Due to limitations, I am using if/else blocks within OPA. I am writing control rules where it will fail all conditions and pass the remaining. I have a list of extensions (objects) where each object represents one extension available on your device in the input data. I am trying to analyze whether two different extensions are available. The idea is: if `jamf.jamf_details.operatingSystem.extensionAttributes[_].name == "SW-agent-SYSX (co.systemextension)"`, then within the same object `jamf.jamf_details.operatingSystem.extensionAttributes[_].values` should NOT be empty to pass. The sample input below should reach the bottom of my Rego rule and pass, but it keeps returning fail.
Here is the sample input:
input.json

```json
{
  "jamf": {
    "isManaged": true,
    "jamf_details": {
      "operatingSystem": {
        "extensionAttributes": [
          {
            "values": [1, 2, 3, 4],
            "dataType": "STRING",
            "name": "SW-agent-SYSX (co.systemextension)",
            "options": [],
            "description": "Reports",
            "inputType": "SCRIPT",
            "multiValue": false,
            "enabled": true,
            "definitionId": "84"
          },
          {
            "dataType": "INTEGER",
            "values": [],
            "name": "OS-Uptime Days",
            "options": [],
            "description": "12345",
            "inputType": "SCRIPT",
            "multiValue": false,
            "enabled": true,
            "definitionId": "10"
          }
        ]
      }
    }
  },
  "asset": {
    "name": "Mac",
    "id": "190",
    "type": "workstation",
    "category": "infrastructure"
  },
  "user": {
    "roles": "Principal",
    "email": "test@test.co"
  }
}
```
Here is my Rego rule:

```rego
ccm_wks_jmf_2 = exception {
    input.exception
    exception := {eval_doc_xcloud("pass", data.control.ccm_wks_jmf_2, input)}
}

else := disallow {
    itema := input.jamf.jamf_details.operatingSystem.extensionAttributes[_]
    itema.name == "SW-agent-SYSX (co.systemextension)"
    a := itema.values
    count(a) < 1
    itemb := input.jamf.jamf_details.operatingSystem.extensionAttributes[_]
    itemb.name == "SW esensor-SYSX (com.systemextension)"
    b := itemb.values
    count(b) < 1
    input.jamf.isManaged == true
    input.user.email
    disallow := {eval_doc_xcloud("fail", data.control.ccm_wks_jmf_2, input)}
}

else := disallow {
    itema := input.jamf.jamf_details.operatingSystem.extensionAttributes[_]
    itema.name == "SW-agent-SYSX (co.systemextension)"
    a := itema.values
    count(a) < 1
    itemb := input.jamf.jamf_details.operatingSystem.extensionAttributes[_]
    itemb.name != "SW esensor-SYSX (com.systemextension)"
    input.jamf.isManaged == true
    input.user.email
    disallow := {eval_doc_xcloud("fail", data.control.ccm_wks_jmf_2, input)}
}

else := disallow {
    itemb := input.jamf.jamf_details.operatingSystem.extensionAttributes[_]
    itemb.name == "SW esensor-SYSX (com.systemextension)"
    b := itemb.values
    count(b) < 1
    itema := input.jamf.jamf_details.operatingSystem.extensionAttributes[_]
    itema.name != "SW-agent-SYSX (co.systemextension)"
    input.jamf.isManaged == true
    input.user.email
    disallow := {eval_doc_xcloud("fail", data.control.ccm_wks_jmf_2, input)}
}

else := disallow {
    itema := input.jamf.jamf_details.operatingSystem.extensionAttributes[_]
    itema.name != "SW-agent-SYSX (co.systemextension)"
    itemb := input.jamf.jamf_details.operatingSystem.extensionAttributes[_]
    itemb.name != "SW esensor-SYSX (com.systemextension)"
    input.jamf.isManaged == true
    input.user.email
    disallow := {eval_doc_xcloud("fail", data.control.ccm_wks_jmf_2, input)}
}

else := allow {
    allow := {eval_doc_xcloud("pass", data.control.ccm_wks_jmf_2, input)}
}
```
Any idea what I'm doing wrong?
In the sample input, I am expecting it to pass since the values array is not null and the extension name `SW-agent-SYSX (co.systemextension)` exists. You can see that I'm also looking for the possibility of another extension. Same idea: where either extension exists, its values should not be empty to pass.
Passing input:

```json
"extensionAttributes": [
  {
    "values": [1, 2, 3, 4],
    "dataType": "STRING",
    "name": "SW-agent-SYSX (co.systemextension)",
```

Failing input:

```json
"extensionAttributes": [
  {
    "values": [],
    "dataType": "STRING",
    "name": "SW-agent-SYSX (co.systemextension)",
```

Or another failing input (since values is empty for each extension that we're looking for):

```json
"extensionAttributes": [
  {
    "values": [],
    "dataType": "STRING",
    "name": "SW-agent-SYSX (co.systemextension)"
  },
  {
    "values": [],
    "dataType": "STRING",
    "name": "SW esensor-SYSX (com.systemextension)"
  }
```
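An added example, not part of the question above, showing why a `!=` comparison under `[_]` still matches on the sample input (it is existential, so the "OS-Uptime Days" attribute satisfies it) and how to express "this extension is absent" with `not` instead. It assumes OPA with `import rego.v1` syntax, drops the custom `eval_doc_xcloud` wrapper, and returns plain "pass"/"fail" strings; the package name `control` and the helper names are assumptions.

```rego
package control

import rego.v1

# Constructed to mirror the question: the two extension names being checked.
agent_name := "SW-agent-SYSX (co.systemextension)"
sensor_name := "SW esensor-SYSX (com.systemextension)"

attrs := input.jamf.jamf_details.operatingSystem.extensionAttributes

# `attrs[_].name == name` is existential: true if ANY attribute has that name.
present(name) if {
	attrs[_].name == name
}

# Present AND reporting at least one value.
populated(name) if {
	some attr in attrs
	attr.name == name
	count(attr.values) > 0
}

# The trap in the question: `!=` under `[_]` is still existential, so this is
# true whenever ANY attribute has a different name (e.g. "OS-Uptime Days"),
# not when the named extension is missing. Shown only to illustrate; unused.
wrongly_absent(name) if {
	attrs[_].name != name
}

# Correct "missing" test: negate the existence rule.
absent(name) if {
	not present(name)
}

default ccm_wks_jmf_2 := "pass"

# Fail: a watched extension is installed but reports no values.
ccm_wks_jmf_2 := "fail" if {
	input.jamf.isManaged == true
	some name in {agent_name, sensor_name}
	present(name)
	not populated(name)
}

# Fail: neither watched extension is installed at all.
ccm_wks_jmf_2 := "fail" if {
	input.jamf.isManaged == true
	absent(agent_name)
	absent(sensor_name)
}
```

Evaluated with `opa eval -i input.json -d policy.rego "data.control.ccm_wks_jmf_2"`, the sample input above yields "pass" because the agent attribute is present with four values, while the two failing fragments yield "fail" once embedded in the same document.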