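Is there a way to test the value of a key/attribute in the JSON response of a decision returned by OPA? The response returned is not a yes/no but a JSON object with the key allow, which dictates the decision. For example:

    test_get_user_allowed_for_admin {
        decision["allow"] with input as {"path": ["users", "kate"], "method": "GET", "user_id": "bob"}
    }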
Assume the policy being evaluated takes the following form:

    get_user_info = decision {
        decision := {
            "allow": input.user_id == "bob",
            "user_id": input.user_id,
        }
    }
Currently I get a var decision is unsafe error, because decision is not defined in test_get_user_allowed_for_admin, but that is just a filler.

Your tests can check the value generated by the rule get_user_info just like any other value (e.g., input, local variables, etc.).

For example:

    test_get_user_allowed_for_admin {
        in := {
            "path": ["users", "kate"],
            "method": "GET",
            "user_id": "bob"
        }
        result := get_user_info with input as in
        result.allow == true
        result.user_id == "bob"
    }

    # OR

    test_get_user_allowed_for_admin_alt {
        in := {
            "path": ["users", "kate"],
            "method": "GET",
            "user_id": "bob"
        }
        result := get_user_info with input as in
        result == {"allow": true, "user_id": "bob"}
    }

Technically, you do not have to assign the value generated by get_user_info to a variable:

    test_get_user_allowed_for_admin_oneline {
        in := {
            "path": ["users", "kate"],
            "method": "GET",
            "user_id": "bob"
        }
        get_user_info.allow with input as in
    }
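
An added example, not part of the original question or answer: the question's policy restated in rego.v1 syntax, with tests for the deny path and for a request that lacks user_id, where the decision is undefined rather than false. The package name example, the request constants and the user eve are assumptions made for the illustration; the file is meant to be run with opa test.

```rego
package example

import rego.v1

# Policy from the question, restated in rego.v1 syntax.
get_user_info := decision if {
	decision := {
		"allow": input.user_id == "bob",
		"user_id": input.user_id,
	}
}

# Constructed sample inputs (hypothetical requests, not from the page).
bob_request := {"path": ["users", "kate"], "method": "GET", "user_id": "bob"}
eve_request := {"path": ["users", "kate"], "method": "GET", "user_id": "eve"}
anonymous_request := {"path": ["users", "kate"], "method": "GET"}

# Allow path: compare the whole decision object.
test_bob_allowed if {
	result := get_user_info with input as bob_request
	result == {"allow": true, "user_id": "bob"}
}

# Deny path: assert the explicit false value, so the test only passes
# when the policy actually produced a decision for this user.
test_eve_denied if {
	result := get_user_info with input as eve_request
	result.allow == false
	result.user_id == "eve"
}

# Missing user_id: input.user_id is undefined, so the rule yields no
# decision object at all instead of {"allow": false, ...}.
test_missing_user_id_is_undefined if {
	not get_user_info with input as anonymous_request
}

# Caveat: `not ... .allow` passes for both an explicit false and an
# undefined decision, so it cannot tell a deny from a failed evaluation.
test_not_allow_hides_undefined if {
	not get_user_info.allow with input as eve_request
	not get_user_info.allow with input as anonymous_request
}
```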