object.subset: allow super to be array, and sub to be set

[anderseknert]

Currently, both arguments to object.subset must be of the same type. This makes sense, but there's one exception I think should be allowed. If the superset is an array, the subset should be allowed to be a set, meaning "if all items in sub are in super, with no consideration of ordering". This is a IMHO a nice construct:

allow if object.subset(input.user.roles, {"developer", "logs-reader"})

You can of course achieve this today by first converting input.user.roles to a set, but if we can remove an extra step for the likely most common operation, let's do it.

For anyone who wants to work on this, these are the steps I imagine would be needed:

1. Allow first argument provided to be of type array, and the second argument to be of type set.
2. Add a few test cases to assert this works as described above.
3. Update the docs to reflect this.

Join the #development channel on the OPA Slack if you'd like to discuss the approach while working on this.

[charlesdaniels]

Breadcrumbs:

• You should only need to modify https://github.com/open-policy-agent/opa/blob/main/topdown/subset.go
• Add a new helper method like arraySet(), based on the existing bothObjects(), bothArrays(), and bothSets() code
• Add a new helper method like arraySetSubset(super *ast.Array, sub *ast.Set)
• Finally, add a new case to builtinObjectSubset()

We are getting enough cases it might be worth trying to refactor builtinObjectSubset to use a switch/case rather than a bunch of ifs.