corpus update

Signed-off-by: Phil Hassey <phil@strongdm.com>

Author: philhassey

Makefile

@@ -9,8 +9,7 @@ linters:
 	golangci-lint run
 	go run github.com/alecthomas/go-check-sumtype/cmd/go-check-sumtype@latest -default-signifies-exhaustive=false ./...
 	go test -coverprofile=coverage.out ./...
-	sed -i '' '/^github.com\/cedar-policy\/cedar-go\/internal\/schema\/parser\/cedarschema.go/d' coverage.out
-	go tool cover -func=coverage.out | sed 's/%$$//' | awk '$$2 == "isCedarType" { next } $$2 == "Entity" && $$1 ~ /entity\.go/ { next } $$2 == "typeOfExtensionCall" { next } { if ($$3 < 100.0) { printf "Insufficient code coverage for %s\n", $$0; failed=1 } } END { exit failed }'
+	go tool cover -func=coverage.out | sed 's/%$$//' | awk '{ if ($$3 < 100.0) { printf "Insufficient code coverage for %s\n", $$0; failed=1 } } END { exit failed }'
 
 # Download the latest corpus tests tarball and overwrite corpus-tests.tar.gz if changed
 check-upstream-corpus:

corpus-tests-json-schemas.tar.gz

@@ -1,6 +1,7 @@
 package validate
 
 import (
+	"cmp"
 	"fmt"
 	"slices"
 	"strings"
@@ -36,6 +37,28 @@ type entityAttrSource struct {
 type typeEntity struct{ lub entityLUB }       // Entity with LUB of types
 type typeExtension struct{ name types.Ident } // Extension type (ipaddr, decimal, etc.)
 
+var cedarTypeKindRanks = map[string]int{
+	fmt.Sprintf("%T", typeTrue{}):      0,
+	fmt.Sprintf("%T", typeFalse{}):     1,
+	fmt.Sprintf("%T", typeBool{}):      2,
+	fmt.Sprintf("%T", typeNever{}):     3,
+	fmt.Sprintf("%T", typeLong{}):      4,
+	fmt.Sprintf("%T", typeString{}):    5,
+	fmt.Sprintf("%T", typeSet{}):       6,
+	fmt.Sprintf("%T", typeRecord{}):    7,
+	fmt.Sprintf("%T", typeEntity{}):    8,
+	fmt.Sprintf("%T", typeExtension{}): 9,
+}
+
+var cedarPrimitiveTypeNames = map[string]string{
+	fmt.Sprintf("%T", typeNever{}):  "__cedar::internal::Any",
+	fmt.Sprintf("%T", typeTrue{}):   "__cedar::internal::True",
+	fmt.Sprintf("%T", typeFalse{}):  "__cedar::internal::False",
+	fmt.Sprintf("%T", typeBool{}):   "Bool",
+	fmt.Sprintf("%T", typeLong{}):   "Long",
+	fmt.Sprintf("%T", typeString{}): "String",
+}
+
 func (typeNever) isCedarType()     { _ = "hack for code coverage" }
 func (typeTrue) isCedarType()      { _ = "hack for code coverage" }
 func (typeFalse) isCedarType()     { _ = "hack for code coverage" }
@@ -51,7 +74,7 @@ func (typeExtension) isCedarType() { _ = "hack for code coverage" }
 func typeIncompatErr(a, b cedarType) *typeIncompatError {
 	nameA := cedarTypeName(a)
 	nameB := cedarTypeName(b)
-	if cedarTypeSortKey(a) > cedarTypeSortKey(b) {
+	if compareCedarType(a, b) > 0 {
 		nameA, nameB = nameB, nameA
 	}
 	return &typeIncompatError{msg: fmt.Sprintf("the types %s and %s are not compatible", nameA, nameB)}
@@ -64,14 +87,7 @@ func typeIncompatErrMulti(types []cedarType) *typeIncompatError {
 	sorted := make([]cedarType, len(types))
 	copy(sorted, types)
 	slices.SortFunc(sorted, func(a, b cedarType) int {
-		ka, kb := cedarTypeSortKey(a), cedarTypeSortKey(b)
-		if ka < kb {
-			return -1
-		}
-		if ka > kb {
-			return 1
-		}
-		return 0
+		return compareCedarType(a, b)
 	})
 	names := make([]string, len(sorted))
 	for i, t := range sorted {
@@ -99,74 +115,85 @@ func typeIncompatErrMulti(types []cedarType) *typeIncompatError {
 	return &typeIncompatError{msg: sb.String()}
 }
 
