Skip to main content

cedar_policy/
api.rs

1/*
2 * Copyright Cedar Contributors
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      https://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17//! This module contains the public library api
18#![allow(
19    clippy::missing_panics_doc,
20    clippy::missing_errors_doc,
21    clippy::similar_names,
22    clippy::result_large_err, // see #878
23    reason = "this module doesn't currently comply with these lints"
24)]
25
26mod id;
27use cedar_policy_core::pst::error_body;
28#[cfg(feature = "entity-manifest")]
29use cedar_policy_core::validator::entity_manifest;
30// TODO (#1157) implement wrappers for these structs before they become public
31#[cfg(feature = "entity-manifest")]
32pub use cedar_policy_core::validator::entity_manifest::{
33    AccessTrie, EntityManifest, EntityRoot, Fields, RootAccessTrie,
34};
35use cedar_policy_core::validator::json_schema;
36use cedar_policy_core::validator::typecheck::{PolicyCheck, Typechecker};
37pub use id::*;
38
39#[cfg(feature = "deprecated-schema-compat")]
40mod deprecated_schema_compat;
41
42mod err;
43pub use err::*;
44
45#[cfg(feature = "tpe")]
46mod tpe;
47#[cfg(feature = "tpe")]
48pub use tpe::*;
49
50pub use ast::Effect;
51pub use authorizer::Decision;
52#[cfg(feature = "partial-eval")]
53use cedar_policy_core::ast::BorrowedRestrictedExpr;
54use cedar_policy_core::ast::{self, RequestSchema, RestrictedExpr};
55use cedar_policy_core::authorizer::{self};
56use cedar_policy_core::entities::{ContextSchema, Dereference};
57use cedar_policy_core::est::{self, TemplateLink};
58use cedar_policy_core::evaluator::Evaluator;
59#[cfg(feature = "partial-eval")]
60use cedar_policy_core::evaluator::RestrictedEvaluator;
61use cedar_policy_core::extensions::Extensions;
62use cedar_policy_core::parser;
63pub use cedar_policy_core::pst;
64use cedar_policy_core::FromNormalizedStr;
65use itertools::{Either, Itertools};
66use linked_hash_map::LinkedHashMap;
67use miette::Diagnostic;
68use ref_cast::RefCast;
69use serde::{Deserialize, Serialize};
70use smol_str::SmolStr;
71use std::collections::{BTreeMap, BTreeSet, HashMap, HashSet};
72use std::io::Read;
73use std::str::FromStr;
74use std::sync::Arc;
75
76#[expect(
77    clippy::unwrap_used,
78    reason = "`CARGO_PKG_VERSION` should return a valid SemVer version string"
79)]
80pub(crate) mod version {
81    use semver::Version;
82    use std::sync::LazyLock;
83
84    // Cedar Rust SDK Semantic Versioning version
85    static SDK_VERSION: LazyLock<Version> =
86        LazyLock::new(|| env!("CARGO_PKG_VERSION").parse().unwrap());
87    // Cedar language version
88    // The patch version field may be unnecessary
89    static LANG_VERSION: LazyLock<Version> = LazyLock::new(|| Version::new(4, 5, 0));
90
91    /// Get the Cedar SDK Semantic Versioning version
92    pub fn get_sdk_version() -> Version {
93        SDK_VERSION.clone()
94    }
95    /// Get the Cedar language version
96    pub fn get_lang_version() -> Version {
97        LANG_VERSION.clone()
98    }
99}
100
101/// Entity datatype
102#[repr(transparent)]
103#[derive(Debug, Clone, PartialEq, Eq, RefCast, Hash)]
104pub struct Entity(pub(crate) ast::Entity);
105
106#[doc(hidden)] // because this converts to a private/internal type
107impl AsRef<ast::Entity> for Entity {
108    fn as_ref(&self) -> &ast::Entity {
109        &self.0
110    }
111}
112
113#[doc(hidden)]
114impl From<ast::Entity> for Entity {
115    fn from(entity: ast::Entity) -> Self {
116        Self(entity)
117    }
118}
119
120impl Entity {
121    /// Create a new `Entity` with this Uid, attributes, and parents (and no tags).
122    ///
123    /// Attribute values are specified here as "restricted expressions".
124    /// See docs on `RestrictedExpression`
125    /// ```
126    /// # use cedar_policy::{Entity, EntityId, EntityTypeName, EntityUid, RestrictedExpression};
127    /// # use std::collections::{HashMap, HashSet};
128    /// # use std::str::FromStr;
129    /// let eid = EntityId::from_str("alice").unwrap();
130    /// let type_name = EntityTypeName::from_str("User").unwrap();
131    /// let euid = EntityUid::from_type_name_and_id(type_name, eid);
132    /// let attrs = HashMap::from([
133    ///     ("age".to_string(), RestrictedExpression::from_str("21").unwrap()),
134    ///     ("department".to_string(), RestrictedExpression::from_str("\"CS\"").unwrap()),
135    /// ]);
136    /// let parent_eid = EntityId::from_str("admin").unwrap();
137    /// let parent_type_name = EntityTypeName::from_str("Group").unwrap();
138    /// let parent_euid = EntityUid::from_type_name_and_id(parent_type_name, parent_eid);
139    /// let parents = HashSet::from([parent_euid]);
140    /// let entity = Entity::new(euid, attrs, parents);
141    ///```
142    pub fn new(
143        uid: EntityUid,
144        attrs: HashMap<String, RestrictedExpression>,
145        parents: HashSet<EntityUid>,
146    ) -> Result<Self, EntityAttrEvaluationError> {
147        Self::new_with_tags(uid, attrs, parents, [])
148    }
149
150    /// Create a new `Entity` with no attributes or tags.
151    ///
152    /// Unlike [`Entity::new()`], this constructor cannot error.
153    /// (The only source of errors in `Entity::new()` are attributes.)
154    pub fn new_no_attrs(uid: EntityUid, parents: HashSet<EntityUid>) -> Self {
155        // note that we take a "parents" parameter here; we will compute TC when
156        // the `Entities` object is created
157        Self(ast::Entity::new_with_attr_partial_value(
158            uid.into(),
159            [],
160            HashSet::new(),
161            parents.into_iter().map(EntityUid::into).collect(),
162            [],
163        ))
164    }
165
166    /// Create a new `Entity` with this Uid, attributes, parents, and tags.
167    ///
168    /// Attribute and tag values are specified here as "restricted expressions".
169    /// See docs on [`RestrictedExpression`].
170    pub fn new_with_tags(
171        uid: EntityUid,
172        attrs: impl IntoIterator<Item = (String, RestrictedExpression)>,
173        parents: impl IntoIterator<Item = EntityUid>,
174        tags: impl IntoIterator<Item = (String, RestrictedExpression)>,
175    ) -> Result<Self, EntityAttrEvaluationError> {
176        // note that we take a "parents" parameter here, not "ancestors"; we
177        // will compute TC when the `Entities` object is created
178        Ok(Self(ast::Entity::new(
179            uid.into(),
180            attrs.into_iter().map(|(k, v)| (k.into(), v.0)),
181            HashSet::new(),
182            parents.into_iter().map(EntityUid::into).collect(),
183            tags.into_iter().map(|(k, v)| (k.into(), v.0)),
184            Extensions::all_available(),
185        )?))
186    }
187
188    /// Create a new `Entity` with this Uid, no attributes, and no parents.
189    /// ```
190    /// # use cedar_policy::{Entity, EntityId, EntityTypeName, EntityUid};
191    /// # use std::str::FromStr;
192    /// let eid = EntityId::from_str("alice").unwrap();
193    /// let type_name = EntityTypeName::from_str("User").unwrap();
194    /// let euid = EntityUid::from_type_name_and_id(type_name, eid);
195    /// let alice = Entity::with_uid(euid);
196    /// # cool_asserts::assert_matches!(alice.attr("age"), None);
197    /// ```
198    pub fn with_uid(uid: EntityUid) -> Self {
199        Self(ast::Entity::with_uid(uid.into()))
200    }
201
202    /// Test if two entities are structurally equal. That is, not only do they
203    /// have the same UID, but they also have the same attributes and ancestors.
204    ///
205    /// Note that ancestor equality is determined by examining the ancestors
206    /// entities provided when constructing these objects, without computing
207    /// their transitive closure. For accurate comparison, entities should be
208    /// constructed with the transitive closure precomputed or be drawn from an
209    /// [`Entities`] object which will perform this computation.
210    pub fn deep_eq(&self, other: &Self) -> bool {
211        self.0.deep_eq(&other.0)
212    }
213
214    /// Get the Uid of this entity
215    /// ```
216    /// # use cedar_policy::{Entity, EntityId, EntityTypeName, EntityUid};
217    /// # use std::str::FromStr;
218    /// # let eid = EntityId::from_str("alice").unwrap();
219    /// let type_name = EntityTypeName::from_str("User").unwrap();
220    /// let euid = EntityUid::from_type_name_and_id(type_name, eid);
221    /// let alice = Entity::with_uid(euid.clone());
222    /// assert_eq!(alice.uid(), euid);
223    /// ```
224    pub fn uid(&self) -> EntityUid {
225        self.0.uid().clone().into()
226    }
227
228    /// Get the value for the given attribute, or `None` if not present.
229    ///
230    /// This can also return Some(Err) if the attribute is not a value (i.e., is
231    /// unknown due to partial evaluation).
232    /// ```
233    /// # use cedar_policy::{Entity, EntityId, EntityTypeName, EntityUid, EvalResult, RestrictedExpression};
234    /// # use std::collections::{HashMap, HashSet};
235    /// # use std::str::FromStr;
236    /// let eid = EntityId::from_str("alice").unwrap();
237    /// let type_name = EntityTypeName::from_str("User").unwrap();
238    /// let euid = EntityUid::from_type_name_and_id(type_name, eid);
239    /// let attrs = HashMap::from([
240    ///     ("age".to_string(), RestrictedExpression::from_str("21").unwrap()),
241    ///     ("department".to_string(), RestrictedExpression::from_str("\"CS\"").unwrap()),
242    /// ]);
243    /// let entity = Entity::new(euid, attrs, HashSet::new()).unwrap();
244    /// assert_eq!(entity.attr("age").unwrap().unwrap(), EvalResult::Long(21));
245    /// assert_eq!(entity.attr("department").unwrap().unwrap(), EvalResult::String("CS".to_string()));
246    /// assert!(entity.attr("foo").is_none());
247    /// ```
248    pub fn attr(&self, attr: &str) -> Option<Result<EvalResult, PartialValueToValueError>> {
249        match ast::Value::try_from(self.0.get(attr)?.clone()) {
250            Ok(v) => Some(Ok(EvalResult::from(v))),
251            Err(e) => Some(Err(e)),
252        }
253    }
254
255    /// Iterate over all attributes of the entity, as (name, value) pairs
256    ///
257    /// The value for any individual attribute may be `Err` if the attribute is
258    /// not a value (i.e., is unknown due to partial evaluation).
259    pub fn attrs(
260        &self,
261    ) -> impl Iterator<Item = (&str, Result<EvalResult, PartialValueToValueError>)> {
262        self.0.attrs().map(|(k, v)| {
263            (
264                k.as_ref(),
265                ast::Value::try_from(v.clone()).map(EvalResult::from),
266            )
267        })
268    }
269
270    /// Get the value for the given tag, or `None` if not present.
271    ///
272    /// This can also return Some(Err) if the tag is not a value (i.e., is
273    /// unknown due to partial evaluation).
274    pub fn tag(&self, tag: &str) -> Option<Result<EvalResult, PartialValueToValueError>> {
275        match ast::Value::try_from(self.0.get_tag(tag)?.clone()) {
276            Ok(v) => Some(Ok(EvalResult::from(v))),
277            Err(e) => Some(Err(e)),
278        }
279    }
280
281    /// Iterate over all tags of the entity, as (name, value) pairs
282    ///
283    /// The value for any individual tag may be `Err` if the tag is not a value
284    /// (i.e., is unknown due to partial evaluation).
285    pub fn tags(
286        &self,
287    ) -> impl Iterator<Item = (&str, Result<EvalResult, PartialValueToValueError>)> {
288        self.0.tags().map(|(k, v)| {
289            (
290                k.as_ref(),
291                ast::Value::try_from(v.clone()).map(EvalResult::from),
292            )
293        })
294    }
295
296    /// Consume the entity and return the entity's owned Uid, attributes and parents.
297    pub fn into_inner(
298        self,
299    ) -> (
300        EntityUid,
301        HashMap<String, RestrictedExpression>,
302        HashSet<EntityUid>,
303    ) {
304        let (uid, attrs, ancestors, mut parents, _) = self.0.into_inner();
305        parents.extend(ancestors);
306
307        let attrs = attrs
308            .into_iter()
309            .map(|(k, v)| {
310                (
311                    k.to_string(),
312                    match v {
313                        ast::PartialValue::Value(val) => {
314                            RestrictedExpression(ast::RestrictedExpr::from(val))
315                        }
316                        ast::PartialValue::Residual(exp) => {
317                            RestrictedExpression(ast::RestrictedExpr::new_unchecked(exp))
318                        }
319                    },
320                )
321            })
322            .collect();
323
324        (
325            uid.into(),
326            attrs,
327            parents.into_iter().map(Into::into).collect(),
328        )
329    }
330
331    /// Parse an entity from an in-memory JSON value
332    /// If a schema is provided, it is handled identically to [`Entities::from_json_str`]
333    pub fn from_json_value(
334        value: serde_json::Value,
335        schema: Option<&Schema>,
336    ) -> Result<Self, EntitiesError> {
337        let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
338        let eparser = cedar_policy_core::entities::EntityJsonParser::new(
339            schema.as_ref(),
340            Extensions::all_available(),
341            cedar_policy_core::entities::TCComputation::ComputeNow,
342        );
343        eparser.single_from_json_value(value).map(Self)
344    }
345
346    /// Parse an entity from a JSON string
347    /// If a schema is provided, it is handled identically to [`Entities::from_json_str`]
348    pub fn from_json_str(
349        src: impl AsRef<str>,
350        schema: Option<&Schema>,
351    ) -> Result<Self, EntitiesError> {
352        let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
353        let eparser = cedar_policy_core::entities::EntityJsonParser::new(
354            schema.as_ref(),
355            Extensions::all_available(),
356            cedar_policy_core::entities::TCComputation::ComputeNow,
357        );
358        eparser.single_from_json_str(src).map(Self)
359    }
360
361    /// Parse an entity from a JSON reader
362    /// If a schema is provided, it is handled identically to [`Entities::from_json_str`]
363    pub fn from_json_file(f: impl Read, schema: Option<&Schema>) -> Result<Self, EntitiesError> {
364        let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
365        let eparser = cedar_policy_core::entities::EntityJsonParser::new(
366            schema.as_ref(),
367            Extensions::all_available(),
368            cedar_policy_core::entities::TCComputation::ComputeNow,
369        );
370        eparser.single_from_json_file(f).map(Self)
371    }
372
373    /// Dump an `Entity` object into an entity JSON file.
374    ///
375    /// The resulting JSON will be suitable for parsing in via
376    /// `from_json_*`, and will be parse-able even with no [`Schema`].
377    ///
378    /// To read an `Entity` object from JSON , use
379    /// [`Self::from_json_file`], [`Self::from_json_value`], or [`Self::from_json_str`].
380    pub fn write_to_json(&self, f: impl std::io::Write) -> Result<(), EntitiesError> {
381        self.0.write_to_json(f)
382    }
383
384    /// Dump an `Entity` object into an in-memory JSON object.
385    ///
386    /// The resulting JSON will be suitable for parsing in via
387    /// `from_json_*`, and will be parse-able even with no `Schema`.
388    ///
389    /// To read an `Entity` object from JSON , use
390    /// [`Self::from_json_file`], [`Self::from_json_value`], or [`Self::from_json_str`].
391    pub fn to_json_value(&self) -> Result<serde_json::Value, EntitiesError> {
392        self.0.to_json_value()
393    }
394
395    /// Dump an `Entity` object into a JSON string.
396    ///
397    /// The resulting JSON will be suitable for parsing in via
398    /// `from_json_*`, and will be parse-able even with no `Schema`.
399    ///
400    /// To read an `Entity` object from JSON , use
401    /// [`Self::from_json_file`], [`Self::from_json_value`], or [`Self::from_json_str`].
402    pub fn to_json_string(&self) -> Result<String, EntitiesError> {
403        self.0.to_json_string()
404    }
405}
406
407impl std::fmt::Display for Entity {
408    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
409        write!(f, "{}", self.0)
410    }
411}
412
413/// Represents an entity hierarchy, and allows looking up `Entity` objects by
414/// Uid.
415#[repr(transparent)]
416#[derive(Debug, Clone, Default, PartialEq, Eq, RefCast)]
417pub struct Entities(pub(crate) cedar_policy_core::entities::Entities);
418
419#[doc(hidden)] // because this converts to a private/internal type
420impl AsRef<cedar_policy_core::entities::Entities> for Entities {
421    fn as_ref(&self) -> &cedar_policy_core::entities::Entities {
422        &self.0
423    }
424}
425
426#[doc(hidden)]
427impl From<cedar_policy_core::entities::Entities> for Entities {
428    fn from(entities: cedar_policy_core::entities::Entities) -> Self {
429        Self(entities)
430    }
431}
432
433use entities_errors::EntitiesError;
434
435impl Entities {
436    /// Create a fresh `Entities` with no entities
437    /// ```
438    /// # use cedar_policy::Entities;
439    /// let entities = Entities::empty();
440    /// # assert!(entities.is_empty());
441    /// ```
442    pub fn empty() -> Self {
443        Self(cedar_policy_core::entities::Entities::new())
444    }
445
446    /// Get the `Entity` with the given Uid, if any
447    pub fn get(&self, uid: &EntityUid) -> Option<&Entity> {
448        match self.0.entity(uid.as_ref()) {
449            Dereference::Residual(_) | Dereference::NoSuchEntity => None,
450            Dereference::Data(e) => Some(Entity::ref_cast(e)),
451        }
452    }
453
454    /// Transform the store into a partial store, where
455    /// attempting to dereference a non-existent `EntityUid` results in
456    /// a residual instead of an error.
457    #[doc = include_str!("../experimental_warning.md")]
458    #[must_use]
459    #[cfg(feature = "partial-eval")]
460    pub fn partial(self) -> Self {
461        Self(self.0.partial())
462    }
463
464    /// Iterate over the `Entity`'s in the `Entities`
465    pub fn iter(&self) -> impl Iterator<Item = &Entity> {
466        self.0.iter().map(Entity::ref_cast)
467    }
468
469    /// Test if two entity hierarchies are structurally equal. The hierarchies
470    /// must contain the same set of entity ids, and the entities with each id
471    /// must be structurally equal (decided by [`Entity::deep_eq`]). Ancestor
472    /// equality between entities is always decided by comparing the transitive
473    /// closure of ancestor and not direct parents.
474    pub fn deep_eq(&self, other: &Self) -> bool {
475        self.0.deep_eq(&other.0)
476    }
477
478    /// Create an `Entities` object with the given entities.
479    ///
480    /// `schema` represents a source of `Action` entities, which will be added
481    /// to the entities provided.
482    /// (If any `Action` entities are present in the provided entities, and a
483    /// `schema` is also provided, each `Action` entity in the provided entities
484    /// must exactly match its definition in the schema or an error is
485    /// returned.)
486    ///
487    /// If a `schema` is present, this function will also ensure that the
488    /// produced entities fully conform to the `schema` -- for instance, it will
489    /// error if attributes have the wrong types (e.g., string instead of
490    /// integer), or if required attributes are missing or superfluous
491    /// attributes are provided.
492    /// ## Errors
493    /// - [`EntitiesError::Duplicate`] if there are any duplicate entities in `entities`
494    /// - [`EntitiesError::InvalidEntity`] if `schema` is not none and any entities do not conform
495    ///   to the schema
496    pub fn from_entities(
497        entities: impl IntoIterator<Item = Entity>,
498        schema: Option<&Schema>,
499    ) -> Result<Self, EntitiesError> {
500        cedar_policy_core::entities::Entities::from_entities(
501            entities.into_iter().map(|e| e.0),
502            schema
503                .map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0))
504                .as_ref(),
505            cedar_policy_core::entities::TCComputation::ComputeNow,
506            Extensions::all_available(),
507        )
508        .map(Entities)
509    }
510
511    /// Add all of the [`Entity`]s in the collection to this [`Entities`]
512    /// structure, re-computing the transitive closure.
513    ///
514    /// If a `schema` is provided, this method will ensure that the added
515    /// entities fully conform to the schema -- for instance, it will error if
516    /// attributes have the wrong types (e.g., string instead of integer), or if
517    /// required attributes are missing or superfluous attributes are provided.
518    /// (This method will not add action entities from the `schema`.)
519    ///
520    /// Re-computing the transitive closure can be expensive, so it is advised
521    /// to not call this method in a loop.
522    /// ## Errors
523    /// - [`EntitiesError::Duplicate`] if there is a pair of non-identical entities in `entities` with the same Entity UID,
524    ///   or there is an entity in `entities` with the same Entity UID as a non-identical entity in this structure
525    /// - [`EntitiesError::InvalidEntity`] if `schema` is not none and any entities do not conform
526    ///   to the schema
527    pub fn add_entities(
528        self,
529        entities: impl IntoIterator<Item = Entity>,
530        schema: Option<&Schema>,
531    ) -> Result<Self, EntitiesError> {
532        Ok(Self(
533            self.0.add_entities(
534                entities.into_iter().map(|e| Arc::new(e.0)),
535                schema
536                    .map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0))
537                    .as_ref(),
538                cedar_policy_core::entities::TCComputation::ComputeNow,
539                Extensions::all_available(),
540            )?,
541        ))
542    }
543
544    /// Removes each of the [`EntityUid`]s in the iterator
545    /// from this [`Entities`] structure, re-computing the transitive
546    /// closure after removing all edges to/from the removed entities.
547    ///
548    /// Re-computing the transitive closure can be expensive, so it is
549    /// advised to not call this method in a loop.
550    pub fn remove_entities(
551        self,
552        entity_ids: impl IntoIterator<Item = EntityUid>,
553    ) -> Result<Self, EntitiesError> {
554        Ok(Self(self.0.remove_entities(
555            entity_ids.into_iter().map(|euid| euid.0),
556            cedar_policy_core::entities::TCComputation::ComputeNow,
557        )?))
558    }
559
560    /// Updates or adds all of the [`Entity`]s in the collection to this [`Entities`]
561    /// structure, re-computing the transitive closure.
562    ///
563    /// If a `schema` is provided, this method will ensure that the added
564    /// entities fully conform to the schema -- for instance, it will error if
565    /// attributes have the wrong types (e.g., string instead of integer), or if
566    /// required attributes are missing or superfluous attributes are provided.
567    /// (This method will not add action entities from the `schema`.)
568    ///
569    /// Re-computing the transitive closure can be expensive, so it is advised
570    /// to not call this method in a loop.
571    /// ## Errors
572    /// - [`EntitiesError::InvalidEntity`] if `schema` is not none and any entities do not conform
573    ///   to the schema
574    pub fn upsert_entities(
575        self,
576        entities: impl IntoIterator<Item = Entity>,
577        schema: Option<&Schema>,
578    ) -> Result<Self, EntitiesError> {
579        Ok(Self(
580            self.0.upsert_entities(
581                entities.into_iter().map(|e| Arc::new(e.0)),
582                schema
583                    .map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0))
584                    .as_ref(),
585                cedar_policy_core::entities::TCComputation::ComputeNow,
586                Extensions::all_available(),
587            )?,
588        ))
589    }
590
591    /// Parse an entities JSON file (in [&str] form) and add them into this
592    /// [`Entities`] structure, re-computing the transitive closure
593    ///
594    /// If a `schema` is provided, this will inform the parsing: for instance, it
595    /// will allow `__entity` and `__extn` escapes to be implicit.
596    /// This method will also ensure that the added entities fully conform to the
597    /// schema -- for instance, it will error if attributes have the wrong types
598    /// (e.g., string instead of integer), or if required attributes are missing
599    /// or superfluous attributes are provided.
600    /// (This method will not add action entities from the `schema`.)
601    ///
602    /// Re-computing the transitive closure can be expensive, so it is advised
603    /// to not call this method in a loop.
604    /// ## Errors
605    /// - [`EntitiesError::Duplicate`] if there is a pair of non-identical entities in
606    ///   `entities` with the same Entity UID, or there is an entity in `entities` with the
607    ///   same Entity UID as a non-identical entity in this structure
608    /// - [`EntitiesError::InvalidEntity`] if `schema` is not none and any entities do not conform
609    ///   to the schema
610    /// - [`EntitiesError::Deserialization`] if there are errors while parsing the json
611    pub fn add_entities_from_json_str(
612        self,
613        json: &str,
614        schema: Option<&Schema>,
615    ) -> Result<Self, EntitiesError> {
616        let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
617        let eparser = cedar_policy_core::entities::EntityJsonParser::new(
618            schema.as_ref(),
619            Extensions::all_available(),
620            cedar_policy_core::entities::TCComputation::ComputeNow,
621        );
622        let new_entities = eparser.iter_from_json_str(json)?.map(Arc::new);
623        Ok(Self(self.0.add_entities(
624            new_entities,
625            schema.as_ref(),
626            cedar_policy_core::entities::TCComputation::ComputeNow,
627            Extensions::all_available(),
628        )?))
629    }
630
631    /// Parse an entities JSON file (in [`serde_json::Value`] form) and add them
632    /// into this [`Entities`] structure, re-computing the transitive closure
633    ///
634    /// If a `schema` is provided, this will inform the parsing: for instance, it
635    /// will allow `__entity` and `__extn` escapes to be implicit.
636    /// This method will also ensure that the added entities fully conform to the
637    /// schema -- for instance, it will error if attributes have the wrong types
638    /// (e.g., string instead of integer), or if required attributes are missing
639    /// or superfluous attributes are provided.
640    /// (This method will not add action entities from the `schema`.)
641    ///
642    /// Re-computing the transitive closure can be expensive, so it is advised
643    /// to not call this method in a loop.
644    /// ## Errors
645    /// - [`EntitiesError::Duplicate`] if there is a pair of non-identical entities in
646    ///   `entities` with the same Entity UID, or there is an entity in `entities` with the same
647    ///   Entity UID as a non-identical entity in this structure
648    /// - [`EntitiesError::InvalidEntity`] if `schema` is not none and any entities do not conform
649    ///   to the schema
650    /// - [`EntitiesError::Deserialization`] if there are errors while parsing the json
651    pub fn add_entities_from_json_value(
652        self,
653        json: serde_json::Value,
654        schema: Option<&Schema>,
655    ) -> Result<Self, EntitiesError> {
656        let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
657        let eparser = cedar_policy_core::entities::EntityJsonParser::new(
658            schema.as_ref(),
659            Extensions::all_available(),
660            cedar_policy_core::entities::TCComputation::ComputeNow,
661        );
662        let new_entities = eparser.iter_from_json_value(json)?.map(Arc::new);
663        Ok(Self(self.0.add_entities(
664            new_entities,
665            schema.as_ref(),
666            cedar_policy_core::entities::TCComputation::ComputeNow,
667            Extensions::all_available(),
668        )?))
669    }
670
671    /// Parse an entities JSON file (in [`std::io::Read`] form) and add them
672    /// into this [`Entities`] structure, re-computing the transitive closure
673    ///
674    /// If a `schema` is provided, this will inform the parsing: for instance, it
675    /// will allow `__entity` and `__extn` escapes to be implicit.
676    /// This method will also ensure that the added entities fully conform to the
677    /// schema -- for instance, it will error if attributes have the wrong types
678    /// (e.g., string instead of integer), or if required attributes are missing
679    /// or superfluous attributes are provided.
680    /// (This method will not add action entities from the `schema`.)
681    ///
682    /// Re-computing the transitive closure can be expensive, so it is advised
683    /// to not call this method in a loop.
684    ///
685    /// ## Errors
686    /// - [`EntitiesError::Duplicate`] if there is a pair of non-identical entities in `entities`
687    ///   with the same Entity UID, or there is an entity in `entities` with the same Entity UID as a
688    ///   non-identical entity in this structure
689    /// - [`EntitiesError::InvalidEntity`] if `schema` is not none and any entities do not conform
690    ///   to the schema
691    /// - [`EntitiesError::Deserialization`] if there are errors while parsing the json
692    pub fn add_entities_from_json_file(
693        self,
694        json: impl std::io::Read,
695        schema: Option<&Schema>,
696    ) -> Result<Self, EntitiesError> {
697        let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
698        let eparser = cedar_policy_core::entities::EntityJsonParser::new(
699            schema.as_ref(),
700            Extensions::all_available(),
701            cedar_policy_core::entities::TCComputation::ComputeNow,
702        );
703        let new_entities = eparser.iter_from_json_file(json)?.map(Arc::new);
704        Ok(Self(self.0.add_entities(
705            new_entities,
706            schema.as_ref(),
707            cedar_policy_core::entities::TCComputation::ComputeNow,
708            Extensions::all_available(),
709        )?))
710    }
711
712    /// Parse an entities JSON file (in `&str` form) into an `Entities` object
713    ///
714    /// `schema` represents a source of `Action` entities, which will be added
715    /// to the entities parsed from JSON.
716    /// (If any `Action` entities are present in the JSON, and a `schema` is
717    /// also provided, each `Action` entity in the JSON must exactly match its
718    /// definition in the schema or an error is returned.)
719    ///
720    /// If a `schema` is present, this will also inform the parsing: for
721    /// instance, it will allow `__entity` and `__extn` escapes to be implicit.
722    ///
723    /// Finally, if a `schema` is present, this function will ensure
724    /// that the produced entities fully conform to the `schema` -- for
725    /// instance, it will error if attributes have the wrong types (e.g., string
726    /// instead of integer), or if required attributes are missing or
727    /// superfluous attributes are provided.
728    ///
729    /// ## Errors
730    /// - [`EntitiesError::Duplicate`] if there are any duplicate entities in `entities`
731    /// - [`EntitiesError::InvalidEntity`] if `schema` is not none and any entities do not conform
732    ///   to the schema
733    /// - [`EntitiesError::Deserialization`] if there are errors while parsing the json
734    ///
735    /// ```
736    /// # use cedar_policy::{Entities, EntityId, EntityTypeName, EntityUid, EvalResult, Request,PolicySet};
737    /// # use std::str::FromStr;
738    /// let data =r#"
739    /// [
740    /// {
741    ///   "uid": {"type":"User","id":"alice"},
742    ///   "attrs": {
743    ///     "age":19,
744    ///     "ip_addr":{"__extn":{"fn":"ip", "arg":"10.0.1.101"}}
745    ///   },
746    ///   "parents": [{"type":"Group","id":"admin"}]
747    /// },
748    /// {
749    ///   "uid": {"type":"Group","id":"admin"},
750    ///   "attrs": {},
751    ///   "parents": []
752    /// }
753    /// ]
754    /// "#;
755    /// let entities = Entities::from_json_str(data, None).unwrap();
756    /// # let euid = EntityUid::from_str(r#"User::"alice""#).unwrap();
757    /// # let entity = entities.get(&euid).unwrap();
758    /// # assert_eq!(entity.attr("age").unwrap().unwrap(), EvalResult::Long(19));
759    /// # let ip = entity.attr("ip_addr").unwrap().unwrap();
760    /// # assert_eq!(ip, EvalResult::ExtensionValue("ip(\"10.0.1.101\")".to_string()));
761    /// ```
762    pub fn from_json_str(json: &str, schema: Option<&Schema>) -> Result<Self, EntitiesError> {
763        let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
764        let eparser = cedar_policy_core::entities::EntityJsonParser::new(
765            schema.as_ref(),
766            Extensions::all_available(),
767            cedar_policy_core::entities::TCComputation::ComputeNow,
768        );
769        eparser.from_json_str(json).map(Entities)
770    }
771
772    /// Parse an entities JSON file (in `serde_json::Value` form) into an
773    /// `Entities` object
774    ///
775    /// `schema` represents a source of `Action` entities, which will be added
776    /// to the entities parsed from JSON.
