    Maggie Walker

    1 week ago
    Is it possible to do wildcard matching in CEL? e.g:
    R.attr.account_id in P.attr.tenants.*.subaccount_ids
    assuming there were two objects with:
    P.attr.tenants.3.subaccount_ids
    P.attr.tenants.5.subaccount_ids
    Charith (Cerbos)

    1 week ago
    No, there's no wildcard operator. However, if tenants is a list, you could use exists to iterate through the list until it finds a match.
    Maggie Walker

    1 week ago
    unfortunately tenants is an object, with nested objects that may or may not have a subaccounts_id field, for example:
    Ginger = Principal(
        id="Ginger",
        roles={"user"},
        attr={
            "type": "human",
            "apps": ["Content"],
            "tenants": {
                "3": {
                    "account_id": "3",
                    "subaccount_ids": ["31", "32"],
                    "attachments": {
                        "Label_administrator": {
                            "role": "Label_administrator",
                            "content_types": ["digital_audio"]
                        }
                    }
                }
            }
        }
    )
    or
    Colin = Principal(
        id="Colin",
        roles={"user"},
        attr={
            "type": "human",
            "apps": ["Content"],
            "tenants": {
                "31": {
                    "account_id": "31",
                    "attachments": {
                        "Label_user": {
                            "role": "Label_user",
                            "content_types": ["digital_audio"]
                        }
                    }
                }
            }
        }
    )
    although we are playing with the shape of the data, so this may not be the final shape
    Charith (Cerbos)

    1 week ago
    I think you could still use exists; it should work with objects too. I have to double check that.
    Maggie Walker

    1 week ago
    something like this?
    my_obj.tenants.exists(x, x.matches("subaccount_ids"))
    I think this won't work because it needs to go a level deeper
    Charith (Cerbos)

    1 week ago
    :let tenants = {"3": {"subaccounts": [31, 32]}, "4": {"accounts": [4]}}
    tenants.exists(t, 31 in tenants[t].subaccounts)
    _ = true
    Maggie Walker

    1 week ago
    ahhhh
    Charith (Cerbos)

    1 week ago
    So
    my_obj.tenants.exists(x, my_obj.tenants[x].matches("subaccount_ids"))
    perhaps (untested)
    Luis Diaz

    1 week ago
    @Charith (Cerbos) can this continue to nest? If tenants[x] is an object I can perform an exist in it as well?
    Charith (Cerbos)

    1 week ago
    Yes, I think you can. It would be quite difficult to read though 🙂
    Maggie Walker

    1 week ago
    I like your solution- thanks!
    Luis Diaz

    1 week ago
    > It would be quite difficult to read though
    That’s what I’m known for! Presumably you could assign it to a variable though, then it becomes more manageable?
    Charith (Cerbos)

    1 week ago
    If you mean policy variables, absolutely.