►
From YouTube: /lgtm with OpenPolicyAgent by @rawkode
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
Oh
hello
and
welcome
to
lgtm
I
am
your
host
david
flanagan.
You
may
know
me
better
as
rock
code
on
the
interwebs
and
twitter
before
we
get
started
today.
Please
remember
this
is
an
official
cncf
event
and
as
such
as
subject
to
the
cncf
code
of
conduct,
please
do
not
add
anything
to
the
chat
or
questions
that
would
be
in
violation
of
that
code
of
conduct,
basically
just
be
respectful
of
the
fellow
participants
and
presenters.
A
B
B
A
B
Yeah,
it's
been
it's
been,
it's
been
a
pretty
exciting
ride,
especially
the
last
couple
years
end
user
adoption
has
has
grown
quite
quickly
and
just
the
the
sheer
number
of
use
cases.
I
think
that
we
see
people
leveraging
it,
for
you
know
not
just
kubernetes
emission
control,
which
is
one
of
the
really
popular
use
cases
from
from
back
in
the
day,
but
all
kinds
of
things.
B
You
know:
cicd
enforcement,
terraform
enforcement,
microservice,
api
authorization,
all
kinds
of
stuff,
there's
just
a
really
cool
long
tail
of
these
cases,
and
I
personally
find
that
really
satisfying
to
see.
A
My
next
question
was
going
to
be:
what
is
it?
I
think
you
just
kind
of
covered
that
all
right.
Well,
I'm
looking
forward
to
this
I'm
going
to
pop
my
screen
share
up
and
what
we
have
here
is
the
open
pause
agent
repository.
So
it's
available
at
github.compa.
A
We
are
going
to
be
taking
a
look
at
the
directory
structure
and
giving
you
a
high
level
overview
of
where
all
the
code
lives,
as
well
as
a
few
other
tidbits
to
help
you
contribute
to
open
policy
agent
in
your
own
time.
Tauren.
You
are
our
guide
for
today.
So
where
would
you
like
to
start
in
our
wild
journey.
E
C
B
The
project's
been
around
for
many
for
several
years
and
it's
it's
grown
so
so
this
is
gonna
be
fun.
Why
don't
we?
Why
don't
we
just
go
up
one
one
level
on
github
to
the
to
the
organization
first
and
then
we'll
we'll
come
back
down
in
a
second.
So
so,
like
you
mentioned
david,
you
can
get
to
the
the
repo
the
organization
on
github.
B
One
thing
to
keep
in
mind
is
that
open
policy
agent
is,
is
a
project
that's
sort
of
intended
to
enable
policy
enforcement
across
a
wide
range
of
different
technology.
So
kubernetes,
you
know
cscd
systems,
you
name
it
right,
and
so,
as
a
result,
we
have
a
bunch
of
different
sub
projects
that
enable
that,
because
opa
on
its
own
can't
really
do
much
in
the
world,
it's
just
a
it's
just
a
language
and
an
engine
for
executing
that
language,
and
so
what
we
need.
F
B
Integrations
that
hook
take
oppa
and
hook
it
up
to
pieces
of
software
and
make
it
do
cool
things,
and
so.
B
Bit
with
these
pin
repositories,
there's
a
bunch
of
other
repos
that
exists,
there's
the
gatekeeper
repository.
So
that's
our
kubernetes
admission
controller
integration.
There's
the
conf
test
repository
that's
for
using
opa
to
enforce
policies
on
the
command
line
like
inside
of
a
ci
cd
pipeline.
You
can
really
easily
take
your
regular.
B
Run
them
against
config
files,
whether
those
are
kubernetes,
manifests
or
potentially
like
terraform
modules
or
even
docker
files.
You
know
npm
package,
json
files,
you
know
you
name
it
right,
any
kind
of
config
that
you
want
to
express
guard
rails
against.
You
can
use
conf
test
to
do
that
very
nicely,
then
there's
the
the
envoy
plugin,
so
that
allows
us
to
enforce
api
authorization
policies.
For
example,
inside
of
a
service
mesh
by
hooking
up
to
envoys
z,
framework.
B
There's
some
ide
plugins
there,
so
those
are
those
are
basically
improving.
The
authoring
experience
for
working
with
oppo
working
with
rego
inside
of
vs
code.
D
F
C
B
To
just
call
this
out
is
that
one
of
the
areas
where
I
see
people
be
most
productive
when
they
start
contributing
opa
is
within
these
integrations.
So
if
you,
you
know,
have
a
need
around.
You
know:
policy
enforcement
inside
of
cicd
check
out
conf
test.
If
you
are
looking
at
microservice
api
authorization
check
out
the
envoy
plugin
if
you're
like,
if
you're
kind
of
running
kubernetes
and
you
want
to
go
to
mission
control,
check
out
gatekeeper
and
so.
C
B
And
so
there's
there's
a
whole
bunch
of
different
ways
you
can
contribute.
It
doesn't
have
to
just
be
inside
of
the
core
repository
but
yeah.
So
I
just
wanted
to
call
that
out.
So,
let's,
let's
dive
back
in
though
now
into
the
open
repo.
I
guess
this
is,
I
guess,
the
oldest
repo
in
the
in
the
organization
and
so
there's.
B
F
B
Policy
language,
that's
sort
of
like
the
parser
and
the
compiler
and
the
evaluator,
and
then
on
top
of
that
there
is
a
bunch
of
tooling
like
command
line
tooling,
so
that
you
can
interact
with
with
policies.