777    /// (If any `Action` entities are present in the JSON, and a `schema` is
778    /// also provided, each `Action` entity in the JSON must exactly match its
779    /// definition in the schema or an error is returned.)
780    ///
781    /// If a `schema` is present, this will also inform the parsing: for
782    /// instance, it will allow `__entity` and `__extn` escapes to be implicit.
783    ///
784    /// Finally, if a `schema` is present, this function will ensure
785    /// that the produced entities fully conform to the `schema` -- for
786    /// instance, it will error if attributes have the wrong types (e.g., string
787    /// instead of integer), or if required attributes are missing or
788    /// superfluous attributes are provided.
789    ///
790    /// ## Errors
791    /// - [`EntitiesError::Duplicate`] if there are any duplicate entities in `entities`
792    /// - [`EntitiesError::InvalidEntity`]if `schema` is not none and any entities do not conform
793    ///   to the schema
794    /// - [`EntitiesError::Deserialization`] if there are errors while parsing the json
795    ///
796    /// ```
797    /// # use cedar_policy::{Entities, EntityId, EntityTypeName, EntityUid, EvalResult, Request,PolicySet};
798    /// let data =serde_json::json!(
799    /// [
800    /// {
801    ///   "uid": {"type":"User","id":"alice"},
802    ///   "attrs": {
803    ///     "age":19,
804    ///     "ip_addr":{"__extn":{"fn":"ip", "arg":"10.0.1.101"}}
805    ///   },
806    ///   "parents": [{"type":"Group","id":"admin"}]
807    /// },
808    /// {
809    ///   "uid": {"type":"Group","id":"admin"},
810    ///   "attrs": {},
811    ///   "parents": []
812    /// }
813    /// ]
814    /// );
815    /// let entities = Entities::from_json_value(data, None).unwrap();
816    /// ```
817    pub fn from_json_value(
818        json: serde_json::Value,
819        schema: Option<&Schema>,
820    ) -> Result<Self, EntitiesError> {
821        let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
822        let eparser = cedar_policy_core::entities::EntityJsonParser::new(
823            schema.as_ref(),
824            Extensions::all_available(),
825            cedar_policy_core::entities::TCComputation::ComputeNow,
826        );
827        eparser.from_json_value(json).map(Entities)
828    }
829
830    /// Parse an entities JSON file (in `std::io::Read` form) into an `Entities`
831    /// object
832    ///
833    /// `schema` represents a source of `Action` entities, which will be added
834    /// to the entities parsed from JSON.
835    /// (If any `Action` entities are present in the JSON, and a `schema` is
836    /// also provided, each `Action` entity in the JSON must exactly match its
837    /// definition in the schema or an error is returned.)
838    ///
839    /// If a `schema` is present, this will also inform the parsing: for
840    /// instance, it will allow `__entity` and `__extn` escapes to be implicit.
841    ///
842    /// Finally, if a `schema` is present, this function will ensure
843    /// that the produced entities fully conform to the `schema` -- for
844    /// instance, it will error if attributes have the wrong types (e.g., string
845    /// instead of integer), or if required attributes are missing or
846    /// superfluous attributes are provided.
847    ///
848    /// ## Errors
849    /// - [`EntitiesError::Duplicate`] if there are any duplicate entities in `entities`
850    /// - [`EntitiesError::InvalidEntity`] if `schema` is not none and any entities do not conform
851    ///   to the schema
852    /// - [`EntitiesError::Deserialization`] if there are errors while parsing the json
853    pub fn from_json_file(
854        json: impl std::io::Read,
855        schema: Option<&Schema>,
856    ) -> Result<Self, EntitiesError> {
857        let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
858        let eparser = cedar_policy_core::entities::EntityJsonParser::new(
859            schema.as_ref(),
860            Extensions::all_available(),
861            cedar_policy_core::entities::TCComputation::ComputeNow,
862        );
863        eparser.from_json_file(json).map(Entities)
864    }
865
866    /// Is entity `a` an ancestor of entity `b`?
867    /// Same semantics as `b in a` in the Cedar language
868    pub fn is_ancestor_of(&self, a: &EntityUid, b: &EntityUid) -> bool {
869        match self.0.entity(b.as_ref()) {
870            Dereference::Data(b) => b.is_descendant_of(a.as_ref()),
871            _ => a == b, // if b doesn't exist, `b in a` is only true if `b == a`
872        }
873    }
874
875    /// Get an iterator over the ancestors of the given Euid.
876    /// Returns `None` if the given `Euid` does not exist.
877    pub fn ancestors<'a>(
878        &'a self,
879        euid: &EntityUid,
880    ) -> Option<impl Iterator<Item = &'a EntityUid>> {
881        let entity = match self.0.entity(euid.as_ref()) {
882            Dereference::Residual(_) | Dereference::NoSuchEntity => None,
883            Dereference::Data(e) => Some(e),
884        }?;
885        Some(entity.ancestors().map(EntityUid::ref_cast))
886    }
887
888    /// Returns the number of `Entity`s in the `Entities`
889    pub fn len(&self) -> usize {
890        self.0.len()
891    }
892
893    /// Returns true if the `Entities` contains no `Entity`s
894    pub fn is_empty(&self) -> bool {
895        self.0.is_empty()
896    }
897
898    /// Dump an `Entities` object into an entities JSON file.
899    ///
900    /// The resulting JSON will be suitable for parsing in via
901    /// `from_json_*`, and will be parse-able even with no `Schema`.
902    ///
903    /// To read an `Entities` object from an entities JSON file, use
904    /// `from_json_file`.
905    pub fn write_to_json(&self, f: impl std::io::Write) -> std::result::Result<(), EntitiesError> {
906        self.0.write_to_json(f)
907    }
908
909    /// Dump an `Entities` object into an in-memory JSON object.
910    ///
911    /// The resulting JSON will be suitable for parsing in via
912    /// `from_json_*`, and will be parse-able even with no `Schema`.
913    ///
914    /// To read an `Entities` object from JSON, use
915    /// [`Self::from_json_file`], [`Self::from_json_value`], or [`Self::from_json_str`].
916    pub fn to_json_value(&self) -> Result<serde_json::Value, EntitiesError> {
917        self.0.to_json_value()
918    }
919
920    #[doc = include_str!("../experimental_warning.md")]
921    /// Visualize an `Entities` object in the graphviz `dot`
922    /// format. Entity visualization is best-effort and not well tested.
923    /// Feel free to submit an issue if you are using this feature and would like it improved.
924    pub fn to_dot_str(&self) -> String {
925        let mut dot_str = String::new();
926        #[expect(clippy::unwrap_used, reason = "writing to a String cannot fail")]
927        self.0.to_dot_str(&mut dot_str).unwrap();
928        dot_str
929    }
930}
931
932/// Validates scope variables against the provided schema
933///
934/// Returns Ok(()) if the context is valid according to the schema, or an error otherwise
935///
936/// This validation is already handled by `Request::new`, so there is no need to separately call
937/// if you are validating the whole request
938pub fn validate_scope_variables(
939    principal: &EntityUid,
940    action: &EntityUid,
941    resource: &EntityUid,
942    schema: &Schema,
943) -> std::result::Result<(), RequestValidationError> {
944    Ok(RequestSchema::validate_scope_variables(
945        &schema.0,
946        Some(&principal.0),
947        Some(&action.0),
948        Some(&resource.0),
949    )?)
950}
951
952/// Utilities for defining `IntoIterator` over `Entities`
953pub mod entities {
954
955    /// `IntoIter` iterator for `Entities`
956    #[derive(Debug)]
957    pub struct IntoIter {
958        pub(super) inner: <cedar_policy_core::entities::Entities as IntoIterator>::IntoIter,
959    }
960
961    impl Iterator for IntoIter {
962        type Item = super::Entity;
963
964        fn next(&mut self) -> Option<Self::Item> {
965            self.inner.next().map(super::Entity)
966        }
967        fn size_hint(&self) -> (usize, Option<usize>) {
968            self.inner.size_hint()
969        }
970    }
971}
972
973impl IntoIterator for Entities {
974    type Item = Entity;
975    type IntoIter = entities::IntoIter;
976
977    fn into_iter(self) -> Self::IntoIter {
978        Self::IntoIter {
979            inner: self.0.into_iter(),
980        }
981    }
982}
983
984/// Authorizer object, which provides responses to authorization queries
985#[repr(transparent)]
986#[derive(Debug, Clone, RefCast)]
987pub struct Authorizer(authorizer::Authorizer);
988
989#[doc(hidden)] // because this converts to a private/internal type
990impl AsRef<authorizer::Authorizer> for Authorizer {
991    fn as_ref(&self) -> &authorizer::Authorizer {
992        &self.0
993    }
994}
995
996impl Default for Authorizer {
997    fn default() -> Self {
998        Self::new()
999    }
1000}
1001
1002impl Authorizer {
1003    /// Create a new `Authorizer`
1004    ///
1005    /// The authorizer uses the `stacker` crate to manage stack size and tries to use a sane default.
1006    /// If the default is not right for you, you can try wrapping the authorizer or individual calls
1007    /// to `is_authorized` in `stacker::grow`.
1008    /// Note that on platforms not supported by `stacker` (e.g., Wasm, Android),
1009    /// the authorizer will simply assume that the stack size is sufficient. As a result, large inputs
1010    /// may result in stack overflows and crashing the process.
1011    /// But on all platforms supported by `stacker` (Linux, macOS, ...), Cedar will return the
1012    /// graceful error `RecursionLimit` instead of crashing.
1013    /// ```
1014    /// # use cedar_policy::{Authorizer, Context, Entities, EntityId, EntityTypeName,
1015    /// # EntityUid, Request,PolicySet};
1016    /// # use std::str::FromStr;
1017    /// # // create a request
1018    /// # let p_eid = EntityId::from_str("alice").unwrap();
1019    /// # let p_name: EntityTypeName = EntityTypeName::from_str("User").unwrap();
1020    /// # let p = EntityUid::from_type_name_and_id(p_name, p_eid);
1021    /// #
1022    /// # let a_eid = EntityId::from_str("view").unwrap();
1023    /// # let a_name: EntityTypeName = EntityTypeName::from_str("Action").unwrap();
1024    /// # let a = EntityUid::from_type_name_and_id(a_name, a_eid);
1025    /// #
1026    /// # let r_eid = EntityId::from_str("trip").unwrap();
1027    /// # let r_name: EntityTypeName = EntityTypeName::from_str("Album").unwrap();
1028    /// # let r = EntityUid::from_type_name_and_id(r_name, r_eid);
1029    /// #
1030    /// # let c = Context::empty();
1031    /// #
1032    /// # let request: Request = Request::new(p, a, r, c, None).unwrap();
1033    /// #
1034    /// # // create a policy
1035    /// # let s = r#"permit(
1036    /// #     principal == User::"alice",
1037    /// #     action == Action::"view",
1038    /// #     resource == Album::"trip"
1039    /// #   )when{
1040    /// #     principal.ip_addr.isIpv4()
1041    /// #   };
1042    /// # "#;
1043    /// # let policy = PolicySet::from_str(s).expect("policy error");
1044    /// # // create entities
1045    /// # let e = r#"[
1046    /// #     {
1047    /// #         "uid": {"type":"User","id":"alice"},
1048    /// #         "attrs": {
1049    /// #             "age":19,
1050    /// #             "ip_addr":{"__extn":{"fn":"ip", "arg":"10.0.1.101"}}
1051    /// #         },
1052    /// #         "parents": []
1053    /// #     }
1054    /// # ]"#;
1055    /// # let entities = Entities::from_json_str(e, None).expect("entity error");
1056    /// let authorizer = Authorizer::new();
1057    /// let r = authorizer.is_authorized(&request, &policy, &entities);
1058    /// ```
1059    pub fn new() -> Self {
1060        Self(authorizer::Authorizer::new())
1061    }
1062
1063    /// Returns an authorization response for `r` with respect to the given
1064    /// `PolicySet` and `Entities`.
1065    ///
1066    /// The language spec and formal model give a precise definition of how this
1067    /// is computed.
1068    /// ```
1069    /// # use cedar_policy::{Authorizer,Context,Decision,Entities,EntityId,EntityTypeName, EntityUid, Request,PolicySet};
1070    /// # use std::str::FromStr;
1071    /// // create a request
1072    /// let p_eid = EntityId::from_str("alice").unwrap();
1073    /// let p_name: EntityTypeName = EntityTypeName::from_str("User").unwrap();
1074    /// let p = EntityUid::from_type_name_and_id(p_name, p_eid);
1075    ///
1076    /// let a_eid = EntityId::from_str("view").unwrap();
1077    /// let a_name: EntityTypeName = EntityTypeName::from_str("Action").unwrap();
1078    /// let a = EntityUid::from_type_name_and_id(a_name, a_eid);
1079    ///
1080    /// let r_eid = EntityId::from_str("trip").unwrap();
1081    /// let r_name: EntityTypeName = EntityTypeName::from_str("Album").unwrap();
1082    /// let r = EntityUid::from_type_name_and_id(r_name, r_eid);
1083    ///
1084    /// let c = Context::empty();
1085    ///
1086    /// let request: Request = Request::new(p, a, r, c, None).unwrap();
1087    ///
1088    /// // create a policy
1089    /// let s = r#"
1090    /// permit (
1091    ///   principal == User::"alice",
1092    ///   action == Action::"view",
1093    ///   resource == Album::"trip"
1094    /// )
1095    /// when { principal.ip_addr.isIpv4() };
1096    /// "#;
1097    /// let policy = PolicySet::from_str(s).expect("policy error");
1098    ///
1099    /// // create entities
1100    /// let e = r#"[
1101    ///     {
1102    ///         "uid": {"type":"User","id":"alice"},
1103    ///         "attrs": {
1104    ///             "age":19,
1105    ///             "ip_addr":{"__extn":{"fn":"ip", "arg":"10.0.1.101"}}
1106    ///         },
1107    ///         "parents": []
1108    ///     }
1109    /// ]"#;
1110    /// let entities = Entities::from_json_str(e, None).expect("entity error");
1111    ///
1112    /// let authorizer = Authorizer::new();
1113    /// let response = authorizer.is_authorized(&request, &policy, &entities);
1114    /// assert_eq!(response.decision(), Decision::Allow);
1115    /// ```
1116    pub fn is_authorized(&self, r: &Request, p: &PolicySet, e: &Entities) -> Response {
1117        self.0.is_authorized(r.0.clone(), &p.ast, &e.0).into()
1118    }
1119
1120    /// A partially evaluated authorization request.
1121    /// The Authorizer will attempt to make as much progress as possible in the presence of unknowns.
1122    /// If the Authorizer can reach a response, it will return that response.
1123    /// Otherwise, it will return a list of residual policies that still need to be evaluated.
1124    #[doc = include_str!("../experimental_warning.md")]
1125    #[cfg(feature = "partial-eval")]
1126    pub fn is_authorized_partial(
1127        &self,
1128        query: &Request,
1129        policy_set: &PolicySet,
1130        entities: &Entities,
1131    ) -> PartialResponse {
1132        let response = self
1133            .0
1134            .is_authorized_core(query.0.clone(), &policy_set.ast, &entities.0);
1135        PartialResponse(response)
1136    }
1137}
1138
1139/// Authorization response returned from the `Authorizer`
1140#[derive(Debug, PartialEq, Eq, Clone)]
1141pub struct Response {
1142    /// Authorization decision
1143    pub(crate) decision: Decision,
1144    /// Diagnostics providing more information on how this decision was reached
1145    pub(crate) diagnostics: Diagnostics,
1146}
1147
1148/// A partially evaluated authorization response.
1149///
1150/// Splits the results into several categories: satisfied, false, and residual for each policy effect.
1151/// Also tracks all the errors that were encountered during evaluation.
1152#[doc = include_str!("../experimental_warning.md")]
1153#[cfg(feature = "partial-eval")]
1154#[repr(transparent)]
1155#[derive(Debug, Clone, RefCast)]
1156pub struct PartialResponse(cedar_policy_core::authorizer::PartialResponse);
1157
1158#[cfg(feature = "partial-eval")]
1159impl PartialResponse {
1160    /// Attempt to reach a partial decision; the presence of residuals may result in returning [`None`],
1161    /// indicating that a decision could not be reached given the unknowns
1162    pub fn decision(&self) -> Option<Decision> {
1163        self.0.decision()
1164    }
1165
1166    /// Convert this response into a concrete evaluation response.
1167    /// All residuals are treated as errors
1168    pub fn concretize(self) -> Response {
1169        self.0.concretize().into()
1170    }
1171
1172    /// Returns the set of [`Policy`]s that were definitely satisfied.
1173    /// This will be the set of policies (both `permit` and `forbid`) that evaluated to `true`
1174    pub fn definitely_satisfied(&self) -> impl Iterator<Item = Policy> + '_ {
1175        self.0.definitely_satisfied().map(Policy::from_ast)
1176    }
1177
1178    /// Returns the set of [`PolicyId`]s that encountered errors
1179    pub fn definitely_errored(&self) -> impl Iterator<Item = &PolicyId> {
1180        self.0.definitely_errored().map(PolicyId::ref_cast)
1181    }
1182
1183    /// Returns an over-approximation of the set of determining policies
1184    ///
1185    /// This is all policies that may be determining for any substitution of the unknowns.
1186    /// Policies not in this set will not affect the final decision, regardless of any
1187    /// substitutions.
1188    ///
1189    /// For more information on what counts as "determining" see: <https://docs.cedarpolicy.com/auth/authorization.html#request-authorization>
1190    pub fn may_be_determining(&self) -> impl Iterator<Item = Policy> + '_ {
1191        self.0.may_be_determining().map(Policy::from_ast)
1192    }
1193
1194    /// Returns an under-approximation of the set of determining policies
1195    ///
1196    /// This is all policies that must be determining for all possible substitutions of the unknowns.
1197    /// This set will include policies that evaluated to `true` and are guaranteed to be
1198    /// contributing to the final authorization decision.
1199    ///
1200    /// For more information on what counts as "determining" see: <https://docs.cedarpolicy.com/auth/authorization.html#request-authorization>
1201    pub fn must_be_determining(&self) -> impl Iterator<Item = Policy> + '_ {
1202        self.0.must_be_determining().map(Policy::from_ast)
1203    }
1204
1205    /// Returns the set of non-trivial (meaning more than just `true` or `false`) residual expressions.
1206    ///
1207    /// Call [`Policy::to_pst()`] on each result to convert to [`pst::Policy`]
1208    /// for structured inspection of the residual expression tree.
1209    pub fn nontrivial_residuals(&'_ self) -> impl Iterator<Item = Policy> + '_ {
1210        self.0.nontrivial_residuals().map(Policy::from_ast)
1211    }
1212
1213    /// Returns every policy as a residual expression.
1214    ///
1215    /// Call [`Policy::to_pst()`] on each result to convert to [`pst::Policy`]
1216    /// for structured inspection of the residual expression tree.
1217    pub fn all_residuals(&'_ self) -> impl Iterator<Item = Policy> + '_ {
1218        self.0.all_residuals().map(Policy::from_ast)
1219    }
1220
1221    /// Returns all unknown entities during the evaluation of the response
1222    pub fn unknown_entities(&self) -> HashSet<EntityUid> {
1223        let mut entity_uids = HashSet::new();
1224        for policy in self.0.all_residuals() {
1225            entity_uids.extend(policy.unknown_entities().into_iter().map(Into::into));
1226        }
1227        entity_uids
1228    }
1229
1230    /// Return the residual for a given [`PolicyId`], if it exists in the response
1231    pub fn get(&self, id: &PolicyId) -> Option<Policy> {
1232        self.0.get(id.as_ref()).map(Policy::from_ast)
1233    }
1234
1235    /// Attempt to re-authorize this response given a mapping from unknowns to values.
1236    #[expect(
1237        clippy::needless_pass_by_value,
1238        reason = "don't want to change signature of deprecated public function"
1239    )]
1240    #[deprecated = "use reauthorize_with_bindings"]
1241    pub fn reauthorize(
1242        &self,
1243        mapping: HashMap<SmolStr, RestrictedExpression>,
1244        auth: &Authorizer,
1245        es: &Entities,
1246    ) -> Result<Self, ReauthorizationError> {
1247        self.reauthorize_with_bindings(mapping.iter().map(|(k, v)| (k.as_str(), v)), auth, es)
1248    }
1249
1250    /// Attempt to re-authorize this response given a mapping from unknowns to values, provided as an iterator.
1251    /// Exhausts the iterator, returning any evaluation errors in the restricted expressions, regardless whether there is a matching unknown.
1252    pub fn reauthorize_with_bindings<'m>(
1253        &self,
1254        mapping: impl IntoIterator<Item = (&'m str, &'m RestrictedExpression)>,
1255        auth: &Authorizer,
1256        es: &Entities,
1257    ) -> Result<Self, ReauthorizationError> {
1258        let exts = Extensions::all_available();
1259        let evaluator = RestrictedEvaluator::new(exts);
1260        let mapping = mapping
1261            .into_iter()
1262            .map(|(name, expr)| {
1263                evaluator
1264                    .interpret(BorrowedRestrictedExpr::new_unchecked(expr.0.as_ref()))
1265                    .map(|v| (name.into(), v))
1266            })
1267            .collect::<Result<HashMap<_, _>, EvaluationError>>()?;
1268        let r = self.0.reauthorize(&mapping, &auth.0, &es.0)?;
1269        Ok(Self(r))
1270    }
1271}
1272
1273#[cfg(feature = "partial-eval")]
1274#[doc(hidden)]
1275impl From<cedar_policy_core::authorizer::PartialResponse> for PartialResponse {
1276    fn from(pr: cedar_policy_core::authorizer::PartialResponse) -> Self {
1277        Self(pr)
1278    }
1279}
1280
1281/// Diagnostics providing more information on how a `Decision` was reached
1282#[derive(Debug, PartialEq, Eq, Clone)]
1283pub struct Diagnostics {
1284    /// `PolicyId`s of the policies that contributed to the decision.
1285    /// If no policies applied to the request, this set will be empty.
1286    reason: HashSet<PolicyId>,
1287    /// Errors that occurred during authorization. The errors should be
1288    /// treated as unordered, since policies may be evaluated in any order.
1289    errors: Vec<AuthorizationError>,
1290}
1291
1292#[doc(hidden)]
1293impl From<authorizer::Diagnostics> for Diagnostics {
1294    fn from(diagnostics: authorizer::Diagnostics) -> Self {
1295        Self {
1296            reason: diagnostics.reason.into_iter().map(PolicyId::new).collect(),
1297            errors: diagnostics.errors.into_iter().map(Into::into).collect(),
1298        }
1299    }
1300}
1301
1302impl Diagnostics {
1303    /// Get the `PolicyId`s of the policies that contributed to the decision.
1304    /// If no policies applied to the request, this set will be empty.
1305    /// ```
1306    /// # use cedar_policy::{Authorizer, Context, Decision, Entities, EntityId, EntityTypeName,
1307    /// # EntityUid, Request,PolicySet};
1308    /// # use std::str::FromStr;
1309    /// # // create a request
1310    /// # let p_eid = EntityId::from_str("alice").unwrap();
1311    /// # let p_name: EntityTypeName = EntityTypeName::from_str("User").unwrap();
1312    /// # let p = EntityUid::from_type_name_and_id(p_name, p_eid);
1313    /// #
1314    /// # let a_eid = EntityId::from_str("view").unwrap();
1315    /// # let a_name: EntityTypeName = EntityTypeName::from_str("Action").unwrap();
1316    /// # let a = EntityUid::from_type_name_and_id(a_name, a_eid);
1317    /// #
1318    /// # let r_eid = EntityId::from_str("trip").unwrap();
1319    /// # let r_name: EntityTypeName = EntityTypeName::from_str("Album").unwrap();
1320    /// # let r = EntityUid::from_type_name_and_id(r_name, r_eid);
1321    /// #
1322    /// # let c = Context::empty();
1323    /// #
1324    /// # let request: Request = Request::new(p, a, r, c, None).unwrap();
1325    /// #
1326    /// # // create a policy
1327    /// # let s = r#"permit(
1328    /// #     principal == User::"alice",
1329    /// #     action == Action::"view",
1330    /// #     resource == Album::"trip"
1331    /// #   )when{
1332    /// #     principal.ip_addr.isIpv4()
1333    /// #   };
1334    /// # "#;
1335    /// # let policy = PolicySet::from_str(s).expect("policy error");
1336    /// # // create entities
1337    /// # let e = r#"[
1338    /// #     {
1339    /// #         "uid": {"type":"User","id":"alice"},
1340    /// #         "attrs": {
1341    /// #             "age":19,
1342    /// #             "ip_addr":{"__extn":{"fn":"ip", "arg":"10.0.1.101"}}
1343    /// #         },
1344    /// #         "parents": []
1345    /// #     }
1346    /// # ]"#;
1347    /// # let entities = Entities::from_json_str(e, None).expect("entity error");
1348    /// let authorizer = Authorizer::new();
1349    /// let response = authorizer.is_authorized(&request, &policy, &entities);
1350    /// match response.decision() {
1351    ///     Decision::Allow => println!("ALLOW"),
1352    ///     Decision::Deny => println!("DENY"),
1353    /// }
1354    /// println!("note: this decision was due to the following policies:");
1355    /// for reason in response.diagnostics().reason() {
1356    ///     println!("{}", reason);
1357    /// }
1358    /// ```
1359    pub fn reason(&self) -> impl Iterator<Item = &PolicyId> {
1360        self.reason.iter()
1361    }
1362
1363    /// Get the errors that occurred during authorization. The errors should be
1364    /// treated as unordered, since policies may be evaluated in any order.
1365    /// ```
1366    /// # use cedar_policy::{Authorizer, Context, Decision, Entities, EntityId, EntityTypeName,
1367    /// # EntityUid, Request,PolicySet};
1368    /// # use std::str::FromStr;
1369    /// # // create a request
1370    /// # let p_eid = EntityId::from_str("alice").unwrap();
1371    /// # let p_name: EntityTypeName = EntityTypeName::from_str("User").unwrap();
1372    /// # let p = EntityUid::from_type_name_and_id(p_name, p_eid);
1373    /// #
1374    /// # let a_eid = EntityId::from_str("view").unwrap();
1375    /// # let a_name: EntityTypeName = EntityTypeName::from_str("Action").unwrap();
1376    /// # let a = EntityUid::from_type_name_and_id(a_name, a_eid);
1377    /// #
1378    /// # let r_eid = EntityId::from_str("trip").unwrap();
1379    /// # let r_name: EntityTypeName = EntityTypeName::from_str("Album").unwrap();
1380    /// # let r = EntityUid::from_type_name_and_id(r_name, r_eid);
1381    /// #
1382    /// # let c = Context::empty();
1383    /// #
1384    /// # let request: Request = Request::new(p, a, r, c, None).unwrap();
1385    /// #
1386    /// # // create a policy
1387    /// # let s = r#"permit(
1388    /// #     principal == User::"alice",
1389    /// #     action == Action::"view",
1390    /// #     resource == Album::"trip"
1391    /// #   )when{
1392    /// #     principal.ip_addr.isIpv4()
1393    /// #   };
1394    /// # "#;
1395    /// # let policy = PolicySet::from_str(s).expect("policy error");
1396    /// # // create entities
1397    /// # let e = r#"[
1398    /// #     {
1399    /// #         "uid": {"type":"User","id":"alice"},
1400    /// #         "attrs": {
1401    /// #             "age":19,
1402    /// #             "ip_addr":{"__extn":{"fn":"ip", "arg":"10.0.1.101"}}
1403    /// #         },
1404    /// #         "parents": []
1405    /// #     }
1406    /// # ]"#;
1407    /// # let entities = Entities::from_json_str(e, None).expect("entity error");
1408    /// let authorizer = Authorizer::new();
1409    /// let response = authorizer.is_authorized(&request, &policy, &entities);
1410    /// match response.decision() {
1411    ///     Decision::Allow => println!("ALLOW"),
1412    ///     Decision::Deny => println!("DENY"),
1413    /// }
1414    /// for err in response.diagnostics().errors() {
1415    ///     println!("{}", err);
1416    /// }
1417    /// ```
1418    pub fn errors(&self) -> impl Iterator<Item = &AuthorizationError> + '_ {
1419        self.errors.iter()
1420    }
1421
1422    /// Consume the `Diagnostics`, producing owned versions of `reason()` and `errors()`
1423    pub(crate) fn into_components(
1424        self,
1425    ) -> (
1426        impl Iterator<Item = PolicyId>,
1427        impl Iterator<Item = AuthorizationError>,
1428    ) {
1429        (self.reason.into_iter(), self.errors.into_iter())
1430    }
1431}
1432
1433impl Response {
1434    /// Create a new `Response`
1435    pub fn new(
1436        decision: Decision,
1437        reason: HashSet<PolicyId>,
1438        errors: Vec<AuthorizationError>,
1439    ) -> Self {
1440        Self {
1441            decision,
1442            diagnostics: Diagnostics { reason, errors },
1443        }
1444    }
1445
1446    /// Get the authorization decision
1447    pub fn decision(&self) -> Decision {
1448        self.decision
1449    }
1450
1451    /// Get the authorization diagnostics
1452    pub fn diagnostics(&self) -> &Diagnostics {
1453        &self.diagnostics
1454    }
1455}
1456
1457#[doc(hidden)]
1458impl From<authorizer::Response> for Response {
1459    fn from(a: authorizer::Response) -> Self {
1460        Self {
1461            decision: a.decision,
1462            diagnostics: a.diagnostics.into(),
1463        }
1464    }
1465}
1466
1467/// Used to select how a policy will be validated.
1468#[derive(Default, Eq, PartialEq, Copy, Clone, Debug, Serialize, Deserialize)]
1469#[cfg_attr(feature = "wasm", derive(tsify::Tsify))]
1470#[cfg_attr(feature = "wasm", tsify(into_wasm_abi, from_wasm_abi))]
1471#[serde(rename_all = "camelCase")]
1472#[non_exhaustive]
1473pub enum ValidationMode {
1474    /// Validate that policies do not contain any type errors, and additionally
1475    /// have a restricted form which is amenable for analysis.
1476    #[default]
1477    Strict,
1478    /// Validate that policies do not contain any type errors.
1479    #[doc = include_str!("../experimental_warning.md")]
1480    #[cfg(feature = "permissive-validate")]
1481    Permissive,
1482    /// Validate using a partial schema. Policies may contain type errors.
1483    #[doc = include_str!("../experimental_warning.md")]
1484    #[cfg(feature = "partial-validate")]
1485    Partial,
1486}
1487
1488#[doc(hidden)]
1489impl From<ValidationMode> for cedar_policy_core::validator::ValidationMode {
1490    fn from(mode: ValidationMode) -> Self {
1491        match mode {
1492            ValidationMode::Strict => Self::Strict,
1493            #[cfg(feature = "permissive-validate")]
1494            ValidationMode::Permissive => Self::Permissive,
1495            #[cfg(feature = "partial-validate")]
1496            ValidationMode::Partial => Self::Partial,
1497        }
1498    }
1499}
1500
1501/// Validator object, which provides policy validation and typechecking.
1502#[repr(transparent)]
1503#[derive(Debug, Clone, RefCast)]
1504pub struct Validator(cedar_policy_core::validator::Validator);
1505
1506#[doc(hidden)] // because this converts to a private/internal type
1507impl AsRef<cedar_policy_core::validator::Validator> for Validator {
1508    fn as_ref(&self) -> &cedar_policy_core::validator::Validator {
1509        &self.0
1510    }
1511}
1512
1513impl Validator {
1514    /// Construct a new `Validator` to validate policies using the given
1515    /// `Schema`.
