cel

package

v1.1.1 Latest Latest Go to latest Published: Mar 17, 2026 License: Apache-2.0 Imports: 32 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/carabiner-dev/ampel

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
type CelEvaluatorImplementation
type EvaluationError
- func (ee *EvaluationError) Error() string
type Evaluator
- func New(funcs ...options.OptFunc) (*Evaluator, error)
- func NewWithOptions(opts *options.EvaluatorOptions) (*Evaluator, error)
type Plugin
type PredicateVal
- func NewPredicateVal(sv *structpb.Value, pred attestation.Predicate) *PredicateVal
type VerificationTypeAdapter
- func (VerificationTypeAdapter) NativeToValue(value any) ref.Val
type VerificationVal
- func NewVerificationVal(pred attestation.Predicate) *VerificationVal

Constants ¶

View Source

const (
	VarNamePredicate  = "predicate"
	VarNamePredicates = "predicates"
	VarNameContext    = "context"
	VarNameOutputs    = "outputs"
	VarNameSubject    = "subject"
)

Variables ¶

View Source

var Class = class.Class("cel@v0")

View Source

var PredicateValType = cel.ObjectType("predicateVal", traits.IndexerType)

PredicateValType is the CEL object type for predicate wrapper values.

View Source

var VerificationType = cel.ObjectType("verification", traits.ReceiverType, traits.IndexerType)

VerificationType is the CEL object type for verification values.

Functions ¶

This section is empty.

Types ¶

type CelEvaluatorImplementation ¶

type CelEvaluatorImplementation interface {
	CompileCode(*cel.Env, string) (*cel.Ast, error)
	CreateEnvironment(*options.EvaluatorOptions, map[string]Plugin) (*cel.Env, error)
	BuildVariables(*options.EvaluatorOptions, map[string]Plugin, *papi.Tenet, *evalcontext.EvaluationContext, []attestation.Predicate) (*map[string]any, error)
	EnsurePredicates(*papi.Tenet, *map[string]any) (*papi.EvalResult, error)
	EvaluateOutputs(*cel.Env, map[string]*cel.Ast, *map[string]any) (map[string]any, error)
	Evaluate(*cel.Env, *cel.Ast, *map[string]any) (*papi.EvalResult, error)
	Assert(*papi.ResultSet) bool
	BuildSelectorVariables(*options.EvaluatorOptions, map[string]Plugin, *evalcontext.EvaluationContext, *papi.Policy, attestation.Subject, *papi.ChainedPredicate, attestation.Predicate) (*map[string]any, error)
	EvaluateChainedSelector(*cel.Env, *cel.Ast, *map[string]any) ([]attestation.Subject, error)
}

type EvaluationError ¶

type EvaluationError struct {
	Message   string
	EvalError error
}

EvaluationError captures error details when executing CEL code

func (*EvaluationError) Error ¶

func (ee *EvaluationError) Error() string

type Evaluator ¶

type Evaluator struct {
	Environment *cel.Env
	Plugins     map[string]Plugin
	// contains filtered or unexported fields
}

Evaluator implements the evaluator.Evaluator interface to evaluate CEL code

func New ¶

func New(funcs ...options.OptFunc) (*Evaluator, error)

New creates a new CEL evaluator with the default options

func NewWithOptions ¶

func NewWithOptions(opts *options.EvaluatorOptions) (*Evaluator, error)

func (*Evaluator) ExecChainedSelector ¶

func (e *Evaluator) ExecChainedSelector(
	ctx context.Context, opts *options.EvaluatorOptions, chained *papi.ChainedPredicate, predicate attestation.Predicate,
) ([]attestation.Subject, error)

func (*Evaluator) ExecTenet ¶

func (e *Evaluator) ExecTenet(
	ctx context.Context, opts *options.EvaluatorOptions, tenet *papi.Tenet, predicates []attestation.Predicate,
) (*papi.EvalResult, error)

