cedar-py swallow errors if invalid schema is provided

[bdatdo0601]

Hi,

I am planning to integrate Cedar policy engine in our application via cedar-py binding library. I noticed when passing an invalid schema, cedar-py will ignore it and only validate the request against entities and policies. There were no indication from AuthzResult response neither.

Would it make sense to have the expected behavior to fail the the authorization if a non-empty invalid schema is provided? Happy to raise a PR from my end as well

Thanks!

[skuenzli]

Thanks for raising this issue.

I think it would be useful to signal the schema was invalid to the library user.

I could see modeling this as NoDecision in the AuthzResult and populating diagnostics with what is known, if anything about the schema failure.

If you want to create a PR for that change, I'd be happy to review it and help to iterate on it.

[skuenzli]

I haven't looked into this deeply. But I think we should understand the semantics of how the official JavaFFI implementation handles validating the schema and the request and entities.

This looks like an entrypoint to that handling:
https://github.com/cedar-policy/cedar/blob/a40dbad356bdd08c900bb9605f9a3ccc8cdd1129/cedar-policy/src/ffi/is_authorized.rs#L478

[skuenzli]

@bdatdo0601 - we just added validate_policies support in #34, released in v4.7.1. So you can at least validate policies prior to authorization if you like.