Define multiple rules

[gituserjava]

I have a use-case where I need to implement multiple rules in the Rego file to validate GET, POST endpoints with different x-incoming-flow custom header. For example in the example below; my intension is to allow HR applications (indicated by request hr-flow) to retrieve basic demographic information. Similarly allow finance applications (indicated by finance-flow) to update finance information. The headers are passed by consuming applications.

In this use-case, what is the best practice to prepare the rules? Do I need to write multiple allow blocks or is there a better way to write them in a single allow block. Please advise

package demo
import input.attributes.request.http as http_request
default allow = false

allow {
        #Allow GET:/api/v1/employees/demographics if it has x-incoming-flow as `hr-flow`
        http_request.method="GET"
        http_request.path == "/api/v1/employees/demographics"
        http_request.headers["x-incoming-flow"] == "hr-flow"
}

allow {
        #Allow POST:/api/v1/employees/salaries if it has x-incoming-flow as `finance-flow`
        http_request.method="POST"
        http_request.path == "/api/v1/employees/salaries"
        http_request.headers["x-incoming-flow"] == "finance-flow"
}

Input 1: -- Output should be true

{
  "attributes": {
    "request": {
      "http": {
        "method": "GET",
        "path": "/api/v1/employees/demographics",
        "headers": {
          "x-incoming-flow": "hr-flow"
        }
      }
    }
  }
}

Input 2: -- Output should be false

{
  "attributes": {
    "request": {
      "http": {
        "method": "GET",
        "path": "/api/v1/employees/demographics",
        "headers": {
          "x-incoming-flow": "deparments-flow"
        }
      }
    }
  }
}

Input 3: -- Output should be true

{
  "attributes": {
    "request": {
      "http": {
        "method": "POST",
        "path": "/api/v1/employees/finance",
        "headers": {
          "x-incoming-flow": "finance-flow"
        }
      }
    }
  }
}

[anderseknert]

Hi @gituserjava 👋

Yes, the way you've done it with multiple allow rules is the idiomatic way of doing it. If there are a lot of lines being repeated you could move those to a separate helper rule, but in your case it seems the conditions are unique for each allow rule, so that's the best way of doing it.

[gituserjava]

Thanks @anderseknert ! One more question, as the rules get increased the rego file gets huge. Are there any validator tools (lint tools) to validate the syntax of the allows statements? As theses are hand-written there is a high possibility of human errors.

[anderseknert]

If the format of the input and/or data is known, you could use the type checking capabilities with JSON schema in order to make typos compile time errors. Another, simpler, thing that might help is to use helper rules for common conditions such as:

allow {
    is_get_request
    is_finance_flow
    # more conditions here
}

is_get_request {
    http_request.method == "GET"
}

is_finance_flow {
    http_request.headers["x-incoming-flow"] == "finance-flow"
}

If you make a typo in one of the allow rules now the compiler would rightly complain that the "is_het_request" (or whatever) is an undefined rule.

[gituserjava]

Thank you