open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

Allow `not every` #6761

Open anderseknert opened 1 month ago

anderseknert commented 1 month ago

I know there are reasons why we currently don't, and that there are other ways to achieve the same outcome, but for someone not deeply familiar with Rego, it might not be obvious how to get there. Additionally, and certainly not to be dismissed, `not every` reads rather nicely compared to many of the alternatives.

```rego
report contains "missing important attribute" if {
    not every resource in list {
        resource.important_attribute
    }
}
```

As a "good enough" solution if we intend to keep the current behavior, we can improve the error message, and rather than saying:

```
unexpected every keyword: illegal negation of 'every'
```

we point the user to documentation where we explain why it can't be expressed that way, and what they should use instead.

A side note really, but a pretty nice side-effect of allowing this is how `every` provides a body of its own, and can be used even with "single-line" rules, which would allow the example above to be written as:

```rego
report contains "missing important attribute" if not every resource in list {
    resource.important_attribute
}
```

johanfylling commented 1 month ago

When read as natural-language English, `not every x in y` could be interpreted as `some x in y`, which excludes `no x in y`. Not an argument against this change, just something we might want to clarify in the docs.

srenatus commented 1 month ago

> When read as natural-language English, `not every x in y` could be interpreted as `some x in y`, which excludes `no x in y`.

What do you mean by "excludes no x in y"? 🤔

"Not every fruit in the basket is yellow" (`not every x in y { p(x) }`)
⬇️
"There is a fruit in the basket that is not yellow" (`some x in y; not p(x)`)

johanfylling commented 1 month ago

Although not logically correct, when you say that not every item in a group has a property, the listener might incorrectly infer the subtext that at least a non-zero amount does: "Not every fruit in the basket is yellow" == "Not every fruit in the basket is yellow, but some are". Just a quirk in how a listener/reader might fill in the blanks, even when there are none to fill. Might even be something not even worthwhile noting in the docs, as people are probably in a more precise state of mind when reading code.
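
The equivalence discussed in the comments above, written in Rego that is accepted today, with the empty-list and `false`-value edge cases as unit tests. This is an added example, not code from the issue or from the OPA project; the package, function and variable names and the sample data are assumptions made up for illustration.

```rego
package not_every_example

import rego.v1

# Existential form: at least one element fails the condition.
missing_some(resources) if {
	some resource in resources
	not resource.important_attribute
}

# Helper form: state the universal condition as its own rule, then negate it.
all_have_attribute(resources) if {
	every resource in resources {
		resource.important_attribute
	}
}

missing_helper(resources) if not all_have_attribute(resources)

# Constructed sample data (hypothetical, not from the issue).
complete := [{"name": "a", "important_attribute": "x"}]
incomplete := [{"name": "a", "important_attribute": "x"}, {"name": "b"}]
falsy := [{"name": "c", "important_attribute": false}]

test_one_resource_lacks_attribute if {
	missing_some(incomplete)
	missing_helper(incomplete)
}

test_all_resources_have_attribute if {
	not missing_some(complete)
	not missing_helper(complete)
}

# `every` over an empty collection is true, so neither form reports anything.
test_empty_list_reports_nothing if {
	not missing_some([])
	not missing_helper([])
}

# An attribute that is present but false fails the body, so it counts as missing.
test_false_value_counts_as_missing if {
	missing_some(falsy)
	missing_helper(falsy)
}
```

Saved to a `.rego` file, the tests run with `opa test`.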

anderseknert commented 1 month ago

"All animals are equal, but some animals are more equal than others"

:)

srenatus commented 1 month ago

two feet bad

stale[bot] commented 5 days ago

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.