2

I just started to use OPA, so there is a high chance I'm doing something wrong.

I have the following input:

{
  "request": {
    "principalId": "user1",
    "scope": "/workspaces/1/environments/dev/deployments/123",
    "requiredPermissions": [
      "Deployments.ReadWrite",
      "Foo.Bar"
    ]
  }
}

I want to make sure, the user has all requiredPermissions. I already have the required variable:

#// this is opa/rego value

"principal_roles_at_requested_scope": [
              "Deployments.Read",
              "Deployments.ReadWrite",
              "WorkspaceEnvironments.Read",
              "Workspaces.Read"
            ]

This should set allow to false, as Foo.Bar is not in the principal_roles_at_requested_scope set, but it gets evaluated to true:

allow {
    some i
    input.request.requiredPermissions[i] in principal_roles_at_requested_scope
}

This on the other hand works, but can't be used obviously:

allow {
    input.request.requiredPermissions[0] in principal_roles_at_requested_scope
    input.request.requiredPermissions[1] in principal_roles_at_requested_scope
}
tiwood
  • 41
  • 5

1 Answers1

2

OK,

thanks to this this I've figured it out.

That's how solved it:

any_missing_permissions {
    some v in input.request.requiredPermissions
    not v in principal_roles_at_requested_scope
}

allow {
    #// Each permission required in the request has to be available
    #// at the requested scope
    not any_missing_permissions
}
tiwood
  • 41
  • 5
  • 1
    Nice! The next version of OPA will feature an "every" keyword that will simplify this type of check :) – Devoops Jan 21 '22 at 22:19