Write allow and deny rules

[gituserjava]

What is the best practice to write deny rules along with allow rules? I have a use-case where I need to deny all the requests for a POST endpoint. I can write allow rules with a negation on request header but it is getting complicated. Please advise.

Question: If the deny rule evaluates to true, will the allow rule be executed and what will be the overall result?

deny {
       input.attributes.request.http.method == POST
}

allow {
       input.attributes.request.http.method == GET
}

[anderseknert]

Which rules are executed depends on which rule is queried. If you'd want both the deny and allow rule to be evaluated you'd normally have a third rule which invoked both and aggregated the result. Perhaps something like:

deny {
       input.attributes.request.http.method == POST
}

allow {
       input.attributes.request.http.method == GET
}

decision := {
    "alllow": allow,
    "deny": deny,
}