1516    pub fn new(schema: Schema) -> Self {
1517        Self(cedar_policy_core::validator::Validator::new(schema.0))
1518    }
1519
1520    /// Get the `Schema` this `Validator` is using.
1521    pub fn schema(&self) -> &Schema {
1522        RefCast::ref_cast(self.0.schema())
1523    }
1524
1525    /// Validate all policies in a policy set, collecting all validation errors
1526    /// found into the returned `ValidationResult`. Each error is returned together with the
1527    /// policy id of the policy where the error was found. If a policy id
1528    /// included in the input policy set does not appear in the output iterator, then
1529    /// that policy passed the validator. If the function `validation_passed`
1530    /// returns true, then there were no validation errors found, so all
1531    /// policies in the policy set have passed the validator.
1532    pub fn validate(&self, pset: &PolicySet, mode: ValidationMode) -> ValidationResult {
1533        ValidationResult::from(self.0.validate(&pset.ast, mode.into()))
1534    }
1535
1536    /// Validate all policies in a policy set, collecting all validation errors
1537    /// found into the returned `ValidationResult`. If validation passes, run level
1538    /// validation (RFC 76). Each error is returned together with the policy id of the policy
1539    /// where the error was found. If a policy id included in the input policy set does not
1540    /// appear in the output iterator, then that policy passed the validator. If the function
1541    /// `validation_passed` returns true, then there were no validation errors found, so
1542    /// all policies in the policy set have passed the validator.
1543    pub fn validate_with_level(
1544        &self,
1545        pset: &PolicySet,
1546        mode: ValidationMode,
1547        max_deref_level: u32,
1548    ) -> ValidationResult {
1549        ValidationResult::from(
1550            self.0
1551                .validate_with_level(&pset.ast, mode.into(), max_deref_level),
1552        )
1553    }
1554}
1555
1556/// Contains all the type information used to construct a `Schema` that can be
1557/// used to validate a policy.
1558#[derive(Debug, Clone)]
1559pub struct SchemaFragment {
1560    value: cedar_policy_core::validator::ValidatorSchemaFragment<
1561        cedar_policy_core::validator::ConditionalName,
1562        cedar_policy_core::validator::ConditionalName,
1563    >,
1564    lossless:
1565        cedar_policy_core::validator::json_schema::Fragment<cedar_policy_core::validator::RawName>,
1566}
1567
1568#[doc(hidden)] // because this converts to a private/internal type
1569impl
1570    AsRef<
1571        cedar_policy_core::validator::ValidatorSchemaFragment<
1572            cedar_policy_core::validator::ConditionalName,
1573            cedar_policy_core::validator::ConditionalName,
1574        >,
1575    > for SchemaFragment
1576{
1577    fn as_ref(
1578        &self,
1579    ) -> &cedar_policy_core::validator::ValidatorSchemaFragment<
1580        cedar_policy_core::validator::ConditionalName,
1581        cedar_policy_core::validator::ConditionalName,
1582    > {
1583        &self.value
1584    }
1585}
1586
1587#[doc(hidden)] // because this converts from a private/internal type
1588impl
1589    TryFrom<
1590        cedar_policy_core::validator::json_schema::Fragment<cedar_policy_core::validator::RawName>,
1591    > for SchemaFragment
1592{
1593    type Error = SchemaError;
1594    fn try_from(
1595        json_frag: cedar_policy_core::validator::json_schema::Fragment<
1596            cedar_policy_core::validator::RawName,
1597        >,
1598    ) -> Result<Self, Self::Error> {
1599        Ok(Self {
1600            value: json_frag.clone().try_into()?,
1601            lossless: json_frag,
1602        })
1603    }
1604}
1605
1606fn get_annotation_by_key(
1607    annotations: &est::Annotations,
1608    annotation_key: impl AsRef<str>,
1609) -> Option<&str> {
1610    annotations
1611        .0
1612        .get(&annotation_key.as_ref().parse().ok()?)
1613        .map(|value| annotation_value_to_str_ref(value.as_ref()))
1614}
1615
1616fn annotation_value_to_str_ref(value: Option<&ast::Annotation>) -> &str {
1617    value.map_or("", |a| a.as_ref())
1618}
1619
1620fn annotations_to_pairs(annotations: &est::Annotations) -> impl Iterator<Item = (&str, &str)> {
1621    annotations
1622        .0
1623        .iter()
1624        .map(|(key, value)| (key.as_ref(), annotation_value_to_str_ref(value.as_ref())))
1625}
1626
1627impl SchemaFragment {
1628    /// Get annotations of a non-empty namespace.
1629    ///
1630    /// We do not allow namespace-level annotations on the empty namespace.
1631    ///
1632    /// Returns `None` if `namespace` is not found in the [`SchemaFragment`]
1633    pub fn namespace_annotations(
1634        &self,
1635        namespace: EntityNamespace,
1636    ) -> Option<impl Iterator<Item = (&str, &str)>> {
1637        self.lossless
1638            .0
1639            .get(&Some(namespace.0))
1640            .map(|ns_def| annotations_to_pairs(&ns_def.annotations))
1641    }
1642
1643    /// Get annotation value of a non-empty namespace by annotation key
1644    /// `annotation_key`
1645    ///
1646    /// We do not allow namespace-level annotations on the empty namespace.
1647    ///
1648    /// Returns `None` if `namespace` is not found in the [`SchemaFragment`]
1649    /// or `annotation_key` is not a valid annotation key
1650    /// or it does not exist
1651    pub fn namespace_annotation(
1652        &self,
1653        namespace: EntityNamespace,
1654        annotation_key: impl AsRef<str>,
1655    ) -> Option<&str> {
1656        let ns = self.lossless.0.get(&Some(namespace.0))?;
1657        get_annotation_by_key(&ns.annotations, annotation_key)
1658    }
1659
1660    /// Get annotations of a common type declaration
1661    ///
1662    /// Returns `None` if `namespace` is not found in the [`SchemaFragment`] or
1663    /// `ty` is not a valid common type ID or `ty` is not found in the
1664    /// corresponding namespace definition
1665    pub fn common_type_annotations(
1666        &self,
1667        namespace: Option<EntityNamespace>,
1668        ty: &str,
1669    ) -> Option<impl Iterator<Item = (&str, &str)>> {
1670        let ns_def = self.lossless.0.get(&namespace.map(|n| n.0))?;
1671        let ty = json_schema::CommonTypeId::new(ast::UnreservedId::from_normalized_str(ty).ok()?)
1672            .ok()?;
1673        ns_def
1674            .common_types
1675            .get(&ty)
1676            .map(|ty| annotations_to_pairs(&ty.annotations))
1677    }
1678
1679    /// Get annotation value of a common type declaration by annotation key
1680    /// `annotation_key`
1681    ///
1682    /// Returns `None` if `namespace` is not found in the [`SchemaFragment`]
1683    /// or `ty` is not a valid common type ID
1684    /// or `ty` is not found in the corresponding namespace definition
1685    /// or `annotation_key` is not a valid annotation key
1686    /// or it does not exist
1687    pub fn common_type_annotation(
1688        &self,
1689        namespace: Option<EntityNamespace>,
1690        ty: &str,
1691        annotation_key: impl AsRef<str>,
1692    ) -> Option<&str> {
1693        let ns_def = self.lossless.0.get(&namespace.map(|n| n.0))?;
1694        let ty = json_schema::CommonTypeId::new(ast::UnreservedId::from_normalized_str(ty).ok()?)
1695            .ok()?;
1696        get_annotation_by_key(&ns_def.common_types.get(&ty)?.annotations, annotation_key)
1697    }
1698
1699    /// Get annotations of an entity type declaration
1700    ///
1701    /// Returns `None` if `namespace` is not found in the [`SchemaFragment`] or
1702    /// `ty` is not a valid entity type name or `ty` is not found in the
1703    /// corresponding namespace definition
1704    pub fn entity_type_annotations(
1705        &self,
1706        namespace: Option<EntityNamespace>,
1707        ty: &str,
1708    ) -> Option<impl Iterator<Item = (&str, &str)>> {
1709        let ns_def = self.lossless.0.get(&namespace.map(|n| n.0))?;
1710        let ty = ast::UnreservedId::from_normalized_str(ty).ok()?;
1711        ns_def
1712            .entity_types
1713            .get(&ty)
1714            .map(|ty| annotations_to_pairs(&ty.annotations))
1715    }
1716
1717    /// Get annotation value of an entity type declaration by annotation key
1718    /// `annotation_key`
1719    ///
1720    /// Returns `None` if `namespace` is not found in the [`SchemaFragment`]
1721    /// or `ty` is not a valid entity type name
1722    /// or `ty` is not found in the corresponding namespace definition
1723    /// or `annotation_key` is not a valid annotation key
1724    /// or it does not exist
1725    pub fn entity_type_annotation(
1726        &self,
1727        namespace: Option<EntityNamespace>,
1728        ty: &str,
1729        annotation_key: impl AsRef<str>,
1730    ) -> Option<&str> {
1731        let ns_def = self.lossless.0.get(&namespace.map(|n| n.0))?;
1732        let ty = ast::UnreservedId::from_normalized_str(ty).ok()?;
1733        get_annotation_by_key(&ns_def.entity_types.get(&ty)?.annotations, annotation_key)
1734    }
1735
1736    /// Get annotations of an action declaration
1737    ///
1738    /// Returns `None` if `namespace` is not found in the [`SchemaFragment`] or
1739    /// `id` is not found in the corresponding namespace definition
1740    pub fn action_annotations(
1741        &self,
1742        namespace: Option<EntityNamespace>,
1743        id: &EntityId,
1744    ) -> Option<impl Iterator<Item = (&str, &str)>> {
1745        let ns_def = self.lossless.0.get(&namespace.map(|n| n.0))?;
1746        ns_def
1747            .actions
1748            .get(id.unescaped())
1749            .map(|a| annotations_to_pairs(&a.annotations))
1750    }
1751
1752    /// Get annotation value of an action declaration by annotation key
1753    /// `annotation_key`
1754    ///
1755    /// Returns `None` if `namespace` is not found in the [`SchemaFragment`]
1756    /// or `id` is not found in the corresponding namespace definition
1757    /// or `annotation_key` is not a valid annotation key
1758    /// or it does not exist
1759    pub fn action_annotation(
1760        &self,
1761        namespace: Option<EntityNamespace>,
1762        id: &EntityId,
1763        annotation_key: impl AsRef<str>,
1764    ) -> Option<&str> {
1765        let ns_def = self.lossless.0.get(&namespace.map(|n| n.0))?;
1766        get_annotation_by_key(
1767            &ns_def.actions.get(id.unescaped())?.annotations,
1768            annotation_key,
1769        )
1770    }
1771
1772    /// Extract namespaces defined in this [`SchemaFragment`].
1773    ///
1774    /// `None` indicates the empty namespace.
1775    pub fn namespaces(&self) -> impl Iterator<Item = Option<EntityNamespace>> + '_ {
1776        self.value.namespaces().filter_map(|ns| {
1777            match ns.map(|ns| ast::Name::try_from(ns.clone())) {
1778                Some(Ok(n)) => Some(Some(EntityNamespace(n))),
1779                None => Some(None), // empty namespace, which we want to surface to the user
1780                Some(Err(_)) => {
1781                    // if the `SchemaFragment` contains namespaces with
1782                    // reserved `__cedar` components, that's an internal
1783                    // implementation detail; hide that from the user.
1784                    // Also note that `EntityNamespace` is backed by `Name`
1785                    // which can't even contain names with reserved
1786                    // `__cedar` components.
1787                    None
1788                }
1789            }
1790        })
1791    }
1792
1793    /// Create a [`SchemaFragment`] from a string containing JSON in the
1794    /// JSON schema format.
1795    pub fn from_json_str(src: &str) -> Result<Self, SchemaError> {
1796        let lossless = cedar_policy_core::validator::json_schema::Fragment::from_json_str(src)?;
1797        Ok(Self {
1798            value: lossless.clone().try_into()?,
1799            lossless,
1800        })
1801    }
1802
1803    /// Create a [`SchemaFragment`] from a JSON value (which should be an
1804    /// object of the shape required for the JSON schema format).
1805    pub fn from_json_value(json: serde_json::Value) -> Result<Self, SchemaError> {
1806        let lossless = cedar_policy_core::validator::json_schema::Fragment::from_json_value(json)?;
1807        Ok(Self {
1808            value: lossless.clone().try_into()?,
1809            lossless,
1810        })
1811    }
1812
1813    /// Parse a [`SchemaFragment`] from a reader containing the Cedar schema syntax
1814    pub fn from_cedarschema_file(
1815        r: impl std::io::Read,
1816    ) -> Result<(Self, impl Iterator<Item = SchemaWarning>), CedarSchemaError> {
1817        let (lossless, warnings) =
1818            cedar_policy_core::validator::json_schema::Fragment::from_cedarschema_file(
1819                r,
1820                Extensions::all_available(),
1821            )?;
1822        Ok((
1823            Self {
1824                value: lossless.clone().try_into()?,
1825                lossless,
1826            },
1827            warnings,
1828        ))
1829    }
1830
1831    /// Parse a [`SchemaFragment`] from a string containing the Cedar schema syntax
1832    pub fn from_cedarschema_str(
1833        src: &str,
1834    ) -> Result<(Self, impl Iterator<Item = SchemaWarning>), CedarSchemaError> {
1835        let (lossless, warnings) =
1836            cedar_policy_core::validator::json_schema::Fragment::from_cedarschema_str(
1837                src,
1838                Extensions::all_available(),
1839            )?;
1840        Ok((
1841            Self {
1842                value: lossless.clone().try_into()?,
1843                lossless,
1844            },
1845            warnings,
1846        ))
1847    }
1848
1849    /// Create a [`SchemaFragment`] directly from a JSON file (which should
1850    /// contain an object of the shape required for the JSON schema format).
1851    pub fn from_json_file(file: impl std::io::Read) -> Result<Self, SchemaError> {
1852        let lossless = cedar_policy_core::validator::json_schema::Fragment::from_json_file(file)?;
1853        Ok(Self {
1854            value: lossless.clone().try_into()?,
1855            lossless,
1856        })
1857    }
1858
1859    /// Serialize this [`SchemaFragment`] as a JSON value
1860    pub fn to_json_value(self) -> Result<serde_json::Value, SchemaError> {
1861        serde_json::to_value(self.lossless).map_err(|e| SchemaError::JsonSerialization(e.into()))
1862    }
1863
1864    /// Serialize this [`SchemaFragment`] as a JSON string
1865    pub fn to_json_string(&self) -> Result<String, SchemaError> {
1866        serde_json::to_string(&self.lossless).map_err(|e| SchemaError::JsonSerialization(e.into()))
1867    }
1868
1869    /// Serialize this [`SchemaFragment`] into a string in the Cedar schema
1870    /// syntax
1871    pub fn to_cedarschema(&self) -> Result<String, ToCedarSchemaError> {
1872        let str = self.lossless.to_cedarschema()?;
1873        Ok(str)
1874    }
1875}
1876
1877impl TryInto<Schema> for SchemaFragment {
1878    type Error = SchemaError;
1879
1880    /// Convert [`SchemaFragment`] into a [`Schema`]. To build the [`Schema`] we
1881    /// need to have all entity types defined, so an error will be returned if
1882    /// any undeclared entity types are referenced in the schema fragment.
1883    fn try_into(self) -> Result<Schema, Self::Error> {
1884        Ok(Schema(
1885            cedar_policy_core::validator::ValidatorSchema::from_schema_fragments(
1886                [self.value],
1887                Extensions::all_available(),
1888            )?,
1889        ))
1890    }
1891}
1892
1893impl FromStr for SchemaFragment {
1894    type Err = CedarSchemaError;
1895    /// Construct [`SchemaFragment`] from a string containing a schema formatted
1896    /// in the Cedar schema format. This can fail if the string is not a valid
1897    /// schema. This function does not check for consistency in the schema
1898    /// (e.g., references to undefined entities) because this is not required
1899    /// until a `Schema` is constructed.
1900    fn from_str(src: &str) -> Result<Self, Self::Err> {
1901        Self::from_cedarschema_str(src).map(|(frag, _)| frag)
1902    }
1903}
1904
1905/// Object containing schema information used by the validator.
1906#[repr(transparent)]
1907#[derive(Debug, Clone, RefCast)]
1908pub struct Schema(pub(crate) cedar_policy_core::validator::ValidatorSchema);
1909
1910#[doc(hidden)] // because this converts to a private/internal type
1911impl AsRef<cedar_policy_core::validator::ValidatorSchema> for Schema {
1912    fn as_ref(&self) -> &cedar_policy_core::validator::ValidatorSchema {
1913        &self.0
1914    }
1915}
1916
1917#[doc(hidden)]
1918impl From<cedar_policy_core::validator::ValidatorSchema> for Schema {
1919    fn from(schema: cedar_policy_core::validator::ValidatorSchema) -> Self {
1920        Self(schema)
1921    }
1922}
1923
1924impl FromStr for Schema {
1925    type Err = CedarSchemaError;
1926
1927    /// Construct a [`Schema`] from a string containing a schema formatted in
1928    /// the Cedar schema format. This can fail if it is not possible to parse a
1929    /// schema from the string, or if errors in values in the schema are
1930    /// uncovered after parsing. For instance, when an entity attribute name is
1931    /// found to not be a valid attribute name according to the Cedar
1932    /// grammar.
1933    fn from_str(schema_src: &str) -> Result<Self, Self::Err> {
1934        Self::from_cedarschema_str(schema_src).map(|(schema, _)| schema)
1935    }
1936}
1937
1938impl Schema {
1939    /// Create a [`Schema`] from multiple [`SchemaFragment`]. The individual
1940    /// fragments may reference entity or common types that are not declared in that
1941    /// fragment, but all referenced entity and common types must be declared in some
1942    /// fragment.
1943    pub fn from_schema_fragments(
1944        fragments: impl IntoIterator<Item = SchemaFragment>,
1945    ) -> Result<Self, SchemaError> {
1946        Ok(Self(
1947            cedar_policy_core::validator::ValidatorSchema::from_schema_fragments(
1948                fragments.into_iter().map(|f| f.value),
1949                Extensions::all_available(),
1950            )?,
1951        ))
1952    }
1953
1954    /// Create a [`Schema`] from a JSON value (which should be an object of the
1955    /// shape required for the JSON schema format).
1956    pub fn from_json_value(json: serde_json::Value) -> Result<Self, SchemaError> {
1957        Ok(Self(
1958            cedar_policy_core::validator::ValidatorSchema::from_json_value(
1959                json,
1960                Extensions::all_available(),
1961            )?,
1962        ))
1963    }
1964
1965    /// Create a [`Schema`] from a string containing JSON in the appropriate
1966    /// shape.
1967    pub fn from_json_str(json: &str) -> Result<Self, SchemaError> {
1968        Ok(Self(
1969            cedar_policy_core::validator::ValidatorSchema::from_json_str(
1970                json,
1971                Extensions::all_available(),
1972            )?,
1973        ))
1974    }
1975
1976    /// Create a [`Schema`] directly from a file containing JSON in the
1977    /// appropriate shape.
1978    pub fn from_json_file(file: impl std::io::Read) -> Result<Self, SchemaError> {
1979        Ok(Self(
1980            cedar_policy_core::validator::ValidatorSchema::from_json_file(
1981                file,
1982                Extensions::all_available(),
1983            )?,
1984        ))
1985    }
1986
1987    /// Parse the schema from a reader, in the Cedar schema format.
1988    pub fn from_cedarschema_file(
1989        file: impl std::io::Read,
1990    ) -> Result<(Self, impl Iterator<Item = SchemaWarning> + 'static), CedarSchemaError> {
1991        let (schema, warnings) =
1992            cedar_policy_core::validator::ValidatorSchema::from_cedarschema_file(
1993                file,
1994                Extensions::all_available(),
1995            )?;
1996        Ok((Self(schema), warnings))
1997    }
1998
1999    /// Parse the schema from a string, in the Cedar schema format.
2000    pub fn from_cedarschema_str(
2001        src: &str,
2002    ) -> Result<(Self, impl Iterator<Item = SchemaWarning>), CedarSchemaError> {
2003        let (schema, warnings) =
2004            cedar_policy_core::validator::ValidatorSchema::from_cedarschema_str(
2005                src,
2006                Extensions::all_available(),
2007            )?;
2008        Ok((Self(schema), warnings))
2009    }
2010
2011    /// Extract from the schema an [`Entities`] containing the action entities
2012    /// declared in the schema.
2013    pub fn action_entities(&self) -> Result<Entities, EntitiesError> {
2014        Ok(Entities(self.0.action_entities()?))
2015    }
2016
2017    /// Returns an iterator over every entity type that can be a principal for any action in this schema
2018    ///
2019    /// Note: this iterator may contain duplicates.
2020    ///
2021    /// # Examples
2022    /// Here's an example of using a [`std::collections::HashSet`] to get a de-duplicated set of principals
2023    /// ```
2024    /// use std::collections::HashSet;
2025    /// use cedar_policy::Schema;
2026    /// let schema : Schema = r#"
2027    ///     entity User;
2028    ///     entity Folder;
2029    ///     action Access appliesTo {
2030    ///         principal : User,
2031    ///         resource : Folder,
2032    ///     };
2033    ///     action Delete appliesTo {
2034    ///         principal : User,
2035    ///         resource : Folder,
2036    ///     };
2037    /// "#.parse().unwrap();
2038    /// let principals = schema.principals().collect::<HashSet<_>>();
2039    /// assert_eq!(principals, HashSet::from([&"User".parse().unwrap()]));
2040    /// ```
2041    pub fn principals(&self) -> impl Iterator<Item = &EntityTypeName> {
2042        self.0.principals().map(RefCast::ref_cast)
2043    }
2044
2045    /// Returns an iterator over every entity type that can be a resource for any action in this schema
2046    ///
2047    /// Note: this iterator may contain duplicates.
2048    /// # Examples
2049    /// Here's an example of using a [`std::collections::HashSet`] to get a de-duplicated set of resources
2050    /// ```
2051    /// use std::collections::HashSet;
2052    /// use cedar_policy::Schema;
2053    /// let schema : Schema = r#"
2054    ///     entity User;
2055    ///     entity Folder;
2056    ///     action Access appliesTo {
2057    ///         principal : User,
2058    ///         resource : Folder,
2059    ///     };
2060    ///     action Delete appliesTo {
2061    ///         principal : User,
2062    ///         resource : Folder,
2063    ///     };
2064    /// "#.parse().unwrap();
2065    /// let resources = schema.resources().collect::<HashSet<_>>();
2066    /// assert_eq!(resources, HashSet::from([&"Folder".parse().unwrap()]));
2067    /// ```
2068    pub fn resources(&self) -> impl Iterator<Item = &EntityTypeName> {
2069        self.0.resources().map(RefCast::ref_cast)
2070    }
2071
2072    /// Returns an iterator over every entity type that can be a principal for `action` in this schema
2073    ///
2074    /// ## Errors
2075    ///
2076    /// Returns [`None`] if `action` is not found in the schema
2077    pub fn principals_for_action(
2078        &self,
2079        action: &EntityUid,
2080    ) -> Option<impl Iterator<Item = &EntityTypeName>> {
2081        self.0
2082            .principals_for_action(&action.0)
2083            .map(|iter| iter.map(RefCast::ref_cast))
2084    }
2085
2086    /// Returns an iterator over every entity type that can be a resource for `action` in this schema
2087    ///
2088    /// ## Errors
2089    ///
2090    /// Returns [`None`] if `action` is not found in the schema
2091    pub fn resources_for_action(
2092        &self,
2093        action: &EntityUid,
2094    ) -> Option<impl Iterator<Item = &EntityTypeName>> {
2095        self.0
2096            .resources_for_action(&action.0)
2097            .map(|iter| iter.map(RefCast::ref_cast))
2098    }
2099
2100    /// Returns an iterator over all the [`RequestEnv`]s that are valid
2101    /// according to this schema.
2102    pub fn request_envs(&self) -> impl Iterator<Item = RequestEnv> + '_ {
2103        self.0
2104            .unlinked_request_envs(cedar_policy_core::validator::ValidationMode::Strict)
2105            .map(Into::into)
2106    }
2107
2108    /// Returns an iterator over all the entity types that can be an ancestor of `ty`
2109    ///
2110    /// ## Errors
2111    ///
2112    /// Returns [`None`] if the `ty` is not found in the schema
2113    pub fn ancestors<'a>(
2114        &'a self,
2115        ty: &'a EntityTypeName,
2116    ) -> Option<impl Iterator<Item = &'a EntityTypeName> + 'a> {
2117        self.0
2118            .ancestors(&ty.0)
2119            .map(|iter| iter.map(RefCast::ref_cast))
2120    }
2121
2122    /// Returns an iterator over all the action groups defined in this schema
2123    pub fn action_groups(&self) -> impl Iterator<Item = &EntityUid> {
2124        self.0.action_groups().map(RefCast::ref_cast)
2125    }
2126
2127    /// Returns an iterator over all entity types defined in this schema
2128    pub fn entity_types(&self) -> impl Iterator<Item = &EntityTypeName> {
2129        self.0
2130            .entity_types()
2131            .map(|ety| RefCast::ref_cast(ety.name()))
2132    }
2133
2134    /// Returns an iterator over all actions defined in this schema
2135    pub fn actions(&self) -> impl Iterator<Item = &EntityUid> {
2136        self.0.actions().map(RefCast::ref_cast)
2137    }
2138
2139    /// Returns an iterator over the actions that apply to this principal and
2140    /// resource type, as specified by the `appliesTo` block for the action in
2141    /// this schema.
2142    pub fn actions_for_principal_and_resource<'a: 'b, 'b>(
2143        &'a self,
2144        principal_type: &'b EntityTypeName,
2145        resource_type: &'b EntityTypeName,
2146    ) -> impl Iterator<Item = &'a EntityUid> + 'b {
2147        self.0
2148            .actions_for_principal_and_resource(&principal_type.0, &resource_type.0)
2149            .map(RefCast::ref_cast)
2150    }
2151}
2152
2153/// Convert a Cedar schema string to JSON format with resolved types.
2154///
2155/// This function resolves ambiguous "`EntityOrCommon`" types to their specific
2156/// Entity or `CommonType` classifications using the schema's type definitions.
2157/// This is primarily meant to be used when working with schemas programmatically,
2158/// for example when creating a schema building UI.
2159///
2160/// Returns `Ok((json_value, warnings))` on success, or `Err(error)` on failure.
2161/// Fails if there are any types in the schema that are unresolved.
2162pub fn schema_str_to_json_with_resolved_types(
2163    schema_str: &str,
2164) -> Result<(serde_json::Value, Vec<SchemaWarning>), CedarSchemaError> {
2165    // Parse the Cedar schema string into a fragment
2166    let (json_schema_fragment, warnings) =
2167        json_schema::Fragment::from_cedarschema_str(schema_str, Extensions::all_available())
2168            .map_err(
2169                |e: cedar_policy_core::validator::CedarSchemaError| -> CedarSchemaError {
2170                    e.into()
2171                },
2172            )?;
2173
2174    let warnings_as_schema_warnings: Vec<SchemaWarning> = warnings.collect();
2175
2176    // Use the new method from json_schema.rs to get the resolved fragment
2177    let fully_resolved_fragment =
2178        match json_schema_fragment.to_internal_name_fragment_with_resolved_types() {
2179            Ok(fragment) => fragment,
2180            Err(e) => {
2181                // SchemaError can be directly converted to CedarSchemaError
2182                return Err(e.into());
2183            }
2184        };
2185
2186    // Serialize the resolved fragment to JSON
2187    let json_value = serde_json::to_value(&fully_resolved_fragment).map_err(|e| {
2188        let schema_error = SchemaError::JsonSerialization(
2189            cedar_policy_core::validator::schema_errors::JsonSerializationError::from(e),
2190        );
2191        CedarSchemaError::Schema(schema_error)
2192    })?;
2193
2194    Ok((json_value, warnings_as_schema_warnings))
2195}
2196
2197/// Contains the result of policy validation.
2198///
2199/// The result includes the list of issues found by validation and whether validation succeeds or fails.
2200
2201#[cfg(test)]
2202mod test_schema_str_to_json_with_resolved_types {
2203    use super::*;
2204
2205    #[test]
2206    fn test_unresolved_type_error() {
2207        let schema_str = r#"entity User = { "name": MyName };"#;
2208
2209        let result = schema_str_to_json_with_resolved_types(schema_str);
2210
2211        // Should return an error because MyName is not defined
2212        match result {
2213            Ok(_) => panic!("Expected error but got success - MyName should not be resolved"),
2214            Err(CedarSchemaError::Schema(SchemaError::TypeNotDefined(type_not_defined_error))) => {
2215                // Verify that the error message contains information about the undefined type "MyName"
2216                let error_message = format!("{}", type_not_defined_error);
2217                assert!(
2218                    error_message.contains("MyName"),
2219                    "Expected error message to contain 'MyName', but got: {}",
2220                    error_message
2221                );
2222
2223                // Verify it's specifically about failing to resolve types
2224                assert!(
2225                    error_message.contains("failed to resolve type"),
2226                    "Expected error message to mention 'failed to resolve type', but got: {}",
2227                    error_message
2228                );
2229            }
2230            Err(CedarSchemaError::Schema(other_schema_error)) => {
2231                panic!(
2232                    "Expected TypeNotDefined error, but got different SchemaError: {:?}",
2233                    other_schema_error
2234                );
2235            }
2236            Err(CedarSchemaError::Parse(parse_error)) => {
2237                panic!(
2238                    "Expected TypeNotDefined error, but got parse error: {:?}",
2239                    parse_error
2240                );
2241            }
2242            Err(CedarSchemaError::Io(io_error)) => {
2243                panic!(
2244                    "Expected TypeNotDefined error, but got IO error: {:?}",
2245                    io_error
2246                );
2247            }
2248        }
2249    }
2250
2251    #[test]
2252    fn test_successful_resolution() {
2253        let schema_str = r#"
2254            type MyName = String;
2255            entity User = { "name": MyName };
2256        "#;
2257
2258        let result = schema_str_to_json_with_resolved_types(schema_str);
2259
2260        match result {
2261            Ok((json_value, warnings)) => {
2262                // Verify we got a JSON value
2263                assert!(json_value.is_object(), "Expected JSON object");
2264
2265                // Verify the JSON doesn't contain "EntityOrCommon" (should be resolved)
2266                let json_str = serde_json::to_string(&json_value).unwrap();
2267                assert!(
2268                    !json_str.contains("EntityOrCommon"),
2269                    "JSON should not contain unresolved EntityOrCommon types: {}",
2270                    json_str
2271                );
2272
2273                // Verify MyName is resolved to a reference to the common type
2274                assert!(
2275                    json_str.contains("MyName"),
2276                    "JSON should contain resolved MyName type reference: {}",
2277                    json_str
2278                );
2279
2280                // Should have no warnings for this simple valid schema
2281                assert_eq!(warnings.len(), 0, "Expected no warnings for valid schema");
2282            }
2283            Err(e) => panic!("Expected success but got error: {:?}", e),
2284        }
2285    }
2286}
2287/// Validation succeeds if there are no fatal errors. There may still be
2288/// non-fatal warnings present when validation passes.
2289#[derive(Debug, Clone)]
2290pub struct ValidationResult {
2291    validation_errors: Vec<ValidationError>,
2292    validation_warnings: Vec<ValidationWarning>,
2293}
2294
2295impl ValidationResult {
2296    /// True when validation passes. There are no errors, but there may be
2297    /// non-fatal warnings. Use [`ValidationResult::validation_passed_without_warnings`]
2298    /// to check that there are also no warnings.
2299    pub fn validation_passed(&self) -> bool {
2300        self.validation_errors.is_empty()
2301    }
2302
2303    /// True when validation passes (i.e., there are no errors) and there are
2304    /// additionally no non-fatal warnings.
2305    pub fn validation_passed_without_warnings(&self) -> bool {
2306        self.validation_errors.is_empty() && self.validation_warnings.is_empty()
2307    }
2308
2309    /// Get an iterator over the errors found by the validator.
2310    pub fn validation_errors(&self) -> impl Iterator<Item = &ValidationError> {
2311        self.validation_errors.iter()
2312    }
2313
2314    /// Get an iterator over the warnings found by the validator.
2315    pub fn validation_warnings(&self) -> impl Iterator<Item = &ValidationWarning> {
2316        self.validation_warnings.iter()
2317    }
2318
2319    fn first_error_or_warning(&self) -> Option<&dyn Diagnostic> {
2320        self.validation_errors
2321            .first()
2322            .map(|e| e as &dyn Diagnostic)
2323            .or_else(|| {
2324                self.validation_warnings
2325                    .first()
2326                    .map(|w| w as &dyn Diagnostic)
2327            })
2328    }
2329
2330    pub(crate) fn into_errors_and_warnings(
2331        self,
2332    ) -> (
2333        impl Iterator<Item = ValidationError>,
2334        impl Iterator<Item = ValidationWarning>,
2335    ) {
2336        (
2337            self.validation_errors.into_iter(),
2338            self.validation_warnings.into_iter(),
2339        )
2340    }
2341}
2342
2343#[doc(hidden)]
2344impl From<cedar_policy_core::validator::ValidationResult> for ValidationResult {
2345    fn from(r: cedar_policy_core::validator::ValidationResult) -> Self {
2346        let (errors, warnings) = r.into_errors_and_warnings();
2347        Self {
2348            validation_errors: errors.map(ValidationError::from).collect(),
2349            validation_warnings: warnings.map(ValidationWarning::from).collect(),
2350        }
2351    }
2352}
2353
2354impl std::fmt::Display for ValidationResult {
2355    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
2356        match self.first_error_or_warning() {
2357            Some(diagnostic) => write!(f, "{diagnostic}"),
2358            None => write!(f, "no errors or warnings"),
2359        }
2360    }
2361}
2362
2363impl std::error::Error for ValidationResult {
2364    fn source(&self) -> Option<&(dyn std::error::Error + 'static)> {
2365        self.first_error_or_warning()
2366            .and_then(std::error::Error::source)
2367    }
2368
2369    fn description(&self) -> &str {
2370        #[expect(
2371            deprecated,
2372            reason = "description() is deprecated but we still want to forward it"
2373        )]
2374        self.first_error_or_warning()
2375            .map_or("no errors or warnings", std::error::Error::description)
2376    }
2377
2378    fn cause(&self) -> Option<&dyn std::error::Error> {
2379        #[expect(
2380            deprecated,
2381            reason = "cause() is deprecated but we still want to forward it"
2382        )]
2383        self.first_error_or_warning()
2384            .and_then(std::error::Error::cause)
2385    }
2386}
2387
2388// Except for `.related()`, and `.severity` everything is forwarded to the first
2389// error, or to the first warning if there are no errors. This is done for the
2390// same reason as policy parse errors.
2391impl Diagnostic for ValidationResult {
2392    fn related(&self) -> Option<Box<dyn Iterator<Item = &dyn Diagnostic> + '_>> {
2393        let mut related = self
2394            .validation_errors
2395            .iter()
2396            .map(|err| err as &dyn Diagnostic)
2397            .chain(
2398                self.validation_warnings
2399                    .iter()
2400                    .map(|warn| warn as &dyn Diagnostic),
2401            );
2402        related.next().map(move |first| match first.related() {
2403            Some(first_related) => Box::new(first_related.chain(related)),
2404            None => Box::new(related) as Box<dyn Iterator<Item = _>>,
2405        })
2406    }
2407
2408    fn severity(&self) -> Option<miette::Severity> {
2409        self.first_error_or_warning()
2410            .map_or(Some(miette::Severity::Advice), Diagnostic::severity)
2411    }
2412
2413    fn labels(&self) -> Option<Box<dyn Iterator<Item = miette::LabeledSpan> + '_>> {
2414        self.first_error_or_warning().and_then(Diagnostic::labels)
2415    }
2416
2417    fn source_code(&self) -> Option<&dyn miette::SourceCode> {
2418        self.first_error_or_warning()
2419            .and_then(Diagnostic::source_code)
2420    }
2421
2422    fn code(&self) -> Option<Box<dyn std::fmt::Display + '_>> {
2423        self.first_error_or_warning().and_then(Diagnostic::code)
2424    }
2425
2426    fn url(&self) -> Option<Box<dyn std::fmt::Display + '_>> {
2427        self.first_error_or_warning().and_then(Diagnostic::url)
2428    }
2429
2430    fn help(&self) -> Option<Box<dyn std::fmt::Display + '_>> {
2431        self.first_error_or_warning().and_then(Diagnostic::help)
2432    }
2433
2434    fn diagnostic_source(&self) -> Option<&dyn Diagnostic> {
2435        self.first_error_or_warning()
2436            .and_then(Diagnostic::diagnostic_source)
2437    }
2438}
2439
2440/// Scan a set of policies for potentially confusing/obfuscating text.
2441///
2442/// These checks are also provided through [`Validator::validate`] which provides more
2443/// comprehensive error detection, but this function can be used to check for
2444/// confusable strings without defining a schema.
2445pub fn confusable_string_checker<'a>(
2446    templates: impl Iterator<Item = &'a Template> + 'a,
2447) -> impl Iterator<Item = ValidationWarning> + 'a {
2448    cedar_policy_core::validator::confusable_string_checks(templates.map(|t| &t.ast))
2449        .map(std::convert::Into::into)
2450}
2451
2452/// Represents a namespace.
2453///
2454/// An `EntityNamespace` can can be constructed using
2455/// [`EntityNamespace::from_str`] or by calling `parse()` on a string.
2456/// _This can fail_, so it is important to properly handle an `Err` result.
2457///
2458/// ```
2459/// # use cedar_policy::EntityNamespace;
2460/// let id : Result<EntityNamespace, _> = "My::Name::Space".parse();
2461/// # assert_eq!(id.unwrap().to_string(), "My::Name::Space".to_string());
2462/// ```
2463#[derive(Debug, Clone, Hash, PartialEq, Eq, PartialOrd, Ord)]
2464pub struct EntityNamespace(pub(crate) ast::Name);
2465
2466#[doc(hidden)] // because this converts to a private/internal type
2467impl AsRef<ast::Name> for EntityNamespace {
2468    fn as_ref(&self) -> &ast::Name {
2469        &self.0
2470    }
2471}
2472
2473/// This `FromStr` implementation requires the _normalized_ representation of the
2474/// namespace. See <https://github.com/cedar-policy/rfcs/pull/9/>.
2475impl FromStr for EntityNamespace {
2476    type Err = ParseErrors;
2477
2478    fn from_str(namespace_str: &str) -> Result<Self, Self::Err> {
2479        ast::Name::from_normalized_str(namespace_str)
2480            .map(EntityNamespace)
2481            .map_err(Into::into)
2482    }
2483}
2484
2485impl std::fmt::Display for EntityNamespace {
2486    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
2487        write!(f, "{}", self.0)
2488    }
2489}
2490
2491#[derive(Debug, Clone, Default)]
2492/// A struct representing a `PolicySet` as a series of strings for ser/de.
2493/// A `PolicySet` that contains template-linked policies cannot be
2494/// represented as this struct.
2495pub(crate) struct StringifiedPolicySet {
2496    /// The static policies in the set
2497    pub policies: Vec<String>,
2498    /// The policy templates in the set
2499    pub policy_templates: Vec<String>,
2500}
2501
2502/// Represents a set of `Policy`s
2503#[derive(Debug, Clone, Default)]
2504pub struct PolicySet {
2505    /// AST representation. Technically partially redundant with the other fields.
2506    /// Internally, we ensure that the duplicated information remains consistent.
2507    pub(crate) ast: ast::PolicySet,
2508    /// Policies in the set (this includes both static policies and template linked-policies)
2509    policies: LinkedHashMap<PolicyId, Policy>,
2510    /// Templates in the set
2511    templates: LinkedHashMap<PolicyId, Template>,
2512}
2513
2514impl PartialEq for PolicySet {
2515    fn eq(&self, other: &Self) -> bool {
2516        // eq is based on just the `ast`
2517        self.ast.eq(&other.ast)
2518    }
2519}
2520impl Eq for PolicySet {}
2521
2522#[doc(hidden)] // because this converts to a private/internal type
2523impl AsRef<ast::PolicySet> for PolicySet {
2524    fn as_ref(&self) -> &ast::PolicySet {
2525        &self.ast
2526    }
2527}
2528
2529#[doc(hidden)]
2530impl TryFrom<ast::PolicySet> for PolicySet {
2531    type Error = PolicySetError;
2532    fn try_from(pset: ast::PolicySet) -> Result<Self, Self::Error> {
2533        Self::from_ast(pset)
2534    }
2535}
2536
2537impl FromStr for PolicySet {
2538    type Err = ParseErrors;
2539
2540    /// Create a policy set from multiple statements.
2541    ///
2542    /// Policy ids will default to "policy*" with numbers from 0.
2543    /// If you load more policies, do not use the default id, or there will be conflicts.
2544    ///
2545    /// See [`Policy`] for more.
2546    fn from_str(policies: &str) -> Result<Self, Self::Err> {
2547        let (texts, pset) = parser::parse_policyset_and_also_return_policy_text(policies)?;
2548        #[expect(clippy::expect_used, reason = "By the invariant on `parse_policyset_and_also_return_policy_text(policies)`, every `PolicyId` in `pset.policies()` occurs as a key in `text`.")]
2549        let policies = pset.policies().map(|p|
2550            (
2551                PolicyId::new(p.id().clone()),
2552                Policy { lossless: LosslessPolicy::policy_or_template_text(*texts.get(p.id()).expect("internal invariant violation: policy id exists in asts but not texts")), ast: p.clone() }
2553            )
2554        ).collect();
2555        #[expect(
2556            clippy::expect_used,
2557            reason = "By the invariant on `parse_policyset_and_also_return_policy_text(policies)`, every `PolicyId` in `pset.templates()` also occurs as a key in `text`."
2558        )]
2559        let templates = pset
2560            .templates()
2561            .map(|t| {
2562                (
2563                    PolicyId::new(t.id().clone()),
2564                    Template {
2565                        lossless: LosslessTemplate::from_text(*texts.get(t.id()).expect(
2566                            "internal invariant violation: template id exists in asts but not ests",
2567                        )),
2568                        ast: t.clone(),
2569                    },
2570                )
2571            })
2572            .collect();
2573        Ok(Self {
2574            ast: pset,
2575            policies,
2576            templates,
2577        })
2578    }
2579}
2580
2581impl PolicySet {
2582    /// Build the policy set AST from the EST
2583    fn from_est(est: &est::PolicySet) -> Result<Self, PolicySetError> {
2584        let ast: ast::PolicySet = est.clone().try_into()?;
2585        #[expect(
2586            clippy::expect_used,
2587            reason = "Since conversion from EST to AST succeeded, every `PolicyId` in `ast.policies()` occurs in `est`"
2588        )]
2589        let policies = ast
2590            .policies()
2591            .map(|p| {
2592                (
2593                    PolicyId::new(p.id().clone()),
2594                    Policy {
2595                        lossless: LosslessPolicy::Est(est.get_policy(p.id()).expect(
2596                            "internal invariant violation: policy id exists in asts but not ests",
2597                        )),
2598                        ast: p.clone(),
2599                    },
2600                )
2601            })
2602            .collect();
2603        #[expect(
2604            clippy::expect_used,
2605            reason = "Since conversion from EST to AST succeeded, every `PolicyId` in `ast.templates()` occurs in `est`"
2606        )]
2607        let templates = ast
2608            .templates()
2609            .map(|t| {
2610                (
2611                    PolicyId::new(t.id().clone()),
2612                    Template {
2613                        lossless: LosslessTemplate::Est(est.get_template(t.id()).expect(
2614                            "internal invariant violation: template id exists in asts but not ests",
2615                        )),
2616                        ast: t.clone(),
2617                    },
2618                )
2619            })
2620            .collect();
2621        Ok(Self {
2622            ast,
2623            policies,
2624            templates,
2625        })
2626    }
2627
2628    /// Build the [`PolicySet`] from just the AST information
2629    pub(crate) fn from_ast(ast: ast::PolicySet) -> Result<Self, PolicySetError> {
2630        let templates = ast
2631            .templates()
2632            .cloned()
2633            .map(|t| (PolicyId::new(t.id().clone()), t.into()))
2634            .collect();
2635        let policies = ast
2636            .policies()
2637            .cloned()
2638            .map(|p| (PolicyId::new(p.id().clone()), p.into()))
2639            .collect();
2640        Ok(Self {
2641            ast,
2642            policies,
2643            templates,
2644        })
2645    }
2646
2647    /// Construct a [`PolicySet`] from a PST [`pst::PolicySet`].
2648    ///
2649    /// Templates, static policies, and template links are all converted.
2650    /// A subsequent call to [`to_pst()`](Self::to_pst) or
2651    /// [`try_into_pst()`](Self::try_into_pst) will return the original PST
2652    /// without re-conversion.
2653    pub fn from_pst(pst_set: pst::PolicySet) -> Result<Self, PolicySetError> {
2654        let mut set = Self::new();
2655        for (id, template) in pst_set.templates {
2656            let ast_template: ast::Template = template.clone().try_into()?;
2657            set.ast.add_template(ast_template.clone())?;
2658            set.templates.insert(
2659                id.into(),
2660                Template {
2661                    ast: ast_template,
2662                    lossless: LosslessTemplate::Pst(template),
2663                },
2664            );
2665        }
2666        for (id, static_policy) in pst_set.policies {
2667            let pst_policy = pst::Policy::Static(static_policy);
2668            let ast_policy: ast::Policy = pst_policy.clone().try_into()?;
2669            set.ast.add(ast_policy.clone())?;
2670            set.policies.insert(
2671                id.into(),
2672                Policy {
2673                    ast: ast_policy,
2674                    lossless: LosslessPolicy::Pst(pst_policy),
2675                },
2676            );
2677        }
2678        for link in pst_set.template_links {
2679            let vals: HashMap<SlotId, EntityUid> = link
2680                .values
2681                .into_iter()
2682                .map(|(k, v)| {
2683                    let ast_uid = ast::EntityUID::from(v);
2684                    (k.into(), EntityUid(ast_uid))
2685                })
2686                .collect();
2687            set.link(link.template_id.into(), link.new_id.into(), vals)?;
2688        }
2689        Ok(set)
2690    }
2691
2692    /// Deserialize the [`PolicySet`] from a JSON string
2693    pub fn from_json_str(src: impl AsRef<str>) -> Result<Self, PolicySetError> {
2694        let est: est::PolicySet = serde_json::from_str(src.as_ref())
2695            .map_err(|e| policy_set_errors::JsonPolicySetError { inner: e })?;
2696        Self::from_est(&est)
2697    }
2698
2699    /// Deserialize the [`PolicySet`] from a JSON value
2700    pub fn from_json_value(src: serde_json::Value) -> Result<Self, PolicySetError> {
2701        let est: est::PolicySet = serde_json::from_value(src)
2702            .map_err(|e| policy_set_errors::JsonPolicySetError { inner: e })?;
2703        Self::from_est(&est)
2704    }
2705
2706    /// Deserialize the [`PolicySet`] from a JSON reader
2707    pub fn from_json_file(r: impl std::io::Read) -> Result<Self, PolicySetError> {
2708        let est: est::PolicySet = serde_json::from_reader(r)
2709            .map_err(|e| policy_set_errors::JsonPolicySetError { inner: e })?;
2710        Self::from_est(&est)
2711    }
2712
2713    /// Serialize the [`PolicySet`] as a JSON value
2714    pub fn to_json(self) -> Result<serde_json::Value, PolicySetError> {
2715        let est = self.est()?;
2716        let value = serde_json::to_value(est)
2717            .map_err(|e| policy_set_errors::JsonPolicySetError { inner: e })?;
2718        Ok(value)
2719    }
2720
2721    /// Get the PST representation of this [`PolicySet`].
2722    ///
2723    /// Returns a [`pst::PolicySet`] containing the templates, static policies,
2724    /// and template links. Linked policies are decomposed into
2725    /// [`pst::TemplateLink`] entries.
2726    ///
2727    /// If the `PolicySet` was originally constructed from PST, the stored
2728    /// representation is cloned. Otherwise, each policy and template is
2729    /// converted to PST.
2730    pub fn to_pst(&self) -> Result<pst::PolicySet, PolicySetError> {
2731        let templates = self
2732            .templates
2733            .iter()
2734            .map(|(id, t)| Ok((id.clone().into(), t.to_pst()?)))
2735            .collect::<Result<_, pst::PstConstructionError>>()?;
2736        let mut policies = LinkedHashMap::new();
2737        let mut template_links = Vec::new();
2738        for (id, policy) in &self.policies {
2739            if policy.is_static() {
2740                if let pst::Policy::Static(sp) = policy.to_pst()? {
2741                    policies.insert(id.clone().into(), sp);
2742                }
2743            } else {
2744                template_links.push(pst::TemplateLink {
2745                    template_id: policy.ast.template().id().clone().into(),
2746                    new_id: id.clone().into(),
2747                    values: policy
2748                        .ast
2749                        .env()
2750                        .iter()
2751                        .map(|(k, v)| ((*k).into(), v.clone().into()))
2752                        .collect(),
2753                });
2754            }
2755        }
2756        Ok(pst::PolicySet {
2757            templates,
2758            policies,
2759            template_links,
2760        })
2761    }
2762
2763    /// Get an owned PST representation of this [`PolicySet`].
2764    ///
2765    /// Like [`to_pst()`](Self::to_pst), but consumes `self` to avoid cloning
2766    /// when the `PolicySet` was originally constructed from PST.
2767    pub fn try_into_pst(self) -> Result<pst::PolicySet, PolicySetError> {
2768        let templates = self
2769            .templates
2770            .into_iter()
2771            .map(|(id, t)| Ok((id.into(), t.try_into_pst()?)))
2772            .collect::<Result<_, pst::PstConstructionError>>()?;
2773        let mut policies = LinkedHashMap::new();
2774        let mut template_links = Vec::new();
2775        for (id, policy) in self.policies {
2776            if policy.is_static() {
2777                if let pst::Policy::Static(sp) = policy.try_into_pst()? {
2778                    policies.insert(id.into(), sp);
2779                }
2780            } else {
2781                template_links.push(pst::TemplateLink {
2782                    template_id: policy.ast.template().id().clone().into(),
2783                    new_id: id.into(),
2784                    values: policy
2785                        .ast
2786                        .env()
2787                        .iter()
2788                        .map(|(k, v)| ((*k).into(), v.clone().into()))
2789                        .collect(),
2790                });
2791            }
2792        }
2793        Ok(pst::PolicySet {
2794            templates,
2795            policies,
2796            template_links,
2797        })
2798    }
2799
2800    /// Get the EST representation of the [`PolicySet`]
2801    fn est(self) -> Result<est::PolicySet, PolicyToJsonError> {
2802        let (static_policies, template_links): (Vec<_>, Vec<_>) =
2803            fold_partition(self.policies, is_static_or_link)?;
2804        let static_policies = static_policies.into_iter().collect::<LinkedHashMap<_, _>>();
2805        let templates = self
2806            .templates
2807            .into_iter()
2808            .map(|(id, template)| {
2809                template
2810                    .lossless
2811                    .est(|| template.ast.clone().into())
2812                    .map(|est| (id.into(), est))
2813            })
2814            .collect::<Result<LinkedHashMap<_, _>, _>>()?;
2815        let est = est::PolicySet {
2816            templates,
2817            static_policies,
2818            template_links,
2819        };
2820
2821        Ok(est)
2822    }
2823
2824    /// Get the human-readable Cedar syntax representation of this policy set.
2825    /// This function is primarily intended for rendering JSON policies in the
2826    /// human-readable syntax, but it will also return the original policy text
2827    /// (though possibly re-ordering policies within the policy set) when the
2828    /// policy-set contains policies parsed from the human-readable syntax.
2829    ///
2830    /// This will return `None` if there are any linked policies in the policy
2831    /// set because they cannot be directly rendered in Cedar syntax. It also
2832    /// cannot record policy ids because these cannot be specified in the Cedar
2833    /// syntax. The policies may be reordered, so parsing the resulting string
2834    /// with [`PolicySet::from_str`] is likely to yield different policy id
2835    /// assignments. For these reasons you should prefer serializing as JSON (or protobuf) and
2836    /// only using this function to obtain a representation to display to human
2837    /// users.
2838    ///
2839    /// This function does not format the policy according to any particular
2840    /// rules.  Policy formatting can be done through the Cedar policy CLI or
2841    /// the `cedar-policy-formatter` crate.
2842    pub fn to_cedar(&self) -> Option<String> {
2843        match self.stringify() {
2844            Some(StringifiedPolicySet {
2845                policies,
2846                policy_templates,
2847            }) => {
2848                let policies_as_vec = policies
2849                    .into_iter()
2850                    .chain(policy_templates)
2851                    .collect::<Vec<_>>();
2852                Some(policies_as_vec.join("\n\n"))
2853            }
2854            None => None,
2855        }
2856    }
2857
2858    /// Get the human-readable Cedar syntax representation of this policy set,
2859    /// as a vec of strings. This function is useful to break up a large cedar
2860    /// file containing many policies into individual policies.
2861    ///
2862    /// This will return `None` if there are any linked policies in the policy
2863    /// set because they cannot be directly rendered in Cedar syntax. It also
2864    /// cannot record policy ids because these cannot be specified in the Cedar
2865    /// syntax. The policies may be reordered, so parsing the resulting string
2866    /// with [`PolicySet::from_str`] is likely to yield different policy id
2867    /// assignments. For these reasons you should prefer serializing as JSON (or protobuf) and
2868    /// only using this function to obtain a compact cedar representation,
2869    /// perhaps for storage purposes.
2870    ///
2871    /// This function does not format the policy according to any particular
2872    /// rules.  Policy formatting can be done through the Cedar policy CLI or
2873    /// the `cedar-policy-formatter` crate.
2874    pub(crate) fn stringify(&self) -> Option<StringifiedPolicySet> {
2875        let policies = self
2876            .policies
2877            .values()
2878            // We'd like to print policies in a deterministic order, so we sort
2879            // before printing, hoping that the size of policy sets is fairly
2880            // small.
2881            .sorted_by_key(|p| AsRef::<str>::as_ref(p.id()))
2882            .map(Policy::to_cedar)
2883            .collect::<Option<Vec<_>>>()?;
2884        let policy_templates = self
2885            .templates
2886            .values()
2887            .sorted_by_key(|t| AsRef::<str>::as_ref(t.id()))
2888            .map(Template::to_cedar)
2889            .collect_vec();
2890
2891        Some(StringifiedPolicySet {
2892            policies,
2893            policy_templates,
2894        })
2895    }
2896
2897    /// Create a fresh empty `PolicySet`
2898    pub fn new() -> Self {
2899        Self {
2900            ast: ast::PolicySet::new(),
2901            policies: LinkedHashMap::new(),
2902            templates: LinkedHashMap::new(),
2903        }
2904    }
2905
2906    /// Create a `PolicySet` from the given policies
2907    pub fn from_policies(
2908        policies: impl IntoIterator<Item = Policy>,
2909    ) -> Result<Self, PolicySetError> {
2910        let mut set = Self::new();
2911        for policy in policies {
2912            set.add(policy)?;
2913        }
2914        Ok(set)
2915    }
2916
2917    /// Merges this `PolicySet` with another `PolicySet`.
2918    /// This `PolicySet` is modified while the other `PolicySet`
2919    /// remains unchanged.
2920    ///
2921    /// The flag `rename_duplicates` controls the expected behavior
2922    /// when a `PolicyId` in this and the other `PolicySet` conflict.
2923    ///
2924    /// When `rename_duplicates` is false, conflicting `PolicyId`s result
2925    /// in a `PolicySetError::AlreadyDefined` error.
2926    ///
2927    /// Otherwise, when `rename_duplicates` is true, conflicting `PolicyId`s from
2928    /// the other `PolicySet` are automatically renamed to avoid conflict.
2929    /// This renaming is returned as a Hashmap from the old `PolicyId` to the
2930    /// renamed `PolicyId`.
2931    pub fn merge(
2932        &mut self,
2933        other: &Self,
2934        rename_duplicates: bool,
2935    ) -> Result<HashMap<PolicyId, PolicyId>, PolicySetError> {
2936        match self.ast.merge_policyset(&other.ast, rename_duplicates) {
2937            Ok(renaming) => {
2938                let renaming: HashMap<PolicyId, PolicyId> = renaming
2939                    .into_iter()
2940                    .map(|(old_pid, new_pid)| (PolicyId::new(old_pid), PolicyId::new(new_pid)))
2941                    .collect();
2942
2943                for (old_pid, op) in &other.policies {
2944                    let pid = renaming.get(old_pid).unwrap_or(old_pid);
2945                    if !self.policies.contains_key(pid) {
2946                        let lossless = if renaming.contains_key(old_pid) {
2947                            op.lossless.new_id(pid.clone())
2948                        } else {
2949                            op.lossless.clone()
2950                        };
2951                        #[expect(
2952                            clippy::unwrap_used,
2953                            reason = "`pid` is the new id of a policy from `other`, so it will be in `self` after merging"
2954                        )]
2955                        let new_p = Policy {
2956                            // Use the representation from `self.ast` so that we get a version with internal references to
2957                            // policy ids updated to account for the renaming.
2958                            ast: self.ast.get(pid.as_ref()).unwrap().clone(),
2959                            lossless,
2960                        };
2961                        self.policies.insert(pid.clone(), new_p);
2962                    }
2963                }
2964                for (old_pid, ot) in &other.templates {
2965                    let pid = renaming.get(old_pid).unwrap_or(old_pid);
2966                    if !self.templates.contains_key(pid) {
2967                        let lossless = if renaming.contains_key(old_pid) {
2968                            ot.lossless.new_id(pid.clone())
2969                        } else {
2970                            ot.lossless.clone()
2971                        };
2972                        #[expect(
2973                            clippy::unwrap_used,
2974                            reason = "`pid` is the new id of a template from `other`, so it will be in `self` after merging"
2975                        )]
2976                        let new_t = Template {
2977                            ast: self.ast.get_template(pid.as_ref()).unwrap().clone(),
2978                            lossless,
2979                        };
2980                        self.templates.insert(pid.clone(), new_t);
2981                    }
2982                }
2983
2984                Ok(renaming)
2985            }
2986            Err(ast::PolicySetError::Occupied { id }) => Err(PolicySetError::AlreadyDefined(
2987                policy_set_errors::AlreadyDefined {
2988                    id: PolicyId::new(id),
2989                },
2990            )),
2991        }
2992    }
2993
2994    /// Add an static policy to the `PolicySet`. To add a template instance, use
2995    /// `link` instead. This function will return an error (and not modify
2996    /// the `PolicySet`) if a template-linked policy is passed in.
2997    pub fn add(&mut self, policy: Policy) -> Result<(), PolicySetError> {
2998        if policy.is_static() {
2999            let id = PolicyId::new(policy.ast.id().clone());
3000            self.ast.add(policy.ast.clone())?;
3001            self.policies.insert(id, policy);
3002            Ok(())
3003        } else {
3004            Err(PolicySetError::ExpectedStatic(
3005                policy_set_errors::ExpectedStatic::new(),
3006            ))
3007        }
3008    }
3009
3010    /// Remove a static `Policy` from the `PolicySet`.
3011    ///
3012    /// This will error if the policy is not a static policy.
3013    pub fn remove_static(&mut self, policy_id: PolicyId) -> Result<Policy, PolicySetError> {
3014        let Some(policy) = self.policies.remove(&policy_id) else {
3015            return Err(PolicySetError::PolicyNonexistent(
3016                policy_set_errors::PolicyNonexistentError { policy_id },
3017            ));
3018        };
3019        if self
3020            .ast
3021            .remove_static(&ast::PolicyID::from_string(&policy_id))
3022            .is_ok()
3023        {
3024            Ok(policy)
3025        } else {
3026            //Restore self.policies
3027            self.policies.insert(policy_id.clone(), policy);
3028            Err(PolicySetError::PolicyNonexistent(
3029                policy_set_errors::PolicyNonexistentError { policy_id },
3030            ))
3031        }
3032    }
3033
3034    /// Add a `Template` to the `PolicySet`
3035    pub fn add_template(&mut self, template: Template) -> Result<(), PolicySetError> {
3036        let id = PolicyId::new(template.ast.id().clone());
3037        self.ast.add_template(template.ast.clone())?;
3038        self.templates.insert(id, template);
3039        Ok(())
3040    }
3041
3042    /// Remove a `Template` from the `PolicySet`.
3043    ///
3044    /// This will error if any policy is linked to the template.
3045    /// This will error if `policy_id` is not a template.
3046    pub fn remove_template(&mut self, template_id: PolicyId) -> Result<Template, PolicySetError> {
3047        let Some(template) = self.templates.remove(&template_id) else {
3048            return Err(PolicySetError::TemplateNonexistent(
3049                policy_set_errors::TemplateNonexistentError { template_id },
3050            ));
3051        };
3052        // If self.templates and self.ast disagree, authorization cannot be trusted.
3053        #[expect(clippy::panic, reason = "We just found the policy in self.templates")]
3054        match self
3055            .ast
3056            .remove_template(&ast::PolicyID::from_string(&template_id))
3057        {
3058            Ok(_) => Ok(template),
3059            Err(ast::PolicySetTemplateRemovalError::RemoveTemplateWithLinksError(_)) => {
3060                self.templates.insert(template_id.clone(), template);
3061                Err(PolicySetError::RemoveTemplateWithActiveLinks(
3062                    policy_set_errors::RemoveTemplateWithActiveLinksError { template_id },
3063                ))
3064            }
3065            Err(ast::PolicySetTemplateRemovalError::NotTemplateError(_)) => {
3066                self.templates.insert(template_id.clone(), template);
3067                Err(PolicySetError::RemoveTemplateNotTemplate(
3068                    policy_set_errors::RemoveTemplateNotTemplateError { template_id },
3069                ))
3070            }
3071            Err(ast::PolicySetTemplateRemovalError::RemovePolicyNoTemplateError(_)) => {
3072                panic!("Found template policy in self.templates but not in self.ast");
3073            }
3074        }
3075    }
3076
3077    /// Get policies linked to a `Template` in the `PolicySet`.
3078    /// If any policy is linked to the template, this will error
3079    pub fn get_linked_policies(
3080        &self,
3081        template_id: PolicyId,
3082    ) -> Result<impl Iterator<Item = &PolicyId>, PolicySetError> {
3083        self.ast
3084            .get_linked_policies(&ast::PolicyID::from_string(&template_id))
3085            .map_or_else(
3086                |_| {
3087                    Err(PolicySetError::TemplateNonexistent(
3088                        policy_set_errors::TemplateNonexistentError { template_id },
3089                    ))
3090                },
3091                |v| Ok(v.map(PolicyId::ref_cast)),
3092            )
3093    }
3094
3095    /// Iterate over all the `Policy`s in the `PolicySet`.
3096    ///
3097    /// This will include both static and template-linked policies.
3098    pub fn policies(&self) -> impl Iterator<Item = &Policy> {
3099        self.policies.values()
3100    }
3101
3102    /// Iterate over the `Template`'s in the `PolicySet`.
3103    pub fn templates(&self) -> impl Iterator<Item = &Template> {
3104        self.templates.values()
3105    }
3106
3107    /// Get a `Template` by its `PolicyId`
3108    pub fn template(&self, id: &PolicyId) -> Option<&Template> {
3109        self.templates.get(id)
3110    }
3111
3112    /// Get a `Policy` by its `PolicyId`
3113    pub fn policy(&self, id: &PolicyId) -> Option<&Policy> {
3114        self.policies.get(id)
3115    }
3116
3117    /// Extract annotation data from a `Policy` by its `PolicyId` and annotation key.
