Dusting off some old notes I found, and this one still seems relevant.
```rego
package p

import rego.v1

deny contains "noooo" if {
    # ... conditions
}

allow if {
    not deny # should be a type error, as the "comparison" is invalid
}

# also quite "common" in tests, where `count(deny)` should have been used
test_deny if {
    not deny with ...
}
```
While it's unlikely that this code would make it to production, it's happened quite a few times that developers make this mistake in the policy authoring process, and will have to spend time troubleshooting rather than having fun.
We already have rules in Regal to catch some of these mistakes, like `impossible-not`, or `constant-condition`... but I think it begs the question why the compiler should refuse `1 == "1"` but allow equally impossible `not my_set`.
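The mistake described in this issue next to the `count(deny)` form, as an added example that is not part of the original issue or of the OPA project's code. The package name, the `input.role` condition and the `allow_broken` rule name are assumptions made for illustration.

```rego
package example_added

import rego.v1

# Constructed policy: deny is a partial set rule, so it always evaluates
# to a set, and that set is empty when no condition matches.
deny contains "user is not an admin" if {
	input.role != "admin"
}

# Mistaken form from the issue: a set (even an empty one) is a defined,
# non-false value, so `not deny` can never succeed and this rule is
# never true, whatever the input.
allow_broken if {
	not deny
}

# Corrected form: test the size of the set instead of negating it.
allow if {
	count(deny) == 0
}

# The broken rule stays undefined for both an allowed and a denied input.
test_broken_allow_is_never_true if {
	not allow_broken with input as {"role": "admin"}
	not allow_broken with input as {"role": "guest"}
}

# The corrected rule follows the contents of the deny set.
test_allow_follows_deny if {
	allow with input as {"role": "admin"}
	not allow with input as {"role": "guest"}
}

# In tests, assert on the size of the set rather than negating it.
test_deny_is_empty_for_admin if {
	count(deny) == 0 with input as {"role": "admin"}
}
```

Saved as a `.rego` file, this can be checked with `opa test`; the first test documents that the mistaken rule fails closed silently instead of producing a compile error.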