Lada made this comment more than a year ago:
It depends on how the constraint is written.
If you have e.g.
must "list/non-key-leaf = 42";
then it is sufficient that at least one instance on non-key-leaf exist
non-key-leaf exist with that value. In contrast,
must "not(list/non-key-leaf != 42)";
requires all instances to have that value.
With identityrefs, the outside "not" is possible, but how to negate the
"derived-from-or-self" function?
PS: in case it helps, the 'must' expression only needs to test for "self"
equivalency (i.e., the "derived-from" part is unneeded).
K.
> On Aug 17, 2022, at 5:08 PM, Kent Watsen <[email protected]> wrote:
>
>
> Given a must-expression like this:
>
> uses ts:local-or-truststore-public-keys-grouping {
> refine "local-or-truststore/truststore/truststore-reference" {
> must
> 'derived-from-or-self(deref(.)/../ts:public-key/ts:public-key-format,
> "ct:ssh-public-key-format")';
> }
> }
>
> Where "ts:public-key" is a list, currently the expression evals true if there
> is just one element in the list having
> public-key-format="ct:ssh-public-key-format", but it is needed to eval true
> only when *all* the elements have that value.
>
> Any pro-tips? I think I saw this posted before, but can't find it now...
>
> K.
>
>
> _______________________________________________
> netmod mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/netmod
_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod
