
OPA/Rego execute function for each element of an array

I am new to OPA/Rego, and I am trying to write a policy that checks whether an Azure Network Security Group contains all of the rules I defined in an array.

package sample

default compliant = false

# Turn an array into a set so the lists can be compared with set difference.
toSet(arr) = {x | x := arr[_]}

# True when securityRules[index] has the same singular value as the expected
# rule and no entry in its plural list that is absent from the expected list.
checkProperty(rule, index, propertySingular, propertyPlural) = true {
    object.get(input.properties.securityRules[index].properties, propertySingular, "") == object.get(rule, propertySingular, "")
    count(toSet(object.get(input.properties.securityRules[index].properties, propertyPlural, [])) - toSet(object.get(rule, propertyPlural, []))) == 0
}

# True when some securityRules[i] matches the expected rule on every field
# (i is shared by all expressions in the body, so it is the same entry).
existRule(rule) = true {
    input.properties.securityRules[i].name == rule.name
    input.properties.securityRules[i].properties.provisioningState == rule.provisioningState
    input.properties.securityRules[i].properties.description == rule.description
    input.properties.securityRules[i].properties.protocol == rule.protocol
    checkProperty(rule, i, "sourcePortRange", "sourcePortRanges")
    checkProperty(rule, i, "destinationPortRange", "destinationPortRanges")
    checkProperty(rule, i, "sourceAddressPrefix", "sourceAddressPrefixes")
    checkProperty(rule, i, "destinationAddressPrefix", "destinationAddressPrefixes")
    input.properties.securityRules[i].properties.access == rule.access
    input.properties.securityRules[i].properties.priority == rule.priority
    input.properties.securityRules[i].properties.direction == rule.direction
}

compliant {
    rules := [
        {
            "name": "name1",
            "provisioningState": "Succeeded",
            "description": "description1",
            "protocol": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "53",
            "destinationAddressPrefix": "*",
            "access": "Allow",
            "priority": 1,
            "direction": "Inbound",
            "sourceAddressPrefixes": [
                "xx.xx.xx.xx",
                "xx.xx.xx.xx",
                "xx.xx.xx.xx"
            ]
        },
        {
            "name": "name2",
            "provisioningState": "Succeeded",
            "description": "description2",
            "protocol": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "54",
            "sourceAddressPrefix": "*",
            "access": "Allow",
            "priority": 2,
            "direction": "Outbound",
            "destinationAddressPrefixes": [
                "xx.xx.xx.xx",
                "xx.xx.xx.xx",
                "xx.xx.xx.xx"
            ]
        }
    ]
    #checks
    existRule(rules[i])
}

The problem seems to be that when existRule(rules[i]) is evaluated, it returns true as soon as one of the rules matches and does not take into account whether the other rules fail to match. If instead of existRule(rules[i]) I use existRule(rules[0]) or existRule(rules[1]), it returns true or false depending on whether the rule at that position matches.

Is there any way to get the result of evaluating existRule(rules[i]) for all the elements of the array?

I have already tried result := [existRule(rules[i])], but it only returns a single element with true.

Sure, use a list comprehension and call the function inside it. Then compare the size of the result with the size you had before. For your example, you can replace existRule(rules[i]) with the following:

compliantRules := [rule | rule := rules[_]
                          existRule(rule)]

count(compliantRules) == count(rules)
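As an added example (not part of the question or the answer above), the following policy puts the two quantifiers side by side: any_rule_present reproduces the existential behaviour of existRule(rules[i]), compliant uses the comprehension-and-count pattern from the answer, and missing_rules shows the equivalent negation form, which also names what is absent. The package name, rule names, the required_rules list and the partial_nsg input are constructed for this example, and it uses the same pre-1.0 Rego syntax as the question (OPA 1.0 requires the if and contains keywords).

```rego
package nsg_rules

default compliant = false

# Constructed expected rules (only the properties compared here).
required_rules := [
    {"name": "dns-in", "protocol": "*", "destinationPortRange": "53", "access": "Allow", "priority": 100, "direction": "Inbound"},
    {"name": "ntp-out", "protocol": "Udp", "destinationPortRange": "123", "access": "Allow", "priority": 200, "direction": "Outbound"}
]

# Defined when SOME securityRules entry has the expected name and, for every
# other key of the expected rule, the same value (a missing key is a mismatch).
existRule(rule) {
    sr := input.properties.securityRules[_]
    sr.name == rule.name
    mismatched := {k | v := rule[k]; k != "name"; object.get(sr.properties, k, null) != v}
    count(mismatched) == 0
}

# What existRule(rules[i]) in the question expresses: the body is satisfied
# as soon as ANY required rule is present (existential over the index).
any_rule_present {
    existRule(required_rules[_])
}

# The answer's pattern: collect the rules that are present and demand that
# the count equals the number of required rules (ALL must be present).
compliant {
    present := [r | r := required_rules[_]; existRule(r)]
    count(present) == count(required_rules)
}

# The same universal check written as a negation, which additionally
# reports the names of the rules that are missing.
missing_rules[name] {
    r := required_rules[_]
    not existRule(r)
    name := r.name
}

# Constructed NSG fragment in which only the DNS rule is present.
partial_nsg := {"properties": {"securityRules": [
    {"name": "dns-in", "properties": {"protocol": "*", "destinationPortRange": "53", "access": "Allow", "priority": 100, "direction": "Inbound"}}
]}}

test_any_versus_all {
    any_rule_present with input as partial_nsg
    not compliant with input as partial_nsg
    missing_rules == {"ntp-out"} with input as partial_nsg
}
```

Run it with opa test -v on a directory containing this file (on OPA 1.x, either enable v0 compatibility mode or add the if and contains keywords); the test passes because any_rule_present holds while compliant does not, which is exactly the discrepancy the question describes.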

