v0.42.0
This release contains a number of fixes and enhancements.
New built-in function: object.subset
This function checks if a collection is a subset of another collection. It works on objects, sets, and arrays.
If both arguments are objects, then the operation is recursive, e.g. {"c": {"x": {10, 15, 20}}
is considered a subset of {"a": "b", "c": {"x": {10, 15, 20, 25}, "y": "z"}
.
See the built-in functions docs for all details
This implementation fixes #4358 and was authored by @charlesdaniels
.
New keywords: "contains" and "if"
These new keywords let you increase the expressiveness of your policy code:
Before
package authz
allow { not denied } # `denied` left out for presentation purposes
deny[msg] {
count(violations) > 0
msg := sprintf("there are %d violations", [count(violations)])
}
After
package authz
import future.keywords
allow if not denied # one expression only => no { ... } needed!
deny contains msg if {
count(violations) > 0
msg := sprintf("there are %d violations", [count(violations)])
}
Note that rule bodies containing only one expression can be abbreviated when using if
.
To use the new keywords, use import future.keywords.contains
and import future.keywords.if
; or import all of them at once via import future.keywords
. When these future imports are present, the pretty printer (opa fmt
) will introduce contains
and if
where applicable.
if
is allowed in all places to separate the rule head from the body, like
</tr></table>
... (truncated)