open-policy-agent · charlieegan3 · Jun 12, 2025 · Jun 11, 2025 · Jun 11, 2025 · Jun 11, 2025
diff --git a/docs/docs/policy-reference/_examples/graphs/reachable/config.json b/docs/docs/policy-reference/_examples/graphs/reachable/config.json
@@ -0,0 +1,6 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"command": "data.graph_reachable_example.result"
+}
diff --git a/docs/docs/policy-reference/_examples/graphs/reachable/policy.rego b/docs/docs/policy-reference/_examples/graphs/reachable/policy.rego
@@ -0,0 +1,21 @@
+package graph_reachable_example
+
+org_chart_data := {
+        "ceo": {},
+        "human_resources": {"owner": "ceo", "access": ["salaries", "complaints"]},
+        "staffing": {"owner": "human_resources", "access": ["interviews"]},
+        "internships": {"owner": "staffing", "access": ["blog"]},
+}
+
+org_chart_graph[entity_name] := edges if {
+        org_chart_data[entity_name]
+        edges := {neighbor | org_chart_data[neighbor].owner == entity_name}
+}
+
+org_chart_permissions[entity_name] := access if {
+        org_chart_data[entity_name]
+        reachable := graph.reachable(org_chart_graph, {entity_name})
+        access := {item | reachable[k]; item := org_chart_data[k].access[_]}
+}
+
+result contains org_chart_permissions[entity_name]
diff --git a/docs/docs/policy-reference/_examples/graphs/reachable_paths/config.json b/docs/docs/policy-reference/_examples/graphs/reachable_paths/config.json
@@ -0,0 +1,6 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"command": "data.graph_reachable_paths_example.result"
+}
diff --git a/docs/docs/policy-reference/_examples/graphs/reachable_paths/policy.rego b/docs/docs/policy-reference/_examples/graphs/reachable_paths/policy.rego
@@ -0,0 +1,15 @@
+package graph_reachable_paths_example
+
+path_data := {
+        "aTop": [],
+        "cMiddle": ["aTop"],
+        "bBottom": ["cMiddle"],
+        "dIgnored": [],
+}
+
+all_paths[root] := paths if {
+        path_data[root]
+        paths := graph.reachable_paths(path_data, {root})
+}
+
+result contains all_paths[entity_name]
diff --git a/docs/docs/policy-reference/_examples/net/cdir_contains2/data.json b/docs/docs/policy-reference/_examples/net/cdir_contains2/data.json
diff --git a/docs/docs/policy-reference/_examples/net/cdir_contains2/input.json b/docs/docs/policy-reference/_examples/net/cdir_contains2/input.json
diff --git a/docs/docs/policy-reference/_examples/net/cdir_contains3/data.json b/docs/docs/policy-reference/_examples/net/cdir_contains3/data.json
diff --git a/docs/docs/policy-reference/_examples/net/cdir_contains3/input.json b/docs/docs/policy-reference/_examples/net/cdir_contains3/input.json
diff --git a/docs/docs/policy-reference/_examples/net/cdir_contains4/data.json b/docs/docs/policy-reference/_examples/net/cdir_contains4/data.json
diff --git a/docs/docs/policy-reference/_examples/net/cdir_contains4/input.json b/docs/docs/policy-reference/_examples/net/cdir_contains4/input.json
diff --git a/docs/docs/policy-reference/_examples/rego/rule_metadata/config.json b/docs/docs/policy-reference/_examples/rego/rule_metadata/config.json
@@ -0,0 +1,6 @@
+{
+	"showInput": true,
+	"showData":  false,
+	"showTitles": false,
+	"command": "data.example"
+}
diff --git a/docs/docs/policy-reference/_examples/rego/rule_metadata/input.json b/docs/docs/policy-reference/_examples/rego/rule_metadata/input.json
@@ -0,0 +1,7 @@
+{
+    "number": 11,
+    "subject": {
+        "name": "John doe",
+        "role": "customer"
+    }
+}
diff --git a/docs/docs/policy-reference/_examples/rego/rule_metadata/policy.rego b/docs/docs/policy-reference/_examples/rego/rule_metadata/policy.rego
