Support for typename import aliases in policy compiler

l46kok · copybara-github · commit 3d5cfd6f8032 · 2025-07-29T14:48:29.000-07:00
PiperOrigin-RevId: 786809539
diff --git a/checker/src/main/java/dev/cel/checker/CelCheckerBuilder.java b/checker/src/main/java/dev/cel/checker/CelCheckerBuilder.java
@@ -49,6 +49,9 @@ public interface CelCheckerBuilder {
   @CanIgnoreReturnValue
   CelCheckerBuilder setContainer(CelContainer container);
 
+  /** Retrieves the currently configured {@link CelContainer} in the builder. */
+  CelContainer container();
+
   /** Add variable and function {@code declarations} to the CEL environment. */
   @CanIgnoreReturnValue
   CelCheckerBuilder addDeclarations(Decl... declarations);
diff --git a/checker/src/main/java/dev/cel/checker/CelCheckerLegacyImpl.java b/checker/src/main/java/dev/cel/checker/CelCheckerLegacyImpl.java
@@ -210,6 +210,11 @@ public CelCheckerBuilder setContainer(CelContainer container) {
       return this;
     }
 
+    @Override
+    public CelContainer container() {
+      return this.container;
+    }
+
     @Override
     public CelCheckerBuilder addDeclarations(Decl... declarations) {
       checkNotNull(declarations);
diff --git a/common/src/main/java/dev/cel/common/CelContainer.java b/common/src/main/java/dev/cel/common/CelContainer.java
@@ -108,6 +108,8 @@ public Builder addAbbreviations(String... qualifiedNames) {
      * <p>If there is ever a case where an identifier could be in both the container and as an
      * abbreviation, the abbreviation wins as this will ensure that the meaning of a program is
      * preserved between compilations even as the container evolves.
+     *
+     * @throws IllegalArgumentException If qualifiedName is invalid per above specification.
      */
     @CanIgnoreReturnValue
     public Builder addAbbreviations(ImmutableSet<String> qualifiedNames) {
@@ -250,6 +252,8 @@ public ImmutableSet<String> resolveCandidateNames(String typeName) {
     return candidates.add(typeName).build();
   }
 
+  public abstract Builder toBuilder();
+
   public static Builder newBuilder() {
     return new AutoValue_CelContainer.Builder().setName("");
   }
diff --git a/policy/src/main/java/dev/cel/policy/BUILD.bazel b/policy/src/main/java/dev/cel/policy/BUILD.bazel
@@ -206,6 +206,7 @@ java_library(
         "//common:cel_ast",
         "//common:cel_source",
         "//common:compiler_common",
+        "//common:container",
         "//common:source_location",
         "//common/ast",
         "//common/formats:value_string",
diff --git a/policy/src/main/java/dev/cel/policy/CelPolicy.java b/policy/src/main/java/dev/cel/policy/CelPolicy.java
@@ -46,6 +46,8 @@ public abstract class CelPolicy {
 
   public abstract ImmutableMap<String, Object> metadata();
 
+  public abstract ImmutableList<Import> imports();
+
   /** Creates a new builder to construct a {@link CelPolicy} instance. */
   public static Builder newBuilder() {
     return new AutoValue_CelPolicy.Builder()
@@ -74,6 +76,16 @@ public abstract static class Builder {
 
     public abstract Builder setMetadata(ImmutableMap<String, Object> value);
 
