Detect missing lenient scopes configuration
Is there an existing issue for this?
- [X] I have searched the existing issues
Feature description
When compiling policies, if there is a nested scope but the lenient scopes flag isn't set in the server config or the test suite, show a message to the user suggesting this is why things are working as expected.
What would the ideal solution look like to you?
No response
Anything else?
No response
Hello @alexolivier :)
Hello, please include a check to see if the "lenient scopes" flag is absent when using nested scopes during policy compilation. Show the user a clear warning message if the flag is not set and advise them to enable it in the server configuration or test suite. This will guarantee correct handling of nested scopes in policies and avoid confusion.
I don't understand this one. As it says in the docs:

> This setting only affects how Cerbos treats missing leaf scopes when searching for policies.

How could we know at compile time if the user is going to query at run time for a leaf scope that doesn't exist?
The only thing we can check at compile time is if there are any broken scope chains. We already do that (and it's independent of whether lenient scopes are enabled).
Agreed for compile time - where this got run into is specifically around tests which don't have the flag enabled. We have the fixtures and so know the scopes.
Ok, that makes more sense. So maybe we can do something like "If a test fails, but would've passed had lenientScopeSearch been enabled, include a warning in the results"?
Maybe something even simpler. "Your policies contain scopes and the test suite is running with lenientScopesSearch ENABLED/DISABLED"
I would be reluctant to print a message if everything is fine, except maybe in verbose mode.
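
A simplified model of the check discussed in this thread, added here as an example and not Cerbos's own code: it finds test fixture scopes that have no policy of their own and would only resolve with lenient scope search, which are the cases where a warning is useful. The function names, the sample scopes and the leaf-to-root fallback order are assumptions made for this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// resolveScope is a hypothetical helper. Strict mode needs a policy at the
// exact requested scope; lenient mode walks up from the leaf ("a.b.c", "a.b",
// "a") to the root scope "" and returns the first scope that has a policy.
func resolveScope(defined map[string]bool, requested string, lenient bool) (string, bool) {
	scope := requested
	for {
		if defined[scope] {
			return scope, true
		}
		if !lenient || scope == "" {
			return "", false
		}
		if i := strings.LastIndex(scope, "."); i >= 0 {
			scope = scope[:i] // drop the last segment and retry
		} else {
			scope = "" // last step: the root scope
		}
	}
}

// lenientOnlyScopes returns the fixture scopes that fail a strict lookup but
// succeed with lenient search: the candidates for a test-run warning.
func lenientOnlyScopes(defined map[string]bool, fixtureScopes []string) []string {
	var out []string
	for _, s := range fixtureScopes {
		_, strictOK := resolveScope(defined, s, false)
		_, lenientOK := resolveScope(defined, s, true)
		if !strictOK && lenientOK {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	// Constructed sample data: scopes that have policies, and scopes used by test fixtures.
	defined := map[string]bool{"": true, "acme": true, "acme.hr": true}
	fixtures := []string{"acme.hr", "acme.hr.uk", "acme.sales"}
	for _, s := range lenientOnlyScopes(defined, fixtures) {
		fallback, _ := resolveScope(defined, s, true)
		fmt.Printf("warning: no policy for scope %q; lenientScopeSearch would fall back to %q\n", s, fallback)
	}
}
```

Because the list is empty when every fixture scope has its own policy, nothing is printed when everything is fine.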