Rego 验证数组比较

Question

我是 Rego 的新人，我正在尝试编写策略以检查是否已在某些 Azure NSG 上创建了一组规则。

输入测试：

{
  "name": "<name>",
  "id": "<id>",
  "etag": "<etag>",
  "type": "<resourcetype>",
  "location": "<location>",
  "properties":
  {
    "provisioningState": "Succeeded",
    "resourceGuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "securityRules":
    [
      {
        "name": "<rule name>",
        "id": "<id>",
        "etag": "<etag",
        "type": "<type>",
        "properties":
        {
          "provisioningState": "Succeeded",
          "description": "....",
          "protocol": "*",
          "sourcePortRange": "*",
          "destinationPortRange": "53",
          "sourceAddressPrefix": "*",
          "access": "Allow",
          "priority": 1,
          "direction": "Outbound",
          "sourcePortRanges": [],
          "destinationPortRanges": [],
          "sourceAddressPrefixes": [],
          "destinationAddressPrefixes":
          [
            "10.0.0.1",
            "10.0.0.2",
            "10.0.0.3"
          ]
        }
      }
    ]
  {
}

我写了一个自定义函数来检查值。下面是我在 The Rego Playground

中测试的代码

existRule(rule) = true
{
    input.properties.securityRules[i].name == rule.name
    input.properties.securityRules[i].properties.provisioningState == rule.provisioningState
    input.properties.securityRules[i].properties.description == rule.description
    input.properties.securityRules[i].properties.protocol == rule.protocol
    input.properties.securityRules[i].properties.access == rule.access
    input.properties.securityRules[i].properties.priority == rule.priority
    input.properties.securityRules[i].properties.direction == rule.direction
}
rule = {
            "name": "name",
            "provisioningState": "Succeeded",
            "description": "description",
            "protocol": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "1",
            "sourceAddressPrefix": "*",
            "access": "Allow",
            "priority": 1,
            "direction": "Outbound",
            "destinationAddressPrefix": "",
            "sourcePortRanges": [],
            "destinationPortRanges": [],
            "sourceAddressPrefixes": [],
            "destinationAddressPrefixes": [
                "10.0.0.1",
                "10.0.0.2",
                "10.0.0.3",
                "10.0.0.4"
            ]
        }

rules
{
    existRule(rule)
}

适用于我在上面定义的属性，但是我在尝试比较数组时遇到问题，特别是在这个示例中 destinationAddressPrefixes 我尝试了以下方法：

test1 { input.properties.securityRules[i].properties.destinationAddressPrefixes == rule.destinationAddressPrefixes }

始终return为假

通过以下行，我可以根据特定 ip 检查输入中的一个目标地址，但是我无法将所有输入地址与示例中定义的规则地址进行比较

onerule {input.properties.securityRules[i].properties.destinationAddressPrefixes[_] == "10.0.0.1"}
test2 {input.properties.securityRules[i].properties.destinationAddressPrefixes[_] == rule.destinationAddressPrefixes[j]}
test3 {input.properties.securityRules[i].properties.destinationAddressPrefixes[j] == rule.destinationAddressPrefixes[k]}

test2 和 test3 始终 return 为真，即使输入中没有规则。我也试过和array difference

x := input.properties.securityRules[i].properties.destinationAddressPrefixes - rule.destinationAddressPrefixes

但我收到以下错误：

rego_type_error: minus: invalid argument(s) have: (any, array<string, string, string, string, string, string, string, string, string, string, string, string, string, string>, ???) want: (any<number, set[any]>, any<number, set[any]>, any<number, set[any]>)

你知道实现我想要的是否可行吗？或者是否有不同的方法来查看数组并逐个比较值？

Answer 1

rule3400.destinationAddressPrefixes 是什么样子的？

如果您想比较两个数组之间的精确相等性，== 就足够了。

如果已知所有元素都是唯一的并且顺序无关紧要（在您的示例中似乎就是这种情况），您可以使用 set comprehension 将数组转换为集合。这使得从一个集合中减去另一个集合成为可能，就像您尝试直接对数组做的那样。

to_set(arr) = {x | x := arr[_]}

input_prefixes := to_set(input.properties.securityRules[i].properties.destinationAddressPrefixes)

destination_prefixes := to_set(rule3400.destinationAddressPrefixes)

x := input_prefixes - destination_prefixes