@@ -0,0 +1,21 @@
+package example
+
+# METADATA
+# title: Deny invalid numbers
+# description: Numbers may not be higher than 5
+# custom:
+#  severity: MEDIUM
+deny contains format(rego.metadata.rule()) if {
+        input.number > 5
+}
+
+# METADATA
+# title: Deny non-admin subjects
+# description: Subject must have the 'admin' role
+# custom:
+#  severity: HIGH
+deny contains format(rego.metadata.rule()) if {
+        input.subject.role != "admin"
+}
+
+format(meta) := {"severity": meta.custom.severity, "reason": meta.description}
diff --git a/docs/docs/policy-reference/_examples/semver/isvalid/config.json b/docs/docs/policy-reference/_examples/semver/isvalid/config.json
@@ -0,0 +1,6 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"command": "data.semverisvalid"
+}
diff --git a/docs/docs/policy-reference/_examples/semver/isvalid/policy.rego b/docs/docs/policy-reference/_examples/semver/isvalid/policy.rego
@@ -0,0 +1,5 @@
+package semverisvalid
+
+leadingV := semver.is_valid("v1.1.12-rc1+foo")
+
+valid := semver.is_valid("1.1.12-rc1+foo")
diff --git a/docs/docs/policy-reference/_examples/time/time_format/config.json b/docs/docs/policy-reference/_examples/time/time_format/config.json
@@ -0,0 +1,6 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"command": "data.time_format"
+}
diff --git a/docs/docs/policy-reference/_examples/time/time_format/policy.rego b/docs/docs/policy-reference/_examples/time/time_format/policy.rego
@@ -0,0 +1,4 @@
+package time_format
+
+ts := "1985-10-27"
+result := time.parse_ns("2006-01-02", ts)
diff --git a/docs/docs/policy-reference/_examples/tokens/sign/empty_json/config.json b/docs/docs/policy-reference/_examples/tokens/sign/empty_json/config.json
@@ -0,0 +1,6 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"command": "data.jwt.result"
+}
diff --git a/docs/docs/policy-reference/_examples/tokens/sign/empty_json/policy.rego b/docs/docs/policy-reference/_examples/tokens/sign/empty_json/policy.rego
@@ -0,0 +1,9 @@
+package jwt
+
+result := io.jwt.encode_sign({
+    "typ": "JWT",
+    "alg": "HS256"},
+    {}, {
+    "kty": "oct",
+    "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"
+})
diff --git a/docs/docs/policy-reference/_examples/tokens/sign/hmac/config.json b/docs/docs/policy-reference/_examples/tokens/sign/hmac/config.json
@@ -0,0 +1,6 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"command": "data.jwt.result"
+}
diff --git a/docs/docs/policy-reference/_examples/tokens/sign/hmac/policy.rego b/docs/docs/policy-reference/_examples/tokens/sign/hmac/policy.rego
@@ -0,0 +1,18 @@
+package jwt
+
+result := io.jwt.encode_sign({
+    "typ": "JWT",
+    "alg": "HS256"
+}, {
+    "iss": "joe",
+    "exp": 1300819380,
+    "aud": ["bob", "saul"],
+    "http://example.com/is_root": true,
+    "privateParams": {
+        "private_one": "one",
+        "private_two": "two"
+    }
+}, {
+    "kty": "oct",
+    "k": "AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"
+})
diff --git a/docs/docs/policy-reference/_examples/tokens/sign/rsa/config.json b/docs/docs/policy-reference/_examples/tokens/sign/rsa/config.json
@@ -0,0 +1,6 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"command": "data.jwt.result"
+}
diff --git a/docs/docs/policy-reference/_examples/tokens/sign/rsa/policy.rego b/docs/docs/policy-reference/_examples/tokens/sign/rsa/policy.rego
@@ -0,0 +1,25 @@
+package jwt
+
+result := io.jwt.encode_sign({
+    "alg": "RS256"
+}, {
+    "iss": "joe",
+    "exp": 1300819380,
+    "aud": ["bob", "saul"],
+    "http://example.com/is_root": true,
+    "privateParams": {
+        "private_one": "one",
