I'm trying to have a policy pass if a value in input_set matches a value in allow_values.
The below policy example is also here if you'd like to modify it easier - https://play.openpolicyagent.org/
I'm sure that I'm not understanding the use of some, but at this point I'm just a bit too turned around and there is probably a better way to have a check like this.
package sometesting

import future.keywords

# Check these values against `allow_values`
input_set := {"b-phone", "a-pad", "a-car"}

# If these values are in the set - don't fail the policy
allow_values := {"b-phone", "a-pad"}

# I can check the values individually like below
policy_1[result] {
    not "b-phone" in input_set
    not "a-pad" in input_set
    true
    result := "policy_failed"
}

# However when I try to use some, it doesn't seem to pass the policy when they match
policy_2[result] {
    some value in input_set
    not value in allow_values
    # I thought this should return :
    # true
    # false
    # false
    true
    result := "policy_failed"
}

# I was expecting it to essentially end up like this and fail if one item in the some statement was false, however I seem to be a bit confused on this.
policy_3[result] {
    true
    false
    false
    true
    result := "policy_failed"
}
I think this will work (I don't have enough rep to add the answer):

policy_2[result] {
    in_allowed_values
    true
    result := "policy_failed"
}

# `input_set` is the set defined in the question's policy
in_allowed_values := false {
    contains(allow_values[_], input_set[_])
} else = true
I think that set intersection would be the best way to do this:
package sometesting

import future.keywords

input_set := {"b-phone", "a-pad", "a-car"}

allow_values := {"b-phone", "a-pad"}

policy contains result if {
    input_set & allow_values == set()
    result := "policy_failed"
}
Here we test if the input set and the allow_values have any elements in common by computing the intersection. If this set of common elements is empty, then it's a policy violation.
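
As an added example (not part of the original question or answer), the policy below puts the intersection check next to the question's `some ... not ... in` form and an `every` form, with unit tests showing how each treats the question's mixed set. The package name, the function names and the test inputs are assumptions made for illustration; note that the intersection check accepts a set containing `a-car` as long as one other value is allowed.

```rego
package sometesting_example

import future.keywords

allow_values := {"b-phone", "a-pad"}

# A (the answer above): violation only when NO input value is allowed.
none_allowed(values) if values & allow_values == set()

# B: the values outside the allow-list; any such value is a violation.
disallowed(values) := values - allow_values

# policy_2 from the question as a function. `some` is existential: the body
# succeeds once for each value that is not in allow_values.
policy_2(values) := {msg |
	some value in values
	not value in allow_values
	msg := sprintf("%s is not allowed", [value])
}

# B written with `every` (universal quantification).
all_allowed(values) if {
	every value in values {
		value in allow_values
	}
}

# Constructed input: the question's input_set.
test_mixed_set if {
	values := {"b-phone", "a-pad", "a-car"}
	not none_allowed(values) # A passes: something matches
	disallowed(values) == {"a-car"} # B fails: a-car is extra
	policy_2(values) == {"a-car is not allowed"}
	not all_allowed(values)
}

test_fully_allowed if {
	values := {"b-phone"}
	not none_allowed(values)
	disallowed(values) == set()
	all_allowed(values)
}

test_nothing_allowed if {
	values := {"a-car"}
	none_allowed(values)
	not all_allowed(values)
}
```

Saved to a file, the tests run with `opa test <file>`.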