Is it possible to do wildcard matching in CEL e g ```R attr Cerbos Community #help

Is it possible to do wildcard matching in CEL? e.g...

Maggie Walker

09/15/2022, 1:44 PM

Is it possible to do wildcard matching in CEL? e.g:

Copy code

R.attr.account_id in P.attr.tenants.*.subaccount_ids

assuming there were two objects with:

Copy code

P.attr.tenants.3.subaccount_ids
P.attr.tenants.5.subaccount_ids

Charith (Cerbos)

09/15/2022, 1:48 PM

No, there's no wildcard operator. However, if

tenants

is a list, you could use

exists

to iterate through the list until it finds a match.

Maggie Walker

09/15/2022, 1:49 PM

unfortunately tenants is an object, with nested objects that may or may not have a

subaccounts_id

field, for example:

Copy code

Ginger = Principal(
    id="Ginger",
    roles={"user"},
    attr={
        "type": "human",
        "apps": ["Content"],
        "tenants": {
            "3": {
                "account_id": "3",
                "subaccount_ids": ["31", "32"],
                "attachments": {
                    "Label_administrator": {
                        "role": "Label_administrator",
                        "content_types": ["digital_audio"]
                    }
                }
            }
        }
    }
)

Maggie Walker

09/15/2022, 1:49 PM

Copy code

Colin = Principal(
    id="Colin",
    roles={"user"},
    attr={
        "type": "human",
        "apps": ["Content"],
        "tenants": {
            "31": {
                "account_id": "31",
                "attachments": {
                    "Label_user": {
                        "role": "Label_user",
                        "content_types": ["digital_audio"]
                    }
                }
            }
        }
    }
)

Maggie Walker

09/15/2022, 1:50 PM

although we are playing with the shape of the data, so this may not be the final shape

Charith (Cerbos)

09/15/2022, 1:50 PM

I think you could still use

exists

it should work with objects too. I have to double check that.

Maggie Walker

09/15/2022, 1:54 PM

something like this?

Copy code

my_obj.tenants.exists(x, x.matches("subaccount_ids"))

Maggie Walker

09/15/2022, 1:56 PM

I think this won't work because it needs to go a level deeper

Charith (Cerbos)

09/15/2022, 1:56 PM

Copy code

:let tenants = {"3": {"subaccounts": [31, 32]}, "4": {"accounts": [4]}}
tenants.exists(t, 31 in tenants[t].subaccounts)
_ = true

Maggie Walker

09/15/2022, 1:57 PM

ahhhh

Charith (Cerbos)

09/15/2022, 1:58 PM

my_obj.tenants.exists(x, my_obj.tenants[x].matches("subaccount_ids"))

perhaps (untested)

Luis Diaz

09/15/2022, 1:58 PM

@Charith (Cerbos) can this continue to nest? If

tenants[x]

is an object I can perform an exist in it as well?

Charith (Cerbos)

09/15/2022, 1:59 PM

Yes, I think you can. It would be quite difficult to read though 🙂

Maggie Walker

09/15/2022, 1:59 PM

I like your solution- thanks!

Luis Diaz

09/15/2022, 2:00 PM

It would be quite difficult to read though

That’s what I’m known for! Presumably you could assign it to a variable though, then it becomes more manageable?

Charith (Cerbos)

09/15/2022, 2:00 PM

If you mean policy variables, absolutely.

3 Views

Open in Slack

Previous Next