So
there's
like
a
test
runner,
there's
a
rebel
there,
there's
a
benchmarking
tool,
there's
all
kinds
of
stuff
there
and
then
on
top
of
the
tooling
there's
also,
you
know
the
everything
that
makes
the
server
work
right.
B
D
B
Code
there's
a
lot
of
different
areas
that
are
covered
inside
of
this
repository
and
we
can
kind
of
like
start
going
through
that
I
guess
yeah
or
or
maybe
maybe
if
we
go
down
to
the
readme.
Maybe
there's
there's
some
examples
that
we
can
just
kind
of
talk
through
yeah.
D
Yeah
so.
B
C
B
Into
into
like
a
program
written
in,
go,
that's
a
that's
a
really
good
reference,
there's
a
bunch
of
examples
in
the
go
doc
that
show
how
you
can
take
opa
and
hook
it
up
to
or
how
you
can
call
it,
how
you
can
invoke
it
basically
for
go.
The
rest
api
is
similar,
it's
sort
of
like
if
you
want
to
integrate
with
opa
from
another
language.
B
You
know
the
best
way
to
do
that
is
by
interacting
with
the
http
api
and
so
that
api
reference
is
there
for
people
and
then
below
for
contributing
to
open
itself.
We
have
kind
of
like
two
kind
of
like
jumping
off
points:
there's
the
development
md
file
and
the
contributing
md
file
and
those
those
serve
slightly
different
purposes.
So
the
the
contributing
md
file
kind
of
explains,
like
the
overall
process
that
you
can
expect
when
you
want
to
contribute
to
opa.
B
B
What
you're,
what
you're,
what
you're
interested
in
or
what
you're
proposing
right?
If
it's
a
it's
a
small
feature
or
a
small
fix
like
go
ahead
and
open
a
pr!
You
know
it's
not
no
big
deal.
But
if
you
want
to
do
something
more
substantial,
then
we
recommend
you
know,
opening
an
issue
and
then
we
can
have
a
discussion
and
we
can
talk
about
different
options,
because
sometimes
people
don't
realize
all
the
options
that
are
available.
And
so
we
find
it's
like
useful
to
have
that
kind
of
conversation
on
issues.
A
I
think
that's
really
important.
You
know
you
don't
want
to
invest
too
much
time,
contributing
a
new
feature
that
you
think
is
the
best
thing
ever
and
is
really
nice
you're
only
targeted
to
your
individual
use
case
like
it's
always
better
to
have
that
issue,
open
a
dialogue
with
the
maintainers
and
the
contributors
and
even
other
end
users
to
make
sure
that
yeah
people
actually
want
this
feature.
A
B
B
B
What
we'd
like
to
see
from
from
from
from
contributions?
You
know
one
of
the
what
I
like,
the
the
development
philosophies
that
we've
applied
since
the
very
beginning
is
like
this
idea
of
like
documentation
driven
development.
So
we
we
try
as
much
as
possible
to
make
sure
that,
like
all
features
that
go
in
all
pr's
that
go
in
have
docs
changes
accompanying
them.
If
they
don't.
B
That's
like
that,
that's
almost
like
a
I'm,
not
a
red
flag,
but
it's
like
why
not
you
know
like.
What's
the
reason
for
that,
because
at
the
end
of
the
day
you
know
if
you're,
if
there
isn't,
if
there
aren't
any
docs
for
the
thing
that
you're,
adding
like
no
one's
gonna
use
it,
and
you
don't
want
that.
So
you
know
we
recommend,
you
know,
think
about
the
docs
changes
that
you'll
want
to
want
to
contribute.
B
And
then
obviously
we
need
to
make
sure
that
there's
tests
for
everything.
So
we
kind
of
talk
about
that,
and
there
are
a
few
other
kind
of
considerations
we
have.
One
of
them
is
that
you
know
it's
a
fairly
like
large
project,
and
so
one
of
the
the
challenges
we
have
is
just
ensuring
stability
and
backwards
compatibility
for
our
for
our
users.
There's
a
lot
of
people
that
are
embedding
opa
as
a
library
inside
of
their
own
projects.
B
So
we
don't
always
know
what
features
of
opa
they're
going
to
use,
and
so
we
recommend,
for
example,
just
by
convention
putting
code
under
the
internal
package
if
possible
and
not
exporting
it
from
the
opa
project.
So
that
way
it
can
be
used
inside
of
open.
It
can
be
shared
inside
of
opa,
but
it
won't
be
accessed
by
by
by
people
that
are
embedding
open
inside
of
their
own
programs,
and
that
way
like
it's
just
it's
just
it's.
E
B
Really
nice,
it's
like
a
kind
of
like
a
little
kind
of
like
safeguard
that
you
have.
You
know
when
you're
six
months
later,
when
you
need
to
do
some
refactoring,
you
don't
have
to
worry
about
breaking
a
bunch
of
people,
because
you've
decided
to
change
some
internal
api.
I've.
A
Never
really
considered
it
that
way
before,
but
it
makes
a
lot
more
sense.
I
don't
know
why
I
never
thought
of
internal
as
a
way
just
to
kind
of
experiment
and
add
new
features,
and
then,
when
you're
like,
when
they
aren't
stable,
you
could
actually
build
like
you
could
expose
them
via
public
apis
instead
of
having
them
by
public
by
default.
B
Yeah
yeah,
I
actually
didn't
even
realize
I
didn't.