3118    /// If the annotation is present without an explicit value (e.g., `@annotation`),
3119    /// then this function returns `Some("")`. It returns `None` only when the
3120    /// annotation is not present.
3121    pub fn annotation(&self, id: &PolicyId, key: impl AsRef<str>) -> Option<&str> {
3122        self.ast
3123            .get(id.as_ref())?
3124            .annotation(&key.as_ref().parse().ok()?)
3125            .map(AsRef::as_ref)
3126    }
3127
3128    /// Extract annotation data from a `Template` by its `PolicyId` and annotation key.
3129    /// If the annotation is present without an explicit value (e.g., `@annotation`),
3130    /// then this function returns `Some("")`. It returns `None` only when the
3131    /// annotation is not present.
3132    pub fn template_annotation(&self, id: &PolicyId, key: impl AsRef<str>) -> Option<&str> {
3133        self.ast
3134            .get_template(id.as_ref())?
3135            .annotation(&key.as_ref().parse().ok()?)
3136            .map(AsRef::as_ref)
3137    }
3138
3139    /// Returns true iff the `PolicySet` is empty
3140    pub fn is_empty(&self) -> bool {
3141        debug_assert_eq!(
3142            self.ast.is_empty(),
3143            self.policies.is_empty() && self.templates.is_empty()
3144        );
3145        self.ast.is_empty()
3146    }
3147
3148    /// Returns the number of `Policy`s in the `PolicySet`.
3149    ///
3150    /// This will include both static and template-linked policies.
3151    pub fn num_of_policies(&self) -> usize {
3152        self.policies.len()
3153    }
3154
3155    /// Returns the number of `Template`s in the `PolicySet`.
3156    pub fn num_of_templates(&self) -> usize {
3157        self.templates.len()
3158    }
3159
3160    /// Attempt to link a template and add the new template-linked policy to the policy set.
3161    /// If link fails, the `PolicySet` is not modified.
3162    /// Failure can happen for three reasons
3163    ///   1) The map passed in `vals` may not match the slots in the template
3164    ///   2) The `new_id` may conflict w/ a policy that already exists in the set
3165    ///   3) `template_id` does not correspond to a template. Either the id is
3166    ///      not in the policy set, or it is in the policy set but is either a
3167    ///      linked or static policy rather than a template
3168    pub fn link(
3169        &mut self,
3170        template_id: PolicyId,
3171        new_id: PolicyId,
3172        vals: HashMap<SlotId, EntityUid>,
3173    ) -> Result<(), PolicySetError> {
3174        let unwrapped_vals: HashMap<ast::SlotId, ast::EntityUID> = vals
3175            .into_iter()
3176            .map(|(key, value)| (key.into(), value.into()))
3177            .collect();
3178
3179        // Try to get the template with the id we're linking from.  We do this
3180        // _before_ calling `self.ast.link` because `link` mutates the policy
3181        // set by creating a new link entry in a hashmap. This happens even when
3182        // trying to link a static policy, which we want to error on here.
3183        let Some(template) = self.templates.get(&template_id) else {
3184            return Err(if self.policies.contains_key(&template_id) {
3185                policy_set_errors::ExpectedTemplate::new().into()
3186            } else {
3187                policy_set_errors::LinkingError {
3188                    inner: ast::LinkingError::NoSuchTemplate {
3189                        id: template_id.into(),
3190                    },
3191                }
3192                .into()
3193            });
3194        };
3195
3196        let linked_ast = self.ast.link(
3197            template_id.into(),
3198            new_id.clone().into(),
3199            unwrapped_vals.clone(),
3200        )?;
3201
3202        #[expect(
3203            clippy::expect_used,
3204            reason = "`lossless.link()` will not fail after `ast.link()` succeeds"
3205        )]
3206        let linked_lossless = template
3207            .lossless
3208            .clone()
3209            .link(
3210                new_id.clone().into(),
3211                unwrapped_vals.iter().map(|(k, v)| (*k, v)),
3212            )
3213            // The only error case for `lossless.link()` is a template with
3214            // slots which are not filled by the provided values. `ast.link()`
3215            // will have already errored if there are any unfilled slots in the
3216            // template.
3217            .expect("ast.link() didn't fail above, so this shouldn't fail");
3218        self.policies.insert(
3219            new_id,
3220            Policy {
3221                ast: linked_ast.clone(),
3222                lossless: linked_lossless,
3223            },
3224        );
3225        Ok(())
3226    }
3227
3228    /// Get all the unknown entities from the policy set
3229    #[doc = include_str!("../experimental_warning.md")]
3230    #[cfg(feature = "partial-eval")]
3231    pub fn unknown_entities(&self) -> HashSet<EntityUid> {
3232        let mut entity_uids = HashSet::new();
3233        for policy in self.policies.values() {
3234            entity_uids.extend(policy.unknown_entities());
3235        }
3236        entity_uids
3237    }
3238
3239    /// Unlink a template-linked policy from the policy set.
3240    /// Returns the policy that was unlinked.
3241    pub fn unlink(&mut self, policy_id: PolicyId) -> Result<Policy, PolicySetError> {
3242        let Some(policy) = self.policies.remove(&policy_id) else {
3243            return Err(PolicySetError::LinkNonexistent(
3244                policy_set_errors::LinkNonexistentError { policy_id },
3245            ));
3246        };
3247        // If self.policies and self.ast disagree, authorization cannot be trusted.
3248        #[expect(clippy::panic, reason = "We just found the policy in self.policies")]
3249        match self.ast.unlink(&ast::PolicyID::from_string(&policy_id)) {
3250            Ok(_) => Ok(policy),
3251            Err(ast::PolicySetUnlinkError::NotLinkError(_)) => {
3252                //Restore self.policies
3253                self.policies.insert(policy_id.clone(), policy);
3254                Err(PolicySetError::UnlinkLinkNotLink(
3255                    policy_set_errors::UnlinkLinkNotLinkError { policy_id },
3256                ))
3257            }
3258            Err(ast::PolicySetUnlinkError::UnlinkingError(_)) => {
3259                panic!("Found linked policy in self.policies but not in self.ast")
3260            }
3261        }
3262    }
3263}
3264
3265impl std::fmt::Display for PolicySet {
3266    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
3267        // prefer to display the lossless format
3268        let mut policies = self.policies().peekable();
3269        while let Some(policy) = policies.next() {
3270            policy.lossless.fmt(|| policy.ast.clone().into(), f)?;
3271            if policies.peek().is_some() {
3272                writeln!(f)?;
3273            }
3274        }
3275        Ok(())
3276    }
3277}
3278
3279/// Given a [`PolicyId`] and a [`Policy`], determine if the policy represents a static policy or a
3280/// link
3281fn is_static_or_link(
3282    (id, policy): (PolicyId, Policy),
3283) -> Result<Either<(ast::PolicyID, est::Policy), TemplateLink>, PolicyToJsonError> {
3284    match policy.template_id() {
3285        Some(template_id) => {
3286            let values = policy
3287                .ast
3288                .env()
3289                .iter()
3290                .map(|(id, euid)| (*id, euid.clone()))
3291                .collect();
3292            Ok(Either::Right(TemplateLink {
3293                new_id: id.into(),
3294                template_id: template_id.clone().into(),
3295                values,
3296            }))
3297        }
3298        None => policy
3299            .lossless
3300            .est(|| policy.ast.clone().into())
3301            .map(|est| Either::Left((id.into(), est))),
3302    }
3303}
3304
3305/// Like [`itertools::Itertools::partition_map`], but accepts a function that can fail.
3306/// The first invocation of `f` that fails causes the whole computation to fail
3307#[expect(
3308    clippy::redundant_pub_crate,
3309    reason = "can't be private because it's used in tests"
3310)]
3311pub(crate) fn fold_partition<T, A, B, E>(
3312    i: impl IntoIterator<Item = T>,
3313    f: impl Fn(T) -> Result<Either<A, B>, E>,
3314) -> Result<(Vec<A>, Vec<B>), E> {
3315    let mut lefts = vec![];
3316    let mut rights = vec![];
3317
3318    for item in i {
3319        match f(item)? {
3320            Either::Left(left) => lefts.push(left),
3321            Either::Right(right) => rights.push(right),
3322        }
3323    }
3324
3325    Ok((lefts, rights))
3326}
3327
3328/// The "type" of a [`Request`], i.e., the [`EntityTypeName`]s of principal
3329/// and resource, the [`EntityUid`] of action, and [`Option<EntityTypeName>`]s
3330/// of principal slot and resource slot
3331#[derive(Debug, Clone, PartialEq, Eq, Hash, PartialOrd, Ord)]
3332pub struct RequestEnv {
3333    pub(crate) principal: EntityTypeName,
3334    pub(crate) action: EntityUid,
3335    pub(crate) resource: EntityTypeName,
3336    pub(crate) principal_slot: Option<EntityTypeName>,
3337    pub(crate) resource_slot: Option<EntityTypeName>,
3338}
3339
3340impl RequestEnv {
3341    /// Construct a [`RequestEnv`]
3342    pub fn new(principal: EntityTypeName, action: EntityUid, resource: EntityTypeName) -> Self {
3343        Self {
3344            principal,
3345            action,
3346            resource,
3347            principal_slot: None,
3348            resource_slot: None,
3349        }
3350    }
3351
3352    /// Construct a [`RequestEnv`] that contains slots in the scope
3353    pub fn new_request_env_with_slots(
3354        principal: EntityTypeName,
3355        action: EntityUid,
3356        resource: EntityTypeName,
3357        principal_slot: Option<EntityTypeName>,
3358        resource_slot: Option<EntityTypeName>,
3359    ) -> Self {
3360        Self {
3361            principal,
3362            action,
3363            resource,
3364            principal_slot,
3365            resource_slot,
3366        }
3367    }
3368
3369    /// Get the principal type name
3370    pub fn principal(&self) -> &EntityTypeName {
3371        &self.principal
3372    }
3373
3374    /// Get the action [`EntityUid`]
3375    pub fn action(&self) -> &EntityUid {
3376        &self.action
3377    }
3378
3379    /// Get the resource type name
3380    pub fn resource(&self) -> &EntityTypeName {
3381        &self.resource
3382    }
3383
3384    /// Get the principal slot type name
3385    pub fn principal_slot(&self) -> Option<&EntityTypeName> {
3386        self.principal_slot.as_ref()
3387    }
3388
3389    /// Get the resource slot type name
3390    pub fn resource_slot(&self) -> Option<&EntityTypeName> {
3391        self.resource_slot.as_ref()
3392    }
3393}
3394
3395#[doc(hidden)]
3396impl From<cedar_policy_core::validator::types::RequestEnv<'_>> for RequestEnv {
3397    fn from(renv: cedar_policy_core::validator::types::RequestEnv<'_>) -> Self {
3398        match renv {
3399            cedar_policy_core::validator::types::RequestEnv::DeclaredAction {
3400                principal,
3401                action,
3402                resource,
3403                principal_slot,
3404                resource_slot,
3405                ..
3406            } => Self {
3407                principal: principal.clone().into(),
3408                action: action.clone().into(),
3409                resource: resource.clone().into(),
3410                principal_slot: principal_slot.map(EntityTypeName::from),
3411                resource_slot: resource_slot.map(EntityTypeName::from),
3412            },
3413            #[expect(
3414                clippy::unreachable,
3415                reason = "partial validation is not enabled and hence `RequestEnv::UndeclaredAction` should not show up"
3416            )]
3417            cedar_policy_core::validator::types::RequestEnv::UndeclaredAction => {
3418                unreachable!("used unsupported feature")
3419            }
3420        }
3421    }
3422}
3423
3424/// Get valid request envs for an `ast::Template`
3425///
3426/// This function is called by [`Template::get_valid_request_envs`] and
3427/// [`Policy::get_valid_request_envs`]
3428fn get_valid_request_envs(ast: &ast::Template, s: &Schema) -> impl Iterator<Item = RequestEnv> {
3429    let tc = Typechecker::new(
3430        &s.0,
3431        cedar_policy_core::validator::ValidationMode::default(),
3432    );
3433    tc.typecheck_by_request_env(ast)
3434        .into_iter()
3435        .filter_map(|(env, pc)| {
3436            if matches!(pc, PolicyCheck::Success(_)) {
3437                Some(env.into())
3438            } else {
3439                None
3440            }
3441        })
3442        .collect::<BTreeSet<_>>()
3443        .into_iter()
3444}
3445
3446/// Policy template datatype
3447//
3448// NOTE: Unlike the internal type [`ast::Template`], this type only supports
3449// templates. The `Template` constructors will return an error if provided with
3450// a static policy.
3451#[derive(Debug, Clone)]
3452pub struct Template {
3453    /// AST representation of the template, used for most operations.
3454    /// In particular, the `ast` contains the authoritative `PolicyId` for the template.
3455    pub(crate) ast: ast::Template,
3456
3457    /// Some "lossless" representation of the template, whichever is most
3458    /// convenient to provide (and can be provided with the least overhead).
3459    /// This is used just for `to_json()`.
3460    /// We can't just derive this on-demand from `ast`, because the AST is lossy:
3461    /// we can't reconstruct an accurate CST/EST/policy-text from the AST, but
3462    /// we can from the EST (modulo whitespace and a few other things like the
3463    /// order of annotations).
3464    pub(crate) lossless: LosslessTemplate,
3465}
3466
3467impl PartialEq for Template {
3468    fn eq(&self, other: &Self) -> bool {
3469        // eq is based on just the `ast`
3470        self.ast.eq(&other.ast)
3471    }
3472}
3473impl Eq for Template {}
3474
3475#[doc(hidden)] // because this converts to a private/internal type
3476impl AsRef<ast::Template> for Template {
3477    fn as_ref(&self) -> &ast::Template {
3478        &self.ast
3479    }
3480}
3481
3482#[doc(hidden)]
3483impl From<ast::Template> for Template {
3484    fn from(template: ast::Template) -> Self {
3485        Self::from_ast(template)
3486    }
3487}
3488
3489impl Template {
3490    /// Construct a [`Template`] from a PST template.
3491    /// Returns an error if the PST template has no template slots.
3492    pub fn from_pst(pst_template: pst::Template) -> Result<Self, pst::PstConstructionError> {
3493        let ast: ast::Template = pst_template.clone().try_into()?;
3494        if ast.slots().count() == 0 {
3495            return Err(error_body::ExpectedTemplateWithSlotsError.into());
3496        }
3497        Ok(Self {
3498            ast,
3499            lossless: LosslessTemplate::Pst(pst_template),
3500        })
3501    }
3502
3503    /// Get the PST representation of this template.
3504    pub fn to_pst(&self) -> Result<pst::Template, pst::PstConstructionError> {
3505        self.lossless
3506            .pst(|| pst::Template::try_from(self.ast.clone()))
3507            .map(|t| t.with_id(self.ast.id().clone().into()))
3508    }
3509
3510    /// Get an owned PST representation of this template.
3511    /// Can return an error if the template was built from a non-PST representation that
3512    /// is not a valid Cedar template.
3513    pub fn try_into_pst(self) -> Result<pst::Template, pst::PstConstructionError> {
3514        self.lossless
3515            .try_into_pst(|| pst::Template::try_from(self.ast))
3516    }
3517
3518    /// Attempt to parse a [`Template`] from source.
3519    /// Returns an error if the input is a static policy (i.e., has no slots).
3520    /// If `id` is Some, then the resulting template will have that `id`.
3521    /// If the `id` is None, the parser will use the default "policy0".
3522    /// The behavior around None may change in the future.
3523    pub fn parse(id: Option<PolicyId>, src: impl AsRef<str>) -> Result<Self, ParseErrors> {
3524        let ast = parser::parse_template(id.map(Into::into), src.as_ref())?;
3525        Ok(Self {
3526            ast,
3527            lossless: LosslessTemplate::from_text(Some(src.as_ref())),
3528        })
3529    }
3530
3531    /// Get the `PolicyId` of this `Template`
3532    pub fn id(&self) -> &PolicyId {
3533        PolicyId::ref_cast(self.ast.id())
3534    }
3535
3536    /// Clone this `Template` with a new `PolicyId`
3537    #[must_use]
3538    pub fn new_id(&self, id: PolicyId) -> Self {
3539        Self {
3540            ast: self.ast.new_id(id.clone().into()),
3541            lossless: self.lossless.new_id(id),
3542        }
3543    }
3544
3545    /// Get the `Effect` (`Forbid` or `Permit`) of this `Template`
3546    pub fn effect(&self) -> Effect {
3547        self.ast.effect()
3548    }
3549
3550    /// Returns `true` if this template has a `when` or `unless` clause.
3551    pub fn has_non_scope_constraint(&self) -> bool {
3552        self.ast.non_scope_constraints().is_some()
3553    }
3554
3555    /// Get an annotation value of this `Template`.
3556    /// If the annotation is present without an explicit value (e.g., `@annotation`),
3557    /// then this function returns `Some("")`. Returns `None` when the
3558    /// annotation is not present or when `key` is not a valid annotation identifier.
3559    pub fn annotation(&self, key: impl AsRef<str>) -> Option<&str> {
3560        self.ast
3561            .annotation(&key.as_ref().parse().ok()?)
3562            .map(AsRef::as_ref)
3563    }
3564
3565    /// Iterate through annotation data of this `Template` as key-value pairs.
3566    /// Annotations which do not have an explicit value (e.g., `@annotation`),
3567    /// are included in the iterator with the value `""`.
3568    pub fn annotations(&self) -> impl Iterator<Item = (&str, &str)> {
3569        self.ast
3570            .annotations()
3571            .map(|(k, v)| (k.as_ref(), v.as_ref()))
3572    }
3573
3574    /// Iterate over the open slots in this `Template`
3575    pub fn slots(&self) -> impl Iterator<Item = &SlotId> {
3576        self.ast.slots().map(|slot| SlotId::ref_cast(&slot.id))
3577    }
3578
3579    /// Get the scope constraint on this policy's principal
3580    pub fn principal_constraint(&self) -> TemplatePrincipalConstraint {
3581        match self.ast.principal_constraint().as_inner() {
3582            ast::PrincipalOrResourceConstraint::Any => TemplatePrincipalConstraint::Any,
3583            ast::PrincipalOrResourceConstraint::In(eref) => {
3584                TemplatePrincipalConstraint::In(match eref {
3585                    ast::EntityReference::EUID(e) => Some(e.as_ref().clone().into()),
3586                    ast::EntityReference::Slot(_) => None,
3587                })
3588            }
3589            ast::PrincipalOrResourceConstraint::Eq(eref) => {
3590                TemplatePrincipalConstraint::Eq(match eref {
3591                    ast::EntityReference::EUID(e) => Some(e.as_ref().clone().into()),
3592                    ast::EntityReference::Slot(_) => None,
3593                })
3594            }
3595            ast::PrincipalOrResourceConstraint::Is(entity_type) => {
3596                TemplatePrincipalConstraint::Is(entity_type.as_ref().clone().into())
3597            }
3598            ast::PrincipalOrResourceConstraint::IsIn(entity_type, eref) => {
3599                TemplatePrincipalConstraint::IsIn(
3600                    entity_type.as_ref().clone().into(),
3601                    match eref {
3602                        ast::EntityReference::EUID(e) => Some(e.as_ref().clone().into()),
3603                        ast::EntityReference::Slot(_) => None,
3604                    },
3605                )
3606            }
3607        }
3608    }
3609
3610    /// Get the scope constraint on this policy's action
3611    pub fn action_constraint(&self) -> ActionConstraint {
3612        // Clone the data from Core to be consistent with the other constraints
3613        match self.ast.action_constraint() {
3614            ast::ActionConstraint::Any => ActionConstraint::Any,
3615            ast::ActionConstraint::In(ids) => {
3616                ActionConstraint::In(ids.iter().map(|id| id.as_ref().clone().into()).collect())
3617            }
3618            ast::ActionConstraint::Eq(id) => ActionConstraint::Eq(id.as_ref().clone().into()),
3619            #[cfg(feature = "tolerant-ast")]
3620            #[expect(clippy::unimplemented, reason = "experimental feature")]
3621            ast::ActionConstraint::ErrorConstraint => {
3622                unimplemented!("internal ErrorConstraint cannot be represented in the public API")
3623            }
3624        }
3625    }
3626
3627    /// Get the scope constraint on this policy's resource
3628    pub fn resource_constraint(&self) -> TemplateResourceConstraint {
3629        match self.ast.resource_constraint().as_inner() {
3630            ast::PrincipalOrResourceConstraint::Any => TemplateResourceConstraint::Any,
3631            ast::PrincipalOrResourceConstraint::In(eref) => {
3632                TemplateResourceConstraint::In(match eref {
3633                    ast::EntityReference::EUID(e) => Some(e.as_ref().clone().into()),
3634                    ast::EntityReference::Slot(_) => None,
3635                })
3636            }
3637            ast::PrincipalOrResourceConstraint::Eq(eref) => {
3638                TemplateResourceConstraint::Eq(match eref {
3639                    ast::EntityReference::EUID(e) => Some(e.as_ref().clone().into()),
3640                    ast::EntityReference::Slot(_) => None,
3641                })
3642            }
3643            ast::PrincipalOrResourceConstraint::Is(entity_type) => {
3644                TemplateResourceConstraint::Is(entity_type.as_ref().clone().into())
3645            }
3646            ast::PrincipalOrResourceConstraint::IsIn(entity_type, eref) => {
3647                TemplateResourceConstraint::IsIn(
3648                    entity_type.as_ref().clone().into(),
3649                    match eref {
3650                        ast::EntityReference::EUID(e) => Some(e.as_ref().clone().into()),
3651                        ast::EntityReference::Slot(_) => None,
3652                    },
3653                )
3654            }
3655        }
3656    }
3657
3658    /// Create a [`Template`] from its JSON representation.
3659    /// Returns an error if the input is a static policy (i.e., has no slots).
3660    /// If `id` is Some, the policy will be given that Policy Id.
3661    /// If `id` is None, then "JSON policy" will be used.
3662    /// The behavior around None may change in the future.
3663    pub fn from_json(
3664        id: Option<PolicyId>,
3665        json: serde_json::Value,
3666    ) -> Result<Self, PolicyFromJsonError> {
3667        let est: est::Policy = serde_json::from_value(json)
3668            .map_err(|e| entities_json_errors::JsonDeserializationError::Serde(e.into()))
3669            .map_err(cedar_policy_core::est::FromJsonError::from)?;
3670        Self::from_est(id, est)
3671    }
3672
3673    fn from_est(id: Option<PolicyId>, est: est::Policy) -> Result<Self, PolicyFromJsonError> {
3674        Ok(Self {
3675            ast: est.clone().try_into_ast_template(id.map(PolicyId::into))?,
3676            lossless: LosslessTemplate::Est(est),
3677        })
3678    }
3679
3680    pub(crate) fn from_ast(ast: ast::Template) -> Self {
3681        Self {
3682            lossless: LosslessTemplate::Est(ast.clone().into()),
3683            ast,
3684        }
3685    }
3686
3687    /// Get the JSON representation of this `Template`.
3688    pub fn to_json(&self) -> Result<serde_json::Value, PolicyToJsonError> {
3689        let est = self.lossless.est(|| self.ast.clone().into())?;
3690        serde_json::to_value(est).map_err(Into::into)
3691    }
3692
3693    /// Get the human-readable Cedar syntax representation of this template.
3694    /// This function is primarily intended for rendering JSON policies in the
3695    /// human-readable syntax, but it will also return the original policy text
3696    /// when given a policy parsed from the human-readable syntax.
3697    ///
3698    /// It also does not format the policy according to any particular rules.
3699    /// Policy formatting can be done through the Cedar policy CLI or
3700    /// the `cedar-policy-formatter` crate.
3701    pub fn to_cedar(&self) -> String {
3702        match &self.lossless {
3703            LosslessTemplate::Empty | LosslessTemplate::Est(_) | LosslessTemplate::Pst(_) => {
3704                self.ast.to_string()
3705            }
3706            LosslessTemplate::Text(text) => text.clone(),
3707        }
3708    }
3709
3710    /// Get the valid [`RequestEnv`]s for this template, according to the schema.
3711    ///
3712    /// That is, all the [`RequestEnv`]s in the schema for which this template is
3713    /// not trivially false.
3714    pub fn get_valid_request_envs(&self, s: &Schema) -> impl Iterator<Item = RequestEnv> {
3715        get_valid_request_envs(&self.ast, s)
3716    }
3717}
3718
3719impl std::fmt::Display for Template {
3720    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
3721        // prefer to display the lossless format
3722        self.lossless.fmt(|| self.ast.clone().into(), f)
3723    }
3724}
3725
3726impl FromStr for Template {
3727    type Err = ParseErrors;
3728
3729    fn from_str(src: &str) -> Result<Self, Self::Err> {
3730        Self::parse(None, src)
3731    }
3732}
3733
3734/// Scope constraint on policy principals.
3735#[derive(Debug, Clone, PartialEq, Eq)]
3736pub enum PrincipalConstraint {
3737    /// Un-constrained
3738    Any,
3739    /// Must be In the given [`EntityUid`]
3740    In(EntityUid),
3741    /// Must be equal to the given [`EntityUid`]
3742    Eq(EntityUid),
3743    /// Must be the given [`EntityTypeName`]
3744    Is(EntityTypeName),
3745    /// Must be the given [`EntityTypeName`], and `in` the [`EntityUid`]
3746    IsIn(EntityTypeName, EntityUid),
3747}
3748
3749/// Scope constraint on policy principals for templates.
3750#[derive(Debug, Clone, PartialEq, Eq)]
3751pub enum TemplatePrincipalConstraint {
3752    /// Un-constrained
3753    Any,
3754    /// Must be In the given [`EntityUid`].
3755    /// If [`None`], then it is a template slot.
3756    In(Option<EntityUid>),
3757    /// Must be equal to the given [`EntityUid`].
3758    /// If [`None`], then it is a template slot.
3759    Eq(Option<EntityUid>),
3760    /// Must be the given [`EntityTypeName`].
3761    Is(EntityTypeName),
3762    /// Must be the given [`EntityTypeName`], and `in` the [`EntityUid`].
3763    /// If the [`EntityUid`] is [`Option::None`], then it is a template slot.
3764    IsIn(EntityTypeName, Option<EntityUid>),
3765}
3766
3767impl TemplatePrincipalConstraint {
3768    /// Does this constraint contain a slot?
3769    pub fn has_slot(&self) -> bool {
3770        match self {
3771            Self::Any | Self::Is(_) => false,
3772            Self::In(o) | Self::Eq(o) | Self::IsIn(_, o) => o.is_none(),
3773        }
3774    }
3775}
3776
3777/// Scope constraint on policy actions.
3778#[derive(Debug, Clone, PartialEq, Eq)]
3779pub enum ActionConstraint {
3780    /// Un-constrained
3781    Any,
3782    /// Must be In the given [`EntityUid`]
3783    In(Vec<EntityUid>),
3784    /// Must be equal to the given [`EntityUid]`
3785    Eq(EntityUid),
3786}
3787
3788/// Scope constraint on policy resources.
3789#[derive(Debug, Clone, PartialEq, Eq)]
3790pub enum ResourceConstraint {
3791    /// Un-constrained
3792    Any,
3793    /// Must be In the given [`EntityUid`]
3794    In(EntityUid),
3795    /// Must be equal to the given [`EntityUid`]
3796    Eq(EntityUid),
3797    /// Must be the given [`EntityTypeName`]
3798    Is(EntityTypeName),
3799    /// Must be the given [`EntityTypeName`], and `in` the [`EntityUid`]
3800    IsIn(EntityTypeName, EntityUid),
3801}
3802
3803/// Scope constraint on policy resources for templates.
3804#[derive(Debug, Clone, PartialEq, Eq)]
3805pub enum TemplateResourceConstraint {
3806    /// Un-constrained
3807    Any,
3808    /// Must be In the given [`EntityUid`].
3809    /// If [`None`], then it is a template slot.
3810    In(Option<EntityUid>),
3811    /// Must be equal to the given [`EntityUid`].
3812    /// If [`None`], then it is a template slot.
3813    Eq(Option<EntityUid>),
3814    /// Must be the given [`EntityTypeName`].
3815    Is(EntityTypeName),
3816    /// Must be the given [`EntityTypeName`], and `in` the [`EntityUid`].
3817    /// If the [`EntityUid`] is [`Option::None`], then it is a template slot.
3818    IsIn(EntityTypeName, Option<EntityUid>),
3819}
3820
3821impl TemplateResourceConstraint {
3822    /// Does this constraint contain a slot?
3823    pub fn has_slot(&self) -> bool {
3824        match self {
3825            Self::Any | Self::Is(_) => false,
3826            Self::In(o) | Self::Eq(o) | Self::IsIn(_, o) => o.is_none(),
3827        }
3828    }
3829}
3830
3831/// Structure for a `Policy`. Includes both static policies and template-linked policies.
3832#[derive(Debug, Clone)]
3833pub struct Policy {
3834    /// AST representation of the policy, used for most operations.
3835    /// In particular, the `ast` contains the authoritative `PolicyId` for the policy.
3836    pub(crate) ast: ast::Policy,
3837    /// Some "lossless" representation of the policy, whichever is most
3838    /// convenient to provide (and can be provided with the least overhead).
3839    /// This is for `to_json()` and `to_pst()`.
3840    /// We can't just derive this on-demand from `ast`, because the AST is lossy:
3841    /// we can't reconstruct an accurate CST/EST/policy-text from the AST, but
3842    /// we can from the EST (modulo whitespace and a few other things like the
3843    /// we can from the EST or PST (modulo whitespace and a few other things like the
3844    /// order of annotations).
3845    pub(crate) lossless: LosslessPolicy,
3846}
3847
3848impl PartialEq for Policy {
3849    fn eq(&self, other: &Self) -> bool {
3850        // eq is based on just the `ast`
3851        self.ast.eq(&other.ast)
3852    }
3853}
3854impl Eq for Policy {}
3855
3856#[doc(hidden)] // because this converts to a private/internal type
3857impl AsRef<ast::Policy> for Policy {
3858    fn as_ref(&self) -> &ast::Policy {
3859        &self.ast
3860    }
3861}
3862
3863#[doc(hidden)]
3864impl From<ast::Policy> for Policy {
3865    fn from(policy: ast::Policy) -> Self {
3866        Self::from_ast(policy)
3867    }
3868}
3869
3870#[doc(hidden)]
3871impl From<ast::StaticPolicy> for Policy {
3872    fn from(policy: ast::StaticPolicy) -> Self {
3873        ast::Policy::from(policy).into()
3874    }
3875}
3876
3877impl Policy {
3878    /// Construct a [`Policy`] from a PST policy.
3879    /// Accepts both static and linked PST policies.
3880    pub fn from_pst(pst_policy: pst::Policy) -> Result<Self, pst::PstConstructionError> {
3881        let ast = ast::Policy::try_from(pst_policy.clone())?;
3882        Ok(Self {
3883            ast,
3884            lossless: LosslessPolicy::Pst(pst_policy),
3885        })
3886    }
3887
3888    /// Get the `PolicyId` of the `Template` this is linked to.
3889    /// If this is a static policy, this will return `None`.
3890    pub fn template_id(&self) -> Option<&PolicyId> {
3891        if self.is_static() {
3892            None
3893        } else {
3894            Some(PolicyId::ref_cast(self.ast.template().id()))
3895        }
3896    }
3897
3898    /// Get the values this `Template` is linked to, expressed as a map from `SlotId` to `EntityUid`.
3899    /// If this is a static policy, this will return `None`.
