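Is there a way to test the value of a key/attribute in the JSON response of a decision returned by OPA? (The response returned is not a yes/no, but a JSON document whose allow key determines the decision.) For example: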

test_get_user_allowed_for_admin {
        decision["allow"] with input as {"path": ["users", "kate"], "method": "GET", "user_id": "bob"}
}

Assume the policy being evaluated has the following form:

get_user_info = decision {
    decision := {
        "allow": input.user_id == "bob",
        "user_id": input.user_id,
    }
}

Currently I get a "var decision is unsafe" error, since decision is not defined in test_get_user_allowed_for_admin, but that is just a filler.

1 Answer

Your test can inspect the value generated by the get_user_info rule just like any other value (e.g., input, local variables, etc.).

For example:

test_get_user_allowed_for_admin {
  in := {
    "path": ["users", "kate"],
    "method": "GET",
    "user_id": "bob"
  }

  result := get_user_info with input as in
  result.allow == true
  result.user_id == "bob"
}

# OR

test_get_user_allowed_for_admin_alt {
  in := {
    "path": ["users", "kate"],
    "method": "GET",
    "user_id": "bob"
  }
  result := get_user_info with input as in
  result == {"allow": true, "user_id": "bob"}
}

Technically, you don't have to assign the value generated by get_user_info to a variable:

test_get_user_allowed_for_admin_oneline {
  in := {
    "path": ["users", "kate"],
    "method": "GET",
    "user_id": "bob"
  }
  get_user_info.allow with input as in
}

Answered 2019-12-01T17:58:07.260
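
An added example, not part of the answer above: the same technique applied to the deny paths, which an authorization test suite should cover as well. It restates the question's policy in `import rego.v1` syntax so it parses on current OPA releases. The package name `example` and the `eve_request` and `anonymous_request` inputs are constructed for illustration.

```rego
package example

import rego.v1

# Policy from the question, restated in rego.v1 syntax.
get_user_info := decision if {
    decision := {
        "allow": input.user_id == "bob",
        "user_id": input.user_id,
    }
}

# Constructed sample inputs.
bob_request := {"path": ["users", "kate"], "method": "GET", "user_id": "bob"}
eve_request := {"path": ["users", "kate"], "method": "GET", "user_id": "eve"}
anonymous_request := {"path": ["users", "kate"], "method": "GET"}

test_allow_for_bob if {
    result := get_user_info with input as bob_request
    result == {"allow": true, "user_id": "bob"}
}

# Explicit deny: the decision document exists and allow is exactly false.
test_deny_for_other_user if {
    result := get_user_info with input as eve_request
    result.allow == false
    result.user_id == "eve"
}

# Missing user_id: input.user_id is undefined, so the rule produces
# no decision document at all (undefined, not {"allow": false, ...}).
test_undefined_without_user_id if {
    not get_user_info with input as anonymous_request
}

# Pitfall: `not ... .allow` holds for an explicit false AND for an
# undefined decision, so it cannot tell the two cases apart.
test_not_allow_is_ambiguous if {
    not get_user_info.allow with input as eve_request
    not get_user_info.allow with input as anonymous_request
}
```

Run it with `opa test` on the file. Any caller that treats a missing decision differently from `"allow": false` should assert on the full document, as in the first three tests, rather than on `not ... .allow`.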