I
wasn't
aware
of
internal
when
we
started
the
project,
so
a
lot
of
the
code
kind
of
started
off
being
exported
and
then,
when
I
learned
about
internal
I
was
I
was
so
happy
and
it's
funny
like
it's
a
it's
a
it's
kind
of
like
a
matter
of
taste
like
some
people.
I've
had
conversations
with
some
people
and
they're
like
oh.
No.
I
don't
want
to
do
that.
I
want
my
code
to
be
used
by
as
many
people
as
possible.
I'm
like
okay,.
B
I
want
to
expose
the
minimum
possible
api,
but
I
I
get
it
so,
but
yeah
I
I
love
the
internal
packaging,
though
it's
such
a
nice
simple
way
of
like
organizing
your
code
and
and
it's
it's
just
like
I'm
always
always
happy
when
I,
when
I
go
to
make
a
change
inside
of
one
of
the
internal
packages,
because
I
know
I'm
not
gonna
break
anybody.
Yeah.
A
A
B
Future
use
is
thinking
for
yeah
one
of
the
other
things
we
also
try
to
well.
One
of
the
things
we
try
to
do
is
avoid
pulling
in
like
large
third-party
dependencies
and
and
so
and
this
this
actually
applies
to
built-in
functions,
which
is
one
of
the
things
we're
going
to
look
at
today.
B
We
we
try
to
keep
opa
like
the
implementation
to
be
sort
of
as
lightweight
and
easily
embeddable
as
possible,
and
so
you
know
that's
really
nice
for
some
people
because
they
can
kind
of
get
they
can
they
can
embed
open
their
projects
super
easily,
and
we
don't
have
to
worry
about.
You
know,
dependency
conflicts
basically,
and
so
so
we
we
talked
about
that
as
well.
B
B
Or
maybe
maybe
we
can
re-implement?
You
know
this
this
particular
feature
or
maybe
we
could
just
vendor
vendor
the
code
differently.
So
yeah.
A
B
Yeah
we
use
gobot,
we
just
yeah,
we're
always
wondering
about
like
the
stability
and
the
backwards
compatibility
question
like
I
feel
like
these
days
like
I,
I
worry
about
like
scalability
issues
and
backwards
compatibility.
Those
are
the
only
two
things
but
yeah.
So
it's
always
like
a
question
of
like.
Are
these
dependencies
that
we're
pulling
in
going
to
be
stable
and
reliable?
Are
we
gonna
have
to
like
you
know?
Are
we
gonna?
Are
we
gonna
run
into
package
conflicts
with
with
users
and
so
on?
If
we
pull
in
some
library?
So
it's.
A
A
it's
an
interesting
balance
for
sure
yeah,
it's
nice
that
someone's
worrying
about
that.
I
know.
There's
I
probably
don't
pay
enough
attention
to
those
things,
as
I
should
on
my
own
projects,
at
least
not
until
they
bite
me
on
the
ass
and
then
I'm
like
all
right.
You
said
there
was
this
other
guy
here,
so
this
is
the
development
one
which
is
just
telling
us
how
to
build
the
project.
B
That's
right,
yeah!
I
I
don't
know
who
like
invented
this,
like
distinction
originally
but
yeah.
There
is
this,
like
idea
of,
like
the
contributing
on
md,
is
sort
of
like
the
process
and
the
work
like
the
for
interacting
with
the
project,
and
then
the
development
nd
is
more
like
the
mechanics
for
interacting
with
the
actual
code
right.
So
this.
C
Is
a
good
a
guide,
especially
if
you're,
not
if
you're
kind
of.
B
Like
new
to
go,
then
I
I
recommend
this
one,
because
it
it
was
sort
of
written
without
that
persona
in
mind
like
if
you
haven't
never
written
any
go
code.
This
is
like
probably
a
decent
place
to
get
started,
contributing
to
opa,
because
it'll
it'll
it'll
it
doesn't
make
any
assumptions
about.
Doesn't.
F
B
Go
through
a
bunch
of
the
different
considerations
here
like
how
you
can
vendor
new
dependencies
where
the
tests
are
located
and
we
actually
explained
kind
of
like
roughly
the
the
the
pull
request
workflow
as
well.
We
just
wanted
this
to
be
as
kind
of
self-contained
as
possible.
You
know
not
not.
Everybody
is
familiar
with
contributing
to
projects
on
github
right.
B
If
you,
if
you
don't
work
on
open
source
or
projects,
you
know
for
your
for
your
day-to-day
job
or
you
know
you
don't
contribute
on
your
spare
time,
which
is
totally
reasonable
thing
to
do.
Then
you
know
it's
nice
to
have
a
little
bit
of
a
guide,
because.
B
A
B
Feel
free,
that's
one
of
the
great
parts
of
open
source
projects,
one
of
the
things
that
I
think
is
actually
pretty
cool
here.
We
added
this
a
while
ago
down
at
the
bottom.
This
is
when
we
switched
over
from
we,
so
we
originally
used
travis
ci
for
our
for
our
our
all
of.
C
E
B
B
All
of
the,
I
guess
what
you
could
think
of
as
like
options
or
parameters
that
are
like
kind
of
like
dependent
on
external
systems.
So
you
know,
for
example,
there's
a
docker
image
that
we
build,
and
you
know
where
that
document
gets
pushed
to
might
be
different.
If
you're
building
this
for
your
internal
company
or,
if
you're,
trying
to
build
a
fork
of
oppa
or
something
like
that.
