nicholasjackson/opa-rego-language

Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.

docs/regal-membership-operators.md

Regal: Membership and Operators

Rule: use-in-operator

Use the in keyword to check set/array membership — do not iterate and compare. Regal use-in-operator.

# Wrong — iterates to check membership
"admin" == input.user.roles[_]

# Correct — in operator
"admin" in input.user.roles

Rule: use-assignment-operator

Use := for assignment, never =. The = operator is unification (pattern matching) — using it for assignment is misleading and error-prone. Regal use-assignment-operator.

# Wrong
user = input.user

# Correct
user := input.user

Rule: yoda-condition

Write the variable on the left, the literal on the right — not the other way around. Regal yoda-condition.

# Wrong — yoda condition
"admin" == input.user.role

# Correct
input.user.role == "admin"

Rule: prefer-equals-comparison

Use == for equality comparison, not =. Regal prefer-equals-comparison.

Full Example

# METADATA
# title: Department-Based API Access Control
# description: Allows access to endpoints based on user department membership
# authors:
# - API Security Team <api-security@example.com>
# custom:
#   category: http-authorization
package httpapi.authz

import rego.v1

default allow := false

# METADATA
# title: Allow department access
# description: Permits requests when the user's department is in the allowed set for the path
# entrypoint: true
# custom:
#   severity: HIGH
allow if {
    allowed_departments := data.endpoint_access[input.path]
    input.user.department in allowed_departments
}

Data (data.endpoint_access):

{
    "/api/reports": ["engineering", "finance", "management"],
    "/api/admin": ["management"]
}

Input:

{
    "method": "GET",
    "path": "/api/reports",
    "user": {"department": "engineering"}
}

Result: allow == true, since "engineering" in ["engineering", "finance", "management"] holds.

Testing

# authz_test.rego
package httpapi.authz_test

import rego.v1
import data.httpapi.authz

access := {"/api/reports": ["engineering", "finance"], "/api/admin": ["management"]}

test_allowed_department if {
    authz.allow with input as {"path": "/api/reports", "user": {"department": "engineering"}}
               with data.endpoint_access as access
}

test_denied_department if {
    not authz.allow with input as {"path": "/api/reports", "user": {"department": "hr"}}
                   with data.endpoint_access as access
}

test_denied_wrong_path if {
    not authz.allow with input as {"path": "/api/admin", "user": {"department": "engineering"}}
                   with data.endpoint_access as access
}
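Extending the authorization example above, the following added policy (not part of the original doc) applies the `in` operator from the use-in-operator rule across the collection kinds Rego supports: arrays (`input.user.roles`), sets (the required-roles literals) and object key/value pairs (`some path, methods in ...`). The package name `httpapi.authz_roles`, the `required_roles` map and the `suspended` role are constructed for this example.

```rego
# METADATA
# title: Role-Based API Access (added example)
# description: Applies the `in` operator over arrays, sets and object key/value pairs
package httpapi.authz_roles

import rego.v1

default allow := false

# Allow when the user holds at least one of the roles required for this
# path and method, and is not suspended. If input.user.roles is missing,
# `some role in ...` is undefined, so `allow` is undefined and the default applies.
allow if {
    not suspended
    required := required_roles[input.path][input.method]
    some role in input.user.roles # iterate the array with `some ... in`
    role in required              # membership test against a set
}

# Array membership with the `in` operator; no `roles[_]` iteration needed.
suspended if "suspended" in input.user.roles

# Paths the caller may GET, built by iterating an object's key/value pairs.
readable_paths contains path if {
    some path, methods in required_roles
    some role in input.user.roles
    role in methods.GET
}

# Constructed role map for this example (a real deployment would load it
# from data.*): path -> method -> set of roles.
required_roles := {
    "/api/reports": {"GET": {"analyst", "manager"}, "POST": {"manager"}},
    "/api/admin": {"GET": {"admin"}}
}
```

Evaluate with `opa eval -d policy.rego -i input.json 'data.httpapi.authz_roles.allow'`; tests would follow the pattern in the Testing section above, in a `httpapi.authz_roles_test` package.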
