Description
Category
Cedar language or syntax features/changes
Describe the feature you'd like to request
The request is to add an `isEmpty()` operator that, when applied to `Set`s, returns a boolean describing whether the set is empty or not. This should be a valid operator usage even when validation is enabled. The following would be a sample usage:
```cedar
permit (
  principal,
  action == Action::"claimPrize",
  resource
) when { context.claimedUsers.isEmpty() };
```
Today, if validation is not enabled, we can check for set emptiness with `context.mySet == []`. However, according to the docs, `[]` is not considered a valid Set. So, this syntax as is will not work when validation is enabled.
There exists a workaround today (credit to Craig Disselkoen) for when validation is enabled.
The problem is that the validator needs to know the type of [], which needs to be the same as the type of context.claimedUsers, and Cedar doesn’t have type inference (yet). The workaround for that is to declare some additional context attribute like emptyUsers of the appropriate type (the same type as claimedUsers), and pass the empty-set as the value for that context attribute, and then in your policy you can write context.claimedUsers == context.emptyUsers.
It would be great if users did not need to add workaround attributes to their contexts to mimic this state -- hence, an `isEmpty()` operator.
Describe alternatives you've considered
There exists a workaround today in the event that validation is enabled, but it can be inconvenient to define a separate attribute per type of Set. The workaround is copied above.
Additional context
No response
Is this something that you'd be interested in working on?
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
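The workaround quoted above, written out as an added example (not code from the issue or from the Cedar project). It assumes `claimedUsers` is a `Set<User>`; the `User` and `Prize` entity types are hypothetical, and `emptyUsers` is the extra attribute the workaround requires.

```cedar
// ---- Schema (assumed for this example) ----
// emptyUsers is declared with exactly the same type as claimedUsers,
// so the validator can type-check the equality comparison below.
entity User;
entity Prize;

action claimPrize appliesTo {
  principal: [User],
  resource: [Prize],
  context: {
    claimedUsers: Set<User>,
    emptyUsers: Set<User>
  }
};

// ---- Policy ----
// Validates today: both sides of == have the declared type Set<User>,
// so no literal [] (which the validator cannot type) appears in the policy.
permit (
  principal,
  action == Action::"claimPrize",
  resource
) when { context.claimedUsers == context.emptyUsers };

// ---- Request context the application must send (constructed sample) ----
// { "claimedUsers": [], "emptyUsers": [] }
```

Because the policy compares against whatever the request supplies, the application has to set `emptyUsers` to `[]` itself on every request; any other value turns the condition into a set-equality check rather than an emptiness test.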