-// cedarTypeSortKey returns a sort key for ordering types in error messages.
-// Matches Rust's structural type ordering (True < False < Never < Long < String < Set < Record < Entity < Extension).
-func cedarTypeSortKey(t cedarType) string {
-	switch tv := t.(type) {
-	case typeTrue:
-		return "0a"
-	case typeFalse:
-		return "0b"
-	case typeBool:
-		return "0c"
-	case typeNever:
-		return "1"
-	case typeLong:
-		return "2"
-	case typeString:
-		return "3"
-	case typeSet:
-		return "4:" + cedarTypeSortKey(tv.element)
-	case typeRecord:
-		// Sort by attribute keys/types (matches Rust BTreeMap ordering)
-		key := "5"
-		keys := make([]string, 0, len(tv.attrs))
-		for k := range tv.attrs {
-			keys = append(keys, string(k))
-		}
-		slices.Sort(keys)
-		for _, k := range keys {
-			at := tv.attrs[types.String(k)]
-			key += ":" + k + ":" + cedarTypeSortKey(at.typ)
-		}
-		return key
-	case typeEntity:
-		return "6:" + cedarEntityTypeName(tv.lub)
-	case typeExtension:
+func compareCedarType(a, b cedarType) int {
+	ak, bk := cedarTypeKindRank(a), cedarTypeKindRank(b)
+	if ak != bk {
+		return ak - bk
+	}
+
+	if av, ok := a.(typeSet); ok {
+		return compareCedarType(av.element, b.(typeSet).element)
+	}
+	if av, ok := a.(typeRecord); ok {
+		return compareRecordTypes(av, b.(typeRecord))
+	}
+	if av, ok := a.(typeEntity); ok {
+		return compareEntityLUB(av.lub, b.(typeEntity).lub)
+	}
+	return strings.Compare(cedarTypeName(a), cedarTypeName(b))
+}
+
+func cedarTypeKindRank(t cedarType) int {
+	return cedarTypeKindRanks[fmt.Sprintf("%T", t)]
+}
+
+func compareRecordTypes(a, b typeRecord) int {
+	ak := make([]string, 0, len(a.attrs))
+	for k := range a.attrs {
+		ak = append(ak, string(k))
 	}
-	return "7:" + string(t.(typeExtension).name)
+	bk := make([]string, 0, len(b.attrs))
+	for k := range b.attrs {
+		bk = append(bk, string(k))
+	}
+	slices.Sort(ak)
+	slices.Sort(bk)
+
+	n := len(ak)
+	if len(bk) < n {
+		n = len(bk)
+	}
+	for i := 0; i < n; i++ {
+		if c := strings.Compare(ak[i], bk[i]); c != 0 {
+			return c
+		}
+		aat := a.attrs[types.String(ak[i])]
+		bat := b.attrs[types.String(bk[i])]
+		if c := compareCedarType(aat.typ, bat.typ); c != 0 {
+			return c
+		}
+	}
+	return cmp.Compare(len(ak), len(bk))
+}
+
+func compareEntityLUB(a, b entityLUB) int {
+	n := min(len(a.elements), len(b.elements))
+	for i := 0; i < n; i++ {
+		as, bs := string(a.elements[i]), string(b.elements[i])
+		if c := strings.Compare(as, bs); c != 0 {
+			return c
+		}
+	}
+	return cmp.Compare(len(a.elements), len(b.elements))
 }
 