F
B
This
this
section
just
gives
like
a
little
table
of
all
the
options
you
can
control
on
the
build,
and
so
I
think
it's
pretty
much.
It
should
be
possible
right
now.
I
haven't
tested
this
lately,
but
it
should
be
possible
to
like
fork
opa
set
these
secrets
to
your
own
kind
of
like
values
and
then
for
it
to
just
work.
Basically,
so
you
can
basically
clone
opus
ci
into
your
own
github
actions,
environment
and
have
have
it
just
work.
B
So
if
you
wanted
to
take
up
and
create
a
full
fork
of
oppa,
you
could
do
that.
Hopefully,.
A
All
right,
let's,
I
think
that
those
those
two
guys
are
great
and
I
hope
that
our
audience
today
gets
a
lot
of
value
of
that
and
I'm
sure
they
will.
Let's
talk
about,
someone
has
came
along
and
they've
read
the
talk.
So,
okay,
I
feel
like
I'm
prepared
to
start
making
a
contribution.
A
B
Yeah,
so
the
the
the
thing
that
the
sort
of
convention
we
follow
is
that
issues
that
are
there's
a
label.
Basically,
so
I
think
it's
it
used
to
be
called
hanging
fruit,
but
we
renamed
it
recently
to
good
first
issue:
yeah,
that's
the
one.
D
B
Yeah
I
like
low-hanging
fruit.
It
had
this
like
kind
of
like
ring
to
it,
but
I
think
that
that's
not
it's
not
the
most
well
understood
term
and
it's
kind
of
like
idiomatic
for
english
speakers.
So
this
is
definitely
better
but
yeah.
B
So
what
we
do
when
we're
kind
of
like
triaging
issues
that
come
into
the
project,
is
that
we
look
at
them
and
we
kind
of
make
a
decision
about
whether
or
not
we
think
that
somebody
without
any
context
for
opa
really
could
could
make
a
contribution,
and
if
we
do
think
that
they
can
make
your
contribution,
then
we
tag
it
with
that
good
first
issue
label,
and
so
you
usually,
what
that
means.
Is
that
the
like
the
the
implementation
required
for
this?
This
bug
fix
or
this
feature
is-
is
pretty
well
understood.
B
It's
understood
the
point
where,
like
I
could
write
down,
you
know
in
a
bulleted
list
or
in
a
numbered
list
like
these.
Are
the
files
you'll
have
to
change?
These
are
the
lines
you'll
have
to
change,
and
maybe
I
could
go
to
that
myself,
but
like
this
kind
of
gives
people
like
an
opportunity
to
get
started
in
a
safe
way
where
they
don't
end
up
going
down
a
path
that
is
unproductive,
so
they
can
at
least
feel
the
enjoyment
of
making
a
contribution.
B
So
these
are
definitely
the
best
ones
to
look
at
a
lot
of
the
time.
These
are.
These
are
features
kind
of
like
at
the
exterior,
so
they're
they're
things
like
built-in
functions
that
allow
you
to,
like.
You
know,
access
some
functionality
in
the
go
standard,
library
or
their
feature,
their
changes
in
the
documentation
which
has
its
own
separate
kind
of
system,
which
I
don't
think
we'll
really
get
into
that
today.
But
we've
got
quite
an
elaborate
documentation.
E
B
Opa
and
deploying
it
there
are
things
you
need
to
think
about
like
where
policies
are
going
to
get
pulled
from,
and
you
know
where
decisions
are
going
to
get
logged
to
and
all
that
kind
of
stuff
and
there's.
B
Of
contribution
in
the
past,
from
users
of
opa
around
those
areas,
so,
for
example,
when
it
comes
to
distributing
policies
to
europas,
there's
a
bunch
of
different
ways,
you
can
do
that.
You
could
like
put
them
on
the
file
system.
You
can
put
them
on
s3,
you
can
put
them
in
gcs,
you
can
put
them
on
azure
and
then
oppo
like
when
it's
pulling
from
s3
or
from
gcs.
B
It
needs
to
be
able
to
authenticate
with
like
aws
apis
or
gcs
apis
in
order
to
pull
down
those
those
policies,
and
so
we
have
like,
I
think,
13
different
ways
of
authenticating
with
different
cloud
service
providers,
and
so
all
of
those
like
authentication
methods
have
been
contributed
by
users.
So
we.
B
People
making
initial
contributions
for
features
that
help
operationalize
opa
inside
of
their
environments,
with
their
kind
of
like
unique
tech
stack.
Basically
right,
like
some
companies,
just
have
very
like
a
very
specific
authentication.
F
B
They're
using-
and
you
know
it's
not
necessarily
supported
out
of
the
box,
but
they
can,
they
can
kind
of
make
that
contribution
relatively
easily.
So
that's.
C
B
Kind
of
another
area
where
we
see
a
lot
of
contributes
coming
in.
A
Awesome
very
helpful.
Thank
you
all
right.
Let's
move
on
to
the
the
fun
bit
then,
shall
we
we
are
going
to
contribute
our
own
function
to
the
the.
B
You're
gonna
you're
gonna
contribute
a
function
to
the
open
language,
open
language,
the
regular
language,
yeah,
yeah,
you're
gonna
have
to
extend
the
language,
so
this
will
be
fun
so
yeah,
there's,
there's
two
main
main
directories
that
are
involved
in
this.
