问题描述
在阅读了几次 Open Policy Agent 介绍文档后,我在编写规则时遇到了麻烦,该规则断言对于集合中的每个元素,指定的对象都有一个关联的键。
这是我目前正在尝试的一个简化示例
https://play.openpolicyagent.org/p/oWBumjRkWX
package example
my_object = {
"lemon": ""
}
fruits = {
"orange","lemon","banana"
}
has_key(x,k) { _ = x[k] }
default has_lemon = false
has_lemon = has_key(my_object,"lemon") # this works as you'd expect
default all_fruits_have_entries_in_my_object = false
all_fruits_have_entries_in_my_object { # this is never false for some reason
some fruit
fruits[fruit]
has_key(my_object,fruit) # each fruit have a key in the my_object object
}
据我所知,当 has_lemon 不包含 fruits 元素时,"lemon" 应该是假的,并且我已经测试过这是有效的。但是,我还认为 all_fruits_have_entries_in_my_object 规则应该在这里评估为 false,因为 my_object 缺少 "orange" 和 "banana" 的键。我是不是在做傻事?
解决方法
Rego 是存在量化的。这意味着规则被声明为检查是否存在作为对象键的一些水果。
解决问题的一种方法:可以先使用推导式收集所有意外的键,然后计算结果:
package example
my_object = {
"lemon": ""
}
fruits = {
"orange","lemon","banana"
}
has_key(x,k) { _ = x[k] }
default has_lemon = false
has_lemon = has_key(my_object,"lemon") # this works as you'd expect
default all_fruits_have_entries_in_my_object = false
all_fruits_have_entries_in_my_object { # this is never false for some reason
non_fruit_keys := { key | my_object[key]; !fruits[key] }
count(non_fruit_keys) > 0
}
您可以在 Rego Playground 中评估此示例。
的文档