`anyLike`/`allLike` operators

[masp]

Category

Cedar language or syntax features/changes

Describe the feature you'd like to request

I would like 2 new operators similar to like for operating on sets of strings. We group our services in a text-based hierarchy and want to match using like, but there can be more than group so we need some way to iterate over all of them:

permit(principal, action, resource) when {
       // True if matches any permission starting with admin.
       principal.groups anyLike "admin.*"
}

permit(principal, action, resource) when {
       // True if matches all permissions starting with admin.
       principal.groups allLike "admin.*"
}

There was an RFC proposal for a more general concept, but this would be just for sets of strings matching against a single string pattern. RFC

Describe alternatives you've considered

We can (and will) implement some code before calling Cedar and parse the text structure to create the hierarchy and use the in operator instead, but our users use the text format and are more familiar with it.

permit(principal, resource, action) when {
      principal in Group::"admin" // If we get "admin.service1" and "admin.service2", we'd create a tree with "admin" at the root and the services as children
}

While the text structure is a convention, it is not enforced anywhere else so us parsing it like this is forcing a behavior onto our users that they don't necessarily follow.

Additional context

No response

Is this something that you'd be interested in working on?

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

[john-h-kastner-aws]

In case you missed it, the like specialization for any and all is explicitly called out as something we might support if there's enough demand cedar-policy/rfcs#21 (comment)

This is the first request we've had for this specific version of any/all, so we won't be rushing to add this, but we'll definitely be looking at it