Issue-6559 Add ability to create decision labels within a policy

ast/builtins.go

@@ -243,6 +243,9 @@ var DefaultBuiltins = [...]*Builtin{
 	// HTTP
 	HTTPSend,
 
+	// Decision Labels
+	DecisionLabelAdd,
+
 	// GraphQL
 	GraphQLParse,
 	GraphQLParseAndVerify,
@@ -2701,6 +2704,24 @@ var HTTPSend = &Builtin{
 	Nondeterministic: true,
 }
 
+/**
+ * Decision Labels
+ */
+
+// DecisionLabelAdd takes in Policy result data and adds it to the Decision Label property
+var DecisionLabelAdd = &Builtin{
+	Name:        "decision.label.add",
+	Description: "adds Policy results to the Decision Label Property",
+	Decl: types.NewFunction(
+		types.Args(
+			types.Named("label", types.S).Description("string label of the tag"),
+			types.Named("value", types.A).Description("string value of the tag"),
+		),
+		types.Named("labels", types.NewObject(nil, types.NewDynamicProperty(types.S, types.A))),
+	),
+	Nondeterministic: true,
+}
+
 /**
  * GraphQL
  */

builtin_metadata.json

@@ -49,6 +49,9 @@
       "crypto.x509.parse_keypair",
       "crypto.x509.parse_rsa_private_key"
     ],
+    "decision": [
+      "decision.label.add"
+    ],
     "encoding": [
       "base64.decode",
       "base64.encode",
@@ -4822,6 +4825,30 @@
     },
     "wasm": false
   },
+  "decision.label.add": {
+    "args": [
+      {
+        "description": "string label of the tag",
+        "name": "label",
+        "type": "string"
+      },
+      {
+        "description": "string value of the tag",
+        "name": "value",
+        "type": "any"
+      }
+    ],
+    "available": [
+      "edge"
+    ],
+    "description": "adds Policy results to the Decision Label Property",
+    "introduced": "edge",
+    "result": {
+      "name": "labels",
+      "type": "object[string: any]"
+    },
+    "wasm": false
+  },
   "div": {
     "args": [
       {

capabilities.json

@@ -895,6 +895,32 @@
         "type": "function"
       }
     },
+    {
+      "name": "decision.label.add",
+      "decl": {
+        "args": [
+          {
+            "type": "string"
+          },
+          {
+            "type": "any"
+          }
+        ],
+        "result": {
+          "dynamic": {
+            "key": {
+              "type": "string"
+            },
+            "value": {
+              "type": "any"
+            }
+          },
+          "type": "object"
+        },
+        "type": "function"
+      },
+      "nondeterministic": true
+    },
     {
       "name": "div",
       "decl": {

plugins/logs/plugin.go

@@ -57,6 +57,7 @@ type EventV1 struct {
 	Result         *interface{}            `json:"result,omitempty"`
 	MappedResult   *interface{}            `json:"mapped_result,omitempty"`
 	NDBuiltinCache *interface{}            `json:"nd_builtin_cache,omitempty"`
+	DecisionLabel  *interface{}            `json:"decision_label,omitempty"`
 	Erased         []string                `json:"erased,omitempty"`
 	Masked         []string                `json:"masked,omitempty"`
 	Error          error                   `json:"error,omitempty"`
@@ -93,6 +94,7 @@ var inputKey = ast.StringTerm("input")
 var resultKey = ast.StringTerm("result")
 var mappedResultKey = ast.StringTerm("mapped_result")
 var ndBuiltinCacheKey = ast.StringTerm("nd_builtin_cache")
+var decisionLabelKey = ast.StringTerm("decision_label")
 var erasedKey = ast.StringTerm("erased")
 var maskedKey = ast.StringTerm("masked")
 var errorKey = ast.StringTerm("error")
@@ -174,6 +176,14 @@ func (e *EventV1) AST() (ast.Value, error) {
 		event.Insert(ndBuiltinCacheKey, ast.NewTerm(ndbCache))
 	}
 
+	if e.DecisionLabel != nil {
+		decisionLabel, err := roundtripJSONToAST(e.DecisionLabel)
+		if err != nil {
+			return nil, err
+		}
+		event.Insert(decisionLabelKey, ast.NewTerm(decisionLabel))
+	}
+
 	if len(e.Erased) > 0 {
 		erased := make([]*ast.Term, len(e.Erased))
 		for i, v := range e.Erased {
@@ -609,6 +619,7 @@ func (p *Plugin) Log(ctx context.Context, decision *server.Info) error {
 		Result:         decision.Results,
 		MappedResult:   decision.MappedResults,
 		NDBuiltinCache: decision.NDBuiltinCache,
+		DecisionLabel:  decision.DecisionLabel,
 		RequestedBy:    decision.RemoteAddr,
 		Timestamp:      decision.Timestamp,
 		RequestID:      decision.RequestID,

plugins/logs/plugin_test.go

@@ -2502,6 +2502,10 @@ func TestEventV1ToAST(t *testing.T) {
 		}),
 	}.AsValue())
 
