Investigate new "dot" operator with error-on-undefined behavior

[tsandall]

In Rego the "dot" operator selects fields in arrays, objects, and sets. If the field is missing, the variable assignments in the evaluation context do not produce a result, i.e., the expression/query is undefined. In some cases it would be nice to have a stricter version of the operator that throws an error if the selected field is missing.

I'm filing this issue so that we can start tracking discussion and design around a new kind of dot operator. Off the top of my head, there are a few things to consider:

• Are errors recoverable from within the policy. This has implications for multi-tenancy use cases.
• How does the operator interact with rule indexing? Similarly, what are the implications on expression ordering?

[pciazynski]

That would be a perfect match for writing deny rules for Kubernetes. Cause if for (whatever reason) some path is not existing, then the rule do nothing and simply allow things, which can be very insecure... We encountered that problem just recently.

[stale[bot]]

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.