1#![allow(
19 clippy::missing_panics_doc,
20 clippy::missing_errors_doc,
21 clippy::similar_names,
22 clippy::result_large_err, reason = "this module doesn't currently comply with these lints"
24)]
25
26mod id;
27use cedar_policy_core::pst::error_body;
28#[cfg(feature = "entity-manifest")]
29use cedar_policy_core::validator::entity_manifest;
30#[cfg(feature = "entity-manifest")]
32pub use cedar_policy_core::validator::entity_manifest::{
33 AccessTrie, EntityManifest, EntityRoot, Fields, RootAccessTrie,
34};
35use cedar_policy_core::validator::json_schema;
36use cedar_policy_core::validator::typecheck::{PolicyCheck, Typechecker};
37pub use id::*;
38
39#[cfg(feature = "deprecated-schema-compat")]
40mod deprecated_schema_compat;
41
42mod err;
43pub use err::*;
44
45#[cfg(feature = "tpe")]
46mod tpe;
47#[cfg(feature = "tpe")]
48pub use tpe::*;
49
50pub use ast::Effect;
51pub use authorizer::Decision;
52#[cfg(feature = "partial-eval")]
53use cedar_policy_core::ast::BorrowedRestrictedExpr;
54use cedar_policy_core::ast::{self, RequestSchema, RestrictedExpr};
55use cedar_policy_core::authorizer::{self};
56use cedar_policy_core::entities::{ContextSchema, Dereference};
57use cedar_policy_core::est::{self, TemplateLink};
58use cedar_policy_core::evaluator::Evaluator;
59#[cfg(feature = "partial-eval")]
60use cedar_policy_core::evaluator::RestrictedEvaluator;
61use cedar_policy_core::extensions::Extensions;
62use cedar_policy_core::parser;
63pub use cedar_policy_core::pst;
64use cedar_policy_core::FromNormalizedStr;
65use itertools::{Either, Itertools};
66use linked_hash_map::LinkedHashMap;
67use miette::Diagnostic;
68use ref_cast::RefCast;
69use serde::{Deserialize, Serialize};
70use smol_str::SmolStr;
71use std::collections::{BTreeMap, BTreeSet, HashMap, HashSet};
72use std::io::Read;
73use std::str::FromStr;
74use std::sync::Arc;
75
76#[expect(
77 clippy::unwrap_used,
78 reason = "`CARGO_PKG_VERSION` should return a valid SemVer version string"
79)]
80pub(crate) mod version {
81 use semver::Version;
82 use std::sync::LazyLock;
83
84 static SDK_VERSION: LazyLock<Version> =
86 LazyLock::new(|| env!("CARGO_PKG_VERSION").parse().unwrap());
87 static LANG_VERSION: LazyLock<Version> = LazyLock::new(|| Version::new(4, 5, 0));
90
91 pub fn get_sdk_version() -> Version {
93 SDK_VERSION.clone()
94 }
95 pub fn get_lang_version() -> Version {
97 LANG_VERSION.clone()
98 }
99}
100
101#[repr(transparent)]
103#[derive(Debug, Clone, PartialEq, Eq, RefCast, Hash)]
104pub struct Entity(pub(crate) ast::Entity);
105
106#[doc(hidden)] impl AsRef<ast::Entity> for Entity {
108 fn as_ref(&self) -> &ast::Entity {
109 &self.0
110 }
111}
112
113#[doc(hidden)]
114impl From<ast::Entity> for Entity {
115 fn from(entity: ast::Entity) -> Self {
116 Self(entity)
117 }
118}
119
120impl Entity {
121 pub fn new(
143 uid: EntityUid,
144 attrs: HashMap<String, RestrictedExpression>,
145 parents: HashSet<EntityUid>,
146 ) -> Result<Self, EntityAttrEvaluationError> {
147 Self::new_with_tags(uid, attrs, parents, [])
148 }
149
150 pub fn new_no_attrs(uid: EntityUid, parents: HashSet<EntityUid>) -> Self {
155 Self(ast::Entity::new_with_attr_partial_value(
158 uid.into(),
159 [],
160 HashSet::new(),
161 parents.into_iter().map(EntityUid::into).collect(),
162 [],
163 ))
164 }
165
166 pub fn new_with_tags(
171 uid: EntityUid,
172 attrs: impl IntoIterator<Item = (String, RestrictedExpression)>,
173 parents: impl IntoIterator<Item = EntityUid>,
174 tags: impl IntoIterator<Item = (String, RestrictedExpression)>,
175 ) -> Result<Self, EntityAttrEvaluationError> {
176 Ok(Self(ast::Entity::new(
179 uid.into(),
180 attrs.into_iter().map(|(k, v)| (k.into(), v.0)),
181 HashSet::new(),
182 parents.into_iter().map(EntityUid::into).collect(),
183 tags.into_iter().map(|(k, v)| (k.into(), v.0)),
184 Extensions::all_available(),
185 )?))
186 }
187
188 pub fn with_uid(uid: EntityUid) -> Self {
199 Self(ast::Entity::with_uid(uid.into()))
200 }
201
202 pub fn deep_eq(&self, other: &Self) -> bool {
211 self.0.deep_eq(&other.0)
212 }
213
214 pub fn uid(&self) -> EntityUid {
225 self.0.uid().clone().into()
226 }
227
228 pub fn attr(&self, attr: &str) -> Option<Result<EvalResult, PartialValueToValueError>> {
249 match ast::Value::try_from(self.0.get(attr)?.clone()) {
250 Ok(v) => Some(Ok(EvalResult::from(v))),
251 Err(e) => Some(Err(e)),
252 }
253 }
254
255 pub fn attrs(
260 &self,
261 ) -> impl Iterator<Item = (&str, Result<EvalResult, PartialValueToValueError>)> {
262 self.0.attrs().map(|(k, v)| {
263 (
264 k.as_ref(),
265 ast::Value::try_from(v.clone()).map(EvalResult::from),
266 )
267 })
268 }
269
270 pub fn tag(&self, tag: &str) -> Option<Result<EvalResult, PartialValueToValueError>> {
275 match ast::Value::try_from(self.0.get_tag(tag)?.clone()) {
276 Ok(v) => Some(Ok(EvalResult::from(v))),
277 Err(e) => Some(Err(e)),
278 }
279 }
280
281 pub fn tags(
286 &self,
287 ) -> impl Iterator<Item = (&str, Result<EvalResult, PartialValueToValueError>)> {
288 self.0.tags().map(|(k, v)| {
289 (
290 k.as_ref(),
291 ast::Value::try_from(v.clone()).map(EvalResult::from),
292 )
293 })
294 }
295
296 pub fn into_inner(
298 self,
299 ) -> (
300 EntityUid,
301 HashMap<String, RestrictedExpression>,
302 HashSet<EntityUid>,
303 ) {
304 let (uid, attrs, ancestors, mut parents, _) = self.0.into_inner();
305 parents.extend(ancestors);
306
307 let attrs = attrs
308 .into_iter()
309 .map(|(k, v)| {
310 (
311 k.to_string(),
312 match v {
313 ast::PartialValue::Value(val) => {
314 RestrictedExpression(ast::RestrictedExpr::from(val))
315 }
316 ast::PartialValue::Residual(exp) => {
317 RestrictedExpression(ast::RestrictedExpr::new_unchecked(exp))
318 }
319 },
320 )
321 })
322 .collect();
323
324 (
325 uid.into(),
326 attrs,
327 parents.into_iter().map(Into::into).collect(),
328 )
329 }
330
331 pub fn from_json_value(
334 value: serde_json::Value,
335 schema: Option<&Schema>,
336 ) -> Result<Self, EntitiesError> {
337 let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
338 let eparser = cedar_policy_core::entities::EntityJsonParser::new(
339 schema.as_ref(),
340 Extensions::all_available(),
341 cedar_policy_core::entities::TCComputation::ComputeNow,
342 );
343 eparser.single_from_json_value(value).map(Self)
344 }
345
346 pub fn from_json_str(
349 src: impl AsRef<str>,
350 schema: Option<&Schema>,
351 ) -> Result<Self, EntitiesError> {
352 let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
353 let eparser = cedar_policy_core::entities::EntityJsonParser::new(
354 schema.as_ref(),
355 Extensions::all_available(),
356 cedar_policy_core::entities::TCComputation::ComputeNow,
357 );
358 eparser.single_from_json_str(src).map(Self)
359 }
360
361 pub fn from_json_file(f: impl Read, schema: Option<&Schema>) -> Result<Self, EntitiesError> {
364 let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
365 let eparser = cedar_policy_core::entities::EntityJsonParser::new(
366 schema.as_ref(),
367 Extensions::all_available(),
368 cedar_policy_core::entities::TCComputation::ComputeNow,
369 );
370 eparser.single_from_json_file(f).map(Self)
371 }
372
373 pub fn write_to_json(&self, f: impl std::io::Write) -> Result<(), EntitiesError> {
381 self.0.write_to_json(f)
382 }
383
384 pub fn to_json_value(&self) -> Result<serde_json::Value, EntitiesError> {
392 self.0.to_json_value()
393 }
394
395 pub fn to_json_string(&self) -> Result<String, EntitiesError> {
403 self.0.to_json_string()
404 }
405}
406
407impl std::fmt::Display for Entity {
408 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
409 write!(f, "{}", self.0)
410 }
411}
412
413#[repr(transparent)]
416#[derive(Debug, Clone, Default, PartialEq, Eq, RefCast)]
417pub struct Entities(pub(crate) cedar_policy_core::entities::Entities);
418
419#[doc(hidden)] impl AsRef<cedar_policy_core::entities::Entities> for Entities {
421 fn as_ref(&self) -> &cedar_policy_core::entities::Entities {
422 &self.0
423 }
424}
425
426#[doc(hidden)]
427impl From<cedar_policy_core::entities::Entities> for Entities {
428 fn from(entities: cedar_policy_core::entities::Entities) -> Self {
429 Self(entities)
430 }
431}
432
433use entities_errors::EntitiesError;
434
435impl Entities {
436 pub fn empty() -> Self {
443 Self(cedar_policy_core::entities::Entities::new())
444 }
445
446 pub fn get(&self, uid: &EntityUid) -> Option<&Entity> {
448 match self.0.entity(uid.as_ref()) {
449 Dereference::Residual(_) | Dereference::NoSuchEntity => None,
450 Dereference::Data(e) => Some(Entity::ref_cast(e)),
451 }
452 }
453
454 #[doc = include_str!("../experimental_warning.md")]
458 #[must_use]
459 #[cfg(feature = "partial-eval")]
460 pub fn partial(self) -> Self {
461 Self(self.0.partial())
462 }
463
464 pub fn iter(&self) -> impl Iterator<Item = &Entity> {
466 self.0.iter().map(Entity::ref_cast)
467 }
468
469 pub fn deep_eq(&self, other: &Self) -> bool {
475 self.0.deep_eq(&other.0)
476 }
477
478 pub fn from_entities(
497 entities: impl IntoIterator<Item = Entity>,
498 schema: Option<&Schema>,
499 ) -> Result<Self, EntitiesError> {
500 cedar_policy_core::entities::Entities::from_entities(
501 entities.into_iter().map(|e| e.0),
502 schema
503 .map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0))
504 .as_ref(),
505 cedar_policy_core::entities::TCComputation::ComputeNow,
506 Extensions::all_available(),
507 )
508 .map(Entities)
509 }
510
511 pub fn add_entities(
528 self,
529 entities: impl IntoIterator<Item = Entity>,
530 schema: Option<&Schema>,
531 ) -> Result<Self, EntitiesError> {
532 Ok(Self(
533 self.0.add_entities(
534 entities.into_iter().map(|e| Arc::new(e.0)),
535 schema
536 .map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0))
537 .as_ref(),
538 cedar_policy_core::entities::TCComputation::ComputeNow,
539 Extensions::all_available(),
540 )?,
541 ))
542 }
543
544 pub fn remove_entities(
551 self,
552 entity_ids: impl IntoIterator<Item = EntityUid>,
553 ) -> Result<Self, EntitiesError> {
554 Ok(Self(self.0.remove_entities(
555 entity_ids.into_iter().map(|euid| euid.0),
556 cedar_policy_core::entities::TCComputation::ComputeNow,
557 )?))
558 }
559
560 pub fn upsert_entities(
575 self,
576 entities: impl IntoIterator<Item = Entity>,
577 schema: Option<&Schema>,
578 ) -> Result<Self, EntitiesError> {
579 Ok(Self(
580 self.0.upsert_entities(
581 entities.into_iter().map(|e| Arc::new(e.0)),
582 schema
583 .map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0))
584 .as_ref(),
585 cedar_policy_core::entities::TCComputation::ComputeNow,
586 Extensions::all_available(),
587 )?,
588 ))
589 }
590
591 pub fn add_entities_from_json_str(
612 self,
613 json: &str,
614 schema: Option<&Schema>,
615 ) -> Result<Self, EntitiesError> {
616 let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
617 let eparser = cedar_policy_core::entities::EntityJsonParser::new(
618 schema.as_ref(),
619 Extensions::all_available(),
620 cedar_policy_core::entities::TCComputation::ComputeNow,
621 );
622 let new_entities = eparser.iter_from_json_str(json)?.map(Arc::new);
623 Ok(Self(self.0.add_entities(
624 new_entities,
625 schema.as_ref(),
626 cedar_policy_core::entities::TCComputation::ComputeNow,
627 Extensions::all_available(),
628 )?))
629 }
630
631 pub fn add_entities_from_json_value(
652 self,
653 json: serde_json::Value,
654 schema: Option<&Schema>,
655 ) -> Result<Self, EntitiesError> {
656 let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
657 let eparser = cedar_policy_core::entities::EntityJsonParser::new(
658 schema.as_ref(),
659 Extensions::all_available(),
660 cedar_policy_core::entities::TCComputation::ComputeNow,
661 );
662 let new_entities = eparser.iter_from_json_value(json)?.map(Arc::new);
663 Ok(Self(self.0.add_entities(
664 new_entities,
665 schema.as_ref(),
666 cedar_policy_core::entities::TCComputation::ComputeNow,
667 Extensions::all_available(),
668 )?))
669 }
670
671 pub fn add_entities_from_json_file(
693 self,
694 json: impl std::io::Read,
695 schema: Option<&Schema>,
696 ) -> Result<Self, EntitiesError> {
697 let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
698 let eparser = cedar_policy_core::entities::EntityJsonParser::new(
699 schema.as_ref(),
700 Extensions::all_available(),
701 cedar_policy_core::entities::TCComputation::ComputeNow,
702 );
703 let new_entities = eparser.iter_from_json_file(json)?.map(Arc::new);
704 Ok(Self(self.0.add_entities(
705 new_entities,
706 schema.as_ref(),
707 cedar_policy_core::entities::TCComputation::ComputeNow,
708 Extensions::all_available(),
709 )?))
710 }
711
712 pub fn from_json_str(json: &str, schema: Option<&Schema>) -> Result<Self, EntitiesError> {
763 let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
764 let eparser = cedar_policy_core::entities::EntityJsonParser::new(
765 schema.as_ref(),
766 Extensions::all_available(),
767 cedar_policy_core::entities::TCComputation::ComputeNow,
768 );
769 eparser.from_json_str(json).map(Entities)
770 }
771
772 pub fn from_json_value(
818 json: serde_json::Value,
819 schema: Option<&Schema>,
820 ) -> Result<Self, EntitiesError> {
821 let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
822 let eparser = cedar_policy_core::entities::EntityJsonParser::new(
823 schema.as_ref(),
824 Extensions::all_available(),
825 cedar_policy_core::entities::TCComputation::ComputeNow,
826 );
827 eparser.from_json_value(json).map(Entities)
828 }
829
830 pub fn from_json_file(
854 json: impl std::io::Read,
855 schema: Option<&Schema>,
856 ) -> Result<Self, EntitiesError> {
857 let schema = schema.map(|s| cedar_policy_core::validator::CoreSchema::new(&s.0));
858 let eparser = cedar_policy_core::entities::EntityJsonParser::new(
859 schema.as_ref(),
860 Extensions::all_available(),
861 cedar_policy_core::entities::TCComputation::ComputeNow,
862 );
863 eparser.from_json_file(json).map(Entities)
864 }
865
866 pub fn is_ancestor_of(&self, a: &EntityUid, b: &EntityUid) -> bool {
869 match self.0.entity(b.as_ref()) {
870 Dereference::Data(b) => b.is_descendant_of(a.as_ref()),
871 _ => a == b, }
873 }
874
875 pub fn ancestors<'a>(
878 &'a self,
879 euid: &EntityUid,
880 ) -> Option<impl Iterator<Item = &'a EntityUid>> {
881 let entity = match self.0.entity(euid.as_ref()) {
882 Dereference::Residual(_) | Dereference::NoSuchEntity => None,
883 Dereference::Data(e) => Some(e),
884 }?;
885 Some(entity.ancestors().map(EntityUid::ref_cast))
886 }
887
888 pub fn len(&self) -> usize {
890 self.0.len()
891 }
892
893 pub fn is_empty(&self) -> bool {
895 self.0.is_empty()
896 }
897
898 pub fn write_to_json(&self, f: impl std::io::Write) -> std::result::Result<(), EntitiesError> {
906 self.0.write_to_json(f)
907 }
908
909 pub fn to_json_value(&self) -> Result<serde_json::Value, EntitiesError> {
917 self.0.to_json_value()
918 }
919
920 #[doc = include_str!("../experimental_warning.md")]
921 pub fn to_dot_str(&self) -> String {
925 let mut dot_str = String::new();
926 #[expect(clippy::unwrap_used, reason = "writing to a String cannot fail")]
927 self.0.to_dot_str(&mut dot_str).unwrap();
928 dot_str
929 }
930}
931
932pub fn validate_scope_variables(
939 principal: &EntityUid,
940 action: &EntityUid,
941 resource: &EntityUid,
942 schema: &Schema,
943) -> std::result::Result<(), RequestValidationError> {
944 Ok(RequestSchema::validate_scope_variables(
945 &schema.0,
946 Some(&principal.0),
947 Some(&action.0),
948 Some(&resource.0),
949 )?)
950}
951
952pub mod entities {
954
955 #[derive(Debug)]
957 pub struct IntoIter {
958 pub(super) inner: <cedar_policy_core::entities::Entities as IntoIterator>::IntoIter,
959 }
960
961 impl Iterator for IntoIter {
962 type Item = super::Entity;
963
964 fn next(&mut self) -> Option<Self::Item> {
965 self.inner.next().map(super::Entity)
966 }
967 fn size_hint(&self) -> (usize, Option<usize>) {
968 self.inner.size_hint()
969 }
970 }
971}
972
973impl IntoIterator for Entities {
974 type Item = Entity;
975 type IntoIter = entities::IntoIter;
976
977 fn into_iter(self) -> Self::IntoIter {
978 Self::IntoIter {
979 inner: self.0.into_iter(),
980 }
981 }
982}
983
984#[repr(transparent)]
986#[derive(Debug, Clone, RefCast)]
987pub struct Authorizer(authorizer::Authorizer);
988
989#[doc(hidden)] impl AsRef<authorizer::Authorizer> for Authorizer {
991 fn as_ref(&self) -> &authorizer::Authorizer {
992 &self.0
993 }
994}
995
996impl Default for Authorizer {
997 fn default() -> Self {
998 Self::new()
999 }
1000}
1001
1002impl Authorizer {
1003 pub fn new() -> Self {
1060 Self(authorizer::Authorizer::new())
1061 }
1062
1063 pub fn is_authorized(&self, r: &Request, p: &PolicySet, e: &Entities) -> Response {
1117 self.0.is_authorized(r.0.clone(), &p.ast, &e.0).into()
1118 }
1119
1120 #[doc = include_str!("../experimental_warning.md")]
1125 #[cfg(feature = "partial-eval")]
1126 pub fn is_authorized_partial(
1127 &self,
1128 query: &Request,
1129 policy_set: &PolicySet,
1130 entities: &Entities,
1131 ) -> PartialResponse {
1132 let response = self
1133 .0
1134 .is_authorized_core(query.0.clone(), &policy_set.ast, &entities.0);
1135 PartialResponse(response)
1136 }
1137}
1138
1139#[derive(Debug, PartialEq, Eq, Clone)]
1141pub struct Response {
1142 pub(crate) decision: Decision,
1144 pub(crate) diagnostics: Diagnostics,
1146}
1147
1148#[doc = include_str!("../experimental_warning.md")]
1153#[cfg(feature = "partial-eval")]
1154#[repr(transparent)]
1155#[derive(Debug, Clone, RefCast)]
1156pub struct PartialResponse(cedar_policy_core::authorizer::PartialResponse);
1157
1158#[cfg(feature = "partial-eval")]
1159impl PartialResponse {
1160 pub fn decision(&self) -> Option<Decision> {
1163 self.0.decision()
1164 }
1165
1166 pub fn concretize(self) -> Response {
1169 self.0.concretize().into()
1170 }
1171
1172 pub fn definitely_satisfied(&self) -> impl Iterator<Item = Policy> + '_ {
1175 self.0.definitely_satisfied().map(Policy::from_ast)
1176 }
1177
1178 pub fn definitely_errored(&self) -> impl Iterator<Item = &PolicyId> {
1180 self.0.definitely_errored().map(PolicyId::ref_cast)
1181 }
1182
1183 pub fn may_be_determining(&self) -> impl Iterator<Item = Policy> + '_ {
1191 self.0.may_be_determining().map(Policy::from_ast)
1192 }
1193
1194 pub fn must_be_determining(&self) -> impl Iterator<Item = Policy> + '_ {
1202 self.0.must_be_determining().map(Policy::from_ast)
1203 }
1204
1205 pub fn nontrivial_residuals(&'_ self) -> impl Iterator<Item = Policy> + '_ {
1210 self.0.nontrivial_residuals().map(Policy::from_ast)
1211 }
1212
1213 pub fn all_residuals(&'_ self) -> impl Iterator<Item = Policy> + '_ {
1218 self.0.all_residuals().map(Policy::from_ast)
1219 }
1220
1221 pub fn unknown_entities(&self) -> HashSet<EntityUid> {
1223 let mut entity_uids = HashSet::new();
1224 for policy in self.0.all_residuals() {
1225 entity_uids.extend(policy.unknown_entities().into_iter().map(Into::into));
1226 }
1227 entity_uids
1228 }
1229
1230 pub fn get(&self, id: &PolicyId) -> Option<Policy> {
1232 self.0.get(id.as_ref()).map(Policy::from_ast)
1233 }
1234
1235 #[expect(
1237 clippy::needless_pass_by_value,
1238 reason = "don't want to change signature of deprecated public function"
1239 )]
1240 #[deprecated = "use reauthorize_with_bindings"]
1241 pub fn reauthorize(
1242 &self,
1243 mapping: HashMap<SmolStr, RestrictedExpression>,
1244 auth: &Authorizer,
1245 es: &Entities,
1246 ) -> Result<Self, ReauthorizationError> {
1247 self.reauthorize_with_bindings(mapping.iter().map(|(k, v)| (k.as_str(), v)), auth, es)
1248 }
1249
1250 pub fn reauthorize_with_bindings<'m>(
1253 &self,
1254 mapping: impl IntoIterator<Item = (&'m str, &'m RestrictedExpression)>,
1255 auth: &Authorizer,
1256 es: &Entities,
1257 ) -> Result<Self, ReauthorizationError> {
1258 let exts = Extensions::all_available();
1259 let evaluator = RestrictedEvaluator::new(exts);
1260 let mapping = mapping
1261 .into_iter()
1262 .map(|(name, expr)| {
1263 evaluator
1264 .interpret(BorrowedRestrictedExpr::new_unchecked(expr.0.as_ref()))
1265 .map(|v| (name.into(), v))
1266 })
1267 .collect::<Result<HashMap<_, _>, EvaluationError>>()?;
1268 let r = self.0.reauthorize(&mapping, &auth.0, &es.0)?;
1269 Ok(Self(r))
1270 }
1271}
1272
1273#[cfg(feature = "partial-eval")]
1274#[doc(hidden)]
1275impl From<cedar_policy_core::authorizer::PartialResponse> for PartialResponse {
1276 fn from(pr: cedar_policy_core::authorizer::PartialResponse) -> Self {
1277 Self(pr)
1278 }
1279}
1280
1281#[derive(Debug, PartialEq, Eq, Clone)]
1283pub struct Diagnostics {
1284 reason: HashSet<PolicyId>,
1287 errors: Vec<AuthorizationError>,
1290}
1291
1292#[doc(hidden)]
1293impl From<authorizer::Diagnostics> for Diagnostics {
1294 fn from(diagnostics: authorizer::Diagnostics) -> Self {
1295 Self {
1296 reason: diagnostics.reason.into_iter().map(PolicyId::new).collect(),
1297 errors: diagnostics.errors.into_iter().map(Into::into).collect(),
1298 }
1299 }
1300}
1301
1302impl Diagnostics {
1303 pub fn reason(&self) -> impl Iterator<Item = &PolicyId> {
1360 self.reason.iter()
1361 }
1362
1363 pub fn errors(&self) -> impl Iterator<Item = &AuthorizationError> + '_ {
1419 self.errors.iter()
1420 }
1421
1422 pub(crate) fn into_components(
1424 self,
1425 ) -> (
1426 impl Iterator<Item = PolicyId>,
1427 impl Iterator<Item = AuthorizationError>,
1428 ) {
1429 (self.reason.into_iter(), self.errors.into_iter())
1430 }
1431}
1432
1433impl Response {
1434 pub fn new(
1436 decision: Decision,
1437 reason: HashSet<PolicyId>,
1438 errors: Vec<AuthorizationError>,
1439 ) -> Self {
1440 Self {
1441 decision,
1442 diagnostics: Diagnostics { reason, errors },
1443 }
1444 }
1445
1446 pub fn decision(&self) -> Decision {
1448 self.decision
1449 }
1450
1451 pub fn diagnostics(&self) -> &Diagnostics {
1453 &self.diagnostics
1454 }
1455}
1456
1457#[doc(hidden)]
1458impl From<authorizer::Response> for Response {
1459 fn from(a: authorizer::Response) -> Self {
1460 Self {
1461 decision: a.decision,
1462 diagnostics: a.diagnostics.into(),
1463 }
1464 }
1465}
1466
1467#[derive(Default, Eq, PartialEq, Copy, Clone, Debug, Serialize, Deserialize)]
1469#[cfg_attr(feature = "wasm", derive(tsify::Tsify))]
1470#[cfg_attr(feature = "wasm", tsify(into_wasm_abi, from_wasm_abi))]
1471#[serde(rename_all = "camelCase")]
1472#[non_exhaustive]
1473pub enum ValidationMode {
1474 #[default]
1477 Strict,
1478 #[doc = include_str!("../experimental_warning.md")]
1480 #[cfg(feature = "permissive-validate")]
1481 Permissive,
1482 #[doc = include_str!("../experimental_warning.md")]
1484 #[cfg(feature = "partial-validate")]
1485 Partial,
1486}
1487
1488#[doc(hidden)]
1489impl From<ValidationMode> for cedar_policy_core::validator::ValidationMode {
1490 fn from(mode: ValidationMode) -> Self {
1491 match mode {
1492 ValidationMode::Strict => Self::Strict,
1493 #[cfg(feature = "permissive-validate")]
1494 ValidationMode::Permissive => Self::Permissive,
1495 #[cfg(feature = "partial-validate")]
1496 ValidationMode::Partial => Self::Partial,
1497 }
1498 }
1499}
1500
1501#[repr(transparent)]
1503#[derive(Debug, Clone, RefCast)]
1504pub struct Validator(cedar_policy_core::validator::Validator);
1505
1506#[doc(hidden)] impl AsRef<cedar_policy_core::validator::Validator> for Validator {
1508 fn as_ref(&self) -> &cedar_policy_core::validator::Validator {
1509 &self.0
1510 }
1511}
1512
1513impl Validator {
1514 pub fn new(schema: Schema) -> Self {
1517 Self(cedar_policy_core::validator::Validator::new(schema.0))
1518 }
1519
1520 pub fn schema(&self) -> &Schema {
1522 RefCast::ref_cast(self.0.schema())
1523 }
1524
1525 pub fn validate(&self, pset: &PolicySet, mode: ValidationMode) -> ValidationResult {
1533 ValidationResult::from(self.0.validate(&pset.ast, mode.into()))
1534 }
1535
1536 pub fn validate_with_level(
1544 &self,
1545 pset: &PolicySet,
1546 mode: ValidationMode,
1547 max_deref_level: u32,
1548 ) -> ValidationResult {
1549 ValidationResult::from(
1550 self.0
1551 .validate_with_level(&pset.ast, mode.into(), max_deref_level),
1552 )
1553 }
1554}
1555
1556#[derive(Debug, Clone)]
1559pub struct SchemaFragment {
1560 value: cedar_policy_core::validator::ValidatorSchemaFragment<
1561 cedar_policy_core::validator::ConditionalName,
1562 cedar_policy_core::validator::ConditionalName,
1563 >,
1564 lossless:
1565 cedar_policy_core::validator::json_schema::Fragment<cedar_policy_core::validator::RawName>,
1566}
1567
1568#[doc(hidden)] impl
1570 AsRef<
1571 cedar_policy_core::validator::ValidatorSchemaFragment<
1572 cedar_policy_core::validator::ConditionalName,
1573 cedar_policy_core::validator::ConditionalName,
1574 >,
1575 > for SchemaFragment
1576{
1577 fn as_ref(
1578 &self,
1579 ) -> &cedar_policy_core::validator::ValidatorSchemaFragment<
1580 cedar_policy_core::validator::ConditionalName,
1581 cedar_policy_core::validator::ConditionalName,
1582 > {
1583 &self.value
1584 }
1585}
1586
1587#[doc(hidden)] impl
1589 TryFrom<
1590 cedar_policy_core::validator::json_schema::Fragment<cedar_policy_core::validator::RawName>,
1591 > for SchemaFragment
1592{
1593 type Error = SchemaError;
1594 fn try_from(
1595 json_frag: cedar_policy_core::validator::json_schema::Fragment<
1596 cedar_policy_core::validator::RawName,
1597 >,
1598 ) -> Result<Self, Self::Error> {
1599 Ok(Self {
1600 value: json_frag.clone().try_into()?,
1601 lossless: json_frag,
1602 })
1603 }
1604}
1605
1606fn get_annotation_by_key(
1607 annotations: &est::Annotations,
1608 annotation_key: impl AsRef<str>,
1609) -> Option<&str> {
1610 annotations
1611 .0
1612 .get(&annotation_key.as_ref().parse().ok()?)
1613 .map(|value| annotation_value_to_str_ref(value.as_ref()))
1614}
1615
1616fn annotation_value_to_str_ref(value: Option<&ast::Annotation>) -> &str {
1617 value.map_or("", |a| a.as_ref())
1618}
1619
1620fn annotations_to_pairs(annotations: &est::Annotations) -> impl Iterator<Item = (&str, &str)> {
1621 annotations
1622 .0
1623 .iter()
1624 .map(|(key, value)| (key.as_ref(), annotation_value_to_str_ref(value.as_ref())))
1625}
1626
1627impl SchemaFragment {
1628 pub fn namespace_annotations(
1634 &self,
1635 namespace: EntityNamespace,
1636 ) -> Option<impl Iterator<Item = (&str, &str)>> {
1637 self.lossless
1638 .0
1639 .get(&Some(namespace.0))
1640 .map(|ns_def| annotations_to_pairs(&ns_def.annotations))
1641 }
1642
1643 pub fn namespace_annotation(
1652 &self,
1653 namespace: EntityNamespace,
1654 annotation_key: impl AsRef<str>,
1655 ) -> Option<&str> {
1656 let ns = self.lossless.0.get(&Some(namespace.0))?;
1657 get_annotation_by_key(&ns.annotations, annotation_key)
1658 }
1659
1660 pub fn common_type_annotations(
1666 &self,
1667 namespace: Option<EntityNamespace>,
1668 ty: &str,
1669 ) -> Option<impl Iterator<Item = (&str, &str)>> {
1670 let ns_def = self.lossless.0.get(&namespace.map(|n| n.0))?;
1671 let ty = json_schema::CommonTypeId::new(ast::UnreservedId::from_normalized_str(ty).ok()?)
1672 .ok()?;
1673 ns_def
1674 .common_types
1675 .get(&ty)
1676 .map(|ty| annotations_to_pairs(&ty.annotations))
1677 }
1678
1679 pub fn common_type_annotation(
1688 &self,
1689 namespace: Option<EntityNamespace>,
1690 ty: &str,
1691 annotation_key: impl AsRef<str>,
1692 ) -> Option<&str> {
1693 let ns_def = self.lossless.0.get(&namespace.map(|n| n.0))?;
1694 let ty = json_schema::CommonTypeId::new(ast::UnreservedId::from_normalized_str(ty).ok()?)
1695 .ok()?;
1696 get_annotation_by_key(&ns_def.common_types.get(&ty)?.annotations, annotation_key)
1697 }
1698
1699 pub fn entity_type_annotations(
1705 &self,
1706 namespace: Option<EntityNamespace>,
1707 ty: &str,
1708 ) -> Option<impl Iterator<Item = (&str, &str)>> {
1709 let ns_def = self.lossless.0.get(&namespace.map(|n| n.0))?;
1710 let ty = ast::UnreservedId::from_normalized_str(ty).ok()?;
1711 ns_def
1712 .entity_types
1713 .get(&ty)
1714 .map(|ty| annotations_to_pairs(&ty.annotations))
1715 }
1716
1717 pub fn entity_type_annotation(
1726 &self,
1727 namespace: Option<EntityNamespace>,
1728 ty: &str,
1729 annotation_key: impl AsRef<str>,
1730 ) -> Option<&str> {
1731 let ns_def = self.lossless.0.get(&namespace.map(|n| n.0))?;
1732 let ty = ast::UnreservedId::from_normalized_str(ty).ok()?;
1733 get_annotation_by_key(&ns_def.entity_types.get(&ty)?.annotations, annotation_key)
1734 }
1735
1736 pub fn action_annotations(
1741 &self,
1742 namespace: Option<EntityNamespace>,
1743 id: &EntityId,
1744 ) -> Option<impl Iterator<Item = (&str, &str)>> {
1745 let ns_def = self.lossless.0.get(&namespace.map(|n| n.0))?;
1746 ns_def
1747 .actions
1748 .get(id.unescaped())
1749 .map(|a| annotations_to_pairs(&a.annotations))
1750 }
1751
1752 pub fn action_annotation(
1760 &self,
1761 namespace: Option<EntityNamespace>,
1762 id: &EntityId,
1763 annotation_key: impl AsRef<str>,
1764 ) -> Option<&str> {
1765 let ns_def = self.lossless.0.get(&namespace.map(|n| n.0))?;
1766 get_annotation_by_key(
1767 &ns_def.actions.get(id.unescaped())?.annotations,
1768 annotation_key,
1769 )
1770 }
1771
1772 pub fn namespaces(&self) -> impl Iterator<Item = Option<EntityNamespace>> + '_ {
1776 self.value.namespaces().filter_map(|ns| {
1777 match ns.map(|ns| ast::Name::try_from(ns.clone())) {
1778 Some(Ok(n)) => Some(Some(EntityNamespace(n))),
1779 None => Some(None), Some(Err(_)) => {
1781 None
1788 }
1789 }
1790 })
1791 }
1792
1793 pub fn from_json_str(src: &str) -> Result<Self, SchemaError> {
1796 let lossless = cedar_policy_core::validator::json_schema::Fragment::from_json_str(src)?;
1797 Ok(Self {
1798 value: lossless.clone().try_into()?,
1799 lossless,
1800 })
1801 }
1802
1803 pub fn from_json_value(json: serde_json::Value) -> Result<Self, SchemaError> {
1806 let lossless = cedar_policy_core::validator::json_schema::Fragment::from_json_value(json)?;
1807 Ok(Self {
1808 value: lossless.clone().try_into()?,
1809 lossless,
1810 })
1811 }
1812
1813 pub fn from_cedarschema_file(
1815 r: impl std::io::Read,
1816 ) -> Result<(Self, impl Iterator<Item = SchemaWarning>), CedarSchemaError> {
1817 let (lossless, warnings) =
1818 cedar_policy_core::validator::json_schema::Fragment::from_cedarschema_file(
1819 r,
1820 Extensions::all_available(),
1821 )?;
1822 Ok((
1823 Self {
1824 value: lossless.clone().try_into()?,
1825 lossless,
1826 },
1827 warnings,
1828 ))
1829 }
1830
1831 pub fn from_cedarschema_str(
1833 src: &str,
1834 ) -> Result<(Self, impl Iterator<Item = SchemaWarning>), CedarSchemaError> {
1835 let (lossless, warnings) =
1836 cedar_policy_core::validator::json_schema::Fragment::from_cedarschema_str(
1837 src,
1838 Extensions::all_available(),
1839 )?;
1840 Ok((
1841 Self {
1842 value: lossless.clone().try_into()?,
1843 lossless,
1844 },
1845 warnings,
1846 ))
1847 }
1848
1849 pub fn from_json_file(file: impl std::io::Read) -> Result<Self, SchemaError> {
1852 let lossless = cedar_policy_core::validator::json_schema::Fragment::from_json_file(file)?;
1853 Ok(Self {
1854 value: lossless.clone().try_into()?,
1855 lossless,
1856 })
1857 }
1858
1859 pub fn to_json_value(self) -> Result<serde_json::Value, SchemaError> {
1861 serde_json::to_value(self.lossless).map_err(|e| SchemaError::JsonSerialization(e.into()))
1862 }
1863
1864 pub fn to_json_string(&self) -> Result<String, SchemaError> {
1866 serde_json::to_string(&self.lossless).map_err(|e| SchemaError::JsonSerialization(e.into()))
1867 }
1868
1869 pub fn to_cedarschema(&self) -> Result<String, ToCedarSchemaError> {
1872 let str = self.lossless.to_cedarschema()?;
1873 Ok(str)
1874 }
1875}
1876
1877impl TryInto<Schema> for SchemaFragment {
1878 type Error = SchemaError;
1879
1880 fn try_into(self) -> Result<Schema, Self::Error> {
1884 Ok(Schema(
1885 cedar_policy_core::validator::ValidatorSchema::from_schema_fragments(
1886 [self.value],
1887 Extensions::all_available(),
1888 )?,
1889 ))
1890 }
1891}
1892
1893impl FromStr for SchemaFragment {
1894 type Err = CedarSchemaError;
1895 fn from_str(src: &str) -> Result<Self, Self::Err> {
1901 Self::from_cedarschema_str(src).map(|(frag, _)| frag)
1902 }
1903}
1904
1905#[repr(transparent)]
1907#[derive(Debug, Clone, RefCast)]
1908pub struct Schema(pub(crate) cedar_policy_core::validator::ValidatorSchema);
1909
1910#[doc(hidden)] impl AsRef<cedar_policy_core::validator::ValidatorSchema> for Schema {
1912 fn as_ref(&self) -> &cedar_policy_core::validator::ValidatorSchema {
1913 &self.0
1914 }
1915}
1916
1917#[doc(hidden)]
1918impl From<cedar_policy_core::validator::ValidatorSchema> for Schema {
1919 fn from(schema: cedar_policy_core::validator::ValidatorSchema) -> Self {
1920 Self(schema)
1921 }
1922}
1923
1924impl FromStr for Schema {
1925 type Err = CedarSchemaError;
1926
1927 fn from_str(schema_src: &str) -> Result<Self, Self::Err> {
1934 Self::from_cedarschema_str(schema_src).map(|(schema, _)| schema)
1935 }
1936}
1937
1938impl Schema {
1939 pub fn from_schema_fragments(
1944 fragments: impl IntoIterator<Item = SchemaFragment>,
1945 ) -> Result<Self, SchemaError> {
1946 Ok(Self(
1947 cedar_policy_core::validator::ValidatorSchema::from_schema_fragments(
1948 fragments.into_iter().map(|f| f.value),
1949 Extensions::all_available(),
1950 )?,
1951 ))
1952 }
1953
1954 pub fn from_json_value(json: serde_json::Value) -> Result<Self, SchemaError> {
1957 Ok(Self(
1958 cedar_policy_core::validator::ValidatorSchema::from_json_value(
1959 json,
1960 Extensions::all_available(),
1961 )?,
1962 ))
1963 }
1964
1965 pub fn from_json_str(json: &str) -> Result<Self, SchemaError> {
1968 Ok(Self(
1969 cedar_policy_core::validator::ValidatorSchema::from_json_str(
1970 json,
1971 Extensions::all_available(),
1972 )?,
1973 ))
1974 }
1975
1976 pub fn from_json_file(file: impl std::io::Read) -> Result<Self, SchemaError> {
1979 Ok(Self(
1980 cedar_policy_core::validator::ValidatorSchema::from_json_file(
1981 file,
1982 Extensions::all_available(),
1983 )?,
1984 ))
1985 }
1986
1987 pub fn from_cedarschema_file(
1989 file: impl std::io::Read,
1990 ) -> Result<(Self, impl Iterator<Item = SchemaWarning> + 'static), CedarSchemaError> {
1991 let (schema, warnings) =
1992 cedar_policy_core::validator::ValidatorSchema::from_cedarschema_file(
1993 file,
1994 Extensions::all_available(),
1995 )?;
1996 Ok((Self(schema), warnings))
1997 }
1998
1999 pub fn from_cedarschema_str(
2001 src: &str,
2002 ) -> Result<(Self, impl Iterator<Item = SchemaWarning>), CedarSchemaError> {
2003 let (schema, warnings) =
2004 cedar_policy_core::validator::ValidatorSchema::from_cedarschema_str(
2005 src,
2006 Extensions::all_available(),
2007 )?;
2008 Ok((Self(schema), warnings))
2009 }
2010
2011 pub fn action_entities(&self) -> Result<Entities, EntitiesError> {
2014 Ok(Entities(self.0.action_entities()?))
2015 }
2016
2017 pub fn principals(&self) -> impl Iterator<Item = &EntityTypeName> {
2042 self.0.principals().map(RefCast::ref_cast)
2043 }
2044
2045 pub fn resources(&self) -> impl Iterator<Item = &EntityTypeName> {
2069 self.0.resources().map(RefCast::ref_cast)
2070 }
2071
2072 pub fn principals_for_action(
2078 &self,
2079 action: &EntityUid,
2080 ) -> Option<impl Iterator<Item = &EntityTypeName>> {
2081 self.0
2082 .principals_for_action(&action.0)
2083 .map(|iter| iter.map(RefCast::ref_cast))
2084 }
2085
2086 pub fn resources_for_action(
2092 &self,
2093 action: &EntityUid,
2094 ) -> Option<impl Iterator<Item = &EntityTypeName>> {
2095 self.0
2096 .resources_for_action(&action.0)
2097 .map(|iter| iter.map(RefCast::ref_cast))
2098 }
2099
2100 pub fn request_envs(&self) -> impl Iterator<Item = RequestEnv> + '_ {
2103 self.0
2104 .unlinked_request_envs(cedar_policy_core::validator::ValidationMode::Strict)
2105 .map(Into::into)
2106 }
2107
2108 pub fn ancestors<'a>(
2114 &'a self,
2115 ty: &'a EntityTypeName,
2116 ) -> Option<impl Iterator<Item = &'a EntityTypeName> + 'a> {
2117 self.0
2118 .ancestors(&ty.0)
2119 .map(|iter| iter.map(RefCast::ref_cast))
2120 }
2121
2122 pub fn action_groups(&self) -> impl Iterator<Item = &EntityUid> {
2124 self.0.action_groups().map(RefCast::ref_cast)
2125 }
2126
2127 pub fn entity_types(&self) -> impl Iterator<Item = &EntityTypeName> {
2129 self.0
2130 .entity_types()
2131 .map(|ety| RefCast::ref_cast(ety.name()))
2132 }
2133
2134 pub fn actions(&self) -> impl Iterator<Item = &EntityUid> {
2136 self.0.actions().map(RefCast::ref_cast)
2137 }
2138
2139 pub fn actions_for_principal_and_resource<'a: 'b, 'b>(
2143 &'a self,
2144 principal_type: &'b EntityTypeName,
2145 resource_type: &'b EntityTypeName,
2146 ) -> impl Iterator<Item = &'a EntityUid> + 'b {
2147 self.0
2148 .actions_for_principal_and_resource(&principal_type.0, &resource_type.0)
2149 .map(RefCast::ref_cast)
2150 }
2151}
2152
2153pub fn schema_str_to_json_with_resolved_types(
2163 schema_str: &str,
2164) -> Result<(serde_json::Value, Vec<SchemaWarning>), CedarSchemaError> {
2165 let (json_schema_fragment, warnings) =
2167 json_schema::Fragment::from_cedarschema_str(schema_str, Extensions::all_available())
2168 .map_err(
2169 |e: cedar_policy_core::validator::CedarSchemaError| -> CedarSchemaError {
2170 e.into()
2171 },
2172 )?;
2173
2174 let warnings_as_schema_warnings: Vec<SchemaWarning> = warnings.collect();
2175
2176 let fully_resolved_fragment =
2178 match json_schema_fragment.to_internal_name_fragment_with_resolved_types() {
2179 Ok(fragment) => fragment,
2180 Err(e) => {
2181 return Err(e.into());
2183 }
2184 };
2185
2186 let json_value = serde_json::to_value(&fully_resolved_fragment).map_err(|e| {
2188 let schema_error = SchemaError::JsonSerialization(
2189 cedar_policy_core::validator::schema_errors::JsonSerializationError::from(e),
2190 );
2191 CedarSchemaError::Schema(schema_error)
2192 })?;
2193
2194 Ok((json_value, warnings_as_schema_warnings))
2195}
2196
2197#[cfg(test)]
2202mod test_schema_str_to_json_with_resolved_types {
2203 use super::*;
2204
2205 #[test]
2206 fn test_unresolved_type_error() {
2207 let schema_str = r#"entity User = { "name": MyName };"#;
2208
2209 let result = schema_str_to_json_with_resolved_types(schema_str);
2210
2211 match result {
2213 Ok(_) => panic!("Expected error but got success - MyName should not be resolved"),
2214 Err(CedarSchemaError::Schema(SchemaError::TypeNotDefined(type_not_defined_error))) => {
2215 let error_message = format!("{}", type_not_defined_error);
2217 assert!(
2218 error_message.contains("MyName"),
2219 "Expected error message to contain 'MyName', but got: {}",
2220 error_message
2221 );
2222
2223 assert!(
2225 error_message.contains("failed to resolve type"),
2226 "Expected error message to mention 'failed to resolve type', but got: {}",
2227 error_message
2228 );
2229 }
2230 Err(CedarSchemaError::Schema(other_schema_error)) => {
2231 panic!(
2232 "Expected TypeNotDefined error, but got different SchemaError: {:?}",
2233 other_schema_error
2234 );
2235 }
2236 Err(CedarSchemaError::Parse(parse_error)) => {
2237 panic!(
2238 "Expected TypeNotDefined error, but got parse error: {:?}",
2239 parse_error
2240 );
2241 }
2242 Err(CedarSchemaError::Io(io_error)) => {
2243 panic!(
2244 "Expected TypeNotDefined error, but got IO error: {:?}",
2245 io_error
2246 );
2247 }
2248 }
2249 }
2250
2251 #[test]
2252 fn test_successful_resolution() {
2253 let schema_str = r#"
2254 type MyName = String;
2255 entity User = { "name": MyName };
2256 "#;
2257
2258 let result = schema_str_to_json_with_resolved_types(schema_str);
2259
2260 match result {
2261 Ok((json_value, warnings)) => {
2262 assert!(json_value.is_object(), "Expected JSON object");
2264
2265 let json_str = serde_json::to_string(&json_value).unwrap();
2267 assert!(
2268 !json_str.contains("EntityOrCommon"),
2269 "JSON should not contain unresolved EntityOrCommon types: {}",
2270 json_str
2271 );
2272
2273 assert!(
2275 json_str.contains("MyName"),
2276 "JSON should contain resolved MyName type reference: {}",
2277 json_str
2278 );
2279
2280 assert_eq!(warnings.len(), 0, "Expected no warnings for valid schema");
2282 }
2283 Err(e) => panic!("Expected success but got error: {:?}", e),
2284 }
2285 }
2286}
2287#[derive(Debug, Clone)]
2290pub struct ValidationResult {
2291 validation_errors: Vec<ValidationError>,
2292 validation_warnings: Vec<ValidationWarning>,
2293}
2294
2295impl ValidationResult {
2296 pub fn validation_passed(&self) -> bool {
2300 self.validation_errors.is_empty()
2301 }
2302
2303 pub fn validation_passed_without_warnings(&self) -> bool {
2306 self.validation_errors.is_empty() && self.validation_warnings.is_empty()
2307 }
2308
2309 pub fn validation_errors(&self) -> impl Iterator<Item = &ValidationError> {
2311 self.validation_errors.iter()
2312 }
2313
2314 pub fn validation_warnings(&self) -> impl Iterator<Item = &ValidationWarning> {
2316 self.validation_warnings.iter()
2317 }
2318
2319 fn first_error_or_warning(&self) -> Option<&dyn Diagnostic> {
2320 self.validation_errors
2321 .first()
2322 .map(|e| e as &dyn Diagnostic)
2323 .or_else(|| {
2324 self.validation_warnings
2325 .first()
2326 .map(|w| w as &dyn Diagnostic)
2327 })
2328 }
2329
2330 pub(crate) fn into_errors_and_warnings(
2331 self,
2332 ) -> (
2333 impl Iterator<Item = ValidationError>,
2334 impl Iterator<Item = ValidationWarning>,
2335 ) {
2336 (
2337 self.validation_errors.into_iter(),
2338 self.validation_warnings.into_iter(),
2339 )
2340 }
2341}
2342
2343#[doc(hidden)]
2344impl From<cedar_policy_core::validator::ValidationResult> for ValidationResult {
2345 fn from(r: cedar_policy_core::validator::ValidationResult) -> Self {
2346 let (errors, warnings) = r.into_errors_and_warnings();
2347 Self {
2348 validation_errors: errors.map(ValidationError::from).collect(),
2349 validation_warnings: warnings.map(ValidationWarning::from).collect(),
2350 }
2351 }
2352}
2353
2354impl std::fmt::Display for ValidationResult {
2355 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
2356 match self.first_error_or_warning() {
2357 Some(diagnostic) => write!(f, "{diagnostic}"),
2358 None => write!(f, "no errors or warnings"),
2359 }
2360 }
2361}
2362
2363impl std::error::Error for ValidationResult {
2364 fn source(&self) -> Option<&(dyn std::error::Error + 'static)> {
2365 self.first_error_or_warning()
2366 .and_then(std::error::Error::source)
2367 }
2368
2369 fn description(&self) -> &str {
2370 #[expect(
2371 deprecated,
2372 reason = "description() is deprecated but we still want to forward it"
2373 )]
2374 self.first_error_or_warning()
2375 .map_or("no errors or warnings", std::error::Error::description)
2376 }
2377
2378 fn cause(&self) -> Option<&dyn std::error::Error> {
2379 #[expect(
2380 deprecated,
2381 reason = "cause() is deprecated but we still want to forward it"
2382 )]
2383 self.first_error_or_warning()
2384 .and_then(std::error::Error::cause)
2385 }
2386}
2387
2388impl Diagnostic for ValidationResult {
2392 fn related(&self) -> Option<Box<dyn Iterator<Item = &dyn Diagnostic> + '_>> {
2393 let mut related = self
2394 .validation_errors
2395 .iter()
2396 .map(|err| err as &dyn Diagnostic)
2397 .chain(
2398 self.validation_warnings
2399 .iter()
2400 .map(|warn| warn as &dyn Diagnostic),
2401 );
2402 related.next().map(move |first| match first.related() {
2403 Some(first_related) => Box::new(first_related.chain(related)),
2404 None => Box::new(related) as Box<dyn Iterator<Item = _>>,
2405 })
2406 }
2407
2408 fn severity(&self) -> Option<miette::Severity> {
2409 self.first_error_or_warning()
2410 .map_or(Some(miette::Severity::Advice), Diagnostic::severity)
2411 }
2412
2413 fn labels(&self) -> Option<Box<dyn Iterator<Item = miette::LabeledSpan> + '_>> {
2414 self.first_error_or_warning().and_then(Diagnostic::labels)
2415 }
2416
2417 fn source_code(&self) -> Option<&dyn miette::SourceCode> {
2418 self.first_error_or_warning()
2419 .and_then(Diagnostic::source_code)
2420 }
2421
2422 fn code(&self) -> Option<Box<dyn std::fmt::Display + '_>> {
2423 self.first_error_or_warning().and_then(Diagnostic::code)
2424 }
2425
2426 fn url(&self) -> Option<Box<dyn std::fmt::Display + '_>> {
2427 self.first_error_or_warning().and_then(Diagnostic::url)
2428 }
2429
2430 fn help(&self) -> Option<Box<dyn std::fmt::Display + '_>> {
2431 self.first_error_or_warning().and_then(Diagnostic::help)
2432 }
2433
2434 fn diagnostic_source(&self) -> Option<&dyn Diagnostic> {
2435 self.first_error_or_warning()
2436 .and_then(Diagnostic::diagnostic_source)
2437 }
2438}
2439
2440pub fn confusable_string_checker<'a>(
2446 templates: impl Iterator<Item = &'a Template> + 'a,
2447) -> impl Iterator<Item = ValidationWarning> + 'a {
2448 cedar_policy_core::validator::confusable_string_checks(templates.map(|t| &t.ast))
2449 .map(std::convert::Into::into)
2450}
2451
2452#[derive(Debug, Clone, Hash, PartialEq, Eq, PartialOrd, Ord)]
2464pub struct EntityNamespace(pub(crate) ast::Name);
2465
2466#[doc(hidden)] impl AsRef<ast::Name> for EntityNamespace {
2468 fn as_ref(&self) -> &ast::Name {
2469 &self.0
2470 }
2471}
2472
2473impl FromStr for EntityNamespace {
2476 type Err = ParseErrors;
2477
2478 fn from_str(namespace_str: &str) -> Result<Self, Self::Err> {
2479 ast::Name::from_normalized_str(namespace_str)
2480 .map(EntityNamespace)
2481 .map_err(Into::into)
2482 }
2483}
2484
2485impl std::fmt::Display for EntityNamespace {
2486 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
2487 write!(f, "{}", self.0)
2488 }
2489}
2490
2491#[derive(Debug, Clone, Default)]
2492pub(crate) struct StringifiedPolicySet {
2496 pub policies: Vec<String>,
2498 pub policy_templates: Vec<String>,
2500}
2501
2502#[derive(Debug, Clone, Default)]
2504pub struct PolicySet {
2505 pub(crate) ast: ast::PolicySet,
2508 policies: LinkedHashMap<PolicyId, Policy>,
2510 templates: LinkedHashMap<PolicyId, Template>,
2512}
2513
2514impl PartialEq for PolicySet {
2515 fn eq(&self, other: &Self) -> bool {
2516 self.ast.eq(&other.ast)
2518 }
2519}
2520impl Eq for PolicySet {}
2521
2522#[doc(hidden)] impl AsRef<ast::PolicySet> for PolicySet {
2524 fn as_ref(&self) -> &ast::PolicySet {
2525 &self.ast
2526 }
2527}
2528
2529#[doc(hidden)]
2530impl TryFrom<ast::PolicySet> for PolicySet {
2531 type Error = PolicySetError;
2532 fn try_from(pset: ast::PolicySet) -> Result<Self, Self::Error> {
2533 Self::from_ast(pset)
2534 }
2535}
2536
2537impl FromStr for PolicySet {
2538 type Err = ParseErrors;
2539
2540 fn from_str(policies: &str) -> Result<Self, Self::Err> {
2547 let (texts, pset) = parser::parse_policyset_and_also_return_policy_text(policies)?;
2548 #[expect(clippy::expect_used, reason = "By the invariant on `parse_policyset_and_also_return_policy_text(policies)`, every `PolicyId` in `pset.policies()` occurs as a key in `text`.")]
2549 let policies = pset.policies().map(|p|
2550 (
2551 PolicyId::new(p.id().clone()),
2552 Policy { lossless: LosslessPolicy::policy_or_template_text(*texts.get(p.id()).expect("internal invariant violation: policy id exists in asts but not texts")), ast: p.clone() }
2553 )
2554 ).collect();
2555 #[expect(
2556 clippy::expect_used,
2557 reason = "By the invariant on `parse_policyset_and_also_return_policy_text(policies)`, every `PolicyId` in `pset.templates()` also occurs as a key in `text`."
2558 )]
2559 let templates = pset
2560 .templates()
2561 .map(|t| {
2562 (
2563 PolicyId::new(t.id().clone()),
2564 Template {
2565 lossless: LosslessTemplate::from_text(*texts.get(t.id()).expect(
2566 "internal invariant violation: template id exists in asts but not ests",
2567 )),
2568 ast: t.clone(),
2569 },
2570 )
2571 })
2572 .collect();
2573 Ok(Self {
2574 ast: pset,
2575 policies,
2576 templates,
2577 })
2578 }
2579}
2580
2581impl PolicySet {
2582 fn from_est(est: &est::PolicySet) -> Result<Self, PolicySetError> {
2584 let ast: ast::PolicySet = est.clone().try_into()?;
2585 #[expect(
2586 clippy::expect_used,
2587 reason = "Since conversion from EST to AST succeeded, every `PolicyId` in `ast.policies()` occurs in `est`"
2588 )]
2589 let policies = ast
2590 .policies()
2591 .map(|p| {
2592 (
2593 PolicyId::new(p.id().clone()),
2594 Policy {
2595 lossless: LosslessPolicy::Est(est.get_policy(p.id()).expect(
2596 "internal invariant violation: policy id exists in asts but not ests",
2597 )),
2598 ast: p.clone(),
2599 },
2600 )
2601 })
2602 .collect();
2603 #[expect(
2604 clippy::expect_used,
2605 reason = "Since conversion from EST to AST succeeded, every `PolicyId` in `ast.templates()` occurs in `est`"
2606 )]
2607 let templates = ast
2608 .templates()
2609 .map(|t| {
2610 (
2611 PolicyId::new(t.id().clone()),
2612 Template {
2613 lossless: LosslessTemplate::Est(est.get_template(t.id()).expect(
2614 "internal invariant violation: template id exists in asts but not ests",
2615 )),
2616 ast: t.clone(),
2617 },
2618 )
2619 })
2620 .collect();
2621 Ok(Self {
2622 ast,
2623 policies,
2624 templates,
2625 })
2626 }
2627
2628 pub(crate) fn from_ast(ast: ast::PolicySet) -> Result<Self, PolicySetError> {
2630 let templates = ast
2631 .templates()
2632 .cloned()
2633 .map(|t| (PolicyId::new(t.id().clone()), t.into()))
2634 .collect();
2635 let policies = ast
2636 .policies()
2637 .cloned()
2638 .map(|p| (PolicyId::new(p.id().clone()), p.into()))
2639 .collect();
2640 Ok(Self {
2641 ast,
2642 policies,
2643 templates,
2644 })
2645 }
2646
2647 pub fn from_pst(pst_set: pst::PolicySet) -> Result<Self, PolicySetError> {
2654 let mut set = Self::new();
2655 for (id, template) in pst_set.templates {
2656 let ast_template: ast::Template = template.clone().try_into()?;
2657 set.ast.add_template(ast_template.clone())?;
2658 set.templates.insert(
2659 id.into(),
2660 Template {
2661 ast: ast_template,
2662 lossless: LosslessTemplate::Pst(template),
2663 },
2664 );
2665 }
2666 for (id, static_policy) in pst_set.policies {
2667 let pst_policy = pst::Policy::Static(static_policy);
2668 let ast_policy: ast::Policy = pst_policy.clone().try_into()?;
2669 set.ast.add(ast_policy.clone())?;
2670 set.policies.insert(
2671 id.into(),
2672 Policy {
2673 ast: ast_policy,
2674 lossless: LosslessPolicy::Pst(pst_policy),
2675 },
2676 );
2677 }
2678 for link in pst_set.template_links {
2679 let vals: HashMap<SlotId, EntityUid> = link
2680 .values
2681 .into_iter()
2682 .map(|(k, v)| {
2683 let ast_uid = ast::EntityUID::from(v);
2684 (k.into(), EntityUid(ast_uid))
2685 })
2686 .collect();
2687 set.link(link.template_id.into(), link.new_id.into(), vals)?;
2688 }
2689 Ok(set)
2690 }
2691
2692 pub fn from_json_str(src: impl AsRef<str>) -> Result<Self, PolicySetError> {
2694 let est: est::PolicySet = serde_json::from_str(src.as_ref())
2695 .map_err(|e| policy_set_errors::JsonPolicySetError { inner: e })?;
2696 Self::from_est(&est)
2697 }
2698
2699 pub fn from_json_value(src: serde_json::Value) -> Result<Self, PolicySetError> {
2701 let est: est::PolicySet = serde_json::from_value(src)
2702 .map_err(|e| policy_set_errors::JsonPolicySetError { inner: e })?;
2703 Self::from_est(&est)
2704 }
2705
2706 pub fn from_json_file(r: impl std::io::Read) -> Result<Self, PolicySetError> {
2708 let est: est::PolicySet = serde_json::from_reader(r)
2709 .map_err(|e| policy_set_errors::JsonPolicySetError { inner: e })?;
2710 Self::from_est(&est)
2711 }
2712
2713 pub fn to_json(self) -> Result<serde_json::Value, PolicySetError> {
2715 let est = self.est()?;
2716 let value = serde_json::to_value(est)
2717 .map_err(|e| policy_set_errors::JsonPolicySetError { inner: e })?;
2718 Ok(value)
2719 }
2720
2721 pub fn to_pst(&self) -> Result<pst::PolicySet, PolicySetError> {
2731 let templates = self
2732 .templates
2733 .iter()
2734 .map(|(id, t)| Ok((id.clone().into(), t.to_pst()?)))
2735 .collect::<Result<_, pst::PstConstructionError>>()?;
2736 let mut policies = LinkedHashMap::new();
2737 let mut template_links = Vec::new();
2738 for (id, policy) in &self.policies {
2739 if policy.is_static() {
2740 if let pst::Policy::Static(sp) = policy.to_pst()? {
2741 policies.insert(id.clone().into(), sp);
2742 }
2743 } else {
2744 template_links.push(pst::TemplateLink {
2745 template_id: policy.ast.template().id().clone().into(),
2746 new_id: id.clone().into(),
2747 values: policy
2748 .ast
2749 .env()
2750 .iter()
2751 .map(|(k, v)| ((*k).into(), v.clone().into()))
2752 .collect(),
2753 });
2754 }
2755 }
2756 Ok(pst::PolicySet {
2757 templates,
2758 policies,
2759 template_links,
2760 })
2761 }
2762
2763 pub fn try_into_pst(self) -> Result<pst::PolicySet, PolicySetError> {
2768 let templates = self
2769 .templates
2770 .into_iter()
2771 .map(|(id, t)| Ok((id.into(), t.try_into_pst()?)))
2772 .collect::<Result<_, pst::PstConstructionError>>()?;
2773 let mut policies = LinkedHashMap::new();
2774 let mut template_links = Vec::new();
2775 for (id, policy) in self.policies {
2776 if policy.is_static() {
2777 if let pst::Policy::Static(sp) = policy.try_into_pst()? {
2778 policies.insert(id.into(), sp);
2779 }
2780 } else {
2781 template_links.push(pst::TemplateLink {
2782 template_id: policy.ast.template().id().clone().into(),
2783 new_id: id.into(),
2784 values: policy
2785 .ast
2786 .env()
2787 .iter()
2788 .map(|(k, v)| ((*k).into(), v.clone().into()))
2789 .collect(),
2790 });
2791 }
2792 }
2793 Ok(pst::PolicySet {
2794 templates,
2795 policies,
2796 template_links,
2797 })
2798 }
2799
2800 fn est(self) -> Result<est::PolicySet, PolicyToJsonError> {
2802 let (static_policies, template_links): (Vec<_>, Vec<_>) =
2803 fold_partition(self.policies, is_static_or_link)?;
2804 let static_policies = static_policies.into_iter().collect::<LinkedHashMap<_, _>>();
2805 let templates = self
2806 .templates
2807 .into_iter()
2808 .map(|(id, template)| {
2809 template
2810 .lossless
2811 .est(|| template.ast.clone().into())
2812 .map(|est| (id.into(), est))
2813 })
2814 .collect::<Result<LinkedHashMap<_, _>, _>>()?;
2815 let est = est::PolicySet {
2816 templates,
2817 static_policies,
2818 template_links,
2819 };
2820
2821 Ok(est)
2822 }
2823
2824 pub fn to_cedar(&self) -> Option<String> {
2843 match self.stringify() {
2844 Some(StringifiedPolicySet {
2845 policies,
2846 policy_templates,
2847 }) => {
2848 let policies_as_vec = policies
2849 .into_iter()
2850 .chain(policy_templates)
2851 .collect::<Vec<_>>();
2852 Some(policies_as_vec.join("\n\n"))
2853 }
2854 None => None,
2855 }
2856 }
2857
2858 pub(crate) fn stringify(&self) -> Option<StringifiedPolicySet> {
2875 let policies = self
2876 .policies
2877 .values()
2878 .sorted_by_key(|p| AsRef::<str>::as_ref(p.id()))
2882 .map(Policy::to_cedar)
2883 .collect::<Option<Vec<_>>>()?;
2884 let policy_templates = self
2885 .templates
2886 .values()
2887 .sorted_by_key(|t| AsRef::<str>::as_ref(t.id()))
2888 .map(Template::to_cedar)
2889 .collect_vec();
2890
2891 Some(StringifiedPolicySet {
2892 policies,
2893 policy_templates,
2894 })
2895 }
2896
2897 pub fn new() -> Self {
2899 Self {
2900 ast: ast::PolicySet::new(),
2901 policies: LinkedHashMap::new(),
2902 templates: LinkedHashMap::new(),
2903 }
2904 }
2905
2906 pub fn from_policies(
2908 policies: impl IntoIterator<Item = Policy>,
2909 ) -> Result<Self, PolicySetError> {
2910 let mut set = Self::new();
2911 for policy in policies {
2912 set.add(policy)?;
2913 }
2914 Ok(set)
2915 }
2916
2917 pub fn merge(
2932 &mut self,
2933 other: &Self,
2934 rename_duplicates: bool,
2935 ) -> Result<HashMap<PolicyId, PolicyId>, PolicySetError> {
2936 match self.ast.merge_policyset(&other.ast, rename_duplicates) {
2937 Ok(renaming) => {
2938 let renaming: HashMap<PolicyId, PolicyId> = renaming
2939 .into_iter()
2940 .map(|(old_pid, new_pid)| (PolicyId::new(old_pid), PolicyId::new(new_pid)))
2941 .collect();
2942
2943 for (old_pid, op) in &other.policies {
2944 let pid = renaming.get(old_pid).unwrap_or(old_pid);
2945 if !self.policies.contains_key(pid) {
2946 let lossless = if renaming.contains_key(old_pid) {
2947 op.lossless.new_id(pid.clone())
2948 } else {
2949 op.lossless.clone()
2950 };
2951 #[expect(
2952 clippy::unwrap_used,
2953 reason = "`pid` is the new id of a policy from `other`, so it will be in `self` after merging"
2954 )]
2955 let new_p = Policy {
2956 ast: self.ast.get(pid.as_ref()).unwrap().clone(),
2959 lossless,
2960 };
2961 self.policies.insert(pid.clone(), new_p);
2962 }
2963 }
2964 for (old_pid, ot) in &other.templates {
2965 let pid = renaming.get(old_pid).unwrap_or(old_pid);
2966 if !self.templates.contains_key(pid) {
2967 let lossless = if renaming.contains_key(old_pid) {
2968 ot.lossless.new_id(pid.clone())
2969 } else {
2970 ot.lossless.clone()
2971 };
2972 #[expect(
2973 clippy::unwrap_used,
2974 reason = "`pid` is the new id of a template from `other`, so it will be in `self` after merging"
2975 )]
2976 let new_t = Template {
2977 ast: self.ast.get_template(pid.as_ref()).unwrap().clone(),
2978 lossless,
2979 };
2980 self.templates.insert(pid.clone(), new_t);
2981 }
2982 }
2983
2984 Ok(renaming)
2985 }
2986 Err(ast::PolicySetError::Occupied { id }) => Err(PolicySetError::AlreadyDefined(
2987 policy_set_errors::AlreadyDefined {
2988 id: PolicyId::new(id),
2989 },
2990 )),
2991 }
2992 }
2993
2994 pub fn add(&mut self, policy: Policy) -> Result<(), PolicySetError> {
2998 if policy.is_static() {
2999 let id = PolicyId::new(policy.ast.id().clone());
3000 self.ast.add(policy.ast.clone())?;
3001 self.policies.insert(id, policy);
3002 Ok(())
3003 } else {
3004 Err(PolicySetError::ExpectedStatic(
3005 policy_set_errors::ExpectedStatic::new(),
3006 ))
3007 }
3008 }
3009
3010 pub fn remove_static(&mut self, policy_id: PolicyId) -> Result<Policy, PolicySetError> {
3014 let Some(policy) = self.policies.remove(&policy_id) else {
3015 return Err(PolicySetError::PolicyNonexistent(
3016 policy_set_errors::PolicyNonexistentError { policy_id },
3017 ));
3018 };
3019 if self
3020 .ast
3021 .remove_static(&ast::PolicyID::from_string(&policy_id))
3022 .is_ok()
3023 {
3024 Ok(policy)
3025 } else {
3026 self.policies.insert(policy_id.clone(), policy);
3028 Err(PolicySetError::PolicyNonexistent(
3029 policy_set_errors::PolicyNonexistentError { policy_id },
3030 ))
3031 }
3032 }
3033
3034 pub fn add_template(&mut self, template: Template) -> Result<(), PolicySetError> {
3036 let id = PolicyId::new(template.ast.id().clone());
3037 self.ast.add_template(template.ast.clone())?;
3038 self.templates.insert(id, template);
3039 Ok(())
3040 }
3041
3042 pub fn remove_template(&mut self, template_id: PolicyId) -> Result<Template, PolicySetError> {
3047 let Some(template) = self.templates.remove(&template_id) else {
3048 return Err(PolicySetError::TemplateNonexistent(
3049 policy_set_errors::TemplateNonexistentError { template_id },
3050 ));
3051 };
3052 #[expect(clippy::panic, reason = "We just found the policy in self.templates")]
3054 match self
3055 .ast
3056 .remove_template(&ast::PolicyID::from_string(&template_id))
3057 {
3058 Ok(_) => Ok(template),
3059 Err(ast::PolicySetTemplateRemovalError::RemoveTemplateWithLinksError(_)) => {
3060 self.templates.insert(template_id.clone(), template);
3061 Err(PolicySetError::RemoveTemplateWithActiveLinks(
3062 policy_set_errors::RemoveTemplateWithActiveLinksError { template_id },
3063 ))
3064 }
3065 Err(ast::PolicySetTemplateRemovalError::NotTemplateError(_)) => {
3066 self.templates.insert(template_id.clone(), template);
3067 Err(PolicySetError::RemoveTemplateNotTemplate(
3068 policy_set_errors::RemoveTemplateNotTemplateError { template_id },
3069 ))
3070 }
3071 Err(ast::PolicySetTemplateRemovalError::RemovePolicyNoTemplateError(_)) => {
3072 panic!("Found template policy in self.templates but not in self.ast");
3073 }
3074 }
3075 }
3076
3077 pub fn get_linked_policies(
3080 &self,
3081 template_id: PolicyId,
3082 ) -> Result<impl Iterator<Item = &PolicyId>, PolicySetError> {
3083 self.ast
3084 .get_linked_policies(&ast::PolicyID::from_string(&template_id))
3085 .map_or_else(
3086 |_| {
3087 Err(PolicySetError::TemplateNonexistent(
3088 policy_set_errors::TemplateNonexistentError { template_id },
3089 ))
3090 },
3091 |v| Ok(v.map(PolicyId::ref_cast)),
3092 )
3093 }
3094
3095 pub fn policies(&self) -> impl Iterator<Item = &Policy> {
3099 self.policies.values()
3100 }
3101
3102 pub fn templates(&self) -> impl Iterator<Item = &Template> {
3104 self.templates.values()
3105 }
3106
3107 pub fn template(&self, id: &PolicyId) -> Option<&Template> {
3109 self.templates.get(id)
3110 }
3111
3112 pub fn policy(&self, id: &PolicyId) -> Option<&Policy> {
3114 self.policies.get(id)
3115 }
3116
3117 pub fn annotation(&self, id: &PolicyId, key: impl AsRef<str>) -> Option<&str> {
3122 self.ast
3123 .get(id.as_ref())?
3124 .annotation(&key.as_ref().parse().ok()?)
3125 .map(AsRef::as_ref)
3126 }
3127
3128 pub fn template_annotation(&self, id: &PolicyId, key: impl AsRef<str>) -> Option<&str> {
3133 self.ast
3134 .get_template(id.as_ref())?
3135 .annotation(&key.as_ref().parse().ok()?)
3136 .map(AsRef::as_ref)
3137 }
3138
3139 pub fn is_empty(&self) -> bool {
3141 debug_assert_eq!(
3142 self.ast.is_empty(),
3143 self.policies.is_empty() && self.templates.is_empty()
3144 );
3145 self.ast.is_empty()
3146 }
3147
3148 pub fn num_of_policies(&self) -> usize {
3152 self.policies.len()
3153 }
3154
3155 pub fn num_of_templates(&self) -> usize {
3157 self.templates.len()
3158 }
3159
3160 pub fn link(
3169 &mut self,
3170 template_id: PolicyId,
3171 new_id: PolicyId,
3172 vals: HashMap<SlotId, EntityUid>,
3173 ) -> Result<(), PolicySetError> {
3174 let unwrapped_vals: HashMap<ast::SlotId, ast::EntityUID> = vals
3175 .into_iter()
3176 .map(|(key, value)| (key.into(), value.into()))
3177 .collect();
3178
3179 let Some(template) = self.templates.get(&template_id) else {
3184 return Err(if self.policies.contains_key(&template_id) {
3185 policy_set_errors::ExpectedTemplate::new().into()
3186 } else {
3187 policy_set_errors::LinkingError {
3188 inner: ast::LinkingError::NoSuchTemplate {
3189 id: template_id.into(),
3190 },
3191 }
3192 .into()
3193 });
3194 };
3195
3196 let linked_ast = self.ast.link(
3197 template_id.into(),
3198 new_id.clone().into(),
3199 unwrapped_vals.clone(),
3200 )?;
3201
3202 #[expect(
3203 clippy::expect_used,
3204 reason = "`lossless.link()` will not fail after `ast.link()` succeeds"
3205 )]
3206 let linked_lossless = template
3207 .lossless
3208 .clone()
3209 .link(
3210 new_id.clone().into(),
3211 unwrapped_vals.iter().map(|(k, v)| (*k, v)),
3212 )
3213 .expect("ast.link() didn't fail above, so this shouldn't fail");
3218 self.policies.insert(
3219 new_id,
3220 Policy {
3221 ast: linked_ast.clone(),
3222 lossless: linked_lossless,
3223 },
3224 );
3225 Ok(())
3226 }
3227
3228 #[doc = include_str!("../experimental_warning.md")]
3230 #[cfg(feature = "partial-eval")]
3231 pub fn unknown_entities(&self) -> HashSet<EntityUid> {
3232 let mut entity_uids = HashSet::new();
3233 for policy in self.policies.values() {
3234 entity_uids.extend(policy.unknown_entities());
3235 }
3236 entity_uids
3237 }
3238
3239 pub fn unlink(&mut self, policy_id: PolicyId) -> Result<Policy, PolicySetError> {
3242 let Some(policy) = self.policies.remove(&policy_id) else {
3243 return Err(PolicySetError::LinkNonexistent(
3244 policy_set_errors::LinkNonexistentError { policy_id },
3245 ));
3246 };
3247 #[expect(clippy::panic, reason = "We just found the policy in self.policies")]
3249 match self.ast.unlink(&ast::PolicyID::from_string(&policy_id)) {
3250 Ok(_) => Ok(policy),
3251 Err(ast::PolicySetUnlinkError::NotLinkError(_)) => {
3252 self.policies.insert(policy_id.clone(), policy);
3254 Err(PolicySetError::UnlinkLinkNotLink(
3255 policy_set_errors::UnlinkLinkNotLinkError { policy_id },
3256 ))
3257 }
3258 Err(ast::PolicySetUnlinkError::UnlinkingError(_)) => {
3259 panic!("Found linked policy in self.policies but not in self.ast")
3260 }
3261 }
3262 }
3263}
3264
3265impl std::fmt::Display for PolicySet {
3266 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
3267 let mut policies = self.policies().peekable();
3269 while let Some(policy) = policies.next() {
3270 policy.lossless.fmt(|| policy.ast.clone().into(), f)?;
3271 if policies.peek().is_some() {
3272 writeln!(f)?;
3273 }
3274 }
3275 Ok(())
3276 }
3277}
3278
3279fn is_static_or_link(
3282 (id, policy): (PolicyId, Policy),
3283) -> Result<Either<(ast::PolicyID, est::Policy), TemplateLink>, PolicyToJsonError> {
3284 match policy.template_id() {
3285 Some(template_id) => {
3286 let values = policy
3287 .ast
3288 .env()
3289 .iter()
3290 .map(|(id, euid)| (*id, euid.clone()))
3291 .collect();
3292 Ok(Either::Right(TemplateLink {
3293 new_id: id.into(),
3294 template_id: template_id.clone().into(),
3295 values,
3296 }))
3297 }
3298 None => policy
3299 .lossless
3300 .est(|| policy.ast.clone().into())
3301 .map(|est| Either::Left((id.into(), est))),
3302 }
3303}
3304
3305#[expect(
3308 clippy::redundant_pub_crate,
3309 reason = "can't be private because it's used in tests"
3310)]
3311pub(crate) fn fold_partition<T, A, B, E>(
3312 i: impl IntoIterator<Item = T>,
3313 f: impl Fn(T) -> Result<Either<A, B>, E>,
3314) -> Result<(Vec<A>, Vec<B>), E> {
3315 let mut lefts = vec![];
3316 let mut rights = vec![];
3317
3318 for item in i {
3319 match f(item)? {
3320 Either::Left(left) => lefts.push(left),
3321 Either::Right(right) => rights.push(right),
3322 }
3323 }
3324
3325 Ok((lefts, rights))
3326}
3327
3328#[derive(Debug, Clone, PartialEq, Eq, Hash, PartialOrd, Ord)]
3332pub struct RequestEnv {
3333 pub(crate) principal: EntityTypeName,
3334 pub(crate) action: EntityUid,
3335 pub(crate) resource: EntityTypeName,
3336 pub(crate) principal_slot: Option<EntityTypeName>,
3337 pub(crate) resource_slot: Option<EntityTypeName>,
3338}
3339
3340impl RequestEnv {
3341 pub fn new(principal: EntityTypeName, action: EntityUid, resource: EntityTypeName) -> Self {
3343 Self {
3344 principal,
3345 action,
3346 resource,
3347 principal_slot: None,
3348 resource_slot: None,
3349 }
3350 }
3351
3352 pub fn new_request_env_with_slots(
3354 principal: EntityTypeName,
3355 action: EntityUid,
3356 resource: EntityTypeName,
3357 principal_slot: Option<EntityTypeName>,
3358 resource_slot: Option<EntityTypeName>,
3359 ) -> Self {
3360 Self {
3361 principal,
3362 action,
3363 resource,
3364 principal_slot,
3365 resource_slot,
3366 }
3367 }
3368
3369 pub fn principal(&self) -> &EntityTypeName {
3371 &self.principal
3372 }
3373
3374 pub fn action(&self) -> &EntityUid {
3376 &self.action
3377 }
3378
3379 pub fn resource(&self) -> &EntityTypeName {
3381 &self.resource
3382 }
3383
3384 pub fn principal_slot(&self) -> Option<&EntityTypeName> {
3386 self.principal_slot.as_ref()
3387 }
3388
3389 pub fn resource_slot(&self) -> Option<&EntityTypeName> {
3391 self.resource_slot.as_ref()
3392 }
3393}
3394
3395#[doc(hidden)]
3396impl From<cedar_policy_core::validator::types::RequestEnv<'_>> for RequestEnv {
3397 fn from(renv: cedar_policy_core::validator::types::RequestEnv<'_>) -> Self {
3398 match renv {
3399 cedar_policy_core::validator::types::RequestEnv::DeclaredAction {
3400 principal,
3401 action,
3402 resource,
3403 principal_slot,
3404 resource_slot,
3405 ..
3406 } => Self {
3407 principal: principal.clone().into(),
3408 action: action.clone().into(),
3409 resource: resource.clone().into(),
3410 principal_slot: principal_slot.map(EntityTypeName::from),
3411 resource_slot: resource_slot.map(EntityTypeName::from),
3412 },
3413 #[expect(
3414 clippy::unreachable,
3415 reason = "partial validation is not enabled and hence `RequestEnv::UndeclaredAction` should not show up"
3416 )]
3417 cedar_policy_core::validator::types::RequestEnv::UndeclaredAction => {
3418 unreachable!("used unsupported feature")
3419 }
3420 }
3421 }
3422}
3423
3424fn get_valid_request_envs(ast: &ast::Template, s: &Schema) -> impl Iterator<Item = RequestEnv> {
3429 let tc = Typechecker::new(
3430 &s.0,
3431 cedar_policy_core::validator::ValidationMode::default(),
3432 );
3433 tc.typecheck_by_request_env(ast)
3434 .into_iter()
3435 .filter_map(|(env, pc)| {
3436 if matches!(pc, PolicyCheck::Success(_)) {
3437 Some(env.into())
3438 } else {
3439 None
3440 }
3441 })
3442 .collect::<BTreeSet<_>>()
3443 .into_iter()
3444}
3445
3446#[derive(Debug, Clone)]
3452pub struct Template {
3453 pub(crate) ast: ast::Template,
3456
3457 pub(crate) lossless: LosslessTemplate,
3465}
3466
3467impl PartialEq for Template {
3468 fn eq(&self, other: &Self) -> bool {
3469 self.ast.eq(&other.ast)
3471 }
3472}
3473impl Eq for Template {}
3474
3475#[doc(hidden)] impl AsRef<ast::Template> for Template {
3477 fn as_ref(&self) -> &ast::Template {
3478 &self.ast
3479 }
3480}
3481
3482#[doc(hidden)]
3483impl From<ast::Template> for Template {
3484 fn from(template: ast::Template) -> Self {
3485 Self::from_ast(template)
3486 }
3487}
3488
3489impl Template {
3490 pub fn from_pst(pst_template: pst::Template) -> Result<Self, pst::PstConstructionError> {
3493 let ast: ast::Template = pst_template.clone().try_into()?;
3494 if ast.slots().count() == 0 {
3495 return Err(error_body::ExpectedTemplateWithSlotsError.into());
3496 }
3497 Ok(Self {
3498 ast,
3499 lossless: LosslessTemplate::Pst(pst_template),
3500 })
3501 }
3502
3503 pub fn to_pst(&self) -> Result<pst::Template, pst::PstConstructionError> {
3505 self.lossless
3506 .pst(|| pst::Template::try_from(self.ast.clone()))
3507 .map(|t| t.with_id(self.ast.id().clone().into()))
3508 }
3509
3510 pub fn try_into_pst(self) -> Result<pst::Template, pst::PstConstructionError> {
3514 self.lossless
3515 .try_into_pst(|| pst::Template::try_from(self.ast))
3516 }
3517
3518 pub fn parse(id: Option<PolicyId>, src: impl AsRef<str>) -> Result<Self, ParseErrors> {
3524 let ast = parser::parse_template(id.map(Into::into), src.as_ref())?;
3525 Ok(Self {
3526 ast,
3527 lossless: LosslessTemplate::from_text(Some(src.as_ref())),
3528 })
3529 }
3530
3531 pub fn id(&self) -> &PolicyId {
3533 PolicyId::ref_cast(self.ast.id())
3534 }
3535
3536 #[must_use]
3538 pub fn new_id(&self, id: PolicyId) -> Self {
3539 Self {
3540 ast: self.ast.new_id(id.clone().into()),
3541 lossless: self.lossless.new_id(id),
3542 }
3543 }
3544
3545 pub fn effect(&self) -> Effect {
3547 self.ast.effect()
3548 }
3549
3550 pub fn has_non_scope_constraint(&self) -> bool {
3552 self.ast.non_scope_constraints().is_some()
3553 }
3554
3555 pub fn annotation(&self, key: impl AsRef<str>) -> Option<&str> {
3560 self.ast
3561 .annotation(&key.as_ref().parse().ok()?)
3562 .map(AsRef::as_ref)
3563 }
3564
3565 pub fn annotations(&self) -> impl Iterator<Item = (&str, &str)> {
3569 self.ast
3570 .annotations()
3571 .map(|(k, v)| (k.as_ref(), v.as_ref()))
3572 }
3573
3574 pub fn slots(&self) -> impl Iterator<Item = &SlotId> {
3576 self.ast.slots().map(|slot| SlotId::ref_cast(&slot.id))
3577 }
3578
3579 pub fn principal_constraint(&self) -> TemplatePrincipalConstraint {
3581 match self.ast.principal_constraint().as_inner() {
3582 ast::PrincipalOrResourceConstraint::Any => TemplatePrincipalConstraint::Any,
3583 ast::PrincipalOrResourceConstraint::In(eref) => {
3584 TemplatePrincipalConstraint::In(match eref {
3585 ast::EntityReference::EUID(e) => Some(e.as_ref().clone().into()),
3586 ast::EntityReference::Slot(_) => None,
3587 })
3588 }
3589 ast::PrincipalOrResourceConstraint::Eq(eref) => {
3590 TemplatePrincipalConstraint::Eq(match eref {
3591 ast::EntityReference::EUID(e) => Some(e.as_ref().clone().into()),
3592 ast::EntityReference::Slot(_) => None,
3593 })
3594 }
3595 ast::PrincipalOrResourceConstraint::Is(entity_type) => {
3596 TemplatePrincipalConstraint::Is(entity_type.as_ref().clone().into())
3597 }
3598 ast::PrincipalOrResourceConstraint::IsIn(entity_type, eref) => {
3599 TemplatePrincipalConstraint::IsIn(
3600 entity_type.as_ref().clone().into(),
3601 match eref {
3602 ast::EntityReference::EUID(e) => Some(e.as_ref().clone().into()),
3603 ast::EntityReference::Slot(_) => None,
3604 },
3605 )
3606 }
3607 }
3608 }
3609
3610 pub fn action_constraint(&self) -> ActionConstraint {
3612 match self.ast.action_constraint() {
3614 ast::ActionConstraint::Any => ActionConstraint::Any,
3615 ast::ActionConstraint::In(ids) => {
3616 ActionConstraint::In(ids.iter().map(|id| id.as_ref().clone().into()).collect())
3617 }
3618 ast::ActionConstraint::Eq(id) => ActionConstraint::Eq(id.as_ref().clone().into()),
3619 #[cfg(feature = "tolerant-ast")]
3620 #[expect(clippy::unimplemented, reason = "experimental feature")]
3621 ast::ActionConstraint::ErrorConstraint => {
3622 unimplemented!("internal ErrorConstraint cannot be represented in the public API")
3623 }
3624 }
3625 }
3626
3627 pub fn resource_constraint(&self) -> TemplateResourceConstraint {
3629 match self.ast.resource_constraint().as_inner() {
3630 ast::PrincipalOrResourceConstraint::Any => TemplateResourceConstraint::Any,
3631 ast::PrincipalOrResourceConstraint::In(eref) => {
3632 TemplateResourceConstraint::In(match eref {
3633 ast::EntityReference::EUID(e) => Some(e.as_ref().clone().into()),
3634 ast::EntityReference::Slot(_) => None,
3635 })
3636 }
3637 ast::PrincipalOrResourceConstraint::Eq(eref) => {
3638 TemplateResourceConstraint::Eq(match eref {
3639 ast::EntityReference::EUID(e) => Some(e.as_ref().clone().into()),
3640 ast::EntityReference::Slot(_) => None,
3641 })
3642 }
3643 ast::PrincipalOrResourceConstraint::Is(entity_type) => {
3644 TemplateResourceConstraint::Is(entity_type.as_ref().clone().into())
3645 }
3646 ast::PrincipalOrResourceConstraint::IsIn(entity_type, eref) => {
3647 TemplateResourceConstraint::IsIn(
3648 entity_type.as_ref().clone().into(),
3649 match eref {
3650 ast::EntityReference::EUID(e) => Some(e.as_ref().clone().into()),
3651 ast::EntityReference::Slot(_) => None,
3652 },
3653 )
3654 }
3655 }
3656 }
3657
3658 pub fn from_json(
3664 id: Option<PolicyId>,
3665 json: serde_json::Value,
3666 ) -> Result<Self, PolicyFromJsonError> {
3667 let est: est::Policy = serde_json::from_value(json)
3668 .map_err(|e| entities_json_errors::JsonDeserializationError::Serde(e.into()))
3669 .map_err(cedar_policy_core::est::FromJsonError::from)?;
3670 Self::from_est(id, est)
3671 }
3672
3673 fn from_est(id: Option<PolicyId>, est: est::Policy) -> Result<Self, PolicyFromJsonError> {
3674 Ok(Self {
3675 ast: est.clone().try_into_ast_template(id.map(PolicyId::into))?,
3676 lossless: LosslessTemplate::Est(est),
3677 })
3678 }
3679
3680 pub(crate) fn from_ast(ast: ast::Template) -> Self {
3681 Self {
3682 lossless: LosslessTemplate::Est(ast.clone().into()),
3683 ast,
3684 }
3685 }
3686
3687 pub fn to_json(&self) -> Result<serde_json::Value, PolicyToJsonError> {
3689 let est = self.lossless.est(|| self.ast.clone().into())?;
3690 serde_json::to_value(est).map_err(Into::into)
3691 }
3692
3693 pub fn to_cedar(&self) -> String {
3702 match &self.lossless {
3703 LosslessTemplate::Empty | LosslessTemplate::Est(_) | LosslessTemplate::Pst(_) => {
3704 self.ast.to_string()
3705 }
3706 LosslessTemplate::Text(text) => text.clone(),
3707 }
3708 }
3709
3710 pub fn get_valid_request_envs(&self, s: &Schema) -> impl Iterator<Item = RequestEnv> {
3715 get_valid_request_envs(&self.ast, s)
3716 }
3717}
3718
3719impl std::fmt::Display for Template {
3720 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
3721 self.lossless.fmt(|| self.ast.clone().into(), f)
3723 }
3724}
3725
3726impl FromStr for Template {
3727 type Err = ParseErrors;
3728
3729 fn from_str(src: &str) -> Result<Self, Self::Err> {
3730 Self::parse(None, src)
3731 }
3732}
3733
3734#[derive(Debug, Clone, PartialEq, Eq)]
3736pub enum PrincipalConstraint {
3737 Any,
3739 In(EntityUid),
3741 Eq(EntityUid),
3743 Is(EntityTypeName),
3745 IsIn(EntityTypeName, EntityUid),
3747}
3748
3749#[derive(Debug, Clone, PartialEq, Eq)]
3751pub enum TemplatePrincipalConstraint {
3752 Any,
3754 In(Option<EntityUid>),
3757 Eq(Option<EntityUid>),
3760 Is(EntityTypeName),
3762 IsIn(EntityTypeName, Option<EntityUid>),
3765}
3766
3767impl TemplatePrincipalConstraint {
3768 pub fn has_slot(&self) -> bool {
3770 match self {
3771 Self::Any | Self::Is(_) => false,
3772 Self::In(o) | Self::Eq(o) | Self::IsIn(_, o) => o.is_none(),
3773 }
3774 }
3775}
3776
3777#[derive(Debug, Clone, PartialEq, Eq)]
3779pub enum ActionConstraint {
3780 Any,
3782 In(Vec<EntityUid>),
3784 Eq(EntityUid),
3786}
3787
3788#[derive(Debug, Clone, PartialEq, Eq)]
3790pub enum ResourceConstraint {
3791 Any,
3793 In(EntityUid),
3795 Eq(EntityUid),
3797 Is(EntityTypeName),
3799 IsIn(EntityTypeName, EntityUid),
3801}
3802
3803#[derive(Debug, Clone, PartialEq, Eq)]
3805pub enum TemplateResourceConstraint {
3806 Any,
3808 In(Option<EntityUid>),
3811 Eq(Option<EntityUid>),
3814 Is(EntityTypeName),
3816 IsIn(EntityTypeName, Option<EntityUid>),
3819}
3820
3821impl TemplateResourceConstraint {
3822 pub fn has_slot(&self) -> bool {
3824 match self {
3825 Self::Any | Self::Is(_) => false,
3826 Self::In(o) | Self::Eq(o) | Self::IsIn(_, o) => o.is_none(),
3827 }
3828 }
3829}
3830
3831#[derive(Debug, Clone)]
3833pub struct Policy {
3834 pub(crate) ast: ast::Policy,
3837 pub(crate) lossless: LosslessPolicy,
3846}
3847
3848impl PartialEq for Policy {
3849 fn eq(&self, other: &Self) -> bool {
3850 self.ast.eq(&other.ast)
3852 }
3853}
3854impl Eq for Policy {}
3855
3856#[doc(hidden)] impl AsRef<ast::Policy> for Policy {
3858 fn as_ref(&self) -> &ast::Policy {
3859 &self.ast
3860 }
3861}
3862
3863#[doc(hidden)]
3864impl From<ast::Policy> for Policy {
3865 fn from(policy: ast::Policy) -> Self {
3866 Self::from_ast(policy)
3867 }
3868}
3869
3870#[doc(hidden)]
3871impl From<ast::StaticPolicy> for Policy {
3872 fn from(policy: ast::StaticPolicy) -> Self {
3873 ast::Policy::from(policy).into()
3874 }
3875}
3876
3877impl Policy {
3878 pub fn from_pst(pst_policy: pst::Policy) -> Result<Self, pst::PstConstructionError> {
3881 let ast = ast::Policy::try_from(pst_policy.clone())?;
3882 Ok(Self {
3883 ast,
3884 lossless: LosslessPolicy::Pst(pst_policy),
3885 })
3886 }
3887
3888 pub fn template_id(&self) -> Option<&PolicyId> {
3891 if self.is_static() {
3892 None
3893 } else {
3894 Some(PolicyId::ref_cast(self.ast.template().id()))
3895 }
3896 }
3897
3898 pub fn template_links(&self) -> Option<HashMap<SlotId, EntityUid>> {
3901 if self.is_static() {
3902 None
3903 } else {
3904 let wrapped_vals: HashMap<SlotId, EntityUid> = self
3905 .ast
3906 .env()
3907 .iter()
3908 .map(|(key, value)| ((*key).into(), value.clone().into()))
3909 .collect();
3910 Some(wrapped_vals)
3911 }
3912 }
3913
3914 pub fn effect(&self) -> Effect {
3916 self.ast.effect()
3917 }
3918
3919 pub fn has_non_scope_constraint(&self) -> bool {
3921 self.ast.non_scope_constraints().is_some()
3922 }
3923
3924 pub fn annotation(&self, key: impl AsRef<str>) -> Option<&str> {
3929 self.ast
3930 .annotation(&key.as_ref().parse().ok()?)
