Request for isEmpty() Set operator #1356

Closed
1 of 2 tasks
jxiao opened this issue Dec 5, 2024 · 0 comments · Fixed by #1358
Labels
feature-request This issue requests a substantial new feature pending-review A Cedar maintainer has looked at this, but believes it needs review by more of the core team

jxiao commented Dec 5, 2024

Category

Cedar language or syntax features/changes

Describe the feature you'd like to request

The request is to add an isEmpty() operator that when applied to Sets, returns a boolean describing whether the set is empty or not. This should be a valid operator usage even when validation is enabled. The following would be a sample usage:

permit (
  principal,
  action == Action::"claimPrize",
  resource
) when { context.claimedUsers.isEmpty() };

Today, if validation is not enabled, we can check for set emptiness with context.mySet == []. However, according to the docs, [] is not considered a valid Set. So, this syntax as is will not work when validation is enabled.

There exists a workaround today (credit to Craig Disselkoen) for when validation is enabled.

The problem is that the validator needs to know the type of [], which needs to be the same as the type of context.claimedUsers, and Cedar doesn’t have type inference (yet). The workaround for that is to declare some additional context attribute like emptyUsers of the appropriate type (the same type as claimedUsers), and pass the empty-set as the value for that context attribute, and then in your policy you can write context.claimedUsers == context.emptyUsers.

It would be great if users did not need to add workaround attributes to their contexts to mimic this state -- hence, an isEmpty() operator.

Describe alternatives you've considered

There exists a workaround today in the event that validation is enabled, but it can be inconvenient to define a separate attribute per type of Set. The workaround is copied above.

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change
@jxiao jxiao added feature-request This issue requests a substantial new feature pending-triage The cedar maintainers haven't looked at this yet. Automatically added to all new issues. labels Dec 5, 2024
@shaobo-he-aws shaobo-he-aws added pending-review A Cedar maintainer has looked at this, but believes it needs review by more of the core team and removed pending-triage The cedar maintainers haven't looked at this yet. Automatically added to all new issues. labels Dec 5, 2024
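The workaround described in the issue, written out as an added example (not part of the original issue or the Cedar project's own code): a schema that declares the sentinel attribute, the policy that compares against it, and the context the application passes. The entity types `User` and `Prize` are assumptions; `claimPrize`, `claimedUsers` and `emptyUsers` come from the issue text.

```cedar
// ---- schema file (Cedar schema syntax) ----
// User and Prize are assumed entity types, chosen for illustration.
entity User;
entity Prize;

action claimPrize appliesTo {
  principal: [User],
  resource: [Prize],
  context: {
    claimedUsers: Set<User>,
    // Sentinel attribute: same type as claimedUsers, passed as an empty set.
    emptyUsers: Set<User>
  }
};

// ---- policy file ----
// Compares against the typed sentinel instead of the untyped literal [],
// so the validator knows the element type on both sides of ==.
permit (
  principal,
  action == Action::"claimPrize",
  resource
) when { context.claimedUsers == context.emptyUsers };

// ---- request context (JSON) for a prize nobody has claimed yet ----
// { "claimedUsers": [], "emptyUsers": [] }
```

Because `emptyUsers` is supplied by the caller on every request, the policy is only correct if the application always sets it to an empty set; a separate sentinel is needed for each element type of Set that a policy tests for emptiness.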