
Rule: redundant-incremental-definition #1523

@anderseknert


Another issue I saw in a policy in the wild today is where one definition of an incremental rule is essentially dead code, due to a common condition that would be met by the least complex definition in both rules. Extremely simplified:

```rego
allow if "admin" in input.user.roles

allow if {
    "admin" in input.user.roles
    endswith(input.user.email, "@acmecorp.com") # this is pointless
}
```

The second rule definition is of course pointless in this case, as the first condition of both rules is the same, and there's no reason to evaluate the email address of the user if they're an admin.

There's probably a million things where this could be true but that we can't easily find using only static analysis. That's fine. Just covering the easy/obvious cases is still better than no coverage.
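A sketch of the "easy/obvious" case, added here as an example (not part of the issue and not Regal's implementation): each definition of a boolean rule is treated as a set of conditions, and a definition is flagged when its conditions are a proper superset of another definition's. The line-based parser and the names `parse_definitions` and `redundant_definitions` are assumptions for illustration; a real linter rule would work on the parsed AST.

```python
import re
from collections import defaultdict

# Constructed sample: the policy from the issue.
POLICY = '''
allow if "admin" in input.user.roles

allow if {
    "admin" in input.user.roles
    endswith(input.user.email, "@acmecorp.com") # this is pointless
}
'''

HEAD = re.compile(r"^([\w.]+)\s+if\s+(.+)$")

def parse_definitions(src):
    """Return [(rule_name, frozenset_of_conditions)] for `name if ...` rules.

    Assumptions: boolean rules only, one expression per line, and no '#'
    or braces inside string literals.
    """
    defs, name, body = [], None, []
    for raw in src.splitlines():
        # Drop trailing comments and normalise whitespace.
        line = " ".join(raw.split("#", 1)[0].split())
        if not line:
            continue
        if name is not None:  # inside a `{ ... }` body
            if line == "}":
                defs.append((name, frozenset(body)))
                name, body = None, []
            else:
                body.append(line)
            continue
        m = HEAD.match(line)
        if m and m.group(2) == "{":
            name = m.group(1)
        elif m:
            defs.append((m.group(1), frozenset([m.group(2)])))
    return defs

def redundant_definitions(defs):
    """Return [(rule_name, extra_conditions)] for subsumed definitions."""
    by_rule = defaultdict(list)
    for name, conds in defs:
        by_rule[name].append(conds)
    findings = []
    for name, bodies in by_rule.items():
        for wide in bodies:
            # A body is dead code if another body needs strictly fewer conditions.
            if any(narrow < wide for narrow in bodies):
                findings.append((name, sorted(wide - min(
                    (b for b in bodies if b < wide), key=len))))
    return findings
```

In an authorization policy, a finding here means the extra condition (the email domain check in the sample) never restricts access, whatever a reviewer might infer from reading it.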

Labels: category/bugs, rule (Issues related to new or existing linter rules)
