cedar-policy / cedar

Implementation of the Cedar Policy Language
https://www.cedarpolicy.com
Apache License 2.0
866 stars 79 forks source link

Return an validation warning when we know a policy always evaluates to `true` #1263

Open john-h-kastner-aws opened 1 month ago

john-h-kastner-aws commented 1 month ago

Category

Cedar validation features/changes

Describe the feature you'd like to request

We already have this for policies that evaluate to false, and a policy that always applies is potentially more problematic.

E.g.,

permit(principal, action, resource);

is always true, so we should return a warning

A slightly complex example might be

permit(principal, action, resource is Photo);

when the only resource type is Photo.


Two possible concerns:

  1. Users who want to emulate default-allow in Cedar might intentionally include a policy permit(principal, action, resource);. but the proposed change is a warning, so they can freely ignore it.
  2. We encourage users to write multiple simple policies, but the proposed change would not detect a set of policies which together always evaluate to at least one true. The false warning doesn't need to handle this because it would only need to warn when together all of the policies always evaluate to false, but this is means each individual policy always evaluates to false, which we warn about.

Describe alternatives you've considered

.

Additional context

No response

Is this something that you'd be interested in working on?

john-h-kastner-aws commented 1 month ago

Related to #103. Implementing that issue would very mean doing this one at the same time, but this issue is substantially simpler, taking a day or two rather than up to a week or two.