3931 .map(AsRef::as_ref)
3932 }
3933
3934 pub fn annotations(&self) -> impl Iterator<Item = (&str, &str)> {
3938 self.ast
3939 .annotations()
3940 .map(|(k, v)| (k.as_ref(), v.as_ref()))
3941 }
3942
3943 pub fn id(&self) -> &PolicyId {
3945 PolicyId::ref_cast(self.ast.id())
3946 }
3947
3948 #[must_use]
3950 pub fn new_id(&self, id: PolicyId) -> Self {
3951 Self {
3952 ast: self.ast.new_id(id.clone().into()),
3953 lossless: self.lossless.new_id(id),
3954 }
3955 }
3956
3957 pub fn is_static(&self) -> bool {
3959 self.ast.is_static()
3960 }
3961
3962 pub fn principal_constraint(&self) -> PrincipalConstraint {
3964 let slot_id = ast::SlotId::principal();
3965 match self.ast.template().principal_constraint().as_inner() {
3966 ast::PrincipalOrResourceConstraint::Any => PrincipalConstraint::Any,
3967 ast::PrincipalOrResourceConstraint::In(eref) => {
3968 PrincipalConstraint::In(self.convert_entity_reference(eref, slot_id).clone())
3969 }
3970 ast::PrincipalOrResourceConstraint::Eq(eref) => {
3971 PrincipalConstraint::Eq(self.convert_entity_reference(eref, slot_id).clone())
3972 }
3973 ast::PrincipalOrResourceConstraint::Is(entity_type) => {
3974 PrincipalConstraint::Is(entity_type.as_ref().clone().into())
3975 }
3976 ast::PrincipalOrResourceConstraint::IsIn(entity_type, eref) => {
3977 PrincipalConstraint::IsIn(
3978 entity_type.as_ref().clone().into(),
3979 self.convert_entity_reference(eref, slot_id).clone(),
3980 )
3981 }
3982 }
3983 }
3984
3985 pub fn action_constraint(&self) -> ActionConstraint {
3987 match self.ast.template().action_constraint() {
3989 ast::ActionConstraint::Any => ActionConstraint::Any,
3990 ast::ActionConstraint::In(ids) => ActionConstraint::In(
3991 ids.iter()
3992 .map(|euid| EntityUid::ref_cast(euid.as_ref()))
3993 .cloned()
3994 .collect(),
3995 ),
3996 ast::ActionConstraint::Eq(id) => ActionConstraint::Eq(EntityUid::ref_cast(id).clone()),
3997 #[cfg(feature = "tolerant-ast")]
3998 #[expect(clippy::unimplemented, reason = "experimental feature")]
3999 ast::ActionConstraint::ErrorConstraint => {
4000 unimplemented!("internal ErrorConstraint cannot be represented in the public API")
4001 }
4002 }
4003 }
4004
4005 pub fn resource_constraint(&self) -> ResourceConstraint {
4007 let slot_id = ast::SlotId::resource();
4008 match self.ast.template().resource_constraint().as_inner() {
4009 ast::PrincipalOrResourceConstraint::Any => ResourceConstraint::Any,
4010 ast::PrincipalOrResourceConstraint::In(eref) => {
4011 ResourceConstraint::In(self.convert_entity_reference(eref, slot_id).clone())
4012 }
4013 ast::PrincipalOrResourceConstraint::Eq(eref) => {
4014 ResourceConstraint::Eq(self.convert_entity_reference(eref, slot_id).clone())
4015 }
4016 ast::PrincipalOrResourceConstraint::Is(entity_type) => {
4017 ResourceConstraint::Is(entity_type.as_ref().clone().into())
4018 }
4019 ast::PrincipalOrResourceConstraint::IsIn(entity_type, eref) => {
4020 ResourceConstraint::IsIn(
4021 entity_type.as_ref().clone().into(),
4022 self.convert_entity_reference(eref, slot_id).clone(),
4023 )
4024 }
4025 }
4026 }
4027
4028 fn convert_entity_reference<'a>(
4035 &'a self,
4036 r: &'a ast::EntityReference,
4037 slot: ast::SlotId,
4038 ) -> &'a EntityUid {
4039 match r {
4040 ast::EntityReference::EUID(euid) => EntityUid::ref_cast(euid),
4041 #[expect(
4042 clippy::unwrap_used,
4043 reason = "This `unwrap` here is safe due the invariant (values total map) on policies"
4044 )]
4045 ast::EntityReference::Slot(_) => {
4046 EntityUid::ref_cast(self.ast.env().get(&slot).unwrap())
4047 }
4048 }
4049 }
4050
4051 pub fn parse(id: Option<PolicyId>, policy_src: impl AsRef<str>) -> Result<Self, ParseErrors> {
4060 let inline_ast = parser::parse_policy(id.map(Into::into), policy_src.as_ref())?;
4061 let (_, ast) = ast::Template::link_static_policy(inline_ast);
4062 Ok(Self {
4063 ast,
4064 lossless: LosslessPolicy::policy_or_template_text(Some(policy_src.as_ref())),
4065 })
4066 }
4067
4068 pub fn from_json(
4134 id: Option<PolicyId>,
4135 json: serde_json::Value,
4136 ) -> Result<Self, PolicyFromJsonError> {
4137 let est: est::Policy = serde_json::from_value(json)
4138 .map_err(|e| entities_json_errors::JsonDeserializationError::Serde(e.into()))
4139 .map_err(cedar_policy_core::est::FromJsonError::from)?;
4140 Self::from_est(id, est)
4141 }
4142
4143 pub fn get_valid_request_envs(&self, s: &Schema) -> impl Iterator<Item = RequestEnv> {
4148 get_valid_request_envs(self.ast.template(), s)
4149 }
4150
4151 pub fn entity_literals(&self) -> Vec<EntityUid> {
4153 self.ast
4154 .condition()
4155 .subexpressions()
4156 .filter_map(|e| match e.expr_kind() {
4157 cedar_policy_core::ast::ExprKind::Lit(
4158 cedar_policy_core::ast::Literal::EntityUID(euid),
4159 ) => Some(EntityUid((*euid).as_ref().clone())),
4160 _ => None,
4161 })
4162 .collect()
4163 }
4164
4165 pub fn sub_entity_literals(
4168 &self,
4169 mapping: BTreeMap<EntityUid, EntityUid>,
4170 ) -> Result<Self, PolicyFromJsonError> {
4171 #[expect(
4172 clippy::expect_used,
4173 reason = "This can't fail for a policy that was already constructed"
4174 )]
4175 let cloned_est = self
4176 .lossless
4177 .est(|| self.ast.clone().into())
4178 .expect("Internal error, failed to construct est.");
4179
4180 let mapping = mapping.into_iter().map(|(k, v)| (k.0, v.0)).collect();
4181
4182 #[expect(
4183 clippy::expect_used,
4184 reason = "This can't fail for a policy that was already constructed"
4185 )]
4186 let est = cloned_est
4187 .sub_entity_literals(&mapping)
4188 .expect("Internal error, failed to sub entity literals.");
4189
4190 let ast = est
4191 .clone()
4192 .try_into_ast_policy(Some(self.ast.id().clone()))?;
4193
4194 Ok(Self {
4195 ast,
4196 lossless: LosslessPolicy::Est(est),
4197 })
4198 }
4199
4200 fn from_est(id: Option<PolicyId>, est: est::Policy) -> Result<Self, PolicyFromJsonError> {
4201 Ok(Self {
4202 ast: est.clone().try_into_ast_policy(id.map(PolicyId::into))?,
4203 lossless: LosslessPolicy::Est(est),
4204 })
4205 }
4206
4207 pub fn to_json(&self) -> Result<serde_json::Value, PolicyToJsonError> {
4226 let est = self.lossless.est(|| self.ast.clone().into())?;
4227 serde_json::to_value(est).map_err(Into::into)
4228 }
4229
4230 pub fn to_cedar(&self) -> Option<String> {
4245 match &self.lossless {
4246 LosslessPolicy::Empty | LosslessPolicy::Est(_) | LosslessPolicy::Pst(_) => {
4247 Some(self.ast.to_string())
4248 }
4249 LosslessPolicy::Text { text, slots } => {
4250 if slots.is_empty() {
4251 Some(text.clone())
4252 } else {
4253 None
4254 }
4255 }
4256 }
4257 }
4258
4259 pub fn to_pst(&self) -> Result<pst::Policy, pst::PstConstructionError> {
4261 self.lossless
4262 .pst(|| pst::Policy::try_from(self.ast.clone()))
4263 .map(|p| p.new_id(self.ast.id().clone().into()))
4264 }
4265
4266 pub fn try_into_pst(self) -> Result<pst::Policy, pst::PstConstructionError> {
4269 self.lossless
4270 .try_into_pst(|| pst::Policy::try_from(self.ast.clone()))
4271 }
4272
4273 #[doc = include_str!("../experimental_warning.md")]
4275 #[cfg(feature = "partial-eval")]
4276 pub fn unknown_entities(&self) -> HashSet<EntityUid> {
4277 self.ast
4278 .unknown_entities()
4279 .into_iter()
4280 .map(Into::into)
4281 .collect()
4282 }
4283
4284 pub(crate) fn from_ast(ast: ast::Policy) -> Self {
4290 Self {
4306 ast,
4307 lossless: LosslessPolicy::Empty,
4308 }
4309 }
4310}
4311
4312impl std::fmt::Display for Policy {
4313 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
4314 self.lossless.fmt(|| self.ast.clone().into(), f)
4316 }
4317}
4318
4319impl FromStr for Policy {
4320 type Err = ParseErrors;
4321 fn from_str(policy: &str) -> Result<Self, Self::Err> {
4329 Self::parse(None, policy)
4330 }
4331}
4332
4333#[derive(Debug, Clone)]
4336pub(crate) enum LosslessTemplate {
4337 Empty,
4339 Est(est::Policy),
4341 Pst(pst::Template),
4343 Text(String),
4345}
4346
4347impl LosslessTemplate {
4348 fn from_text(text: Option<impl Into<String>>) -> Self {
4350 text.map_or(Self::Empty, |text| Self::Text(text.into()))
4351 }
4352
4353 fn new_id(&self, id: PolicyId) -> Self {
4356 match self {
4357 Self::Pst(pst) => {
4358 let mut pst = pst.clone();
4359 pst.id = id.into();
4360 Self::Pst(pst)
4361 }
4362 other => other.clone(),
4363 }
4364 }
4365
4366 fn est(
4368 &self,
4369 fallback_est: impl FnOnce() -> est::Policy,
4370 ) -> Result<est::Policy, PolicyToJsonError> {
4371 match self {
4372 Self::Empty => Ok(fallback_est()),
4373 Self::Est(est) => Ok(est.clone()),
4374 Self::Pst(pst) => Ok(pst.clone().try_into()?),
4375 Self::Text(text) => {
4376 Ok(parser::parse_policy_or_template_to_est(text).map_err(ParseErrors::from)?)
4377 }
4378 }
4379 }
4380
4381 fn pst(
4383 &self,
4384 fallback_pst: impl FnOnce() -> Result<pst::Template, pst::PstConstructionError>,
4385 ) -> Result<pst::Template, pst::PstConstructionError> {
4386 match self {
4387 Self::Empty => fallback_pst(),
4388 Self::Est(est) => Ok(est.clone().try_into()?),
4389 Self::Pst(pst) => Ok(pst.clone()),
4390 Self::Text(text) => Ok(parser::parse_policy_or_template_to_est(text)?.try_into()?),
4391 }
4392 }
4393
4394 fn try_into_pst(
4396 self,
4397 fallback_pst: impl FnOnce() -> Result<pst::Template, pst::PstConstructionError>,
4398 ) -> Result<pst::Template, pst::PstConstructionError> {
4399 match self {
4400 Self::Empty => fallback_pst(),
4401 Self::Est(est) => Ok(est.try_into()?),
4402 Self::Pst(pst) => Ok(pst),
4403 Self::Text(text) => Ok(parser::parse_policy_or_template_to_est(&text)?.try_into()?),
4404 }
4405 }
4406
4407 fn link<'a>(
4409 self,
4410 link_id: ast::PolicyID,
4411 vals: impl IntoIterator<Item = (ast::SlotId, &'a ast::EntityUID)>,
4412 ) -> Result<LosslessPolicy, est::LinkingError> {
4413 match self {
4414 Self::Empty => Ok(LosslessPolicy::Empty),
4415 Self::Est(est) => {
4416 let unwrapped_vals: HashMap<
4417 ast::SlotId,
4418 cedar_policy_core::entities::EntityUidJson,
4419 > = vals.into_iter().map(|(k, v)| (k, v.into())).collect();
4420 Ok(LosslessPolicy::Est(est.link(&unwrapped_vals)?))
4421 }
4422 Self::Pst(template) => {
4423 let values: HashMap<pst::SlotId, pst::EntityUID> = vals
4424 .into_iter()
4425 .map(|(k, v)| (k.into(), v.clone().into()))
4426 .collect();
4427 let pst_policy = pst::LinkedPolicy::new(Arc::new(template), values, link_id.into())
4428 .map_err(est::LinkingError::from)?;
4429 Ok(LosslessPolicy::Pst(pst::Policy::Linked(pst_policy)))
4430 }
4431 Self::Text(text) => {
4432 let slots = vals.into_iter().map(|(k, v)| (k, v.clone())).collect();
4433 Ok(LosslessPolicy::Text { text, slots })
4434 }
4435 }
4436 }
4437
4438 fn fmt(
4439 &self,
4440 fallback_est: impl FnOnce() -> est::Policy,
4441 f: &mut std::fmt::Formatter<'_>,
4442 ) -> std::fmt::Result {
4443 match self {
4444 Self::Empty => match self.est(fallback_est) {
4445 Ok(est) => write!(f, "{est}"),
4446 Err(e) => write!(f, "<invalid policy: {e}>"),
4447 },
4448 Self::Pst(pst) => write!(f, "{pst}"), Self::Est(est) => write!(f, "{est}"),
4450 Self::Text(text) => write!(f, "{text}"),
4451 }
4452 }
4453}
4454
4455#[derive(Debug, Clone)]
4458pub(crate) enum LosslessPolicy {
4459 Empty,
4461 Est(est::Policy),
4463 Pst(pst::Policy),
4465 Text {
4467 text: String,
4469 slots: HashMap<ast::SlotId, ast::EntityUID>,
4472 },
4473}
4474
4475impl LosslessPolicy {
4476 fn policy_or_template_text(text: Option<impl Into<String>>) -> Self {
4478 text.map_or(Self::Empty, |text| Self::Text {
4479 text: text.into(),
4480 slots: HashMap::new(),
4481 })
4482 }
4483
4484 fn new_id(&self, id: PolicyId) -> Self {
4487 match self {
4488 Self::Pst(pst) => Self::Pst(pst.new_id(id.into())),
4489 other => other.clone(),
4490 }
4491 }
4492
4493 fn est(
4495 &self,
4496 fallback_est: impl FnOnce() -> est::Policy,
4497 ) -> Result<est::Policy, PolicyToJsonError> {
4498 match self {
4499 Self::Empty => Ok(fallback_est()),
4500 Self::Est(est) => Ok(est.clone()),
4501 Self::Pst(pst) => {
4502 match pst {
4505 pst::Policy::Static(sp) => Ok(sp.body().clone().try_into()?),
4506 pst::Policy::Linked(lp) => {
4507 let static_policy = lp.into_static_policy()?;
4508 Ok(static_policy.body().clone().try_into()?)
4509 }
4510 }
4511 }
4512 Self::Text { text, slots } => {
4513 let est =
4514 parser::parse_policy_or_template_to_est(text).map_err(ParseErrors::from)?;
4515 if slots.is_empty() {
4516 Ok(est)
4517 } else {
4518 let unwrapped_vals = slots.iter().map(|(k, v)| (*k, v.into())).collect();
4519 Ok(est.link(&unwrapped_vals)?)
4520 }
4521 }
4522 }
4523 }
4524
4525 fn pst(
4527 &self,
4528 fallback_pst: impl FnOnce() -> Result<pst::Policy, pst::PstConstructionError>,
4529 ) -> Result<pst::Policy, pst::PstConstructionError> {
4530 match self {
4531 Self::Empty => fallback_pst(),
4532 Self::Est(est) => {
4533 let template: pst::Template = est.clone().try_into()?;
4534 Ok(pst::Policy::Static(pst::StaticPolicy::try_from(template)?))
4535 }
4536 Self::Pst(pst) => Ok(pst.clone()),
4537 Self::Text { text, slots } => {
4538 let template: pst::Template =
4539 parser::parse_policy_or_template_to_est(text)?.try_into()?;
4540 if slots.is_empty() {
4541 Ok(pst::Policy::Static(pst::StaticPolicy::try_from(template)?))
4542 } else {
4543 let pst_vals: HashMap<pst::SlotId, pst::EntityUID> = slots
4544 .iter()
4545 .map(|(k, v)| ((*k).into(), v.clone().into()))
4546 .collect();
4547 let static_policy = template.link(&pst_vals)?;
4548 Ok(pst::Policy::Static(static_policy))
4549 }
4550 }
4551 }
4552 }
4553
4554 fn try_into_pst(
4556 self,
4557 fallback_pst: impl FnOnce() -> Result<pst::Policy, pst::PstConstructionError>,
4558 ) -> Result<pst::Policy, pst::PstConstructionError> {
4559 match self {
4560 Self::Empty => fallback_pst(),
4561 Self::Est(est) => {
4562 let template: pst::Template = est.try_into()?;
4563 Ok(pst::Policy::Static(pst::StaticPolicy::try_from(template)?))
4564 }
4565 Self::Pst(pst) => Ok(pst),
4566 Self::Text { text, slots } => {
4567 let template: pst::Template =
4568 parser::parse_policy_or_template_to_est(&text)?.try_into()?;
4569 if slots.is_empty() {
4570 Ok(pst::Policy::Static(pst::StaticPolicy::try_from(template)?))
4571 } else {
4572 let pst_vals: HashMap<pst::SlotId, pst::EntityUID> = slots
4573 .into_iter()
4574 .map(|(k, v)| (pst::SlotId::from(k), v.into()))
4575 .collect();
4576 let static_policy = template.link(&pst_vals)?;
4577 Ok(pst::Policy::Static(static_policy))
4578 }
4579 }
4580 }
4581 }
4582
4583 fn fmt(
4584 &self,
4585 fallback_est: impl FnOnce() -> est::Policy,
4586 f: &mut std::fmt::Formatter<'_>,
4587 ) -> std::fmt::Result {
4588 match self {
4589 Self::Empty => match self.est(fallback_est) {
4590 Ok(est) => write!(f, "{est}"),
4591 Err(e) => write!(f, "<invalid policy: {e}>"),
4592 },
4593 Self::Pst(pst) => write!(f, "{pst}"), Self::Est(est) => write!(f, "{est}"),
4595 Self::Text { text, slots } => {
4596 if slots.is_empty() {
4597 write!(f, "{text}")
4598 } else {
4599 match self.est(fallback_est) {
4600 Ok(est) => write!(f, "{est}"),
4601 Err(e) => write!(f, "<invalid linked policy: {e}>"),
4602 }
4603 }
4604 }
4605 }
4606 }
4607}
4608
4609#[repr(transparent)]
4611#[derive(Debug, Clone, RefCast)]
4612pub struct Expression(pub(crate) ast::Expr);
4613
4614#[doc(hidden)] impl AsRef<ast::Expr> for Expression {
4616 fn as_ref(&self) -> &ast::Expr {
4617 &self.0
4618 }
4619}
4620
4621#[doc(hidden)]
4622impl From<ast::Expr> for Expression {
4623 fn from(expr: ast::Expr) -> Self {
4624 Self(expr)
4625 }
4626}
4627
4628impl Expression {
4629 pub fn new_string(value: String) -> Self {
4631 Self(ast::Expr::val(value))
4632 }
4633
4634 pub fn new_bool(value: bool) -> Self {
4636 Self(ast::Expr::val(value))
4637 }
4638
4639 pub fn new_long(value: ast::Integer) -> Self {
4641 Self(ast::Expr::val(value))
4642 }
4643
4644 pub fn new_record(
4648 fields: impl IntoIterator<Item = (String, Self)>,
4649 ) -> Result<Self, ExpressionConstructionError> {
4650 Ok(Self(ast::Expr::record(
4651 fields.into_iter().map(|(k, v)| (SmolStr::from(k), v.0)),
4652 )?))
4653 }
4654
4655 pub fn new_set(values: impl IntoIterator<Item = Self>) -> Self {
4657 Self(ast::Expr::set(values.into_iter().map(|v| v.0)))
4658 }
4659
4660 pub fn new_ip(src: impl AsRef<str>) -> Self {
4664 let src_expr = ast::Expr::val(src.as_ref());
4665 Self(ast::Expr::call_extension_fn(
4666 ip_extension_name(),
4667 vec![src_expr],
4668 ))
4669 }
4670
4671 pub fn new_decimal(src: impl AsRef<str>) -> Self {
4675 let src_expr = ast::Expr::val(src.as_ref());
4676 Self(ast::Expr::call_extension_fn(
4677 decimal_extension_name(),
4678 vec![src_expr],
4679 ))
4680 }
4681
4682 pub fn new_datetime(src: impl AsRef<str>) -> Self {
4686 let src_expr = ast::Expr::val(src.as_ref());
4687 Self(ast::Expr::call_extension_fn(
4688 datetime_extension_name(),
4689 vec![src_expr],
4690 ))
4691 }
4692
4693 pub fn new_duration(src: impl AsRef<str>) -> Self {
4697 let src_expr = ast::Expr::val(src.as_ref());
4698 Self(ast::Expr::call_extension_fn(
4699 duration_extension_name(),
4700 vec![src_expr],
4701 ))
4702 }
4703}
4704
4705#[cfg(test)]
4706impl Expression {
4707 pub(crate) fn into_inner(self) -> ast::Expr {
4710 self.0
4711 }
4712}
4713
4714impl FromStr for Expression {
4715 type Err = ParseErrors;
4716
4717 fn from_str(expression: &str) -> Result<Self, Self::Err> {
4719 ast::Expr::from_str(expression)
4720 .map(Expression)
4721 .map_err(Into::into)
4722 }
4723}
4724
4725impl std::fmt::Display for Expression {
4726 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
4727 write!(f, "{}", &self.0)
4728 }
4729}
4730
4731#[repr(transparent)]
4747#[derive(Debug, Clone, RefCast, PartialEq, Eq)]
4748pub struct RestrictedExpression(pub(crate) ast::RestrictedExpr);
4749
4750#[doc(hidden)] impl AsRef<ast::RestrictedExpr> for RestrictedExpression {
4752 fn as_ref(&self) -> &ast::RestrictedExpr {
4753 &self.0
4754 }
4755}
4756
4757#[doc(hidden)]
4758impl From<ast::RestrictedExpr> for RestrictedExpression {
4759 fn from(expr: ast::RestrictedExpr) -> Self {
4760 Self(expr)
4761 }
4762}
4763
4764impl RestrictedExpression {
4765 pub fn new_string(value: String) -> Self {
4767 Self(ast::RestrictedExpr::val(value))
4768 }
4769
4770 pub fn new_bool(value: bool) -> Self {
4772 Self(ast::RestrictedExpr::val(value))
4773 }
4774
4775 pub fn new_long(value: ast::Integer) -> Self {
4777 Self(ast::RestrictedExpr::val(value))
4778 }
4779
4780 pub fn new_entity_uid(value: EntityUid) -> Self {
4782 Self(ast::RestrictedExpr::val(ast::EntityUID::from(value)))
4783 }
4784
4785 pub fn new_record(
4789 fields: impl IntoIterator<Item = (String, Self)>,
4790 ) -> Result<Self, ExpressionConstructionError> {
4791 Ok(Self(ast::RestrictedExpr::record(
4792 fields.into_iter().map(|(k, v)| (SmolStr::from(k), v.0)),
4793 )?))
4794 }
4795
4796 pub fn new_set(values: impl IntoIterator<Item = Self>) -> Self {
4798 Self(ast::RestrictedExpr::set(values.into_iter().map(|v| v.0)))
4799 }
4800
4801 pub fn new_ip(src: impl AsRef<str>) -> Self {
4805 let src_expr = ast::RestrictedExpr::val(src.as_ref());
4806 Self(ast::RestrictedExpr::call_extension_fn(
4807 ip_extension_name(),
4808 [src_expr],
4809 ))
4810 }
4811
4812 pub fn new_decimal(src: impl AsRef<str>) -> Self {
4816 let src_expr = ast::RestrictedExpr::val(src.as_ref());
4817 Self(ast::RestrictedExpr::call_extension_fn(
4818 decimal_extension_name(),
4819 [src_expr],
4820 ))
4821 }
4822
4823 pub fn new_datetime(src: impl AsRef<str>) -> Self {
4827 let src_expr = ast::RestrictedExpr::val(src.as_ref());
4828 Self(ast::RestrictedExpr::call_extension_fn(
4829 datetime_extension_name(),
4830 [src_expr],
4831 ))
4832 }
4833
4834 pub fn new_duration(src: impl AsRef<str>) -> Self {
4838 let src_expr = ast::RestrictedExpr::val(src.as_ref());
4839 Self(ast::RestrictedExpr::call_extension_fn(
4840 duration_extension_name(),
4841 [src_expr],
4842 ))
4843 }
4844
4845 #[cfg(feature = "partial-eval")]
4847 pub fn new_unknown(name: impl AsRef<str>) -> Self {
4848 Self(ast::RestrictedExpr::unknown(ast::Unknown::new_untyped(
4849 name.as_ref(),
4850 )))
4851 }
4852}
4853
4854#[cfg(test)]
4855impl RestrictedExpression {
4856 pub(crate) fn into_inner(self) -> ast::RestrictedExpr {
4859 self.0
4860 }
4861}
4862
4863fn decimal_extension_name() -> ast::Name {
4864 #[expect(
4865 clippy::unwrap_used,
4866 reason = "This is a constant and is known to be safe, verified by a test"
4867 )]
4868 ast::Name::unqualified_name("decimal".parse().unwrap())
4869}
4870
4871fn ip_extension_name() -> ast::Name {
4872 #[expect(
4873 clippy::unwrap_used,
4874 reason = "This is a constant and is known to be safe, verified by a test"
4875 )]
4876 ast::Name::unqualified_name("ip".parse().unwrap())
4877}
4878
4879fn datetime_extension_name() -> ast::Name {
4880 #[expect(
4881 clippy::unwrap_used,
4882 reason = "This is a constant and is known to be safe, verified by a test"
4883 )]
4884 ast::Name::unqualified_name("datetime".parse().unwrap())
4885}
4886
4887fn duration_extension_name() -> ast::Name {
4888 #[expect(
4889 clippy::unwrap_used,
4890 reason = "This is a constant and is known to be safe, verified by a test"
4891 )]
4892 ast::Name::unqualified_name("duration".parse().unwrap())
4893}
4894
4895impl FromStr for RestrictedExpression {
4896 type Err = RestrictedExpressionParseError;
4897
4898 fn from_str(expression: &str) -> Result<Self, Self::Err> {
4900 ast::RestrictedExpr::from_str(expression)
4901 .map(RestrictedExpression)
4902 .map_err(Into::into)
4903 }
4904}
4905
4906#[doc = include_str!("../experimental_warning.md")]
4911#[cfg(feature = "partial-eval")]
4912#[derive(Debug, Clone)]
4913pub struct RequestBuilder<S> {
4914 principal: ast::EntityUIDEntry,
4915 action: ast::EntityUIDEntry,
4916 resource: ast::EntityUIDEntry,
4917 context: Option<ast::Context>,
4919 schema: S,
4920}
4921
4922#[doc = include_str!("../experimental_warning.md")]
4924#[cfg(feature = "partial-eval")]
4925#[derive(Debug, Clone, Copy)]
4926pub struct UnsetSchema;
4927
4928#[cfg(feature = "partial-eval")]
4929impl Default for RequestBuilder<UnsetSchema> {
4930 fn default() -> Self {
4931 Self {
4932 principal: ast::EntityUIDEntry::unknown(),
4933 action: ast::EntityUIDEntry::unknown(),
4934 resource: ast::EntityUIDEntry::unknown(),
4935 context: None,
4936 schema: UnsetSchema,
4937 }
4938 }
4939}
4940
4941#[cfg(feature = "partial-eval")]
4942impl<S> RequestBuilder<S> {
4943 #[must_use]
4948 pub fn principal(self, principal: EntityUid) -> Self {
4949 Self {
4950 principal: ast::EntityUIDEntry::known(principal.into(), None),
4951 ..self
4952 }
4953 }
4954
4955 #[must_use]
4959 pub fn unknown_principal_with_type(self, principal_type: EntityTypeName) -> Self {
4960 Self {
4961 principal: ast::EntityUIDEntry::unknown_with_type(principal_type.0, None),
4962 ..self
4963 }
4964 }
4965
4966 #[must_use]
4971 pub fn action(self, action: EntityUid) -> Self {
4972 Self {
4973 action: ast::EntityUIDEntry::known(action.into(), None),
4974 ..self
4975 }
4976 }
4977
4978 #[must_use]
4983 pub fn resource(self, resource: EntityUid) -> Self {
4984 Self {
4985 resource: ast::EntityUIDEntry::known(resource.into(), None),
4986 ..self
4987 }
4988 }
4989
4990 #[must_use]
4994 pub fn unknown_resource_with_type(self, resource_type: EntityTypeName) -> Self {
4995 Self {
4996 resource: ast::EntityUIDEntry::unknown_with_type(resource_type.0, None),
4997 ..self
4998 }
4999 }
5000
5001 #[must_use]
5003 pub fn context(self, context: Context) -> Self {
5004 Self {
5005 context: Some(context.0),
5006 ..self
5007 }
5008 }
5009}
5010
5011#[cfg(feature = "partial-eval")]
5012impl RequestBuilder<UnsetSchema> {
5013 #[must_use]
5015 pub fn schema(self, schema: &Schema) -> RequestBuilder<&Schema> {
5016 RequestBuilder {
5017 principal: self.principal,
5018 action: self.action,
5019 resource: self.resource,
5020 context: self.context,
5021 schema,
5022 }
5023 }
5024
5025 pub fn build(self) -> Request {
5027 Request(ast::Request::new_unchecked(
5028 self.principal,
5029 self.action,
5030 self.resource,
5031 self.context,
5032 ))
5033 }
5034}
5035
5036#[cfg(feature = "partial-eval")]
5037impl RequestBuilder<&Schema> {
5038 pub fn build(self) -> Result<Request, RequestValidationError> {
5040 Ok(Request(ast::Request::new_with_unknowns(
5041 self.principal,
5042 self.action,
5043 self.resource,
5044 self.context,
5045 Some(&self.schema.0),
5046 Extensions::all_available(),
5047 )?))
5048 }
5049}
5050
5051#[repr(transparent)]
5060#[derive(Debug, Clone, RefCast)]
5061pub struct Request(pub(crate) ast::Request);
5062
5063#[doc(hidden)] impl AsRef<ast::Request> for Request {
5065 fn as_ref(&self) -> &ast::Request {
5066 &self.0
5067 }
5068}
5069
5070#[doc(hidden)]
5071impl From<ast::Request> for Request {
5072 fn from(req: ast::Request) -> Self {
5073 Self(req)
5074 }
5075}
5076
5077impl PartialEq for Request {
5078 fn eq(&self, other: &Self) -> bool {
5079 self.principal() == other.principal()
5080 && self.action() == other.action()
5081 && self.resource() == other.resource()
5082 && self.context() == other.context()
5083 }
5084}
5085
5086impl Request {
5087 #[doc = include_str!("../experimental_warning.md")]
5089 #[cfg(feature = "partial-eval")]
5090 pub fn builder() -> RequestBuilder<UnsetSchema> {
5091 RequestBuilder::default()
5092 }
5093
5094 pub fn new(
5107 principal: EntityUid,
5108 action: EntityUid,
5109 resource: EntityUid,
5110 context: Context,
5111 schema: Option<&Schema>,
5112 ) -> Result<Self, RequestValidationError> {
5113 Ok(Self(ast::Request::new(
5114 (principal.into(), None),
5115 (action.into(), None),
5116 (resource.into(), None),
5117 context.0,
5118 schema.map(|schema| &schema.0),
5119 Extensions::all_available(),
5120 )?))