+        "private_two": "two"
+    }
+},
+{
+    "kty": "RSA",
+    "n": "ofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd_wWJcyQoTbji9k0l8W26mPddxHmfHQp-Vaw-4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL-yRT-SFd2lZS-pCgNMsD1W_YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb_7OMg0LOL-bSf63kpaSHSXndS5z5rexMdbBYUsLA9e-KXBdQOS-UTo7WTBEMa2R2CapHg665xsmtdVMTBQY4uDZlxvb3qCo5ZwKh9kG4LT6_I5IhlJH7aGhyxXFvUK-DWNmoudF8NAco9_h9iaGNj8q2ethFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQ",
+    "e": "AQAB",
+    "d": "Eq5xpGnNCivDflJsRQBXHx1hdR1k6Ulwe2JZD50LpXyWPEAeP88vLNO97IjlA7_GQ5sLKMgvfTeXZx9SE-7YwVol2NXOoAJe46sui395IW_GO-pWJ1O0BkTGoVEn2bKVRUCgu-GjBVaYLU6f3l9kJfFNS3E0QbVdxzubSu3Mkqzjkn439X0M_V51gfpRLI9JYanrC4D4qAdGcopV_0ZHHzQlBjudU2QvXt4ehNYTCBr6XCLQUShb1juUO1ZdiYoFaFQT5Tw8bGUl_x_jTj3ccPDVZFD9pIuhLhBOneufuBiB4cS98l2SR_RQyGWSeWjnczT0QU91p1DhOVRuOopznQ",
+    "p": "4BzEEOtIpmVdVEZNCqS7baC4crd0pqnRH_5IB3jw3bcxGn6QLvnEtfdUdiYrqBdss1l58BQ3KhooKeQTa9AB0Hw_Py5PJdTJNPY8cQn7ouZ2KKDcmnPGBY5t7yLc1QlQ5xHdwW1VhvKn-nXqhJTBgIPgtldC-KDV5z-y2XDwGUc",
+    "q": "uQPEfgmVtjL0Uyyx88GZFF1fOunH3-7cepKmtH4pxhtCoHqpWmT8YAmZxaewHgHAjLYsp1ZSe7zFYHj7C6ul7TjeLQeZD_YwD66t62wDmpe_HlB-TnBA-njbglfIsRLtXlnDzQkv5dTltRJ11BKBBypeeF6689rjcJIDEz9RWdc",
+    "dp": "BwKfV3Akq5_MFZDFZCnW-wzl-CCo83WoZvnLQwCTeDv8uzluRSnm71I3QCLdhrqE2e9YkxvuxdBfpT_PI7Yz-FOKnu1R6HsJeDCjn12Sk3vmAktV2zb34MCdy7cpdTh_YVr7tss2u6vneTwrA86rZtu5Mbr1C1XsmvkxHQAdYo0",
+    "dq": "h_96-mK1R_7glhsum81dZxjTnYynPbZpHziZjeeHcXYsXaaMwkOlODsWa7I9xXDoRwbKgB719rrmI2oKr6N3Do9U0ajaHF-NKJnwgjMd2w9cjz3_-kyNlxAr2v4IKhGNpmM5iIgOS1VZnOZ68m6_pbLBSp3nssTdlqvd0tIiTHU",
+    "qi": "IYd7DHOhrWvxkwPQsRM2tOgrjbcrfvtQJipd-DlcxyVuuM9sQLdgjVk2oy26F0EmpScGLq2MowX7fhd_QJQ3ydy5cY7YIBi87w93IKLEdfnbJtoOPLUW0ITrJReOgo1cq9SbsxYawBgfp_gh6A5603k2-ZQwVK0JKSHuLFkuQ3U"
+})
diff --git a/docs/docs/policy-reference/_examples/tokens/sign/sign_raw/config.json b/docs/docs/policy-reference/_examples/tokens/sign/sign_raw/config.json
@@ -0,0 +1,6 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"command": "data.jwt.result"
+}
diff --git a/docs/docs/policy-reference/_examples/tokens/sign/sign_raw/policy.rego b/docs/docs/policy-reference/_examples/tokens/sign/sign_raw/policy.rego
@@ -0,0 +1,7 @@
+package jwt
+
+result := io.jwt.encode_sign_raw(
+    `{"typ":"JWT","alg":"HS256"}`,
+     `{"iss":"joe","exp":1300819380,"http://example.com/is_root":true}`,
+    `{"kty":"oct","k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow"}`
+)
diff --git a/docs/docs/policy-reference/_examples/tokens/verify/cert/config.json b/docs/docs/policy-reference/_examples/tokens/verify/cert/config.json
@@ -0,0 +1,7 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"showPlayground": false,
+	"command": "data.jwt"
+}
diff --git a/docs/docs/policy-reference/_examples/tokens/verify/cert/policy.rego b/docs/docs/policy-reference/_examples/tokens/verify/cert/policy.rego
@@ -0,0 +1,5 @@
+package jwt
+
+result.verify := io.jwt.verify_es256(es256_token, cert) # Verify the token with the certificate
+result.payload := io.jwt.decode(es256_token)            # Decode the token
+result.check := result.payload[1].iss == "xxx"          # Ensure the issuer (`iss`) claim is the expected value
diff --git a/docs/docs/policy-reference/_examples/tokens/verify/cert_single/config.json b/docs/docs/policy-reference/_examples/tokens/verify/cert_single/config.json
@@ -0,0 +1,7 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"showPlayground": false,
+	"command": "data.jwt"
+}
diff --git a/docs/docs/policy-reference/_examples/tokens/verify/cert_single/policy.rego b/docs/docs/policy-reference/_examples/tokens/verify/cert_single/policy.rego
