search

google / cel-go

Fast, portable, non-Turing complete expression evaluation with gradual typing (Go)
https://cel.dev
Apache License 2.0
2.3k stars 224 forks source link

[Policy compiler] Match blocks with missing outputs are silently ignored #999

Closed seirl closed 3 months ago

seirl commented 3 months ago

Describe the bug Match blocks with missing outputs are silently ignored.

To Reproduce

Sample expression and input that reproduces the issue:

rule:
  match:
  - condition: "!a.hasValue()"
  - condition: "!a.field.hasValue()"
  - output: "a.field.value()"

This gets compiled to the following expression:

a.field.value()

Expected behavior

Two possible behaviors would work here:

  1. this should return an error because some match blocks don't have a rule or an output.
  2. the expression should instead be compiled to a rule with an optional output:
!a.hasValue() ? optional.none() : !a.field.hasValue() ? optional.none() : a.field.value()
TristonianJones commented 3 months ago

For conditions, they should have either a rule or an output, so this should be an error.