Reputation: 1
I am trying to return a response object in an OPA policy based on the conditions that triggered that rule, but it gives the error "Error Evaluating policy.rego:11: eval_conflict_error: complete rules must not produce multiple outputs" since both the OR conditions are evaluating to true.
For example, here is a sample OPA policy:
package play

allow = response {
    mainRule
    OptionalRule
    response := {
        "field": OptionalRule.field
    }
}

OptionalRule = resp {
    input.a == "01"
    input.b == "C"
    resp := {
        "field": "OptionalRule1"
    }
}

OptionalRule = resp {
    input.c != 3
    resp := {
        "field": "OptionalRule2"
    }
}

mainRule {
    input.d > 50
    input.e < 5
}
With the following input:
{
    "a": "01",
    "b": "C",
    "c": 4,
    "d": 55,
    "e": 1
}
Here, I am trying to implement OptionalRule as an OR condition and trying to return which optionalRule conditions triggered it, but it gives the above error. Any idea on how this can be implemented?
Upvotes: 0
Views: 4412
Reputation: 64
You can leverage rules with incremental definitions to implement your policy. For example,
package authz

allow = response {
    mainRule
    response := {
        "field": OptionalRule
    }
}

OptionalRule[resp] {
    input.a == "01"
    input.b == "C"
    resp := "OptionalRule1"
}

OptionalRule[resp] {
    input.c != 3
    resp := "OptionalRule2"
}

mainRule {
    input.d > 50
    input.e < 5
}
Now with an input like { "a": "01", "b": "C", "c": 4, "d": 55, "e": 1 }, the allow rule would return
{
    "field": [
        "OptionalRule2",
        "OptionalRule1"
    ]
}
Similarly for the input { "a": "01", "b": "C", "c": 3, "d": 55, "e": 1 }, the allow rule would return
{
    "field": [
        "OptionalRule1"
    ]
}
Upvotes: 2
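An added example, not part of the question or the answer above: the partial-set policy with a `count(OptionalRule) > 0` guard, so that `allow` stays undefined unless at least one optional condition matched (as the question's original `allow` body required), together with `test_` rules over constructed inputs. The guard, the variable name `name` and the tests are additions made for illustration, and the syntax is the same pre-1.0 Rego used on this page (OPA 1.0 and later expect the `if`/`contains` keywords unless run in v0-compatible mode).

```rego
package authz

# allow is defined only when mainRule holds AND at least one optional
# condition matched; the response lists every condition that matched.
allow = response {
    mainRule
    count(OptionalRule) > 0
    response := {"field": OptionalRule}
}

# Partial set rule: every body that succeeds adds one element, so several
# bodies can be true at once without an eval_conflict_error.
OptionalRule[name] {
    input.a == "01"
    input.b == "C"
    name := "OptionalRule1"
}

OptionalRule[name] {
    input.c != 3
    name := "OptionalRule2"
}

mainRule {
    input.d > 50
    input.e < 5
}

# Tests with constructed inputs. Sets are unordered, so compare against
# set literals rather than the array order seen in JSON output.
test_both_optional_conditions_reported {
    allow == {"field": {"OptionalRule1", "OptionalRule2"}} with input as {"a": "01", "b": "C", "c": 4, "d": 55, "e": 1}
}

test_only_first_condition_reported {
    allow == {"field": {"OptionalRule1"}} with input as {"a": "01", "b": "C", "c": 3, "d": 55, "e": 1}
}

test_undefined_when_no_optional_condition_matches {
    not allow with input as {"a": "02", "b": "C", "c": 3, "d": 55, "e": 1}
}

test_undefined_when_main_rule_fails {
    not allow with input as {"a": "01", "b": "C", "c": 4, "d": 10, "e": 1}
}
```

Saving this as a single `.rego` file and running `opa test` on it exercises all four cases; callers should treat an undefined `allow` as a deny.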