Exec executes each tenet and returns the combined results

func (*Evaluator) RegisterPlugin ¶

func (e *Evaluator) RegisterPlugin(plugin api.Plugin) error

RegisterPlugin registers a plugin expanding the CEL API available at eval time

type Plugin ¶

type Plugin interface {
	// CanRegisterDataFor implements the plugin api function that flags if
	// the plugin is compatible with a class of evaluator
	CanRegisterFor(class.Class) bool

	// EnvVariables returns the data (as a cel.Variable list) that will be
	// registered as global variables in the evaluation environment
	Library() cel.EnvOption

	// VarValues returns the values of the variables handled by the plugin
	VarValues(*papi.Policy, attestation.Subject, []attestation.Predicate) map[string]any
}

type PredicateVal ¶ added in v1.1.1

type PredicateVal struct {
	// contains filtered or unexported fields
}

PredicateVal wraps a CEL predicate (structpb map) and intercepts access to the "verification" key to return a VerificationVal that supports matchesId.

func NewPredicateVal ¶ added in v1.1.1

func NewPredicateVal(sv *structpb.Value, pred attestation.Predicate) *PredicateVal

NewPredicateVal creates a PredicateVal from a structpb value and a predicate. The structpb value backs field access for data/predicate_type; the predicate provides verification data for the VerificationVal.

func (*PredicateVal) ConvertToNative ¶ added in v1.1.1

func (p *PredicateVal) ConvertToNative(_ reflect.Type) (any, error)

func (*PredicateVal) ConvertToType ¶ added in v1.1.1

func (p *PredicateVal) ConvertToType(typeVal ref.Type) ref.Val

func (*PredicateVal) Equal ¶ added in v1.1.1

func (p *PredicateVal) Equal(_ ref.Val) ref.Val

func (*PredicateVal) Get ¶ added in v1.1.1

func (p *PredicateVal) Get(index ref.Val) ref.Val

Get implements traits.Indexer. Access to "verification" returns the VerificationVal (which supports matchesId); all other keys delegate to the underlying structpb map.

func (*PredicateVal) Type ¶ added in v1.1.1

func (p *PredicateVal) Type() ref.Type

func (*PredicateVal) Value ¶ added in v1.1.1

func (p *PredicateVal) Value() any

type VerificationTypeAdapter ¶ added in v1.1.1

type VerificationTypeAdapter struct{}

VerificationTypeAdapter adapts VerificationVal for the CEL runtime.

func (VerificationTypeAdapter) NativeToValue ¶ added in v1.1.1

func (VerificationTypeAdapter) NativeToValue(value any) ref.Val

NativeToValue implements the cel.TypeAdapter interface.

type VerificationVal ¶ added in v1.1.1

type VerificationVal struct {
	// contains filtered or unexported fields
}

VerificationVal wraps signer verification data as a CEL value. It exposes field access (.verified, .identities) via an embedded structpb CEL map and provides a matchesId member function for identity matching.

func NewVerificationVal ¶ added in v1.1.1

func NewVerificationVal(pred attestation.Predicate) *VerificationVal

NewVerificationVal creates a VerificationVal from a predicate. If the predicate is nil or has no verification, a default (unverified, no identities) value is returned.

func (*VerificationVal) ConvertToNative ¶ added in v1.1.1

func (v *VerificationVal) ConvertToNative(_ reflect.Type) (any, error)

func (*VerificationVal) ConvertToType ¶ added in v1.1.1

func (v *VerificationVal) ConvertToType(typeVal ref.Type) ref.Val

func (*VerificationVal) Equal ¶ added in v1.1.1

func (v *VerificationVal) Equal(_ ref.Val) ref.Val

func (*VerificationVal) Get ¶ added in v1.1.1

func (v *VerificationVal) Get(index ref.Val) ref.Val

Get implements traits.Indexer, delegating field access to the underlying structpb map so that .verified and .identities work.

func (*VerificationVal) Type ¶ added in v1.1.1

func (v *VerificationVal) Type() ref.Type

func (*VerificationVal) Value ¶ added in v1.1.1

func (v *VerificationVal) Value() any

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL