We already have this for policies that evaluate to false, and a policy that always applies is potentially more problematic.
E.g.,
permit(principal, action, resource);
is always true, so we should return a warning.
A slightly complex example might be
permit(principal, action, resource is Photo);
when the only resource type is Photo.
Two possible concerns:
Users who want to emulate default-allow in Cedar might intentionally include a policy permit(principal, action, resource);, but the proposed change is a warning, so they can freely ignore it.
We encourage users to write multiple simple policies, but the proposed change would not detect a set of policies which together always evaluate to at least one true. The false warning doesn't need to handle this because it would only need to warn when together all of the policies always evaluate to false, but this means each individual policy always evaluates to false, which we warn about.
Describe alternatives you've considered
.
Additional context
No response
Is this something that you'd be interested in working on?
[ ] 👋 I may be able to implement this feature request
Related to #103. Implementing that issue would very likely mean doing this one at the same time, but this issue is substantially simpler, taking a day or two rather than up to a week or two.
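To make the proposed check concrete, here is an added toy linter (not Cedar's validator, and not code from this issue) that flags a permit policy as always true when its scope constrains nothing and it has no when/unless clause, including the `resource is Photo` case when a constructed schema says Photo is the only resource type. It handles only the small syntax subset used in the examples above.

```python
import re

# Matches: effect ( scope ) [conditions] ;  -- a subset of Cedar syntax.
POLICY_RE = re.compile(r"^\s*(permit|forbid)\s*\(\s*(.*?)\s*\)\s*(.*?);\s*$", re.DOTALL)
IS_RE = re.compile(r"(principal|resource)\s+is\s+([A-Za-z_][A-Za-z0-9_:]*)")

def split_scope(scope):
    """Split the scope on commas that are not inside [...] lists."""
    parts, depth, cur = [], 0, ""
    for ch in scope:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts]

def unconstrained(part, slot_types):
    """True if this scope element cannot exclude any request.

    slot_types is the set of entity types the schema allows in this slot
    (a constructed stand-in for a real Cedar schema)."""
    if part in ("principal", "action", "resource"):
        return True
    m = IS_RE.fullmatch(part)
    # `resource is Photo` excludes nothing when Photo is the only resource type.
    return bool(m) and slot_types is not None and slot_types == {m.group(2)}

def always_true(policy, schema=None):
    """Return True if a permit policy applies to every request."""
    m = POLICY_RE.match(policy)
    if not m:
        raise ValueError("unsupported policy syntax")
    effect, scope, conditions = m.groups()
    if effect != "permit" or conditions.strip():
        return False  # forbid, or has when/unless: not the case warned about here
    parts = split_scope(scope)
    if len(parts) != 3:
        return False
    schema = schema or {}
    slots = ("principal", "action", "resource")
    return all(unconstrained(p, schema.get(s)) for p, s in zip(parts, slots))

def lint(policies, schema=None):
    """Indices of policies that would trigger the always-true warning."""
    return [i for i, p in enumerate(policies) if always_true(p, schema)]
```

As the second concern above notes, this checks each policy on its own; a set of policies that together cover every request is not detected.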