What
the
first
directory
is
the
ast
directory
that
you
see
at
the
top
there,
so
the
asd
directory
has
like
the
implementation
of
the
the
parser
and
the
compiler
for
radio.
So
it's
all
the
code
that
takes
radio
source
files
and
then.
B
Be
executed
or
evaluated
and
kind
of
like
validates
that
it's
valid
or
it
validates
that
it's
correct.
One
part
of
the
the
asd
package
is
that
built-ins.go
file
that
you
see
there
at
the
top,
so
the
built-ins.go
file
is
basically
a
list
of
declarations
for
all
the
functions
that
are
natively
available
inside
reagan.
So.
B
Of
the
functions
that
are
kind
of
registered
statically
and
you
can
see
that
there's
functions
for
like
string,
manipulation
and,
like
you
know,
regex
and
all
kinds
of
other
things
like
working
with
json.
C
B
B
A
B
Yeah
yeah,
you
can
you
make
an
http
request,
that's
actually
probably
the
most
complicated
built-in
function
in
the
library,
yeah.
There's
things
for
checking
like
the
two
network.
Seeders
overlap,
you
know.
Maybe
that's
maybe
that's
interesting
if
you're
writing
policies
over
firewall
rules
and
things
like
that.
B
F
B
Yeah
so
yeah,
so
there's
no
string
reversal
though
so
that's
that's
interesting.
Maybe
we
need
that.
So
that's!
This
is
the
list
of
functions
that
are
registered
if
you
scroll
down
further
in
this
file,
what
you'll
see
are
some
some
variables
basically
global
variables
that
are
declared
and
you'll
notice,
there's
basically
one
for
each
built-in
function
in
the
language,
so
maybe
scroll
down
a
little
bit.
Let's
find
it.
Let's
find
one.
That's
not
super
generic
any
of.
D
B
Divide
and
multiply
yeah,
so
this
is
basically
like
the
declaration
of
the
multiplication
operator
or
function
inside
of
rego.
So
what
you
see
here
is
just
like
a
structure,
that's
being
being
created
and
there's
some
metadata
for
on
that
structure,
like
the
name
of
the
built-in
function
in
this
case,
like
multiply,
is
kind
of
special
because
we
have
a
an
infix
operator
for
multiply
right.
So
you
say
you
know
x,
asterisk
y,
that's
x,
times
y
right,
so
there's
an
infix
operator
for
the
one
we're
going
to
do
today.
B
We
won't
have
an
interface
operator,
but
but
if
you're
adding
a
new
function
that
has
an
infix
operator,
you
can
set
that
there
and
then
there's
the
actual
function
declaration
itself,
so
that
that
function
declaration
is
basically
like
the
signature
for
the
function
and
so
we're
basically
creating
a
new
function.
Declaration
that
says
that
the
multiply
function
takes
two
arguments
which
happen
to
be
of
type
number,
both
both
of
the
operands
or
numbers
and
then
the
result.
C
F
B
In
this
file,
I
don't
know
it's
a
few
thousand
life
long.
It's
like
1500
lines,
long
or
something
it'll
be
one
of
these
declarations
for
every
single
built-in
function.
That's
natively
available
inside
of
opa,
and
so,
when
you
want
to
add
a
new
built-in
function.
B
It's
worth
mentioning
that
you
can
also
add
built-in
functions
from
outside
of
opa
so
like
if
you're,
if
you
are
embedding
open
as
a
library-
and
you
want
to
extend
it
with
your
own
custom
built-in
functions,
you
can
totally
do
that.
You
don't
have
to
like
contribute
them
upstream.
There's
a
there's,
a
set
there's.
B
On
the
website
that
show
how
to
do
that
and
and
so
on,
but
for
this
purposes
you
know
we're
gonna
we're
gonna
get
a
new
building
function
into
open,
it's
gonna
be
upstream,
so
it's
gonna
be.
C
A
B
It's
it's
the
name
of
the
algorithm,
that's
used
for
evaluating
the
policies,
yeah
and
so
inside
of
the
top-down
package.
There
are
a
bunch
of
files,
you'll
notice.
They
have
names
that
kind
of
look,
maybe
kind
of
familiar.
You
see,
regex,
you
see
strings,
you
see
time,
you
see
numbers
and
json.
So
most
of
these
files
contain
the
implementations
of
those
built-in
functions
right.
B
Or
the
declaration,
what
we're
going
to
look
at
now
is
the
definition
right,
the
implementation
of
that
built-in
function
and
so,
for
example,
yeah
so
you're
you're
in
the
numbers.go
file
right
now.
So
this
has
a
bunch
of
built-in
functions
for
just
kind
of
different
numeric
operations,
not
multiple
kit,
not
arithmetic,
but
there's
yeah.
You
can
open
up
arithmetic.
B
Yeah
so
there's
there's
the
there's
sort
of
the
the
implementation
for
multiply.
It's
a
little
bit
abstracted
actually
because
yeah,
if
you
go
down.
B
B
Well,
they're,
fine,
okay,
so
the
way
that
these
have
been
organized
is
that
we've
tried
to
avoid
repeating
ourselves
a
bunch.
So
we
have
built-in
functions
for
like
arithmetic
functions
that
take
one
argument
and
then
build
in
functions
that
take
two
arguments
and
so
on,
and
then
they
do
a
little
bit
of.
B
Yeah,
there's
nothing
to
replace
there.
We
go
okay,
there
we
go
there,
we
go
now
we're
now
we're
clicking
okay.
