Rule: if-object-literal (#835)

This replaces `if-empty-object`, and covers any object literal.

Fixes #822

Signed-off-by: Anders Eknert <anders@styra.com>

README.md

@@ -187,6 +187,7 @@ The following rules are currently available:
 | bugs        | [deprecated-builtin](https://docs.styra.com/regal/rules/bugs/deprecated-builtin)                      | Avoid using deprecated built-in functions                 |
 | bugs        | [duplicate-rule](https://docs.styra.com/regal/rules/bugs/duplicate-rule)                              | Duplicate rule                                            |
 | bugs        | [if-empty-object](https://docs.styra.com/regal/rules/bugs/if-empty-object)                            | Empty object following `if`                               |
+| bugs        | [if-object-literal](https://docs.styra.com/regal/rules/bugs/if-object-literal)                        | Object literal following `if`                             |
 | bugs        | [impossible-not](https://docs.styra.com/regal/rules/bugs/impossible-not)                              | Impossible `not` condition                                |
 | bugs        | [inconsistent-args](https://docs.styra.com/regal/rules/bugs/inconsistent-args)                        | Inconsistently named function arguments                   |
 | bugs        | [internal-entrypoint](https://docs.styra.com/regal/rules/bugs/internal-entrypoint)                    | Entrypoint can't be marked internal                       |

bundle/regal/config/provided/data.yaml

@@ -10,6 +10,9 @@ rules:
     duplicate-rule:
       level: error
     if-empty-object:
+      # deprecated with the introduction of if-object-literal
+      level: ignore
+    if-object-literal:
       level: error
     impossible-not:
       level: error

bundle/regal/rules/bugs/if_empty_object.rego

@@ -2,6 +2,10 @@
 # description: Empty object following `if`
 package regal.rules.bugs["if-empty-object"]
 
+# NOTE: this rule has been deprecated and is no longer enabled by default
+# Use the `if-object-literal` rule instead, which checks for any object,
+# non-empty or not
+
 import rego.v1
 
 import data.regal.capabilities

bundle/regal/rules/bugs/if_object_literal.rego

@@ -0,0 +1,24 @@
+# METADATA
+# description: Object literal following `if`
+package regal.rules.bugs["if-object-literal"]
+
+import rego.v1
+
+import data.regal.capabilities
+import data.regal.result
+
+# METADATA
+# description: Missing capability for keyword `if`
+# custom:
+#   severity: warning
+notices contains result.notice(rego.metadata.chain()) if not capabilities.has_if
+
+report contains violation if {
+	some rule in input.rules
+
+	count(rule.body) == 1
+
+	rule.body[0].terms.type == "object"
+
+	violation := result.fail(rego.metadata.chain(), result.location(rule))
+}

bundle/regal/rules/bugs/if_object_literal_test.rego

@@ -0,0 +1,46 @@
+package regal.rules.bugs["if-object-literal_test"]
+
+import rego.v1
+
+import data.regal.ast
+import data.regal.config
+
+import data.regal.rules.bugs["if-object-literal"] as rule
+
+test_fail_if_empty_object if {
+	module := ast.with_rego_v1("rule if {}")
+	r := rule.report with input as module
+	r == {{
+		"category": "bugs",
+		"description": "Object literal following `if`",
+		"level": "error",
+		"location": {"col": 1, "file": "policy.rego", "row": 5, "text": "rule if {}"},
+		"related_resources": [{
+			"description": "documentation",
+			"ref": config.docs.resolve_url("$baseUrl/$category/if-object-literal", "bugs"),
+		}],
+		"title": "if-object-literal",
+	}}
+}
+
+test_fail_non_empty_object if {
+	module := ast.with_rego_v1(`rule if {"x": input.x}`)
+	r := rule.report with input as module
+	r == {{
+		"category": "bugs",
+		"description": "Object literal following `if`",
+		"level": "error",
+		"location": {"col": 1, "file": "policy.rego", "row": 5, "text": `rule if {"x": input.x}`},
+		"related_resources": [{
+			"description": "documentation",
+			"ref": config.docs.resolve_url("$baseUrl/$category/if-object-literal", "bugs"),
+		}],
+		"title": "if-object-literal",
+	}}
+}
+
+test_success_not_an_object if {
+	module := ast.with_rego_v1(`rule if { true }`)
+	r := rule.report with input as module
+	r == set()
+}

docs/rules/bugs/if-empty-object.md

@@ -1,5 +1,9 @@
 # if-empty-object
 
+**This rule has been deprecated and replaced by the
+[if-object-literal](https://docs.styra.com/regal/rules/bugs/if-object-literal) rule. Documentation kept here only for
+the sake of posterity.**
+
 **Summary**: Empty object following `if`
 
 **Category**: Bugs

docs/rules/bugs/if-object-literal.md

@@ -0,0 +1,45 @@
+# if-object-literal
+
+**Summary**: Object literal following `if`
+
+**Category**: Bugs
+
+**Avoid**
+```rego
+package policy
+
+import rego.v1
+
+# {} interpreted as object, not a rule body
+allow if {}
+
+allow if {
+    # perhaps meant to be comparison?
+    # but this too is an object
+    input.x: 10
+}
+```
+
+## Rationale
+
+An object literal immediately following an `if` is almost certainly a mistake, and the intention was likely to express
+a rule body in its place. This isn't too common, but can happen when either an empty object `{}` is all that follows the
+`if`, or an expression in the "body" mistakenly is written as a `key: value` pair.
+
+## Configuration Options
+
+This linter rule provides the following configuration options:
+
+```yaml
+rules:
+  bugs:
+    if-object-literal:
+      # one of "error", "warning", "ignore"
+      level: error
+```
+
+## Community
+
+If you think you've found a problem with this rule or its documentation, would like to suggest improvements, new rules,
+or just talk about Regal in general, please join us in the `#regal` channel in the Styra Community
+[Slack](https://communityinviter.com/apps/styracommunity/signup)!