diff --git a/previews/PR10/ast_walker/index.html b/previews/PR10/ast_walker/index.html index 2ca863f..3e2d2d7 100644 --- a/previews/PR10/ast_walker/index.html +++ b/previews/PR10/ast_walker/index.html @@ -35,4 +35,4 @@ # all rows should be included else # `sqlcondition.sql` contains a string with the SQL query condition -end

More details of AST walker, and the included visitors can be found in the reference documentation.

+end

More details of AST walker, and the included visitors can be found in the reference documentation.
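
Review bot: the added sentence after `end` is missing an article and carries a stray comma ("More details of AST walker, and the included visitors ..."). Suggest "More details of the AST walker and the included visitors can be found in the reference documentation."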

diff --git a/previews/PR10/client/index.html b/previews/PR10/client/index.html index 2b426ff..4cabb12 100644 --- a/previews/PR10/client/index.html +++ b/previews/PR10/client/index.html @@ -5,4 +5,4 @@ opa_client, "policies/server/rest/allowed" ); -@test response.result == false

Complete reference is available in the Reference section.

OpenAPI API Documents also give more details on the API methods.

+@test response.result == false

Complete reference is available in the Reference section.

OpenAPI API Documents also give more details on the API methods.
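
Review bot: in the added text after `@test response.result == false`, "OpenAPI API Documents" repeats "API" and does not say which documents are meant. Suggest "The OpenAPI documents also give more details on the API methods", and "The complete reference is available in the Reference section" for the sentence before it.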

diff --git a/previews/PR10/commandline/index.html b/previews/PR10/commandline/index.html index 68573f0..b6373aa 100644 --- a/previews/PR10/commandline/index.html +++ b/previews/PR10/commandline/index.html @@ -32,4 +32,4 @@ Flags: -h, --help help for opa -Use "opa [command] --help" for more information about a command.

Complete reference is available in the Reference section.

+Use "opa [command] --help" for more information about a command.

Complete reference is available in the Reference section.
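
Review bot: the removed and added lines in this hunk read identically as shown (`Use "opa [command] --help" for more information about a command.` and the sentence that follows it), so the visible text gives no way to tell what changed. State in the PR description what differs in this file (markup, whitespace or line endings), or leave the file out of the change if nothing user-visible differs.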

diff --git a/previews/PR10/index.html b/previews/PR10/index.html index ea55de4..ae7684a 100644 --- a/previews/PR10/index.html +++ b/previews/PR10/index.html @@ -1,2 +1,2 @@ -Home · OpenPolicyAgent.jl

OpenPolicyAgent.jl

Open Policy Agent (OPA) is an open-source, cloud-native policy engine that allows organizations to declaratively enforce policies across their software stack. It provides a unified, flexible, and efficient way to implement and manage policies for access control, security, and compliance in modern, dynamic environments. OPA excels at decoupling policy decision logic from application code, enabling fine-grained control over authorization, resource validation, and more.

Its expressive policy language, called Rego, allows users to define complex policies in a human-readable format. OPA is widely adopted in cloud-native ecosystems, helping organizations ensure consistent policy enforcement across services, APIs, and infrastructure components, making it a crucial tool for enhancing security and governance in modern software systems.

This package provides a Julia interface to the OPA server, and the client APIs to interact with the server. It also includes a command-line interface to the OPA command-line tool.

+Home · OpenPolicyAgent.jl

OpenPolicyAgent.jl

Open Policy Agent (OPA) is an open-source, cloud-native policy engine that allows organizations to declaratively enforce policies across their software stack. It provides a unified, flexible, and efficient way to implement and manage policies for access control, security, and compliance in modern, dynamic environments. OPA excels at decoupling policy decision logic from application code, enabling fine-grained control over authorization, resource validation, and more.

Its expressive policy language, called Rego, allows users to define complex policies in a human-readable format. OPA is widely adopted in cloud-native ecosystems, helping organizations ensure consistent policy enforcement across services, APIs, and infrastructure components, making it a crucial tool for enhancing security and governance in modern software systems.

This package provides a Julia interface to the OPA server, and the client APIs to interact with the server. It also includes a command-line interface to the OPA command-line tool.
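
Review bot: the last added paragraph is ambiguous about what the package ships: "a Julia interface to the OPA server, and the client APIs to interact with the server" can be read as one component or two, and "a command-line interface to the OPA command-line tool" reads circularly. Suggest naming the three parts the reference page lists (Server, Client, CLI) and saying in one clause each what it does.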

diff --git a/previews/PR10/reference/index.html b/previews/PR10/reference/index.html index 0d76887..d016be2 100644 --- a/previews/PR10/reference/index.html +++ b/previews/PR10/reference/index.html @@ -1,7 +1,7 @@ -Reference · OpenPolicyAgent.jl

API Reference

Client

PolicyApi

OpenPolicyAgent.Client.get_policiesFunction

List policies

This API endpoint responds with a list of all policy modules on the server (result response)

Params:

  • pretty::Bool

Return: GetPolicyListSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.get_policy_moduleFunction

Get a policy module

This API endpoint returns the details of the specified policy module ({id})

Params:

  • id::String (required)
  • pretty::Bool

Return: GetPolicyModuleSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.put_policy_moduleFunction

Create or update a policy module

  • If the policy module does not exist, it is created. - If the policy module already exists, it is replaced. If the policy module isn't correctly defined, a bad request (400) response is returned. ### Example policy module yaml package opa.examples import data.servers import data.networks import data.ports public_servers[server] { some k, m server := servers[_] server.ports[_] == ports[k].id ports[k].networks[_] == networks[m].id networks[m].public == true }

Params:

  • id::String (required)
  • body::String (required)
  • pretty::Bool
  • metrics::Bool

Return: PutPolicySuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.delete_policy_moduleFunction

Delete a policy module

This API endpoint removes an existing policy module from the server

Params:

  • id::String (required)
  • pretty::Bool
  • metrics::Bool

Return: Nothing, OpenAPI.Clients.ApiResponse

source

DataApi

OpenPolicyAgent.Client.get_documentFunction

Get a document

This API endpoint returns the document specified by path. The path separator is used to access values inside object and array documents. If the path indexes into an array, the server will attempt to convert the array index to an integer. If the path element cannot be converted to an integer, the server will respond with 404. The server will return a bad request (400) response if either: - The query requires an input document and you do not provide it - You provide the input document but the query has already defined it.

Params:

  • path::String (required)
  • input::Dict{String, Any}
  • pretty::Bool
  • provenance::Bool
  • explain::String
  • metrics::Bool
  • instrument::Bool
  • strictbuiltinerrors::Bool

Return: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.get_document_with_pathFunction

Get a document that required an input

The request body contains an object that specifies a value for the input document. The path separator is used to access values inside object and array documents. If the path indexes into an array, the server will attempt to convert the array index to an integer. If the path element cannot be converted to an integer, the server will respond with 404. The server will return a bad request (400) response if either: - The query requires an input document and you do not provide it - You provided an input document but the query has already defined it.

Params:

  • path::String (required)
  • request_body::Dict{String, Any} (required)
  • pretty::Bool
  • provenance::Bool
  • explain::String
  • metrics::Bool
  • instrument::Bool
  • strictbuiltinerrors::Bool

Return: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.get_document_from_webhookFunction

Get a document from a webhook.

Use this API if you are enforcing policy decisions via webhooks that have pre-defined request/response formats. Note, the API path prefix is /v0 instead of /v1. The request message body defines the content of the The input Document. The request message body may be empty. The path separator is used to access values inside object and array documents.

Params:

  • path::String (required)
  • request_body::Dict{String, Any} (required)
  • pretty::Bool

Return: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.create_documentFunction

Create or overwrite a document.

If the path does not refer to an existing document, the server will attempt to create all of the necessary containing documents. This behavior is similar in principle to the Unix command mkdir -p. The server will respect the If-None-Match header if it is set to *. In this case, the server will not overwrite an existing document located at the path.

Params:

  • path::String (required)
  • request_body::Dict{String, Any} (required)
  • metrics::Bool

Return: CreateDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.patch_documentFunction

Patch a document

Update a document. The patch operation is specified in the request body.

Params:

  • path::String (required)
  • patch_operation::Vector{PatchOperation} (required)

Return: Nothing, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.delete_documentFunction

Delete a document

The server processes the DELETE method as if the client had sent a PATCH request containing a single remove operation.

Params:

  • path::String (required)
  • metrics::Bool

Return: DeleteDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source

QueryApi

OpenPolicyAgent.Client.query_getFunction

Execute an ad-hoc query and return bindings for variables found in the query.

For queries that have large JSON values it is recommended to use the POST method with the query included as the POST body

Params:

  • q::String (required)
  • pretty::Bool
  • explain::String
  • metrics::Bool

Return: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.query_postFunction

Execute an ad-hoc query and return bindings for variables found in the query.

Query included as the POST body. E.g.: { "query": "input.servers[i].ports[_] = \"p2\"; input.servers[i].name = name", "input": { "servers": [ ... ], } }

Params:

  • queryparameterpost::QueryParameterPost (required)
  • pretty::Bool
  • explain::String
  • metrics::Bool

Return: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.simple_queryFunction

Execute a simple query.

OPA serves POST requests without a URL path by querying for the document at path /data/system/main. The content of that document defines the response entirely.

Params:

  • request_body::Dict{String, Any} (required)
  • pretty::Bool

Return: Dict{String, Any}, OpenAPI.Clients.ApiResponse

source

CompileApi

OpenPolicyAgent.Client.post_compileFunction

Partially evaluate a query.

The Compile API allows you to partially evaluate Rego queries and obtain a simplified version of the policy. This is most useful when building integrations where policy logic is to be translated and evaluated in another environment. <br/> For example, this post on the OPA blog shows how SQL can be generated based on Compile API output. For more details on Partial Evaluation in OPA, please refer to this blog post. <br/> The example below assumes that OPA has been given the following policy (use PUT /v1/policies/{path}): <br/> <pre> package example allow { input.subject.clearancelevel >= data.reports[].clearancelevel } </pre> <br/> Compile API request body so that it contain the following fields: <br/> <table> <tr><th>Field</th><th>Type</th><th>Required</th><th>Description</th></tr> <tr><td><code>query</code></td><td><code>string</code></td><td>Yes</td><td>The query to partially evaluate and compile.</td></tr> <tr><td><code>input</code></td><td><code>any</code></td><td>No</td><td>The input document to use during partial evaluation (default: undefined).</td></tr> <tr><td><code>options</code></td><td><code>object[string, any]</code></td><td>No</td><td>Additional options to use during partial evaluation. Only <code>disableInlining</code> option is supported. (default: undefined).</td></tr> <tr><td><code>unknowns</code></td><td><code>array[string]</code></td><td>No</td><td>The terms to treat as unknown during partial evaluation (default: <code>["input"]</code>]).</td></tr> </table> <br/> For example: <br/> <code> { "query": "data.example.allow == true", "input": { "subject": { "clearancelevel": 4 } }, "unknowns": [ "data.reports" ] } </code> <br/> <b>Unconditional Results from Partial Evaluation</b> When you partially evaluate a query with the Compile API, OPA returns a new set of queries and supporting policies. However, in some cases, the result of Partial Evaluation is a conclusive, unconditional answer. <br/> See the guidance for details.

Params:

  • pretty::Bool
  • explain::String
  • metrics::Bool
  • instrument::Bool
  • partialqueryschema::PartialQuerySchema

Return: CompileSuccessResponse, OpenAPI.Clients.ApiResponse

source

HealthApi

OpenPolicyAgent.Client.get_healthFunction

Health

This API endpoint verifies that the server is operational. The response from the server is either 200 or 500: - 200 - OPA service is healthy. If bundles is true, then all configured bundles have been activated. If plugins is true, then all plugins are in an 'OK' state. - 500 - OPA service is not healthy. If bundles is true, at least one of configured bundles has not yet been activated. If plugins is true, at least one plugins is in a 'not OK' state. –- Note This check is only for initial bundle activation. Subsequent downloads will not affect the health check. Use the status endpoint (in the (management API)[management.html]) for more fine-grained bundle status monitoring. –-

Params:

  • bundles::Bool
  • plugins::Bool
  • exclude_plugin::String

Return: Nothing, OpenAPI.Clients.ApiResponse

source

ConfigApi

OpenPolicyAgent.Client.get_configFunction

Get configurations

The /config API endpoint returns OPA's active configuration. When the discovery feature is enabled, this API can be used to fetch the discovered configuration in the last evaluated discovery bundle. The credentials field in the Services configuration and the private_key and key fields in the Keys configuration will be omitted from the API response.

Params:

  • pretty::Bool

Return: Dict{String, Any}, OpenAPI.Clients.ApiResponse

source

StatusApi

OpenPolicyAgent.Client.get_statusFunction

Get status

The /status API endpoint returns the status of the OPA server. This includes the status of the bundles and plugins.

Params:

  • pretty::Bool

Return: Dict{String, Any}, OpenAPI.Clients.ApiResponse

source

Server

OpenPolicyAgent.Server.MonitoredOPAServerType
MonitoredOPAServer(configfile::String;
+Reference · OpenPolicyAgent.jl

API Reference

Client

PolicyApi

OpenPolicyAgent.Client.get_policiesFunction

List policies

This API endpoint responds with a list of all policy modules on the server (result response)

Params:

  • pretty::Bool

Return: GetPolicyListSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.get_policy_moduleFunction

Get a policy module

This API endpoint returns the details of the specified policy module ({id})

Params:

  • id::String (required)
  • pretty::Bool

Return: GetPolicyModuleSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.put_policy_moduleFunction

Create or update a policy module

  • If the policy module does not exist, it is created. - If the policy module already exists, it is replaced. If the policy module isn't correctly defined, a bad request (400) response is returned. ### Example policy module yaml package opa.examples import data.servers import data.networks import data.ports public_servers[server] { some k, m server := servers[_] server.ports[_] == ports[k].id ports[k].networks[_] == networks[m].id networks[m].public == true }

Params:

  • id::String (required)
  • body::String (required)
  • pretty::Bool
  • metrics::Bool

Return: PutPolicySuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.delete_policy_moduleFunction

Delete a policy module

This API endpoint removes an existing policy module from the server

Params:

  • id::String (required)
  • pretty::Bool
  • metrics::Bool

Return: Nothing, OpenAPI.Clients.ApiResponse

source

DataApi

OpenPolicyAgent.Client.get_documentFunction

Get a document

This API endpoint returns the document specified by path. The path separator is used to access values inside object and array documents. If the path indexes into an array, the server will attempt to convert the array index to an integer. If the path element cannot be converted to an integer, the server will respond with 404. The server will return a bad request (400) response if either: - The query requires an input document and you do not provide it - You provide the input document but the query has already defined it.

Params:

  • path::String (required)
  • input::Dict{String, Any}
  • pretty::Bool
  • provenance::Bool
  • explain::String
  • metrics::Bool
  • instrument::Bool
  • strictbuiltinerrors::Bool

Return: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.get_document_with_pathFunction

Get a document that required an input

The request body contains an object that specifies a value for the input document. The path separator is used to access values inside object and array documents. If the path indexes into an array, the server will attempt to convert the array index to an integer. If the path element cannot be converted to an integer, the server will respond with 404. The server will return a bad request (400) response if either: - The query requires an input document and you do not provide it - You provided an input document but the query has already defined it.

Params:

  • path::String (required)
  • request_body::Dict{String, Any} (required)
  • pretty::Bool
  • provenance::Bool
  • explain::String
  • metrics::Bool
  • instrument::Bool
  • strictbuiltinerrors::Bool

Return: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.get_document_from_webhookFunction

Get a document from a webhook.

Use this API if you are enforcing policy decisions via webhooks that have pre-defined request/response formats. Note, the API path prefix is /v0 instead of /v1. The request message body defines the content of the The input Document. The request message body may be empty. The path separator is used to access values inside object and array documents.

Params:

  • path::String (required)
  • request_body::Dict{String, Any} (required)
  • pretty::Bool

Return: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.create_documentFunction

Create or overwrite a document.

If the path does not refer to an existing document, the server will attempt to create all of the necessary containing documents. This behavior is similar in principle to the Unix command mkdir -p. The server will respect the If-None-Match header if it is set to *. In this case, the server will not overwrite an existing document located at the path.

Params:

  • path::String (required)
  • request_body::Dict{String, Any} (required)
  • metrics::Bool

Return: CreateDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.patch_documentFunction

Patch a document

Update a document. The patch operation is specified in the request body.

Params:

  • path::String (required)
  • patch_operation::Vector{PatchOperation} (required)

Return: Nothing, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.delete_documentFunction

Delete a document

The server processes the DELETE method as if the client had sent a PATCH request containing a single remove operation.

Params:

  • path::String (required)
  • metrics::Bool

Return: DeleteDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source

QueryApi

OpenPolicyAgent.Client.query_getFunction

Execute an ad-hoc query and return bindings for variables found in the query.

For queries that have large JSON values it is recommended to use the POST method with the query included as the POST body

Params:

  • q::String (required)
  • pretty::Bool
  • explain::String
  • metrics::Bool

Return: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.query_postFunction

Execute an ad-hoc query and return bindings for variables found in the query.

Query included as the POST body. E.g.: { "query": "input.servers[i].ports[_] = \"p2\"; input.servers[i].name = name", "input": { "servers": [ ... ], } }

Params:

  • queryparameterpost::QueryParameterPost (required)
  • pretty::Bool
  • explain::String
  • metrics::Bool

Return: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse

source
OpenPolicyAgent.Client.simple_queryFunction

Execute a simple query.

OPA serves POST requests without a URL path by querying for the document at path /data/system/main. The content of that document defines the response entirely.

Params:

  • request_body::Dict{String, Any} (required)
  • pretty::Bool

Return: Dict{String, Any}, OpenAPI.Clients.ApiResponse

source

CompileApi

OpenPolicyAgent.Client.post_compileFunction

Partially evaluate a query.

The Compile API allows you to partially evaluate Rego queries and obtain a simplified version of the policy. This is most useful when building integrations where policy logic is to be translated and evaluated in another environment. <br/> For example, this post on the OPA blog shows how SQL can be generated based on Compile API output. For more details on Partial Evaluation in OPA, please refer to this blog post. <br/> The example below assumes that OPA has been given the following policy (use PUT /v1/policies/{path}): <br/> <pre> package example allow { input.subject.clearancelevel >= data.reports[].clearancelevel } </pre> <br/> Compile API request body so that it contain the following fields: <br/> <table> <tr><th>Field</th><th>Type</th><th>Required</th><th>Description</th></tr> <tr><td><code>query</code></td><td><code>string</code></td><td>Yes</td><td>The query to partially evaluate and compile.</td></tr> <tr><td><code>input</code></td><td><code>any</code></td><td>No</td><td>The input document to use during partial evaluation (default: undefined).</td></tr> <tr><td><code>options</code></td><td><code>object[string, any]</code></td><td>No</td><td>Additional options to use during partial evaluation. Only <code>disableInlining</code> option is supported. (default: undefined).</td></tr> <tr><td><code>unknowns</code></td><td><code>array[string]</code></td><td>No</td><td>The terms to treat as unknown during partial evaluation (default: <code>["input"]</code>]).</td></tr> </table> <br/> For example: <br/> <code> { "query": "data.example.allow == true", "input": { "subject": { "clearancelevel": 4 } }, "unknowns": [ "data.reports" ] } </code> <br/> <b>Unconditional Results from Partial Evaluation</b> When you partially evaluate a query with the Compile API, OPA returns a new set of queries and supporting policies. However, in some cases, the result of Partial Evaluation is a conclusive, unconditional answer. <br/> See the guidance for details.

Params:

  • pretty::Bool
  • explain::String
  • metrics::Bool
  • instrument::Bool
  • partialqueryschema::PartialQuerySchema

Return: CompileSuccessResponse, OpenAPI.Clients.ApiResponse

source

HealthApi

OpenPolicyAgent.Client.get_healthFunction

Health

This API endpoint verifies that the server is operational. The response from the server is either 200 or 500: - 200 - OPA service is healthy. If bundles is true, then all configured bundles have been activated. If plugins is true, then all plugins are in an 'OK' state. - 500 - OPA service is not healthy. If bundles is true, at least one of configured bundles has not yet been activated. If plugins is true, at least one plugins is in a 'not OK' state. –- Note This check is only for initial bundle activation. Subsequent downloads will not affect the health check. Use the status endpoint (in the (management API)[management.html]) for more fine-grained bundle status monitoring. –-

Params:

  • bundles::Bool
  • plugins::Bool
  • exclude_plugin::String

Return: Nothing, OpenAPI.Clients.ApiResponse

source

ConfigApi

OpenPolicyAgent.Client.get_configFunction

Get configurations

The /config API endpoint returns OPA's active configuration. When the discovery feature is enabled, this API can be used to fetch the discovered configuration in the last evaluated discovery bundle. The credentials field in the Services configuration and the private_key and key fields in the Keys configuration will be omitted from the API response.

Params:

  • pretty::Bool

Return: Dict{String, Any}, OpenAPI.Clients.ApiResponse

source

StatusApi

OpenPolicyAgent.Client.get_statusFunction

Get status

The /status API endpoint returns the status of the OPA server. This includes the status of the bundles and plugins.

Params:

  • pretty::Bool

Return: Dict{String, Any}, OpenAPI.Clients.ApiResponse

source

Server

OpenPolicyAgent.Server.MonitoredOPAServerType
MonitoredOPAServer(configfile::String;
     host::String = "localhost",
     port::Int = DEFAULT_PORT,
     stdout = nothing,
     stderr = nothing,
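
Review bot: several docstrings in the added `+Reference` text carry markup that is not rendered and reaches the reader as literal text. The `post_compile` description shows raw `<br/>`, `<pre>`, `<table>` and `<code>` tags, and its `unknowns` default has a stray bracket (`["input"]</code>]`). The `put_policy_module` description collapses its list, the "### Example policy module" heading and the Rego example into a single bullet. The `get_health` note writes its link as `(management API)[management.html]` with the brackets and parentheses swapped, and `get_document_from_webhook` has "the The input Document". Suggest fixing these in the docstring source: use Markdown lists, a fenced block for the Rego and JSON examples, a Markdown table for the Compile API fields, and `[management API](management.html)` for the link.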
-)

A server that is monitored and restarted if it dies.

Arguments:

  • configfile: The path to the OPA configuration file.

Keyword arguments:

  • host: The host to bind to.
  • port: The port to bind to.
  • stdout: The stream or file to redirect stdout to.
  • stderr: The stream or file to redirect stderr to.
source
OpenPolicyAgent.Server.start!Function
start!(server::MonitoredOPAServer)

Starts the server. If the server is already started, an error is thrown. Monitors the server and restarts it if it dies.

source

CLI

OpenPolicyAgent.CLI.CommandLineType

CommandLine execution context.

exec: a no argument function that provides the base command to execute in a julia do block. cmdopts: keyword arguments that should be used to further customize the Cmd creation pipelineopts: keyword arguments that should be used to further customize the pipeline creation

source
OpenPolicyAgent.CLI.versionFunction

version Run the version subcommand of opa command. Print the version of OPA

Options:

  • check::Bool - Check for latest OPA release
  • help::Bool - Help for version
source
OpenPolicyAgent.CLI.buildFunction

build Run the build subcommand of opa command. Build an OPA bundle

Options:

  • bundle::Bool - Load paths as bundle files or root directories
  • capabilities::AbstractString - Set capabilities.json file path
  • claims_file::AbstractString - Set path of JSON file containing optional claims (see: https://openpolicyagent.org/docs/latest/management/#signature-format)
  • debug::Bool - Enable debug output
  • entrypoint::AbstractString - Set slash separated entrypoint path
  • excludefilesverify::AbstractString - Set file names to exclude during bundle verification
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • optimize::AbstractString - Set optimization level
  • output::AbstractString - Set the output filename
  • revision::AbstractString - Set output bundle revision
  • scope::AbstractString - Scope to use for bundle signature verification
  • signing_alg::AbstractString - Name of the signing algorithm
  • signing_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)
  • signing_plugin::AbstractString - Name of the plugin to use for signing/verification (see https://openpolicyagent.org/docs/latest/management/#signature-plugin
  • target::AbstractString - Set the output bundle target type
  • verification_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the public key (RSA and ECDSA)
  • verificationkeyid::AbstractString - Name assigned to the verification key used for bundle verification
  • help::Bool - Help for build
source
OpenPolicyAgent.CLI.checkFunction

check Run the check subcommand of opa command. Check Rego source files

Options:

  • bundle::Bool - Load paths as bundle files or root directories
  • capabilities::AbstractString - Set capabilities.json file path
  • format::AbstractString - Set output format
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • max_errors::AbstractString - Set the number of errors to allow before compilation fails early
  • schema::AbstractString - Set schema file path or directory path
  • strict::Bool - Enable compiler strict mode
  • help::Bool - Help for check
source
OpenPolicyAgent.CLI.completionFunction

completion Run the completion subcommand of opa command. Generate the autocompletion script for the specified shell

Options:

  • help::Bool - Help for completion
source
OpenPolicyAgent.CLI.depsFunction

deps Run the deps subcommand of opa command. Analyze Rego query dependencies

Options:

  • bundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated
  • data::AbstractString - Set policy or data file(s). This flag can be repeated
  • format::AbstractString - Set output format
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • help::Bool - Help for deps
source
OpenPolicyAgent.CLI.evalFunction

eval Run the eval subcommand of opa command. Evaluate a Rego query

Options:

  • bundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated
  • capabilities::AbstractString - Set capabilities.json file path
  • count::AbstractString - Number of times to repeat each benchmark
  • coverage::Bool - Report coverage
  • data::AbstractString - Set policy or data file(s). This flag can be repeated
  • disableearlyexit::Bool - Disable 'early exit' optimizations
  • disable_indexing::Bool - Disable indexing optimizations
  • disable_inlining::AbstractString - Set paths of documents to exclude from inlining
  • explain::AbstractString - Enable query explanations
  • fail::Bool - Exits with non-zero exit code on undefined/empty result and errors
  • fail_defined::Bool - Exits with non-zero exit code on defined/non-empty result and errors
  • format::AbstractString - Set output format
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • _import::AbstractString - Set query import(s). This flag can be repeated
  • input::AbstractString - Set input file path
  • instrument::Bool - Enable query instrumentation metrics (implies –metrics)
  • metrics::Bool - Report query performance metrics
  • package::AbstractString - Set query package
  • partial::Bool - Perform partial evaluation
  • pretty_limit::AbstractString - Set limit after which pretty output gets truncated
  • profile::Bool - Perform expression profiling
  • profile_limit::AbstractString - Set number of profiling results to show
  • profile_sort::AbstractString - Set sort order of expression profiler results
  • schema::AbstractString - Set schema file path or directory path
  • shallow_inlining::Bool - Disable inlining of rules that depend on unknowns
  • stdin::Bool - Read query from stdin
  • stdin_input::Bool - Read input document from stdin
  • strictbuiltinerrors::Bool - Treat built-in function errors as fatal
  • target::AbstractString - Set the runtime to exercise
  • timeout::AbstractString - Set eval timeout (default unlimited)
  • unknowns::AbstractString - Set paths to treat as unknown during partial evaluation
  • help::Bool - Help for eval
source
OpenPolicyAgent.CLI.execFunction

exec Run the exec subcommand of opa command. Execute against input files

Options:

  • bundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated
  • config_file::AbstractString - Set path of configuration file
  • decision::AbstractString - Set decision to evaluate
  • format::AbstractString - Set output format
  • log_format::AbstractString - Set log format
  • log_level::AbstractString - Set log level
  • set::AbstractString - Override config values on the command line (use commas to specify multiple values)
  • set_file::AbstractString - Override config values with files on the command line (use commas to specify multiple values)
  • help::Bool - Help for exec
source
OpenPolicyAgent.CLI.fmtFunction

fmt Run the fmt subcommand of opa command. Format Rego source files

Options:

  • diff::Bool - Only display a diff of the changes
  • fail::Bool - Non zero exit code on reformat
  • list::Bool - List all files who would change when formatted
  • write::Bool - Overwrite the original source file
  • help::Bool - Help for fmt
source
OpenPolicyAgent.CLI.inspectFunction

inspect Run the inspect subcommand of opa command. Inspect OPA bundle(s)

Options:

  • format::AbstractString - Set output format
  • help::Bool - Help for inspect
source
OpenPolicyAgent.CLI.parseFunction

parse Run the parse subcommand of opa command. Parse Rego source file

Options:

  • format::AbstractString - Set output format
  • help::Bool - Help for parse
source
OpenPolicyAgent.CLI.runFunction

run Run the run subcommand of opa command. Start OPA in interactive or server mode

Options:

  • addr::AbstractString - Set listening address of the server (e.g., [ip]:<port> for TCP, unix://<path> for UNIX domain socket)
  • authentication::AbstractString - Set authentication scheme
  • authorization::AbstractString - Set authorization scheme
  • bundle::Bool - Load paths as bundle files or root directories
  • config_file::AbstractString - Set path of configuration file
  • diagnostic_addr::AbstractString - Set read-only diagnostic listening address of the server for /health and /metric APIs (e.g., [ip]:<port> for TCP, unix://<path> for UNIX domain socket)
  • excludefilesverify::AbstractString - Set file names to exclude during bundle verification
  • format::AbstractString - Set shell output format, i.e, pretty, json
  • h2c::Bool - Enable H2C for HTTP listeners
  • history::AbstractString - Set path of history file
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • log_format::AbstractString - Set log format
  • log_level::AbstractString - Set log level
  • max_errors::AbstractString - Set the number of errors to allow before compilation fails early
  • mintlsversion::AbstractString - Set minimum TLS version to be used by OPA's server
  • pprof::Bool - Enables pprof endpoints
  • ready_timeout::AbstractString - Wait (in seconds) for configured plugins before starting server (value <= 0 disables ready check)
  • scope::AbstractString - Scope to use for bundle signature verification
  • server::Bool - Start the runtime in server mode
  • set::AbstractString - Override config values on the command line (use commas to specify multiple values)
  • set_file::AbstractString - Override config values with files on the command line (use commas to specify multiple values)
  • shutdowngraceperiod::AbstractString - Set the time (in seconds) that the server will wait to gracefully shut down
  • shutdownwaitperiod::AbstractString - Set the time (in seconds) that the server will wait before initiating shutdown
  • signing_alg::AbstractString - Name of the signing algorithm
  • skip_verify::Bool - Disables bundle signature verification
  • skipversioncheck::Bool - Disables anonymous version reporting (see: https://openpolicyagent.org/docs/latest/privacy)
  • tlscacert_file::AbstractString - Set path of TLS CA cert file
  • tlscertfile::AbstractString - Set path of TLS certificate file
  • tlscertrefresh_period::AbstractString - Set certificate refresh period
  • tlsprivatekey_file::AbstractString - Set path of TLS private key file
  • verification_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the public key (RSA and ECDSA)
  • verificationkeyid::AbstractString - Name assigned to the verification key used for bundle verification
  • watch::Bool - Watch command line files for changes
  • help::Bool - Help for run
source
OpenPolicyAgent.CLI.signFunction

sign Run the sign subcommand of opa command. Generate an OPA bundle signature

Options:

  • bundle::Bool - Load paths as bundle files or root directories
  • claims_file::AbstractString - Set path of JSON file containing optional claims (see: https://openpolicyagent.org/docs/latest/management/#signature-format)
  • outputfilepath::AbstractString - Set the location for the .signatures.json file
  • signing_alg::AbstractString - Name of the signing algorithm
  • signing_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)
  • signing_plugin::AbstractString - Name of the plugin to use for signing/verification (see https://openpolicyagent.org/docs/latest/management/#signature-plugin
  • help::Bool - Help for sign
source
OpenPolicyAgent.CLI.testFunction

test Run the test subcommand of opa command. Execute Rego test cases

Options:

  • bench::Bool - Benchmark the unit tests
  • benchmem::Bool - Report memory allocations with benchmark results
  • bundle::Bool - Load paths as bundle files or root directories
  • count::AbstractString - Number of times to repeat each test
  • coverage::Bool - Report coverage (overrides debug tracing)
  • exitzeroon_skipped::Bool - Skipped tests return status 0
  • explain::AbstractString - Enable query explanations
  • format::AbstractString - Set output format
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • max_errors::AbstractString - Set the number of errors to allow before compilation fails early
  • run::AbstractString - Run only test cases matching the regular expression
  • showfailureline::Bool - Show test failure line
  • target::AbstractString - Set the runtime to exercise
  • threshold::AbstractString - Set coverage threshold and exit with non-zero status if coverage is less than threshold %
  • timeout::AbstractString - Set test timeout (default 5s, 30s when benchmarking)
  • verbose::Bool - Set verbose reporting mode
  • help::Bool - Help for test
source
OpenPolicyAgent.CLI.benchFunction

bench Run the bench subcommand of opa command. Benchmark a Rego query

Options:

  • benchmem::Bool - Report memory allocations with benchmark results
  • bundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated
  • count::AbstractString - Number of times to repeat each benchmark
  • data::AbstractString - Set policy or data file(s). This flag can be repeated
  • fail::Bool - Exits with non-zero exit code on undefined/empty result and errors
  • format::AbstractString - Set output format
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • _import::AbstractString - Set query import(s). This flag can be repeated
  • input::AbstractString - Set input file path
  • metrics::Bool - Report query performance metrics
  • package::AbstractString - Set query package
  • partial::Bool - Perform partial evaluation
  • schema::AbstractString - Set schema file path or directory path
  • stdin::Bool - Read query from stdin
  • stdin_input::Bool - Read input document from stdin
  • target::AbstractString - Set the runtime to exercise
  • unknowns::AbstractString - Set paths to treat as unknown during partial evaluation
  • help::Bool - Help for bench
source

AST Walker

Missing docstring.

Missing docstring for OpenPolicyAgent.ASTWalker.Vistor. Check Documenter's build log for details.

OpenPolicyAgent.ASTWalker.walkFunction
walk(visitor, node)

Walks the AST rooted at node using the visitor. Calls before, visit and after methods of the visitor in sequence while walking the tree.

source
OpenPolicyAgent.ASTWalker.beforeFunction
before(visitor, node)

Called before visiting a node. The node that will be visited is passed as the second argument. Any preparatory work that needs to be done before visiting the node can be done here. Return value is ignored.

source
OpenPolicyAgent.ASTWalker.visitFunction
visit(visitor, node)

Called when visiting a node. The node that is being visited is passed as the second argument. The actual action to be performed when visiting a node must be implemented here. The visit method must also call walk on the visitor to visit the children of the node. The result must be stored in the visitor state. Return value is ignored.

source
OpenPolicyAgent.ASTWalker.afterFunction
after(visitor, node)

Called after visiting a node. The node that was visited is passed as the second argument. Any cleanup work that needs to be done after visiting the node can be done here. This is the last method called when visiting a node. Must return the result of visiting the node.

source

Included Visitors

OpenPolicyAgent.ASTWalker.AST.ASTVisitorType

Visitor that converts a partial compile result to a julia based AST. Must be used with ASTWalker.walk, providing the partial compile result as the node argument.

Output:

  • QuerySet: If the partial compile result contains queries, the output is a QuerySet containing the queries.
  • nothing: If the partial compile result does not contain queries, the output is nothing.

The output is returned from the walk method.

source
Missing docstring.

Missing docstring for OpenPolicyAgent.ASTWalker.SQL.SQLVisitor. Check Documenter's build log for details.

+)

A server that is monitored and restarted if it dies.

Arguments:

  • configfile: The path to the OPA configuration file.

Keyword arguments:

  • host: The host to bind to.
  • port: The port to bind to.
  • stdout: The stream or file to redirect stdout to.
  • stderr: The stream or file to redirect stderr to.
source
OpenPolicyAgent.Server.start!Function
start!(server::MonitoredOPAServer)

Starts the server. If the server is already started, an error is thrown. Monitors the server and restarts it if it dies.

source

CLI

OpenPolicyAgent.CLI.CommandLineType

CommandLine execution context.

exec: a no argument function that provides the base command to execute in a julia do block. cmdopts: keyword arguments that should be used to further customize the Cmd creation pipelineopts: keyword arguments that should be used to further customize the pipeline creation

source
OpenPolicyAgent.CLI.versionFunction

version Run the version subcommand of opa command. Print the version of OPA

Options:

  • check::Bool - Check for latest OPA release
  • help::Bool - Help for version
source
OpenPolicyAgent.CLI.buildFunction

build Run the build subcommand of opa command. Build an OPA bundle

Options:

  • bundle::Bool - Load paths as bundle files or root directories
  • capabilities::AbstractString - Set capabilities.json file path
  • claims_file::AbstractString - Set path of JSON file containing optional claims (see: https://openpolicyagent.org/docs/latest/management/#signature-format)
  • debug::Bool - Enable debug output
  • entrypoint::AbstractString - Set slash separated entrypoint path
  • excludefilesverify::AbstractString - Set file names to exclude during bundle verification
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • optimize::AbstractString - Set optimization level
  • output::AbstractString - Set the output filename
  • revision::AbstractString - Set output bundle revision
  • scope::AbstractString - Scope to use for bundle signature verification
  • signing_alg::AbstractString - Name of the signing algorithm
  • signing_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)
  • signing_plugin::AbstractString - Name of the plugin to use for signing/verification (see https://openpolicyagent.org/docs/latest/management/#signature-plugin
  • target::AbstractString - Set the output bundle target type
  • verification_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the public key (RSA and ECDSA)
  • verificationkeyid::AbstractString - Name assigned to the verification key used for bundle verification
  • help::Bool - Help for build
source
OpenPolicyAgent.CLI.checkFunction

check Run the check subcommand of opa command. Check Rego source files

Options:

  • bundle::Bool - Load paths as bundle files or root directories
  • capabilities::AbstractString - Set capabilities.json file path
  • format::AbstractString - Set output format
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • max_errors::AbstractString - Set the number of errors to allow before compilation fails early
  • schema::AbstractString - Set schema file path or directory path
  • strict::Bool - Enable compiler strict mode
  • help::Bool - Help for check
source
OpenPolicyAgent.CLI.completionFunction

completion Run the completion subcommand of opa command. Generate the autocompletion script for the specified shell

Options:

  • help::Bool - Help for completion
source
OpenPolicyAgent.CLI.depsFunction

deps Run the deps subcommand of opa command. Analyze Rego query dependencies

Options:

  • bundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated
  • data::AbstractString - Set policy or data file(s). This flag can be repeated
  • format::AbstractString - Set output format
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • help::Bool - Help for deps
source
OpenPolicyAgent.CLI.evalFunction

eval Run the eval subcommand of opa command. Evaluate a Rego query

Options:

  • bundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated
  • capabilities::AbstractString - Set capabilities.json file path
  • count::AbstractString - Number of times to repeat each benchmark
  • coverage::Bool - Report coverage
  • data::AbstractString - Set policy or data file(s). This flag can be repeated
  • disableearlyexit::Bool - Disable 'early exit' optimizations
  • disable_indexing::Bool - Disable indexing optimizations
  • disable_inlining::AbstractString - Set paths of documents to exclude from inlining
  • explain::AbstractString - Enable query explanations
  • fail::Bool - Exits with non-zero exit code on undefined/empty result and errors
  • fail_defined::Bool - Exits with non-zero exit code on defined/non-empty result and errors
  • format::AbstractString - Set output format
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • _import::AbstractString - Set query import(s). This flag can be repeated
  • input::AbstractString - Set input file path
  • instrument::Bool - Enable query instrumentation metrics (implies –metrics)
  • metrics::Bool - Report query performance metrics
  • package::AbstractString - Set query package
  • partial::Bool - Perform partial evaluation
  • pretty_limit::AbstractString - Set limit after which pretty output gets truncated
  • profile::Bool - Perform expression profiling
  • profile_limit::AbstractString - Set number of profiling results to show
  • profile_sort::AbstractString - Set sort order of expression profiler results
  • schema::AbstractString - Set schema file path or directory path
  • shallow_inlining::Bool - Disable inlining of rules that depend on unknowns
  • stdin::Bool - Read query from stdin
  • stdin_input::Bool - Read input document from stdin
  • strictbuiltinerrors::Bool - Treat built-in function errors as fatal
  • target::AbstractString - Set the runtime to exercise
  • timeout::AbstractString - Set eval timeout (default unlimited)
  • unknowns::AbstractString - Set paths to treat as unknown during partial evaluation
  • help::Bool - Help for eval
source
OpenPolicyAgent.CLI.execFunction

exec Run the exec subcommand of opa command. Execute against input files

Options:

  • bundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated
  • config_file::AbstractString - Set path of configuration file
  • decision::AbstractString - Set decision to evaluate
  • format::AbstractString - Set output format
  • log_format::AbstractString - Set log format
  • log_level::AbstractString - Set log level
  • set::AbstractString - Override config values on the command line (use commas to specify multiple values)
  • set_file::AbstractString - Override config values with files on the command line (use commas to specify multiple values)
  • help::Bool - Help for exec
source
OpenPolicyAgent.CLI.fmtFunction

fmt Run the fmt subcommand of opa command. Format Rego source files

Options:

  • diff::Bool - Only display a diff of the changes
  • fail::Bool - Non zero exit code on reformat
  • list::Bool - List all files who would change when formatted
  • write::Bool - Overwrite the original source file
  • help::Bool - Help for fmt
source
OpenPolicyAgent.CLI.inspectFunction

inspect Run the inspect subcommand of opa command. Inspect OPA bundle(s)

Options:

  • format::AbstractString - Set output format
  • help::Bool - Help for inspect
source
OpenPolicyAgent.CLI.parseFunction

parse Run the parse subcommand of opa command. Parse Rego source file

Options:

  • format::AbstractString - Set output format
  • help::Bool - Help for parse
source
OpenPolicyAgent.CLI.runFunction

run Run the run subcommand of opa command. Start OPA in interactive or server mode

Options:

  • addr::AbstractString - Set listening address of the server (e.g., [ip]:<port> for TCP, unix://<path> for UNIX domain socket)
  • authentication::AbstractString - Set authentication scheme
  • authorization::AbstractString - Set authorization scheme
  • bundle::Bool - Load paths as bundle files or root directories
  • config_file::AbstractString - Set path of configuration file
  • diagnostic_addr::AbstractString - Set read-only diagnostic listening address of the server for /health and /metric APIs (e.g., [ip]:<port> for TCP, unix://<path> for UNIX domain socket)
  • excludefilesverify::AbstractString - Set file names to exclude during bundle verification
  • format::AbstractString - Set shell output format, i.e, pretty, json
  • h2c::Bool - Enable H2C for HTTP listeners
  • history::AbstractString - Set path of history file
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • log_format::AbstractString - Set log format
  • log_level::AbstractString - Set log level
  • max_errors::AbstractString - Set the number of errors to allow before compilation fails early
  • mintlsversion::AbstractString - Set minimum TLS version to be used by OPA's server
  • pprof::Bool - Enables pprof endpoints
  • ready_timeout::AbstractString - Wait (in seconds) for configured plugins before starting server (value <= 0 disables ready check)
  • scope::AbstractString - Scope to use for bundle signature verification
  • server::Bool - Start the runtime in server mode
  • set::AbstractString - Override config values on the command line (use commas to specify multiple values)
  • set_file::AbstractString - Override config values with files on the command line (use commas to specify multiple values)
  • shutdowngraceperiod::AbstractString - Set the time (in seconds) that the server will wait to gracefully shut down
  • shutdownwaitperiod::AbstractString - Set the time (in seconds) that the server will wait before initiating shutdown
  • signing_alg::AbstractString - Name of the signing algorithm
  • skip_verify::Bool - Disables bundle signature verification
  • skipversioncheck::Bool - Disables anonymous version reporting (see: https://openpolicyagent.org/docs/latest/privacy)
  • tlscacert_file::AbstractString - Set path of TLS CA cert file
  • tlscertfile::AbstractString - Set path of TLS certificate file
  • tlscertrefresh_period::AbstractString - Set certificate refresh period
  • tlsprivatekey_file::AbstractString - Set path of TLS private key file
  • verification_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the public key (RSA and ECDSA)
  • verificationkeyid::AbstractString - Name assigned to the verification key used for bundle verification
  • watch::Bool - Watch command line files for changes
  • help::Bool - Help for run
source
OpenPolicyAgent.CLI.signFunction

sign Run the sign subcommand of opa command. Generate an OPA bundle signature

Options:

  • bundle::Bool - Load paths as bundle files or root directories
  • claims_file::AbstractString - Set path of JSON file containing optional claims (see: https://openpolicyagent.org/docs/latest/management/#signature-format)
  • outputfilepath::AbstractString - Set the location for the .signatures.json file
  • signing_alg::AbstractString - Name of the signing algorithm
  • signing_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)
  • signing_plugin::AbstractString - Name of the plugin to use for signing/verification (see https://openpolicyagent.org/docs/latest/management/#signature-plugin
  • help::Bool - Help for sign
source
OpenPolicyAgent.CLI.testFunction

test Run the test subcommand of opa command. Execute Rego test cases

Options:

  • bench::Bool - Benchmark the unit tests
  • benchmem::Bool - Report memory allocations with benchmark results
  • bundle::Bool - Load paths as bundle files or root directories
  • count::AbstractString - Number of times to repeat each test
  • coverage::Bool - Report coverage (overrides debug tracing)
  • exitzeroon_skipped::Bool - Skipped tests return status 0
  • explain::AbstractString - Enable query explanations
  • format::AbstractString - Set output format
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • max_errors::AbstractString - Set the number of errors to allow before compilation fails early
  • run::AbstractString - Run only test cases matching the regular expression
  • showfailureline::Bool - Show test failure line
  • target::AbstractString - Set the runtime to exercise
  • threshold::AbstractString - Set coverage threshold and exit with non-zero status if coverage is less than threshold %
  • timeout::AbstractString - Set test timeout (default 5s, 30s when benchmarking)
  • verbose::Bool - Set verbose reporting mode
  • help::Bool - Help for test
source
OpenPolicyAgent.CLI.benchFunction

bench Run the bench subcommand of opa command. Benchmark a Rego query

Options:

  • benchmem::Bool - Report memory allocations with benchmark results
  • bundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated
  • count::AbstractString - Number of times to repeat each benchmark
  • data::AbstractString - Set policy or data file(s). This flag can be repeated
  • fail::Bool - Exits with non-zero exit code on undefined/empty result and errors
  • format::AbstractString - Set output format
  • ignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)
  • _import::AbstractString - Set query import(s). This flag can be repeated
  • input::AbstractString - Set input file path
  • metrics::Bool - Report query performance metrics
  • package::AbstractString - Set query package
  • partial::Bool - Perform partial evaluation
  • schema::AbstractString - Set schema file path or directory path
  • stdin::Bool - Read query from stdin
  • stdin_input::Bool - Read input document from stdin
  • target::AbstractString - Set the runtime to exercise
  • unknowns::AbstractString - Set paths to treat as unknown during partial evaluation
  • help::Bool - Help for bench
source

AST Walker

Missing docstring.

Missing docstring for OpenPolicyAgent.ASTWalker.Vistor. Check Documenter's build log for details.

OpenPolicyAgent.ASTWalker.walkFunction
walk(visitor, node)

Walks the AST rooted at node using the visitor. Calls before, visit and after methods of the visitor in sequence while walking the tree.

source
OpenPolicyAgent.ASTWalker.beforeFunction
before(visitor, node)

Called before visiting a node. The node that will be visited is passed as the second argument. Any preparatory work that needs to be done before visiting the node can be done here. Return value is ignored.

source
OpenPolicyAgent.ASTWalker.visitFunction
visit(visitor, node)

Called when visiting a node. The node that is being visited is passed as the second argument. The actual action to be performed when visiting a node must be implemented here. The visit method must also call walk on the visitor to visit the children of the node. The result must be stored in the visitor state. Return value is ignored.

source
OpenPolicyAgent.ASTWalker.afterFunction
after(visitor, node)

Called after visiting a node. The node that was visited is passed as the second argument. Any cleanup work that needs to be done after visiting the node can be done here. This is the last method called when visiting a node. Must return the result of visiting the node.

source

Included Visitors

OpenPolicyAgent.ASTWalker.AST.ASTVisitorType

Visitor that converts a partial compile result to a julia based AST. Must be used with ASTWalker.walk, providing the partial compile result as the node argument.

Output:

  • QuerySet: If the partial compile result contains queries, the output is a QuerySet containing the queries.
  • nothing: If the partial compile result does not contain queries, the output is nothing.

The output is returned from the walk method.

source
OpenPolicyAgent.ASTWalker.SQL.SQLVisitorType
SQLVisitor

Visitor that converts an OPA partial compile AST to a SQL condition.

It requires two dictionaries to be passed in the constructor:

  • schema_map: maps OPA package names to database schema names
  • table_map: maps OPA rule names to database table names

Input to the visitor must be a partial compile result from OPA already converted to a julia representation using ASTWalker.AST.ASTVisitor. Walking the AST using this visitor will result in a SQL condition that can be appended to a SQL query using a where clause. Output, that is returned from the walk method, is an AbstractSQLCondition. It can be one of:

  • SQLCondition: represents a SQL condition. Contains the SQL string that represents the condition that can be used in the query with a "where" clause.
  • UnconditionalInclude: represents an unconditional include condition. Which means that the SQL query should return all rows.
  • UnconditionalExclude: represents an unconditional exclude condition. Which means that the SQL query should not return any rows.
source
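Review bot: The added side of this hunk still renders "Missing docstring for OpenPolicyAgent.ASTWalker.Vistor. Check Documenter's build log for details." under AST Walker, so the regenerated page resolves the SQLVisitor entry but not this one. The name looks like a misspelling of Visitor in the docs source; correcting it there should let Documenter resolve the entry. Three rendering problems in the same hunk are worth fixing in the docstrings before the next regeneration. The `signing_plugin` description under build and sign ends in an unclosed "(see https://openpolicyagent.org/docs/latest/management/#signature-plugin". The CommandLine description runs its three fields together ("... the Cmd creation pipelineopts: keyword arguments ...") and would read better as a list of exec, cmdopts and pipelineopts. The `instrument` description under eval shows "(implies –metrics)" with an en dash where the flag name belongs, which wrapping the flag in backticks in the docstring would avoid. Separately, `skip_verify` under run is documented only as "Disables bundle signature verification"; since that turns off the integrity check on loaded bundles, the wrapper's docstring could say that it defaults to off and is meant for local development.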
diff --git a/previews/PR10/search/index.html b/previews/PR10/search/index.html index 60541eb..3bd8cbc 100644 --- a/previews/PR10/search/index.html +++ b/previews/PR10/search/index.html @@ -1,2 +1,2 @@ -Search · OpenPolicyAgent.jl

Loading search...

    +Search · OpenPolicyAgent.jl

    Loading search...

      diff --git a/previews/PR10/search_index.js b/previews/PR10/search_index.js index 013b6f6..84a05db 100644 --- a/previews/PR10/search_index.js +++ b/previews/PR10/search_index.js 
@@ -1,3 +1,3 @@ var documenterSearchIndex = {"docs": -[{"location":"ast_walker/#AST-Walker","page":"AST Walker","title":"AST Walker","text":"","category":"section"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"OPA has a feature called partial evaluation which has several interesting applications. With partial evaluation, callers specify that certain inputs or pieces of data are unknown. OPA evaluates as much of the policy as possible without touching parts that depend on unknown values. The result of partial evaluation is a new policy that can be evaluated more efficiently than the original. The new policy is returned to the caller as an AST.","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"The returned AST thus represents a strategy, rather than a result. It may be cached and reused. It may also be converted to other forms, e.g. a SQL query condition, or elastic search query.","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"The ASTWalker module provides a framework to traverse the AST returned from a partial evaluattion. It specifies a Visitor interface that callers can implement to perform custom operations on the AST. The ASTWalker module also provides a default implementation of the Visitor interface that can be used to perform common operations on the AST.","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"Included in the ASTWalker module are implementations of the Visitor interface that can be used to:","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"Create a easy to use Julia representation of the AST. This is provided by the ASTWalker.AST.ASTVisitor type.\nCreate a SQL query condition from the Julia representation of the AST. 
This is provided by the ASTWalker.SQL.SQLVisitor type.","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"An example of how it can be used is shown below:","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"import OpenPolicyAgent: ASTWalker\nimport OpenPolicyAgent.ASTWalker: AST, SQL\nimport OpenPolicyAgent.ASTWalker.AST: ASTVisitor\nimport OpenPolicyAgent.ASTWalker.SQL: SQLVisitor, SQLCondition, UnconditionalInclude, UnconditionalExclude\n\n# invoke the partial evaluation endpoint\npartial_query_schema = OpenPolicyAgent.Client.PartialQuerySchema(; ...)\nresponse, _http_resp = OpenPolicyAgent.Client.post_compile(\n compile_client;\n partial_query_schema = partial_query_schema,\n)\n\n# crete a Julia representation of the AST\nast = OpenPolicyAgent.ASTWalker.walk(ASTVisitor(), result)\n\n# Provide a mapping of schema names and table names that can be used to convert policy paths to SQL table names\nconst SCHEMA_MAP = Dict{String, String}(\n \"data\" => \"public\",\n \"public\" => \"public\",\n)\n\nconst TABLE_MAP = Dict{String, String}(\n \"reports\" => \"juliahub_reports\",\n)\n\n# create a SQL query condition from the AST\nsqlvisitor = SQLVisitor(SCHEMA_MAP, TABLE_MAP)\nsqlcondition = OpenPolicyAgent.ASTWalker.walk(sqlvisitor, ast)\n\n# sql condition should be a SQLCondition object\nif isa(sqlcondition, UnconditionalExclude)\n # all rows should be excluded\nelseif isa(sqlcondition, UnconditionalInclude)\n # all rows should be included\nelse\n # `sqlcondition.sql` contains a string with the SQL query condition\nend","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"More details of AST walker, and the included visitors can be found in the reference documentation.","category":"page"},{"location":"client/#OPA-Client","page":"Client","title":"OPA 
Client","text":"","category":"section"},{"location":"client/","page":"Client","title":"Client","text":"OPA exposes domain-agnostic APIs that your service can call to manage and enforce policies. Read this page if you want to integrate an application, service, or tool with OPA. The REST APIs are grouped into the following categories:","category":"page"},{"location":"client/","page":"Client","title":"Client","text":"Policy API - manage policy loaded into the OPA instance.\nData API - evaluate rules and retrieve data.\nQuery API - execute adhoc queries.\nCompile API - access Rego’s Partial Evaluation functionality.\nHealth API - access instance operational health information.\nConfig API - view instance configuration.\nStatus API - view instance status state.","category":"page"},{"location":"client/","page":"Client","title":"Client","text":"The OpenPolicyAgent.Client module includes methods to help interact with the OPA server using the OpenAPI client.","category":"page"},{"location":"client/","page":"Client","title":"Client","text":"opa_client = OpenPolicyAgent.Client.DataApi(openapi_client)\n\nresponse, _http_resp = OpenPolicyAgent.Client.get_document(\n opa_client,\n \"policies/server/rest/allowed\"\n);\n@test response.result == false","category":"page"},{"location":"client/","page":"Client","title":"Client","text":"Complete reference is available in the Reference section.","category":"page"},{"location":"client/","page":"Client","title":"Client","text":"OpenAPI API Documents also give more details on the API methods.","category":"page"},{"location":"server/#OPA-Server","page":"Server","title":"OPA Server","text":"","category":"section"},{"location":"server/","page":"Server","title":"Server","text":"The OPA (Open Policy Agent) server is a critical component of the OPA ecosystem, serving as a central policy decision point. It's a standalone service that evaluates policies written in the Rego language and makes access control decisions based on those policies. 
The OPA server allows for efficient policy enforcement across various parts of a software stack, including microservices, APIs, and cloud infrastructure. It receives policy queries, typically in the form of JSON or structured data, and returns decisions, enabling fine-grained control over authorization and compliance. With its ability to scale and distribute policy evaluations, the OPA server plays a crucial role in ensuring consistent and dynamic policy enforcement in complex, modern, and cloud-native environments, enhancing security and governance across the entire system.","category":"page"},{"location":"server/","page":"Server","title":"Server","text":"The OpenPolicyAgent.Server module includes methods to help start the OPA server, monitor it for failures, and restart when required.","category":"page"},{"location":"server/","page":"Server","title":"Server","text":"function start_opa_server(root_path)\n opa_server = OpenPolicyAgent.Server.MonitoredOPAServer(\n joinpath(root_path, \"config.yaml\"),\n stdout = joinpath(root_path, \"server.stdout\"),\n stderr = joinpath(root_path, \"server.stderr\"),\n )\n OpenPolicyAgent.Server.start!(opa_server)\n return opa_server\nend\n\nstart_opa_server(\"/tmp/opaserver\")","category":"page"},{"location":"server/","page":"Server","title":"Server","text":"Complete reference is available in the Reference section.","category":"page"},{"location":"reference/","page":"Reference","title":"Reference","text":"Pages = [\"reference.md\"]\nDepth = 3","category":"page"},{"location":"reference/","page":"Reference","title":"Reference","text":"CurrentModule = OpenPolicyAgent","category":"page"},{"location":"reference/#API-Reference","page":"Reference","title":"API 
Reference","text":"","category":"section"},{"location":"reference/#Client","page":"Reference","title":"Client","text":"","category":"section"},{"location":"reference/#PolicyApi","page":"Reference","title":"PolicyApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.get_policies\nOpenPolicyAgent.Client.get_policy_module\nOpenPolicyAgent.Client.put_policy_module\nOpenPolicyAgent.Client.delete_policy_module","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.get_policies","page":"Reference","title":"OpenPolicyAgent.Client.get_policies","text":"List policies\n\nThis API endpoint responds with a list of all policy modules on the server (result response)\n\nParams:\n\npretty::Bool\n\nReturn: GetPolicyListSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.get_policy_module","page":"Reference","title":"OpenPolicyAgent.Client.get_policy_module","text":"Get a policy module\n\nThis API endpoint returns the details of the specified policy module ({id})\n\nParams:\n\nid::String (required)\npretty::Bool\n\nReturn: GetPolicyModuleSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.put_policy_module","page":"Reference","title":"OpenPolicyAgent.Client.put_policy_module","text":"Create or update a policy module\n\nIf the policy module does not exist, it is created. - If the policy module already exists, it is replaced. If the policy module isn't correctly defined, a bad request (400) response is returned. 
### Example policy module yaml package opa.examples import data.servers import data.networks import data.ports public_servers[server] { some k, m server := servers[_] server.ports[_] == ports[k].id ports[k].networks[_] == networks[m].id networks[m].public == true }\n\nParams:\n\nid::String (required)\nbody::String (required)\npretty::Bool\nmetrics::Bool\n\nReturn: PutPolicySuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.delete_policy_module","page":"Reference","title":"OpenPolicyAgent.Client.delete_policy_module","text":"Delete a policy module\n\nThis API endpoint removes an existing policy module from the server\n\nParams:\n\nid::String (required)\npretty::Bool\nmetrics::Bool\n\nReturn: Nothing, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#DataApi","page":"Reference","title":"DataApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.get_document\nOpenPolicyAgent.Client.get_document_with_path\nOpenPolicyAgent.Client.get_document_from_webhook\nOpenPolicyAgent.Client.create_document\nOpenPolicyAgent.Client.patch_document\nOpenPolicyAgent.Client.delete_document","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.get_document","page":"Reference","title":"OpenPolicyAgent.Client.get_document","text":"Get a document\n\nThis API endpoint returns the document specified by path. The path separator is used to access values inside object and array documents. If the path indexes into an array, the server will attempt to convert the array index to an integer. If the path element cannot be converted to an integer, the server will respond with 404. 
The server will return a bad request (400) response if either: - The query requires an input document and you do not provide it - You provide the input document but the query has already defined it.\n\nParams:\n\npath::String (required)\ninput::Dict{String, Any}\npretty::Bool\nprovenance::Bool\nexplain::String\nmetrics::Bool\ninstrument::Bool\nstrictbuiltinerrors::Bool\n\nReturn: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.get_document_with_path","page":"Reference","title":"OpenPolicyAgent.Client.get_document_with_path","text":"Get a document that required an input\n\nThe request body contains an object that specifies a value for the input document. The path separator is used to access values inside object and array documents. If the path indexes into an array, the server will attempt to convert the array index to an integer. If the path element cannot be converted to an integer, the server will respond with 404. The server will return a bad request (400) response if either: - The query requires an input document and you do not provide it - You provided an input document but the query has already defined it.\n\nParams:\n\npath::String (required)\nrequest_body::Dict{String, Any} (required)\npretty::Bool\nprovenance::Bool\nexplain::String\nmetrics::Bool\ninstrument::Bool\nstrictbuiltinerrors::Bool\n\nReturn: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.get_document_from_webhook","page":"Reference","title":"OpenPolicyAgent.Client.get_document_from_webhook","text":"Get a document from a webhook.\n\nUse this API if you are enforcing policy decisions via webhooks that have pre-defined request/response formats. Note, the API path prefix is /v0 instead of /v1. The request message body defines the content of the The input Document. The request message body may be empty. 
The path separator is used to access values inside object and array documents.\n\nParams:\n\npath::String (required)\nrequest_body::Dict{String, Any} (required)\npretty::Bool\n\nReturn: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.create_document","page":"Reference","title":"OpenPolicyAgent.Client.create_document","text":"Create or overwrite a document.\n\nIf the path does not refer to an existing document, the server will attempt to create all of the necessary containing documents. This behavior is similar in principle to the Unix command mkdir -p. The server will respect the If-None-Match header if it is set to *. In this case, the server will not overwrite an existing document located at the path.\n\nParams:\n\npath::String (required)\nrequest_body::Dict{String, Any} (required)\nmetrics::Bool\n\nReturn: CreateDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.patch_document","page":"Reference","title":"OpenPolicyAgent.Client.patch_document","text":"Patch a document\n\nUpdate a document. 
The patch operation is specified in the request body.\n\nParams:\n\npath::String (required)\npatch_operation::Vector{PatchOperation} (required)\n\nReturn: Nothing, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.delete_document","page":"Reference","title":"OpenPolicyAgent.Client.delete_document","text":"Delete a document\n\nThe server processes the DELETE method as if the client had sent a PATCH request containing a single remove operation.\n\nParams:\n\npath::String (required)\nmetrics::Bool\n\nReturn: DeleteDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#QueryApi","page":"Reference","title":"QueryApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.query_get\nOpenPolicyAgent.Client.query_post\nOpenPolicyAgent.Client.simple_query","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.query_get","page":"Reference","title":"OpenPolicyAgent.Client.query_get","text":"Execute an ad-hoc query and return bindings for variables found in the query.\n\nFor queries that have large JSON values it is recommended to use the POST method with the query included as the POST body\n\nParams:\n\nq::String (required)\npretty::Bool\nexplain::String\nmetrics::Bool\n\nReturn: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.query_post","page":"Reference","title":"OpenPolicyAgent.Client.query_post","text":"Execute an ad-hoc query and return bindings for variables found in the query.\n\nQuery included as the POST body. E.g.: { \"query\": \"input.servers[i].ports[_] = \\\"p2\\\"; input.servers[i].name = name\", \"input\": { \"servers\": [ ... 
], } }\n\nParams:\n\nqueryparameterpost::QueryParameterPost (required)\npretty::Bool\nexplain::String\nmetrics::Bool\n\nReturn: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.simple_query","page":"Reference","title":"OpenPolicyAgent.Client.simple_query","text":"Execute a simple query.\n\nOPA serves POST requests without a URL path by querying for the document at path /data/system/main. The content of that document defines the response entirely.\n\nParams:\n\nrequest_body::Dict{String, Any} (required)\npretty::Bool\n\nReturn: Dict{String, Any}, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#CompileApi","page":"Reference","title":"CompileApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.post_compile","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.post_compile","page":"Reference","title":"OpenPolicyAgent.Client.post_compile","text":"Partially evaluate a query.\n\nThe Compile API allows you to partially evaluate Rego queries and obtain a simplified version of the policy. This is most useful when building integrations where policy logic is to be translated and evaluated in another environment.
      For example, this post on the OPA blog shows how SQL can be generated based on Compile API output. For more details on Partial Evaluation in OPA, please refer to this blog post.
      The example below assumes that OPA has been given the following policy (use PUT /v1/policies/{path}):
       package example allow {   input.subject.clearancelevel >= data.reports[].clearancelevel } 

      Compile API request body so that it contain the following fields:
      FieldTypeRequiredDescription
      querystringYesThe query to partially evaluate and compile.
      inputanyNoThe input document to use during partial evaluation (default: undefined).
      optionsobject[string, any]NoAdditional options to use during partial evaluation. Only disableInlining option is supported. (default: undefined).
      unknownsarray[string]NoThe terms to treat as unknown during partial evaluation (default: [\"input\"]]).

      For example:
      { \"query\": \"data.example.allow == true\", \"input\": { \"subject\": { \"clearancelevel\": 4 } }, \"unknowns\": [ \"data.reports\" ] }
      Unconditional Results from Partial Evaluation When you partially evaluate a query with the Compile API, OPA returns a new set of queries and supporting policies. However, in some cases, the result of Partial Evaluation is a conclusive, unconditional answer.
      See the guidance for details.\n\nParams:\n\npretty::Bool\nexplain::String\nmetrics::Bool\ninstrument::Bool\npartialqueryschema::PartialQuerySchema\n\nReturn: CompileSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#HealthApi","page":"Reference","title":"HealthApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.get_health","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.get_health","page":"Reference","title":"OpenPolicyAgent.Client.get_health","text":"Health\n\nThis API endpoint verifies that the server is operational. The response from the server is either 200 or 500: - 200 - OPA service is healthy. If bundles is true, then all configured bundles have been activated. If plugins is true, then all plugins are in an 'OK' state. - 500 - OPA service is not healthy. If bundles is true, at least one of configured bundles has not yet been activated. If plugins is true, at least one plugins is in a 'not OK' state. –- Note This check is only for initial bundle activation. Subsequent downloads will not affect the health check. Use the status endpoint (in the (management API)[management.html]) for more fine-grained bundle status monitoring. –-\n\nParams:\n\nbundles::Bool\nplugins::Bool\nexclude_plugin::String\n\nReturn: Nothing, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#ConfigApi","page":"Reference","title":"ConfigApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.get_config","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.get_config","page":"Reference","title":"OpenPolicyAgent.Client.get_config","text":"Get configurations\n\nThe /config API endpoint returns OPA's active configuration. 
When the discovery feature is enabled, this API can be used to fetch the discovered configuration in the last evaluated discovery bundle. The credentials field in the Services configuration and the private_key and key fields in the Keys configuration will be omitted from the API response.\n\nParams:\n\npretty::Bool\n\nReturn: Dict{String, Any}, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#StatusApi","page":"Reference","title":"StatusApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.get_status","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.get_status","page":"Reference","title":"OpenPolicyAgent.Client.get_status","text":"Get status\n\nThe /status API endpoint returns the status of the OPA server. This includes the status of the bundles and plugins.\n\nParams:\n\npretty::Bool\n\nReturn: Dict{String, Any}, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#Server","page":"Reference","title":"Server","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Server.MonitoredOPAServer\nOpenPolicyAgent.Server.start!\nOpenPolicyAgent.Server.stop!","category":"page"},{"location":"reference/#OpenPolicyAgent.Server.MonitoredOPAServer","page":"Reference","title":"OpenPolicyAgent.Server.MonitoredOPAServer","text":"MonitoredOPAServer(configfile::String;\n host::String = \"localhost\",\n port::Int = DEFAULT_PORT,\n stdout = nothing,\n stderr = nothing,\n)\n\nA server that is monitored and restarted if it dies.\n\nArguments:\n\nconfigfile: The path to the OPA configuration file.\n\nKeyword arguments:\n\nhost: The host to bind to.\nport: The port to bind to.\nstdout: The stream or file to redirect stdout to.\nstderr: The stream or file to redirect stderr 
to.\n\n\n\n\n\n","category":"type"},{"location":"reference/#OpenPolicyAgent.Server.start!","page":"Reference","title":"OpenPolicyAgent.Server.start!","text":"start!(server::MonitoredOPAServer)\n\nStarts the server. If the server is already started, an error is thrown. Monitors the server and restarts it if it dies.\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Server.stop!","page":"Reference","title":"OpenPolicyAgent.Server.stop!","text":"stop!(server::MonitoredOPAServer)\n\nStops the server. If the server is not started, an error is thrown.\n\n\n\n\n\n","category":"function"},{"location":"reference/#CLI","page":"Reference","title":"CLI","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.CLI.CommandLine\nOpenPolicyAgent.CLI.opa\nOpenPolicyAgent.CLI.help\nOpenPolicyAgent.CLI.version\nOpenPolicyAgent.CLI.build\nOpenPolicyAgent.CLI.check\nOpenPolicyAgent.CLI.completion\nOpenPolicyAgent.CLI.deps\nOpenPolicyAgent.CLI.eval\nOpenPolicyAgent.CLI.exec\nOpenPolicyAgent.CLI.fmt\nOpenPolicyAgent.CLI.inspect\nOpenPolicyAgent.CLI.parse\nOpenPolicyAgent.CLI.run\nOpenPolicyAgent.CLI.sign\nOpenPolicyAgent.CLI.test\nOpenPolicyAgent.CLI.bench","category":"page"},{"location":"reference/#OpenPolicyAgent.CLI.CommandLine","page":"Reference","title":"OpenPolicyAgent.CLI.CommandLine","text":"CommandLine execution context.\n\nexec: a no argument function that provides the base command to execute in a julia do block. cmdopts: keyword arguments that should be used to further customize the Cmd creation pipelineopts: keyword arguments that should be used to further customize the pipeline creation\n\n\n\n\n\n","category":"type"},{"location":"reference/#OpenPolicyAgent.CLI.opa","page":"Reference","title":"OpenPolicyAgent.CLI.opa","text":"opa Run the opa command. 
Open Policy Agent (OPA)\n\nOptions:\n\nhelp::Bool - Help for opa\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.help","page":"Reference","title":"OpenPolicyAgent.CLI.help","text":"help Run the help subcommand of opa command. Help about any command\n\nOptions:\n\nhelp::Bool - Help for help\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.version","page":"Reference","title":"OpenPolicyAgent.CLI.version","text":"version Run the version subcommand of opa command. Print the version of OPA\n\nOptions:\n\ncheck::Bool - Check for latest OPA release\nhelp::Bool - Help for version\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.build","page":"Reference","title":"OpenPolicyAgent.CLI.build","text":"build Run the build subcommand of opa command. Build an OPA bundle\n\nOptions:\n\nbundle::Bool - Load paths as bundle files or root directories\ncapabilities::AbstractString - Set capabilities.json file path\nclaims_file::AbstractString - Set path of JSON file containing optional claims (see: https://openpolicyagent.org/docs/latest/management/#signature-format)\ndebug::Bool - Enable debug output\nentrypoint::AbstractString - Set slash separated entrypoint path\nexcludefilesverify::AbstractString - Set file names to exclude during bundle verification\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\noptimize::AbstractString - Set optimization level\noutput::AbstractString - Set the output filename\nrevision::AbstractString - Set output bundle revision\nscope::AbstractString - Scope to use for bundle signature verification\nsigning_alg::AbstractString - Name of the signing algorithm\nsigning_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)\nsigning_plugin::AbstractString - Name of the plugin to use for signing/verification (see 
https://openpolicyagent.org/docs/latest/management/#signature-plugin\ntarget::AbstractString - Set the output bundle target type\nverification_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the public key (RSA and ECDSA)\nverificationkeyid::AbstractString - Name assigned to the verification key used for bundle verification\nhelp::Bool - Help for build\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.check","page":"Reference","title":"OpenPolicyAgent.CLI.check","text":"check Run the check subcommand of opa command. Check Rego source files\n\nOptions:\n\nbundle::Bool - Load paths as bundle files or root directories\ncapabilities::AbstractString - Set capabilities.json file path\nformat::AbstractString - Set output format\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\nmax_errors::AbstractString - Set the number of errors to allow before compilation fails early\nschema::AbstractString - Set schema file path or directory path\nstrict::Bool - Enable compiler strict mode\nhelp::Bool - Help for check\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.completion","page":"Reference","title":"OpenPolicyAgent.CLI.completion","text":"completion Run the completion subcommand of opa command. Generate the autocompletion script for the specified shell\n\nOptions:\n\nhelp::Bool - Help for completion\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.deps","page":"Reference","title":"OpenPolicyAgent.CLI.deps","text":"deps Run the deps subcommand of opa command. Analyze Rego query dependencies\n\nOptions:\n\nbundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated\ndata::AbstractString - Set policy or data file(s). 
This flag can be repeated\nformat::AbstractString - Set output format\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\nhelp::Bool - Help for deps\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.eval","page":"Reference","title":"OpenPolicyAgent.CLI.eval","text":"eval Run the eval subcommand of opa command. Evaluate a Rego query\n\nOptions:\n\nbundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated\ncapabilities::AbstractString - Set capabilities.json file path\ncount::AbstractString - Number of times to repeat each benchmark\ncoverage::Bool - Report coverage\ndata::AbstractString - Set policy or data file(s). This flag can be repeated\ndisableearlyexit::Bool - Disable 'early exit' optimizations\ndisable_indexing::Bool - Disable indexing optimizations\ndisable_inlining::AbstractString - Set paths of documents to exclude from inlining\nexplain::AbstractString - Enable query explanations\nfail::Bool - Exits with non-zero exit code on undefined/empty result and errors\nfail_defined::Bool - Exits with non-zero exit code on defined/non-empty result and errors\nformat::AbstractString - Set output format\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\n_import::AbstractString - Set query import(s). 
This flag can be repeated\ninput::AbstractString - Set input file path\ninstrument::Bool - Enable query instrumentation metrics (implies –metrics)\nmetrics::Bool - Report query performance metrics\npackage::AbstractString - Set query package\npartial::Bool - Perform partial evaluation\npretty_limit::AbstractString - Set limit after which pretty output gets truncated\nprofile::Bool - Perform expression profiling\nprofile_limit::AbstractString - Set number of profiling results to show\nprofile_sort::AbstractString - Set sort order of expression profiler results\nschema::AbstractString - Set schema file path or directory path\nshallow_inlining::Bool - Disable inlining of rules that depend on unknowns\nstdin::Bool - Read query from stdin\nstdin_input::Bool - Read input document from stdin\nstrictbuiltinerrors::Bool - Treat built-in function errors as fatal\ntarget::AbstractString - Set the runtime to exercise\ntimeout::AbstractString - Set eval timeout (default unlimited)\nunknowns::AbstractString - Set paths to treat as unknown during partial evaluation\nhelp::Bool - Help for eval\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.exec","page":"Reference","title":"OpenPolicyAgent.CLI.exec","text":"exec Run the exec subcommand of opa command. Execute against input files\n\nOptions:\n\nbundle::AbstractString - Set bundle file(s) or directory path(s). 
This flag can be repeated\nconfig_file::AbstractString - Set path of configuration file\ndecision::AbstractString - Set decision to evaluate\nformat::AbstractString - Set output format\nlog_format::AbstractString - Set log format\nlog_level::AbstractString - Set log level\nset::AbstractString - Override config values on the command line (use commas to specify multiple values)\nset_file::AbstractString - Override config values with files on the command line (use commas to specify multiple values)\nhelp::Bool - Help for exec\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.fmt","page":"Reference","title":"OpenPolicyAgent.CLI.fmt","text":"fmt Run the fmt subcommand of opa command. Format Rego source files\n\nOptions:\n\ndiff::Bool - Only display a diff of the changes\nfail::Bool - Non zero exit code on reformat\nlist::Bool - List all files who would change when formatted\nwrite::Bool - Overwrite the original source file\nhelp::Bool - Help for fmt\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.inspect","page":"Reference","title":"OpenPolicyAgent.CLI.inspect","text":"inspect Run the inspect subcommand of opa command. Inspect OPA bundle(s)\n\nOptions:\n\nformat::AbstractString - Set output format\nhelp::Bool - Help for inspect\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.parse","page":"Reference","title":"OpenPolicyAgent.CLI.parse","text":"parse Run the parse subcommand of opa command. Parse Rego source file\n\nOptions:\n\nformat::AbstractString - Set output format\nhelp::Bool - Help for parse\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.run","page":"Reference","title":"OpenPolicyAgent.CLI.run","text":"run Run the run subcommand of opa command. 
Start OPA in interactive or server mode\n\nOptions:\n\naddr::AbstractString - Set listening address of the server (e.g., [ip]: for TCP, unix:// for UNIX domain socket)\nauthentication::AbstractString - Set authentication scheme\nauthorization::AbstractString - Set authorization scheme\nbundle::Bool - Load paths as bundle files or root directories\nconfig_file::AbstractString - Set path of configuration file\ndiagnostic_addr::AbstractString - Set read-only diagnostic listening address of the server for /health and /metric APIs (e.g., [ip]: for TCP, unix:// for UNIX domain socket)\nexcludefilesverify::AbstractString - Set file names to exclude during bundle verification\nformat::AbstractString - Set shell output format, i.e, pretty, json\nh2c::Bool - Enable H2C for HTTP listeners\nhistory::AbstractString - Set path of history file\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\nlog_format::AbstractString - Set log format\nlog_level::AbstractString - Set log level\nmax_errors::AbstractString - Set the number of errors to allow before compilation fails early\nmintlsversion::AbstractString - Set minimum TLS version to be used by OPA's server\npprof::Bool - Enables pprof endpoints\nready_timeout::AbstractString - Wait (in seconds) for configured plugins before starting server (value <= 0 disables ready check)\nscope::AbstractString - Scope to use for bundle signature verification\nserver::Bool - Start the runtime in server mode\nset::AbstractString - Override config values on the command line (use commas to specify multiple values)\nset_file::AbstractString - Override config values with files on the command line (use commas to specify multiple values)\nshutdowngraceperiod::AbstractString - Set the time (in seconds) that the server will wait to gracefully shut down\nshutdownwaitperiod::AbstractString - Set the time (in seconds) that the server will wait before initiating 
shutdown\nsigning_alg::AbstractString - Name of the signing algorithm\nskip_verify::Bool - Disables bundle signature verification\nskipversioncheck::Bool - Disables anonymous version reporting (see: https://openpolicyagent.org/docs/latest/privacy)\ntlscacert_file::AbstractString - Set path of TLS CA cert file\ntlscertfile::AbstractString - Set path of TLS certificate file\ntlscertrefresh_period::AbstractString - Set certificate refresh period\ntlsprivatekey_file::AbstractString - Set path of TLS private key file\nverification_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the public key (RSA and ECDSA)\nverificationkeyid::AbstractString - Name assigned to the verification key used for bundle verification\nwatch::Bool - Watch command line files for changes\nhelp::Bool - Help for run\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.sign","page":"Reference","title":"OpenPolicyAgent.CLI.sign","text":"sign Run the sign subcommand of opa command. Generate an OPA bundle signature\n\nOptions:\n\nbundle::Bool - Load paths as bundle files or root directories\nclaims_file::AbstractString - Set path of JSON file containing optional claims (see: https://openpolicyagent.org/docs/latest/management/#signature-format)\noutputfilepath::AbstractString - Set the location for the .signatures.json file\nsigning_alg::AbstractString - Name of the signing algorithm\nsigning_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)\nsigning_plugin::AbstractString - Name of the plugin to use for signing/verification (see https://openpolicyagent.org/docs/latest/management/#signature-plugin\nhelp::Bool - Help for sign\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.test","page":"Reference","title":"OpenPolicyAgent.CLI.test","text":"test Run the test subcommand of opa command. 
Execute Rego test cases\n\nOptions:\n\nbench::Bool - Benchmark the unit tests\nbenchmem::Bool - Report memory allocations with benchmark results\nbundle::Bool - Load paths as bundle files or root directories\ncount::AbstractString - Number of times to repeat each test\ncoverage::Bool - Report coverage (overrides debug tracing)\nexitzeroon_skipped::Bool - Skipped tests return status 0\nexplain::AbstractString - Enable query explanations\nformat::AbstractString - Set output format\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\nmax_errors::AbstractString - Set the number of errors to allow before compilation fails early\nrun::AbstractString - Run only test cases matching the regular expression\nshowfailureline::Bool - Show test failure line\ntarget::AbstractString - Set the runtime to exercise\nthreshold::AbstractString - Set coverage threshold and exit with non-zero status if coverage is less than threshold %\ntimeout::AbstractString - Set test timeout (default 5s, 30s when benchmarking)\nverbose::Bool - Set verbose reporting mode\nhelp::Bool - Help for test\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.bench","page":"Reference","title":"OpenPolicyAgent.CLI.bench","text":"bench Run the bench subcommand of opa command. Benchmark a Rego query\n\nOptions:\n\nbenchmem::Bool - Report memory allocations with benchmark results\nbundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated\ncount::AbstractString - Number of times to repeat each benchmark\ndata::AbstractString - Set policy or data file(s). This flag can be repeated\nfail::Bool - Exits with non-zero exit code on undefined/empty result and errors\nformat::AbstractString - Set output format\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\n_import::AbstractString - Set query import(s). 
This flag can be repeated\ninput::AbstractString - Set input file path\nmetrics::Bool - Report query performance metrics\npackage::AbstractString - Set query package\npartial::Bool - Perform partial evaluation\nschema::AbstractString - Set schema file path or directory path\nstdin::Bool - Read query from stdin\nstdin_input::Bool - Read input document from stdin\ntarget::AbstractString - Set the runtime to exercise\nunknowns::AbstractString - Set paths to treat as unknown during partial evaluation\nhelp::Bool - Help for bench\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#AST-Walker","page":"Reference","title":"AST Walker","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.ASTWalker.Vistor\nOpenPolicyAgent.ASTWalker.walk\nOpenPolicyAgent.ASTWalker.before\nOpenPolicyAgent.ASTWalker.visit\nOpenPolicyAgent.ASTWalker.after","category":"page"},{"location":"reference/#OpenPolicyAgent.ASTWalker.walk","page":"Reference","title":"OpenPolicyAgent.ASTWalker.walk","text":"walk(visitor, node)\n\nWalks the AST rooted at node using the visitor. Calls before, visit and after methods of the visitor in sequence while walking the tree.\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.ASTWalker.before","page":"Reference","title":"OpenPolicyAgent.ASTWalker.before","text":"before(visitor, node)\n\nCalled before visiting a node. The node that will be visited is passed as the second argument. Any preparatory work that needs to be done before visiting the node can be done here. Return value is ignored.\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.ASTWalker.visit","page":"Reference","title":"OpenPolicyAgent.ASTWalker.visit","text":"visit(visitor, node)\n\nCalled when visiting a node. The node that is being visited is passed as the second argument. The actual action to be performed when visiting a node must be implemented here. 
The visit method must also call walk on the visitor to visit the children of the node. The result must be stored in the visitor state. Return value is ignored.\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.ASTWalker.after","page":"Reference","title":"OpenPolicyAgent.ASTWalker.after","text":"after(visitor, node)\n\nCalled after visiting a node. The node that was visited is passed as the second argument. Any cleanup work that needs to be done after visiting the node can be done here. This is the last method called when visiting a node. Must return the result of visiting the node.\n\n\n\n\n\n","category":"function"},{"location":"reference/#Included-Visitors","page":"Reference","title":"Included Visitors","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.ASTWalker.AST.ASTVisitor\nOpenPolicyAgent.ASTWalker.SQL.SQLVisitor","category":"page"},{"location":"reference/#OpenPolicyAgent.ASTWalker.AST.ASTVisitor","page":"Reference","title":"OpenPolicyAgent.ASTWalker.AST.ASTVisitor","text":"Visitor that converts a partial compile result to a julia based AST. Must be used with ASTWalker.walk, providing the partial compile result as the node argument.\n\nOutput:\n\nQuerySet: If the partial compile result contains queries, the output is a QuerySet containing the queries.\nnothing: If the partial compile result does not contain queries, the output is nothing.\n\nThe output is returned from the walk method.\n\n\n\n\n\n","category":"type"},{"location":"commandline/#OPA-Command-Line","page":"Command Line","title":"OPA Command Line","text":"","category":"section"},{"location":"commandline/","page":"Command Line","title":"Command Line","text":"The OPA (Open Policy Agent) command-line tool is a versatile utility that empowers users to interact with and manage OPA policies and data. 
It allows users to perform various tasks, such as evaluating policies, testing Rego expressions, and querying data, all from the command line. This tool is invaluable for policy development, debugging, and troubleshooting, providing an accessible way to work with OPA without the need for complex integration. It's an essential companion for developers and administrators working with OPA, simplifying the process of authoring, testing, and refining policies to ensure robust and consistent policy enforcement across software systems.","category":"page"},{"location":"commandline/","page":"Command Line","title":"Command Line","text":"The OPA command line is made available in the OpenPolicyAgent.CLI module. To use, import the module. E.g.:","category":"page"},{"location":"commandline/","page":"Command Line","title":"Command Line","text":"julia> using OpenPolicyAgent\n\njulia> import OpenPolicyAgent: CLI\n\njulia> ctx = CLI.CommandLine();\n\njulia> CLI.opa(ctx; help=true);\nAn open source project to policy-enable your service.\n\nUsage:\n opa [command]\n\nAvailable Commands:\n bench Benchmark a Rego query\n build Build an OPA bundle\n capabilities Print the capabilities of OPA\n check Check Rego source files\n completion Generate the autocompletion script for the specified shell\n deps Analyze Rego query dependencies\n eval Evaluate a Rego query\n exec Execute against input files\n fmt Format Rego source files\n help Help about any command\n inspect Inspect OPA bundle(s)\n parse Parse Rego source file\n run Start OPA in interactive or server mode\n sign Generate an OPA bundle signature\n test Execute Rego test cases\n version Print the version of OPA\n\nFlags:\n -h, --help help for opa\n\nUse \"opa [command] --help\" for more information about a command.","category":"page"},{"location":"commandline/","page":"Command Line","title":"Command Line","text":"Complete reference is available in the Reference 
section.","category":"page"},{"location":"#OpenPolicyAgent.jl","page":"Home","title":"OpenPolicyAgent.jl","text":"","category":"section"},{"location":"","page":"Home","title":"Home","text":"Open Policy Agent (OPA) is an open-source, cloud-native policy engine that allows organizations to declaratively enforce policies across their software stack. It provides a unified, flexible, and efficient way to implement and manage policies for access control, security, and compliance in modern, dynamic environments. OPA excels at decoupling policy decision logic from application code, enabling fine-grained control over authorization, resource validation, and more.","category":"page"},{"location":"","page":"Home","title":"Home","text":"Its expressive policy language, called Rego, allows users to define complex policies in a human-readable format. OPA is widely adopted in cloud-native ecosystems, helping organizations ensure consistent policy enforcement across services, APIs, and infrastructure components, making it a crucial tool for enhancing security and governance in modern software systems.","category":"page"},{"location":"","page":"Home","title":"Home","text":"This package provides a Julia interface to the OPA server, and the client APIs to interact with the server. It also includes a command-line interface to the OPA command-line tool.","category":"page"}] +[{"location":"ast_walker/#AST-Walker","page":"AST Walker","title":"AST Walker","text":"","category":"section"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"OPA has a feature called partial evaluation which has several interesting applications. With partial evaluation, callers specify that certain inputs or pieces of data are unknown. OPA evaluates as much of the policy as possible without touching parts that depend on unknown values. The result of partial evaluation is a new policy that can be evaluated more efficiently than the original. 
The new policy is returned to the caller as an AST.","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"The returned AST thus represents a strategy, rather than a result. It may be cached and reused. It may also be converted to other forms, e.g. a SQL query condition, or elastic search query.","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"The ASTWalker module provides a framework to traverse the AST returned from a partial evaluattion. It specifies a Visitor interface that callers can implement to perform custom operations on the AST. The ASTWalker module also provides a default implementation of the Visitor interface that can be used to perform common operations on the AST.","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"Included in the ASTWalker module are implementations of the Visitor interface that can be used to:","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"Create a easy to use Julia representation of the AST. This is provided by the ASTWalker.AST.ASTVisitor type.\nCreate a SQL query condition from the Julia representation of the AST. 
This is provided by the ASTWalker.SQL.SQLVisitor type.","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"An example of how it can be used is shown below:","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"import OpenPolicyAgent: ASTWalker\nimport OpenPolicyAgent.ASTWalker: AST, SQL\nimport OpenPolicyAgent.ASTWalker.AST: ASTVisitor\nimport OpenPolicyAgent.ASTWalker.SQL: SQLVisitor, SQLCondition, UnconditionalInclude, UnconditionalExclude\n\n# invoke the partial evaluation endpoint\npartial_query_schema = OpenPolicyAgent.Client.PartialQuerySchema(; ...)\nresponse, _http_resp = OpenPolicyAgent.Client.post_compile(\n compile_client;\n partial_query_schema = partial_query_schema,\n)\n\n# crete a Julia representation of the AST\nast = OpenPolicyAgent.ASTWalker.walk(ASTVisitor(), result)\n\n# Provide a mapping of schema names and table names that can be used to convert policy paths to SQL table names\nconst SCHEMA_MAP = Dict{String, String}(\n \"data\" => \"public\",\n \"public\" => \"public\",\n)\n\nconst TABLE_MAP = Dict{String, String}(\n \"reports\" => \"juliahub_reports\",\n)\n\n# create a SQL query condition from the AST\nsqlvisitor = SQLVisitor(SCHEMA_MAP, TABLE_MAP)\nsqlcondition = OpenPolicyAgent.ASTWalker.walk(sqlvisitor, ast)\n\n# sql condition should be a SQLCondition object\nif isa(sqlcondition, UnconditionalExclude)\n # all rows should be excluded\nelseif isa(sqlcondition, UnconditionalInclude)\n # all rows should be included\nelse\n # `sqlcondition.sql` contains a string with the SQL query condition\nend","category":"page"},{"location":"ast_walker/","page":"AST Walker","title":"AST Walker","text":"More details of AST walker, and the included visitors can be found in the reference documentation.","category":"page"},{"location":"client/#OPA-Client","page":"Client","title":"OPA 
Client","text":"","category":"section"},{"location":"client/","page":"Client","title":"Client","text":"OPA exposes domain-agnostic APIs that your service can call to manage and enforce policies. Read this page if you want to integrate an application, service, or tool with OPA. The REST APIs are grouped into the following categories:","category":"page"},{"location":"client/","page":"Client","title":"Client","text":"Policy API - manage policy loaded into the OPA instance.\nData API - evaluate rules and retrieve data.\nQuery API - execute adhoc queries.\nCompile API - access Rego’s Partial Evaluation functionality.\nHealth API - access instance operational health information.\nConfig API - view instance configuration.\nStatus API - view instance status state.","category":"page"},{"location":"client/","page":"Client","title":"Client","text":"The OpenPolicyAgent.Client module includes methods to help interact with the OPA server using the OpenAPI client.","category":"page"},{"location":"client/","page":"Client","title":"Client","text":"opa_client = OpenPolicyAgent.Client.DataApi(openapi_client)\n\nresponse, _http_resp = OpenPolicyAgent.Client.get_document(\n opa_client,\n \"policies/server/rest/allowed\"\n);\n@test response.result == false","category":"page"},{"location":"client/","page":"Client","title":"Client","text":"Complete reference is available in the Reference section.","category":"page"},{"location":"client/","page":"Client","title":"Client","text":"OpenAPI API Documents also give more details on the API methods.","category":"page"},{"location":"server/#OPA-Server","page":"Server","title":"OPA Server","text":"","category":"section"},{"location":"server/","page":"Server","title":"Server","text":"The OPA (Open Policy Agent) server is a critical component of the OPA ecosystem, serving as a central policy decision point. It's a standalone service that evaluates policies written in the Rego language and makes access control decisions based on those policies. 
The OPA server allows for efficient policy enforcement across various parts of a software stack, including microservices, APIs, and cloud infrastructure. It receives policy queries, typically in the form of JSON or structured data, and returns decisions, enabling fine-grained control over authorization and compliance. With its ability to scale and distribute policy evaluations, the OPA server plays a crucial role in ensuring consistent and dynamic policy enforcement in complex, modern, and cloud-native environments, enhancing security and governance across the entire system.","category":"page"},{"location":"server/","page":"Server","title":"Server","text":"The OpenPolicyAgent.Server module includes methods to help start the OPA server, monitor it for failures, and restart when required.","category":"page"},{"location":"server/","page":"Server","title":"Server","text":"function start_opa_server(root_path)\n opa_server = OpenPolicyAgent.Server.MonitoredOPAServer(\n joinpath(root_path, \"config.yaml\"),\n stdout = joinpath(root_path, \"server.stdout\"),\n stderr = joinpath(root_path, \"server.stderr\"),\n )\n OpenPolicyAgent.Server.start!(opa_server)\n return opa_server\nend\n\nstart_opa_server(\"/tmp/opaserver\")","category":"page"},{"location":"server/","page":"Server","title":"Server","text":"Complete reference is available in the Reference section.","category":"page"},{"location":"reference/","page":"Reference","title":"Reference","text":"Pages = [\"reference.md\"]\nDepth = 3","category":"page"},{"location":"reference/","page":"Reference","title":"Reference","text":"CurrentModule = OpenPolicyAgent","category":"page"},{"location":"reference/#API-Reference","page":"Reference","title":"API 
Reference","text":"","category":"section"},{"location":"reference/#Client","page":"Reference","title":"Client","text":"","category":"section"},{"location":"reference/#PolicyApi","page":"Reference","title":"PolicyApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.get_policies\nOpenPolicyAgent.Client.get_policy_module\nOpenPolicyAgent.Client.put_policy_module\nOpenPolicyAgent.Client.delete_policy_module","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.get_policies","page":"Reference","title":"OpenPolicyAgent.Client.get_policies","text":"List policies\n\nThis API endpoint responds with a list of all policy modules on the server (result response)\n\nParams:\n\npretty::Bool\n\nReturn: GetPolicyListSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.get_policy_module","page":"Reference","title":"OpenPolicyAgent.Client.get_policy_module","text":"Get a policy module\n\nThis API endpoint returns the details of the specified policy module ({id})\n\nParams:\n\nid::String (required)\npretty::Bool\n\nReturn: GetPolicyModuleSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.put_policy_module","page":"Reference","title":"OpenPolicyAgent.Client.put_policy_module","text":"Create or update a policy module\n\nIf the policy module does not exist, it is created. - If the policy module already exists, it is replaced. If the policy module isn't correctly defined, a bad request (400) response is returned. 
### Example policy module yaml package opa.examples import data.servers import data.networks import data.ports public_servers[server] { some k, m server := servers[_] server.ports[_] == ports[k].id ports[k].networks[_] == networks[m].id networks[m].public == true }\n\nParams:\n\nid::String (required)\nbody::String (required)\npretty::Bool\nmetrics::Bool\n\nReturn: PutPolicySuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.delete_policy_module","page":"Reference","title":"OpenPolicyAgent.Client.delete_policy_module","text":"Delete a policy module\n\nThis API endpoint removes an existing policy module from the server\n\nParams:\n\nid::String (required)\npretty::Bool\nmetrics::Bool\n\nReturn: Nothing, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#DataApi","page":"Reference","title":"DataApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.get_document\nOpenPolicyAgent.Client.get_document_with_path\nOpenPolicyAgent.Client.get_document_from_webhook\nOpenPolicyAgent.Client.create_document\nOpenPolicyAgent.Client.patch_document\nOpenPolicyAgent.Client.delete_document","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.get_document","page":"Reference","title":"OpenPolicyAgent.Client.get_document","text":"Get a document\n\nThis API endpoint returns the document specified by path. The path separator is used to access values inside object and array documents. If the path indexes into an array, the server will attempt to convert the array index to an integer. If the path element cannot be converted to an integer, the server will respond with 404. 
The server will return a bad request (400) response if either: - The query requires an input document and you do not provide it - You provide the input document but the query has already defined it.\n\nParams:\n\npath::String (required)\ninput::Dict{String, Any}\npretty::Bool\nprovenance::Bool\nexplain::String\nmetrics::Bool\ninstrument::Bool\nstrictbuiltinerrors::Bool\n\nReturn: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.get_document_with_path","page":"Reference","title":"OpenPolicyAgent.Client.get_document_with_path","text":"Get a document that required an input\n\nThe request body contains an object that specifies a value for the input document. The path separator is used to access values inside object and array documents. If the path indexes into an array, the server will attempt to convert the array index to an integer. If the path element cannot be converted to an integer, the server will respond with 404. The server will return a bad request (400) response if either: - The query requires an input document and you do not provide it - You provided an input document but the query has already defined it.\n\nParams:\n\npath::String (required)\nrequest_body::Dict{String, Any} (required)\npretty::Bool\nprovenance::Bool\nexplain::String\nmetrics::Bool\ninstrument::Bool\nstrictbuiltinerrors::Bool\n\nReturn: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.get_document_from_webhook","page":"Reference","title":"OpenPolicyAgent.Client.get_document_from_webhook","text":"Get a document from a webhook.\n\nUse this API if you are enforcing policy decisions via webhooks that have pre-defined request/response formats. Note, the API path prefix is /v0 instead of /v1. The request message body defines the content of the The input Document. The request message body may be empty. 
The path separator is used to access values inside object and array documents.\n\nParams:\n\npath::String (required)\nrequest_body::Dict{String, Any} (required)\npretty::Bool\n\nReturn: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.create_document","page":"Reference","title":"OpenPolicyAgent.Client.create_document","text":"Create or overwrite a document.\n\nIf the path does not refer to an existing document, the server will attempt to create all of the necessary containing documents. This behavior is similar in principle to the Unix command mkdir -p. The server will respect the If-None-Match header if it is set to *. In this case, the server will not overwrite an existing document located at the path.\n\nParams:\n\npath::String (required)\nrequest_body::Dict{String, Any} (required)\nmetrics::Bool\n\nReturn: CreateDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.patch_document","page":"Reference","title":"OpenPolicyAgent.Client.patch_document","text":"Patch a document\n\nUpdate a document. 
The patch operation is specified in the request body.\n\nParams:\n\npath::String (required)\npatch_operation::Vector{PatchOperation} (required)\n\nReturn: Nothing, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.delete_document","page":"Reference","title":"OpenPolicyAgent.Client.delete_document","text":"Delete a document\n\nThe server processes the DELETE method as if the client had sent a PATCH request containing a single remove operation.\n\nParams:\n\npath::String (required)\nmetrics::Bool\n\nReturn: DeleteDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#QueryApi","page":"Reference","title":"QueryApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.query_get\nOpenPolicyAgent.Client.query_post\nOpenPolicyAgent.Client.simple_query","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.query_get","page":"Reference","title":"OpenPolicyAgent.Client.query_get","text":"Execute an ad-hoc query and return bindings for variables found in the query.\n\nFor queries that have large JSON values it is recommended to use the POST method with the query included as the POST body\n\nParams:\n\nq::String (required)\npretty::Bool\nexplain::String\nmetrics::Bool\n\nReturn: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.query_post","page":"Reference","title":"OpenPolicyAgent.Client.query_post","text":"Execute an ad-hoc query and return bindings for variables found in the query.\n\nQuery included as the POST body. E.g.: { \"query\": \"input.servers[i].ports[_] = \\\"p2\\\"; input.servers[i].name = name\", \"input\": { \"servers\": [ ... 
], } }\n\nParams:\n\nqueryparameterpost::QueryParameterPost (required)\npretty::Bool\nexplain::String\nmetrics::Bool\n\nReturn: GetDocumentSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Client.simple_query","page":"Reference","title":"OpenPolicyAgent.Client.simple_query","text":"Execute a simple query.\n\nOPA serves POST requests without a URL path by querying for the document at path /data/system/main. The content of that document defines the response entirely.\n\nParams:\n\nrequest_body::Dict{String, Any} (required)\npretty::Bool\n\nReturn: Dict{String, Any}, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#CompileApi","page":"Reference","title":"CompileApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.post_compile","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.post_compile","page":"Reference","title":"OpenPolicyAgent.Client.post_compile","text":"Partially evaluate a query.\n\nThe Compile API allows you to partially evaluate Rego queries and obtain a simplified version of the policy. This is most useful when building integrations where policy logic is to be translated and evaluated in another environment.
      For example, this post on the OPA blog shows how SQL can be generated based on Compile API output. For more details on Partial Evaluation in OPA, please refer to this blog post.
      The example below assumes that OPA has been given the following policy (use PUT /v1/policies/{path}):
       package example allow {   input.subject.clearancelevel >= data.reports[].clearancelevel } 

      Compile API request body so that it contain the following fields:
      FieldTypeRequiredDescription
      querystringYesThe query to partially evaluate and compile.
      inputanyNoThe input document to use during partial evaluation (default: undefined).
      optionsobject[string, any]NoAdditional options to use during partial evaluation. Only disableInlining option is supported. (default: undefined).
      unknownsarray[string]NoThe terms to treat as unknown during partial evaluation (default: [\"input\"]]).

      For example:
      { \"query\": \"data.example.allow == true\", \"input\": { \"subject\": { \"clearancelevel\": 4 } }, \"unknowns\": [ \"data.reports\" ] }
      Unconditional Results from Partial Evaluation When you partially evaluate a query with the Compile API, OPA returns a new set of queries and supporting policies. However, in some cases, the result of Partial Evaluation is a conclusive, unconditional answer.
      See the guidance for details.\n\nParams:\n\npretty::Bool\nexplain::String\nmetrics::Bool\ninstrument::Bool\npartialqueryschema::PartialQuerySchema\n\nReturn: CompileSuccessResponse, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#HealthApi","page":"Reference","title":"HealthApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.get_health","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.get_health","page":"Reference","title":"OpenPolicyAgent.Client.get_health","text":"Health\n\nThis API endpoint verifies that the server is operational. The response from the server is either 200 or 500: - 200 - OPA service is healthy. If bundles is true, then all configured bundles have been activated. If plugins is true, then all plugins are in an 'OK' state. - 500 - OPA service is not healthy. If bundles is true, at least one of configured bundles has not yet been activated. If plugins is true, at least one plugins is in a 'not OK' state. –- Note This check is only for initial bundle activation. Subsequent downloads will not affect the health check. Use the status endpoint (in the (management API)[management.html]) for more fine-grained bundle status monitoring. –-\n\nParams:\n\nbundles::Bool\nplugins::Bool\nexclude_plugin::String\n\nReturn: Nothing, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#ConfigApi","page":"Reference","title":"ConfigApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.get_config","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.get_config","page":"Reference","title":"OpenPolicyAgent.Client.get_config","text":"Get configurations\n\nThe /config API endpoint returns OPA's active configuration. 
When the discovery feature is enabled, this API can be used to fetch the discovered configuration in the last evaluated discovery bundle. The credentials field in the Services configuration and the private_key and key fields in the Keys configuration will be omitted from the API response.\n\nParams:\n\npretty::Bool\n\nReturn: Dict{String, Any}, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#StatusApi","page":"Reference","title":"StatusApi","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Client.get_status","category":"page"},{"location":"reference/#OpenPolicyAgent.Client.get_status","page":"Reference","title":"OpenPolicyAgent.Client.get_status","text":"Get status\n\nThe /status API endpoint returns the status of the OPA server. This includes the status of the bundles and plugins.\n\nParams:\n\npretty::Bool\n\nReturn: Dict{String, Any}, OpenAPI.Clients.ApiResponse\n\n\n\n\n\n","category":"function"},{"location":"reference/#Server","page":"Reference","title":"Server","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.Server.MonitoredOPAServer\nOpenPolicyAgent.Server.start!\nOpenPolicyAgent.Server.stop!","category":"page"},{"location":"reference/#OpenPolicyAgent.Server.MonitoredOPAServer","page":"Reference","title":"OpenPolicyAgent.Server.MonitoredOPAServer","text":"MonitoredOPAServer(configfile::String;\n host::String = \"localhost\",\n port::Int = DEFAULT_PORT,\n stdout = nothing,\n stderr = nothing,\n)\n\nA server that is monitored and restarted if it dies.\n\nArguments:\n\nconfigfile: The path to the OPA configuration file.\n\nKeyword arguments:\n\nhost: The host to bind to.\nport: The port to bind to.\nstdout: The stream or file to redirect stdout to.\nstderr: The stream or file to redirect stderr 
to.\n\n\n\n\n\n","category":"type"},{"location":"reference/#OpenPolicyAgent.Server.start!","page":"Reference","title":"OpenPolicyAgent.Server.start!","text":"start!(server::MonitoredOPAServer)\n\nStarts the server. If the server is already started, an error is thrown. Monitors the server and restarts it if it dies.\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.Server.stop!","page":"Reference","title":"OpenPolicyAgent.Server.stop!","text":"stop!(server::MonitoredOPAServer)\n\nStops the server. If the server is not started, an error is thrown.\n\n\n\n\n\n","category":"function"},{"location":"reference/#CLI","page":"Reference","title":"CLI","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.CLI.CommandLine\nOpenPolicyAgent.CLI.opa\nOpenPolicyAgent.CLI.help\nOpenPolicyAgent.CLI.version\nOpenPolicyAgent.CLI.build\nOpenPolicyAgent.CLI.check\nOpenPolicyAgent.CLI.completion\nOpenPolicyAgent.CLI.deps\nOpenPolicyAgent.CLI.eval\nOpenPolicyAgent.CLI.exec\nOpenPolicyAgent.CLI.fmt\nOpenPolicyAgent.CLI.inspect\nOpenPolicyAgent.CLI.parse\nOpenPolicyAgent.CLI.run\nOpenPolicyAgent.CLI.sign\nOpenPolicyAgent.CLI.test\nOpenPolicyAgent.CLI.bench","category":"page"},{"location":"reference/#OpenPolicyAgent.CLI.CommandLine","page":"Reference","title":"OpenPolicyAgent.CLI.CommandLine","text":"CommandLine execution context.\n\nexec: a no argument function that provides the base command to execute in a julia do block. cmdopts: keyword arguments that should be used to further customize the Cmd creation pipelineopts: keyword arguments that should be used to further customize the pipeline creation\n\n\n\n\n\n","category":"type"},{"location":"reference/#OpenPolicyAgent.CLI.opa","page":"Reference","title":"OpenPolicyAgent.CLI.opa","text":"opa Run the opa command. 
Open Policy Agent (OPA)\n\nOptions:\n\nhelp::Bool - Help for opa\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.help","page":"Reference","title":"OpenPolicyAgent.CLI.help","text":"help Run the help subcommand of opa command. Help about any command\n\nOptions:\n\nhelp::Bool - Help for help\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.version","page":"Reference","title":"OpenPolicyAgent.CLI.version","text":"version Run the version subcommand of opa command. Print the version of OPA\n\nOptions:\n\ncheck::Bool - Check for latest OPA release\nhelp::Bool - Help for version\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.build","page":"Reference","title":"OpenPolicyAgent.CLI.build","text":"build Run the build subcommand of opa command. Build an OPA bundle\n\nOptions:\n\nbundle::Bool - Load paths as bundle files or root directories\ncapabilities::AbstractString - Set capabilities.json file path\nclaims_file::AbstractString - Set path of JSON file containing optional claims (see: https://openpolicyagent.org/docs/latest/management/#signature-format)\ndebug::Bool - Enable debug output\nentrypoint::AbstractString - Set slash separated entrypoint path\nexcludefilesverify::AbstractString - Set file names to exclude during bundle verification\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\noptimize::AbstractString - Set optimization level\noutput::AbstractString - Set the output filename\nrevision::AbstractString - Set output bundle revision\nscope::AbstractString - Scope to use for bundle signature verification\nsigning_alg::AbstractString - Name of the signing algorithm\nsigning_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)\nsigning_plugin::AbstractString - Name of the plugin to use for signing/verification (see 
https://openpolicyagent.org/docs/latest/management/#signature-plugin\ntarget::AbstractString - Set the output bundle target type\nverification_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the public key (RSA and ECDSA)\nverificationkeyid::AbstractString - Name assigned to the verification key used for bundle verification\nhelp::Bool - Help for build\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.check","page":"Reference","title":"OpenPolicyAgent.CLI.check","text":"check Run the check subcommand of opa command. Check Rego source files\n\nOptions:\n\nbundle::Bool - Load paths as bundle files or root directories\ncapabilities::AbstractString - Set capabilities.json file path\nformat::AbstractString - Set output format\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\nmax_errors::AbstractString - Set the number of errors to allow before compilation fails early\nschema::AbstractString - Set schema file path or directory path\nstrict::Bool - Enable compiler strict mode\nhelp::Bool - Help for check\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.completion","page":"Reference","title":"OpenPolicyAgent.CLI.completion","text":"completion Run the completion subcommand of opa command. Generate the autocompletion script for the specified shell\n\nOptions:\n\nhelp::Bool - Help for completion\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.deps","page":"Reference","title":"OpenPolicyAgent.CLI.deps","text":"deps Run the deps subcommand of opa command. Analyze Rego query dependencies\n\nOptions:\n\nbundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated\ndata::AbstractString - Set policy or data file(s). 
This flag can be repeated\nformat::AbstractString - Set output format\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\nhelp::Bool - Help for deps\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.eval","page":"Reference","title":"OpenPolicyAgent.CLI.eval","text":"eval Run the eval subcommand of opa command. Evaluate a Rego query\n\nOptions:\n\nbundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated\ncapabilities::AbstractString - Set capabilities.json file path\ncount::AbstractString - Number of times to repeat each benchmark\ncoverage::Bool - Report coverage\ndata::AbstractString - Set policy or data file(s). This flag can be repeated\ndisableearlyexit::Bool - Disable 'early exit' optimizations\ndisable_indexing::Bool - Disable indexing optimizations\ndisable_inlining::AbstractString - Set paths of documents to exclude from inlining\nexplain::AbstractString - Enable query explanations\nfail::Bool - Exits with non-zero exit code on undefined/empty result and errors\nfail_defined::Bool - Exits with non-zero exit code on defined/non-empty result and errors\nformat::AbstractString - Set output format\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\n_import::AbstractString - Set query import(s). 
This flag can be repeated\ninput::AbstractString - Set input file path\ninstrument::Bool - Enable query instrumentation metrics (implies –metrics)\nmetrics::Bool - Report query performance metrics\npackage::AbstractString - Set query package\npartial::Bool - Perform partial evaluation\npretty_limit::AbstractString - Set limit after which pretty output gets truncated\nprofile::Bool - Perform expression profiling\nprofile_limit::AbstractString - Set number of profiling results to show\nprofile_sort::AbstractString - Set sort order of expression profiler results\nschema::AbstractString - Set schema file path or directory path\nshallow_inlining::Bool - Disable inlining of rules that depend on unknowns\nstdin::Bool - Read query from stdin\nstdin_input::Bool - Read input document from stdin\nstrictbuiltinerrors::Bool - Treat built-in function errors as fatal\ntarget::AbstractString - Set the runtime to exercise\ntimeout::AbstractString - Set eval timeout (default unlimited)\nunknowns::AbstractString - Set paths to treat as unknown during partial evaluation\nhelp::Bool - Help for eval\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.exec","page":"Reference","title":"OpenPolicyAgent.CLI.exec","text":"exec Run the exec subcommand of opa command. Execute against input files\n\nOptions:\n\nbundle::AbstractString - Set bundle file(s) or directory path(s). 
This flag can be repeated\nconfig_file::AbstractString - Set path of configuration file\ndecision::AbstractString - Set decision to evaluate\nformat::AbstractString - Set output format\nlog_format::AbstractString - Set log format\nlog_level::AbstractString - Set log level\nset::AbstractString - Override config values on the command line (use commas to specify multiple values)\nset_file::AbstractString - Override config values with files on the command line (use commas to specify multiple values)\nhelp::Bool - Help for exec\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.fmt","page":"Reference","title":"OpenPolicyAgent.CLI.fmt","text":"fmt Run the fmt subcommand of opa command. Format Rego source files\n\nOptions:\n\ndiff::Bool - Only display a diff of the changes\nfail::Bool - Non zero exit code on reformat\nlist::Bool - List all files who would change when formatted\nwrite::Bool - Overwrite the original source file\nhelp::Bool - Help for fmt\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.inspect","page":"Reference","title":"OpenPolicyAgent.CLI.inspect","text":"inspect Run the inspect subcommand of opa command. Inspect OPA bundle(s)\n\nOptions:\n\nformat::AbstractString - Set output format\nhelp::Bool - Help for inspect\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.parse","page":"Reference","title":"OpenPolicyAgent.CLI.parse","text":"parse Run the parse subcommand of opa command. Parse Rego source file\n\nOptions:\n\nformat::AbstractString - Set output format\nhelp::Bool - Help for parse\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.run","page":"Reference","title":"OpenPolicyAgent.CLI.run","text":"run Run the run subcommand of opa command. 
Start OPA in interactive or server mode\n\nOptions:\n\naddr::AbstractString - Set listening address of the server (e.g., [ip]: for TCP, unix:// for UNIX domain socket)\nauthentication::AbstractString - Set authentication scheme\nauthorization::AbstractString - Set authorization scheme\nbundle::Bool - Load paths as bundle files or root directories\nconfig_file::AbstractString - Set path of configuration file\ndiagnostic_addr::AbstractString - Set read-only diagnostic listening address of the server for /health and /metric APIs (e.g., [ip]: for TCP, unix:// for UNIX domain socket)\nexcludefilesverify::AbstractString - Set file names to exclude during bundle verification\nformat::AbstractString - Set shell output format, i.e, pretty, json\nh2c::Bool - Enable H2C for HTTP listeners\nhistory::AbstractString - Set path of history file\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\nlog_format::AbstractString - Set log format\nlog_level::AbstractString - Set log level\nmax_errors::AbstractString - Set the number of errors to allow before compilation fails early\nmintlsversion::AbstractString - Set minimum TLS version to be used by OPA's server\npprof::Bool - Enables pprof endpoints\nready_timeout::AbstractString - Wait (in seconds) for configured plugins before starting server (value <= 0 disables ready check)\nscope::AbstractString - Scope to use for bundle signature verification\nserver::Bool - Start the runtime in server mode\nset::AbstractString - Override config values on the command line (use commas to specify multiple values)\nset_file::AbstractString - Override config values with files on the command line (use commas to specify multiple values)\nshutdowngraceperiod::AbstractString - Set the time (in seconds) that the server will wait to gracefully shut down\nshutdownwaitperiod::AbstractString - Set the time (in seconds) that the server will wait before initiating 
shutdown\nsigning_alg::AbstractString - Name of the signing algorithm\nskip_verify::Bool - Disables bundle signature verification\nskipversioncheck::Bool - Disables anonymous version reporting (see: https://openpolicyagent.org/docs/latest/privacy)\ntlscacert_file::AbstractString - Set path of TLS CA cert file\ntlscertfile::AbstractString - Set path of TLS certificate file\ntlscertrefresh_period::AbstractString - Set certificate refresh period\ntlsprivatekey_file::AbstractString - Set path of TLS private key file\nverification_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the public key (RSA and ECDSA)\nverificationkeyid::AbstractString - Name assigned to the verification key used for bundle verification\nwatch::Bool - Watch command line files for changes\nhelp::Bool - Help for run\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.sign","page":"Reference","title":"OpenPolicyAgent.CLI.sign","text":"sign Run the sign subcommand of opa command. Generate an OPA bundle signature\n\nOptions:\n\nbundle::Bool - Load paths as bundle files or root directories\nclaims_file::AbstractString - Set path of JSON file containing optional claims (see: https://openpolicyagent.org/docs/latest/management/#signature-format)\noutputfilepath::AbstractString - Set the location for the .signatures.json file\nsigning_alg::AbstractString - Name of the signing algorithm\nsigning_key::AbstractString - Set the secret (HMAC) or path of the PEM file containing the private key (RSA and ECDSA)\nsigning_plugin::AbstractString - Name of the plugin to use for signing/verification (see https://openpolicyagent.org/docs/latest/management/#signature-plugin\nhelp::Bool - Help for sign\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.test","page":"Reference","title":"OpenPolicyAgent.CLI.test","text":"test Run the test subcommand of opa command. 
Execute Rego test cases\n\nOptions:\n\nbench::Bool - Benchmark the unit tests\nbenchmem::Bool - Report memory allocations with benchmark results\nbundle::Bool - Load paths as bundle files or root directories\ncount::AbstractString - Number of times to repeat each test\ncoverage::Bool - Report coverage (overrides debug tracing)\nexitzeroon_skipped::Bool - Skipped tests return status 0\nexplain::AbstractString - Enable query explanations\nformat::AbstractString - Set output format\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\nmax_errors::AbstractString - Set the number of errors to allow before compilation fails early\nrun::AbstractString - Run only test cases matching the regular expression\nshowfailureline::Bool - Show test failure line\ntarget::AbstractString - Set the runtime to exercise\nthreshold::AbstractString - Set coverage threshold and exit with non-zero status if coverage is less than threshold %\ntimeout::AbstractString - Set test timeout (default 5s, 30s when benchmarking)\nverbose::Bool - Set verbose reporting mode\nhelp::Bool - Help for test\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.CLI.bench","page":"Reference","title":"OpenPolicyAgent.CLI.bench","text":"bench Run the bench subcommand of opa command. Benchmark a Rego query\n\nOptions:\n\nbenchmem::Bool - Report memory allocations with benchmark results\nbundle::AbstractString - Set bundle file(s) or directory path(s). This flag can be repeated\ncount::AbstractString - Number of times to repeat each benchmark\ndata::AbstractString - Set policy or data file(s). This flag can be repeated\nfail::Bool - Exits with non-zero exit code on undefined/empty result and errors\nformat::AbstractString - Set output format\nignore::AbstractString - Set file and directory names to ignore during loading (e.g., '.*' excludes hidden files)\n_import::AbstractString - Set query import(s). 
This flag can be repeated\ninput::AbstractString - Set input file path\nmetrics::Bool - Report query performance metrics\npackage::AbstractString - Set query package\npartial::Bool - Perform partial evaluation\nschema::AbstractString - Set schema file path or directory path\nstdin::Bool - Read query from stdin\nstdin_input::Bool - Read input document from stdin\ntarget::AbstractString - Set the runtime to exercise\nunknowns::AbstractString - Set paths to treat as unknown during partial evaluation\nhelp::Bool - Help for bench\n\n\n\n\n\n\n\n","category":"function"},{"location":"reference/#AST-Walker","page":"Reference","title":"AST Walker","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.ASTWalker.Vistor\nOpenPolicyAgent.ASTWalker.walk\nOpenPolicyAgent.ASTWalker.before\nOpenPolicyAgent.ASTWalker.visit\nOpenPolicyAgent.ASTWalker.after","category":"page"},{"location":"reference/#OpenPolicyAgent.ASTWalker.walk","page":"Reference","title":"OpenPolicyAgent.ASTWalker.walk","text":"walk(visitor, node)\n\nWalks the AST rooted at node using the visitor. Calls before, visit and after methods of the visitor in sequence while walking the tree.\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.ASTWalker.before","page":"Reference","title":"OpenPolicyAgent.ASTWalker.before","text":"before(visitor, node)\n\nCalled before visiting a node. The node that will be visited is passed as the second argument. Any preparatory work that needs to be done before visiting the node can be done here. Return value is ignored.\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.ASTWalker.visit","page":"Reference","title":"OpenPolicyAgent.ASTWalker.visit","text":"visit(visitor, node)\n\nCalled when visiting a node. The node that is being visited is passed as the second argument. The actual action to be performed when visiting a node must be implemented here. 
The visit method must also call walk on the visitor to visit the children of the node. The result must be stored in the visitor state. Return value is ignored.\n\n\n\n\n\n","category":"function"},{"location":"reference/#OpenPolicyAgent.ASTWalker.after","page":"Reference","title":"OpenPolicyAgent.ASTWalker.after","text":"after(visitor, node)\n\nCalled after visiting a node. The node that was visited is passed as the second argument. Any cleanup work that needs to be done after visiting the node can be done here. This is the last method called when visiting a node. Must return the result of visiting the node.\n\n\n\n\n\n","category":"function"},{"location":"reference/#Included-Visitors","page":"Reference","title":"Included Visitors","text":"","category":"section"},{"location":"reference/","page":"Reference","title":"Reference","text":"OpenPolicyAgent.ASTWalker.AST.ASTVisitor\nOpenPolicyAgent.ASTWalker.SQL.SQLVisitor","category":"page"},{"location":"reference/#OpenPolicyAgent.ASTWalker.AST.ASTVisitor","page":"Reference","title":"OpenPolicyAgent.ASTWalker.AST.ASTVisitor","text":"Visitor that converts a partial compile result to a julia based AST. 
Must be used with ASTWalker.walk, providing the partial compile result as the node argument.\n\nOutput:\n\nQuerySet: If the partial compile result contains queries, the output is a QuerySet containing the queries.\nnothing: If the partial compile result does not contain queries, the output is nothing.\n\nThe output is returned from the walk method.\n\n\n\n\n\n","category":"type"},{"location":"reference/#OpenPolicyAgent.ASTWalker.SQL.SQLVisitor","page":"Reference","title":"OpenPolicyAgent.ASTWalker.SQL.SQLVisitor","text":"SQLVisitor\n\nVisitor that converts an OPA partial compile AST to a SQL condition.\n\nIt requires two dictionaries to be passed in the constructor:\n\nschema_map: maps OPA package names to database schema names\ntable_map: maps OPA rule names to database table names\n\nInput to the visitor must be a partial compile result from OPA already converted to a julia representation using ASTWalker.AST.ASTVisitor. Walking the AST using this visitor will result in a SQL condition that can be appended to a SQL query using a where clause. Output, that is returned from the walk method, is an AbstractSQLCondition. It can be one of:\n\nSQLCondition: represents a SQL condition. Contains the SQL string that represents the condition that can be used in the query with a \"where\" clause.\nUnconditionalInclude: represents an unconditional include condition. Which means that the SQL query should return all rows.\nUnconditionalExclude: represents an unconditional exclude condition. Which means that the SQL query should not return any rows.\n\n\n\n\n\n","category":"type"},{"location":"commandline/#OPA-Command-Line","page":"Command Line","title":"OPA Command Line","text":"","category":"section"},{"location":"commandline/","page":"Command Line","title":"Command Line","text":"The OPA (Open Policy Agent) command-line tool is a versatile utility that empowers users to interact with and manage OPA policies and data. 
It allows users to perform various tasks, such as evaluating policies, testing Rego expressions, and querying data, all from the command line. This tool is invaluable for policy development, debugging, and troubleshooting, providing an accessible way to work with OPA without the need for complex integration. It's an essential companion for developers and administrators working with OPA, simplifying the process of authoring, testing, and refining policies to ensure robust and consistent policy enforcement across software systems.","category":"page"},{"location":"commandline/","page":"Command Line","title":"Command Line","text":"The OPA command line is made available in the OpenPolicyAgent.CLI module. To use, import the module. E.g.:","category":"page"},{"location":"commandline/","page":"Command Line","title":"Command Line","text":"julia> using OpenPolicyAgent\n\njulia> import OpenPolicyAgent: CLI\n\njulia> ctx = CLI.CommandLine();\n\njulia> CLI.opa(ctx; help=true);\nAn open source project to policy-enable your service.\n\nUsage:\n opa [command]\n\nAvailable Commands:\n bench Benchmark a Rego query\n build Build an OPA bundle\n capabilities Print the capabilities of OPA\n check Check Rego source files\n completion Generate the autocompletion script for the specified shell\n deps Analyze Rego query dependencies\n eval Evaluate a Rego query\n exec Execute against input files\n fmt Format Rego source files\n help Help about any command\n inspect Inspect OPA bundle(s)\n parse Parse Rego source file\n run Start OPA in interactive or server mode\n sign Generate an OPA bundle signature\n test Execute Rego test cases\n version Print the version of OPA\n\nFlags:\n -h, --help help for opa\n\nUse \"opa [command] --help\" for more information about a command.","category":"page"},{"location":"commandline/","page":"Command Line","title":"Command Line","text":"Complete reference is available in the Reference 
section.","category":"page"},{"location":"#OpenPolicyAgent.jl","page":"Home","title":"OpenPolicyAgent.jl","text":"","category":"section"},{"location":"","page":"Home","title":"Home","text":"Open Policy Agent (OPA) is an open-source, cloud-native policy engine that allows organizations to declaratively enforce policies across their software stack. It provides a unified, flexible, and efficient way to implement and manage policies for access control, security, and compliance in modern, dynamic environments. OPA excels at decoupling policy decision logic from application code, enabling fine-grained control over authorization, resource validation, and more.","category":"page"},{"location":"","page":"Home","title":"Home","text":"Its expressive policy language, called Rego, allows users to define complex policies in a human-readable format. OPA is widely adopted in cloud-native ecosystems, helping organizations ensure consistent policy enforcement across services, APIs, and infrastructure components, making it a crucial tool for enhancing security and governance in modern software systems.","category":"page"},{"location":"","page":"Home","title":"Home","text":"This package provides a Julia interface to the OPA server, and the client APIs to interact with the server. It also includes a command-line interface to the OPA command-line tool.","category":"page"}] } diff --git a/previews/PR10/server/index.html b/previews/PR10/server/index.html index 8d67fc2..f15dadf 100644 --- a/previews/PR10/server/index.html +++ b/previews/PR10/server/index.html @@ -9,4 +9,4 @@ return opa_server end -start_opa_server("/tmp/opaserver")

      Complete reference is available in the Reference section.

      +start_opa_server("/tmp/opaserver")

      Complete reference is available in the Reference section.
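Review bot: several option names in the CLI reference text of the search index have lost their underscores, for example `excludefilesverify`, `verificationkeyid`, `mintlsversion`, `tlscacert_file`, `tlsprivatekey_file`, `skipversioncheck` and `strictbuiltinerrors`, while `skip_verify` and `signing_key` survive intact. Names that keep only some of their underscores suggest the docstring Markdown is treating underscore pairs as emphasis. Wrapping each keyword name in backticks in the docstrings should make the rendered reference match the actual keyword arguments. This matters most for the TLS and bundle-verification options, where a reader copying the name from the docs would pass a keyword that does not exist. In the same text, the AST Walker page list names `OpenPolicyAgent.ASTWalker.Vistor`, which looks like a misspelling of `Visitor`, and the `signing_plugin` description opens a parenthesis before the URL and never closes it.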
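Review bot: the example in the server/index.html hunk calls `start_opa_server("/tmp/opaserver")`, a fixed, predictable path under the shared /tmp directory, and readers tend to copy documentation examples verbatim. Consider showing a directory obtained from `mktempdir()` or a per-user location instead, so that whatever the server keeps there cannot be pre-created or modified by another local user. The removed and added lines also carry identical visible text, which suggests that this hunk is regenerated preview output and that the change belongs in the documentation source.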