So
this
is
like
the
implementation
for
the
replay,
the
replace
built-in
function,
and
so
what
replace
does
is
it
takes
a
string
and
it
takes
two
strings
and
then
a
number,
and
so
the
first
string
is
the
string
you
want
to
replace
inside
of
and
then
the
second
string
is
the
thing
you
want
to
replace
two.
I
guess.
B
Oh
no,
sorry,
it's
just
three
strings,
the
the
string
that
you
want
to
replace
inside
of
the
original
value
and
the
new
value
so.
B
Right
yeah,
so
this
this
built-in,
the
built-in
replace,
takes
three
arguments
abc
and
they're
all
of
type
ast
values.
So
ast
value
is
like
an
interface.
It's
a
generic
type
for
data
inside
of
inside
of
open
instead
of
rego,
and
so
that
underlying
the
underlying
values
for
that
are
scalars
like
booleans
and
numbers
and
strings
as
well
as
com,
like
collection,
values,
like
arrays
objects
and
sets,
and.
B
And
collections,
arrays
objects
and
sets,
and
so
in
this
case
the
string
replace
function.
Just
it
basically
expects
three
strings,
and
so
what
we
do
is
we
take
those
operands
and
we
just
convert
them
into.
We
basically
get
the
underlying
string
back
from
them,
and
so
that's
what
that
built-ins
package
exposes
is
a
bunch
of
helper
functions
for
for
doing
those
kinds
of
conversions
and
what.
B
B
So
basically
we
convert
those
three
operands
into
strings
and
then
what
we
do
is
we
just
kind
of
defer
the
actual
implementation
to
the
goku
standard
libraries,
the
go
standard
library
has
a
strings
package
and
inside
that
strings
package,
there's
a
replace
function,
and
so
we
just
pass
in
the
three
operands
as
go
strings,
and
then
we
take
the
result,
which
is
itself
a
go
string
and
we
kind
of
convert
that
into
a
we
call
it
opa
string
or
an
ast
string,
and
we
return
that.
B
So
that's
one
of
the.
I
guess
one
of
the
that's
probably
the
most.
I
mean
that's
sort
of
the
most
fundamental
thing
that
has
to
happen
with
these
built-in
functions.
Is
that
like
opa's
implemented
in
terms
of
its
own
value
type,
so
opa
has
its
own
type
for
string
and
number
and
so
on,
and
so,
whenever
we're
implementing
a
built-in
function,
unless
we're
doing
it
natively.
A
B
At
the
tests-
and
we
can
look
at
the
docs
before
we
get
started-
okay
yeah,
so
the
the
the
documentation
is
under
the
docs
directory,
surprise,
surprise
under
content,
and
this
is
the
documentation
for
the
openpolicyunder.org
website
right.
So
when
you
go
to
open
open.
B
And
you
click
on
the
documentation.
This
is
where
it's
all
built
from
each
one
of
these
files,
roughly
correspond
basically
corresponds
to
a
page
on
the
website,
and
so,
if
you
go
to
the
policy
reference
one,
this
is
the
place
where
basically,
all
of
the
built-in
functions
are
are
listed,
and
so,
if
you
keep
scrolling,
there's
a
little
cheat
sheet
at
the
top
here
that
you're
going
through
right
now.
B
If
you
keep
going
down,
you
have
built-in
functions
so
then
you
see
basically
a
list
of
all
the
built-in
functions
in
the
language
and
explanation
kind
of
what
they
do
and
so
we'll
add
a
new
one.
Here,
we'll
add
a
new
line
to
this
table,
we'll
call
it
strings.replace
or.
B
I'm
sorry
and
yeah:
that's
really
all
you
have
to
do
so,
we'll
just
edit
that
file
at
the
end
not
much
to
call
in
here.
We
can
just
explain
what
it
does
that
little
column
on
the
right.
That
is,
that
indicates
whether
or
not
the
built-in
function
is
supported
in
our
webassembly.
B
We're
not
gonna
get
into
today,
but
yeah.
We
have
a
whole
thing
for
that,
and
so
those
little
check
marks
indicate
that
they're
that
it's
available
out
of
the
box
with
webassembly,
which
this
one
will
not
be
because
we're
not
going
to
have
you
write
some
c
code
for
us
today.
A
Is
contributing
on
the
website
exactly
there
we
go
okay,
so
I've
got
my
local
clone
here.
I'm
assuming
we
want
to
start
off
by
creating
a
branch
sure
strings.
You.
A
A
B
And
just
paste
it
down
just
create
another
one
down
beneath
it.
Call
it
repeat:
let's
do
do
you
want
to
do
reverse
or
repeat.
A
B
And
that
seems
that
seems
good
to
me.
The
only
thing
I
would
say
is
one
of
one
of
the
one
of
the
one
of
the
things
we've
learned
over
time
is
that
it's
better
to
like
name
space.
These
functions
so
you'll
see
like
strings
dot,
replace
n.
That's
like
a
more
recent
one.
We
try
to
name
space
all
of
them
now,
so,
let's,
let's
call
it
string,
stop
repeat
to
be
consistent
with.
D
F
A
A
C
B
Dependent
capital
sdk.
B
And
so
yeah,
actually
maybe
I
can
show
you
a
neat
anything.
I.
C
B
One
of
the
cool
things
that
we
do
is
that
we
have
the
website
automatically
built
for
pull
requests.
