Modernize Rego syntax

Open Policy Agent v0.59 introduced a new directive (`import rego.v1`) that ensures that the file is compatible with OPA v1 (to be released in the future). Add this directive to all Rego files and update the syntax accordingly. Which involves the following: * Rewrite all rules to use the `if` keyword, which is now mandatory. * Where appropriate, use the `in` keyword, which is now available without a future import. It's not mandatory, but it looks much nicer. In addition, update Regal to the latest version, which now enforces the use of `import rego.v1` by default.
cvat-ai · Apr 29, 2024 · cd515f4 · cd515f4
1 parent ab8674c
commit cd515f4
Show file tree

Hide file tree

Showing 39 changed files with 565 additions and 491 deletions.
diff --git a/.github/workflows/regallint.yml b/.github/workflows/regallint.yml
@@ -6,7 +6,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Setup Regal
-        uses: StyraInc/setup-regal@v0.2.0
+        uses: StyraInc/setup-regal@v1
         with:
-          version: v0.11.0
+          version: v0.21.3
       - run: regal lint --format=github cvat/apps/*/rules
diff --git a/cvat/apps/analytics_report/rules/analytics_reports.rego b/cvat/apps/analytics_report/rules/analytics_reports.rego
@@ -1,5 +1,7 @@
 package analytics_reports
 
+import rego.v1
+
 import data.utils
 import data.organizations
 
@@ -24,11 +26,11 @@ import data.organizations
 
 default allow := false
 
-allow {
+allow if {
     utils.is_admin
 }
 
-allow {
+allow if {
     input.scope == utils.LIST
     utils.has_perm(utils.WORKER)
 }
diff --git a/cvat/apps/engine/rules/annotationguides.rego b/cvat/apps/engine/rules/annotationguides.rego
@@ -1,5 +1,7 @@
 package annotationguides
 
+import rego.v1
+
 import data.utils
 import data.organizations
 
@@ -31,72 +33,72 @@ import data.organizations
 #     }
 # }
 
-is_target_owner {
+is_target_owner if {
     input.resource.target.owner.id == input.auth.user.id
 }
 
-is_target_assignee {
+is_target_assignee if {
     input.resource.target.assignee.id == input.auth.user.id
 }
 
-is_target_staff {
+is_target_staff if {
     is_target_owner
 }
 
-is_target_staff {
+is_target_staff if {
     is_target_assignee
 }
 
 default allow := false
 
-allow {
+allow if {
     utils.is_admin
 }
 
-allow {
+allow if {
     input.scope == utils.VIEW
     utils.is_sandbox
     utils.has_perm(utils.WORKER)
     input.resource.target.is_job_staff
 }
 
-allow {
+allow if {
     input.scope == utils.VIEW
     utils.is_sandbox
     utils.has_perm(utils.WORKER)
     is_target_staff
 }
 
-allow {
-    { utils.CREATE, utils.DELETE, utils.UPDATE }[input.scope]
+allow if {
+    input.scope in {utils.CREATE, utils.DELETE, utils.UPDATE}
     utils.is_sandbox
     utils.has_perm(utils.USER)
     is_target_staff
 }
 
-allow {
-    { utils.CREATE, utils.DELETE, utils.UPDATE, utils.VIEW }[input.scope]
+allow if {
+    input.scope in {utils.CREATE, utils.DELETE, utils.UPDATE, utils.VIEW}
     input.auth.organization.id == input.resource.organization.id
     utils.has_perm(utils.USER)
     organizations.has_perm(organizations.MAINTAINER)
 }
 
-allow {
-    { utils.CREATE, utils.DELETE, utils.UPDATE }[input.scope]
+allow if {
+    input.scope in {utils.CREATE, utils.DELETE, utils.UPDATE}
     input.auth.organization.id == input.resource.organization.id
     organizations.is_member
     utils.has_perm(utils.USER)
     is_target_staff
 }
 
