OPA can be extended with custom built-in functions and plugins that implement functionality like support for new protocols.

Support for Go plugins was deprecated in OPA v0.14.0. If you want to customize the OPA daemon we recommend you build OPA from source.

This page explains how to customize and extend OPA in different ways.

Custom Built-in Functions in Go

Read this section if you want to extend OPA with custom built-in functions and you are using the github.com/open-policy-agent/opa/rego package to execute policies inside of software written in Go.

OPA supports built-in functions for simple operations like string manipulation and arithmetic as well as more complex operations like JWT verification and executing HTTP requests. If you need to to extend OPA with custom built-in functions for use cases or integrations that are not supported out-of-the-box you can supply the function definitions when you prepare queries.

Using custom built-in functions involves providing a declaration and implementation. The declaration tells OPA the function’s type signature and the implementation provides the callback that OPA can execute during query evaluation.

To get started you need to import three packages:

  1. import "github.com/open-policy-agent/opa/ast"
  2. import "github.com/open-policy-agent/opa/types"
  3. import "github.com/open-policy-agent/opa/rego"

The ast and types packages contain the types for declarations and runtime objects passed to your implementation. Here is a trivial example that shows the process:

  1. r := rego.New(
  2. rego.Query(`x = hello("bob")`),
  3. rego.Function1(
  4. &rego.Function{
  5. Name: "hello",
  6. Decl: types.NewFunction(types.Args(types.S), types.S),
  7. },
  8. func(_ rego.BuiltinContext, a *ast.Term) (*ast.Term, error) {
  9. if str, ok := a.Value.(ast.String); ok {
  10. return ast.StringTerm("hello, " + string(str)), nil
  11. }
  12. return nil, nil
  13. }),
  14. ))
  15. query, err := r.PrepareForEval(ctx)
  16. if err != nil {
  17. // handle error.
  18. }

At this point you can execute the query:

  1. rs, err := query.Eval(ctx)
  2. if err != nil {
  3. // handle error.
  4. }
  5. // Do something with result.
  6. fmt.Println(rs[0].Bindings["x"])

If you executed this code you the output would be:

  1. "hello, bob"

The example above highlights a few important points.

  • The rego package includes variants of rego.Function1 for passing accepting different numbers of operands (e.g., rego.Function2, rego.Function3, etc.)
  • The rego.Function#Name struct field specifies the operator that queries can refer to.
  • The rego.Function#Decl struct field specifies the function’s type signature. In the example above the function accepts a string and returns a string.
  • The function indicates it’s undefined by returning nil for the first return argument.

Let’s look at another exmaple. Imagine you want to expose GitHub repository metadata to your policices. One option is to implement a custom built-in function to fetch the data for specific repositories on-the-fly.

  1. r := rego.New(
  2. rego.Query(`github.repo("open-policy-agent", "opa")`),
  3. rego.Function2(
  4. &rego.Function{
  5. Name: "github.repo",
  6. Decl: types.NewFunction(types.Args(types.S, types.S), types.A),
  7. Memoize: true,
  8. },
  9. func(bctx rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error) {
  10. // see implementation below.
  11. },
  12. ),
  13. )

Built-in function names can included . characters. Consider namespacing your built-in functions to avoid collisions. This declaration indicates the function accepts two strings and returns a value of type any. The any type is the union of all types in Rego.

types.S and types.A are shortcuts for constructing Rego types. If you need to define use-case specific types (e.g., a list of objects that have fields foo, bar, and baz, you will need to construct them using the types packages APIs.)

The declaration also sets rego.Function#Memoize to true to enable memoization across multiple calls in the same query. If your built-in function performs I/O, you should enable memoization as it ensures function evaluation is deterministic.

The implementation wraps the Go standard library to perform HTTP requests to GitHub’s API:

  1. func(bctx rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error) {
  2. var org, repo string
  3. if err := ast.As(a.Value, &org); err != nil {
  4. return nil, err
  5. } else if ast.As(b.Value, &repo); err != nil {
  6. return nil, err
  7. }
  8. req, err := http.NewRequest("GET", fmt.Sprintf("https://api.github.com/repos/%v/%v", org, repo), nil)
  9. if err != nil {
  10. return nil, err
  11. }
  12. resp, err := http.DefaultClient.Do(req.WithContext(bctx.Context))
  13. if err != nil {
  14. return nil, err
  15. }
  16. defer resp.Body.Close()
  17. if resp.StatusCode != http.StatusOK {
  18. return nil, fmt.Errorf(resp.Status)
  19. }
  20. v, err := ast.ValueFromReader(resp.Body)
  21. if err != nil {
  22. return nil, err
  23. }
  24. return ast.NewTerm(v), nil
  25. }

The implementation is careful to use the context passed to the built-in function when executing the HTTP request. See the appendix at the end of this page for the complete example.

Custom Plugins for OPA Daemon

Read this section if you want to customize or extend the OPA daemon.

OPA defines a plugin interface that allows you to customize certain behaviour like decision logging or add new behaviour like different query APIs. To implement a custom plugin you must implement two interfaces:

You can register your factory with OPA by calling github.com/open-policy-agent/opa/runtime#RegisterPlugin inside your main function.