So
if
you
want,
you
can
just
commit
this
right
now
push
it
up
open
a
pr,
and
then
we
can
see
it
on
the
website
and
then
we
can.
While
that's
building,
we
can.
B
I
am
very
picky
about
commit
messages.
I
think
that
there's
a
ton
of
value
in
my
messages,
but
for
and
and
actually
we
mentioned
some
of
that
in
the
in
the
contributing.md
file-
let's
save
ourselves
some
pain
and,
and
just
just
just
just
just
yolo
it
just
just
just
work-
whip
hack
fix
me
whatever.
Let's
just
I
understand
we're
busy,
we
need
to
get
features
committed.
We
don't
have
time
to
to
explain
why
we're
having
this.
A
F
A
Here
we
go
you've
done
this
before
I
have
a
dude
porsche
release,
never
just
force
for
anyone
watching.
Oh.
B
A
B
Yeah
and
so
if
you
scroll
down
so
there's
a
bunch
of
things,
they're
gonna
take
off
on
this,
it's
gonna
run
tests
which
should
just
pass,
but.
C
Oh,
it's
not.
There.
B
D
B
A
Yes,
you've
got
the
new
fancy
github
thing
that
stops
the
crypto
miners
abusing
the
actions.
Oh.
C
A
B
C
B
B
F
C
B
B
A
B
No,
we
don't
so.
The
repeat
function
is
going
to
take
a
string
and
a
number,
so
these
arguments
need
to
be
changed
basically,
so
this,
I
guess
this.
This
was
a
function
that
took
an
object.
So
instead
of
that
yeah,
so
we're
going
to
take
a
string,
I
think,
and
a
number
in
that
order
and.
A
B
Okay,
so
that's
cool,
so
now
it's
declared.
So
actually
what
we
could
do
now
is
build
opa
and
we
should
be
able
to
basically
the
the
police
like
if
you
write
a
policy
that
calls
strings
dot.
Repeat
it
should
compile
but
it'll.
It
won't
evaluate,
be
an
error
during
evaluation.
B
So
so,
let's,
let's
do
that.
So,
let's
get
it
building
and
then
we
can
just.
B
Yeah,
you
can
use
a
big
target,
so
if
you
do
a
make
build,
that's
what
I
usually
do.
That'll
that'll
produce
a
little
binary
locally
for
you
and
so
yeah.
Okay,
so
you
don't
have
docker
installed,
which
means
we're
just
gonna
skip
all
the
wasm
stuff
automatically.
C
B
B
C
B
And
so,
if
you
do
like
a
version
on
that,
ship
should
have
your
commit.
Yes,
it's
got
the
command
of
the
docs
change.
I
think,
and
then
it
just
says
dirty
because
there's
the
uncommitted
built-in
declaration
change
so
yeah.
So
now
we
can
just
do
an
open
run
on
that
yeah
and.
C
B
You
just
like
execute
policy,
queries
and
and
kind
of
experiment
with
them.
So
if
you
type
like
one
plus
one
it'll
return,
two
just
like
a
standard
rebel.
So
now
you
should
be
able
to
call
your
string
dot
repeat
and
you
give
it
a
string
and
a
number
and
regular
type
error.
Undefined
function.
A
F
B
That
there's
a
type
error
it
like
didn't
know
about
that
function.
The
second
error
is
saying
that
there's.
B
B
Normally
because
we
don't
obviously
allow
people
to
just
commit
declarations,
but
we
can
see
now
that
it's
compiled
or
it's
compiling
at
least,
and
so,
if
you,
if
you
call
that
with
like
flip
those
flip,
those
operands
around
pass
in
the
number
first
and
the
string.
Second.
B
So
you
see
you
get
like
a
type
error
back
now
right,
so
it's
telling
those
invalid
arguments.
It
was
expecting
basically
a
string,
a
number
and
it
would
return
a
string.
That's
what
that
third
operand
indicates.
C
B
So
cool
so
we've
got
our
declaration
in
let's
go
ahead
and
do
the
implementation.
B
Yeah
we'll
talk
about
the
testing.
I
guess
afterwards,
it's
going
to
be
yeah
it'll
be
it'll.
It's
it's
data
driven,
so
it
requires
a
little
bit
of
explanation,
but.
B
I
haven't
tried
it
on
hobo.
I
I
want
to
do
that.
I
want
to
see
it
all
right,
yeah
so
delete
that.
Well.
F
B
A
C
Is
the
yeah
yeah
yeah,
okay,
and
that.
A
B
B
Versions
of
this
function
for
different
arities
so
like.
If
you
take
one
argument
or
two
or
three.
B
B
Yeah
and
then
it'll
be
a
functionality
just
functional
yeah.
A
C
B
B
B
C
Yeah
webassembly
won't.
B
C
A
C
C
All
software
okay,
so
so
we
just
have
to
check
for
negative
negative
integers.
A
Okay,
so
we're
going
to
say
here
that
if
it
can't
convert
or
if
type,
oh
thank
you
copilot
return,
they're
going
to
give
me
an
error
message:
yeah!
Oh,
oh,
okay!
This
isn't!
This
is
insane
you're.
Just
like.
Are
you
working
for
github
now
dude?
A
F
A
C
B
Yeah
so
for
testing,
we
have
sort
of
like
a
data-driven
approach
for
for
these,
especially
for
these
built-in
functions
under
the
test
directory
at
the
top
level.
B
Cases
yeah
yeah
yeah,
so
each
one
of
these
directories
maps
to
like
a
category
of
tests.
