Skip to content

Move ImpossiblePolicy from error to warning #716

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 20 commits into from
Mar 22, 2024
Merged

Move ImpossiblePolicy from error to warning #716

merged 20 commits into from
Mar 22, 2024

Conversation

@khieta
Copy link
Contributor

@khieta khieta commented Mar 11, 2024
edited
Loading

Description of changes

  • Deprecated TypeErrorKind::ImpossiblePolicy
  • Added ValidationWarningKind::ImpossiblePolicy ⬅️ this requires a minor version bump
  • Moved the definition of ValidationWarning to validation_results.rs
  • Updated unit tests ⬅️ this accounts for most of the diff

As discussed in #539, ImpossiblePolicy is different from our other errors because it does not signal a potential authorization-time error. Instead, it indicates a policy that will not apply for any valid request.

As we increase the precision of the Cedar typechecker, ImpossiblePolicy errors will occur in more cases (a breaking change), while other types of errors will occur in fewer cases (a non-breaking change). So to make potential changes easier going forward, we've decided to demote ImpossiblePolicy to a warning. We consider this a non-breaking change because all policies that previously validated will continue to validate.

Issue #, if available

#539

Checklist for requesting a review

The change in this PR is (choose one, and delete the other options):

  • A backwards-compatible change requiring a minor version bump to cedar-policy (e.g., addition of a new API).

I confirm that this PR (choose one, and delete the other options):

  • Updates the "Unreleased" section of the CHANGELOG with a description of my change (required for major/minor version bumps).

I confirm that cedar-spec (choose one, and delete the other options):

  • Requires updates, and I have made / will make these updates myself. (Please include in your description a timeline or link to the relevant PR in cedar-spec, and how you have tested that your updates are correct.)

Disclaimer

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@khieta khieta added the 3.2 Features for 3.2 label Mar 11, 2024
@khieta khieta force-pushed the khieta/impossible-policy branch from 5a45b0e to 0b22686 Compare March 11, 2024 21:57
khieta and others added 8 commits March 11, 2024 17:58
@khieta
first pass
6e817c7 
Signed-off-by: Kesha Hietala <[email protected]>
@khieta
Refactoring in integration testing code (#707)
b8eee31 
Signed-off-by: Kesha Hietala <[email protected]>
@cdisselkoen @khieta
bring 3.1.0 changelogs from release branch (#710)
a39c11a 
Signed-off-by: Craig Disselkoen <[email protected]>
@john-h-kastner-aws @khieta
Fix typechecking in for action in different namespaces (#704)
d3ac51d 
Signed-off-by: John Kastner <[email protected]>
Signed-off-by: Kesha Hietala <[email protected]>
@john-h-kastner-aws @khieta
Use human friendly type format for type error display (#708)
555b375 
Signed-off-by: John Kastner <[email protected]>
@iamsauravsharma @khieta
fix: unsoundness issue caught in recent nightly (#712)
426cebb 
Signed-off-by: Saurav Sharma <[email protected]>
Signed-off-by: Kesha Hietala <[email protected]>
@iamsauravsharma @khieta
refactor: remove unnecessary lifetimes from validation related structs (
145c3c6 
#715)

Signed-off-by: Saurav Sharma <[email protected]>
@khieta
fix test
b2e34e8 
Signed-off-by: Kesha Hietala <[email protected]>
@khieta khieta force-pushed the khieta/impossible-policy branch from 0b22686 to b2e34e8 Compare March 11, 2024 22:01
khieta added 2 commits March 11, 2024 18:03
@khieta
merge issues
7f8b164 
Signed-off-by: Kesha Hietala <[email protected]>
@khieta
merge issues pt2
7195954 
Signed-off-by: Kesha Hietala <[email protected]>
@khieta
Copy link
Contributor Author

khieta commented Mar 11, 2024

Note: the corpus test failure is expected since the tests were generated when we expected "impossible policy" to be an error (and thus the test says that the policy should not validate)

cdisselkoen
cdisselkoen approved these changes Mar 12, 2024
View reviewed changes
john-h-kastner-aws
john-h-kastner-aws approved these changes Mar 12, 2024
View reviewed changes
@khieta
review comments
bef1acd 
Signed-off-by: Kesha Hietala <[email protected]>
@khieta khieta mentioned this pull request Mar 13, 2024
Merged
3 tasks
@khieta
Copy link
Contributor Author

khieta commented Mar 15, 2024

Fyi: this PR will be on hold temporarily since I'll be OOTO until next Wednesday. I'm holding off on merging for now because I don't want to leave the corpus tests in a broken state.

@khieta
Copy link
Contributor Author

khieta commented Mar 22, 2024

I've pulled in the latest changes from main, so this PR is ready to merge (pending re-approval). Other PRs should expect the Run cargo test --verbose --features "integration-testing" -- --ignored step of CI to fail until I can manually update the corpus tests. I expect to do this either this weekend or early next week.

@khieta khieta merged commit c16e932 into main Mar 22, 2024
@khieta khieta deleted the khieta/impossible-policy branch March 22, 2024 14:12
@khieta khieta mentioned this pull request Mar 25, 2024
Merged
@shaobo-he-aws shaobo-he-aws mentioned this pull request Mar 26, 2024
Closed
2 tasks
shaobo-he-aws pushed a commit that referenced this pull request May 3, 2024
@khieta @shaobo-he-aws
Move ImpossiblePolicy from error to warning (#716)
805f13c 
Signed-off-by: Kesha Hietala <[email protected]>
@shaobo-he-aws shaobo-he-aws mentioned this pull request May 3, 2024
Closed
john-h-kastner-aws pushed a commit that referenced this pull request May 7, 2024
@khieta @john-h-kastner-aws
Move ImpossiblePolicy from error to warning (#716)
c77975a 
Signed-off-by: Kesha Hietala <[email protected]>
@john-h-kastner-aws john-h-kastner-aws mentioned this pull request May 7, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cdisselkoen cdisselkoen cdisselkoen approved these changes

@john-h-kastner-aws john-h-kastner-aws john-h-kastner-aws approved these changes

Assignees

No one assigned

Labels

3.2 Features for 3.2

Projects

No open projects
Cedar 3.2 Status
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@khieta @cdisselkoen @john-h-kastner-aws @iamsauravsharma