@@ -127,6 +127,23 @@ EachQueryLoop:
127127 pa .subjectInput , pa .subjectAction , pa .subjectResourceType , nil )
128128}
129129
130+ // Precompiled values to be reused for each Prepare call.
131+ // These values are static and do not change.
132+ var (
133+ // unknownTerms are the unknown values in the rego input.
134+ // These values are pre-parsed to prevent reparsing on every Prepare call.
135+ unknownTerms = []* ast.Term {
136+ ast .MustParseTerm ("input.object.id" ),
137+ ast .MustParseTerm ("input.object.owner" ),
138+ ast .MustParseTerm ("input.object.org_owner" ),
139+ ast .MustParseTerm ("input.object.acl_user_list" ),
140+ ast .MustParseTerm ("input.object.acl_group_list" ),
141+ }
142+
143+ partialQuery = ast .MustParseBody ("data.authz.allow = true" )
144+ policyModule = ast .MustParseModule (policy )
145+ )
146+
130147func newPartialAuthorizer (ctx context.Context , subject Subject , action Action , objectType string ) (* PartialAuthorizer , error ) {
131148 if subject .Roles == nil {
132149 return nil , xerrors .Errorf ("subject must have roles" )
@@ -143,15 +160,9 @@ func newPartialAuthorizer(ctx context.Context, subject Subject, action Action, o
143160 // Run the rego policy with a few unknown fields. This should simplify our
144161 // policy to a set of queries.
145162 partialQueries , err := rego .New (
146- rego .Query ("data.authz.allow = true" ),
147- rego .Module ("policy.rego" , policy ),
148- rego .Unknowns ([]string {
149- "input.object.id" ,
150- "input.object.owner" ,
151- "input.object.org_owner" ,
152- "input.object.acl_user_list" ,
153- "input.object.acl_group_list" ,
154- }),
163+ rego .ParsedQuery (partialQuery ),
164+ rego .ParsedModule (policyModule ),
165+ rego .ParsedUnknowns (unknownTerms ),
155166 rego .ParsedInput (input ),
156167 ).Partial (ctx )
157168 if err != nil {
0 commit comments