I'm trying to have a policy pass if a value in `input_set` matches a value in `allow_values`.

The policy example below is also here if you'd like to modify it more easily: https://play.openpolicyagent.org/

I'm sure that I'm not understanding the use of `some`, but at this point I'm just a bit too turned around, and there is probably a better way to have a check like this.

```
package sometesting
import future.keywords

# Check these values against `allow_values`
input_set := {"b-phone", "a-pad", "a-car"}

# If these values are in the set - don't fail the policy
allow_values := {"b-phone", "a-pad"}

# I can check the values individually like below
policy_1[result] {

    not "b-phone" in input_set
    not "a-pad" in input_set

    true

    result := "policy_failed"
}

# However when I try to use some, it doesn't seem to pass the policy when they match
policy_2[result] {

    some value in input_set
    not value in allow_values
    # I thought this should return : 
    # true
    # false
    # false

    true

    result := "policy_failed"
}

# I was expecting it to essentially end up like this and fail if one item in the some statement was false, however I seem to be a bit confused on this.
policy_3[result] {

    true
    false
    false

    true

    result := "policy_failed"
}
```

EDIT

I think this will work ( I don't have enough rep to add the answer )

```
policy_2[result] {

    in_allowed_values

    true

    result := "policy_failed"
}

# false when some allowed value contains some input value as a substring, true otherwise
in_allowed_values := false {
    contains(allow_values[_], input_set[_])
} else = true
```

1 Answer

I think that set intersection would be the best way to do this:

```
package sometesting

import future.keywords

input_set := {"b-phone", "a-pad", "a-car"}

allow_values := {"b-phone", "a-pad"}

policy contains result if {
    input_set & allow_values == set()

    result := "policy_failed"
}
```

Here we test if the input set and the allow_values have any elements in common by computing the intersection. If this set of common elements is empty, then it's a policy violation.
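
The different readings of this check side by side, as an added example that is not part of the original question or answer. It contrasts the answer's intersection test with what `policy_2` actually expresses and with the `contains` variant from the EDIT; the package name, the helper function names and the `"pad"` input are assumptions made for illustration.

```rego
package sometesting_example

import future.keywords

# Same allow-list as on the page.
allow_values := {"b-phone", "a-pad"}

# Reading 1 (the answer): fail when NO input value is allowed.
none_allowed(input_set) if input_set & allow_values == set()

# Reading 2 (what policy_2 expresses): `some` is existential, so the body
# succeeds as soon as ONE input value is missing from allow_values.
any_disallowed_some(input_set) if {
    some value in input_set
    not value in allow_values
}

# Reading 2 without iteration: the set difference is non-empty.
any_disallowed(input_set) if input_set - allow_values != set()

# The contains() variant from the EDIT: contains(haystack, needle) is a
# substring test on strings, not set membership.
substring_match(input_set) if {
    some allowed in allow_values
    some value in input_set
    contains(allowed, value)
}

test_page_input if {
    s := {"b-phone", "a-pad", "a-car"}
    not none_allowed(s)    # two values are allowed
    any_disallowed_some(s) # "a-car" alone makes this fire
    any_disallowed(s)
}

test_only_allowed_values if {
    s := {"b-phone"}
    not none_allowed(s)
    not any_disallowed_some(s)
    not any_disallowed(s)
}

test_substring_is_not_membership if {
    s := {"pad"}       # constructed input: not in allow_values
    none_allowed(s)    # exact membership rejects it
    substring_match(s) # but "a-pad" contains "pad", so this matches
}
```

Saved to a `.rego` file, the three `test_` rules run with `opa test`. The last one shows why an allow-list check should use set membership or intersection rather than a substring match.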

4 Comments

Thanks! Is there any benefit to doing it this way as opposed to the way I figured out? (that may or may not work with more testing...) `contains(allow_values[_], input_set[_])`
I'd expect that set intersection should be more performant but I don't have the data to hand. It'd also count as more idiomatic. foo[_] style is discouraged, for example: docs.styra.com/regal/rules/idiomatic/use-in-operator
I appreciate the help here and I've created a separate question that's a bit more refined as to what I'm trying to accomplish. stackoverflow.com/questions/78162514/… If you have time I'd really appreciate a quick review of that. I have a 'working' solution but it's probably done in a rough way.
Hey, I am out for the rest of the week. You might want to try this one in the OPA slack! slack.openpolicyagent.org
