Crate cedar_policy_core

Implementation of the Cedar parser and evaluation engine in Rust.

This package exposes low-level and advanced Cedar APIs, e.g., for interacting with policy ASTs directly.

WARNING: Anyone who simply wants to use Cedar from a Rust client (e.g., to make authorization decisions) should use cedar-policy instead.

§Feature flags

§Default features

The following features are enabled by default and provide the built-in Cedar extension functions:

  • ipaddr — IP address extension functions (ip, isIpv4, isIpv6, isLoopback, isMulticast, isInRange).
  • decimal — Decimal number extension functions (decimal, lessThan, lessThanOrEqual, greaterThan, greaterThanOrEqual).
  • datetime — Date and time extension functions (datetime, duration, offset, durationSince, toDate, toTime). Enables the chrono dependency.

§Optional features

  • arbitrary — Enables Arbitrary implementations for several types in this crate. Useful for fuzzing.
  • test-util — Exposes the test_utils module with helpers for testing.
  • wasm — Enables WebAssembly bindings via wasm-bindgen and tsify.

§Experimental features

WARNING: Experimental features are unstable and subject to breaking changes in any release, including patch releases. Use those features at your own risk.

  • experimental — Enables all experimental features listed below.
  • variadic-is-in-range — Variadic overload for the isInRange function.
  • tpe — Type-aware partial evaluation / batched authorization. Enables the batched_evaluator and tpe modules.
  • partial-eval — Partial evaluation of Cedar policies. Prefer tpe (above) instead.
  • partial-validate — Partial validation of Cedar policies.
  • (deprecated) entity-manifest — Entity manifest computation for entity slicing. This feature is deprecated; use tpe instead.

§Unstable tooling features

WARNING: Unstable tooling features are subject to breaking changes in any release, including patch releases. They should never be enabled by clients. They are intended for language servers and other tools that need internal functionality and that manipulate error-tolerant representations of the language in order to provide helpful error messages.

They must not be used in an authorization path. This includes, but is not limited to, parsing, serializing, and deserializing policies. Use them only for development, testing, or prototyping. In practice, keep these features out of any dependency that your authorization code links against (for example, enable them only in a dev-dependency or in a separate tooling crate), since a Cargo feature enabled anywhere in a build is enabled for every user of the crate in that build.

  • tolerant-ast — Error-tolerant parsing that produces a (possibly incomplete) AST even when the input contains syntax errors. This should only be used for providing helpful error handling in language servers.
  • extended-schema — Extended schema representation; like tolerant-ast, it is intended only for language servers.

Modules§

ast
This module contains the AST datatypes.
authorizer
This module contains the Cedar “authorizer”, which implements the actual authorization logic.
batched_evaluator (requires feature tpe)
This module contains the batched evaluator implementation and the (internal) definition of EntityLoader.
entities
This module contains the Entities type and related functionality.
est
This module contains the External Syntax Tree (EST).
evaluator
This module contains the Cedar evaluator.
expr_builder
Contains the trait ExprBuilder, defining a generic interface for building different expression data structures (e.g., AST and EST).
extensions
This module contains all of the standard Cedar extensions.
fuzzy_match
This module provides the fuzzy matching utility used to make suggestions when encountering unknown values in entities, functions, etc.
jsonvalue
This module provides general-purpose JSON utilities not specific to Cedar.
parser
This module contains the parser for the Cedar language.
pst
The PST is a syntax tree representation of Cedar policies designed for programmatic manipulation.
test_utils (requires feature test-util)
Shared test utilities.
tpe (requires feature tpe)
This module contains the type-aware partial evaluator.
transitive_closure
Module containing code to compute the transitive closure of a graph. This is a generic utility, and not specific to Cedar.
validator
Validator for Cedar policies.
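The transitive_closure module listed above is a generic graph utility, but it matters for authorization: a Cedar `in` check is an ancestor lookup, so an entity store whose parent relation is not transitively closed makes indirect memberships invisible, and a policy such as `forbid(...) when { principal in Group::"contractors" }` would then miss members of a sub-group. The block below is an added example written for this page, not code from cedar_policy_core; it models a hierarchy with plain std collections (the entity identifiers and the names `transitive_closure`, `is_transitively_closed`, `is_in` and `sample_hierarchy` are this example's own), computes the closure with a worklist, checks whether a store is already closed, and rejects cycles, which have no sensible meaning for `in`.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// A Cedar-style entity identifier such as `User::"alice"`. This is a plain
/// string for the example, not the crate's own `EntityUID` type.
type Uid = &'static str;

/// Parent relation as an entity store would declare it: entity -> direct parents.
/// After closure, the same map holds entity -> all ancestors.
type Hierarchy = BTreeMap<Uid, BTreeSet<Uid>>;

/// Compute the transitive closure of the parent relation for every entity.
/// A worklist per entity; `ancestors.insert` returning false stops re-visits,
/// so diamonds and duplicate edges are handled. An entity reachable from
/// itself is a cycle and is reported as an error.
fn transitive_closure(h: &Hierarchy) -> Result<Hierarchy, String> {
    let mut closed = Hierarchy::new();
    for (&entity, parents) in h {
        let mut ancestors: BTreeSet<Uid> = BTreeSet::new();
        let mut work: Vec<Uid> = parents.iter().copied().collect();
        while let Some(p) = work.pop() {
            if p == entity {
                return Err(format!("cycle: {entity} is its own ancestor"));
            }
            if ancestors.insert(p) {
                // Parents with no entry of their own (leaves) contribute nothing further.
                if let Some(grand) = h.get(p) {
                    work.extend(grand.iter().copied());
                }
            }
        }
        closed.insert(entity, ancestors);
    }
    Ok(closed)
}

/// Check that a hierarchy handed to us is already closed: every ancestor's own
/// ancestors must already be present. This is the check to run on a store that
/// claims to ship closed ancestor sets.
fn is_transitively_closed(h: &Hierarchy) -> bool {
    h.values().all(|ancestors| {
        ancestors.iter().all(|a| match h.get(*a) {
            Some(grand) => grand.is_subset(ancestors),
            None => true, // leaf parent with no declared ancestors of its own
        })
    })
}

/// `entity in group`: an entity is in itself or in any of its ancestors.
/// Only correct when `h` is transitively closed.
fn is_in(h: &Hierarchy, entity: Uid, group: Uid) -> bool {
    entity == group || h.get(entity).map_or(false, |a| a.contains(group))
}

/// Constructed sample: alice -> engineers -> staff -> everyone, bob -> staff.
fn sample_hierarchy() -> Hierarchy {
    let mut h = Hierarchy::new();
    h.insert(r#"User::"alice""#, BTreeSet::from([r#"Group::"engineers""#]));
    h.insert(r#"User::"bob""#, BTreeSet::from([r#"Group::"staff""#]));
    h.insert(r#"Group::"engineers""#, BTreeSet::from([r#"Group::"staff""#]));
    h.insert(r#"Group::"staff""#, BTreeSet::from([r#"Group::"everyone""#]));
    h
}

fn main() {
    let raw = sample_hierarchy();
    let alice = r#"User::"alice""#;
    let everyone = r#"Group::"everyone""#;
    println!("raw store closed? {}", is_transitively_closed(&raw));
    println!("alice in everyone (raw)? {}", is_in(&raw, alice, everyone));
    let closed = transitive_closure(&raw).expect("sample hierarchy is acyclic");
    println!("closed store closed? {}", is_transitively_closed(&closed));
    println!("alice in everyone (closed)? {}", is_in(&closed, alice, everyone));
}
```

Run against the raw store, `is_in` reports that alice is not in `Group::"everyone"`; after `transitive_closure` it reports that she is. That flip is exactly the difference between a forbid policy that fires and one that is silently skipped, which is why an authorization engine must either compute the closure itself or refuse a store that is not already closed.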

Macros§

assert_deep_eq
Assert equality of Entities using structural equality with the deep_eq method.
assert_not_deep_eq
Assert inequality of Entities using structural equality with the deep_eq method.
impl_diagnostic_from_method_on_field
Macro which implements the .labels() and .source_code() methods of miette::Diagnostic by using the parameter $i which must be a field of some type for which the method $m() returns Option<&Loc>. E.g., a field of type Expr or Box<Expr>, where $m is source_loc.
impl_diagnostic_from_method_on_nonempty_field
Macro which implements the .labels() and .source_code() methods of miette::Diagnostic by using the parameter $i which must be a field of type NonEmpty<T> where T has a method $m() which returns Option<&Loc>. E.g., a field of type NonEmpty<EntityUID>, where $m is loc. Only the first item in the NonEmpty will be underlined.
impl_diagnostic_from_source_loc_opt_field
Macro which implements the .labels() and .source_code() methods of miette::Diagnostic by using the parameter $i which must be the name of a field of type Option<Loc>
impl_diagnostic_from_two_source_loc_opt_fields
Macro which implements the .labels() and .source_code() methods of miette::Diagnostic by using the parameters $i and $j, which must be the names of fields of type Option<Loc>. If both locations are present, both are underlined; they are assumed to share the same src.

Traits§

FromNormalizedStr
Trait for parsing “normalized” strings only, returning an error if a non-normalized string is encountered. See the docs on the FromNormalizedStr::from_normalized_str trait function.

Functions§

default_from_normalized_str
Default implementation of from_normalized_str(), which may be overridden for particular types if there is a more optimized implementation available.