Category
Cedar validation features
Describe the feature you'd like to request
The validator currently uses the ValidationError type to describe both issues that can lead to authorization-time type errors (e.g., 1 < "foo") and issues that will not lead to type errors but are likely not what the user intended (e.g., a policy evaluates to false under all environments allowed by the schema). It may be useful to distinguish between these two classes of issues using two types: ValidationError and ValidationWarning. Then the ValidationResult type could be updated to be something like the following:
pub struct ValidationResult<'a> {
validation_errors: Vec<ValidationError<'a>>,
validation_warnings: Vec<ValidationWarning<'a>>,
}
Note that Cedar does currently defines a ValidationWarning type, but this type is only used by the standalone confusable_string_checker function, which checks a policy for potentially confusing/obfuscating text. Adding support for returning ValidationWarnings from the validator would make it more natural to integrate this check into validation.
Describe alternatives you've considered
We could leave the current interface as-is, but supporting warnings gives us more flexibility in reporting suspected problems in the policy. It could also be useful in conjunction with RFC#8: Partial schema validation to give suggestions about how to improve the schema.
Additional context
No response
Is this something that you'd be interested in working on?
Category
Cedar validation features
Describe the feature you'd like to request
The validator currently uses the
ValidationErrortype to describe both issues that can lead to authorization-time type errors (e.g.,1 < "foo") and issues that will not lead to type errors but are likely not what the user intended (e.g., a policy evaluates to false under all environments allowed by the schema). It may be useful to distinguish between these two classes of issues using two types:ValidationErrorandValidationWarning. Then theValidationResulttype could be updated to be something like the following:Note that Cedar does currently defines a
ValidationWarningtype, but this type is only used by the standaloneconfusable_string_checkerfunction, which checks a policy for potentially confusing/obfuscating text. Adding support for returningValidationWarnings from the validator would make it more natural to integrate this check into validation.Describe alternatives you've considered
We could leave the current interface as-is, but supporting warnings gives us more flexibility in reporting suspected problems in the policy. It could also be useful in conjunction with RFC#8: Partial schema validation to give suggestions about how to improve the schema.
Additional context
No response
Is this something that you'd be interested in working on?