Refactor OPA policies, add linter, and update CI.

.github/workflows/opa.yml

@@ -1,5 +1,6 @@
 name: Run OPA Tests
 on: [push, workflow_dispatch]
+
 jobs:
   Run-OPA-Tests:
     runs-on: ubuntu-latest
@@ -12,5 +13,13 @@ jobs:
       with:
         version: latest
 
+    - name: Setup Regal
+      uses: StyraInc/setup-regal@v0.2.0
+      with:
+        version: latest
+
     - name: Run OPA Tests
       run: opa test src -v
+
+    - name: Lint OPA Policies
+      run: regal lint --format github ./src

.regal/config.yaml

@@ -0,0 +1,5 @@
+rules:
+  idiomatic:
+    no-defined-entrypoint:
+      # This repo consists of a set of library functions, which therefore have no entrypoint.
+      level: ignore

src/abbey/functions/expire_after.rego

@@ -1,16 +1,22 @@
-package abbey.functions
+package abbey.functions_test
 
 import future.keywords.if
 
-# Function that checks if the time at `ts` has expired, relative to the time at `approved_at`.
-# The `ts` input is a string that can be parsed by Rego's native `time.parse_duration_ns` function.
-# Valid string values are derived from https://pkg.go.dev/time#ParseDuration.
-# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
-# This function compares against data under the `system.abbey.target` namespace.
+# METADATA
+# title: Expire After
+# description: |
+#  Function that checks if the time at `ts` has expired, relative to the time at `approved_at`.
+#  The `ts` input is a string that can be parsed by Rego's native `time.parse_duration_ns` function.
+#  Valid string values are derived from https://pkg.go.dev/time#ParseDuration.
+#  Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+#  This function compares against data under the `system.abbey.target` namespace.
+# related_resources:
+# - ref: https://docs.abbey.io/use-cases/time-based-access/expire-after-a-duration
+# entrypoint: false
 expire_after(ts) := live if {
 	expires_after := time.parse_duration_ns(ts)
 	approved_at := time.parse_rfc3339_ns(data.system.abbey.target.grant.approved_at)
 	expires_at := approved_at + expires_after
 	now := time.now_ns()
 	live := (now - expires_at) < 0
-}
+}

src/abbey/functions/expire_after_test.rego

@@ -1,18 +1,18 @@
-package abbey.functions
+package abbey.functions_test
 
 import future.keywords.if
 
-test_expired if {
-    not expire_after("1m") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
-        with time.now_ns as 1672534900000000000
+test_after_expired_duration if {
+	not expire_after("1m") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
+		with time.now_ns as 1672534900000000000
 }
 
-test_expired if {
-    not expire_after("1m") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
-        with time.now_ns as 1672534860000000000
+test_at_expired_duration if {
+	not expire_after("1m") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
+		with time.now_ns as 1672534860000000000
 }
 
-test_not_expired if {
-    expire_after("1m") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
-        with time.now_ns as 0
+test_before_expired_duration if {
+	expire_after("1m") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
+		with time.now_ns as 0
 }

src/abbey/functions/expire_at.rego

@@ -1,10 +1,16 @@
-package abbey.functions
+package abbey.functions_test
 
 import future.keywords.if
 
-# Function that checks if the time at `ts` has expired, relative to the time at `approved_at`.
-# The `ts` input is a string representing the RFC 3339 date time format.
-# This function compares against data under the `system.abbey.target` namespace.
+# METADATA
+# title: Expire At
+# description: |
+#  Function that checks if the time at `ts` has expired, relative to the time at `approved_at`.
+#  The `ts` input is a string representing the RFC 3339 date time format.
+#  This function compares against data under the `system.abbey.target` namespace.
+# related_resources:
+# - ref: https://docs.abbey.io/use-cases/time-based-access/expire-at-a-specific-time
+# entrypoint: false
 expire_at(ts) := live if {
 	expires_at := time.parse_rfc3339_ns(ts)
 	now := time.now_ns()

src/abbey/functions/expire_at_test.rego

@@ -1,18 +1,18 @@
-package abbey.functions
+package abbey.functions_test
 
 import future.keywords.if
 
-test_expired if {
-    not expire_at("2023-01-01T02:00:00Z") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
-        with time.now_ns as 1672538500000000000
+test_after_expired_at_threshold if {
+	not expire_at("2023-01-01T02:00:00Z") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
+		with time.now_ns as 1672538500000000000
 }
 
-test_expired if {
-    not expire_at("2023-01-01T01:00:00Z") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
-        with time.now_ns as 1672538400000000000
+test_on_expired_at_threshold if {
+	not expire_at("2023-01-01T01:00:00Z") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
+		with time.now_ns as 1672538400000000000
 }
 
-test_not_expired if {
-    expire_at("2023-01-01T01:00:00Z") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
-        with time.now_ns as 0
-}
+test_before_expired_at_threshold if {
+	expire_at("2023-01-01T01:00:00Z") with data.system.abbey.target.grant.approved_at as "2023-01-01T01:00:00Z"
+		with time.now_ns as 0
+}