OPA/rego result is true even if a comparison evaluates to false

I just started using OPA, so it is very likely that I am doing something wrong.

I have the following input:

{
  "request": {
    "principalId": "user1",
    "scope": "/workspaces/1/environments/dev/deployments/123",
    "requiredPermissions": [
      "Deployments.ReadWrite",
      "Foo.Bar"
    ]
  }
}

I want to verify that the user has all of the required permissions. I already have the variable I need:

#// this is opa/rego value

"principal_roles_at_requested_scope": [
    "Deployments.Read",
    "Deployments.ReadWrite",
    "WorkspaceEnvironments.Read",
    "Workspaces.Read"
]

This should set allow to false, because Foo.Bar is not in the principal_roles_at_requested_scope set, but it evaluates to true:

allow {
    some i
    # `some i` is existential: the rule body succeeds as soon as ONE index i satisfies it
    input.request.requiredPermissions[i] in principal_roles_at_requested_scope
}

This, on the other hand, works, but obviously cannot be used:

allow {
    input.request.requiredPermissions[0] in principal_roles_at_requested_scope
    input.request.requiredPermissions[1] in principal_roles_at_requested_scope
}

OK,

Thanks to this I figured it out.

This is how it was solved:

any_missing_permissions {
    some v in input.request.requiredPermissions
    not v in principal_roles_at_requested_scope
}

allow {
    #// Each permission required in the request has to be available
    #// at the requested scope
    not any_missing_permissions
}
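The same universal check can be stated directly with Rego's `every` keyword, which avoids the double negation and makes the "all required permissions must be held" intent explicit. The policy below is an added example, not code from the thread; it assumes a package name of `authz`, a `principal_roles_at_requested_scope` set constructed inline from the values in the question, and an OPA version that supports `future.keywords`. It also guards the one edge case both the `every` form and the `not any_missing_permissions` form share: an empty `requiredPermissions` list is vacuously satisfied, so the rule requires at least one permission to be requested.

```rego
package authz

import future.keywords

# Constructed sample data standing in for the question's
# principal_roles_at_requested_scope (in a real policy this comes from data.* or another rule).
principal_roles_at_requested_scope := {
    "Deployments.Read",
    "Deployments.ReadWrite",
    "WorkspaceEnvironments.Read",
    "Workspaces.Read"
}

default allow := false

# Universal quantification: allow only if EVERY required permission is held at the scope.
# An empty requiredPermissions list would make `every` vacuously true, so reject it explicitly.
allow if {
    count(input.request.requiredPermissions) > 0
    every p in input.request.requiredPermissions {
        p in principal_roles_at_requested_scope
    }
}

# Useful for decision logs / debugging: the set of required permissions the principal lacks.
missing_permissions := {p |
    some p in input.request.requiredPermissions
    not p in principal_roles_at_requested_scope
}

# Unit tests, run with: opa test .
test_denied_when_a_permission_is_missing if {
    not allow with input as {"request": {"requiredPermissions": ["Deployments.ReadWrite", "Foo.Bar"]}}
}

test_allowed_when_all_permissions_present if {
    allow with input as {"request": {"requiredPermissions": ["Deployments.ReadWrite", "Workspaces.Read"]}}
}

test_denied_when_nothing_is_requested if {
    not allow with input as {"request": {"requiredPermissions": []}}
}
```

With the question's input, `missing_permissions` evaluates to `{"Foo.Bar"}`, which is what you would want surfaced in an audit log alongside the deny decision.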