Rule: single-item-in (#1546)

Fixes #1516

Signed-off-by: Anders Eknert <anders@styra.com>

Author: anderseknert

README.md

@@ -245,6 +245,7 @@ The following rules are currently available:
 | idiomatic   | [no-defined-entrypoint](https://docs.styra.com/regal/rules/idiomatic/no-defined-entrypoint)             | Missing entrypoint annotation                             |
 | idiomatic   | [non-raw-regex-pattern](https://docs.styra.com/regal/rules/idiomatic/non-raw-regex-pattern)             | Use raw strings for regex patterns                        |
 | idiomatic   | [prefer-set-or-object-rule](https://docs.styra.com/regal/rules/idiomatic/prefer-set-or-object-rule)     | Prefer set or object rule over comprehension              |
+| idiomatic   | [single-item-in](https://docs.styra.com/regal/rules/idiomatic/single-item-in)                           | Avoid `in` for single item collection                     |
 | idiomatic   | [use-contains](https://docs.styra.com/regal/rules/idiomatic/use-contains)                               | Use the `contains` keyword                                |
 | idiomatic   | [use-if](https://docs.styra.com/regal/rules/idiomatic/use-if)                                           | Use the `if` keyword                                      |
 | idiomatic   | [use-in-operator](https://docs.styra.com/regal/rules/idiomatic/use-in-operator)                         | Use in to check for membership                            |

bundle/regal/config/provided/data.yaml

@@ -93,6 +93,8 @@ rules:
       level: error
     prefer-set-or-object-rule:
       level: error
+    single-item-in:
+      level: error
     use-contains:
       level: error
     use-if:

bundle/regal/rules/idiomatic/single-item-in/single_item_in.rego

@@ -0,0 +1,18 @@
+# METADATA
+# description: Avoid `in` for single item collection
+package regal.rules.idiomatic["single-item-in"]
+
+import data.regal.ast
+import data.regal.result
+
+report contains violation if {
+	call := ast.found.calls[_][_]
+
+	call[0].value[0].value == "internal"
+	call[0].value[1].value == "member_2"
+
+	call[2].type in {"array", "set", "object"}
+	count(call[2].value) == 1
+
+	violation := result.fail(rego.metadata.chain(), result.location(call))
+}

bundle/regal/rules/idiomatic/single-item-in/single_item_in_test.rego

@@ -0,0 +1,93 @@
+package regal.rules.idiomatic["single-item-in_test"]
+
+import data.regal.ast
+import data.regal.config
+
+import data.regal.rules.idiomatic["single-item-in"] as rule
+
+test_fail_single_item_in_array if {
+	r := rule.report with input as ast.policy("fail if 1 in [1]")
+
+	r == {{
+		"category": "idiomatic",
+		"description": "Avoid `in` for single item collection",
+		"level": "error",
+		"location": {
+			"col": 11,
+			"end": {
+				"col": 13,
+				"row": 3,
+			},
+			"file": "policy.rego",
+			"row": 3,
+			"text": "fail if 1 in [1]",
+		},
+		"related_resources": [{
+			"description": "documentation",
+			"ref": config.docs.resolve_url("$baseUrl/$category/single-item-in", "idiomatic"),
+		}],
+		"title": "single-item-in",
+	}}
+}
+
+test_fail_single_item_in_set if {
+	r := rule.report with input as ast.policy("fail if 1 in {1}")
+
+	r == {{
+		"category": "idiomatic",
+		"description": "Avoid `in` for single item collection",
+		"level": "error",
+		"location": {
+			"col": 11,
+			"end": {
+				"col": 13,
+				"row": 3,
+			},
+			"file": "policy.rego",
+			"row": 3,
+			"text": "fail if 1 in {1}",
+		},
+		"related_resources": [{
+			"description": "documentation",
+			"ref": config.docs.resolve_url("$baseUrl/$category/single-item-in", "idiomatic"),
+		}],
+		"title": "single-item-in",
+	}}
+}
+
+test_fail_single_item_in_object if {
+	r := rule.report with input as ast.policy(`fail if 1 in {"x": 1}`)
+
+	r == {{
+		"category": "idiomatic",
+		"description": "Avoid `in` for single item collection",
+		"level": "error",
+		"location": {
+			"col": 11,
+			"end": {
+				"col": 13,
+				"row": 3,
+			},
+			"file": "policy.rego",
+			"row": 3,
+			"text": `fail if 1 in {"x": 1}`,
+		},
+		"related_resources": [{
+			"description": "documentation",
+			"ref": config.docs.resolve_url("$baseUrl/$category/single-item-in", "idiomatic"),
+		}],
+		"title": "single-item-in",
+	}}
+}
+
+test_success_in_used_on_var if {
+	r := rule.report with input as ast.policy(`success if 1 in var`)
+
+	r == set()
+}
+
+test_success_some_in_used_on_var if {
+	r := rule.report with input as ast.policy(`success if [y | some y in x]`)
+
+	r == set()
+}

docs/rules/idiomatic/single-item-in.md

@@ -0,0 +1,48 @@
+# single-item-in
+
+**Summary**: Avoid `in` for single item collection
+
+**Category**: Idiomatic
+
+**Avoid**
+```rego
+package policy
+
+allow if input.role in {"admin"}
+```
+
+**Prefer**
+```rego
+package policy
+
+allow if input.role == "admin"
+```
+
+## Rationale
+
+Using `in` on a single-item collection (array, set or object) is a convoluted way of checking for equality. Better
+then to check for equality directly! Besides being more obvious, equality checks are also subject to rule indexing,
+whereas `in` checks currently aren't.
+
+## Configuration Options
+
+This linter rule provides the following configuration options:
+
+```yaml
+rules:
+  idiomatic:
+    single-item-in:
+      # one of "error", "warning", "ignore"
+      level: error
+```
+
+## Related Resources
+
+- OPA Docs: [Use indexed statements](https://www.openpolicyagent.org/docs/latest/policy-performance/#use-indexed-statements)
+- GitHub: [Source Code](https://github.com/StyraInc/regal/blob/main/bundle/regal/rules/idiomatic/single-item-in/single_item_in.rego)
+
+## Community
+
+If you think you've found a problem with this rule or its documentation, would like to suggest improvements, new rules,
+or just talk about Regal in general, please join us in the `#regal` channel in the Styra Community
+[Slack](https://inviter.co/styra)!