Polar Language Reference

Reference guides for the Polar policy language.

Polar Syntax

A brief description of the core syntax elements of Polar.

JavaScript Types in Polar
Working with JavaScript Types Oso’s Node.js authorization library allows you to write policy rules over JavaScript types directly. This document explains how different types of JavaScript values can be used in Oso policies. Note More detailed examples of working with application objects can be found in our Guides. Objects You can pass any JavaScript object into Oso and access its properties from your policy (see Application Types). Class Instances Any new-able JavaScript object (including ES6-style classes) can be constructed from inside an Oso policy using Polar’s new operator if the constructor (a class or function that responds to JavaScript’s new operator) has been registered using the oso.registerClass() method. An example of this can be found here. Numbers and Booleans Polar supports integer and floating point real numbers, as well as booleans (see Primitive Types). Strings JavaScript strings are mapped to Polar strings. JavaScript’s string methods may be called in policies: allow(actor, action, resource) if actor.username.endsWith("example.com"); class User { constructor(username) { this.username = username; } } const user = new User("alice@example.com"); oso.isAllowed(user, "foo", "bar").then(assert); Warning Polar does not support methods that mutate strings in place. Lists JavaScript Arrays are mapped to Polar lists. JavaScript’s Array methods may be called in policies: allow(actor, action, resource) if actor.groups.includes("HR"); class User { constructor(groups) { this.groups = groups; } } const user = new User(["HR", "payroll"]); oso.isAllowed(user, "foo", "bar").then(assert); Warning Polar does not support methods that mutate lists in place unless the list is also returned from the method. Likewise, lists constructed in Polar may be passed into JavaScript methods: allow(actor, action, resource) if actor.hasGroups(["HR", "payroll"]); class User { constructor(groups) { this.groups = groups; } hasGroups(other) { return other.every((group) => this.groups.includes(group)); } } const user = new User(["HR", "payroll"]); oso.isAllowed(user, "foo", "bar").then(assert); There is currently no syntax for random access to a list element within a policy; i.e., there is no Polar equivalent of the JavaScript expression user.groups[1]. To access the elements of a list, you may iterate over it with the in operator or destructure it with pattern matching. Iterables You may iterate over any synchronous or asynchronous) JavaScript iterables using Polar’s in operator: allow(actor, action, resource) if "payroll" in actor.getGroups(); class User { getGroups() { return ["HR", "payroll"]; } } const user = new User(); oso.isAllowed(user, "foo", "bar").then(assert); Promises Oso will await any Promise and then use the resolved value during evaluation of a policy. null The JavaScript null value is registered as the Polar constant nil. If a JavaScript function can return null, you may want to compare the result to nil: allow(actor, action, resource) if actor.getOptional() != nil; class User { getOptional() { return someCondition() ? someThing : null; } } JavaScript → Polar Types Summary JavaScript type Polar type number (integer) Integer number (float) Float boolean Boolean Array List string String

Tell our engineers what it's like