Putting It Together

The example below shows how you can implement a custom Decision Logger that writes events to a stream (e.g., stdout/stderr).

  1. import (
  2. "github.com/open-policy-agent/opa/plugins/logs"
  3. )
  4. type Config struct {
  5. Stderr bool `json:"stderr"` // false => stdout, true => stderr
  6. }
  7. type PrintlnLogger struct {
  8. mtx sync.Mutex
  9. config Config
  10. }
  11. func (p *PrintlnLogger) Start(ctx context.Context) error {
  12. // No-op.
  13. return nil
  14. }
  15. func (p *PrintlnLogger) Stop(ctx context.Context) {
  16. // No-op.
  17. }
  18. func (p *PrintlnLogger) Reconfigure(ctx context.Context, config interface{}) {
  19. p.mtx.Lock()
  20. defer p.mtx.Unlock()
  21. p.config = config.(Config)
  22. }
  23. func (p *PrintlnLogger) Log(ctx context.Context, event logs.EventV1) error {
  24. p.mtx.Lock()
  25. defer p.mtx.Unlock()
  26. w := os.Stdout
  27. if p.config.Stderr {
  28. w = os.Stderr
  29. }
  30. fmt.Fprintln(w, event) // ignoring errors!
  31. return nil
  32. }

Next, implement a factory function that instantiates your plugin:

  1. import (
  2. "github.com/open-policy-agent/opa/plugins"
  3. "github.com/open-policy-agent/opa/util"
  4. )
  5. type Factory struct{}
  6. func (Factory) New(_ *plugins.Manager, config interface{}) plugins.Plugin {
  7. return &PrintlnLogger{
  8. config: config.(Config),
  9. }
  10. }
  11. func (Factory) Validate(_ *plugins.Manager, config []byte) (interface{}, error) {
  12. parsedConfig := Config{}
  13. return parsedConfig, util.Unmarshal(config, &parsedConfig)
  14. }

Finally, register your factory with OPA and call cmd.RootCommand.Execute. The latter starts OPA and does not return.

  1. import (
  2. "github.com/open-policy-agent/opa/cmd"
  3. "github.com/open-policy-agent/opa/runtime"
  4. )
  5. func main() {
  6. runtime.RegisterPlugin("println_decision_logger", Factory{})
  7. if err := cmd.RootCommand.Execute(); err != nil {
  8. fmt.Println(err)
  9. os.Exit(1)
  10. }
  11. }

At this point you can build an OPA executable including your plugin.

  1. go build -o opa++

Define an OPA configuration file that will use your plugin:

config.yaml:

  1. decision_logs:
  2. plugin: println_decision_logger
  3. plugins:
  4. println_decision_logger:
  5. stderr: false

Start OPA with the configuration file:

  1. ./opa++ run --server --config-file config.yaml

Exercise the plugin via the OPA API:

  1. curl localhost:8181/v1/data

If everything worked you will see the Go struct representation of the decision log event written to stdout.

The source code for this example can be found here.

If there is a mask policy set (see Decision Logger for details) the Event received by the demo plugin will potentially be different than the example documented.

Appendix

Custom Built-in Function in Go

  1. package main
  2. import (
  3. "context"
  4. "encoding/json"
  5. "fmt"
  6. "log"
  7. "net/http"
  8. "github.com/open-policy-agent/opa/ast"
  9. "github.com/open-policy-agent/opa/rego"
  10. "github.com/open-policy-agent/opa/types"
  11. )
  12. func main() {
  13. r := rego.New(
  14. rego.Query(`github.repo("open-policy-agent", "opa")`),
  15. rego.Function2(
  16. &rego.Function{
  17. Name: "github.repo",
  18. Decl: types.NewFunction(types.Args(types.S, types.S), types.A),
  19. Memoize: true,
  20. },
  21. func(bctx rego.BuiltinContext, a, b *ast.Term) (*ast.Term, error) {
  22. var org, repo string
  23. if err := ast.As(a.Value, &org); err != nil {
  24. return nil, err
  25. } else if ast.As(b.Value, &repo); err != nil {
  26. return nil, err
  27. }
  28. req, err := http.NewRequest("GET", fmt.Sprintf("https://api.github.com/repos/%v/%v", org, repo), nil)
  29. if err != nil {
  30. return nil, err
  31. }
  32. resp, err := http.DefaultClient.Do(req.WithContext(bctx.Context))
  33. if err != nil {
  34. return nil, err
  35. }
  36. defer resp.Body.Close()
  37. if resp.StatusCode != http.StatusOK {
  38. return nil, fmt.Errorf(resp.Status)
  39. }
  40. v, err := ast.ValueFromReader(resp.Body)
  41. if err != nil {
  42. return nil, err
  43. }
  44. return ast.NewTerm(v), nil
  45. },
  46. ),
  47. )
  48. rs, err := r.Eval(context.Background())
  49. if err != nil {
  50. log.Fatal(err)
  51. } else if len(rs) == 0 {
  52. fmt.Println("undefined")
  53. } else {
  54. bs, _ := json.MarshalIndent(rs[0].Expressions[0].Value, "", " ")
  55. fmt.Println(string(bs))
  56. }
  57. }