-allow {
+allow if {
     input.scope == utils.VIEW
     input.auth.organization.id == input.resource.organization.id
     organizations.is_member
     is_target_staff
 }
 
-allow {
+allow if {
     input.scope == utils.VIEW
     input.auth.organization.id == input.resource.organization.id
     organizations.is_member

diff --git a/cvat/apps/engine/rules/cloudstorages.rego b/cvat/apps/engine/rules/cloudstorages.rego
@@ -1,4 +1,7 @@
 package cloudstorages
+
+import rego.v1
+
 import data.utils
 import data.organizations
 
@@ -29,89 +32,89 @@ import data.organizations
 default allow := false
 
 # Admin has no restrictions
-allow {
+allow if {
     utils.is_admin
 }
 
-allow {
+allow if {
     input.scope == utils.CREATE
     utils.has_perm(utils.USER)
     utils.is_sandbox
 }
 
-allow {
+allow if {
     input.scope == utils.CREATE
     input.auth.organization.id == input.resource.organization.id
     utils.has_perm(utils.USER)
     organizations.has_perm(organizations.MAINTAINER)
 }
 
-allow {
+allow if {
     input.scope == utils.LIST
     utils.is_sandbox
 }
 
-allow {
+allow if {
     input.scope == utils.LIST
     organizations.is_member
 }
 
-filter := [] { # Django Q object to filter list of entries
+filter := [] if { # Django Q object to filter list of entries
     utils.is_admin
     utils.is_sandbox
-} else := qobject {
+} else := qobject if {
     utils.is_admin
     qobject := [ {"organization": input.auth.organization.id} ]
-} else := qobject {
+} else := qobject if {
     utils.has_perm(utils.USER)
     organizations.has_perm(organizations.SUPERVISOR)
     qobject := [ {"organization": input.auth.organization.id} ]
-} else := qobject {
+} else := qobject if {
     utils.is_sandbox
     qobject := [ {"owner": input.auth.user.id} ]
-} else := qobject {
+} else := qobject if {
     utils.is_organization
     qobject := [ {"owner": input.auth.user.id}, {"organization": input.auth.organization.id}, "&" ]
 }
 
-allow {
-    { utils.VIEW, utils.LIST_CONTENT }[input.scope]
+allow if {
+    input.scope in {utils.VIEW, utils.LIST_CONTENT}
     utils.is_sandbox
     utils.is_resource_owner
 }
 
-allow {
-    { utils.VIEW, utils.LIST_CONTENT }[input.scope]
+allow if {
+    input.scope in {utils.VIEW, utils.LIST_CONTENT}
     input.auth.organization.id == input.resource.organization.id
     organizations.is_member
     utils.is_resource_owner
 }
 
-allow {
-    { utils.VIEW, utils.LIST_CONTENT }[input.scope]
+allow if {
+    input.scope in {utils.VIEW, utils.LIST_CONTENT}
     input.auth.organization.id == input.resource.organization.id
     utils.has_perm(utils.USER)
     organizations.has_perm(organizations.SUPERVISOR)
 }
 
-allow {
-    { utils.UPDATE, utils.DELETE }[input.scope]
+allow if {
+    input.scope in {utils.UPDATE, utils.DELETE}
     utils.is_sandbox
     utils.has_perm(utils.WORKER)
     utils.is_resource_owner
 }
 
-allow {
-    { utils.UPDATE, utils.DELETE }[input.scope]
+allow if {
+    input.scope in {utils.UPDATE, utils.DELETE}
     input.auth.organization.id == input.resource.organization.id
     organizations.is_member
     utils.has_perm(utils.WORKER)
     utils.is_resource_owner
 }
 
 
-allow {
-    { utils.UPDATE, utils.DELETE }[input.scope]
+allow if {
+    input.scope in {utils.UPDATE, utils.DELETE}
     input.auth.organization.id == input.resource.organization.id
     utils.has_perm(utils.USER)
     organizations.has_perm(organizations.MAINTAINER)