
Maggie Walker

09/15/2022, 1:44 PM
Is it possible to do wildcard matching in CEL? e.g.:
```
R.attr.account_id in P.attr.tenants.*.subaccount_ids
```
assuming there were two objects with:
```
P.attr.tenants.3.subaccount_ids
P.attr.tenants.5.subaccount_ids
```

Charith (Cerbos)

09/15/2022, 1:48 PM
No, there's no wildcard operator. However, if `tenants` is a list, you could use `exists` to iterate through the list until it finds a match.

Maggie Walker

09/15/2022, 1:49 PM
unfortunately tenants is an object, with nested objects that may or may not have a `subaccounts_id` field, for example:
```python
Ginger = Principal(
    id="Ginger",
    roles={"user"},
    attr={
        "type": "human",
        "apps": ["Content"],
        "tenants": {
            "3": {
                "account_id": "3",
                "subaccount_ids": ["31", "32"],
                "attachments": {
                    "Label_administrator": {
                        "role": "Label_administrator",
                        "content_types": ["digital_audio"]
                    }
                }
            }
        }
    }
)
```
or
```python
Colin = Principal(
    id="Colin",
    roles={"user"},
    attr={
        "type": "human",
        "apps": ["Content"],
        "tenants": {
            "31": {
                "account_id": "31",
                "attachments": {
                    "Label_user": {
                        "role": "Label_user",
                        "content_types": ["digital_audio"]
                    }
                }
            }
        }
    }
)
```
although we are playing with the shape of the data, so this may not be the final shape

Charith (Cerbos)

09/15/2022, 1:50 PM
I think you could still use `exists`. It should work with objects too. I have to double check that.

Maggie Walker

09/15/2022, 1:54 PM
something like this?
```
my_obj.tenants.exists(x, x.matches("subaccount_ids"))
```
I think this won't work because it needs to go a level deeper

Charith (Cerbos)

09/15/2022, 1:56 PM
```
:let tenants = {"3": {"subaccounts": [31, 32]}, "4": {"accounts": [4]}}
tenants.exists(t, 31 in tenants[t].subaccounts)
_ = true
```

Maggie Walker

09/15/2022, 1:57 PM
ahhhh

Charith (Cerbos)

09/15/2022, 1:58 PM
So `my_obj.tenants.exists(x, my_obj.tenants[x].matches("subaccount_ids"))` perhaps (untested)

Luis Diaz

09/15/2022, 1:58 PM
@Charith (Cerbos) can this continue to nest? If `tenants[x]` is an object I can perform an exist in it as well?

Charith (Cerbos)

09/15/2022, 1:59 PM
Yes, I think you can. It would be quite difficult to read though 🙂

Maggie Walker

09/15/2022, 1:59 PM
I like your solution - thanks!

Luis Diaz

09/15/2022, 2:00 PM
> It would be quite difficult to read though

That's what I'm known for! Presumably you could assign it to a variable though, then it becomes more manageable?

Charith (Cerbos)

09/15/2022, 2:00 PM
If you mean policy variables, absolutely.