1

在阅读了几次 Open Policy Agent 介绍文档之后,我在编写一条规则时遇到了麻烦,该规则断言对于集合中的每个元素,指定的对象都有一个关联的键。

这是我目前正在尝试的一个简化示例

https://play.openpolicyagent.org/p/oWBumjRkWX

package example

my_object = {
  "lemon": ""
}

fruits = {
  "orange",
  "lemon",
  "banana"
}

has_key(x, k) { _ = x[k] }

default has_lemon = false
has_lemon = has_key(my_object, "lemon") # this works as you'd expect

default all_fruits_have_entries_in_my_object = false
all_fruits_have_entries_in_my_object { # this is never false for some reason
  some fruit
  fruits[fruit]
  has_key(my_object, fruit) # each fruit have a key in the my_object object
}

据我了解,当不包含该元素并且我已经测试它是否有效has_lemon时应该是错误的。但是,我也认为该规则应该评估到这里,因为缺少and的键。我在这里做傻事吗?fruits"lemon"all_fruits_have_entries_in_my_objectfalsemy_object"orange""banana"

4

1 回答 1

3

Rego是存在量化的。这意味着声明规则以检查是否存在作为对象键的某些水果。

解决问题的一种方法:您可以首先使用推导收集所有意外的键,然后计算结果:

package example

my_object = {
  "lemon": ""
}

fruits = {
  "orange",
  "lemon",
  "banana"
}

has_key(x, k) { _ = x[k] }

default has_lemon = false
has_lemon = has_key(my_object, "lemon") # this works as you'd expect

default all_fruits_have_entries_in_my_object = false
all_fruits_have_entries_in_my_object { # this is never false for some reason
  non_fruit_keys := { key | my_object[key]; !fruits[key] }
  count(non_fruit_keys) > 0
}

您可以在Rego Playground中评估此示例。

另请参阅有关Rego 中的 Universal Quantification的文档

于 2021-01-07T16:52:04.563 回答