Basically,
there
should
be
one
called
strings
yeah.
These
have
horrible
names
because
they
were
generated
from
go
code
originally,
so
we
like
we
yeah
anyway.
This
whole
thing
so.
B
B
B
Data
in
here
because
they
were
jet
auto
generated,
but
we
can
just
copy
that
whole
thing
actually.
B
That
up
and
then
we
can
like
call
it
at
that
point
so
yeah.
So,
let's
just
add
a
test
strings
dot
repeat.
B
And
so,
let's
repeat
a
string,
oh
yeah,
it
says
interesting.
Okay,
I
think
someone
tried
to
do
this
a
little
while
ago.
They
tried
to
contribute
this
and
they
ran
into
like
unicode
problems
and
someone
rejected
it.
So
we
might,
I
might
have
picked
a
bad
one
because
we
might
get
our
pr
rejected
by
stefan.
B
There's
a
the
module
is
like
a
regular
file.
Okay,
so
this
is
like
a
just
like
a
kind
of
like
a
test
fixture
right.
So
it's
just
like
a
it's
like
a
rego
file
for
test
purposes,
and
so
all
we're
saying
here
is
there's
a
rule
called
the
p.
The
letter
p
and
we
say
p-
is
equal
to
x.
If
and
then
it's
just
saying
like
strings.repeat
lgtm2
and
what
we'll
want
to
do
is
assign
x
inside
of
that
that
rule.
So
we
want
to
say,
like
x,
equals
strings,
dot
repeat
on
line
seven.
B
Otherwise
x
will
not
be
safe
and
we'll
get
a
compiler
yeah
that'll.
Do
it.
B
If
you
go
back
into
your
terminal,
if
you
do
make
test
it's
going
to
run
all
of
the
tests
and
so
that'll
take
probably
longer
than
we
want,
I
think
so.
What
you
could
do
instead
is
just
go
test
on
the
pop-down.
B
F
F
B
The
tests
passed
took
four
seconds.
What
we
need
to
do
is
get
the
name
of
this
test,
so
we
can
just
kind
of
like
look
at
it.
Oh
okay,
yeah
you
just
re-run
them
all.
B
Yeah,
no,
no,
that's
perfect!
So
then,
so
what
I
would
do
at
this
point
basically
is.
I
would
take
that
test,
so
you
can
see
the
name
of
the
test
there,
so
you
can
see
like
testrego
strings,
repeat
normal
case,
so
you
can
just
run
that
specifically,
if
you
want
so
you
can
say,
go
test,
dash,
run
or
top
down
run,
doesn't
matter
and
then.
F
B
Yeah,
so
the
the
negative,
what
that,
what
that's
going
to
do
basically
is
like,
if
you
call
it
with
a
negative
value,
it's
just
going
to
be
undefined,
so
it'll
have
no
value
right.
So
the
what
we're
going
to
want
here.
B
C
B
So
what
we're
gonna
want
is
basically
an
empty
list.
I
think
I
can't
remember
the.
B
D
B
B
C
A
B
C
B
When
you
yeah
now,
let's
go
ahead
and
connect
that.
F
B
Yeah
I.
D
A
B
It's
like
a
a
data
file
that
has
a
list
of
all
those
built-in
functions
in
json,
and
so
that's
a
feature
in
opa
where
you
can
kind
of
like
restrict
what
functions
are
available.
We
publish
that
so
it's
available,
there's
a
directory
called
capabilities
in
the
repo
that
has
for
every
version
of
opa
like
what
what
language
capabilities
are
available.
Basically,
so
now
it's
it's
rebuilding
again,
but
I
actually
got
on
there
before
it
started
rebuilding,
and
I
grabbed
the
link
to
that
before.
I
feed
you,
so
I'm
gonna.
B
She's
she's,
watching
okay
bobcatfish
is,
is
one
of
the
techton
co-creators.
C
A
So
this
is
the
documentation
that
was
built
as
yeah
because
of
our
yeah.
B
A
Perfect,
that
was
very
cool.
We
have
clue
and
oppa
built
it
tested.
It
used
a
ripple
added
a
function
added
a
test
miraculously
got
the
undefined
yeah.
I
don't
know
how
you
pulled
that
out
of
your
head
or
you
looked
up,
but
all
good
and
the
pull
request
is
pending.
Now,
I'm
sure
we
can
clean
this
up
get
a
proper
review
into
stuff
later,
but
that
was
that
was
a
great
introduction
to
contributing
to
oppa.
Thank
you
so
much,
sir.
B
Thanks
david,
it
was
a
pleasure.
We're
gonna
have
to
have
you
back
to
write
some
c
code
for
us,
because
we
need
built-in
functions.
A
All
right
we're
going
to
be
doing
lgtm,
wasm
oppa
edition
soon.
I
am
sure
I
can't
wait
all
right.
Thank
you
again.
That
was
an
absolute
pleasure.
I
hope
the
people
watching
got
a
lot
of
value
out
of
this.
Please
check
out
oppa
contribute,
get
those
pull
requests
and,
and
any
last
words
from
utorrent
before
we
wrap
up
for
today.
B
Nope
I'll
just
say
that
we're
always
looking
for
contributions.
So
if
you're
interested
in
the
project
check
out
those
good
first
issues
or
check
out
some
of
the
integrations
like
gatekeeper
and
conf
test
and
the
envoy
plug-in
or
if
you
have
ideas.