open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0
9.66k stars 1.34k forks source link

Improve type checking #7057

Open nikpivkin opened 1 month ago

nikpivkin commented 1 month ago

What is the underlying problem you're trying to solve?

Type checking can be improved with schemas, it's very cool. Right now Rego only does type checking when accessing an object and its child properties that are associated with a schema. But type checking stops working in other very common cases:

Describe the ideal solution

The type is stored in the value and are used for type checking anywhere

Additional Context

In the example below, only the first case works.

Example Rego file:

package test

import rego.v1

deny if {

    # case 1
    input.foo.baz

    # case 2
    # foo := input.foo
    # foo.baz

    # case 3
    # test(input.foo)

    # case 4
    # object.get(input.foo, "baz", input.foo)
}

test(foo) if foo.baz

schema.json

{
    "type": "object",
    "properties": {
        "foo": {
            "type": "object"
        }
    }
}

input.json

{
    "foo": {}
}

Run opa eval data -d test.rego -i input.json -s schema.json

stale[bot] commented 2 days ago

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.