@@ -0,0 +1,8 @@
+package jwt
+
+result := [valid, header, payload] if {
+  [valid, header, payload] := io.jwt.decode_verify(es256_token, {
+      "cert": cert,
+      "iss": "xxx",
+  })
+}
diff --git a/docs/docs/policy-reference/_examples/tokens/verify/jwks/config.json b/docs/docs/policy-reference/_examples/tokens/verify/jwks/config.json
@@ -0,0 +1,7 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"showPlayground": false,
+	"command": "data.jwt"
+}
diff --git a/docs/docs/policy-reference/_examples/tokens/verify/jwks/policy.rego b/docs/docs/policy-reference/_examples/tokens/verify/jwks/policy.rego
@@ -0,0 +1,5 @@
+package jwt
+
+result.verify := io.jwt.verify_es256(es256_token, jwks) # Verify the token with the JWKS
+result.payload := io.jwt.decode(es256_token)            # Decode the token
+result.check := result.payload[1].iss == "xxx"          # Ensure the issuer (`iss`) claim is the expected value
diff --git a/docs/docs/policy-reference/_examples/tokens/verify/jwks_single/config.json b/docs/docs/policy-reference/_examples/tokens/verify/jwks_single/config.json
@@ -0,0 +1,7 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"showPlayground": false,
+	"command": "data.jwt"
+}
diff --git a/...ce/_examples/net/cdir_contains1/data.json → ...mples/tokens/verify/jwks_single/data.json b/...ce/_examples/net/cdir_contains1/data.json → ...mples/tokens/verify/jwks_single/data.json
diff --git a/...e/_examples/net/cdir_contains1/input.json → ...ples/tokens/verify/jwks_single/input.json b/...e/_examples/net/cdir_contains1/input.json → ...ples/tokens/verify/jwks_single/input.json
diff --git a/docs/docs/policy-reference/_examples/tokens/verify/jwks_single/policy.rego b/docs/docs/policy-reference/_examples/tokens/verify/jwks_single/policy.rego
@@ -0,0 +1,8 @@
+package jwt
+
+result := [valid, header, payload] if {
+  [valid, header, payload] := io.jwt.decode_verify(es256_token, {
+      "cert": jwks,
+      "iss": "xxx",
+  })
+}
diff --git a/docs/docs/policy-reference/_examples/tokens/verify/sign/config.json b/docs/docs/policy-reference/_examples/tokens/verify/sign/config.json
@@ -0,0 +1,6 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"command": "data.jwt"
+}
diff --git a/docs/docs/policy-reference/_examples/tokens/verify/sign/policy.rego b/docs/docs/policy-reference/_examples/tokens/verify/sign/policy.rego
@@ -0,0 +1,17 @@
+package jwt
+
+result_hs256 := io.jwt.encode_sign(
+    {
+        "alg":"HS256",
+        "typ":"JWT"
+    },
+    {},
+    {
+        "kty":"oct",
+        "k":"Zm9v"
+    }
+)
+
+# Important! - Use the un-encoded plain text secret to verify and decode
+result_parts_hs256 := io.jwt.decode_verify(result_hs256, {"secret": "foo"})
+result_valid_hs256 := io.jwt.verify_hs256(result_hs256, "foo")
diff --git a/docs/docs/policy-reference/_examples/tokens/verify/sign_raw/config.json b/docs/docs/policy-reference/_examples/tokens/verify/sign_raw/config.json
@@ -0,0 +1,6 @@
+{
+	"showInput": false,
+	"showData":  false,
+	"showTitles": false,
+	"command": "data.jwt"
+}
diff --git a/docs/docs/policy-reference/_examples/tokens/verify/sign_raw/policy.rego b/docs/docs/policy-reference/_examples/tokens/verify/sign_raw/policy.rego
@@ -0,0 +1,11 @@
+package jwt
+
+raw_result_hs256 := io.jwt.encode_sign_raw(
+    `{"alg":"HS256","typ":"JWT"}`,
+    `{}`,
+    `{"kty":"oct","k":"Zm9v"}`  	# "Zm9v" == base64url.encode_no_pad("foo")
+)
+
+# Important! - Use the un-encoded plain text secret to verify and decode
+raw_result_valid_hs256 := io.jwt.verify_hs256(raw_result_hs256, "foo")
+raw_result_parts_hs256 := io.jwt.decode_verify(raw_result_hs256, {"secret": "foo"})