On 18/08/2022 01:08, Kent Watsen wrote:
Lada made this comment more than a year ago:
It depends on how the constraint is written.
If you have e.g.
    must "list/non-key-leaf = 42";
then it is sufficient that at least one instance of non-key-leaf exists
with that value. In contrast,
    must "not(list/non-key-leaf != 42)";
requires all instances to have that value.
With identityrefs, the outside "not" is possible, but how to negate
the "derived-from-or-self" function?
Lada's second example selects everything that does not match a condition
then states such a selection should return nothing:
    not(deref(.)/../ts:public-key/ts:public-key-format[
        not(derived-from-or-self(., "ct:ssh-public-key-format"))])
Check if the corner cases work out for your needs, however. Returns
true() for an empty list, for example.
Jernej
PS: in case it helps, the 'must' expression only needs to test for
"self" equivalency (i.e., the "derived-from" part is unneeded).
K.
On Aug 17, 2022, at 5:08 PM, Kent Watsen <kent+i...@watsen.net> wrote:
Given a must-expression like this:
    uses ts:local-or-truststore-public-keys-grouping {
      refine "local-or-truststore/truststore/truststore-reference" {
        must
          'derived-from-or-self(deref(.)/../ts:public-key/ts:public-key-format,
           "ct:ssh-public-key-format")';
      }
    }
Where "ts:public-key" is a list, currently the expression evals true
if there is just one element in the list having
public-key-format="ct:ssh-public-key-format", but it is needed to
eval true only when *all* the elements have that value.
Any pro-tips? I think I saw this posted before, but can't find it now...
K.
_______________________________________________
netmod mailing list
netmod@ietf.org
https://www.ietf.org/mailman/listinfo/netmod
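
The any-versus-all behaviour discussed in this thread, modelled in Python as an added example (not code from any of the posters or from the YANG modules). The identity tree, the bag names and the `must_all_nonempty` variant are assumptions constructed for illustration; only "ct:ssh-public-key-format" comes from the thread.

```python
# Constructed identity tree (child -> base). Single base per identity is a
# simplification; YANG 1.1 identities may have several bases.
BASES = {
    "ct:ssh-public-key-format": "ct:public-key-format",
    "ct:subject-public-key-info-format": "ct:public-key-format",
    "ex:vendor-ssh-format": "ct:ssh-public-key-format",  # hypothetical identity
}
SSH = "ct:ssh-public-key-format"

def derived_from_or_self(identity, target):
    """Single-value test: walk the base chain from identity up to the root."""
    while identity is not None:
        if identity == target:
            return True
        identity = BASES.get(identity)
    return False

def must_original(formats):
    """derived-from-or-self(<node-set>, SSH): true if ANY node matches."""
    return any(derived_from_or_self(f, SSH) for f in formats)

def must_all(formats):
    """not(<node-set>[not(derived-from-or-self(., SSH))]): no node may fail."""
    failing = [f for f in formats if not derived_from_or_self(f, SSH)]
    return not failing

def must_all_nonempty(formats):
    """Assumed stricter variant: also reject a bag that holds no public keys."""
    return bool(formats) and must_all(formats)

# Constructed public-key-format values for three referenced truststore bags.
BAGS = {
    "all-ssh": ["ct:ssh-public-key-format", "ex:vendor-ssh-format"],
    "mixed": ["ct:ssh-public-key-format", "ct:subject-public-key-info-format"],
    "empty": [],
}

def evaluate():
    """Return (original, all, all-and-nonempty) verdicts per bag."""
    return {name: (must_original(f), must_all(f), must_all_nonempty(f))
            for name, f in BAGS.items()}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:8} original={verdicts[0]} all={verdicts[1]} "
              f"all+nonempty={verdicts[2]}")
```

The "mixed" bag passes the original expression but fails the negated-predicate form, and the "empty" bag is the corner case where the two forms flip.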