Rego 对象匹配和比较
Rego Object matching and comparison
我正在尝试从给定的输入中匹配 domain 键("domain": "example.com"),如果两个值不相同,就返回一个错误。到目前为止,这是我的思路,但我似乎无法匹配到 domain 键,因此测试失败了。如有任何建议,我将不胜感激。
OPA 策略:
package main
import data.config
# warning_mode: the list of rule names whose findings are reported as warnings
# instead of denials. Falls back to [] when data.config.warn_mode is undefined.
# NOTE(review): every name listed here downgrades enforcement, so changes to
# config.warn_mode deserve the same review as changes to the policy itself.
default warning_mode = []

warning_mode = config.warn_mode {
	config.warn_mode
}
# array_contains(arr, elem) holds when elem occurs at any index of arr.
array_contains(arr, elem) {
	some i
	arr[i] == elem
}
# exception: exposes the rule names listed under data.config.exceptions.rules.
# NOTE(review): this looks like the conftest `exception` hook (rules named here
# are skipped) — confirm against the evaluation harness, since it is another
# config-controlled way to switch enforcement off.
exception[r] {
	r := config.exceptions.rules
}
# deny_missing_config: emits a denial when data.config is absent altogether, so
# a missing configuration file fails closed instead of silently evaluating with
# no warn_mode and no exceptions.
deny_missing_config["Missing configuration file"] {
	not config
}
## Main
# aws_ses_dkim: the set of planned resource changes whose type is
# aws_ses_domain_dkim.
aws_ses_dkim[rc] {
	some i
	rc := input.resource_changes[i]
	rc.type == "aws_ses_domain_dkim"
}
# aws_ses_domain: the set of planned resource changes whose type is
# aws_ses_domain_identity.
aws_ses_domain[rc] {
	some i
	rc := input.resource_changes[i]
	rc.type == "aws_ses_domain_identity"
}
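# ses_missing_dkim: reports a DKIM resource whose values.domain does not match
# the values.domain of an aws_ses_domain_identity resource in the same plan.
#
# x and y as bound by walk() are plain strings, so the original `x - y` was not
# a set difference. The comprehensions below collect the domain value(s) into
# sets so that `-` is well-defined; an absent path simply yields an empty set.
#
# NOTE(review): this pairs every DKIM resource with every identity resource, so
# a plan holding two different, correctly configured domains still fires for
# the cross pairs — confirm that is intended.
ses_missing_dkim[msg] {
	a := aws_ses_dkim[_]
	e := aws_ses_domain[_]
	dkim_domains := {x | walk(a, [["values", "domain"], x])}
	identity_domains := {y | walk(e, [["values", "domain"], y])}
	err := dkim_domains - identity_domains
	err != set()
	# sprintf needs one verb per argument; without them the arguments are not
	# interpolated and are appended as a "%!(EXTRA ...)" marker instead.
	msg := sprintf("Placeholder error: %v (%s, %s)", [err, a.address, e.address])
}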
## Test Cases
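# deny_ses_missing_dkim: surfaces ses_missing_dkim findings as denials unless
# "ses_missing_dkim" is listed in warning_mode, in which case
# warn_ses_missing_dkim reports them instead.
deny_ses_missing_dkim[msg] {
	not array_contains(warning_mode, "ses_missing_dkim")
	# Iterating the set directly is enough: an empty set leaves this rule
	# undefined. The original `ses_missing_dkim[_] != []` compared each message
	# string with an empty array and so was always true — it checked nothing.
	msg := ses_missing_dkim[_]
}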
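# warn_ses_missing_dkim: the warning-level counterpart of deny_ses_missing_dkim;
# active only while "ses_missing_dkim" is listed in warning_mode, so a finding
# is routed to exactly one of the two rules.
warn_ses_missing_dkim[msg] {
	array_contains(warning_mode, "ses_missing_dkim")
	# Iterating the set directly is enough: an empty set leaves this rule
	# undefined. The original `ses_missing_dkim[_] != []` compared each message
	# string with an empty array and so was always true — it checked nothing.
	msg := ses_missing_dkim[_]
}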
# test_ses_missing_dkim_invalid: with the mock plan data.mock.invalid_ses_dkim
# (expected to hold a mismatch), exactly one finding must be produced, routed to
# warn_* when "ses_missing_dkim" is in warn_mode and to deny_* otherwise.
test_ses_missing_dkim_invalid {
	plan := data.mock.invalid_ses_dkim
	warn_off := warn_ses_missing_dkim with input as plan with data.config.warn_mode as []
	warn_on := warn_ses_missing_dkim with input as plan with data.config.warn_mode as ["ses_missing_dkim"]
	deny_off := deny_ses_missing_dkim with input as plan with data.config.warn_mode as []
	deny_on := deny_ses_missing_dkim with input as plan with data.config.warn_mode as ["ses_missing_dkim"]
	count(warn_off) == 0
	count(warn_on) == 1
	count(deny_off) == 1
	count(deny_on) == 0
	# Each pair fires exactly once: the finding is routed, never duplicated or dropped.
	count(warn_off) + count(warn_on) == 1
	count(deny_off) + count(deny_on) == 1
}
# test_ses_missing_dkim_valid: with the mock plan data.mock.ses_dkim (expected
# to be consistent), neither the warn nor the deny rule may fire, whatever
# warn_mode says.
test_ses_missing_dkim_valid {
	plan := data.mock.ses_dkim
	warn_off := warn_ses_missing_dkim with input as plan with data.config.warn_mode as []
	warn_on := warn_ses_missing_dkim with input as plan with data.config.warn_mode as ["ses_missing_dkim"]
	deny_off := deny_ses_missing_dkim with input as plan with data.config.warn_mode as []
	deny_on := deny_ses_missing_dkim with input as plan with data.config.warn_mode as ["ses_missing_dkim"]
	count(warn_off) + count(warn_on) + count(deny_off) + count(deny_on) == 0
}
输入(Terraform JSON):
"resource_changes":[
{
"address":"aws_ses_domain_dkim.example",
"mode":"managed",
"type":"aws_ses_domain_dkim",
"name":"example",
"provider_name":"registry.terraform.io/hashicorp/aws",
"schema_version":0,
"values":{
"domain":"example.com"
},
"sensitive_values":{
"dkim_tokens":[
]
}
},
{
"address":"aws_ses_domain_identity.example",
"mode":"managed",
"type":"aws_ses_domain_identity",
"name":"example",
"provider_name":"registry.terraform.io/hashicorp/aws",
"schema_version":0,
"values":{
"domain":"example.com"
},
"sensitive_values":{
}
}
]
walk 函数检索到的 x 和 y 值将是字符串,因此 err := x - y 将不起作用。如果你想要一组值,可以把 walk 调用包装在一个集合推导式中,以得到包含所有值的集合:
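# ses_missing_dkim: reports a DKIM resource whose values.domain differs from the
# values.domain of an aws_ses_domain_identity resource in the same plan.
# The comprehensions turn the (string) walk() results into sets so that `-` is
# a set difference; an absent path simply yields an empty set.
ses_missing_dkim[msg] {
	a := aws_ses_dkim[_]
	e := aws_ses_domain[_]
	xs := {x | walk(a, [["values", "domain"], x])}
	ys := {y | walk(e, [["values", "domain"], y])}
	err := xs - ys
	err != set()
	# Give sprintf one verb per argument; otherwise the arguments are not
	# interpolated and show up as a trailing "%!(EXTRA ...)" in the message.
	msg := sprintf("Placeholder error: %v (%s, %s)", [err, a.address, e.address])
}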
这里你可能不需要 walk,因为这些值总是位于已知的路径上。
我正在尝试从给定的输入中匹配 domain 键("domain": "example.com"),如果两个值不相同,就返回一个错误。到目前为止,这是我的思路,但我似乎无法匹配到 domain 键,因此测试失败了。如有任何建议,我将不胜感激。
OPA 策略:
package main
import data.config
# warning_mode: the list of rule names whose findings are reported as warnings
# instead of denials. Falls back to [] when data.config.warn_mode is undefined.
# NOTE(review): every name listed here downgrades enforcement, so changes to
# config.warn_mode deserve the same review as changes to the policy itself.
default warning_mode = []

warning_mode = config.warn_mode {
	config.warn_mode
}
# array_contains(arr, elem) holds when elem occurs at any index of arr.
array_contains(arr, elem) {
	some i
	arr[i] == elem
}
# exception: exposes the rule names listed under data.config.exceptions.rules.
# NOTE(review): this looks like the conftest `exception` hook (rules named here
# are skipped) — confirm against the evaluation harness, since it is another
# config-controlled way to switch enforcement off.
exception[r] {
	r := config.exceptions.rules
}
# deny_missing_config: emits a denial when data.config is absent altogether, so
# a missing configuration file fails closed instead of silently evaluating with
# no warn_mode and no exceptions.
deny_missing_config["Missing configuration file"] {
	not config
}
## Main
# aws_ses_dkim: the set of planned resource changes whose type is
# aws_ses_domain_dkim.
aws_ses_dkim[rc] {
	some i
	rc := input.resource_changes[i]
	rc.type == "aws_ses_domain_dkim"
}
# aws_ses_domain: the set of planned resource changes whose type is
# aws_ses_domain_identity.
aws_ses_domain[rc] {
	some i
	rc := input.resource_changes[i]
	rc.type == "aws_ses_domain_identity"
}
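# ses_missing_dkim: reports a DKIM resource whose values.domain does not match
# the values.domain of an aws_ses_domain_identity resource in the same plan.
#
# x and y as bound by walk() are plain strings, so the original `x - y` was not
# a set difference. The comprehensions below collect the domain value(s) into
# sets so that `-` is well-defined; an absent path simply yields an empty set.
#
# NOTE(review): this pairs every DKIM resource with every identity resource, so
# a plan holding two different, correctly configured domains still fires for
# the cross pairs — confirm that is intended.
ses_missing_dkim[msg] {
	a := aws_ses_dkim[_]
	e := aws_ses_domain[_]
	dkim_domains := {x | walk(a, [["values", "domain"], x])}
	identity_domains := {y | walk(e, [["values", "domain"], y])}
	err := dkim_domains - identity_domains
	err != set()
	# sprintf needs one verb per argument; without them the arguments are not
	# interpolated and are appended as a "%!(EXTRA ...)" marker instead.
	msg := sprintf("Placeholder error: %v (%s, %s)", [err, a.address, e.address])
}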
## Test Cases
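# deny_ses_missing_dkim: surfaces ses_missing_dkim findings as denials unless
# "ses_missing_dkim" is listed in warning_mode, in which case
# warn_ses_missing_dkim reports them instead.
deny_ses_missing_dkim[msg] {
	not array_contains(warning_mode, "ses_missing_dkim")
	# Iterating the set directly is enough: an empty set leaves this rule
	# undefined. The original `ses_missing_dkim[_] != []` compared each message
	# string with an empty array and so was always true — it checked nothing.
	msg := ses_missing_dkim[_]
}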
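# warn_ses_missing_dkim: the warning-level counterpart of deny_ses_missing_dkim;
# active only while "ses_missing_dkim" is listed in warning_mode, so a finding
# is routed to exactly one of the two rules.
warn_ses_missing_dkim[msg] {
	array_contains(warning_mode, "ses_missing_dkim")
	# Iterating the set directly is enough: an empty set leaves this rule
	# undefined. The original `ses_missing_dkim[_] != []` compared each message
	# string with an empty array and so was always true — it checked nothing.
	msg := ses_missing_dkim[_]
}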
# test_ses_missing_dkim_invalid: with the mock plan data.mock.invalid_ses_dkim
# (expected to hold a mismatch), exactly one finding must be produced, routed to
# warn_* when "ses_missing_dkim" is in warn_mode and to deny_* otherwise.
test_ses_missing_dkim_invalid {
	plan := data.mock.invalid_ses_dkim
	warn_off := warn_ses_missing_dkim with input as plan with data.config.warn_mode as []
	warn_on := warn_ses_missing_dkim with input as plan with data.config.warn_mode as ["ses_missing_dkim"]
	deny_off := deny_ses_missing_dkim with input as plan with data.config.warn_mode as []
	deny_on := deny_ses_missing_dkim with input as plan with data.config.warn_mode as ["ses_missing_dkim"]
	count(warn_off) == 0
	count(warn_on) == 1
	count(deny_off) == 1
	count(deny_on) == 0
	# Each pair fires exactly once: the finding is routed, never duplicated or dropped.
	count(warn_off) + count(warn_on) == 1
	count(deny_off) + count(deny_on) == 1
}
# test_ses_missing_dkim_valid: with the mock plan data.mock.ses_dkim (expected
# to be consistent), neither the warn nor the deny rule may fire, whatever
# warn_mode says.
test_ses_missing_dkim_valid {
	plan := data.mock.ses_dkim
	warn_off := warn_ses_missing_dkim with input as plan with data.config.warn_mode as []
	warn_on := warn_ses_missing_dkim with input as plan with data.config.warn_mode as ["ses_missing_dkim"]
	deny_off := deny_ses_missing_dkim with input as plan with data.config.warn_mode as []
	deny_on := deny_ses_missing_dkim with input as plan with data.config.warn_mode as ["ses_missing_dkim"]
	count(warn_off) + count(warn_on) + count(deny_off) + count(deny_on) == 0
}
输入(Terraform JSON):
"resource_changes":[
{
"address":"aws_ses_domain_dkim.example",
"mode":"managed",
"type":"aws_ses_domain_dkim",
"name":"example",
"provider_name":"registry.terraform.io/hashicorp/aws",
"schema_version":0,
"values":{
"domain":"example.com"
},
"sensitive_values":{
"dkim_tokens":[
]
}
},
{
"address":"aws_ses_domain_identity.example",
"mode":"managed",
"type":"aws_ses_domain_identity",
"name":"example",
"provider_name":"registry.terraform.io/hashicorp/aws",
"schema_version":0,
"values":{
"domain":"example.com"
},
"sensitive_values":{
}
}
]
walk 函数检索到的 x 和 y 值将是字符串,因此 err := x - y 将不起作用。如果你想要一组值,可以把 walk 调用包装在一个集合推导式中,以得到包含所有值的集合:
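# ses_missing_dkim: reports a DKIM resource whose values.domain differs from the
# values.domain of an aws_ses_domain_identity resource in the same plan.
# The comprehensions turn the (string) walk() results into sets so that `-` is
# a set difference; an absent path simply yields an empty set.
ses_missing_dkim[msg] {
	a := aws_ses_dkim[_]
	e := aws_ses_domain[_]
	xs := {x | walk(a, [["values", "domain"], x])}
	ys := {y | walk(e, [["values", "domain"], y])}
	err := xs - ys
	err != set()
	# Give sprintf one verb per argument; otherwise the arguments are not
	# interpolated and show up as a trailing "%!(EXTRA ...)" in the message.
	msg := sprintf("Placeholder error: %v (%s, %s)", [err, a.address, e.address])
}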
这里你可能不需要 walk,因为这些值总是位于已知的路径上。