+    abstract ImmutableList.Builder<Import> importsBuilder();
+
+    abstract Builder setImports(ImmutableList<Import> value);
+
+    @CanIgnoreReturnValue
+    public Builder addImport(Import value) {
+      importsBuilder().add(value);
+      return this;
+    }
+
     @CanIgnoreReturnValue
     public Builder putMetadata(String key, Object value) {
       metadataBuilder().put(key, value);
@@ -278,4 +290,16 @@ public static Builder newBuilder() {
       return new AutoValue_CelPolicy_Variable.Builder();
     }
   }
+
+  /** Import represents an imported type name which is aliased within CEL expressions. */
+  @AutoValue
+  public abstract static class Import {
+    public abstract long id();
+
+    public abstract ValueString name();
+
+    public static Import create(long id, ValueString name) {
+      return new AutoValue_CelPolicy_Import(id, name);
+    }
+  }
 }
diff --git a/policy/src/main/java/dev/cel/policy/CelPolicyCompilerImpl.java b/policy/src/main/java/dev/cel/policy/CelPolicyCompilerImpl.java
@@ -21,6 +21,7 @@
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import dev.cel.bundle.Cel;
 import dev.cel.common.CelAbstractSyntaxTree;
+import dev.cel.common.CelContainer;
 import dev.cel.common.CelIssue;
 import dev.cel.common.CelSource;
 import dev.cel.common.CelSourceLocation;
@@ -39,6 +40,7 @@
 import dev.cel.policy.CelCompiledRule.CelCompiledMatch.Result;
 import dev.cel.policy.CelCompiledRule.CelCompiledMatch.Result.Kind;
 import dev.cel.policy.CelCompiledRule.CelCompiledVariable;
+import dev.cel.policy.CelPolicy.Import;
 import dev.cel.policy.CelPolicy.Match;
 import dev.cel.policy.CelPolicy.Variable;
 import dev.cel.policy.RuleComposer.RuleCompositionException;
@@ -63,7 +65,28 @@ final class CelPolicyCompilerImpl implements CelPolicyCompiler {
   @Override
   public CelCompiledRule compileRule(CelPolicy policy) throws CelPolicyValidationException {
     CompilerContext compilerContext = new CompilerContext(policy.policySource());
-    CelCompiledRule compiledRule = compileRuleImpl(policy.rule(), cel, compilerContext);
+
+    Cel extendedCel = this.cel;
+
+    if (!policy.imports().isEmpty()) {
+      CelContainer.Builder containerBuilder =
+          extendedCel.toCheckerBuilder().container().toBuilder();
+
+      for (Import imp : policy.imports()) {
+        try {
+          containerBuilder.addAbbreviations(imp.name().value());
+        } catch (IllegalArgumentException e) {
+          compilerContext.addIssue(
+              imp.id(),
+              CelIssue.formatError(
+                  1, 0, String.format("Error configuring import: %s", e.getMessage())));
+        }
+      }
+
+      extendedCel = extendedCel.toCelBuilder().setContainer(containerBuilder.build()).build();
+    }
+
+    CelCompiledRule compiledRule = compileRuleImpl(policy.rule(), extendedCel, compilerContext);
     if (compilerContext.hasError()) {
       throw new CelPolicyValidationException(compilerContext.getIssueString());
     }
diff --git a/policy/src/main/java/dev/cel/policy/CelPolicyYamlParser.java b/policy/src/main/java/dev/cel/policy/CelPolicyYamlParser.java
@@ -27,6 +27,7 @@
 import dev.cel.common.formats.YamlHelper.YamlNodeType;
 import dev.cel.common.formats.YamlParserContextImpl;
 import dev.cel.common.internal.CelCodePointArray;
+import dev.cel.policy.CelPolicy.Import;
 import dev.cel.policy.CelPolicy.Match;
 import dev.cel.policy.CelPolicy.Match.Result;
 import dev.cel.policy.CelPolicy.Variable;
@@ -118,6 +119,9 @@ public CelPolicy parsePolicy(PolicyParserContext<Node> ctx, Node node) {
         Node valueNode = nodeTuple.getValueNode();
         String fieldName = ((ScalarNode) keyNode).getValue();
         switch (fieldName) {
+          case "imports":
+            parseImports(policyBuilder, ctx, valueNode);
+            break;
           case "name":
             policyBuilder.setName(ctx.newValueString(valueNode));
             break;
@@ -141,6 +145,51 @@ public CelPolicy parsePolicy(PolicyParserContext<Node> ctx, Node node) {
           .build();
     }
 
