open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.

https://www.openpolicyagent.org

Apache License 2.0

9.32k stars 1.29k forks source link

Improve rule indexer to support multiple expressions #642

Open tsandall opened 6 years ago

tsandall commented 6 years ago

Currently, rule index lookups only support static expressions of the form <ref> = <constant> where the <ref> typically refers to an input value. In many cases, it would be advantageous if rule index lookups could resolve more dynamic expressions in the context of queries like...

x = input.method
y = upper(x)
y = "GET"

To achieve this, the rule index construction will need to be more intelligent and lookups may need to perform evaluation (recursively).

srenatus commented 1 year ago

4894 revealed that "naked refs" (for the lack of a better term) also aren't considered for indexing.

E.g.

allow {
  input.just_be_present
}

whereas something like this is,

allow {
  input.just_be_present != false
}

through the ordinary rewriting to an equal expression, and that being indexed.