我的书签
添加书签
移除书签Read this section if you want to extend OPA with custom built-in functions.
OPA supports built-in functions for simple operations like string manipulation and arithmetic as well as more complex operations like JWT verification and executing HTTP requests. If you need to to extend OPA with custom built-in functions for use cases or integrations that are not supported out-of-the-box you can supply the function definitions when you prepare queries.
Using custom built-in functions involves providing a declaration and implementation. The declaration tells OPA the function’s type signature and the implementation provides the callback that OPA can execute during query evaluation.
To get started you need to import three packages:
The ast and types packages contain the types for declarations and runtime objects passed to your implementation. Here is a trivial example that shows the process:
r := rego.New(rego.Query(`x = hello("bob")`),rego.Function1(®o.Function{Name: "hello",Decl: types.NewFunction(types.Args(types.S), types.S),},func(_ rego.BuiltinContext, a *ast.Term) (*ast.Term, error) {if str, ok := a.Value.(ast.String); ok {return ast.StringTerm("hello, " + string(str)), nil}return nil, nil}),))query, err := r.PrepareForEval(ctx)if err != nil {// handle error.}
At this point you can execute the query:
rs, err := query.Eval(ctx)if err != nil {// handle error.}// Do something with result.fmt.Println(rs[0].Bindings["x"])
If you executed this code you the output would be:
"hello, bob"
The example above highlights a few important points.
- The
regopackage includes variants ofrego.Function1for accepting different numbers of operands (e.g.,rego.Function2,rego.Function3, etc.) - The
rego.Function#Namestruct field specifies the operator that queries can refer to. - The
rego.Function#Declstruct field specifies the function’s type signature. In the example above the function accepts a string and returns a string. - The function indicates it’s undefined by returning
nilfor the first return argument.
Let’s look at another example. Imagine you want to expose GitHub repository metadata to your policies. One option is to implement a custom built-in function to fetch the data for specific repositories on-the-fly.
r := rego.New(rego.Query(`github.repo("open-policy-agent", "opa")`),rego.Function2(®o.Function{Name: "github.repo",Decl: types.NewFunction(types.Args(types.S, types.S), types.A),Memoize: true,},func(bctx rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error) {// see implementation below.},),)
The declaration also sets rego.Function#Memoize to true to enable memoization across multiple calls in the same query. If your built-in function performs I/O, you should enable memoization as it ensures function evaluation is deterministic.
The implementation wraps the Go standard library to perform HTTP requests to GitHub’s API:
The implementation is careful to use the context passed to the built-in function when executing the HTTP request. See the appendix at the end of this page for the complete example.
Read this section if you want to customize or extend the OPA runtime/executable with custom behaviour.
OPA defines a plugin interface that allows you to customize certain behaviour like decision logging or add new behaviour like different query APIs. To implement a custom plugin you must implement two interfaces:
- github.com/open-policy-agent/opa/plugins#Factory to instantiate your plugin.
- to provide your plugin behavior.
You can register your factory with OPA by calling github.com/open-policy-agent/opa/runtime#RegisterPlugin inside your main function.
The plugin may (optionally) report its current status to the plugin Manager via the plugins.Manager#UpdatePluginStatus API.
Typically the plugin should report StatusNotReady at creation time and update to StatusOK (or StatusErr) when appropriate.
import ("encoding/json""github.com/open-policy-agent/opa/plugins/logs")const PluginName = "println_decision_logger"type Config struct {Stderr bool `json:"stderr"` // false => stdout, true => stderr}type PrintlnLogger struct {mtx sync.Mutexconfig Config}p.manager.UpdatePluginStatus(PluginName, &plugins.Status{State: plugins.StateOK})return nil}func (p *PrintlnLogger) Stop(ctx context.Context) {p.manager.UpdatePluginStatus(PluginName, &plugins.Status{State: plugins.StateNotReady})}func (p *PrintlnLogger) Reconfigure(ctx context.Context, config interface{}) {p.mtx.Lock()defer p.mtx.Unlock()p.config = config.(Config)}// Log is called by the decision logger when a record (event) should be emitted. The logs.EventV1 fields// map 1:1 to those described in https://www.openpolicyagent.org/docs/latest/management-decision-logsfunc (p *PrintlnLogger) Log(ctx context.Context, event logs.EventV1) error {p.mtx.Lock()defer p.mtx.Unlock()w := os.Stdoutif p.config.Stderr {w = os.Stderr}bs, err := json.Marshal(event)if err != nil {p.manager.UpdatePluginStatus(PluginName, &plugins.Status{State: plugins.StateErr})return nil}_, err = fmt.Fprintln(w, string(bs))if err != nil {p.manager.UpdatePluginStatus(PluginName, &plugins.Status{State: plugins.StateErr})}return nil}
Next, implement a factory function that instantiates your plugin:
import ("github.com/open-policy-agent/opa/plugins""github.com/open-policy-agent/opa/util")type Factory struct{}func (Factory) New(m *plugins.Manager, config interface{}) plugins.Plugin {m.UpdatePluginStatus(PluginName, &plugins.Status{State: plugins.StateNotReady})return &PrintlnLogger{manager: m,config: config.(Config),}}func (Factory) Validate(_ *plugins.Manager, config []byte) (interface{}, error) {parsedConfig := Config{}return parsedConfig, util.Unmarshal(config, &parsedConfig)}
Finally, register your factory with OPA and call cmd.RootCommand.Execute. The latter starts OPA and does not return.
import ("github.com/open-policy-agent/opa/cmd""github.com/open-policy-agent/opa/runtime")func main() {runtime.RegisterPlugin(PluginName, Factory{})if err := cmd.RootCommand.Execute(); err != nil {fmt.Println(err)os.Exit(1)}}
At this point you can build an OPA executable including your plugin.
go build -o opa++
Define an OPA configuration file that will use your plugin:
config.yaml:
Start OPA with the configuration file:
./opa++ run --server --config-file config.yaml
Exercise the plugin via the OPA API:
If everything worked you will see the Go struct representation of the decision log event written to stdout.
The source code for this example can be found .
These values can be set on the command-line when building OPA from source:
go build -o opa++ -ldflags "-X github.com/open-policy-agent/opa/version.Version=MY_VERSION" main.go
package mainimport ("context""encoding/json""fmt""log""net/http""github.com/open-policy-agent/opa/ast""github.com/open-policy-agent/opa/rego""github.com/open-policy-agent/opa/types")func main() {r := rego.New(rego.Query(`github.repo("open-policy-agent", "opa")`),rego.Function2(®o.Function{Name: "github.repo",Decl: types.NewFunction(types.Args(types.S, types.S), types.A),Memoize: true,},func(bctx rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error) {var org, repo stringif err := ast.As(a.Value, &org); err != nil {return nil, err} else if ast.As(b.Value, &repo); err != nil {return nil, err}req, err := http.NewRequest("GET", fmt.Sprintf("https://api.github.com/repos/%v/%v", org, repo), nil)if err != nil {return nil, err}resp, err := http.DefaultClient.Do(req.WithContext(bctx.Context))if err != nil {return nil, err}defer resp.Body.Close()if resp.StatusCode != http.StatusOK {return nil, fmt.Errorf(resp.Status)}v, err := ast.ValueFromReader(resp.Body)if err != nil {return nil, err}return ast.NewTerm(v), nil},),)rs, err := r.Eval(context.Background())if err != nil {log.Fatal(err)} else if len(rs) == 0 {fmt.Println("undefined")} else {bs, _ := json.MarshalIndent(rs[0].Expressions[0].Value, "", " ")fmt.Println(string(bs))}}
