
cel-policy-templates-go's Introduction

CEL Policy Templates

CEL Policy Templates provide a framework for defining new policy types and evaluating policy instances against many different requests.

There are many more policy admins, people who know the details of the data used to configure policy, than there are policy architects, people who know how the data is evaluated under the covers. This project, much like OPA Gatekeeper, is aimed at making it easier for both the architect and the admin to create new policy types and policies that match their business needs.

Core Concepts

There are three key components: templates, instances, and evaluators.

Templates

Templates define the shape of the policy. Templates are written in YAML and use Open API Schema v3 terminology. Templates are the interface between policy architects and policy admins.

Instances

Instances are written by policy admins. Instances are collectively applied to and enforced against inputs. The instance content is validated against the template definition.

Evaluators

Evaluators are written by policy architects. An evaluator refers to a template and is written as though it will evaluate a single instance of the template against a single evaluation context. The expressions within the evaluator are written in CEL and are checked for syntactic correctness, cycles, and type-agreement.

Environments

Environments specify an Engine's configuration, and are critical to Evaluator validation. An environment declares the variables and functions available to an Evaluator.
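The following is an added illustration of how the four pieces fit together; it is example YAML written for this page, not a file from the cel-policy-templates-go repository. The key layout (`schema`, `evaluator.terms`, `evaluator.productions`, `rule.`-prefixed references to instance content, the `policy.acme.co/v1` apiVersion, the `policy.deny` decision name and the `variables` layout of the Environment) is modelled on the project's sample files as remembered and should be treated as an assumption to be checked against the repository's test data. The three documents would normally live in separate files; they are shown as one YAML stream here only for readability.

```yaml
# --- template (assumed layout): written by the policy architect, defines the
# --- shape of every instance via an OpenAPI v3 style schema.
apiVersion: policy.acme.co/v1
kind: PolicyTemplate
metadata:
  name: restricted_locations
description: >
  Denies access to a resource when the caller's location has been listed by the
  policy admin as restricted for that resource's locale.
schema:
  type: object
  properties:
    resource_locale:
      type: string
    restricted_locations:
      type: array
      items:
        type: string
  required: [resource_locale, restricted_locations]
evaluator:
  # Terms are named CEL sub-expressions. `rule` is the validated instance content;
  # UserLocation and ResourceLocaleID are variables declared by the Environment.
  # Both terms are type-checked: comparing a string to a list, for example, is
  # rejected when the template is compiled rather than at request time.
  terms:
    locale_matches: rule.resource_locale == ResourceLocaleID
    location_restricted: UserLocation in rule.restricted_locations
  productions:
    - match: locale_matches && location_restricted
      decision: policy.deny   # assumed built-in decision name
      output: "resource locale " + rule.resource_locale + " is restricted from " + UserLocation
---
# --- instance (assumed layout): written by the policy admin. The engine validates
# --- the `rule` block against the template schema above before accepting it.
apiVersion: policy.acme.co/v1
kind: restricted_locations
metadata:
  name: us_export_controls
rule:
  resource_locale: "us"
  restricted_locations: ["rr", "xx"]   # constructed sample values
---
# --- environment (assumed layout): declares the request variables the evaluator
# --- may reference, so an evaluator that uses an undeclared name fails validation.
apiVersion: policy.acme.co/v1
kind: Environment
metadata:
  name: request_env
variables:
  UserLocation:
    type: string
  ResourceLocaleID:
    type: string
```

With these three documents loaded, a request carrying `UserLocation: "rr"` and `ResourceLocaleID: "us"` yields a deny decision, while a request from any location not listed in the instance yields no decision at all; an instance that omits `restricted_locations`, or supplies it as a string instead of a list, is rejected at load time by the schema rather than silently matching nothing.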

Why CEL Policy Templates?

CEL Policy Templates are based on the Common Expression Language (CEL). CEL is fast, portable, and supports both extension and subsetting. The flexibility of CEL makes it possible to bound the compute and memory cost of a given expression. CEL is not Turing complete, and its performance makes it a suitable choice for all kinds of policies, such as admission control, access control, and networking policies. Individual CEL expressions evaluate on the order of nanoseconds to microseconds.

OPA Gatekeeper is another alternative to consider which offers rich audit and analysis tools, but at the expense of performance, typically on the order of milliseconds. OPA offers support for Kubernetes, Istio, and Envoy as plugins. This is a great choice for admission control. CEL on the other hand is a core component of the Google Cloud IAM, Istio Mixer, and Envoy security policies where it is used in latency critical, high throughput operations.

Disclaimer: This is not an officially supported Google product


cel-policy-templates-go's Issues

YAML timestamp format not supported

Even though there are representations of timestamps within CPT, the native YAML timestamp type is not supported, which can be a gotcha when dealing with generated content.

```yaml
datetime: "2020-10-31T00:00:00Z"  # supported
timestamp: 2020-10-31T00:00:00Z   # error
```

Add support for the YAML timestamp type as well.

Anonymous types in Environment variables don't type-check

When an object type appears within an Env yaml file, the resulting variable reference does not type check unless the custom_type: <type_name> metadata tag is set. The rule schema for a template supports anonymous types by way of dynamically assigning type names derived from context. The same should be true for variable and function declarations within an Env.

Latest version has a breaking change

I have a Go program that uses an older version of cel-policy-templates-go. I am unable to find that version in the repo.
The program I wrote now fails with the latest version, giving me this error:
Any guidance on how I could fix this with the latest version?

```
go: finding module for package github.com/google/cel-policy-templates-go/policy/runtime
go: finding module for package github.com/google/cel-policy-templates-go/policy/model
go: finding module for package github.com/google/cel-policy-templates-go/policy/compiler
go: finding module for package github.com/google/cel-policy-templates-go/policy/parser
go: finding module for package github.com/google/cel-policy-templates-go/policy/limits
C:\Program Files\Go\src\cel-policy-templates-go\policy\engine.go:22:2: no matching versions for query "latest"
C:\Program Files\Go\src\cel-policy-templates-go\policy\engine.go:23:2: no matching versions for query "latest"
C:\Program Files\Go\src\cel-policy-templates-go\policy\engine.go:24:2: no matching versions for query "latest"
C:\Program Files\Go\src\cel-policy-templates-go\policy\engine.go:25:2: no matching versions for query "latest"
C:\Program Files\Go\src\cel-policy-templates-go\policy\engine.go:26:2: no matching versions for query "latest"
```

It is a pretty simple program:


```go
package main

import (
	"fmt"
	"log"

	"github.com/google/cel-go/cel"
	"github.com/google/cel-go/checker/decls"
	"github.com/google/cel-policy-templates-go/policy"
)

var (
	// Request variables the evaluator may reference; all three are strings.
	stdDecls = cel.Declarations(
		decls.NewIdent("ResourceLocaleID", decls.String, nil),
		decls.NewIdent("UserLocation", decls.String, nil),
		decls.NewIdent("UserNationality", decls.String, nil),
	)
)

func main() {
	env, err := cel.NewEnv(stdDecls)
	if err != nil {
		log.Fatalf("Error creating CEL environment: %v", err)
	}

	// Template, instance and evaluator are loaded from separate YAML files.
	enfOpts := []policy.EngineOption{
		policy.SourceFile(policy.EvaluatorFile, "evaluator-economic-sanctions.yaml"),
		policy.SourceFile(policy.TemplateFile, "template-economic-sanctions.yaml"),
		policy.SourceFile(policy.InstanceFile, "instance-economic-sanctions.yaml"),
	}

	enforcer, err := policy.NewEngine(env, enfOpts...)
	if err != nil {
		log.Fatalf("Error creating an Engine: %v", err)
	}

	// In the JWT token, if DataAttribute == "Restricted" or
	// "ExportAuthorizationRequirements", call the following Esanctions rule.
	decisions, err := enforcer.Evaluate(map[string]interface{}{
		"UserNationality":  "us",
		"UserLocation":     "rr",
		"ResourceLocaleID": "us",
	})
	if err != nil {
		log.Fatalf("Error evaluating: %v", err)
	}

	// No emitted decision means no rule matched; this program treats that as a deny.
	message := "Policy Decision: Access Allowed"
	if len(decisions) == 0 {
		message = "Policy Decision: Access Denied"
	}
	fmt.Println(message)
}
```