 // cedarTypeName returns the Rust Cedar display name for a type.
 func cedarTypeName(t cedarType) string {
 	switch tv := t.(type) {
-	case typeNever:
-		return "__cedar::internal::Any"
-	case typeTrue:
-		return "__cedar::internal::True"
-	case typeFalse:
-		return "__cedar::internal::False"
-	case typeBool:
-		return "Bool"
-	case typeLong:
-		return "Long"
-	case typeString:
-		return "String"
+	case typeNever, typeTrue, typeFalse, typeBool, typeLong, typeString:
 	case typeSet:
 		return "Set<" + cedarTypeName(tv.element) + ">"
 	case typeRecord:
 		return cedarRecordTypeName(tv)
 	case typeEntity:
 		return cedarEntityTypeName(tv.lub)
 	case typeExtension:
+		return string(tv.name)
 	}
-	return string(t.(typeExtension).name)
+	return cedarPrimitiveTypeNames[fmt.Sprintf("%T", t)]
 }
 
 func cedarEntityTypeName(lub entityLUB) string {
-	if len(lub.elements) == 0 {
-		return "__cedar::internal::AnyEntity"
-	}
 	if len(lub.elements) == 1 {
 		return string(lub.elements[0])
 	}
@@ -192,6 +219,9 @@ func cedarRecordTypeName(r typeRecord) string {
 	for _, k := range keys {
 		at := r.attrs[types.String(k)]
 		sb.WriteString(k)
+		if !at.required {
+			sb.WriteRune('?')
+		}
 		sb.WriteString(": ")
 		sb.WriteString(cedarTypeName(at.typ))
 		sb.WriteRune(',')
@@ -254,14 +284,13 @@ func (v *Validator) isSubtype(a, b cedarType) bool {
 
 // leastUpperBound computes the LUB of two types.
 func (v *Validator) leastUpperBound(a, b cedarType) (cedarType, error) {
-	if _, ok := a.(typeNever); ok {
-		return b, nil
-	}
 	if _, ok := b.(typeNever); ok {
 		return a, nil
 	}
 
 	switch av := a.(type) {
+	case typeNever:
+		return b, nil
 	case typeTrue:
 		switch b.(type) {
 		case typeTrue:
@@ -279,10 +308,8 @@ func (v *Validator) leastUpperBound(a, b cedarType) (cedarType, error) {
 		case typeNever, typeLong, typeString, typeSet, typeRecord, typeEntity, typeExtension:
 		}
 	case typeBool:
-		switch b.(type) {
-		case typeTrue, typeFalse, typeBool:
+		if isBoolType(b) {
 			return typeBool{}, nil
-		case typeNever, typeLong, typeString, typeSet, typeRecord, typeEntity, typeExtension:
 		}
 	case typeLong:
 		if _, ok := b.(typeLong); ok {
@@ -312,8 +339,6 @@ func (v *Validator) leastUpperBound(a, b cedarType) (cedarType, error) {
 		if bv, ok := b.(typeExtension); ok && av.name == bv.name {
 			return av, nil
 		}
-	case typeNever:
-		// Already handled above; unreachable.
 	}
 
 	return nil, fmt.Errorf("incompatible types for least upper bound")

corpus-tests-validation.tar.gz

@@ -15,11 +15,4 @@ func TestMarkerMethods(t *testing.T) {
 	typeRecord{}.isCedarType()
 	typeEntity{}.isCedarType()
 	typeExtension{}.isCedarType()
-
-	// Defensive type name/sort key paths for types that rarely appear in error messages
-	cedarTypeSortKey(typeNever{})
-	cedarTypeSortKey(typeBool{})
-	cedarTypeName(typeNever{})
-	cedarEntityTypeName(entityLUB{})
-
 }

corpus-tests.tar.gz

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"slices"
+	"strings"
 
 	"github.com/cedar-policy/cedar-go/types"
 	"github.com/cedar-policy/cedar-go/x/exp/ast"
@@ -39,24 +40,26 @@ func (v *Validator) Policy(policyID string, policy *ast.Policy) error {
 	}
 
 	// Check action application
-	if err := v.validateActionApplication(principalTypes, resourceTypes, actionUIDs); err != nil {
-		errs = append(errs, err)
+	actionAppErr := v.validateActionApplication(principalTypes, resourceTypes, actionUIDs)
+	if actionAppErr != nil {
+		errs = append(errs, actionAppErr)
 	}
 
 	// Expression type checking
 	allEnvs := v.generateRequestEnvs()
 	envs := v.filterEnvsForPolicy(allEnvs, principalTypes, resourceTypes, actionUIDs)
 
