_group in eligible_groups
my_roles := {"group": my_group, "location": input.location, "roles": lookup_roles}
}# Helper rule, complete definitions
lookup_roles := role_record if {
input.location == "east"
role_record := ["admin", "ops", "reader"]
}# Helper rule, complete definitions
lookup_roles := role_record if {
input.location == "west"
role_record := ["ops", "reader"]
}# Helper rule, complete definitions
lookup_roles := role_record if {
input.location == "mountain"
role_record := ["reader"]
}
Here is the use case for above example, the group is in eligible group list, and the group is associated with different roles based on group’s location.
input #1
{
“group”: “grp3”,
“location”: “west”
}
With above input, the query returns undefined, since grp3 is not eligible.
input #2
{
“group”: “grp1”,
“location”: “west”
}
The query returns both ops and reader roles.
"group_roles": {
"group": "grp1",
"location": "west",
"roles": [
"ops",
"reader"
]
}{
“group”: “grp1”,
“location”: “east”
}
input #3
{
“group”: “grp2”,
“location”: “east”
}
The query returns all three roles.
"group_roles": {
"group": "grp2",
"location": "east",
"roles": [
"admin",
"ops",
"reader"
]
}Here is another way to write the helper rule.
A rule may be defined multiple times with the same name. When a rule is defined this way, we refer to the rule definition as incremental because each definition is additive. The document produced by incrementally defined rules is the union of the documents produced by each individual rule.
package playimport future.keywords.if
import future.keywords.in
import future.keywords.containseligible_groups := ["grp1","grp2"]
admin_locations := ["east"]
ops_locations := ["east", "west"]
reader_locations := ["east", "west", "mountain"]group_roles := my_roles if {
my_group := input.group
my_group in eligible_groups
my_roles := {"group": my_group, "location": input.location, "roles": lookup_roles}
}lookup_roles contains role_record if {
input.location in admin_locations
role_record := "admin"
}lookup_roles contains role_record if {
input.location in ops_locations
role_record := "ops"
}lookup_roles contains role_record if {
input.location in reader_locations
role_record := "reader"
}
Depends on the group location, the helper rules (lookup_roles) can return multiple values. For example, a group in west location is associated with both ops and reader roles.
References
The Rego Playground (openpolicyagent.org)
Rego Cheat Sheet. Contributors: Shubhi Agarwal & Ravi… | by Shubhi Agarwal | Medium
