Skip to content

Compiler / type checker to fail on impossible (or constant) conditions #6998

Open
@anderseknert

Description

@anderseknert

Dusting off some old notes I found, and this one still seems relevant.

package p

import rego.v1

deny contains "noooo" if {
    # ... conditions
}

allow if {
    not deny # should be a type error, as the "comparison" is invalid
}

# also quite "common" in tests, where `count(deny)` should have been used
test_deny if {
    not deny with ...
}

While it's unlikely that this code would make it to production, it's happened quite a few times that developers make this mistake in the policy authoring process, and will have to spend time troubleshooting rather than having fun.

We already have rules in Regal to catch some of these mistakes, like impossible-not, or constant-condition.. but I think it begs the question why the compiler should refuse 1 == "1" but allow equally impossible not my_set.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions