OPA test - fails to identify the keyword present in policy name and still passes all the tests without failing about opa HOT 6 CLOSED

Thank your helping. I think we got the issue. This is not a bug, a miss from our end. The rules added were only test rules not of any significance.

from opa.

Please provide an example policy.

from opa.

I have updated the description. The policy name has promoPackage but if you write any tests it will still pass. But the bundles do now allow such path at all, So should we not include this in test results as well ?

from opa.

I'm confused is that your exact policy? Because that package name works fine -- I just tried in the playground.

How do you experience

the bundles do now allow such path at all

exactly?

from opa.

BTW I think it's instructive to run your policy on the playground: see here.

In the lower right, you'll notice some Regal findings, and one of them stands out to me: "impossible not".

bugs/impossible-not: Impossible not condition (Learn more)

That line,

deny[output] {
    not permit # <------
    output := "deny "
}

cannot fail because it's a multi-value rule (or "partial set rule"). Even if its body never succeeds, the result with be an empty set, and not ... of that is false.

As a remedy, you could write count(permit) == 0 or permit == set(). See here for more details.

from opa.

Adding to what @srenatus said, there are more impossible conditions, or expressions that are essentially constant in your policy:

authorize = deny[output] {
    deny
}

authorize = permit[output] {
    permit
}

As both deny and permit are multi-value rules, they will always evaluate to something (minimum, an empty set), so they'll always evaluate "truthy".

Perhaps if you describe what you're trying to accomplish, we can try and help write a policy for that purpose 🙂

from opa.