Open
Description
In some cases it's necessary to compare two versions of an object (e.g., old and new) to determine if there's a policy violation. Policy authors may want to say something like "user X can change fields a.b.c and x.y.z but nothing else."
While it's possible to do this in pure Rego today, a built-in function that generates a JSON Patch-esque diff between two values would be useful and avoid duplication.
For example:

```rego
diff(1, 2, [{"op": "replace", "path": "/", "value": 2}])
diff({"x": 1}, {"x": 2}, [{"op": "replace", "path": "/x", "value": 2}])
diff({"x": 1}, {}, [{"op": "remove", "path": "/x"}])
```
I think there's still some design work to do to figure out how to represent diff operations on sets. We should also review the JSON Patch RFC to identify potential corner cases.
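To make the proposed semantics concrete, here is an added reference implementation of such a diff in Python (example code written for this page, not OPA code or a Rego built-in). It generates RFC 6902 `add`/`remove`/`replace` operations from two JSON values, recursing into objects and comparing arrays positionally, and it applies two corner cases from the JSON Patch and JSON Pointer RFCs that the issue asks to review: the root pointer is the empty string (not `/`, which names a key with an empty name), and `~` and `/` inside keys must be escaped as `~0` and `~1`. It also shows the "only fields a.b.c and x.y.z may change" policy built on top of the diff. Sets are left out, as the issue notes they still need design work; the sample documents are constructed for the example.

```python
"""Added example: JSON Patch-style diff of two JSON values plus a field allow-list check."""
import json


def _escape(token):
    # RFC 6901: escape '~' first so that a literal "~1" in a key cannot be confused with '/'.
    return str(token).replace("~", "~0").replace("/", "~1")


def _unescape(token):
    return token.replace("~1", "/").replace("~0", "~")


def _pointer(path):
    # Root is the empty pointer; every other reference token is prefixed with '/'.
    return "".join("/" + _escape(t) for t in path)


def _tokens(pointer):
    return [] if pointer == "" else [_unescape(t) for t in pointer[1:].split("/")]


def diff(old, new, path=()):
    """Return JSON Patch operations that transform old into new.

    Objects are compared key by key and recursed into; arrays are compared by index
    (surplus trailing elements are removed highest-index first so earlier indices stay
    valid); any other mismatch becomes a single replace of the whole value at path.
    """
    if isinstance(old, dict) and isinstance(new, dict):
        ops = []
        for k in sorted(old.keys() - new.keys()):
            ops.append({"op": "remove", "path": _pointer(path + (k,))})
        for k in sorted(old.keys() & new.keys()):
            ops.extend(diff(old[k], new[k], path + (k,)))
        for k in sorted(new.keys() - old.keys()):
            ops.append({"op": "add", "path": _pointer(path + (k,)), "value": new[k]})
        return ops
    if isinstance(old, list) and isinstance(new, list):
        ops = []
        common = min(len(old), len(new))
        for i in range(common):
            ops.extend(diff(old[i], new[i], path + (i,)))
        for i in range(len(old) - 1, common - 1, -1):
            ops.append({"op": "remove", "path": _pointer(path + (i,))})
        for i in range(common, len(new)):
            ops.append({"op": "add", "path": _pointer(path + (i,)), "value": new[i]})
        return ops
    if old == new and type(old) is type(new):
        return []
    return [{"op": "replace", "path": _pointer(path), "value": new}]


def apply_patch(doc, patch):
    """Apply add/remove/replace ops to a deep copy of doc; used to check that diff round-trips."""
    doc = json.loads(json.dumps(doc))
    for op in patch:
        tokens = _tokens(op["path"])
        if not tokens:
            doc = op["value"]  # an add or replace at the root swaps the whole document
            continue
        parent = doc
        for t in tokens[:-1]:
            parent = parent[int(t)] if isinstance(parent, list) else parent[t]
        last = tokens[-1]
        if isinstance(parent, list):
            i = int(last)
            if op["op"] == "remove":
                del parent[i]
            elif op["op"] == "add":
                parent.insert(i, op["value"])
            else:
                parent[i] = op["value"]
        elif op["op"] == "remove":
            del parent[last]
        else:
            parent[last] = op["value"]
    return doc


def disallowed_changes(old, new, allowed_pointers):
    """Paths touched by the diff that are not at or below one of the allowed JSON Pointers.

    A change above an allowed path (e.g. removing /a/b when only /a/b/c may change) is
    reported, since it alters more than the permitted field.
    """
    allowed = list(allowed_pointers)
    return sorted(
        op["path"] for op in diff(old, new)
        if not any(op["path"] == a or op["path"].startswith(a + "/") for a in allowed)
    )


if __name__ == "__main__":
    # Constructed sample: user may change a.b.c and x.y.z, but also touched k.
    OLD = {"a": {"b": {"c": 1}}, "x": {"y": {"z": 1}}, "k": 0}
    NEW = {"a": {"b": {"c": 2}}, "x": {"y": {"z": 1}}, "k": 1}
    print(json.dumps(diff(OLD, NEW)))
    print("violations:", disallowed_changes(OLD, NEW, ["/a/b/c", "/x/y/z"]))
```

Running the module prints the patch for the sample documents and the single offending path `/k`; `apply_patch(OLD, diff(OLD, NEW)) == NEW` holds for any pair of plain JSON values, which is the property a Rego built-in producing these operations would also want to guarantee.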