Rego Built-in Function: regex.globs_match

regex.globs_match() is a less commonly used built-in function that checks if two patterns overlap. This can be useful when using patterns to define permissions or access control rules. The function returns true if the two patterns overlap and false otherwise.

Examples

Pattern based access

This example demonstrates using regex.globs_match in Rego to ensure actions are allowed only if the user's permissions overlap with the required permissions for the action. The user's permissions are defined by patterns, as are the permissions required by any given action.

# policy.rego
package play

import rego.v1

# Roles assigned to the requesting user.
user_roles := data.user_roles[input.user_id]

# Permission patterns the requested action requires.
action_requirements := data.action_requirements[input.action]

# Every permission pattern granted through any of the user's roles.
permission_patterns contains pattern if {
	some role in user_roles
	some pattern in data.role_permissions[role]
}

default allow := false

# Allow only if every requirement overlaps with at least one granted pattern.
allow if {
	every requirement in action_requirements {
		some pattern in permission_patterns
		regex.globs_match(pattern, requirement)
	}
}

# input.json
{
  "user_id": "c2655539-8422-476d-9430-a26a4efa51b2",
  "action": "tenant.create",
  "props": {
    "name": "my-new-tenant"
  }
}

# data.json
{
  "user_roles": {
    "c2655539-8422-476d-9430-a26a4efa51b2": [
      "developer"
    ]
  },
  "role_permissions": {
    "developer": [
      "dns.*",
      "compute.*"
    ]
  },
  "action_requirements": {
    "tenant.create": [
      "dns.records.create",
      "compute.containers.create",
      "compute.containers.scale.*"
    ]
  }
}

Rule | Output Value | Notes
allow | true | The user has broad access and the permissions needed for the action overlap.
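The following test module is an added example, not part of the original page or the OPA project's code. It exercises the overlap semantics on the page's own patterns, including the cases a policy author should check before relying on them: overlap is symmetric, an unescaped `.` matches any character, and an empty requirement list is vacuously satisfied. The package name and the helper `satisfied` are hypothetical; the helper mirrors the body of the `allow` rule above so the file runs on its own with `opa test`.

```rego
package globs_match_example

import rego.v1

# Hypothetical helper mirroring the page's allow rule: every requirement
# must overlap with at least one granted pattern.
satisfied(grants, requirements) if {
	every requirement in requirements {
		some grant in grants
		regex.globs_match(grant, requirement)
	}
}

# The page's data: broad developer grants cover all three requirements.
test_page_example_allowed if {
	satisfied(
		{"dns.*", "compute.*"},
		["dns.records.create", "compute.containers.create", "compute.containers.scale.*"],
	)
}

# No common string between the grant and the requirement: denied.
test_disjoint_grant_denied if {
	not satisfied({"dns.*"}, ["compute.containers.create"])
}

# Overlap is not containment: a single narrow grant satisfies a wildcard
# requirement, because one string matches both patterns.
test_narrow_grant_meets_wildcard_requirement if {
	satisfied({"compute.containers.scale.down"}, ["compute.containers.scale.*"])
}

# "." is a regex wildcard, so "dns.*" also overlaps names that merely
# start with "dns" (constructed sample permission name).
test_unescaped_dot_is_a_wildcard if {
	satisfied({"dns.*"}, ["dnssec.keys.read"])
}

# Escaping the dot pins the grant to the "dns." namespace.
test_escaped_dot_pins_namespace if {
	not satisfied({`dns\..*`}, ["dnssec.keys.read"])
	satisfied({`dns\..*`}, ["dns.records.create"])
}

# An action with an empty requirement list passes for any user.
test_empty_requirements_pass if {
	satisfied({"dns.*"}, [])
}
```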