-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: detect free variables in rule expressions #179
Conversation
It would be nice to merge the implementations, but there might be issues with trait implementation? Maybe if keeping the trait implementations in biscuit-auth |
Maybe we can keep the biscuit-auth types as newtypes if we want to avoid
orphan instances. (It depends on where the traits are defined ofc).
|
Are you ok with the error span being on the whole rule instead of just the head for head variables? Also for checks & policies, it will require a bit of work to collect scope errors in all rule bodies without aborting on the first rule with free variables. |
@@ -328,33 +328,38 @@ impl Rule { | |||
} | |||
|
|||
pub fn validate_variables(&self) -> Result<(), String> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this would need to return a 3-valued enum (Head, Body, Both) to signal where the free variables were found, in order to only return the relevant span in the parsing error.
This only happens during evaluation. Earlier checks depend on changes from #179
Free variables are already forbidden in rule heads, but not in rule expressions.
a2ddd67
to
b64cbab
Compare
|
Free variables are already forbidden in rule heads, but not in rule expressions.
Open questions
The reported error span was the rule head when we were looking for free variables in the rule head. Now free variables can be found in the whole expression, so for now the whole expression is reported as the error span, which is not perfect.
The ideal solution would be to have multiple errors, one per free variable instance, with the span being only the variable itself. That may be hard to achieve, so maybe just being able to keep the expression span (or the rule head span) would be good, but that's still quite a bit of work.
I noticed a fair amount of duplication between the
builder
module inbiscuit-parser
and the one inbiscuit-auth
. For instance,validate_variables
from biscuit-auth is not used anywhere, only the one frombiscuit-parser
. Could thebiscuit-auth
builder
module be significantly reduced to use types and functions frombiscuit-parser
?ToDo