The validate function currently (v3.x) returns a ValidationResult, which consists of validation_errors and validation_warnings. One current validation error is the TypeErrorImpossiblePolicy, which indicates that a policy will always evaluate to false (i.e., it will never fire). We had always intended for this to be more of a "warning" than an "error," but we didn’t add official support for warnings until recently (see #225). We would now like to move this error to be a warning instead.
Benefits
Since the ImpossiblePolicy error is returned on a best-effort basis (i.e., we may miss some "impossible" policies), it is sensitive to changes in our typing precision. This means that seemingly small changes to our typing algorithm could easily become breaking changes. For example: say that we decide to encode in the validator that an expression like 1 == 2 is always false (this is currently not checked). Then policies that previously validated will no longer be valid.
Although having a policy that never applies is likely an error, it is not an issue that would lead to an authorization-time error, which is what the validator is intended to protect against. So this "feels" more like a warning than an error.
There could be legitimate reasons for generating policies that never apply. For example, a user might be generating policies programmatically, expecting that "impossible" policies are ignored.
This would set the precedent for adding more warnings to the validator. Easy example: check whether a policy always evaluates to true (i.e., will always fire).
Impact
Some policies that previously would not validate will now validate, but with a warning. All previously-validated policies will remain valid.
Describe alternatives you've considered
We could leave ImpossiblePolicy as an error, which is the status quo.
Additional context
No response
Is this something that you'd be interested in working on?
👋 I may be able to implement this feature request
⚠️ This feature might incur a breaking change
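The breaking-change argument in this request, as an added Rust sketch (not Cedar's validator and not code from this issue): the same `1 == 2` policy is validated before and after a precision improvement, with `ImpossiblePolicy` classed as an error and then as a warning. `Expr`, `Precision`, `Severity`, `always_false` and `validation_passed` here are hypothetical stand-ins; only the `ValidationResult` field names and `ImpossiblePolicy` come from the text.

```rust
// Toy model constructed for illustration; expressions are assumed well-typed.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Precision { Current, WithIntEq } // WithIntEq also proves `1 == 2` is false
#[derive(Clone, Copy, PartialEq, Debug)]
enum Severity { Error, Warning }
enum Expr { Bool(bool), Int(i64), Eq(Box<Expr>, Box<Expr>), And(Box<Expr>, Box<Expr>) }

#[derive(Default)]
struct ValidationResult {
    validation_errors: Vec<&'static str>,
    validation_warnings: Vec<&'static str>,
}
impl ValidationResult {
    fn validation_passed(&self) -> bool { self.validation_errors.is_empty() }
}

// Best-effort analysis: `true` means "provably always false", `false` means "unknown".
fn always_false(e: &Expr, p: Precision) -> bool {
    match e {
        Expr::Bool(b) => !*b,
        Expr::And(l, r) => always_false(l, p) || always_false(r, p),
        Expr::Eq(l, r) => match (&**l, &**r) {
            (Expr::Int(a), Expr::Int(b)) => p == Precision::WithIntEq && a != b,
            _ => false,
        },
        Expr::Int(_) => false,
    }
}

// Validate one policy condition; `impossible_as` selects how ImpossiblePolicy is reported.
fn validate(when: &Expr, p: Precision, impossible_as: Severity) -> ValidationResult {
    let mut r = ValidationResult::default();
    if always_false(when, p) {
        match impossible_as {
            Severity::Error => r.validation_errors.push("ImpossiblePolicy"),
            Severity::Warning => r.validation_warnings.push("ImpossiblePolicy"),
        }
    }
    r
}

fn one_eq_two() -> Expr { Expr::Eq(Box::new(Expr::Int(1)), Box::new(Expr::Int(2))) }

fn main() {
    for (p, s) in [(Precision::Current, Severity::Error), (Precision::WithIntEq, Severity::Error), (Precision::WithIntEq, Severity::Warning)] {
        let r = validate(&one_eq_two(), p, s);
        println!("{:?}/{:?}: passed={} errors={:?} warnings={:?}", p, s, r.validation_passed(), r.validation_errors, r.validation_warnings);
    }
}
```

A deployment gate that keys on `validation_passed()` keeps accepting the policy across the precision change only in the warning configuration.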
Category
Cedar validation features