Where is the AND

[chippyash]

Very new to OPA, but hit my first stumbling block.

I am assuming as a declarative language based around truthiness then the last value emitted is the answer. However, I can't find an AND .

Consider this code, that nearly works:

default allow := false
allow if {
    # split the permission
    perm_parts := split(input.permission, ":")
    # parse the action
    action := perm_parts[2]
    # parse the resource
    resource := concat(":", array.slice(perm_parts,0,2))
    print("Query User:", input.user, "Resource:", resource, "Action:", action)
    # lookup the list of roles for the user
    roles := user_roles[input.user]
    # for each role in that list
    r := roles[_]
        print("Checking Role:", r)
        # lookup the permissions list for role r
        permissions := role_permissions[r]
        # for each permission
        p := permissions[_]
            # check if the permission granted to r matches the user's request
            print("Evaluating:", p)
            bits.and(to_number(glob.match(p.resource, [], resource)), to_number(glob.match(p.action, [], action)))
            # p == {"action": action, "resource": resource}
}

I have to go through machinations (despite the globbing not working, subject of another call for help!)

What I'd like to be able to write is something similar to

glob.match(p.resource, [], resource) AND glob.match(p.action, [], action)

or

glob.match(p.resource, [], resource) && (glob.match(p.action, [], action)

but it appears that logical operators are not supported. Or is there some incantation I can use?

Kind regards
Ashley

[charlieegan3]

How about something like this:

https://play.openpolicyagent.org/p/jN8d4Qocvq

The code isn't ideal, but I didn't want to change it beyond recognition.

package play

import rego.v1

default allow := false

user_roles := {"charlie": ["admin"]}

role_permissions := {"admin": [{"action": "read", "resource": "foo:bar"}]}

allow if {
	# split the permission
	perm_parts := split(input.permission, ":")

	# parse the action
	action := perm_parts[2]

	# parse the resource
	resource := concat(":", array.slice(perm_parts, 0, 2))
	print("Query User:", input.user, "Resource:", resource, "Action:", action)

	# lookup the list of roles for the user
	roles := user_roles[input.user]

	# for each role in that list
	some r in roles
	print("Checking Role:", r)

	# lookup the permissions list for role r
	permissions := role_permissions[r]

	# for each permission
	some p in permissions

	# check if the permission granted to r matches the user's request
	print("Evaluating:", p)

	glob.match(p.resource, [":"], resource)

	glob.match(p.action, [":"], action)
}

In rego, each new line is like an AND. So in this simple example

allow if {
  input.user.admin == true
  input.user.age > 18
}

This means the user is over 18 and they are an admin.

[anderseknert]

Adding to what Charlie said, this blog on how to express OR (which I'm sure you'll run into next 😄) starts out with an explanation of AND https://www.styra.com/blog/how-to-express-or-in-rego/

[anderseknert]

And by the way, welcome to the OPA community! Good to have you here 😃

[chippyash]

Thanks @anderseknert and @charlieegan3 . I'll take a look into this. Am I clear?

the statements :

	glob.match(p.resource, [":"], resource)

	glob.match(p.action, [":"], action)

effectively implies an AND

It's been a while since I did declarative!

Cheers chaps.

[charlieegan3]

Yeah that's correct. You can read a line between each line in a rule.

e.g.

allow if {
  true
  # and
  false
}

# or between rules.

allow if {
  true
  # and
  true
}

This case, allow is true because of the second rule. tl;dr, and inside the rule, or between the different rule heads.