+	var decisionLabel interface{} = builtins.DecisionLabel{
+		"foo": "bar",
+	}
+
 	cases := []struct {
 		note  string
 		event EventV1
@@ -2639,6 +2643,25 @@ func TestEventV1ToAST(t *testing.T) {
 				NDBuiltinCache: &ndbCacheExample,
 			},
 		},
+		{
+			note: "event with decision_label",
+			event: EventV1{
+				Labels:     map[string]string{"foo": "1", "bar": "2"},
+				DecisionID: "1234567890",
+				Bundles: map[string]BundleInfoV1{
+					"b1": {"revision7"},
+					"b2": {"0"},
+					"b3": {},
+				},
+				Input:         &goInput,
+				Path:          "/http/authz/allow",
+				RequestedBy:   "[::1]:59943",
+				Result:        &result,
+				Timestamp:     time.Now(),
+				inputAST:      astInput,
+				DecisionLabel: &decisionLabel,
+			},
+		},
 		{
 			note: "event with req id",
 			event: EventV1{

rego/rego.go

@@ -118,6 +118,7 @@ type EvalContext struct {
 	earlyExit              bool
 	interQueryBuiltinCache cache.InterQueryCache
 	ndBuiltinCache         builtins.NDBCache
+	decisionLabel          builtins.DecisionLabel
 	resolvers              []refResolver
 	sortSets               bool
 	copyMaps               bool
@@ -382,6 +383,7 @@ func (pq preparedQuery) newEvalContext(ctx context.Context, options []EvalOption
 		printHook:           pq.r.printHook,
 		capabilities:        pq.r.capabilities,
 		strictBuiltinErrors: pq.r.strictBuiltinErrors,
+		decisionLabel:       pq.r.decisionLabel,
 	}
 
 	for _, o := range options {
@@ -580,6 +582,7 @@ type Rego struct {
 	skipBundleVerification bool
 	interQueryBuiltinCache cache.InterQueryCache
 	ndBuiltinCache         builtins.NDBCache
+	decisionLabel          builtins.DecisionLabel
 	strictBuiltinErrors    bool
 	builtinErrorList       *[]topdown.Error
 	resolvers              []refResolver
@@ -1112,6 +1115,13 @@ func NDBuiltinCache(c builtins.NDBCache) func(r *Rego) {
 	}
 }
 
+// DecisionLabel sets the Policy result data.
+func DecisionLabel(dl builtins.DecisionLabel) func(r *Rego) {
+	return func(r *Rego) {
+		r.decisionLabel = dl
+	}
+}
+
 // StrictBuiltinErrors tells the evaluator to treat all built-in function errors as fatal errors.
 func StrictBuiltinErrors(yes bool) func(r *Rego) {
 	return func(r *Rego) {
@@ -2085,7 +2095,8 @@ func (r *Rego) eval(ctx context.Context, ectx *EvalContext) (ResultSet, error) {
 		WithBuiltinErrorList(r.builtinErrorList).
 		WithSeed(ectx.seed).
 		WithPrintHook(ectx.printHook).
-		WithDistributedTracingOpts(r.distributedTacingOpts)
+		WithDistributedTracingOpts(r.distributedTacingOpts).
+		WithDecisionLabel(r.decisionLabel)
 
 	if !ectx.time.IsZero() {
 		q = q.WithTime(ectx.time)

rego/rego_test.go

@@ -2574,6 +2574,21 @@ func TestNDBCacheMarshalUnmarshalJSON(t *testing.T) {
 	}
 }
 
+func TestEvalWithDecisionLabel(t *testing.T) {
+
+	query := "decision.label.add(\"foo\", \"bar\")"
+
+	decisionLabel := builtins.DecisionLabel{"foo": "bar"}
+
+	ctx := context.Background()
+
+	_, err := New(Query(query), DecisionLabel(decisionLabel)).Eval(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+}
+
 func TestStrictBuiltinErrors(t *testing.T) {
 	_, err := New(Query("1/0"), StrictBuiltinErrors(true)).Eval(context.Background())
 	if err == nil {

sdk/opa.go

@@ -261,6 +261,8 @@ func (opa *OPA) Decision(ctx context.Context, options DecisionOptions) (*Decisio
 		}
 	}
 
