4

I want to use an OR operation to combine the following conditions:

  • the count of my arr is not equal to 0
  • my email does not contain "test.com"

Currently I am using the built-in function any():

any([count(arr) != 0, not contains(email, "test.com")])

However my rule is producing an error.

How can I achieve and improve this in one line?

hc_dev
  • 8,389
  • 1
  • 26
  • 38
jrchew
  • 205
  • 2
  • 9
  • See also the related [issue #3239](https://github.com/open-policy-agent/opa/issues/3239) which suggests alternatives to `any()`. – hc_dev Oct 19 '22 at 19:18

2 Answers2

8

More generally, Rego does not allow OR-ing statements in the same function. Using any() works well for simple cases, but can become unwieldy for complex ones so it is considered an antipattern.

Instead, Rego uses incremental rules, where every statement within each Rule is AND-ed together, and rules of the same name are OR-ed together.

Consider the following deny rule. In short, it says that we will deny the request if at least one of:

  1. The user is not an admin, or
  2. Today is Sunday.
deny {
    input.role != "admin"
}

deny {
    time.weekday(time.now_ns()) == "Sunday"
}

This would only allow requests to the admin role on days other than Sunday. If instead we said:

deny {
    input.role != "admin"
    time.weekday(time.now_ns()) == "Sunday"
}

We would then only deny requests from non-admin roles on Sunday. Requests from admin would always be allowed.

Will Beason
  • 3,417
  • 2
  • 28
  • 46
3

The not keyword is a bit of a special case in that it can't be used inside of many contexts such as the array of your example. I believe this could be improved in OPA, but until then you can trivially avoid it for at most cases, like the one you provided:

any([count(arr) != 0, contains(email, "test.com") == false])
Devoops
  • 2,018
  • 8
  • 21