
nicholasjackson/opa-rego-language

Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.


Regal: Default Rules and Fallback Values

This document covers Regal rules related to how default values are declared and used.

Relevant Regal rules:

  • default-over-else — use default rule := value instead of an else branch for fallback values
  • default-over-not — use default rule := false instead of rule := false if { not other_rule }
  • trailing-default-rule — place default declarations at the top of the rule group, not at the bottom

Pattern: default rule := value

Use default to declare fallback values. Declare the default before the conditional rules in the file.

package rate.limiting
import rego.v1

# CORRECT: default at top, conditional overrides below
default user_limit := 10

user_limit := 1000 if data.user_tiers[input.user] == "premium"
user_limit := 100  if data.user_tiers[input.user] == "standard"

# WRONG: trailing default (trailing-default-rule violation)
user_limit := 1000 if data.user_tiers[input.user] == "premium"
user_limit := 100  if data.user_tiers[input.user] == "standard"
default user_limit := 10

Pattern: default instead of else

Prefer default rule := false over an else branch for simple fallbacks.

# CORRECT: use default
default allow := false

allow if {
    input.role == "admin"
}

# WRONG: else branch for fallback (default-over-else violation)
allow if {
    input.role == "admin"
} else := false

Pattern: default instead of negation

Prefer default rule := false over explicitly checking not other_rule.

# CORRECT: use default
default allow := false

allow if input.role == "admin"

# WRONG: negation to set false (default-over-not violation)
allow if input.role == "admin"
allow := false if not allow

Multiple Tiered Defaults

When a rule has multiple conditional values and a fallback, the default is always the fallback:

package api.limits
import rego.v1

# Fallback declared first
default max_requests := 100

# Overrides for specific tiers
max_requests := 10000 if data.tiers[input.user_id] == "enterprise"
max_requests := 1000  if data.tiers[input.user_id] == "pro"

Testing Default Rules

Test both the default case and each override:

package api.limits_test
import rego.v1
import data.api.limits

test_default_limit if {
    limits.max_requests == 100 with data.tiers as {}
}

test_pro_limit if {
    limits.max_requests == 1000 with input as {"user_id": "alice"}
                                with data.tiers as {"alice": "pro"}
}

test_enterprise_limit if {
    limits.max_requests == 10000 with input as {"user_id": "corp"}
                                 with data.tiers as {"corp": "enterprise"}
}
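
An added example, not part of the original tile: tests that pin the security-relevant difference a default makes. Without one, a rule is undefined (neither true nor false) when no body matches, so a caller that only checks for an explicit false would not see a denial. The package `example.defaults_test`, the rule `allow_no_default` and the sample users are assumptions made for illustration; policy and tests share one file only to keep it self-contained.

```rego
package example.defaults_test

import rego.v1

# Hypothetical rules for illustration (not from the tile).

# Fail-closed: always defined, false unless a body matches.
default allow := false

allow if input.role == "admin"

# Same condition without a default: undefined when no body matches.
allow_no_default if input.role == "admin"

# Tiered value with a fallback, mirroring max_requests on this page.
default max_requests := 100

max_requests := 10000 if data.tiers[input.user_id] == "enterprise"
max_requests := 1000 if data.tiers[input.user_id] == "pro"

test_allow_is_false_for_non_admin if {
    allow == false with input as {"role": "viewer"}
}

test_allow_is_false_when_role_missing if {
    allow == false with input as {}
}

test_no_default_is_undefined_not_false if {
    not allow_no_default with input as {"role": "viewer"}          # not true
    not allow_no_default == false with input as {"role": "viewer"} # not false either
}

# A tier value with no matching override falls back to the default.
test_unknown_tier_falls_back if {
    max_requests == 100 with input as {"user_id": "bob"}
                        with data.tiers as {"bob": "trial"}
}

# A user missing from data.tiers also gets the default.
test_user_absent_from_tiers_falls_back if {
    max_requests == 100 with input as {"user_id": "mallory"}
                        with data.tiers as {"alice": "pro"}
}
```

Run it with `opa test` pointed at the file; all five tests are expected to pass.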