+	dl := builtins.DecisionLabel{}
+
 	result, err := opa.executeTransaction(
 		ctx,
 		&record,
@@ -273,6 +275,7 @@ func (opa *OPA) Decision(ctx context.Context, options DecisionOptions) (*Decisio
 				queryCache:          s.queryCache,
 				interQueryCache:     s.interQueryBuiltinCache,
 				ndbcache:            ndbc,
+				decisionLabel:       dl,
 				txn:                 record.Txn,
 				now:                 record.Timestamp,
 				path:                record.Path,
@@ -506,6 +509,7 @@ type evalArgs struct {
 	path                string
 	input               interface{}
 	ndbcache            builtins.NDBCache
+	decisionLabel       builtins.DecisionLabel
 	m                   metrics.Metrics
 	strictBuiltinErrors bool
 	tracer              topdown.QueryTracer
@@ -548,6 +552,7 @@ func evaluate(ctx context.Context, args evalArgs) (interface{}, types.Provenance
 			rego.PrintHook(args.printHook),
 			rego.StrictBuiltinErrors(args.strictBuiltinErrors),
 			rego.Instrument(args.instrument),
+			rego.DecisionLabel(args.decisionLabel),
 			rego.Runtime(args.runtime)).PrepareForEval(ctx)
 		if err != nil {
 			return nil, err

server/buffer.go

@@ -30,6 +30,7 @@ type Info struct {
 	Results        *interface{}
 	MappedResults  *interface{}
 	NDBuiltinCache *interface{}
+	DecisionLabel  *interface{}
 	Error          error
 	Metrics        metrics.Metrics
 	Trace          []*topdown.Event

topdown/builtins.go

@@ -35,24 +35,25 @@ type (
 	// BuiltinContext contains context from the evaluator that may be used by
 	// built-in functions.
 	BuiltinContext struct {
-		Context                context.Context       // request context that was passed when query started
-		Metrics                metrics.Metrics       // metrics registry for recording built-in specific metrics
-		Seed                   io.Reader             // randomization source
-		Time                   *ast.Term             // wall clock time
-		Cancel                 Cancel                // atomic value that signals evaluation to halt
-		Runtime                *ast.Term             // runtime information on the OPA instance
-		Cache                  builtins.Cache        // built-in function state cache
-		InterQueryBuiltinCache cache.InterQueryCache // cross-query built-in function state cache
-		NDBuiltinCache         builtins.NDBCache     // cache for non-deterministic built-in state
-		Location               *ast.Location         // location of built-in call
-		Tracers                []Tracer              // Deprecated: Use QueryTracers instead
-		QueryTracers           []QueryTracer         // tracer objects for trace() built-in function
-		TraceEnabled           bool                  // indicates whether tracing is enabled for the evaluation
-		QueryID                uint64                // identifies query being evaluated
-		ParentID               uint64                // identifies parent of query being evaluated
-		PrintHook              print.Hook            // provides callback function to use for printing
-		DistributedTracingOpts tracing.Options       // options to be used by distributed tracing.
-		rand                   *rand.Rand            // randomization source for non-security-sensitive operations
+		Context                context.Context        // request context that was passed when query started
+		Metrics                metrics.Metrics        // metrics registry for recording built-in specific metrics
+		Seed                   io.Reader              // randomization source
+		Time                   *ast.Term              // wall clock time
+		Cancel                 Cancel                 // atomic value that signals evaluation to halt
+		Runtime                *ast.Term              // runtime information on the OPA instance
+		Cache                  builtins.Cache         // built-in function state cache
+		InterQueryBuiltinCache cache.InterQueryCache  // cross-query built-in function state cache
+		NDBuiltinCache         builtins.NDBCache      // cache for non-deterministic built-in state
+		DecisionLabel          builtins.DecisionLabel // map of non-deterministic Policy result data
+		Location               *ast.Location          // location of built-in call
+		Tracers                []Tracer               // Deprecated: Use QueryTracers instead
+		QueryTracers           []QueryTracer          // tracer objects for trace() built-in function
+		TraceEnabled           bool                   // indicates whether tracing is enabled for the evaluation
+		QueryID                uint64                 // identifies query being evaluated
+		ParentID               uint64                 // identifies parent of query being evaluated
+		PrintHook              print.Hook             // provides callback function to use for printing
+		DistributedTracingOpts tracing.Options        // options to be used by distributed tracing.
+		rand                   *rand.Rand             // randomization source for non-security-sensitive operations
 		Capabilities           *ast.Capabilities
 	}
 

topdown/builtins/builtins.go

@@ -109,6 +109,20 @@ func (c *NDBCache) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
+// DecisionLabel contains the Policy result data. The expected
+// inputs will be Strings, with the value representing a JSON
+// message body.
+type DecisionLabel map[ast.String]ast.String
+
+func (dl DecisionLabel) Add(k ast.String, v ast.String) {
+	dl[k] = v
+} // end Add function
+
+func (dl DecisionLabel) Get(k ast.String) (ast.String, bool) {
+	v, ok := dl[k]
+	return v, ok
+} // end Get function
+
 // ErrOperand represents an invalid operand has been passed to a built-in
 // function. Built-ins should return ErrOperand to indicate a type error has
 // occurred.