Ways to programmatically analyze rego files

[vivekmenon222]

Here is my use case

Someone will create a rego policy. At runtime I need to read that policy and create a json of what is required to pass that policy.

For example consider this input

{
  "name": "jack",
  "age": 21,
  "ssn": "2365",
  "license": "xyz"
}

Now suppose someone wrote a rego file for this input that says name is mandatory and if age is below 21, SSN or license is mandatory.

I want a way to read that policy file and generate something like this

{
  "fields": {
    "name": {
      "required": true,
      "condition": "Always required"
    },
    "age": {
      "required": true,
      "condition": "Always required for logic evaluation"
    },
    "ssn": {
      "required": false,
      "condition": "Required if age < 21 and license is not provided or empty"
    },
    "license": {
      "required": false,
      "condition": "Required if age < 21 and ssn is not provided or empty"
    }
  }
}

Is there a way to programmatically read a policy file and create a json like this, that indicates what input is required from the user before his application can be processed?

[charlieegan3]

Hey, some of what you are looking to do is almost the default behavior with Rego's json.match_schema function: https://www.openpolicyagent.org/docs/latest/policy-reference/#builtin-object-jsonmatch_schema

However, as you point out with the example this will not work for more complex files with more conditionals etc. I think it'd be best to have a series of rules that perform the check for which you also have an 'index' of their human/user facing description and if they're required.

Generally, I'd look to avoid showing generated explanations of policies to users for security reasons anyway, but this is also something we don't really support in Rego/OPA today.