cel

package v1.0.0-beta.3
Warning: This package is not in the latest version of its module.
Published: Feb 20, 2026 License: AGPL-3.0 Imports: 12 Imported by: 0

Documentation

Overview

Package cel provides a CEL-based policy expression evaluator.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BuildUniversalActivation

func BuildUniversalActivation(evalCtx policy.EvaluationContext) map[string]any

BuildUniversalActivation creates a CEL activation map from an EvaluationContext. It populates all backward-compatible, universal, and destination variables. Default filling is applied for empty universal fields.

func NewPolicyEnvironment

func NewPolicyEnvironment() (*cel.Env, error)

NewPolicyEnvironment creates a CEL environment configured for policy evaluation. It delegates to NewUniversalPolicyEnvironment() which includes all universal variables and custom functions, maintaining backward compatibility with existing callers.

func NewUniversalPolicyEnvironment

func NewUniversalPolicyEnvironment() (*cel.Env, error)

NewUniversalPolicyEnvironment creates a CEL environment with all universal variables and custom functions for cross-protocol policy evaluation. It includes:

  • Backward-compatible variables: tool_name, tool_args, user_roles, session_id, identity_id, identity_name, request_time
  • Universal variables: action_type, action_name, protocol, framework, gateway, arguments, identity_roles
  • Destination variables: dest_url, dest_domain, dest_ip, dest_port, dest_scheme, dest_path, dest_command
  • Custom functions: glob, dest_ip_in_cidr, dest_domain_matches, action_arg, action_arg_contains
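The custom functions listed above are only named on this page, not specified. The following is an added example (not the package's own code) that shows the semantics a defender would expect from dest_ip_in_cidr, dest_domain_matches and glob, implemented with the Go standard library, plus a small egress check built from them. The function names, the matching rules (dot-prefixed pattern means "this domain or any subdomain", shell-style glob via path.Match) and the sample destinations are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"path"
	"strings"
)

// destIPInCIDR reports whether ip lies inside the CIDR block cidr.
// Assumed semantics for the page's dest_ip_in_cidr helper (not the package's code).
func destIPInCIDR(ip, cidr string) (bool, error) {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return false, fmt.Errorf("bad ip %q: %w", ip, err)
	}
	prefix, err := netip.ParsePrefix(cidr)
	if err != nil {
		return false, fmt.Errorf("bad cidr %q: %w", cidr, err)
	}
	// Unmap so an IPv4-mapped IPv6 address (::ffff:10.1.2.3) still matches an IPv4
	// prefix; without it such an address silently falls outside a v4 allowlist.
	return prefix.Contains(addr.Unmap()), nil
}

// destDomainMatches reports whether domain equals pattern or, when pattern begins
// with a dot, equals or is a subdomain of the name after the dot. Comparison is
// case-insensitive and ignores a trailing dot. Assumed semantics for dest_domain_matches.
func destDomainMatches(domain, pattern string) bool {
	d := strings.ToLower(strings.TrimSuffix(domain, "."))
	p := strings.ToLower(strings.TrimSuffix(pattern, "."))
	if strings.HasPrefix(p, ".") {
		// Suffix match on ".corp.example" rejects "evilcorp.example"; the first
		// clause accepts the apex name itself.
		return d == strings.TrimPrefix(p, ".") || strings.HasSuffix(d, p)
	}
	return d == p
}

// glob matches value against a shell-style pattern (*, ?, [...]) using path.Match.
// Assumed semantics for the page's glob helper.
func glob(pattern, value string) (bool, error) {
	return path.Match(pattern, value)
}

// destinationAllowed applies a sample egress policy of the kind these helpers support:
// allow when the domain is corp.example or under it, or the IP is inside 10.0.0.0/8.
func destinationAllowed(domain, ip string) (bool, error) {
	if destDomainMatches(domain, ".corp.example") {
		return true, nil
	}
	if ip == "" {
		return false, nil
	}
	return destIPInCIDR(ip, "10.0.0.0/8")
}

func main() {
	// Constructed sample destinations.
	for _, d := range []struct{ domain, ip string }{
		{"api.corp.example", "203.0.113.9"},
		{"evilcorp.example", "10.20.30.40"},
		{"attacker.test", "198.51.100.7"},
	} {
		ok, err := destinationAllowed(d.domain, d.ip)
		fmt.Printf("%-20s %-15s allowed=%v err=%v\n", d.domain, d.ip, ok, err)
	}
	ok, _ := glob("file_*", "file_read")
	fmt.Println("glob(file_*, file_read) =", ok)
}
```

The unmap step and the dot-prefixed suffix rule are the two places where a naive implementation of a destination allowlist is commonly wrong; a parse error is returned rather than treated as "not in range" so a policy author can see malformed input instead of a silent deny.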

Types

type Evaluator

type Evaluator struct {
	// contains filtered or unexported fields
}

Evaluator compiles and evaluates CEL expressions for policy rules.

func NewEvaluator

func NewEvaluator() (*Evaluator, error)

NewEvaluator creates a new CEL evaluator with the policy environment.

func (*Evaluator) Compile

func (e *Evaluator) Compile(expression string) (cel.Program, error)

Compile parses and type-checks a CEL expression, returning a compiled program.

func (*Evaluator) Evaluate

func (e *Evaluator) Evaluate(prg cel.Program, evalCtx policy.EvaluationContext) (bool, error)

Evaluate runs a compiled CEL program against the given evaluation context. Returns true if the expression evaluates to true, false otherwise. Uses BuildUniversalActivation to populate all variables (backward-compatible, universal, and destination) and ContextEval with a timeout to prevent indefinite evaluation hangs (HARDEN-02).

func (*Evaluator) ValidateExpression

func (e *Evaluator) ValidateExpression(expr string) error

ValidateExpression checks that a CEL expression is syntactically valid and safe for policy evaluation (SECU-05, HARDEN-02). It performs compile-time validation and enforces safety limits (expression length, nesting depth).
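Evaluate and ValidateExpression together describe two guards: pre-compile limits on expression length and nesting depth, and a bounded context so evaluation cannot hang. The example below is added here and is not the package's implementation; it shows what those guards do using only the standard library. The limit values, the bracket-depth heuristic, the `program` stand-in for a compiled cel.Program, and the sample expressions are assumptions; the real package compiles and type-checks with its CEL environment in addition to these checks.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Hypothetical limits: the page says length and nesting depth are capped but not at what.
const (
	maxExprLen  = 1024
	maxNesting  = 16
	evalTimeout = 50 * time.Millisecond
)

var (
	ErrTooLong    = errors.New("expression exceeds maximum length")
	ErrTooDeep    = errors.New("expression exceeds maximum nesting depth")
	ErrUnbalanced = errors.New("unbalanced brackets in expression")
)

// validateExpression applies the pre-compile safety limits: a length cap and a cap on
// bracket nesting depth for (), [] and {}. Bracket characters inside string literals
// (single- or double-quoted, with backslash escapes) are ignored so that "(" in a
// string does not count toward depth.
func validateExpression(expr string) error {
	if len(expr) > maxExprLen {
		return fmt.Errorf("%w: %d > %d", ErrTooLong, len(expr), maxExprLen)
	}
	depth := 0
	var quote byte // 0 outside a string literal, else the opening quote character
	for i := 0; i < len(expr); i++ {
		c := expr[i]
		switch {
		case quote != 0:
			if c == '\\' {
				i++ // skip the escaped character
			} else if c == quote {
				quote = 0
			}
		case c == '"' || c == '\'':
			quote = c
		case c == '(' || c == '[' || c == '{':
			depth++
			if depth > maxNesting {
				return fmt.Errorf("%w: depth %d > %d", ErrTooDeep, depth, maxNesting)
			}
		case c == ')' || c == ']' || c == '}':
			depth--
			if depth < 0 {
				return ErrUnbalanced
			}
		}
	}
	if depth != 0 || quote != 0 {
		return ErrUnbalanced
	}
	return nil
}

// program stands in for a compiled cel.Program: it yields a boolean verdict and must
// honour ctx cancellation, as ContextEval does for a real program.
type program func(ctx context.Context, activation map[string]any) (bool, error)

// evaluateWithTimeout mirrors the guard described for Evaluate: a bounded context so a
// pathological expression cannot stall the policy decision. On error (including a
// deadline) the verdict is false, i.e. fail closed.
func evaluateWithTimeout(prg program, activation map[string]any, timeout time.Duration) (bool, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	ok, err := prg(ctx, activation)
	if err != nil {
		return false, err
	}
	return ok, nil
}

// quickProgram is a constructed sample rule: allow only the file_read tool.
func quickProgram(_ context.Context, act map[string]any) (bool, error) {
	name, _ := act["tool_name"].(string)
	return name == "file_read", nil
}

// hangingProgram is a constructed stand-in for an evaluation that never finishes on its own.
func hangingProgram(ctx context.Context, _ map[string]any) (bool, error) {
	select {
	case <-ctx.Done():
		return false, ctx.Err()
	case <-time.After(10 * time.Second):
		return true, nil
	}
}

func main() {
	fmt.Println("valid:", validateExpression("tool_name == 'file_read' && glob('file_*', tool_name)"))
	fmt.Println("too deep:", validateExpression("((((((((((((((((( true )))))))))))))))))"))
	ok, err := evaluateWithTimeout(quickProgram, map[string]any{"tool_name": "file_read"}, evalTimeout)
	fmt.Println("quick:", ok, err)
	ok, err = evaluateWithTimeout(hangingProgram, nil, evalTimeout)
	fmt.Println("hanging:", ok, err)
}
```

Two design points carry over to any policy engine: the limits run before compilation, so an oversized or deeply nested expression is rejected without spending parser time on it, and a timed-out evaluation is reported as a denial plus an error rather than as "allow", so a stalled rule cannot be used to slip past a check.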
