I am new to OPA and rego files. I have created a rego file like this:

package sample.access
import data.myaccess

default allow = false
allow = true {
    myaccess.is_user_allowed(input.user)
}

And I have created a test rego file like this:

package sample.access

test_allow_positive{
    allow with input as {
        "user": "user1"
    } with data.myaccess as {
        {
            {"user": "user1"},
            {"user": "user2"}
        }
            
    }
}

When I run this test case, I get an error like "rego_type_error: undefined function data.myaccess.is_user_allowed". Help me resolve this issue. Thanks

1 Answer

I think this is what you are trying to do:

Create a rule, allow, that returns true if input.user comes from a set of users passed in at invocation time. For that, you can use the following rule:

package sample.access

allow {
    data.allowed[input.user]
}

The corresponding unit tests:

package sample.access

test_allow {
    allow with input as {
        "user": "user1"
    } with data.allowed as {"user1", "user2"}
}

test_deny {
    not allow with input as {
        "user": "user3"
    } with data.allowed as {"user1", "user2"}
}

Note that you don't need to explicitly import parameters that will be passed at runtime.

If your input data needs to be in the form of a list of {"user": "id"}, then you should use a set comprehension:

package sample.access

allow {
    is_user_allowed = {user | user = data.allowed[_].user}

    is_user_allowed[input.user]
}

Then, your unit tests need to be modified as follows:

package sample.access

test_allow {
    allow with input as {
        "user": "user1"
    } with data.allowed as {
        {"user": "user1"},
        {"user": "user2"}
    }
}

test_deny {
    not allow with input as {
        "user": "user3"
    } with data.allowed as {
         {"user": "user1"},
         {"user": "user2"}
    }
}

answered 2021-05-11T19:32:52.270
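
An added example, not part of the original question or answer, written in the same Rego syntax as the rules above: it keeps the question's function-call layout and its `default allow = false`, defines `is_user_allowed` in the same package so the call resolves, and tests the fail-closed cases. The helper body, `mock_allowed`, and the test names are assumptions made for illustration.

```rego
package sample.access

# Deny by default: allow is false, not undefined, when no rule body matches.
default allow = false

allow {
    is_user_allowed(input.user)
}

# Hypothetical helper (not from the original post). A function has to be
# defined by a rule in a policy file; `with ... as {...}` replaces input or
# data documents, it does not create a function that was never defined.
is_user_allowed(user) {
    data.allowed[_].user == user
}

# Constructed sample data in the list-of-objects shape.
mock_allowed = [{"user": "user1"}, {"user": "user2"}]

test_allow_listed_user {
    allow with input as {"user": "user1"} with data.allowed as mock_allowed
}

test_deny_unlisted_user {
    not allow with input as {"user": "user3"} with data.allowed as mock_allowed
}

# Fail closed: a request without a user field must not be allowed.
test_deny_missing_user {
    not allow with input as {} with data.allowed as mock_allowed
}

# Fail closed: an empty allow list must not allow anyone.
test_deny_empty_allow_list {
    not allow with input as {"user": "user1"} with data.allowed as []
}

# The default makes the decision an explicit false rather than undefined,
# which matters to callers that read the decision value directly.
test_default_is_false {
    allow == false with input as {"user": "user3"} with data.allowed as mock_allowed
}
```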