3900    pub fn template_links(&self) -> Option<HashMap<SlotId, EntityUid>> {
3901        if self.is_static() {
3902            None
3903        } else {
3904            let wrapped_vals: HashMap<SlotId, EntityUid> = self
3905                .ast
3906                .env()
3907                .iter()
3908                .map(|(key, value)| ((*key).into(), value.clone().into()))
3909                .collect();
3910            Some(wrapped_vals)
3911        }
3912    }
3913
3914    /// Get the `Effect` (`Permit` or `Forbid`) for this instance
3915    pub fn effect(&self) -> Effect {
3916        self.ast.effect()
3917    }
3918
3919    /// Returns `true` if this policy has a `when` or `unless` clause.
3920    pub fn has_non_scope_constraint(&self) -> bool {
3921        self.ast.non_scope_constraints().is_some()
3922    }
3923
3924    /// Get an annotation value of this template-linked or static policy.
3925    /// If the annotation is present without an explicit value (e.g., `@annotation`),
3926    /// then this function returns `Some("")`. Returns `None` when the
3927    /// annotation is not present or when `key` is not a valid annotations identifier.
3928    pub fn annotation(&self, key: impl AsRef<str>) -> Option<&str> {
3929        self.ast
3930            .annotation(&key.as_ref().parse().ok()?)
3931            .map(AsRef::as_ref)
3932    }
3933
3934    /// Iterate through annotation data of this template-linked or static policy.
3935    /// Annotations which do not have an explicit value (e.g., `@annotation`),
3936    /// are included in the iterator with the value `""`.
3937    pub fn annotations(&self) -> impl Iterator<Item = (&str, &str)> {
3938        self.ast
3939            .annotations()
3940            .map(|(k, v)| (k.as_ref(), v.as_ref()))
3941    }
3942
3943    /// Get the `PolicyId` for this template-linked or static policy
3944    pub fn id(&self) -> &PolicyId {
3945        PolicyId::ref_cast(self.ast.id())
3946    }
3947
3948    /// Clone this `Policy` with a new `PolicyId`
3949    #[must_use]
3950    pub fn new_id(&self, id: PolicyId) -> Self {
3951        Self {
3952            ast: self.ast.new_id(id.clone().into()),
3953            lossless: self.lossless.new_id(id),
3954        }
3955    }
3956
3957    /// Returns `true` if this is a static policy, `false` otherwise.
3958    pub fn is_static(&self) -> bool {
3959        self.ast.is_static()
3960    }
3961
3962    /// Get the scope constraint on this policy's principal
3963    pub fn principal_constraint(&self) -> PrincipalConstraint {
3964        let slot_id = ast::SlotId::principal();
3965        match self.ast.template().principal_constraint().as_inner() {
3966            ast::PrincipalOrResourceConstraint::Any => PrincipalConstraint::Any,
3967            ast::PrincipalOrResourceConstraint::In(eref) => {
3968                PrincipalConstraint::In(self.convert_entity_reference(eref, slot_id).clone())
3969            }
3970            ast::PrincipalOrResourceConstraint::Eq(eref) => {
3971                PrincipalConstraint::Eq(self.convert_entity_reference(eref, slot_id).clone())
3972            }
3973            ast::PrincipalOrResourceConstraint::Is(entity_type) => {
3974                PrincipalConstraint::Is(entity_type.as_ref().clone().into())
3975            }
3976            ast::PrincipalOrResourceConstraint::IsIn(entity_type, eref) => {
3977                PrincipalConstraint::IsIn(
3978                    entity_type.as_ref().clone().into(),
3979                    self.convert_entity_reference(eref, slot_id).clone(),
3980                )
3981            }
3982        }
3983    }
3984
3985    /// Get the scope constraint on this policy's action
3986    pub fn action_constraint(&self) -> ActionConstraint {
3987        // Clone the data from Core to be consistant with the other constraints
3988        match self.ast.template().action_constraint() {
3989            ast::ActionConstraint::Any => ActionConstraint::Any,
3990            ast::ActionConstraint::In(ids) => ActionConstraint::In(
3991                ids.iter()
3992                    .map(|euid| EntityUid::ref_cast(euid.as_ref()))
3993                    .cloned()
3994                    .collect(),
3995            ),
3996            ast::ActionConstraint::Eq(id) => ActionConstraint::Eq(EntityUid::ref_cast(id).clone()),
3997            #[cfg(feature = "tolerant-ast")]
3998            #[expect(clippy::unimplemented, reason = "experimental feature")]
3999            ast::ActionConstraint::ErrorConstraint => {
4000                unimplemented!("internal ErrorConstraint cannot be represented in the public API")
4001            }
4002        }
4003    }
4004
4005    /// Get the scope constraint on this policy's resource
4006    pub fn resource_constraint(&self) -> ResourceConstraint {
4007        let slot_id = ast::SlotId::resource();
4008        match self.ast.template().resource_constraint().as_inner() {
4009            ast::PrincipalOrResourceConstraint::Any => ResourceConstraint::Any,
4010            ast::PrincipalOrResourceConstraint::In(eref) => {
4011                ResourceConstraint::In(self.convert_entity_reference(eref, slot_id).clone())
4012            }
4013            ast::PrincipalOrResourceConstraint::Eq(eref) => {
4014                ResourceConstraint::Eq(self.convert_entity_reference(eref, slot_id).clone())
4015            }
4016            ast::PrincipalOrResourceConstraint::Is(entity_type) => {
4017                ResourceConstraint::Is(entity_type.as_ref().clone().into())
4018            }
4019            ast::PrincipalOrResourceConstraint::IsIn(entity_type, eref) => {
4020                ResourceConstraint::IsIn(
4021                    entity_type.as_ref().clone().into(),
4022                    self.convert_entity_reference(eref, slot_id).clone(),
4023                )
4024            }
4025        }
4026    }
4027
4028    /// To avoid panicking, this function may only be called when `slot` is the
4029    /// `SlotId` corresponding to the scope constraint from which the entity
4030    /// reference `r` was extracted. I.e., If `r` is taken from the principal
4031    /// scope constraint, `slot` must be `?principal`. This ensures that the
4032    /// `SlotId` exists in the policy (and therefore the slot environment map)
4033    /// whenever the `EntityReference` `r` is the Slot variant.
4034    fn convert_entity_reference<'a>(
4035        &'a self,
4036        r: &'a ast::EntityReference,
4037        slot: ast::SlotId,
4038    ) -> &'a EntityUid {
4039        match r {
4040            ast::EntityReference::EUID(euid) => EntityUid::ref_cast(euid),
4041            #[expect(
4042                clippy::unwrap_used,
4043                reason = "This `unwrap` here is safe due the invariant (values total map) on policies"
4044            )]
4045            ast::EntityReference::Slot(_) => {
4046                EntityUid::ref_cast(self.ast.env().get(&slot).unwrap())
4047            }
4048        }
4049    }
4050
4051    /// Parse a single policy.
4052    /// If `id` is Some, the policy will be given that Policy Id.
4053    /// If `id` is None, then "policy0" will be used.
4054    /// The behavior around None may change in the future.
4055    ///
4056    /// This can fail if the policy fails to parse.
4057    /// It can also fail if a template was passed in, as this function only accepts static
4058    /// policies
4059    pub fn parse(id: Option<PolicyId>, policy_src: impl AsRef<str>) -> Result<Self, ParseErrors> {
4060        let inline_ast = parser::parse_policy(id.map(Into::into), policy_src.as_ref())?;
4061        let (_, ast) = ast::Template::link_static_policy(inline_ast);
4062        Ok(Self {
4063            ast,
4064            lossless: LosslessPolicy::policy_or_template_text(Some(policy_src.as_ref())),
4065        })
4066    }
4067
4068    /// Create a `Policy` from its JSON representation.
4069    /// If `id` is Some, the policy will be given that Policy Id.
4070    /// If `id` is None, then "JSON policy" will be used.
4071    /// The behavior around None may change in the future.
4072    ///
4073    /// ```
4074    /// # use cedar_policy::{Policy, PolicyId};
4075    ///
4076    /// let json: serde_json::Value = serde_json::json!(
4077    ///        {
4078    ///            "effect":"permit",
4079    ///            "principal":{
4080    ///            "op":"==",
4081    ///            "entity":{
4082    ///                "type":"User",
4083    ///                "id":"bob"
4084    ///            }
4085    ///            },
4086    ///            "action":{
4087    ///            "op":"==",
4088    ///            "entity":{
4089    ///                "type":"Action",
4090    ///                "id":"view"
4091    ///            }
4092    ///            },
4093    ///            "resource":{
4094    ///            "op":"==",
4095    ///            "entity":{
4096    ///                "type":"Album",
4097    ///                "id":"trip"
4098    ///            }
4099    ///            },
4100    ///            "conditions":[
4101    ///            {
4102    ///                "kind":"when",
4103    ///                "body":{
4104    ///                   ">":{
4105    ///                        "left":{
4106    ///                        ".":{
4107    ///                            "left":{
4108    ///                                "Var":"principal"
4109    ///                            },
4110    ///                            "attr":"age"
4111    ///                        }
4112    ///                        },
4113    ///                        "right":{
4114    ///                        "Value":18
4115    ///                        }
4116    ///                    }
4117    ///                }
4118    ///            }
4119    ///            ]
4120    ///        }
4121    /// );
4122    /// let json_policy = Policy::from_json(None, json).unwrap();
4123    /// let src = r#"
4124    ///   permit(
4125    ///     principal == User::"bob",
4126    ///     action == Action::"view",
4127    ///     resource == Album::"trip"
4128    ///   )
4129    ///   when { principal.age > 18 };"#;
4130    /// let text_policy = Policy::parse(None, src).unwrap();
4131    /// assert_eq!(json_policy.to_json().unwrap(), text_policy.to_json().unwrap());
4132    /// ```
4133    pub fn from_json(
4134        id: Option<PolicyId>,
4135        json: serde_json::Value,
4136    ) -> Result<Self, PolicyFromJsonError> {
4137        let est: est::Policy = serde_json::from_value(json)
4138            .map_err(|e| entities_json_errors::JsonDeserializationError::Serde(e.into()))
4139            .map_err(cedar_policy_core::est::FromJsonError::from)?;
4140        Self::from_est(id, est)
4141    }
4142
4143    /// Get the valid [`RequestEnv`]s for this policy, according to the schema.
4144    ///
4145    /// That is, all the [`RequestEnv`]s in the schema for which this policy is
4146    /// not trivially false.
4147    pub fn get_valid_request_envs(&self, s: &Schema) -> impl Iterator<Item = RequestEnv> {
4148        get_valid_request_envs(self.ast.template(), s)
4149    }
4150
4151    /// Get all entity literals occuring in a `Policy`
4152    pub fn entity_literals(&self) -> Vec<EntityUid> {
4153        self.ast
4154            .condition()
4155            .subexpressions()
4156            .filter_map(|e| match e.expr_kind() {
4157                cedar_policy_core::ast::ExprKind::Lit(
4158                    cedar_policy_core::ast::Literal::EntityUID(euid),
4159                ) => Some(EntityUid((*euid).as_ref().clone())),
4160                _ => None,
4161            })
4162            .collect()
4163    }
4164
4165    /// Return a new policy where all occurrences of key `EntityUid`s are replaced by value `EntityUid`
4166    /// (as a single, non-sequential substitution).
4167    pub fn sub_entity_literals(
4168        &self,
4169        mapping: BTreeMap<EntityUid, EntityUid>,
4170    ) -> Result<Self, PolicyFromJsonError> {
4171        #[expect(
4172            clippy::expect_used,
4173            reason = "This can't fail for a policy that was already constructed"
4174        )]
4175        let cloned_est = self
4176            .lossless
4177            .est(|| self.ast.clone().into())
4178            .expect("Internal error, failed to construct est.");
4179
4180        let mapping = mapping.into_iter().map(|(k, v)| (k.0, v.0)).collect();
4181
4182        #[expect(
4183            clippy::expect_used,
4184            reason = "This can't fail for a policy that was already constructed"
4185        )]
4186        let est = cloned_est
4187            .sub_entity_literals(&mapping)
4188            .expect("Internal error, failed to sub entity literals.");
4189
4190        let ast = est
4191            .clone()
4192            .try_into_ast_policy(Some(self.ast.id().clone()))?;
4193
4194        Ok(Self {
4195            ast,
4196            lossless: LosslessPolicy::Est(est),
4197        })
4198    }
4199
4200    fn from_est(id: Option<PolicyId>, est: est::Policy) -> Result<Self, PolicyFromJsonError> {
4201        Ok(Self {
4202            ast: est.clone().try_into_ast_policy(id.map(PolicyId::into))?,
4203            lossless: LosslessPolicy::Est(est),
4204        })
4205    }
4206
4207    /// Get the JSON representation of this `Policy`.
4208    ///  ```
4209    /// # use cedar_policy::Policy;
4210    /// let src = r#"
4211    ///   permit(
4212    ///     principal == User::"bob",
4213    ///     action == Action::"view",
4214    ///     resource == Album::"trip"
4215    ///   )
4216    ///   when { principal.age > 18 };"#;
4217    ///
4218    /// let policy = Policy::parse(None, src).unwrap();
4219    /// println!("{}", policy);
4220    /// // convert the policy to JSON
4221    /// let json = policy.to_json().unwrap();
4222    /// println!("{}", json);
4223    /// assert_eq!(json, Policy::from_json(None, json.clone()).unwrap().to_json().unwrap());
4224    /// ```
4225    pub fn to_json(&self) -> Result<serde_json::Value, PolicyToJsonError> {
4226        let est = self.lossless.est(|| self.ast.clone().into())?;
4227        serde_json::to_value(est).map_err(Into::into)
4228    }
4229
4230    /// Get the human-readable Cedar syntax representation of this policy. This
4231    /// function is primarily intended for rendering JSON policies in the
4232    /// human-readable syntax, but it will also return the original policy text
4233    /// when given a policy parsed from the human-readable syntax.
4234    ///
4235    /// It will return `None` for linked policies because they cannot be
4236    /// directly rendered in Cedar syntax. You can instead render the unlinked
4237    /// template if you do not need to preserve links. If serializing links is
4238    /// important, then you will need to serialize the whole policy set
4239    /// containing the template and link to JSON (or protobuf).
4240    ///
4241    /// It also does not format the policy according to any particular rules.
4242    /// Policy formatting can be done through the Cedar policy CLI or
4243    /// the `cedar-policy-formatter` crate.
4244    pub fn to_cedar(&self) -> Option<String> {
4245        match &self.lossless {
4246            LosslessPolicy::Empty | LosslessPolicy::Est(_) | LosslessPolicy::Pst(_) => {
4247                Some(self.ast.to_string())
4248            }
4249            LosslessPolicy::Text { text, slots } => {
4250                if slots.is_empty() {
4251                    Some(text.clone())
4252                } else {
4253                    None
4254                }
4255            }
4256        }
4257    }
4258
4259    /// Get the PST representation of this policy.
4260    pub fn to_pst(&self) -> Result<pst::Policy, pst::PstConstructionError> {
4261        self.lossless
4262            .pst(|| pst::Policy::try_from(self.ast.clone()))
4263            .map(|p| p.new_id(self.ast.id().clone().into()))
4264    }
4265
4266    /// Get an owned PST representation of this policy. May return an error when the policy
4267    /// has been constructed from a different representation that is not a valid Cedar policy.
4268    pub fn try_into_pst(self) -> Result<pst::Policy, pst::PstConstructionError> {
4269        self.lossless
4270            .try_into_pst(|| pst::Policy::try_from(self.ast.clone()))
4271    }
4272
4273    /// Get all the unknown entities from the policy
4274    #[doc = include_str!("../experimental_warning.md")]
4275    #[cfg(feature = "partial-eval")]
4276    pub fn unknown_entities(&self) -> HashSet<EntityUid> {
4277        self.ast
4278            .unknown_entities()
4279            .into_iter()
4280            .map(Into::into)
4281            .collect()
4282    }
4283
4284    /// Create a `Policy` from its AST representation only. The `LosslessPolicy`
4285    /// will reflect the AST structure. When possible, don't use this method and
4286    /// create the `Policy` from the policy text, CST, or EST instead, as the
4287    /// conversion to AST is lossy. ESTs for policies generated by this method
4288    /// will reflect the AST and not the original policy syntax.
4289    pub(crate) fn from_ast(ast: ast::Policy) -> Self {
4290        // In from_ast we have choices in the LosslessPolicy representation:
4291        // - eagerly choose one representation and store it. If the consumer actually
4292        //.  wants that representation, we saved time.
4293        // - do not pick a representation, and trigger the conversion from AST every time
4294        //.  the consumer needs a particular representation (test, EST or PST).
4295        //
4296        // A previous implementation stored the text printed to the ast, but this creates
4297        // some overhead when calling `from_ast` (printing). Converting to any non-text
4298        // representation is also expensive compared to AST to other syntax tree conversions.
4299        //
4300        // This implementation now picks LosslessPolicy::Empty, the cost of printing/converting
4301        // is only paid when the consumer actually needs the representation.
4302        //
4303        // Benchmarked some choices in `benches/from_ast.rs`: the new path is ~22–190×
4304        // faster than the old to_string + re-parse path on the sample of 4 policies.
4305        Self {
4306            ast,
4307            lossless: LosslessPolicy::Empty,
4308        }
4309    }
4310}
4311
4312impl std::fmt::Display for Policy {
4313    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
4314        // prefer to display the lossless format
4315        self.lossless.fmt(|| self.ast.clone().into(), f)
4316    }
4317}
4318
4319impl FromStr for Policy {
4320    type Err = ParseErrors;
4321    /// Create a policy
4322    ///
4323    /// Important note: Policies have ids, but this interface does not
4324    /// allow them to be set. It will use the default "policy0", which
4325    /// may cause id conflicts if not handled. Use `Policy::parse` to set
4326    /// the id when parsing, or `Policy::new_id` to clone a policy with
4327    /// a new id.
4328    fn from_str(policy: &str) -> Result<Self, Self::Err> {
4329        Self::parse(None, policy)
4330    }
4331}
4332
4333/// Lossless representation of a template (no slot values).
4334/// See comments on [`Template`].
4335#[derive(Debug, Clone)]
4336pub(crate) enum LosslessTemplate {
4337    /// An empty representation
4338    Empty,
4339    /// EST representation
4340    Est(est::Policy),
4341    /// PST representation
4342    Pst(pst::Template),
4343    /// Text representation (templates never carry slot values)
4344    Text(String),
4345}
4346
4347impl LosslessTemplate {
4348    /// Create a new `LosslessTemplate` from the text of a template.
4349    fn from_text(text: Option<impl Into<String>>) -> Self {
4350        text.map_or(Self::Empty, |text| Self::Text(text.into()))
4351    }
4352
4353    /// Clone this `LosslessTemplate` with a new policy ID.
4354    /// Only the PST variant embeds the ID; other variants are unaffected.
4355    fn new_id(&self, id: PolicyId) -> Self {
4356        match self {
4357            Self::Pst(pst) => {
4358                let mut pst = pst.clone();
4359                pst.id = id.into();
4360                Self::Pst(pst)
4361            }
4362            other => other.clone(),
4363        }
4364    }
4365
4366    /// Get the EST representation of this template.
4367    fn est(
4368        &self,
4369        fallback_est: impl FnOnce() -> est::Policy,
4370    ) -> Result<est::Policy, PolicyToJsonError> {
4371        match self {
4372            Self::Empty => Ok(fallback_est()),
4373            Self::Est(est) => Ok(est.clone()),
4374            Self::Pst(pst) => Ok(pst.clone().try_into()?),
4375            Self::Text(text) => {
4376                Ok(parser::parse_policy_or_template_to_est(text).map_err(ParseErrors::from)?)
4377            }
4378        }
4379    }
4380
4381    /// Get the PST representation of this template.
4382    fn pst(
4383        &self,
4384        fallback_pst: impl FnOnce() -> Result<pst::Template, pst::PstConstructionError>,
4385    ) -> Result<pst::Template, pst::PstConstructionError> {
4386        match self {
4387            Self::Empty => fallback_pst(),
4388            Self::Est(est) => Ok(est.clone().try_into()?),
4389            Self::Pst(pst) => Ok(pst.clone()),
4390            Self::Text(text) => Ok(parser::parse_policy_or_template_to_est(text)?.try_into()?),
4391        }
4392    }
4393
4394    /// Get an owned PST representation of this template.
4395    fn try_into_pst(
4396        self,
4397        fallback_pst: impl FnOnce() -> Result<pst::Template, pst::PstConstructionError>,
4398    ) -> Result<pst::Template, pst::PstConstructionError> {
4399        match self {
4400            Self::Empty => fallback_pst(),
4401            Self::Est(est) => Ok(est.try_into()?),
4402            Self::Pst(pst) => Ok(pst),
4403            Self::Text(text) => Ok(parser::parse_policy_or_template_to_est(&text)?.try_into()?),
4404        }
4405    }
4406
4407    /// Link this template with slot values, producing a [`LosslessPolicy`].
4408    fn link<'a>(
4409        self,
4410        link_id: ast::PolicyID,
4411        vals: impl IntoIterator<Item = (ast::SlotId, &'a ast::EntityUID)>,
4412    ) -> Result<LosslessPolicy, est::LinkingError> {
4413        match self {
4414            Self::Empty => Ok(LosslessPolicy::Empty),
4415            Self::Est(est) => {
4416                let unwrapped_vals: HashMap<
4417                    ast::SlotId,
4418                    cedar_policy_core::entities::EntityUidJson,
4419                > = vals.into_iter().map(|(k, v)| (k, v.into())).collect();
4420                Ok(LosslessPolicy::Est(est.link(&unwrapped_vals)?))
4421            }
4422            Self::Pst(template) => {
4423                let values: HashMap<pst::SlotId, pst::EntityUID> = vals
4424                    .into_iter()
4425                    .map(|(k, v)| (k.into(), v.clone().into()))
4426                    .collect();
4427                let pst_policy = pst::LinkedPolicy::new(Arc::new(template), values, link_id.into())
4428                    .map_err(est::LinkingError::from)?;
4429                Ok(LosslessPolicy::Pst(pst::Policy::Linked(pst_policy)))
4430            }
4431            Self::Text(text) => {
4432                let slots = vals.into_iter().map(|(k, v)| (k, v.clone())).collect();
4433                Ok(LosslessPolicy::Text { text, slots })
4434            }
4435        }
4436    }
4437
4438    fn fmt(
4439        &self,
4440        fallback_est: impl FnOnce() -> est::Policy,
4441        f: &mut std::fmt::Formatter<'_>,
4442    ) -> std::fmt::Result {
4443        match self {
4444            Self::Empty => match self.est(fallback_est) {
4445                Ok(est) => write!(f, "{est}"),
4446                Err(e) => write!(f, "<invalid policy: {e}>"),
4447            },
4448            Self::Pst(pst) => write!(f, "{pst}"), // PST -> EST conversion in display
4449            Self::Est(est) => write!(f, "{est}"),
4450            Self::Text(text) => write!(f, "{text}"),
4451        }
4452    }
4453}
4454
4455/// Lossless representation of a static or linked policy.
4456/// See comments on [`Policy`].
4457#[derive(Debug, Clone)]
4458pub(crate) enum LosslessPolicy {
4459    /// An empty representation
4460    Empty,
4461    /// EST representation
4462    Est(est::Policy),
4463    /// PST representation
4464    Pst(pst::Policy),
4465    /// Text representation
4466    Text {
4467        /// actual policy text
4468        text: String,
4469        /// For linked policies, map of slot to UID. Static policies have an
4470        /// empty map here.
4471        slots: HashMap<ast::SlotId, ast::EntityUID>,
4472    },
4473}
4474
4475impl LosslessPolicy {
4476    /// Create a new `LosslessPolicy` from the text of a policy.
4477    fn policy_or_template_text(text: Option<impl Into<String>>) -> Self {
4478        text.map_or(Self::Empty, |text| Self::Text {
4479            text: text.into(),
4480            slots: HashMap::new(),
4481        })
4482    }
4483
4484    /// Clone this `LosslessPolicy` with a new policy ID.
4485    /// Only the PST variant embeds the ID; other variants are unaffected.
4486    fn new_id(&self, id: PolicyId) -> Self {
4487        match self {
4488            Self::Pst(pst) => Self::Pst(pst.new_id(id.into())),
4489            other => other.clone(),
4490        }
4491    }
4492
4493    /// Get the EST representation of this policy.
4494    fn est(
4495        &self,
4496        fallback_est: impl FnOnce() -> est::Policy,
4497    ) -> Result<est::Policy, PolicyToJsonError> {
4498        match self {
4499            Self::Empty => Ok(fallback_est()),
4500            Self::Est(est) => Ok(est.clone()),
4501            Self::Pst(pst) => {
4502                // Convert the effective body (with slots resolved for linked policies) to EST
4503                // (same behavior as policies from text)
4504                match pst {
4505                    pst::Policy::Static(sp) => Ok(sp.body().clone().try_into()?),
4506                    pst::Policy::Linked(lp) => {
4507                        let static_policy = lp.into_static_policy()?;
4508                        Ok(static_policy.body().clone().try_into()?)
4509                    }
4510                }
4511            }
4512            Self::Text { text, slots } => {
4513                let est =
4514                    parser::parse_policy_or_template_to_est(text).map_err(ParseErrors::from)?;
4515                if slots.is_empty() {
4516                    Ok(est)
4517                } else {
4518                    let unwrapped_vals = slots.iter().map(|(k, v)| (*k, v.into())).collect();
4519                    Ok(est.link(&unwrapped_vals)?)
4520                }
4521            }
4522        }
4523    }
4524
4525    /// Get the PST representation of this policy.
4526    fn pst(
4527        &self,
4528        fallback_pst: impl FnOnce() -> Result<pst::Policy, pst::PstConstructionError>,
4529    ) -> Result<pst::Policy, pst::PstConstructionError> {
4530        match self {
4531            Self::Empty => fallback_pst(),
4532            Self::Est(est) => {
4533                let template: pst::Template = est.clone().try_into()?;
4534                Ok(pst::Policy::Static(pst::StaticPolicy::try_from(template)?))
4535            }
4536            Self::Pst(pst) => Ok(pst.clone()),
4537            Self::Text { text, slots } => {
4538                let template: pst::Template =
4539                    parser::parse_policy_or_template_to_est(text)?.try_into()?;
4540                if slots.is_empty() {
4541                    Ok(pst::Policy::Static(pst::StaticPolicy::try_from(template)?))
4542                } else {
4543                    let pst_vals: HashMap<pst::SlotId, pst::EntityUID> = slots
4544                        .iter()
4545                        .map(|(k, v)| ((*k).into(), v.clone().into()))
4546                        .collect();
4547                    let static_policy = template.link(&pst_vals)?;
4548                    Ok(pst::Policy::Static(static_policy))
4549                }
4550            }
4551        }
4552    }
4553
4554    /// Get an owned PST representation of this policy.
4555    fn try_into_pst(
4556        self,
4557        fallback_pst: impl FnOnce() -> Result<pst::Policy, pst::PstConstructionError>,
4558    ) -> Result<pst::Policy, pst::PstConstructionError> {
4559        match self {
4560            Self::Empty => fallback_pst(),
4561            Self::Est(est) => {
4562                let template: pst::Template = est.try_into()?;
4563                Ok(pst::Policy::Static(pst::StaticPolicy::try_from(template)?))
4564            }
4565            Self::Pst(pst) => Ok(pst),
4566            Self::Text { text, slots } => {
4567                let template: pst::Template =
4568                    parser::parse_policy_or_template_to_est(&text)?.try_into()?;
4569                if slots.is_empty() {
4570                    Ok(pst::Policy::Static(pst::StaticPolicy::try_from(template)?))
4571                } else {
4572                    let pst_vals: HashMap<pst::SlotId, pst::EntityUID> = slots
4573                        .into_iter()
4574                        .map(|(k, v)| (pst::SlotId::from(k), v.into()))
4575                        .collect();
4576                    let static_policy = template.link(&pst_vals)?;
4577                    Ok(pst::Policy::Static(static_policy))
4578                }
4579            }
4580        }
4581    }
4582
4583    fn fmt(
4584        &self,
4585        fallback_est: impl FnOnce() -> est::Policy,
4586        f: &mut std::fmt::Formatter<'_>,
4587    ) -> std::fmt::Result {
4588        match self {
4589            Self::Empty => match self.est(fallback_est) {
4590                Ok(est) => write!(f, "{est}"),
4591                Err(e) => write!(f, "<invalid policy: {e}>"),
4592            },
4593            Self::Pst(pst) => write!(f, "{pst}"), // Does PST -> EST
4594            Self::Est(est) => write!(f, "{est}"),
4595            Self::Text { text, slots } => {
4596                if slots.is_empty() {
4597                    write!(f, "{text}")
4598                } else {
4599                    match self.est(fallback_est) {
4600                        Ok(est) => write!(f, "{est}"),
4601                        Err(e) => write!(f, "<invalid linked policy: {e}>"),
4602                    }
4603                }
4604            }
4605        }
4606    }
4607}
4608
4609/// Expressions to be evaluated
4610#[repr(transparent)]
4611#[derive(Debug, Clone, RefCast)]
4612pub struct Expression(pub(crate) ast::Expr);
4613
4614#[doc(hidden)] // because this converts to a private/internal type
4615impl AsRef<ast::Expr> for Expression {
4616    fn as_ref(&self) -> &ast::Expr {
4617        &self.0
4618    }
4619}
4620
4621#[doc(hidden)]
4622impl From<ast::Expr> for Expression {
4623    fn from(expr: ast::Expr) -> Self {
4624        Self(expr)
4625    }
4626}
4627
4628impl Expression {
4629    /// Create an expression representing a literal string.
4630    pub fn new_string(value: String) -> Self {
4631        Self(ast::Expr::val(value))
4632    }
4633
4634    /// Create an expression representing a literal bool.
4635    pub fn new_bool(value: bool) -> Self {
4636        Self(ast::Expr::val(value))
4637    }
4638
4639    /// Create an expression representing a literal long.
4640    pub fn new_long(value: ast::Integer) -> Self {
4641        Self(ast::Expr::val(value))
4642    }
4643
4644    /// Create an expression representing a record.
4645    ///
4646    /// Error if any key appears two or more times in `fields`.
4647    pub fn new_record(
4648        fields: impl IntoIterator<Item = (String, Self)>,
4649    ) -> Result<Self, ExpressionConstructionError> {
4650        Ok(Self(ast::Expr::record(
4651            fields.into_iter().map(|(k, v)| (SmolStr::from(k), v.0)),
4652        )?))
4653    }
4654
4655    /// Create an expression representing a Set.
4656    pub fn new_set(values: impl IntoIterator<Item = Self>) -> Self {
4657        Self(ast::Expr::set(values.into_iter().map(|v| v.0)))
4658    }
4659
4660    /// Create an expression representing an ip address.
4661    /// This function does not perform error checking on the source string,
4662    /// it creates an expression that calls the `ip` constructor.
4663    pub fn new_ip(src: impl AsRef<str>) -> Self {
4664        let src_expr = ast::Expr::val(src.as_ref());
4665        Self(ast::Expr::call_extension_fn(
4666            ip_extension_name(),
4667            vec![src_expr],
4668        ))
4669    }
4670
4671    /// Create an expression representing a fixed precision decimal number.
4672    /// This function does not perform error checking on the source string,
4673    /// it creates an expression that calls the `decimal` constructor.
4674    pub fn new_decimal(src: impl AsRef<str>) -> Self {
4675        let src_expr = ast::Expr::val(src.as_ref());
4676        Self(ast::Expr::call_extension_fn(
4677            decimal_extension_name(),
4678            vec![src_expr],
4679        ))
4680    }
4681
4682    /// Create an expression representing a particular instant of time.
4683    /// This function does not perform error checking on the source string,
4684    /// it creates an expression that calls the `datetime` constructor.
4685    pub fn new_datetime(src: impl AsRef<str>) -> Self {
4686        let src_expr = ast::Expr::val(src.as_ref());
4687        Self(ast::Expr::call_extension_fn(
4688            datetime_extension_name(),
4689            vec![src_expr],
4690        ))
4691    }
4692
4693    /// Create an expression representing a duration of time.
