It is important to ensure the policies you write are correct. Sentinel includes a built-in test framework that can be run locally and in CI environments to test that policies behave as expected.

A common pitfall with many simple ACL systems is that they provide no easy way to verify their correctness. You basically have to set the ACL and try the behaviors against a real system to verify it is working as expected. This requires a lot of setup and is unique to each system.

Sentinel's built-in test framework has zero dependencies. Contained within the Sentinel CLI, it can mock the data that real systems are exposing to the policy. It is designed to be CI-friendly and enables continuous testing of your policies. This is necessary for policy as code.

Detailed documentation on testing policies is available in the Sentinel Testing reference.

Writing Tests

For this example, save the following policy as policy.sentinel:

is_weekday = rule { day not in ["saturday", "sunday"] }
is_open_hours = rule { hour > 8 and hour < 17 }
main = rule { is_open_hours and is_weekday }

Next, let's write a passing test case. This will test that the policy passes when we expect it to pass. Save the following in test/policy/good.hcl:

global "day" {
  value = "monday"
}

global "hour" {
  value = 14
}

And run sentinel test:

$ sentinel test
PASS - policy.sentinel
  PASS - test/policy/good.json

The sentinel test command will automatically find all Sentinel policies and their associated test cases and run them all. The test framework will run all HCL files as individual test cases, allowing you to test a variety of scenarios for your policies.

Try adding another test case to force the policy to fail. This test case can be saved at test/policy/fail.hcl. For test cases with intentional failures, you'll need to use the test assertions described in the testing reference.
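
One possible test/policy/fail.hcl is shown below. It is an added example, not part of the original page: the values "saturday" and 14 are constructed, and the test block asserts the expected result of each rule in policy.sentinel so the case passes only when main is false for the intended reason.

```hcl
# Constructed input: a weekend day during open hours.
global "day" {
  value = "saturday"
}

global "hour" {
  value = 14
}

# Assert the expected value of each rule. Without this block the
# test framework expects main to be true and reports a failure.
test {
  rules = {
    main          = false
    is_open_hours = true
    is_weekday    = false
  }
}
```

Asserting is_open_hours and is_weekday alongside main catches the case where the policy denies the request, but because of the wrong rule.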

Now that you have a good grasp of what Sentinel is and how to use it, please feel free to look through the next steps you can take to further your Sentinel knowledge.