CEL expression extensions

The CEL expression is configured to expose parts of the request, and some customfunctions to make matching easier.

In addition to the custom function extension listed below, you can craft anyvalid CEL expression as defined by thecel-spec language definition

Notes on numbers in CEL expressions

One thing to be aware of is how numeric values are treated in CEL expressions,JSON numbers are decoded toCEL doublevalues.

For example:

  1. {
  2.   "count": 2,
  3.   "measure": 1.7
  4. }

In the JSON above, both numbers are parsed as floating point values.

This means that if you want to do integer arithmetic, you’ll need touse explicit conversion functions.

From the CEL specification:

Note that currently there are no automatic arithmetic conversions for the numeric types (int, uint, and double).

You can either explicitly convert the number, or add another double value e.g.

  1. interceptors:
  2.   - cel:
  3.       overlays:
  4.         - key: count_plus_1
  5.           expression: "body.count + 1.0"
  6.         - key: count_plus_2
  7.           expression: "int(body.count) + 2"
  8.         - key: measure_times_3
  9.           expression: "body.measure * 3.0"

These will be serialised back to JSON appropriately:

  1. {
  2.   "count_plus_1": 2,
  3.   "count_plus_2": 3,
  4.   "measure_times_3": 5.1
  5. }

Error messages in conversions

The following example will generate an error with the JSON example.

  1. interceptors:
  2.   - cel:
  3.       overlays:
  4.         - key: bad_measure_times_3
  5.           expression: "body.measure * 3"

bad_measure_times_3 will fail withfailed to evaluate overlay expression 'body.measure * 3': no such overloadbecause there’s no automatic conversion.

List of extensions

The body from the http.Request value is decoded to JSON and exposed, and theheaders are also available.

Symbol Type Description Example
body map(string, dynamic) This is the decoded JSON body from the incoming http.Request exposed as a map of string keys to any value types. 
  1. body.value == 'test'
header map(string, list(string)) This is the request Header. 
  1. header['X-Test'][0] == 'test-value'

NOTE: The header value is a Go http.Header, which isdefined as:

  1. type Header map[string][]string

i.e. the header is a mapping of strings, to arrays of strings, see the matchfunction on headers below for an extension that makes looking up headers easier.

List of extension functions

This lists custom functions that can be used from CEL expressions in the CELinterceptor.

Symbol Type Description Example
match header.match(string, string) -> bool Uses the canonical header matching from Go's http.Request to match the header against the value. 
  1. header.match('x-test', 'test-value')
truncate truncate(string, uint) -> string Truncates a string to no more than the specified length. 
  1. truncate(body.commit.sha, 5)
split split(string, string) -> string(dyn) Splits a string on the provided separator value. 
  1. split(body.ref, '/')
canonical header.canonical(string) -> string Uses the canonical header matching from Go's http.Request to get the provided header name. 
  1. header.canonical('x-test')
decodeb64 (string) -> string Decodes a base64 encoded string. 
  1. decodeb64(body.message.data)
compareSecret string.compareSecret(string, string, string) -> bool Constant-time comparison of strings against secrets, this will fetch the secret using the combination of namespace/name and compare the token key to the string using a cryptographic constant-time comparison.. The event-listener service account must have access to the secret. 
  1. header.canonical('X-Secret-Token').compareSecret('', 'secret-name', 'namespace')
compareSecret string.compareSecret(string, string) -> bool This is almost identical to the version above, but only requires two arguments, the namespace is assumed to be the namespace for the event-listener. 
  1. header.canonical('X-Secret-Token').compareSecret('key', 'secret-name')