4694    /// This function does not perform error checking on the source string,
4695    /// it creates an expression that calls the `datetime` constructor.
4696    pub fn new_duration(src: impl AsRef<str>) -> Self {
4697        let src_expr = ast::Expr::val(src.as_ref());
4698        Self(ast::Expr::call_extension_fn(
4699            duration_extension_name(),
4700            vec![src_expr],
4701        ))
4702    }
4703}
4704
4705#[cfg(test)]
4706impl Expression {
4707    /// Deconstruct an [`Expression`] to get the internal type.
4708    /// This function is only intended to be used internally.
4709    pub(crate) fn into_inner(self) -> ast::Expr {
4710        self.0
4711    }
4712}
4713
4714impl FromStr for Expression {
4715    type Err = ParseErrors;
4716
4717    /// create an Expression using Cedar syntax
4718    fn from_str(expression: &str) -> Result<Self, Self::Err> {
4719        ast::Expr::from_str(expression)
4720            .map(Expression)
4721            .map_err(Into::into)
4722    }
4723}
4724
4725impl std::fmt::Display for Expression {
4726    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
4727        write!(f, "{}", &self.0)
4728    }
4729}
4730
4731/// "Restricted" expressions are used for attribute values and `context`.
4732///
4733/// Restricted expressions can contain only the following:
4734///   - bool, int, and string literals
4735///   - literal `EntityUid`s such as `User::"alice"`
4736///   - extension function calls, where the arguments must be other things
4737///     on this list
4738///   - set and record literals, where the values must be other things on
4739///     this list
4740///
4741/// That means the following are not allowed in restricted expressions:
4742///   - `principal`, `action`, `resource`, `context`
4743///   - builtin operators and functions, including `.`, `in`, `has`, `like`,
4744///     `.contains()`
4745///   - if-then-else expressions
4746#[repr(transparent)]
4747#[derive(Debug, Clone, RefCast, PartialEq, Eq)]
4748pub struct RestrictedExpression(pub(crate) ast::RestrictedExpr);
4749
4750#[doc(hidden)] // because this converts to a private/internal type
4751impl AsRef<ast::RestrictedExpr> for RestrictedExpression {
4752    fn as_ref(&self) -> &ast::RestrictedExpr {
4753        &self.0
4754    }
4755}
4756
4757#[doc(hidden)]
4758impl From<ast::RestrictedExpr> for RestrictedExpression {
4759    fn from(expr: ast::RestrictedExpr) -> Self {
4760        Self(expr)
4761    }
4762}
4763
4764impl RestrictedExpression {
4765    /// Create an expression representing a literal string.
4766    pub fn new_string(value: String) -> Self {
4767        Self(ast::RestrictedExpr::val(value))
4768    }
4769
4770    /// Create an expression representing a literal bool.
4771    pub fn new_bool(value: bool) -> Self {
4772        Self(ast::RestrictedExpr::val(value))
4773    }
4774
4775    /// Create an expression representing a literal long.
4776    pub fn new_long(value: ast::Integer) -> Self {
4777        Self(ast::RestrictedExpr::val(value))
4778    }
4779
4780    /// Create an expression representing a literal `EntityUid`.
4781    pub fn new_entity_uid(value: EntityUid) -> Self {
4782        Self(ast::RestrictedExpr::val(ast::EntityUID::from(value)))
4783    }
4784
4785    /// Create an expression representing a record.
4786    ///
4787    /// Error if any key appears two or more times in `fields`.
4788    pub fn new_record(
4789        fields: impl IntoIterator<Item = (String, Self)>,
4790    ) -> Result<Self, ExpressionConstructionError> {
4791        Ok(Self(ast::RestrictedExpr::record(
4792            fields.into_iter().map(|(k, v)| (SmolStr::from(k), v.0)),
4793        )?))
4794    }
4795
4796    /// Create an expression representing a Set.
4797    pub fn new_set(values: impl IntoIterator<Item = Self>) -> Self {
4798        Self(ast::RestrictedExpr::set(values.into_iter().map(|v| v.0)))
4799    }
4800
4801    /// Create an expression representing an ip address.
4802    /// This function does not perform error checking on the source string,
4803    /// it creates an expression that calls the `ip` constructor.
4804    pub fn new_ip(src: impl AsRef<str>) -> Self {
4805        let src_expr = ast::RestrictedExpr::val(src.as_ref());
4806        Self(ast::RestrictedExpr::call_extension_fn(
4807            ip_extension_name(),
4808            [src_expr],
4809        ))
4810    }
4811
4812    /// Create an expression representing a fixed precision decimal number.
4813    /// This function does not perform error checking on the source string,
4814    /// it creates an expression that calls the `decimal` constructor.
4815    pub fn new_decimal(src: impl AsRef<str>) -> Self {
4816        let src_expr = ast::RestrictedExpr::val(src.as_ref());
4817        Self(ast::RestrictedExpr::call_extension_fn(
4818            decimal_extension_name(),
4819            [src_expr],
4820        ))
4821    }
4822
4823    /// Create an expression representing a particular instant of time.
4824    /// This function does not perform error checking on the source string,
4825    /// it creates an expression that calls the `datetime` constructor.
4826    pub fn new_datetime(src: impl AsRef<str>) -> Self {
4827        let src_expr = ast::RestrictedExpr::val(src.as_ref());
4828        Self(ast::RestrictedExpr::call_extension_fn(
4829            datetime_extension_name(),
4830            [src_expr],
4831        ))
4832    }
4833
4834    /// Create an expression representing a duration of time.
4835    /// This function does not perform error checking on the source string,
4836    /// it creates an expression that calls the `datetime` constructor.
4837    pub fn new_duration(src: impl AsRef<str>) -> Self {
4838        let src_expr = ast::RestrictedExpr::val(src.as_ref());
4839        Self(ast::RestrictedExpr::call_extension_fn(
4840            duration_extension_name(),
4841            [src_expr],
4842        ))
4843    }
4844
4845    /// Create an unknown expression
4846    #[cfg(feature = "partial-eval")]
4847    pub fn new_unknown(name: impl AsRef<str>) -> Self {
4848        Self(ast::RestrictedExpr::unknown(ast::Unknown::new_untyped(
4849            name.as_ref(),
4850        )))
4851    }
4852}
4853
4854#[cfg(test)]
4855impl RestrictedExpression {
4856    /// Deconstruct an [`RestrictedExpression`] to get the internal type.
4857    /// This function is only intended to be used internally.
4858    pub(crate) fn into_inner(self) -> ast::RestrictedExpr {
4859        self.0
4860    }
4861}
4862
4863fn decimal_extension_name() -> ast::Name {
4864    #[expect(
4865        clippy::unwrap_used,
4866        reason = "This is a constant and is known to be safe, verified by a test"
4867    )]
4868    ast::Name::unqualified_name("decimal".parse().unwrap())
4869}
4870
4871fn ip_extension_name() -> ast::Name {
4872    #[expect(
4873        clippy::unwrap_used,
4874        reason = "This is a constant and is known to be safe, verified by a test"
4875    )]
4876    ast::Name::unqualified_name("ip".parse().unwrap())
4877}
4878
4879fn datetime_extension_name() -> ast::Name {
4880    #[expect(
4881        clippy::unwrap_used,
4882        reason = "This is a constant and is known to be safe, verified by a test"
4883    )]
4884    ast::Name::unqualified_name("datetime".parse().unwrap())
4885}
4886
4887fn duration_extension_name() -> ast::Name {
4888    #[expect(
4889        clippy::unwrap_used,
4890        reason = "This is a constant and is known to be safe, verified by a test"
4891    )]
4892    ast::Name::unqualified_name("duration".parse().unwrap())
4893}
4894
4895impl FromStr for RestrictedExpression {
4896    type Err = RestrictedExpressionParseError;
4897
4898    /// create a `RestrictedExpression` using Cedar syntax
4899    fn from_str(expression: &str) -> Result<Self, Self::Err> {
4900        ast::RestrictedExpr::from_str(expression)
4901            .map(RestrictedExpression)
4902            .map_err(Into::into)
4903    }
4904}
4905
4906/// Builder for a [`Request`]
4907///
4908/// The default for principal, action, resource, and context fields is Unknown
4909/// for partial evaluation.
4910#[doc = include_str!("../experimental_warning.md")]
4911#[cfg(feature = "partial-eval")]
4912#[derive(Debug, Clone)]
4913pub struct RequestBuilder<S> {
4914    principal: ast::EntityUIDEntry,
4915    action: ast::EntityUIDEntry,
4916    resource: ast::EntityUIDEntry,
4917    /// Here, `None` means unknown
4918    context: Option<ast::Context>,
4919    schema: S,
4920}
4921
4922/// A marker type that indicates [`Schema`] is not set for a request
4923#[doc = include_str!("../experimental_warning.md")]
4924#[cfg(feature = "partial-eval")]
4925#[derive(Debug, Clone, Copy)]
4926pub struct UnsetSchema;
4927
4928#[cfg(feature = "partial-eval")]
4929impl Default for RequestBuilder<UnsetSchema> {
4930    fn default() -> Self {
4931        Self {
4932            principal: ast::EntityUIDEntry::unknown(),
4933            action: ast::EntityUIDEntry::unknown(),
4934            resource: ast::EntityUIDEntry::unknown(),
4935            context: None,
4936            schema: UnsetSchema,
4937        }
4938    }
4939}
4940
4941#[cfg(feature = "partial-eval")]
4942impl<S> RequestBuilder<S> {
4943    /// Set the principal.
4944    ///
4945    /// Note that you can create the `EntityUid` using `.parse()` on any
4946    /// string (via the `FromStr` implementation for `EntityUid`).
4947    #[must_use]
4948    pub fn principal(self, principal: EntityUid) -> Self {
4949        Self {
4950            principal: ast::EntityUIDEntry::known(principal.into(), None),
4951            ..self
4952        }
4953    }
4954
4955    /// Set the principal to be unknown, but known to belong to a certain entity type.
4956    ///
4957    /// This information is taken into account when evaluating 'is', '==' and '!=' expressions.
4958    #[must_use]
4959    pub fn unknown_principal_with_type(self, principal_type: EntityTypeName) -> Self {
4960        Self {
4961            principal: ast::EntityUIDEntry::unknown_with_type(principal_type.0, None),
4962            ..self
4963        }
4964    }
4965
4966    /// Set the action.
4967    ///
4968    /// Note that you can create the `EntityUid` using `.parse()` on any
4969    /// string (via the `FromStr` implementation for `EntityUid`).
4970    #[must_use]
4971    pub fn action(self, action: EntityUid) -> Self {
4972        Self {
4973            action: ast::EntityUIDEntry::known(action.into(), None),
4974            ..self
4975        }
4976    }
4977
4978    /// Set the resource.
4979    ///
4980    /// Note that you can create the `EntityUid` using `.parse()` on any
4981    /// string (via the `FromStr` implementation for `EntityUid`).
4982    #[must_use]
4983    pub fn resource(self, resource: EntityUid) -> Self {
4984        Self {
4985            resource: ast::EntityUIDEntry::known(resource.into(), None),
4986            ..self
4987        }
4988    }
4989
4990    /// Set the resource to be unknown, but known to belong to a certain entity type.
4991    ///
4992    /// This information is taken into account when evaluating 'is', '==' and '!=' expressions.
4993    #[must_use]
4994    pub fn unknown_resource_with_type(self, resource_type: EntityTypeName) -> Self {
4995        Self {
4996            resource: ast::EntityUIDEntry::unknown_with_type(resource_type.0, None),
4997            ..self
4998        }
4999    }
5000
5001    /// Set the context.
5002    #[must_use]
5003    pub fn context(self, context: Context) -> Self {
5004        Self {
5005            context: Some(context.0),
5006            ..self
5007        }
5008    }
5009}
5010
5011#[cfg(feature = "partial-eval")]
5012impl RequestBuilder<UnsetSchema> {
5013    /// Set the schema. If present, this will be used for request validation.
5014    #[must_use]
5015    pub fn schema(self, schema: &Schema) -> RequestBuilder<&Schema> {
5016        RequestBuilder {
5017            principal: self.principal,
5018            action: self.action,
5019            resource: self.resource,
5020            context: self.context,
5021            schema,
5022        }
5023    }
5024
5025    /// Create the [`Request`]
5026    pub fn build(self) -> Request {
5027        Request(ast::Request::new_unchecked(
5028            self.principal,
5029            self.action,
5030            self.resource,
5031            self.context,
5032        ))
5033    }
5034}
5035
5036#[cfg(feature = "partial-eval")]
5037impl RequestBuilder<&Schema> {
5038    /// Create the [`Request`]
5039    pub fn build(self) -> Result<Request, RequestValidationError> {
5040        Ok(Request(ast::Request::new_with_unknowns(
5041            self.principal,
5042            self.action,
5043            self.resource,
5044            self.context,
5045            Some(&self.schema.0),
5046            Extensions::all_available(),
5047        )?))
5048    }
5049}
5050
5051/// An authorization request is a tuple `<P, A, R, C>` where
5052/// * P is the principal [`EntityUid`],
5053/// * A is the action [`EntityUid`],
5054/// * R is the resource [`EntityUid`], and
5055/// * C is the request [`Context`] record.
5056///
5057/// It represents an authorization request asking the question, "Can this
5058/// principal take this action on this resource in this context?"
5059#[repr(transparent)]
5060#[derive(Debug, Clone, RefCast)]
5061pub struct Request(pub(crate) ast::Request);
5062
5063#[doc(hidden)] // because this converts to a private/internal type
5064impl AsRef<ast::Request> for Request {
5065    fn as_ref(&self) -> &ast::Request {
5066        &self.0
5067    }
5068}
5069
5070#[doc(hidden)]
5071impl From<ast::Request> for Request {
5072    fn from(req: ast::Request) -> Self {
5073        Self(req)
5074    }
5075}
5076
5077impl PartialEq for Request {
5078    fn eq(&self, other: &Self) -> bool {
5079        self.principal() == other.principal()
5080            && self.action() == other.action()
5081            && self.resource() == other.resource()
5082            && self.context() == other.context()
5083    }
5084}
5085
5086impl Request {
5087    /// Create a [`RequestBuilder`]
5088    #[doc = include_str!("../experimental_warning.md")]
5089    #[cfg(feature = "partial-eval")]
5090    pub fn builder() -> RequestBuilder<UnsetSchema> {
5091        RequestBuilder::default()
5092    }
5093
5094    /// Create a Request.
5095    ///
5096    /// Note that you can create the `EntityUid`s using `.parse()` on any
5097    /// string (via the `FromStr` implementation for `EntityUid`).
5098    /// The principal, action, and resource fields are optional to support
5099    /// the case where these fields do not contribute to authorization
5100    /// decisions (e.g., because they are not used in your policies).
5101    /// If any of the fields are `None`, we will automatically generate
5102    /// a unique entity UID that is not equal to any UID in the store.
5103    ///
5104    /// If `schema` is present, this constructor will validate that the
5105    /// `Request` complies with the given `schema`.
5106    pub fn new(
5107        principal: EntityUid,
5108        action: EntityUid,
5109        resource: EntityUid,
5110        context: Context,
5111        schema: Option<&Schema>,
5112    ) -> Result<Self, RequestValidationError> {
5113        Ok(Self(ast::Request::new(
5114            (principal.into(), None),
5115            (action.into(), None),
5116            (resource.into(), None),
5117            context.0,
5118            schema.map(|schema| &schema.0),
5119            Extensions::all_available(),
5120        )?))
5121    }
5122
5123    /// Get the context component of the request. Returns `None` if the context is
5124    /// "unknown" (i.e., constructed using the partial evaluation APIs).
5125    pub fn context(&self) -> Option<&Context> {
5126        self.0.context().map(Context::ref_cast)
5127    }
5128
5129    /// Get the principal component of the request. Returns `None` if the principal is
5130    /// "unknown" (i.e., constructed using the partial evaluation APIs).
5131    pub fn principal(&self) -> Option<&EntityUid> {
5132        match self.0.principal() {
5133            ast::EntityUIDEntry::Known { euid, .. } => Some(EntityUid::ref_cast(euid.as_ref())),
5134            ast::EntityUIDEntry::Unknown { .. } => None,
5135        }
5136    }
5137
5138    /// Get the action component of the request. Returns `None` if the action is
5139    /// "unknown" (i.e., constructed using the partial evaluation APIs).
5140    pub fn action(&self) -> Option<&EntityUid> {
5141        match self.0.action() {
5142            ast::EntityUIDEntry::Known { euid, .. } => Some(EntityUid::ref_cast(euid.as_ref())),
5143            ast::EntityUIDEntry::Unknown { .. } => None,
5144        }
5145    }
5146
5147    /// Get the resource component of the request. Returns `None` if the resource is
5148    /// "unknown" (i.e., constructed using the partial evaluation APIs).
5149    pub fn resource(&self) -> Option<&EntityUid> {
5150        match self.0.resource() {
5151            ast::EntityUIDEntry::Known { euid, .. } => Some(EntityUid::ref_cast(euid.as_ref())),
5152            ast::EntityUIDEntry::Unknown { .. } => None,
5153        }
5154    }
5155}
5156
5157/// the Context object for an authorization request
5158#[repr(transparent)]
5159#[derive(Debug, Clone, PartialEq, Eq, RefCast)]
5160pub struct Context(ast::Context);
5161
5162#[doc(hidden)] // because this converts to a private/internal type
5163impl AsRef<ast::Context> for Context {
5164    fn as_ref(&self) -> &ast::Context {
5165        &self.0
5166    }
5167}
5168
5169impl Context {
5170    /// Create an empty `Context`
5171    /// ```
5172    /// # use cedar_policy::Context;
5173    /// let context = Context::empty();
5174    /// # assert_eq!(context.into_iter().next(), None);
5175    /// ```
5176    pub fn empty() -> Self {
5177        Self(ast::Context::empty())
5178    }
5179
5180    /// Create a `Context` from a map of key to "restricted expression",
5181    /// or a Vec of `(key, restricted expression)` pairs, or any other iterator
5182    /// of `(key, restricted expression)` pairs.
5183    /// ```
5184    /// # use cedar_policy::{Context, EntityUid, RestrictedExpression, Request};
5185    /// # use std::str::FromStr;
5186    /// let context = Context::from_pairs([
5187    ///   ("key".to_string(), RestrictedExpression::from_str(r#""value""#).unwrap()),
5188    ///   ("age".to_string(), RestrictedExpression::from_str("18").unwrap()),
5189    /// ]).unwrap();
5190    /// # // create a request
5191    /// # let p = EntityUid::from_str(r#"User::"alice""#).unwrap();
5192    /// # let a = EntityUid::from_str(r#"Action::"view""#).unwrap();
5193    /// # let r = EntityUid::from_str(r#"Album::"trip""#).unwrap();
5194    /// # let request: Request = Request::new(p, a, r, context, None).unwrap();
5195    /// ```
5196    pub fn from_pairs(
5197        pairs: impl IntoIterator<Item = (String, RestrictedExpression)>,
5198    ) -> Result<Self, ContextCreationError> {
5199        Ok(Self(ast::Context::from_pairs(
5200            pairs.into_iter().map(|(k, v)| (SmolStr::from(k), v.0)),
5201            Extensions::all_available(),
5202        )?))
5203    }
5204
5205    /// Retrieves a value from the Context by its key.
5206    ///
5207    /// # Arguments
5208    ///
5209    /// * `key` - The key to look up in the context
5210    ///
5211    /// # Returns
5212    ///
5213    /// * `Some(EvalResult)` - If the key exists in the context, returns its value
5214    /// * `None` - If the key doesn't exist or if the context is not a Value type
5215    ///
5216    /// # Examples
5217    ///
5218    /// ```
5219    /// # use cedar_policy::{Context, Request, EntityUid};
5220    /// # use std::str::FromStr;
5221    /// let context = Context::from_json_str(r#"{"rayId": "abc123"}"#, None).unwrap();
5222    /// if let Some(value) = context.get("rayId") {
5223    ///     // value here is an EvalResult, convertible from the internal Value type
5224    ///     println!("Found value: {:?}", value);
5225    /// }
5226    /// assert_eq!(context.get("nonexistent"), None);
5227    /// ```
5228    pub fn get(&self, key: &str) -> Option<EvalResult> {
5229        match &self.0 {
5230            ast::Context::Value(map) => map.get(key).map(|v| EvalResult::from(v.clone())),
5231            ast::Context::RestrictedResidual(_) => None,
5232        }
5233    }
5234
5235    /// Create a `Context` from a string containing JSON (which must be a JSON
5236    /// object, not any other JSON type, or you will get an error here).
5237    /// JSON here must use the `__entity` and `__extn` escapes for entity
5238    /// references, extension values, etc.
5239    ///
5240    /// If a `schema` is provided, this will inform the parsing: for instance, it
5241    /// will allow `__entity` and `__extn` escapes to be implicit, and it will error
5242    /// if attributes have the wrong types (e.g., string instead of integer).
5243    /// Since different Actions have different schemas for `Context`, you also
5244    /// must specify the `Action` for schema-based parsing.
5245    /// ```
5246    /// # use cedar_policy::{Context, EntityUid, RestrictedExpression, Request};
5247    /// # use std::str::FromStr;
5248    /// let json_data = r#"{
5249    ///     "sub": "1234",
5250    ///     "groups": {
5251    ///         "1234": {
5252    ///             "group_id": "abcd",
5253    ///             "group_name": "test-group"
5254    ///         }
5255    ///     }
5256    /// }"#;
5257    /// let context = Context::from_json_str(json_data, None).unwrap();
5258    /// # // create a request
5259    /// # let p = EntityUid::from_str(r#"User::"alice""#).unwrap();
5260    /// # let a = EntityUid::from_str(r#"Action::"view""#).unwrap();
5261    /// # let r = EntityUid::from_str(r#"Album::"trip""#).unwrap();
5262    /// # let request: Request = Request::new(p, a, r, context, None).unwrap();
5263    /// ```
5264    pub fn from_json_str(
5265        json: &str,
5266        schema: Option<(&Schema, &EntityUid)>,
5267    ) -> Result<Self, ContextJsonError> {
5268        let schema = schema
5269            .map(|(s, uid)| Self::get_context_schema(s, uid))
5270            .transpose()?;
5271        let context = cedar_policy_core::entities::ContextJsonParser::new(
5272            schema.as_ref(),
5273            Extensions::all_available(),
5274        )
5275        .from_json_str(json)?;
5276        Ok(Self(context))
5277    }
5278
5279    /// Create a `Context` from a `serde_json::Value` (which must be a JSON object,
5280    /// not any other JSON type, or you will get an error here).
5281    /// JSON here must use the `__entity` and `__extn` escapes for entity
5282    /// references, extension values, etc.
5283    ///
5284    /// If a `schema` is provided, this will inform the parsing: for instance, it
5285    /// will allow `__entity` and `__extn` escapes to be implicit, and it will error
5286    /// if attributes have the wrong types (e.g., string instead of integer).
5287    /// Since different Actions have different schemas for `Context`, you also
5288    /// must specify the `Action` for schema-based parsing.
5289    /// ```
5290    /// # use cedar_policy::{Context, EntityUid, EntityId, EntityTypeName, RestrictedExpression, Request, Schema};
5291    /// # use std::str::FromStr;
5292    /// let schema_json = serde_json::json!(
5293    ///     {
5294    ///       "": {
5295    ///         "entityTypes": {
5296    ///           "User": {},
5297    ///           "Album": {},
5298    ///         },
5299    ///         "actions": {
5300    ///           "view": {
5301    ///              "appliesTo": {
5302    ///                "principalTypes": ["User"],
5303    ///                "resourceTypes": ["Album"],
5304    ///                "context": {
5305    ///                  "type": "Record",
5306    ///                  "attributes": {
5307    ///                    "sub": { "type": "Long" }
5308    ///                  }
5309    ///                }
5310    ///              }
5311    ///           }
5312    ///         }
5313    ///       }
5314    ///     });
5315    /// let schema = Schema::from_json_value(schema_json).unwrap();
5316    ///
5317    /// let a_eid = EntityId::from_str("view").unwrap();
5318    /// let a_name: EntityTypeName = EntityTypeName::from_str("Action").unwrap();
5319    /// let action = EntityUid::from_type_name_and_id(a_name, a_eid);
5320    /// let data = serde_json::json!({
5321    ///     "sub": 1234
5322    /// });
5323    /// let context = Context::from_json_value(data, Some((&schema, &action))).unwrap();
5324    /// # let p = EntityUid::from_str(r#"User::"alice""#).unwrap();
5325    /// # let r = EntityUid::from_str(r#"Album::"trip""#).unwrap();
5326    /// # let request: Request = Request::new(p, action, r, context, Some(&schema)).unwrap();
5327    /// ```
5328    pub fn from_json_value(
5329        json: serde_json::Value,
5330        schema: Option<(&Schema, &EntityUid)>,
5331    ) -> Result<Self, ContextJsonError> {
5332        let schema = schema
5333            .map(|(s, uid)| Self::get_context_schema(s, uid))
5334            .transpose()?;
5335        let context = cedar_policy_core::entities::ContextJsonParser::new(
5336            schema.as_ref(),
5337            Extensions::all_available(),
5338        )
5339        .from_json_value(json)?;
5340        Ok(Self(context))
5341    }
5342
5343    /// Create a `Context` from a JSON file.  The JSON file must contain a JSON
5344    /// object, not any other JSON type, or you will get an error here.
5345    /// JSON here must use the `__entity` and `__extn` escapes for entity
5346    /// references, extension values, etc.
5347    ///
5348    /// If a `schema` is provided, this will inform the parsing: for instance, it
5349    /// will allow `__entity` and `__extn` escapes to be implicit, and it will error
5350    /// if attributes have the wrong types (e.g., string instead of integer).
5351    /// Since different Actions have different schemas for `Context`, you also
5352    /// must specify the `Action` for schema-based parsing.
5353    /// ```no_run
5354    /// # use cedar_policy::{Context, RestrictedExpression};
5355    /// # use cedar_policy::{Entities, EntityId, EntityTypeName, EntityUid, Request,PolicySet};
5356    /// # use std::collections::HashMap;
5357    /// # use std::str::FromStr;
5358    /// # use std::fs::File;
5359    /// let mut json = File::open("json_file.json").unwrap();
5360    /// let context = Context::from_json_file(&json, None).unwrap();
5361    /// # // create a request
5362    /// # let p_eid = EntityId::from_str("alice").unwrap();
5363    /// # let p_name: EntityTypeName = EntityTypeName::from_str("User").unwrap();
5364    /// # let p = EntityUid::from_type_name_and_id(p_name, p_eid);
5365    /// #
5366    /// # let a_eid = EntityId::from_str("view").unwrap();
5367    /// # let a_name: EntityTypeName = EntityTypeName::from_str("Action").unwrap();
5368    /// # let a = EntityUid::from_type_name_and_id(a_name, a_eid);
5369    /// # let r_eid = EntityId::from_str("trip").unwrap();
5370    /// # let r_name: EntityTypeName = EntityTypeName::from_str("Album").unwrap();
5371    /// # let r = EntityUid::from_type_name_and_id(r_name, r_eid);
5372    /// # let request: Request = Request::new(p, a, r, context, None).unwrap();
5373    /// ```
5374    pub fn from_json_file(
5375        json: impl std::io::Read,
5376        schema: Option<(&Schema, &EntityUid)>,
5377    ) -> Result<Self, ContextJsonError> {
5378        let schema = schema
5379            .map(|(s, uid)| Self::get_context_schema(s, uid))
5380            .transpose()?;
5381        let context = cedar_policy_core::entities::ContextJsonParser::new(
5382            schema.as_ref(),
5383            Extensions::all_available(),
5384        )
5385        .from_json_file(json)?;
5386        Ok(Self(context))
5387    }
5388
5389    /// Convert this `Context` into a JSON value
5390    pub fn to_json_value(
5391        &self,
5392    ) -> Result<serde_json::Value, entities_json_errors::JsonSerializationError> {
5393        self.0.to_json_value()
5394    }
5395
5396    /// Internal helper function to convert `(&Schema, &EntityUid)` to `impl ContextSchema`
5397    fn get_context_schema(
5398        schema: &Schema,
5399        action: &EntityUid,
5400    ) -> Result<impl ContextSchema, ContextJsonError> {
5401        cedar_policy_core::validator::context_schema_for_action(&schema.0, action.as_ref())
5402            .ok_or_else(|| ContextJsonError::missing_action(action.clone()))
5403    }
5404
5405    /// Merge this [`Context`] with another context (or iterator over
5406    /// `(String, RestrictedExpression)` pairs), returning an error if the two
5407    /// contain overlapping keys
5408    pub fn merge(
5409        self,
5410        other_context: impl IntoIterator<Item = (String, RestrictedExpression)>,
5411    ) -> Result<Self, ContextCreationError> {
5412        Self::from_pairs(self.into_iter().chain(other_context))
5413    }
5414
5415    /// Validates this context against the provided schema
5416    ///
5417    /// Returns Ok(()) if the context is valid according to the schema, or an error otherwise
5418    ///
5419    /// This validation is already handled by `Request::new`, so there is no need to separately call
5420    /// if you are validating the whole request
5421    pub fn validate(
5422        &self,
5423        schema: &crate::Schema,
5424        action: &EntityUid,
5425    ) -> std::result::Result<(), RequestValidationError> {
5426        // Call the validate_context function from coreschema.rs
5427        Ok(RequestSchema::validate_context(
5428            &schema.0,
5429            &self.0,
5430            action.as_ref(),
5431            Extensions::all_available(),
5432        )?)