+    private void parseImports(
+        CelPolicy.Builder policyBuilder, PolicyParserContext<Node> ctx, Node node) {
+      long id = ctx.collectMetadata(node);
+      if (!assertYamlType(ctx, id, node, YamlNodeType.LIST)) {
+        return;
+      }
+
+      SequenceNode importListNode = (SequenceNode) node;
+      for (Node importNode : importListNode.getValue()) {
+        parseImport(policyBuilder, ctx, importNode);
+      }
+    }
+
+    private void parseImport(
+        CelPolicy.Builder policyBuilder, PolicyParserContext<Node> ctx, Node node) {
+      long importId = ctx.collectMetadata(node);
+      if (!assertYamlType(ctx, importId, node, YamlNodeType.MAP)) {
+        return;
+      }
+
+      MappingNode mappingNode = (MappingNode) node;
+      for (NodeTuple nodeTuple : mappingNode.getValue()) {
+        Node key = nodeTuple.getKeyNode();
+        long keyId = ctx.collectMetadata(key);
+        if (!assertYamlType(ctx, keyId, key, YamlNodeType.STRING, YamlNodeType.TEXT)) {
+          continue;
+        }
+
+        String fieldName = ((ScalarNode) key).getValue();
+        if (!fieldName.equals("name")) {
+          ctx.reportError(
+              keyId, String.format("Invalid import key: %s, expected 'name'", fieldName));
+          continue;
+        }
+
+        Node value = nodeTuple.getValueNode();
+        long valueId = ctx.collectMetadata(value);
+        if (!assertYamlType(ctx, valueId, value, YamlNodeType.STRING, YamlNodeType.TEXT)) {
+          continue;
+        }
+
+        policyBuilder.addImport(Import.create(valueId, ctx.newValueString(value)));
+      }
+    }
+
     @Override
     public CelPolicy.Rule parseRule(
         PolicyParserContext<Node> ctx, CelPolicy.Builder policyBuilder, Node node) {
diff --git a/policy/src/test/java/dev/cel/policy/BUILD.bazel b/policy/src/test/java/dev/cel/policy/BUILD.bazel
@@ -19,6 +19,7 @@ java_library(
         "//common:options",
         "//common/formats:value_string",
         "//common/internal",
+        "//common/resources/testdata/proto3:standalone_global_enum_java_proto",
         "//compiler",
         "//extensions:optional_library",
         "//parser:macro",
diff --git a/policy/src/test/java/dev/cel/policy/CelPolicyCompilerImplTest.java b/policy/src/test/java/dev/cel/policy/CelPolicyCompilerImplTest.java
@@ -43,6 +43,7 @@
 import dev.cel.policy.PolicyTestHelper.TestYamlPolicy;
 import dev.cel.runtime.CelFunctionBinding;
 import dev.cel.runtime.CelLateFunctionBindings;
+import dev.cel.testing.testdata.proto3.StandaloneGlobalEnum;
 import java.io.IOException;
 import java.util.Map;
 import java.util.Optional;
@@ -290,6 +291,7 @@ private static Cel newCel() {
         .setStandardMacros(CelStandardMacro.STANDARD_MACROS)
         .addCompilerLibraries(CelOptionalLibrary.INSTANCE)
         .addRuntimeLibraries(CelOptionalLibrary.INSTANCE)
+        .addFileTypes(StandaloneGlobalEnum.getDescriptor().getFile())
         .addMessageTypes(TestAllTypes.getDescriptor())
         .setOptions(CEL_OPTIONS)
         .addFunctionBindings(
diff --git a/policy/src/test/java/dev/cel/policy/PolicyTestHelper.java b/policy/src/test/java/dev/cel/policy/PolicyTestHelper.java
@@ -106,8 +106,13 @@ enum TestYamlPolicy {
     PB(
         "pb",
         true,
-        "(spec.single_int32 > 10) ? optional.of(\"invalid spec, got single_int32=\" +"
-            + " string(spec.single_int32) + \", wanted <= 10\") : optional.none()"),
+        "(spec.single_int32 > TestAllTypes{single_int64: 10}.single_int64) ? optional.of(\"invalid"
+            + " spec, got single_int32=\" + string(spec.single_int32) + \", wanted <= 10\") :"
+            + " ((spec.standalone_enum == cel.expr.conformance.proto3.TestAllTypes.NestedEnum.BAR"
+            + " || dev.cel.testing.testdata.proto3.StandaloneGlobalEnum.SGAR =="
+            + " dev.cel.testing.testdata.proto3.StandaloneGlobalEnum.SGOO) ? optional.of(\"invalid"
+            + " spec, neither nested nor imported enums may refer to BAR or SBAR\") :"
+            + " optional.none())"),
     LIMITS(
         "limits",
         true,
diff --git a/testing/src/test/resources/policy/compile_errors/expected_errors.baseline b/testing/src/test/resources/policy/compile_errors/expected_errors.baseline
@@ -1,24 +1,30 @@
-ERROR: compile_errors/policy.yaml:19:19: undeclared reference to 'spec' (in container '')
+ERROR: compile_errors/policy.yaml:19:5: Error configuring import: invalid qualified name: punc.Import!, wanted name of the form 'qualified.name'
+ |     punc.Import!
+ | ....^
+ERROR: compile_errors/policy.yaml:20:10: Error configuring import: invalid qualified name: bad import, wanted name of the form 'qualified.name'
+ | - name: "bad import"
+ | .........^
+ERROR: compile_errors/policy.yaml:24:19: undeclared reference to 'spec' (in container '')
  |       expression: spec.labels
  | ..................^
-ERROR: compile_errors/policy.yaml:21:50: mismatched input 'resource' expecting {'==', '!=', 'in', '<', '<=', '>=', '>', '&&', '||', '[', ')', '.', '-', '?', '+', '*', '/', '%%'}
+ERROR: compile_errors/policy.yaml:26:50: mismatched input 'resource' expecting {'==', '!=', 'in', '<', '<=', '>=', '>', '&&', '||', '[', ')', '.', '-', '?', '+', '*', '/', '%%'}
  |       expression: variables.want.filter(l, !(lin resource.labels))
  | .................................................^
-ERROR: compile_errors/policy.yaml:21:66: extraneous input ')' expecting <EOF>
+ERROR: compile_errors/policy.yaml:26:66: extraneous input ')' expecting <EOF>
  |       expression: variables.want.filter(l, !(lin resource.labels))
  | .................................................................^
-ERROR: compile_errors/policy.yaml:23:27: mismatched input '2' expecting {'}', ','}
+ERROR: compile_errors/policy.yaml:28:27: mismatched input '2' expecting {'}', ','}
  |       expression: "{1:305 2:569}"
  | ..........................^
-ERROR: compile_errors/policy.yaml:31:75: extraneous input ']' expecting ')'
+ERROR: compile_errors/policy.yaml:36:75: extraneous input ']' expecting ')'
  |         "missing one or more required labels: %s".format(variables.missing])
  | ..........................................................................^
-ERROR: compile_errors/policy.yaml:34:67: undeclared reference to 'format' (in container '')
+ERROR: compile_errors/policy.yaml:39:67: undeclared reference to 'format' (in container '')
  |         "invalid values provided on one or more labels: %s".format([variables.invalid])
  | ..................................................................^
-ERROR: compile_errors/policy.yaml:35:19: condition must produce a boolean output.
+ERROR: compile_errors/policy.yaml:40:19: condition must produce a boolean output.
  |     - condition: '1'
  | ..................^
-ERROR: compile_errors/policy.yaml:38:24: found no matching overload for '_==_' applied to '(bool, string)' (candidates: (%A0, %A0))
+ERROR: compile_errors/policy.yaml:43:24: found no matching overload for '_==_' applied to '(bool, string)' (candidates: (%A0, %A0))
  |     - condition: false == "0"
  | .......................^
diff --git a/testing/src/test/resources/policy/compile_errors/policy.yaml b/testing/src/test/resources/policy/compile_errors/policy.yaml
@@ -13,6 +13,11 @@
 # limitations under the License.
 
