CLI run-tests should accept schema and validate policies+entities+requests #2015

@john-h-kastner-aws

Category

CLI features/changes

Describe the feature you'd like to request

The run-tests command at the CLI lets you assert that some request gives the expected authorization decision, but it's easy to write incorrect tests with invalid entity data or request variables.

E.g., this test case might be invalid if read only applies to Document, not Dir, but the test might still pass, depending on the applicable policies.

[
  {
    "name": "alice_can_read",
    "request": {
      "principal": "User::\"alice\"",
      "action": "Action::\"read\"",
      "resource": "Dir::\"dir1\"",
      "context": {}
    },
    "entities": [],
    "decision": "allow",
    "reason": [],
    "num_errors": 0
  }
]

The run-tests command should accept a --schema argument and use it to validate the requests and entities for each test case before running the test. Invalid requests should be treated as test failures. The --schema argument should behave the same as --schema for cedar authorize.

Describe alternatives you've considered

.

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change
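
The check requested above, sketched as an added example (not code from the Cedar CLI or validator): a request is rejected when its action is undeclared or its principal or resource type falls outside the action's appliesTo. `AppliesTo`, `parse_uid`, `validate_request` and `sample_schema` are hypothetical names, and the schema is constructed to match the issue's "read only applies to Document" scenario.

```rust
use std::collections::HashMap;

/// Simplified stand-in for a schema's per-action `appliesTo` (hypothetical type).
pub struct AppliesTo {
    pub principals: Vec<&'static str>,
    pub resources: Vec<&'static str>,
}

/// Split an entity UID such as `Dir::"dir1"` into (type, id).
/// Simplification: escaped quotes inside the id are not handled.
pub fn parse_uid(uid: &str) -> Result<(&str, &str), String> {
    uid.split_once("::\"")
        .and_then(|(ty, rest)| rest.strip_suffix('"').map(|id| (ty, id)))
        .filter(|(ty, _)| !ty.is_empty())
        .ok_or_else(|| format!("malformed entity UID `{uid}`"))
}

/// Reject a test request whose action is undeclared or whose principal or
/// resource type is outside that action's `appliesTo`.
pub fn validate_request(
    schema: &HashMap<&str, AppliesTo>, principal: &str, action: &str, resource: &str,
) -> Result<(), String> {
    let (aty, aid) = parse_uid(action)?;
    let applies = schema
        .get(aid)
        .filter(|_| aty == "Action")
        .ok_or_else(|| format!("action `{action}` is not declared in the schema"))?;
    let (pty, _) = parse_uid(principal)?;
    if !applies.principals.contains(&pty) {
        return Err(format!("principal type `{pty}` is not valid for `{action}`"));
    }
    let (rty, _) = parse_uid(resource)?;
    if !applies.resources.contains(&rty) {
        return Err(format!("resource type `{rty}` is not valid for `{action}`"));
    }
    Ok(())
}

/// Constructed schema for the example: `read` applies to User on Document only.
pub fn sample_schema() -> HashMap<&'static str, AppliesTo> {
    HashMap::from([("read", AppliesTo { principals: vec!["User"], resources: vec!["Document"] })])
}

fn main() {
    // The request from the test case above; validation fails before any policy runs.
    let r = validate_request(&sample_schema(), "User::\"alice\"", "Action::\"read\"", "Dir::\"dir1\"");
    println!("{r:?}");
}
```

A test runner following the proposal would report the `Err` as a test failure instead of evaluating policies against the invalid request.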


Labels

  • feature-request: This issue requests a substantial new feature
  • good-first-issue: Good for newcomers. A smaller issue that someone new to the Cedar codebase should be able to tackle
