Validator for Cedar policies
Modules§
- human_schema
- typecheck - Implements typechecking for Cedar policies. Typechecking is done using the `Typechecker` struct by calling the `typecheck_policy` method given a policy.
- types - Defines the type structure for typechecking and various utilities for constructing and manipulating types.
Structs§
- ActionEntityUID
- ActionType - An action type describes a specific action entity. It also describes what kinds of entities it can be used on.
- ApplySpec - The apply spec specifies what principals and resources an action can be used with. The specification is given as lists of entity types. The fields of this record are optional so that they can be omitted to declare that the apply spec for the principal or resource is undefined, meaning that the action can be applied to any principal or resource. This is different from providing an empty list, because the empty list is interpreted as specifying that there are no principals or resources that the action applies to.
- AttributesOrContext
- ContextSchema - Struct which carries enough information that it can impl Core's `ContextSchema`.
- CoreSchema - Struct which carries enough information that it can (efficiently) impl Core's `Schema`.
- EntityType - Entity types describe the relationships in the entity store, including what entities can be members of groups of what types, and what attributes can/should be included on entities of each type.
- EntityTypeDescription - Struct which carries enough information that it can impl Core's `EntityTypeDescription`.
- FunctionArgumentValidationError - Structure containing details about a function argument validation error.
- HierarchyNotRespected - Structure containing details about a hierarchy-not-respected error.
- IncompatibleTypes - Structure containing details about an incompatible type error.
- InvalidActionApplication - Structure containing details about an invalid action application error.
- MultiplyDefinedFunction - Structure containing details about a multiply defined function error.
- SchemaFragment - A `SchemaFragment` describes the types for a given instance of Cedar. `SchemaFragment`s are composed of entity types and action types. The schema fragment is split into multiple namespace definitions, each including a namespace name which is applied to all entity types (and the implicit `Action` entity type for all actions) in the schema.
- SourceLocation - Represents a location in Cedar policy source.
- TypeError - The structure for type errors. A type error knows the expression that triggered the type error, as well as additional information for specific kinds of type errors.
- TypeOfAttribute - Used to describe the type of a record or entity attribute. It contains the type of the attribute and whether the attribute is required. The type is flattened for serialization, so, in JSON format, this appears as a regular type with one extra property, `required`.
- UndefinedFunction - Structure containing details about an undefined function error.
- UnexpectedType - Structure containing details about an unexpected type error.
- UnrecognizedActionId - Structure containing details about an unrecognized action id error.
- UnrecognizedEntityType - Structure containing details about an unrecognized entity type error.
- UnsafeAttributeAccess - Structure containing details about a missing attribute error.
- UnsafeOptionalAttributeAccess - Structure containing details about an unsafe optional attribute access error.
- UnspecifiedEntityError - Structure containing details about an unspecified entity error.
- ValidationError - An error generated by the validator when it finds a potential problem in a policy. The error contains an enumeration that specifies the kind of problem, and provides details specific to that kind of problem. The error also records where the problem was encountered.
- ValidationResult - Contains the result of policy validation. The result includes the list of issues found by validation and whether validation succeeds or fails. Validation succeeds if there are no fatal errors. There may still be non-fatal warnings present when validation passes.
- ValidationWarning - The structure for validation warnings.
- Validator - Structure containing the context needed for policy validation. This is currently only the `EntityType`s and `ActionType`s from a single schema.
- ValidatorActionId - Contains information about actions used by the validator. The contents of the struct are the same as the schema action type structure, but the `member_of` relation is reversed to instead be `descendants`.
- ValidatorEntityType - Contains entity type information for use by the validator. The contents of the struct are the same as the schema entity type structure, but the `member_of` relation is reversed to instead be `descendants`.
- ValidatorNamespaceDef - A single namespace definition from the schema JSON, processed into a form which is closer to that used by the validator. The processing includes detection of some errors, for example parse errors in entity type names or entity types which are declared multiple times. This does not detect references to undeclared entity types, because any entity type may be declared in a different fragment that will only be known about when building the complete `ValidatorSchema`.
- ValidatorSchema
- ValidatorSchemaFragment
- WrongCallStyle - Structure containing details about a wrong call style error.
- WrongNumberArguments - Structure containing details about a wrong number of arguments error.
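The `ApplySpec` and `ValidatorEntityType` entries above describe two things the validator does with a schema that are easy to get wrong when reasoning about a policy: an omitted apply-spec field admits any entity type while an explicitly empty list admits none, and the schema's `member_of` relation is reversed (and closed transitively) into `descendants`. The following std-only Rust program is an added example that models both; it is not code from cedar-policy-validator, and the names `SchemaEntityType`, `reverse_member_of`, `applies_to` and `sample_schema` are assumptions chosen for illustration, as is the constructed User/Team/Org/Photo hierarchy.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Added example: a toy model of two validator-side notions, not the crate's
// own code. All type and function names here are illustrative assumptions.

/// Schema-side entity type: the `memberOfTypes` list as written in schema JSON.
#[derive(Debug, Default)]
pub struct SchemaEntityType {
    pub member_of_types: Vec<String>,
}

/// Schema-side apply spec. `None` models an omitted field (any entity type),
/// `Some(vec![])` models an explicitly empty list (no entity type at all).
#[derive(Debug, Default)]
pub struct ApplySpec {
    pub principal_types: Option<Vec<String>>,
    pub resource_types: Option<Vec<String>>,
}

/// Validator-side entity type: the `member_of` relation reversed and closed
/// transitively into `descendants`, so `Org.descendants` lists every type that
/// can end up `in` an `Org`, directly or via intermediate groups.
#[derive(Debug, Default, PartialEq)]
pub struct ValidatorEntityType {
    pub descendants: BTreeSet<String>,
}

pub fn reverse_member_of(
    schema: &BTreeMap<String, SchemaEntityType>,
) -> BTreeMap<String, ValidatorEntityType> {
    let mut out: BTreeMap<String, ValidatorEntityType> = schema
        .keys()
        .map(|name| (name.clone(), ValidatorEntityType::default()))
        .collect();
    // Step 1: flip each `child memberOf parent` edge into `parent -> child`.
    for (child, ty) in schema {
        for parent in &ty.member_of_types {
            out.entry(parent.clone())
                .or_default()
                .descendants
                .insert(child.clone());
        }
    }
    // Step 2: transitive closure by fixpoint; hierarchies are small, so
    // "repeat until nothing changes" is clear and sufficient.
    loop {
        let mut changed = false;
        let names: Vec<String> = out.keys().cloned().collect();
        for parent in &names {
            let direct: Vec<String> = out[parent].descendants.iter().cloned().collect();
            for child in direct {
                let grandchildren: Vec<String> = out
                    .get(&child)
                    .map(|t| t.descendants.iter().cloned().collect())
                    .unwrap_or_default();
                let entry = out.get_mut(parent).expect("key present");
                for g in grandchildren {
                    changed |= entry.descendants.insert(g);
                }
            }
        }
        if !changed {
            break;
        }
    }
    out
}

/// Does `spec` admit a policy applying the action to this principal type and
/// resource type? A `false` here is the situation the validator reports as an
/// invalid action application.
pub fn applies_to(spec: &ApplySpec, principal_type: &str, resource_type: &str) -> bool {
    fn admits(list: &Option<Vec<String>>, ty: &str) -> bool {
        match list {
            None => true,                                 // omitted: anything goes
            Some(types) => types.iter().any(|t| t == ty), // empty list admits nothing
        }
    }
    admits(&spec.principal_types, principal_type) && admits(&spec.resource_types, resource_type)
}

/// Constructed sample hierarchy: User memberOf Team, Team memberOf Org.
pub fn sample_schema() -> BTreeMap<String, SchemaEntityType> {
    let mut schema = BTreeMap::new();
    schema.insert("User".to_string(), SchemaEntityType { member_of_types: vec!["Team".to_string()] });
    schema.insert("Team".to_string(), SchemaEntityType { member_of_types: vec!["Org".to_string()] });
    schema.insert("Org".to_string(), SchemaEntityType::default());
    schema.insert("Photo".to_string(), SchemaEntityType::default());
    schema
}

fn main() {
    let validator_types = reverse_member_of(&sample_schema());
    for (name, ty) in &validator_types {
        println!("{name}: descendants = {:?}", ty.descendants);
    }
    let view = ApplySpec {
        principal_types: Some(vec!["User".to_string()]),
        resource_types: Some(vec!["Photo".to_string()]),
    };
    println!("view User->Photo: {}", applies_to(&view, "User", "Photo"));
    println!("view Team->Photo: {}", applies_to(&view, "Team", "Photo"));
}
```

The practical point for a policy author is the default: an action whose apply spec omits `principalTypes` can be attached to any principal, so a policy granting it to a broad group is not flagged, whereas an action with an empty list can never be validly applied and every policy using it is rejected.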
Enums§
- ActionBehavior
- ContextOrShape
- HumanSchemaError
- RequestValidationError
- SchemaError
- SchemaType - A restricted version of the `Type` enum containing only the types which are exposed to users.
- SchemaTypeVariant
- TypeErrorKind - Represents the different kinds of type errors and contains information specific to that type error kind.
- UnsupportedFeature
- ValidationErrorKind - Enumeration of the possible diagnostic errors that could be found by the verification steps.
- ValidationMode - Used to select how a policy will be validated.
- ValidationWarningKind - Represents the different kinds of validation warnings and information specific to that warning. Marked as `non_exhaustive` to allow adding additional warnings in the future as a non-breaking change.
Functions§
- confusable_string_checks - Perform identifier and string safety checks.
- context_schema_for_action - Since different `Action`s have different schemas for `Context`, you must specify the `Action` in order to get a `ContextSchema`.
- is_builtin_type_name