-	if len(envs) > 0 {
-		// Check for empty action set literal in strict mode. This matches Rust
-		// where the scope is part of the typechecked condition — the empty set
-		// check only fires when prior scope constraints don't short-circuit.
-		if v.strict {
-			if sc, ok := policy.Action.(ast.ScopeTypeInSet); ok && len(sc.Entities) == 0 {
-				errs = append(errs, fmt.Errorf("empty set literals are forbidden in policies"))
-			}
+	// In strict mode, empty action set scopes always report this error.
+	if v.strict {
+		if sc, ok := policy.Action.(ast.ScopeTypeInSet); ok && len(sc.Entities) == 0 {
+			errs = append(errs, fmt.Errorf("empty set literals are forbidden in policies"))
 		}
-		if len(policy.Conditions) > 0 {
+	}
+
+	if len(envs) > 0 {
+		// In permissive mode, if action applicability already failed, Rust does
+		// not typecheck policy conditions.
+		if len(policy.Conditions) > 0 && (v.strict || actionAppErr == nil) {
 			if err := v.typecheckConditions(envs, policy.Conditions); err != nil {
 				errs = append(errs, flattenErrors(err)...)
 			}
@@ -338,14 +341,18 @@ func (v *Validator) typecheckConditions(envs []requestEnv, conditions []ast.Cond
 	var allErrs []error
 	for _, cond := range conditions {
 		// Collect error multisets per environment and merge (element-wise max count).
-		// This deduplicates identical errors across environments while preserving
-		// duplicates from different expression positions within the same environment.
+		// For dynamic tag-key diagnostics:
+		// - `principal.*` tag keys aggregate by principal type
+		// - `resource.*` tag keys aggregate by resource type
 		type errEntry struct {
 			err   error
 			count int
 		}
 		merged := map[string]*errEntry{}
 		var mergedOrder []string
+		const unsafeTagPrefix = "unable to guarantee safety of access to tag `"
+		principalTagByType := map[string]map[types.EntityType]int{}
+		resourceTagByType := map[string]map[types.EntityType]int{}
 		for _, env := range envs {
 			caps := newCapabilitySet()
 			t, _, err := v.typeOfExpr(&env, cond.Body, caps)
@@ -370,14 +377,53 @@ func (v *Validator) typecheckConditions(envs []requestEnv, conditions []ast.Cond
 					envCounts[msg] = &envErr{err: e, count: 1}
 				}
 			}
-			// Merge: deduplicate across environments, preserving per-environment counts.
-			// The same expression evaluated in different type contexts produces the same
-			// count for any shared error message, so first-seen count is sufficient.
 			for msg, ee := range envCounts {
 				if _, ok := merged[msg]; !ok {
 					mergedOrder = append(mergedOrder, msg)
 					merged[msg] = &errEntry{err: ee.err, count: ee.count}
 				}
+				merged[msg].count = max(merged[msg].count, ee.count)
+				if strings.HasPrefix(msg, unsafeTagPrefix) && strings.Contains(msg, "`principal.") {
+					byType, ok := principalTagByType[msg]
+					if !ok {
+						byType = map[types.EntityType]int{}
+						principalTagByType[msg] = byType
+					}
+					if ee.count > byType[env.principalType] {
+						byType[env.principalType] = ee.count
+					}
+				}
+				if strings.HasPrefix(msg, unsafeTagPrefix) && strings.Contains(msg, "`resource.") {
+					byType, ok := resourceTagByType[msg]
+					if !ok {
+						byType = map[types.EntityType]int{}
+						resourceTagByType[msg] = byType
+					}
+					if ee.count > byType[env.resourceType] {
+						byType[env.resourceType] = ee.count
+					}
+				}
+			}
+		}
+		for _, msg := range mergedOrder {
+			if byType, ok := principalTagByType[msg]; ok {
+				total := 0
+				for _, count := range byType {
+					total += count
+				}
+				if total > 0 {
+					merged[msg].count = total
+				}
+				continue
+			}
+			if byType, ok := resourceTagByType[msg]; ok {
+				total := 0
+				for _, count := range byType {
+					total += count
+				}
+				if total > 0 {
+					merged[msg].count = total
+				}
 			}
 		}
 		// Emit merged errors preserving first-seen order and original error types