I have the following Rego policy:

package authz

import future.keywords.in

# The permissions the user has for each property
permissions[property_id][permission] {
    some property_id, property_roles in input.subject.property_roles
    some permission, roles in data.common.permissions_roles
    property_roles == roles
}

The following input:

{
    "subject": {
        "property_roles": {
            "K1": [
                "R1"
            ]
        }
    }
}

and the following data:

{
    "common": {
        "permissions_roles": {
            "property.create": [
                "R0"
            ],
            "service.read": [
                "R1"
            ],
            "service.modify": [
                "R1"
            ]
        }
    }
}

The playground can be found here.

The goal is to build a dictionary with a string as a key and an array of strings as value, something like:

{
    "permissions": {
        "K1": ["service.modify", "service.read"]
    }
}

So far, I can get this:

{
    "permissions": {
        "K1": {
            "service.modify": true,
            "service.read": true
        }
    }
}

I also tried to use permissions[property_id] = [permission] which is what I would have expected to do, but then I get the following error:

policy.rego:6: eval_conflict_error: object keys must be unique

I hope somebody can suggest a better way to achieve the goal!

1 Answer

You can achieve the desired output by importing the future.keywords.contains and then changing the rule header to use contains:

package authz

import future.keywords.contains
import future.keywords.in

# The permissions the user has for each property
permissions[property_id] contains permission {
    some property_id, property_roles in input.subject.property_roles
    some permission, roles in data.common.permissions_roles
    property_roles == roles
}

Some reference reading can be found here:

  • The error you encountered eval_conflict_error: object keys must be unique is documented here
  • Referenced documentation for solution is here (see Leaf entries can be partial sets in module example)
  • Rego playground ref
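
An added example, not part of the answer above or of the OPA documentation: a variant that returns a sorted array per property, the shape the question asked for, by collecting matches in a comprehension so that each key is assigned exactly once. The package name `authz_example`, the rule name `permissions_sorted` and the test are assumptions; the input and data are the ones from the question.

```rego
package authz_example

import future.keywords.if
import future.keywords.in

# One value per key: the comprehension gathers every matching permission
# for a property before the rule assigns, so the object key is written once.
# Assigning [permission] per match instead yields two different values for
# "K1", which is what raises eval_conflict_error.
permissions_sorted[property_id] := sort(perms) if {
    some property_id, property_roles in input.subject.property_roles
    perms := [permission |
        some permission, roles in data.common.permissions_roles
        property_roles == roles # exact list equality, as in the question
    ]
    count(perms) > 0 # omit properties with no permissions instead of emitting []
}

# Run with `opa test`; input and data are the ones from the question.
test_permissions_sorted if {
    result := permissions_sorted with input as {"subject": {"property_roles": {"K1": ["R1"]}}}
        with data.common.permissions_roles as {
            "property.create": ["R0"],
            "service.read": ["R1"],
            "service.modify": ["R1"],
        }
    result == {"K1": ["service.modify", "service.read"]}
}
```

The `contains` form produces a set, whose element order in JSON output is not guaranteed; `sort` makes the result deterministic for callers that compare or cache authorization decisions.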