 name: "errors"
+imports:
+- name: " untrimmed.Import1  "
+- name: >
+    punc.Import!
+- name: "bad import"
 rule:
   variables:
     - name: want
diff --git a/testing/src/test/resources/policy/pb/policy.yaml b/testing/src/test/resources/policy/pb/policy.yaml
@@ -13,8 +13,24 @@
 # limitations under the License.
 
 name: "pb"
+
+imports:
+- name: cel.expr.conformance.proto3.TestAllTypes
+- name: cel.expr.conformance.proto3.TestAllTypes.NestedEnum
+  # Note: Following enum is CEL-Java only.
+- name: |
+    dev.cel.testing.testdata.proto3.StandaloneGlobalEnum
+
 rule:
   match:
-  - condition: spec.single_int32 > 10
+  - condition: >
+      spec.single_int32 > TestAllTypes{single_int64: 10}.single_int64
     output: |
       "invalid spec, got single_int32=" + string(spec.single_int32) + ", wanted <= 10"
+#       TODO: replace when string.format is available
+#      "invalid spec, got single_int32=%d, wanted <= 10".format([spec.single_int32])
+  - condition: >
+      spec.standalone_enum == NestedEnum.BAR ||
+      StandaloneGlobalEnum.SGAR == StandaloneGlobalEnum.SGOO
+    output: |
+      "invalid spec, neither nested nor imported enums may refer to BAR or SBAR"
