Typed input and data

[mbrg]

One of the biggest challanges we face maintaining hundreds of policies and running them with conftest is the unstructured nature of input and data. We end up spending a lot of time correcting typos or recreating the right inputs for each test.

Since we run conftest on a fixed set of inputs, with the same data (used as context) every time, it would be much easier if those were structured. That would completly eliminate simple mistakes and also guarantee that policies will actually apply to real data. Structured input and data would enable auto-complete and error-detection as we write policies, dramatically increaing our productivity with Rego.

Anybody else facing a similar issue? Are there any alternative solutions?

[anderseknert]

Have you checked out the type checking capabilities via JSON schemas added recently to OPA? It sounds a lot like what you are asking for :) I don't know whether conftest presently supports this though, but if not we should raise the issue there.

Also see the blog posts on the topic on the OPA blog:

• https://blog.openpolicyagent.org/type-checking-your-rego-policies-with-json-schema-in-opa-5f7ac4c8a958
• https://blog.openpolicyagent.org/enhanced-type-checking-for-opa-with-json-schema-annotations-826acb0f575

@jpreese @jalseth, thoughts?

[mbrg]

Thank you @anderseknert! This is great. I've added my +1 to the conftest issue: open-policy-agent/conftest#528.

It would also be helpful to have auto-complete based on those schemas for easier policy writing.

[anderseknert]

Indeed, that would be awesome!

[EldarSehayekZenity]

Hi @anderseknert and @mbrg , jumping in on the thread. I think @mbrg suggestion is great, and I think that even a "strict mode" would do the trick (like JavaScript has) where accessing undefined properties etc. will cause an error that can be used to differ between "rule didn't find issues and returned False/Undefined" and "rule had syntax error". Such a strict mode will require ways to check if properties exist to keep support for dynamically structure objects so they can be explored safely.

[anderseknert]

Have you tried out the JSON schema powered type checking capabilities @EldarSehayekZenity?
If I don't misunderstand you, that sounds pretty much like what you want :)

As far as I know, strict mode in Javascript does not affect behavior with regards to accessing undefined properties of an object?