5433    }
5434}
5435
5436/// Utilities for implementing `IntoIterator` for `Context`
5437mod context {
5438    use super::{ast, RestrictedExpression};
5439
5440    /// `IntoIter` iterator for `Context`
5441    #[derive(Debug)]
5442    pub struct IntoIter {
5443        pub(super) inner: <ast::Context as IntoIterator>::IntoIter,
5444    }
5445
5446    impl Iterator for IntoIter {
5447        type Item = (String, RestrictedExpression);
5448
5449        fn next(&mut self) -> Option<Self::Item> {
5450            self.inner
5451                .next()
5452                .map(|(k, v)| (k.to_string(), RestrictedExpression(v)))
5453        }
5454    }
5455}
5456
5457impl IntoIterator for Context {
5458    type Item = (String, RestrictedExpression);
5459
5460    type IntoIter = context::IntoIter;
5461
5462    fn into_iter(self) -> Self::IntoIter {
5463        Self::IntoIter {
5464            inner: self.0.into_iter(),
5465        }
5466    }
5467}
5468
5469#[doc(hidden)]
5470impl From<ast::Context> for Context {
5471    fn from(c: ast::Context) -> Self {
5472        Self(c)
5473    }
5474}
5475
5476impl std::fmt::Display for Request {
5477    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
5478        write!(f, "{}", self.0)
5479    }
5480}
5481
5482impl std::fmt::Display for Context {
5483    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
5484        write!(f, "{}", self.0)
5485    }
5486}
5487
5488/// Result of Evaluation
5489#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
5490pub enum EvalResult {
5491    /// Boolean value
5492    Bool(bool),
5493    /// Signed integer value
5494    Long(ast::Integer),
5495    /// String value
5496    String(String),
5497    /// Entity Uid
5498    EntityUid(EntityUid),
5499    /// A first-class set
5500    Set(Set),
5501    /// A first-class anonymous record
5502    Record(Record),
5503    /// An extension value, currently limited to String results
5504    ExtensionValue(String),
5505    // ExtensionValue(std::sync::Arc<dyn InternalExtensionValue>),
5506}
5507
5508/// Sets of Cedar values
5509#[derive(Debug, Clone, Eq, PartialEq, PartialOrd, Ord)]
5510pub struct Set(BTreeSet<EvalResult>);
5511
5512impl Set {
5513    /// Iterate over the members of the set
5514    pub fn iter(&self) -> impl Iterator<Item = &EvalResult> {
5515        self.0.iter()
5516    }
5517
5518    /// Is a given element in the set
5519    pub fn contains(&self, elem: &EvalResult) -> bool {
5520        self.0.contains(elem)
5521    }
5522
5523    /// Get the number of members of the set
5524    pub fn len(&self) -> usize {
5525        self.0.len()
5526    }
5527
5528    /// Test if the set is empty
5529    pub fn is_empty(&self) -> bool {
5530        self.0.is_empty()
5531    }
5532}
5533
5534/// A record of Cedar values
5535#[derive(Debug, Clone, Eq, PartialEq, PartialOrd, Ord)]
5536pub struct Record(BTreeMap<String, EvalResult>);
5537
5538impl Record {
5539    /// Iterate over the attribute/value pairs in the record
5540    pub fn iter(&self) -> impl Iterator<Item = (&String, &EvalResult)> {
5541        self.0.iter()
5542    }
5543
5544    /// Check if a given attribute is in the record
5545    pub fn contains_attribute(&self, key: impl AsRef<str>) -> bool {
5546        self.0.contains_key(key.as_ref())
5547    }
5548
5549    /// Get a given attribute from the record
5550    pub fn get(&self, key: impl AsRef<str>) -> Option<&EvalResult> {
5551        self.0.get(key.as_ref())
5552    }
5553
5554    /// Get the number of attributes in the record
5555    pub fn len(&self) -> usize {
5556        self.0.len()
5557    }
5558
5559    /// Test if the record is empty
5560    pub fn is_empty(&self) -> bool {
5561        self.0.is_empty()
5562    }
5563}
5564
5565#[doc(hidden)]
5566impl From<ast::Value> for EvalResult {
5567    fn from(v: ast::Value) -> Self {
5568        match v.value {
5569            ast::ValueKind::Lit(ast::Literal::Bool(b)) => Self::Bool(b),
5570            ast::ValueKind::Lit(ast::Literal::Long(i)) => Self::Long(i),
5571            ast::ValueKind::Lit(ast::Literal::String(s)) => Self::String(s.to_string()),
5572            ast::ValueKind::Lit(ast::Literal::EntityUID(e)) => {
5573                Self::EntityUid(ast::EntityUID::clone(&e).into())
5574            }
5575            ast::ValueKind::Set(set) => Self::Set(Set(set
5576                .authoritative
5577                .iter()
5578                .map(|v| v.clone().into())
5579                .collect())),
5580            ast::ValueKind::Record(record) => Self::Record(Record(
5581                record
5582                    .iter()
5583                    .map(|(k, v)| (k.to_string(), v.clone().into()))
5584                    .collect(),
5585            )),
5586            ast::ValueKind::ExtensionValue(ev) => {
5587                Self::ExtensionValue(RestrictedExpr::from(ev.as_ref().clone()).to_string())
5588            }
5589        }
5590    }
5591}
5592
5593#[doc(hidden)]
5594#[expect(
5595    clippy::fallible_impl_from,
5596    reason = "see the panic safety comments below"
5597)]
5598impl From<EvalResult> for Expression {
5599    fn from(res: EvalResult) -> Self {
5600        match res {
5601            EvalResult::Bool(b) => Self::new_bool(b),
5602            EvalResult::Long(l) => Self::new_long(l),
5603            EvalResult::String(s) => Self::new_string(s),
5604            EvalResult::EntityUid(eid) => {
5605                Self::from(ast::Expr::from(ast::Value::from(ast::EntityUID::from(eid))))
5606            }
5607            EvalResult::Set(set) => Self::new_set(set.iter().cloned().map(Self::from)),
5608            EvalResult::Record(r) =>
5609            {
5610                #[expect(
5611                    clippy::unwrap_used,
5612                    reason = "record originates from EvalResult so should not panic when reconstructing as an Expression"
5613                )]
5614                Self::new_record(r.iter().map(|(k, v)| (k.clone(), Self::from(v.clone())))).unwrap()
5615            }
5616            EvalResult::ExtensionValue(s) => {
5617                #[expect(
5618                    clippy::unwrap_used,
5619                    reason = "the string s is constructed using RestrictedExpr::to_string() so should not panic when being parsed back into a RestrictedExpr"
5620                )]
5621                let expr: ast::Expr = ast::RestrictedExpr::from_str(&s).unwrap().into();
5622                Self::from(expr)
5623            }
5624        }
5625    }
5626}
5627
5628impl std::fmt::Display for EvalResult {
5629    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
5630        match self {
5631            Self::Bool(b) => write!(f, "{b}"),
5632            Self::Long(l) => write!(f, "{l}"),
5633            Self::String(s) => write!(f, "\"{}\"", s.escape_debug()),
5634            Self::EntityUid(uid) => write!(f, "{uid}"),
5635            Self::Set(s) => {
5636                write!(f, "[")?;
5637                for (i, ev) in s.iter().enumerate() {
5638                    write!(f, "{ev}")?;
5639                    if (i + 1) < s.len() {
5640                        write!(f, ", ")?;
5641                    }
5642                }
5643                write!(f, "]")?;
5644                Ok(())
5645            }
5646            Self::Record(r) => {
5647                write!(f, "{{")?;
5648                for (i, (k, v)) in r.iter().enumerate() {
5649                    write!(f, "\"{}\": {v}", k.escape_debug())?;
5650                    if (i + 1) < r.len() {
5651                        write!(f, ", ")?;
5652                    }
5653                }
5654                write!(f, "}}")?;
5655                Ok(())
5656            }
5657            Self::ExtensionValue(s) => write!(f, "{s}"),
5658        }
5659    }
5660}
5661
5662/// Evaluates an expression.
5663///
5664/// If evaluation results in an error (e.g., attempting to access a non-existent Entity or Record,
5665/// passing the wrong number of arguments to a function etc.), that error is returned as a String
5666pub fn eval_expression(
5667    request: &Request,
5668    entities: &Entities,
5669    expr: &Expression,
5670) -> Result<EvalResult, EvaluationError> {
5671    let all_ext = Extensions::all_available();
5672    let eval = Evaluator::new(request.0.clone(), &entities.0, all_ext);
5673    Ok(EvalResult::from(
5674        // Evaluate under the empty slot map, as an expression should not have slots
5675        eval.interpret(&expr.0, &ast::SlotEnv::new())?,
5676    ))
5677}
5678
5679// These are the same tests in validator, just ensuring all the plumbing is done correctly
5680#[cfg(test)]
5681mod test_access {
5682    use cedar_policy_core::ast;
5683
5684    use super::*;
5685
5686    fn schema() -> Schema {
5687        let src = r#"
5688        type Task = {
5689    "id": Long,
5690    "name": String,
5691    "state": String,
5692};
5693
5694type T = String;
5695
5696type Tasks = Set<Task>;
5697entity List in [Application] = {
5698  "editors": Team,
5699  "name": String,
5700  "owner": User,
5701  "readers": Team,
5702  "tasks": Tasks,
5703};
5704entity Application;
5705entity User in [Team, Application] = {
5706  "joblevel": Long,
5707  "location": String,
5708};
5709
5710entity CoolList;
5711
5712entity Team in [Team, Application];
5713
5714action Read, Write, Create;
5715
5716action DeleteList, EditShare, UpdateList, CreateTask, UpdateTask, DeleteTask in Write appliesTo {
5717    principal: [User],
5718    resource : [List]
5719};
5720
5721action GetList in Read appliesTo {
5722    principal : [User],
5723    resource : [List, CoolList]
5724};
5725
5726action GetLists in Read appliesTo {
5727    principal : [User],
5728    resource : [Application]
5729};
5730
5731action CreateList in Create appliesTo {
5732    principal : [User],
5733    resource : [Application]
5734};
5735
5736        "#;
5737
5738        src.parse().unwrap()
5739    }
5740
5741    #[test]
5742    fn principals() {
5743        let schema = schema();
5744        let principals = schema.principals().collect::<HashSet<_>>();
5745        assert_eq!(principals.len(), 1);
5746        let user: EntityTypeName = "User".parse().unwrap();
5747        assert!(principals.contains(&user));
5748        let principals = schema.principals().collect::<Vec<_>>();
5749        assert!(principals.len() > 1);
5750        assert!(principals.iter().all(|ety| **ety == user));
5751        assert!(principals.iter().all(|ety| ety.0.loc().is_some()));
5752
5753        let et = ast::EntityType::EntityType(ast::Name::from_normalized_str("User").unwrap());
5754        let et = schema.0.get_entity_type(&et).unwrap();
5755        assert!(et.loc.is_some());
5756    }
5757
5758    #[cfg(feature = "extended-schema")]
5759    #[test]
5760    fn common_types_extended() {
5761        use cool_asserts::assert_matches;
5762
5763        use cedar_policy_core::validator::{types::Type, LocatedCommonType};
5764
5765        let schema = schema();
5766        assert_eq!(schema.0.common_types().collect::<HashSet<_>>().len(), 3);
5767        let task_type = LocatedCommonType {
5768            name: "Task".into(),
5769            name_loc: None,
5770            type_loc: None,
5771        };
5772        assert!(schema.0.common_types().contains(&task_type));
5773
5774        let tasks_type = LocatedCommonType {
5775            name: "Tasks".into(),
5776            name_loc: None,
5777            type_loc: None,
5778        };
5779        assert!(schema.0.common_types().contains(&tasks_type));
5780        assert!(schema.0.common_types().all(|ct| ct.name_loc.is_some()));
5781        assert!(schema.0.common_types().all(|ct| ct.type_loc.is_some()));
5782
5783        let tasks_type = LocatedCommonType {
5784            name: "T".into(),
5785            name_loc: None,
5786            type_loc: None,
5787        };
5788        assert!(schema.0.common_types().contains(&tasks_type));
5789
5790        let et = ast::EntityType::EntityType(ast::Name::from_normalized_str("List").unwrap());
5791        let et = schema.0.get_entity_type(&et).unwrap();
5792        let attrs = et.attributes();
5793
5794        // Assert that attributes that are resolved from common types still get source locations
5795        let t = attrs.get_attr("tasks").unwrap();
5796        assert!(t.loc.is_some());
5797        assert_matches!(t.attr_type.as_ref(), cedar_policy_core::validator::types::Type::Set { ref element_type } => {
5798            let el = element_type.as_ref().unwrap();
5799            assert_matches!(el.as_ref(), Type::Record{ attrs, .. } => {
5800                assert!(attrs.get_attr("name").unwrap().loc.is_some());
5801                assert!(attrs.get_attr("id").unwrap().loc.is_some());
5802                assert!(attrs.get_attr("state").unwrap().loc.is_some());
5803            });
5804        });
5805    }
5806
5807    #[cfg(feature = "extended-schema")]
5808    #[test]
5809    fn namespace_extended() {
5810        let schema = schema();
5811        assert_eq!(schema.0.namespaces().collect::<HashSet<_>>().len(), 1);
5812        let default_namespace = schema.0.namespaces().last().unwrap();
5813        assert_eq!(default_namespace.name, SmolStr::from("__cedar"));
5814        assert!(default_namespace.name_loc.is_none());
5815        assert!(default_namespace.def_loc.is_none());
5816    }
5817
5818    #[test]
5819    fn empty_schema_principals_and_resources() {
5820        let empty: Schema = "".parse().unwrap();
5821        assert!(empty.principals().next().is_none());
5822        assert!(empty.resources().next().is_none());
5823    }
5824
5825    #[test]
5826    fn resources() {
5827        let schema = schema();
5828        let resources = schema.resources().cloned().collect::<HashSet<_>>();
5829        let expected: HashSet<EntityTypeName> = HashSet::from([
5830            "List".parse().unwrap(),
5831            "Application".parse().unwrap(),
5832            "CoolList".parse().unwrap(),
5833        ]);
5834        assert_eq!(resources, expected);
5835        assert!(resources.iter().all(|ety| ety.0.loc().is_some()));
5836    }
5837
5838    #[test]
5839    fn principals_for_action() {
5840        let schema = schema();
5841        let delete_list: EntityUid = r#"Action::"DeleteList""#.parse().unwrap();
5842        let delete_user: EntityUid = r#"Action::"DeleteUser""#.parse().unwrap();
5843        let got = schema
5844            .principals_for_action(&delete_list)
5845            .unwrap()
5846            .cloned()
5847            .collect::<Vec<_>>();
5848        assert_eq!(got, vec!["User".parse().unwrap()]);
5849        assert!(got.iter().all(|ety| ety.0.loc().is_some()));
5850        assert!(schema.principals_for_action(&delete_user).is_none());
5851    }
5852
5853    #[test]
5854    fn resources_for_action() {
5855        let schema = schema();
5856        let delete_list: EntityUid = r#"Action::"DeleteList""#.parse().unwrap();
5857        let delete_user: EntityUid = r#"Action::"DeleteUser""#.parse().unwrap();
5858        let create_list: EntityUid = r#"Action::"CreateList""#.parse().unwrap();
5859        let get_list: EntityUid = r#"Action::"GetList""#.parse().unwrap();
5860        let got = schema
5861            .resources_for_action(&delete_list)
5862            .unwrap()
5863            .cloned()
5864            .collect::<Vec<_>>();
5865        assert_eq!(got, vec!["List".parse().unwrap()]);
5866        assert!(got.iter().all(|ety| ety.0.loc().is_some()));
5867        let got = schema
5868            .resources_for_action(&create_list)
5869            .unwrap()
5870            .cloned()
5871            .collect::<Vec<_>>();
5872        assert_eq!(got, vec!["Application".parse().unwrap()]);
5873        assert!(got.iter().all(|ety| ety.0.loc().is_some()));
5874        let got = schema
5875            .resources_for_action(&get_list)
5876            .unwrap()
5877            .cloned()
5878            .collect::<HashSet<_>>();
5879        assert_eq!(
5880            got,
5881            HashSet::from(["List".parse().unwrap(), "CoolList".parse().unwrap()])
5882        );
5883        assert!(got.iter().all(|ety| ety.0.loc().is_some()));
5884        assert!(schema.principals_for_action(&delete_user).is_none());
5885    }
5886
5887    #[test]
5888    fn principal_parents() {
5889        let schema = schema();
5890        let user: EntityTypeName = "User".parse().unwrap();
5891        let parents = schema
5892            .ancestors(&user)
5893            .unwrap()
5894            .cloned()
5895            .collect::<HashSet<_>>();
5896        assert!(parents.iter().all(|ety| ety.0.loc().is_some()));
5897        let expected = HashSet::from(["Team".parse().unwrap(), "Application".parse().unwrap()]);
5898        assert_eq!(parents, expected);
5899        let parents = schema
5900            .ancestors(&"List".parse().unwrap())
5901            .unwrap()
5902            .cloned()
5903            .collect::<HashSet<_>>();
5904        assert!(parents.iter().all(|ety| ety.0.loc().is_some()));
5905        let expected = HashSet::from(["Application".parse().unwrap()]);
5906        assert_eq!(parents, expected);
5907        assert!(schema.ancestors(&"Foo".parse().unwrap()).is_none());
5908        let parents = schema
5909            .ancestors(&"CoolList".parse().unwrap())
5910            .unwrap()
5911            .cloned()
5912            .collect::<HashSet<_>>();
5913        assert!(parents.iter().all(|ety| ety.0.loc().is_some()));
5914        let expected = HashSet::from([]);
5915        assert_eq!(parents, expected);
5916    }
5917
5918    #[test]
5919    fn action_groups() {
5920        let schema = schema();
5921        let groups = schema.action_groups().cloned().collect::<HashSet<_>>();
5922        let expected = ["Read", "Write", "Create"]
5923            .into_iter()
5924            .map(|ty| format!("Action::\"{ty}\"").parse().unwrap())
5925            .collect::<HashSet<EntityUid>>();
5926        #[cfg(feature = "extended-schema")]
5927        assert!(groups.iter().all(|ety| ety.0.loc().is_some()));
5928        assert_eq!(groups, expected);
5929    }
5930
5931    #[test]
5932    fn actions() {
5933        let schema = schema();
5934        let actions = schema.actions().cloned().collect::<HashSet<_>>();
5935        let expected = [
5936            "Read",
5937            "Write",
5938            "Create",
5939            "DeleteList",
5940            "EditShare",
5941            "UpdateList",
5942            "CreateTask",
5943            "UpdateTask",
5944            "DeleteTask",
5945            "GetList",
5946            "GetLists",
5947            "CreateList",
5948        ]
5949        .into_iter()
5950        .map(|ty| format!("Action::\"{ty}\"").parse().unwrap())
5951        .collect::<HashSet<EntityUid>>();
5952        assert_eq!(actions, expected);
5953        #[cfg(feature = "extended-schema")]
5954        assert!(actions.iter().all(|ety| ety.0.loc().is_some()));
5955    }
5956
5957    #[test]
5958    fn actions_for_principal_and_resource() {
5959        let schema = schema();
5960        let pty: EntityTypeName = "User".parse().unwrap();
5961        let rty: EntityTypeName = "Application".parse().unwrap();
5962        let actions = schema
5963            .actions_for_principal_and_resource(&pty, &rty)
5964            .cloned()
5965            .collect::<HashSet<EntityUid>>();
5966        let expected = ["GetLists", "CreateList"]
5967            .into_iter()
5968            .map(|ty| format!("Action::\"{ty}\"").parse().unwrap())
5969            .collect::<HashSet<EntityUid>>();
5970        assert_eq!(actions, expected);
5971    }
5972
5973    #[test]
5974    fn entities() {
5975        let schema = schema();
5976        let entities = schema.entity_types().cloned().collect::<HashSet<_>>();
5977        let expected = ["List", "Application", "User", "CoolList", "Team"]
5978            .into_iter()
5979            .map(|ty| ty.parse().unwrap())
5980            .collect::<HashSet<EntityTypeName>>();
5981        assert_eq!(entities, expected);
5982    }
5983}
5984
5985#[cfg(test)]
5986mod test_access_namespace {
5987    use super::*;
5988
5989    fn schema() -> Schema {
5990        let src = r#"
5991        namespace Foo {
5992        type Task = {
5993    "id": Long,
5994    "name": String,
5995    "state": String,
5996};
5997
5998type Tasks = Set<Task>;
5999entity List in [Application] = {
6000  "editors": Team,
6001  "name": String,
6002  "owner": User,
6003  "readers": Team,
6004  "tasks": Tasks,
6005};
6006entity Application;
6007entity User in [Team, Application] = {
6008  "joblevel": Long,
6009  "location": String,
6010};
6011
6012entity CoolList;
6013
6014entity Team in [Team, Application];
6015
6016action Read, Write, Create;
6017
6018action DeleteList, EditShare, UpdateList, CreateTask, UpdateTask, DeleteTask in Write appliesTo {
6019    principal: [User],
6020    resource : [List]
6021};
6022
6023action GetList in Read appliesTo {
6024    principal : [User],
6025    resource : [List, CoolList]
6026};
6027
6028action GetLists in Read appliesTo {
6029    principal : [User],
6030    resource : [Application]
6031};
6032
6033action CreateList in Create appliesTo {
6034    principal : [User],
6035    resource : [Application]
6036};
6037    }
6038
6039        "#;
6040
6041        src.parse().unwrap()
6042    }
6043
6044    #[test]
6045    fn principals() {
6046        let schema = schema();
6047        let principals = schema.principals().collect::<HashSet<_>>();
6048        assert_eq!(principals.len(), 1);
6049        let user: EntityTypeName = "Foo::User".parse().unwrap();
6050        assert!(principals.contains(&user));
6051        let principals = schema.principals().collect::<Vec<_>>();
6052        assert!(principals.len() > 1);
6053        assert!(principals.iter().all(|ety| **ety == user));
6054        assert!(principals.iter().all(|ety| ety.0.loc().is_some()));
6055    }
6056
6057    #[test]
6058    fn empty_schema_principals_and_resources() {
6059        let empty: Schema = "".parse().unwrap();
6060        assert!(empty.principals().next().is_none());
6061        assert!(empty.resources().next().is_none());
6062    }
6063
6064    #[test]
6065    fn resources() {
6066        let schema = schema();
6067        let resources = schema.resources().cloned().collect::<HashSet<_>>();
6068        let expected: HashSet<EntityTypeName> = HashSet::from([
6069            "Foo::List".parse().unwrap(),
6070            "Foo::Application".parse().unwrap(),
6071            "Foo::CoolList".parse().unwrap(),
6072        ]);
6073        assert_eq!(resources, expected);
6074        assert!(resources.iter().all(|ety| ety.0.loc().is_some()));
6075    }
6076
6077    #[test]
6078    fn principals_for_action() {
6079        let schema = schema();
6080        let delete_list: EntityUid = r#"Foo::Action::"DeleteList""#.parse().unwrap();
6081        let delete_user: EntityUid = r#"Foo::Action::"DeleteUser""#.parse().unwrap();
6082        let got = schema
6083            .principals_for_action(&delete_list)
6084            .unwrap()
6085            .cloned()
6086            .collect::<Vec<_>>();
6087        assert_eq!(got, vec!["Foo::User".parse().unwrap()]);
6088        assert!(schema.principals_for_action(&delete_user).is_none());
6089    }
6090
6091    #[test]
6092    fn resources_for_action() {
6093        let schema = schema();
6094        let delete_list: EntityUid = r#"Foo::Action::"DeleteList""#.parse().unwrap();
6095        let delete_user: EntityUid = r#"Foo::Action::"DeleteUser""#.parse().unwrap();
6096        let create_list: EntityUid = r#"Foo::Action::"CreateList""#.parse().unwrap();
6097        let get_list: EntityUid = r#"Foo::Action::"GetList""#.parse().unwrap();
6098        let got = schema
6099            .resources_for_action(&delete_list)
6100            .unwrap()
6101            .cloned()
6102            .collect::<Vec<_>>();
6103        assert!(got.iter().all(|ety| ety.0.loc().is_some()));
6104
6105        assert_eq!(got, vec!["Foo::List".parse().unwrap()]);
6106        let got = schema
6107            .resources_for_action(&create_list)
6108            .unwrap()
6109            .cloned()
6110            .collect::<Vec<_>>();
6111        assert_eq!(got, vec!["Foo::Application".parse().unwrap()]);
6112        assert!(got.iter().all(|ety| ety.0.loc().is_some()));
6113
6114        let got = schema
6115            .resources_for_action(&get_list)
6116            .unwrap()
6117            .cloned()
6118            .collect::<HashSet<_>>();
6119        assert_eq!(
6120            got,
6121            HashSet::from([
6122                "Foo::List".parse().unwrap(),
6123                "Foo::CoolList".parse().unwrap()
6124            ])
6125        );
6126        assert!(schema.principals_for_action(&delete_user).is_none());
6127    }
6128
6129    #[test]
6130    fn principal_parents() {
6131        let schema = schema();
6132        let user: EntityTypeName = "Foo::User".parse().unwrap();
6133        let parents = schema
6134            .ancestors(&user)
6135            .unwrap()
6136            .cloned()
6137            .collect::<HashSet<_>>();
6138        let expected = HashSet::from([
6139            "Foo::Team".parse().unwrap(),
6140            "Foo::Application".parse().unwrap(),
6141        ]);
6142        assert_eq!(parents, expected);
6143        let parents = schema
6144            .ancestors(&"Foo::List".parse().unwrap())
6145            .unwrap()
6146            .cloned()
6147            .collect::<HashSet<_>>();
6148        let expected = HashSet::from(["Foo::Application".parse().unwrap()]);
6149        assert_eq!(parents, expected);
6150        assert!(schema.ancestors(&"Foo::Foo".parse().unwrap()).is_none());
6151        let parents = schema
6152            .ancestors(&"Foo::CoolList".parse().unwrap())
6153            .unwrap()
6154            .cloned()
6155            .collect::<HashSet<_>>();
6156        let expected = HashSet::from([]);
6157        assert_eq!(parents, expected);
6158    }
6159
6160    #[test]
6161    fn action_groups() {
6162        let schema = schema();
6163        let groups = schema.action_groups().cloned().collect::<HashSet<_>>();
6164        let expected = ["Read", "Write", "Create"]
6165            .into_iter()
6166            .map(|ty| format!("Foo::Action::\"{ty}\"").parse().unwrap())
6167            .collect::<HashSet<EntityUid>>();
6168        assert_eq!(groups, expected);
6169    }
6170
6171    #[test]
6172    fn actions() {
6173        let schema = schema();
6174        let actions = schema.actions().cloned().collect::<HashSet<_>>();
6175        let expected = [
6176            "Read",
6177            "Write",
6178            "Create",
6179            "DeleteList",
6180            "EditShare",
6181            "UpdateList",
6182            "CreateTask",
6183            "UpdateTask",
6184            "DeleteTask",
6185            "GetList",
6186            "GetLists",
6187            "CreateList",
6188        ]
6189        .into_iter()
6190        .map(|ty| format!("Foo::Action::\"{ty}\"").parse().unwrap())
6191        .collect::<HashSet<EntityUid>>();
6192        assert_eq!(actions, expected);
6193    }
6194
6195    #[test]
6196    fn entities() {
6197        let schema = schema();
6198        let entities = schema.entity_types().cloned().collect::<HashSet<_>>();
6199        let expected = [
6200            "Foo::List",
6201            "Foo::Application",
6202            "Foo::User",
6203            "Foo::CoolList",
6204            "Foo::Team",
6205        ]
6206        .into_iter()
6207        .map(|ty| ty.parse().unwrap())
6208        .collect::<HashSet<EntityTypeName>>();
6209        assert_eq!(entities, expected);
6210    }
6211
6212    #[test]
6213    fn test_request_context() {
6214        // Create a context with some test data
6215        let context =
6216            Context::from_json_str(r#"{"testKey": "testValue", "numKey": 42}"#, None).unwrap();
6217
6218        // Create entity UIDs for the request
6219        let principal: EntityUid = "User::\"alice\"".parse().unwrap();
6220        let action: EntityUid = "Action::\"view\"".parse().unwrap();
6221        let resource: EntityUid = "Resource::\"doc123\"".parse().unwrap();
6222
6223        // Create the request
6224        let request = Request::new(
6225            principal, action, resource, context, None, // no schema validation for this test
6226        )
6227        .unwrap();
6228
6229        // Test context() method
6230        let retrieved_context = request.context().expect("Context should be present");
6231
6232        // Test get() method on the retrieved context
6233        assert!(retrieved_context.get("testKey").is_some());
6234        assert!(retrieved_context.get("numKey").is_some());
6235        assert!(retrieved_context.get("nonexistent").is_none());
6236    }
6237
6238    #[cfg(feature = "extended-schema")]
6239    #[test]
6240    fn namespace_extended() {
6241        let schema = schema();
6242        assert_eq!(schema.0.namespaces().collect::<HashSet<_>>().len(), 2);
6243        let default_namespace = schema
6244            .0
6245            .namespaces()
6246            .filter(|n| n.name == *"__cedar")
6247            .last()
6248            .unwrap();
6249        assert!(default_namespace.name_loc.is_none());
6250        assert!(default_namespace.def_loc.is_none());
6251
6252        let default_namespace = schema
6253            .0
6254            .namespaces()
6255            .filter(|n| n.name == *"Foo")
6256            .last()
6257            .unwrap();
6258        assert!(default_namespace.name_loc.is_some());
6259        assert!(default_namespace.def_loc.is_some());
6260    }
6261}
6262
6263#[cfg(test)]
6264mod test_lossless_empty {
6265    use super::{LosslessPolicy, LosslessTemplate, Policy, PolicyId, Template};
6266    use cedar_policy_core::pst;
6267    use cool_asserts::assert_matches;
6268
6269    #[test]
6270    fn test_lossless_empty_policy() {
6271        const STATIC_POLICY_TEXT: &str = "permit(principal,action,resource);";
6272        let policy0 = Policy::parse(Some(PolicyId::new("policy0")), STATIC_POLICY_TEXT)
6273            .expect("Failed to parse");
6274        let lossy_policy0 = Policy {
6275            ast: policy0.ast.clone(),
6276            lossless: LosslessPolicy::policy_or_template_text(None::<&str>),
6277        };
6278        // The `to_cedar` representation becomes lossy since we didn't provide text
6279        assert_eq!(
6280            lossy_policy0.to_cedar(),
6281            Some(String::from(
6282                "permit(\n  principal,\n  action,\n  resource\n);"
6283            ))
6284        );
6285        // The EST representation is obtained from the AST
6286        let lossy_policy0_est = lossy_policy0
6287            .lossless
6288            .est(|| policy0.ast.clone().into())
6289            .unwrap();
6290        assert_eq!(lossy_policy0_est, policy0.ast.into());
6291    }
6292
6293    #[test]
6294    fn test_lossless_empty_template() {
6295        const TEMPLATE_TEXT: &str = "permit(principal == ?principal,action,resource);";
6296        let template0 = Template::parse(Some(PolicyId::new("template0")), TEMPLATE_TEXT)
6297            .expect("Failed to parse");
6298        let lossy_template0 = Template {
6299            ast: template0.ast.clone(),
6300            lossless: LosslessTemplate::from_text(None::<&str>),
6301        };
6302        // The `to_cedar` representation becomes lossy since we didn't provide text
6303        assert_eq!(
6304            lossy_template0.to_cedar(),
6305            String::from("permit(\n  principal == ?principal,\n  action,\n  resource\n);")
6306        );
6307        // The EST representation is obtained from the AST
6308        let lossy_template0_est = lossy_template0
6309            .lossless
6310            .est(|| template0.ast.clone().into())
6311            .unwrap();
6312        assert_eq!(lossy_template0_est, template0.ast.into());
6313    }
6314
6315    #[test]
6316    fn try_into_pst_empty_policy() {
6317        let p = Policy::parse(
6318            Some(PolicyId::new("p")),
6319            "permit(principal,action,resource);",
6320        )
6321        .expect("parse");
6322        let empty = Policy {
6323            ast: p.ast,
6324            lossless: LosslessPolicy::policy_or_template_text(None::<&str>),
6325        };
6326        assert_matches!(
6327            empty.try_into_pst().unwrap().body(),
6328            pst::Template {
6329                effect: pst::Effect::Permit,
6330                principal: pst::PrincipalConstraint::Any,
6331                resource: pst::ResourceConstraint::Any,
6332                action: pst::ActionConstraint::Any,
6333                ..
6334            },
6335        );
6336    }
6337
6338    #[test]
6339    fn try_into_pst_empty_template() {
6340        let t = Template::parse(
6341            Some(PolicyId::new("t")),
6342            "permit(principal == ?principal,action,resource);",
6343        )
6344        .expect("parse");
6345        let empty = Template {
6346            ast: t.ast,
6347            lossless: LosslessTemplate::from_text(None::<&str>),
6348        };
6349        assert_matches!(
6350            empty.try_into_pst().unwrap(),
6351            pst::Template {
6352                effect: pst::Effect::Permit,
6353                principal: pst::PrincipalConstraint::Eq(pst::EntityOrSlot::Slot(
6354                    pst::SlotId::Principal
6355                )),
6356                resource: pst::ResourceConstraint::Any,
6357                action: pst::ActionConstraint::Any,
6358                ..
6359            },
6360        );
6361    }
6362}
6363
6364/// Given a schema and policy set, compute an entity manifest.
6365///
6366/// The policies must validate against the schema in strict mode,
6367/// otherwise an error is returned.
6368/// The manifest describes the data required to answer requests
6369/// for each action.
6370#[doc = include_str!("../experimental_warning.md")]
6371#[deprecated = "The `entity-manifest` experimental feature and all associated functions are deprecated. Migrate to `PolicySet::is_authorized_batch` for efficient authorization with on-demand entity loading."]
6372#[cfg(feature = "entity-manifest")]
6373pub fn compute_entity_manifest(
6374    validator: &Validator,
6375    pset: &PolicySet,
6376) -> Result<EntityManifest, EntityManifestError> {
6377    entity_manifest::compute_entity_manifest(&validator.0, &pset.ast).map_err(Into::into)
6378}