5121 }
5122
5123 pub fn context(&self) -> Option<&Context> {
5126 self.0.context().map(Context::ref_cast)
5127 }
5128
5129 pub fn principal(&self) -> Option<&EntityUid> {
5132 match self.0.principal() {
5133 ast::EntityUIDEntry::Known { euid, .. } => Some(EntityUid::ref_cast(euid.as_ref())),
5134 ast::EntityUIDEntry::Unknown { .. } => None,
5135 }
5136 }
5137
5138 pub fn action(&self) -> Option<&EntityUid> {
5141 match self.0.action() {
5142 ast::EntityUIDEntry::Known { euid, .. } => Some(EntityUid::ref_cast(euid.as_ref())),
5143 ast::EntityUIDEntry::Unknown { .. } => None,
5144 }
5145 }
5146
5147 pub fn resource(&self) -> Option<&EntityUid> {
5150 match self.0.resource() {
5151 ast::EntityUIDEntry::Known { euid, .. } => Some(EntityUid::ref_cast(euid.as_ref())),
5152 ast::EntityUIDEntry::Unknown { .. } => None,
5153 }
5154 }
5155}
5156
5157#[repr(transparent)]
5159#[derive(Debug, Clone, PartialEq, Eq, RefCast)]
5160pub struct Context(ast::Context);
5161
5162#[doc(hidden)] impl AsRef<ast::Context> for Context {
5164 fn as_ref(&self) -> &ast::Context {
5165 &self.0
5166 }
5167}
5168
5169impl Context {
5170 pub fn empty() -> Self {
5177 Self(ast::Context::empty())
5178 }
5179
5180 pub fn from_pairs(
5197 pairs: impl IntoIterator<Item = (String, RestrictedExpression)>,
5198 ) -> Result<Self, ContextCreationError> {
5199 Ok(Self(ast::Context::from_pairs(
5200 pairs.into_iter().map(|(k, v)| (SmolStr::from(k), v.0)),
5201 Extensions::all_available(),
5202 )?))
5203 }
5204
5205 pub fn get(&self, key: &str) -> Option<EvalResult> {
5229 match &self.0 {
5230 ast::Context::Value(map) => map.get(key).map(|v| EvalResult::from(v.clone())),
5231 ast::Context::RestrictedResidual(_) => None,
5232 }
5233 }
5234
5235 pub fn from_json_str(
5265 json: &str,
5266 schema: Option<(&Schema, &EntityUid)>,
5267 ) -> Result<Self, ContextJsonError> {
5268 let schema = schema
5269 .map(|(s, uid)| Self::get_context_schema(s, uid))
5270 .transpose()?;
5271 let context = cedar_policy_core::entities::ContextJsonParser::new(
5272 schema.as_ref(),
5273 Extensions::all_available(),
5274 )
5275 .from_json_str(json)?;
5276 Ok(Self(context))
5277 }
5278
5279 pub fn from_json_value(
5329 json: serde_json::Value,
5330 schema: Option<(&Schema, &EntityUid)>,
5331 ) -> Result<Self, ContextJsonError> {
5332 let schema = schema
5333 .map(|(s, uid)| Self::get_context_schema(s, uid))
5334 .transpose()?;
5335 let context = cedar_policy_core::entities::ContextJsonParser::new(
5336 schema.as_ref(),
5337 Extensions::all_available(),
5338 )
5339 .from_json_value(json)?;
5340 Ok(Self(context))
5341 }
5342
5343 pub fn from_json_file(
5375 json: impl std::io::Read,
5376 schema: Option<(&Schema, &EntityUid)>,
5377 ) -> Result<Self, ContextJsonError> {
5378 let schema = schema
5379 .map(|(s, uid)| Self::get_context_schema(s, uid))
5380 .transpose()?;
5381 let context = cedar_policy_core::entities::ContextJsonParser::new(
5382 schema.as_ref(),
5383 Extensions::all_available(),
5384 )
5385 .from_json_file(json)?;
5386 Ok(Self(context))
5387 }
5388
5389 pub fn to_json_value(
5391 &self,
5392 ) -> Result<serde_json::Value, entities_json_errors::JsonSerializationError> {
5393 self.0.to_json_value()
5394 }
5395
5396 fn get_context_schema(
5398 schema: &Schema,
5399 action: &EntityUid,
5400 ) -> Result<impl ContextSchema, ContextJsonError> {
5401 cedar_policy_core::validator::context_schema_for_action(&schema.0, action.as_ref())
5402 .ok_or_else(|| ContextJsonError::missing_action(action.clone()))
5403 }
5404
5405 pub fn merge(
5409 self,
5410 other_context: impl IntoIterator<Item = (String, RestrictedExpression)>,
5411 ) -> Result<Self, ContextCreationError> {
5412 Self::from_pairs(self.into_iter().chain(other_context))
5413 }
5414
5415 pub fn validate(
5422 &self,
5423 schema: &crate::Schema,
5424 action: &EntityUid,
5425 ) -> std::result::Result<(), RequestValidationError> {
5426 Ok(RequestSchema::validate_context(
5428 &schema.0,
5429 &self.0,
5430 action.as_ref(),
5431 Extensions::all_available(),
5432 )?)
5433 }
5434}
5435
5436mod context {
5438 use super::{ast, RestrictedExpression};
5439
5440 #[derive(Debug)]
5442 pub struct IntoIter {
5443 pub(super) inner: <ast::Context as IntoIterator>::IntoIter,
5444 }
5445
5446 impl Iterator for IntoIter {
5447 type Item = (String, RestrictedExpression);
5448
5449 fn next(&mut self) -> Option<Self::Item> {
5450 self.inner
5451 .next()
5452 .map(|(k, v)| (k.to_string(), RestrictedExpression(v)))
5453 }
5454 }
5455}
5456
5457impl IntoIterator for Context {
5458 type Item = (String, RestrictedExpression);
5459
5460 type IntoIter = context::IntoIter;
5461
5462 fn into_iter(self) -> Self::IntoIter {
5463 Self::IntoIter {
5464 inner: self.0.into_iter(),
5465 }
5466 }
5467}
5468
5469#[doc(hidden)]
5470impl From<ast::Context> for Context {
5471 fn from(c: ast::Context) -> Self {
5472 Self(c)
5473 }
5474}
5475
5476impl std::fmt::Display for Request {
5477 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
5478 write!(f, "{}", self.0)
5479 }
5480}
5481
5482impl std::fmt::Display for Context {
5483 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
5484 write!(f, "{}", self.0)
5485 }
5486}
5487
5488#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
5490pub enum EvalResult {
5491 Bool(bool),
5493 Long(ast::Integer),
5495 String(String),
5497 EntityUid(EntityUid),
5499 Set(Set),
5501 Record(Record),
5503 ExtensionValue(String),
5505 }
5507
5508#[derive(Debug, Clone, Eq, PartialEq, PartialOrd, Ord)]
5510pub struct Set(BTreeSet<EvalResult>);
5511
5512impl Set {
5513 pub fn iter(&self) -> impl Iterator<Item = &EvalResult> {
5515 self.0.iter()
5516 }
5517
5518 pub fn contains(&self, elem: &EvalResult) -> bool {
5520 self.0.contains(elem)
5521 }
5522
5523 pub fn len(&self) -> usize {
5525 self.0.len()
5526 }
5527
5528 pub fn is_empty(&self) -> bool {
5530 self.0.is_empty()
5531 }
5532}
5533
5534#[derive(Debug, Clone, Eq, PartialEq, PartialOrd, Ord)]
5536pub struct Record(BTreeMap<String, EvalResult>);
5537
5538impl Record {
5539 pub fn iter(&self) -> impl Iterator<Item = (&String, &EvalResult)> {
5541 self.0.iter()
5542 }
5543
5544 pub fn contains_attribute(&self, key: impl AsRef<str>) -> bool {
5546 self.0.contains_key(key.as_ref())
5547 }
5548
5549 pub fn get(&self, key: impl AsRef<str>) -> Option<&EvalResult> {
5551 self.0.get(key.as_ref())
5552 }
5553
5554 pub fn len(&self) -> usize {
5556 self.0.len()
5557 }
5558
5559 pub fn is_empty(&self) -> bool {
5561 self.0.is_empty()
5562 }
5563}
5564
5565#[doc(hidden)]
5566impl From<ast::Value> for EvalResult {
5567 fn from(v: ast::Value) -> Self {
5568 match v.value {
5569 ast::ValueKind::Lit(ast::Literal::Bool(b)) => Self::Bool(b),
5570 ast::ValueKind::Lit(ast::Literal::Long(i)) => Self::Long(i),
5571 ast::ValueKind::Lit(ast::Literal::String(s)) => Self::String(s.to_string()),
5572 ast::ValueKind::Lit(ast::Literal::EntityUID(e)) => {
5573 Self::EntityUid(ast::EntityUID::clone(&e).into())
5574 }
5575 ast::ValueKind::Set(set) => Self::Set(Set(set
5576 .authoritative
5577 .iter()
5578 .map(|v| v.clone().into())
5579 .collect())),
5580 ast::ValueKind::Record(record) => Self::Record(Record(
5581 record
5582 .iter()
5583 .map(|(k, v)| (k.to_string(), v.clone().into()))
5584 .collect(),
5585 )),
5586 ast::ValueKind::ExtensionValue(ev) => {
5587 Self::ExtensionValue(RestrictedExpr::from(ev.as_ref().clone()).to_string())
5588 }
5589 }
5590 }
5591}
5592
5593#[doc(hidden)]
5594#[expect(
5595 clippy::fallible_impl_from,
5596 reason = "see the panic safety comments below"
5597)]
5598impl From<EvalResult> for Expression {
5599 fn from(res: EvalResult) -> Self {
5600 match res {
5601 EvalResult::Bool(b) => Self::new_bool(b),
5602 EvalResult::Long(l) => Self::new_long(l),
5603 EvalResult::String(s) => Self::new_string(s),
5604 EvalResult::EntityUid(eid) => {
5605 Self::from(ast::Expr::from(ast::Value::from(ast::EntityUID::from(eid))))
5606 }
5607 EvalResult::Set(set) => Self::new_set(set.iter().cloned().map(Self::from)),
5608 EvalResult::Record(r) =>
5609 {
5610 #[expect(
5611 clippy::unwrap_used,
5612 reason = "record originates from EvalResult so should not panic when reconstructing as an Expression"
5613 )]
5614 Self::new_record(r.iter().map(|(k, v)| (k.clone(), Self::from(v.clone())))).unwrap()
5615 }
5616 EvalResult::ExtensionValue(s) => {
5617 #[expect(
5618 clippy::unwrap_used,
5619 reason = "the string s is constructed using RestrictedExpr::to_string() so should not panic when being parsed back into a RestrictedExpr"
5620 )]
5621 let expr: ast::Expr = ast::RestrictedExpr::from_str(&s).unwrap().into();
5622 Self::from(expr)
5623 }
5624 }
5625 }
5626}
5627
5628impl std::fmt::Display for EvalResult {
5629 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
5630 match self {
5631 Self::Bool(b) => write!(f, "{b}"),
5632 Self::Long(l) => write!(f, "{l}"),
5633 Self::String(s) => write!(f, "\"{}\"", s.escape_debug()),
5634 Self::EntityUid(uid) => write!(f, "{uid}"),
5635 Self::Set(s) => {
5636 write!(f, "[")?;
5637 for (i, ev) in s.iter().enumerate() {
5638 write!(f, "{ev}")?;
5639 if (i + 1) < s.len() {
5640 write!(f, ", ")?;
5641 }
5642 }
5643 write!(f, "]")?;
5644 Ok(())
5645 }
5646 Self::Record(r) => {
5647 write!(f, "{{")?;
5648 for (i, (k, v)) in r.iter().enumerate() {
5649 write!(f, "\"{}\": {v}", k.escape_debug())?;
5650 if (i + 1) < r.len() {
5651 write!(f, ", ")?;
5652 }
5653 }
5654 write!(f, "}}")?;
5655 Ok(())
5656 }
5657 Self::ExtensionValue(s) => write!(f, "{s}"),
5658 }
5659 }
5660}
5661
5662pub fn eval_expression(
5667 request: &Request,
5668 entities: &Entities,
5669 expr: &Expression,
5670) -> Result<EvalResult, EvaluationError> {
5671 let all_ext = Extensions::all_available();
5672 let eval = Evaluator::new(request.0.clone(), &entities.0, all_ext);
5673 Ok(EvalResult::from(
5674 eval.interpret(&expr.0, &ast::SlotEnv::new())?,
5676 ))
5677}
5678
5679#[cfg(test)]
5681mod test_access {
5682 use cedar_policy_core::ast;
5683
5684 use super::*;
5685
5686 fn schema() -> Schema {
5687 let src = r#"
5688 type Task = {
5689 "id": Long,
5690 "name": String,
5691 "state": String,
5692};
5693
5694type T = String;
5695
5696type Tasks = Set<Task>;
5697entity List in [Application] = {
5698 "editors": Team,
5699 "name": String,
5700 "owner": User,
5701 "readers": Team,
5702 "tasks": Tasks,
5703};
5704entity Application;
5705entity User in [Team, Application] = {
5706 "joblevel": Long,
5707 "location": String,
5708};
5709
5710entity CoolList;
5711
5712entity Team in [Team, Application];
5713
5714action Read, Write, Create;
5715
5716action DeleteList, EditShare, UpdateList, CreateTask, UpdateTask, DeleteTask in Write appliesTo {
5717 principal: [User],
5718 resource : [List]
5719};
5720
5721action GetList in Read appliesTo {
5722 principal : [User],
5723 resource : [List, CoolList]
5724};
5725
5726action GetLists in Read appliesTo {
5727 principal : [User],
5728 resource : [Application]
5729};
5730
5731action CreateList in Create appliesTo {
5732 principal : [User],
5733 resource : [Application]
5734};
5735
5736 "#;
5737
5738 src.parse().unwrap()
5739 }
5740
5741 #[test]
5742 fn principals() {
5743 let schema = schema();
5744 let principals = schema.principals().collect::<HashSet<_>>();
5745 assert_eq!(principals.len(), 1);
5746 let user: EntityTypeName = "User".parse().unwrap();
5747 assert!(principals.contains(&user));
5748 let principals = schema.principals().collect::<Vec<_>>();
5749 assert!(principals.len() > 1);
5750 assert!(principals.iter().all(|ety| **ety == user));
5751 assert!(principals.iter().all(|ety| ety.0.loc().is_some()));
5752
5753 let et = ast::EntityType::EntityType(ast::Name::from_normalized_str("User").unwrap());
5754 let et = schema.0.get_entity_type(&et).unwrap();
5755 assert!(et.loc.is_some());
5756 }
5757
5758 #[cfg(feature = "extended-schema")]
5759 #[test]
5760 fn common_types_extended() {
5761 use cool_asserts::assert_matches;
5762
5763 use cedar_policy_core::validator::{types::Type, LocatedCommonType};
5764
5765 let schema = schema();
5766 assert_eq!(schema.0.common_types().collect::<HashSet<_>>().len(), 3);
5767 let task_type = LocatedCommonType {
5768 name: "Task".into(),
5769 name_loc: None,
5770 type_loc: None,
5771 };
5772 assert!(schema.0.common_types().contains(&task_type));
5773
5774 let tasks_type = LocatedCommonType {
5775 name: "Tasks".into(),
5776 name_loc: None,
5777 type_loc: None,
5778 };
5779 assert!(schema.0.common_types().contains(&tasks_type));
5780 assert!(schema.0.common_types().all(|ct| ct.name_loc.is_some()));
5781 assert!(schema.0.common_types().all(|ct| ct.type_loc.is_some()));
5782
5783 let tasks_type = LocatedCommonType {
5784 name: "T".into(),
5785 name_loc: None,
5786 type_loc: None,
5787 };
5788 assert!(schema.0.common_types().contains(&tasks_type));
5789
5790 let et = ast::EntityType::EntityType(ast::Name::from_normalized_str("List").unwrap());
5791 let et = schema.0.get_entity_type(&et).unwrap();
5792 let attrs = et.attributes();
5793
5794 let t = attrs.get_attr("tasks").unwrap();
5796 assert!(t.loc.is_some());
5797 assert_matches!(t.attr_type.as_ref(), cedar_policy_core::validator::types::Type::Set { ref element_type } => {
5798 let el = element_type.as_ref().unwrap();
5799 assert_matches!(el.as_ref(), Type::Record{ attrs, .. } => {
5800 assert!(attrs.get_attr("name").unwrap().loc.is_some());
5801 assert!(attrs.get_attr("id").unwrap().loc.is_some());
5802 assert!(attrs.get_attr("state").unwrap().loc.is_some());
5803 });
5804 });
5805 }
5806
5807 #[cfg(feature = "extended-schema")]
5808 #[test]
5809 fn namespace_extended() {
5810 let schema = schema();
5811 assert_eq!(schema.0.namespaces().collect::<HashSet<_>>().len(), 1);
5812 let default_namespace = schema.0.namespaces().last().unwrap();
5813 assert_eq!(default_namespace.name, SmolStr::from("__cedar"));
5814 assert!(default_namespace.name_loc.is_none());
5815 assert!(default_namespace.def_loc.is_none());
5816 }
5817
5818 #[test]
5819 fn empty_schema_principals_and_resources() {
5820 let empty: Schema = "".parse().unwrap();
5821 assert!(empty.principals().next().is_none());
5822 assert!(empty.resources().next().is_none());
5823 }
5824
5825 #[test]
5826 fn resources() {
5827 let schema = schema();
5828 let resources = schema.resources().cloned().collect::<HashSet<_>>();
5829 let expected: HashSet<EntityTypeName> = HashSet::from([
5830 "List".parse().unwrap(),
5831 "Application".parse().unwrap(),
5832 "CoolList".parse().unwrap(),
5833 ]);
5834 assert_eq!(resources, expected);
5835 assert!(resources.iter().all(|ety| ety.0.loc().is_some()));
5836 }
5837
5838 #[test]
5839 fn principals_for_action() {
5840 let schema = schema();
5841 let delete_list: EntityUid = r#"Action::"DeleteList""#.parse().unwrap();
5842 let delete_user: EntityUid = r#"Action::"DeleteUser""#.parse().unwrap();
5843 let got = schema
5844 .principals_for_action(&delete_list)
5845 .unwrap()
5846 .cloned()
5847 .collect::<Vec<_>>();
5848 assert_eq!(got, vec!["User".parse().unwrap()]);
5849 assert!(got.iter().all(|ety| ety.0.loc().is_some()));
5850 assert!(schema.principals_for_action(&delete_user).is_none());
5851 }
5852
5853 #[test]
5854 fn resources_for_action() {
5855 let schema = schema();
5856 let delete_list: EntityUid = r#"Action::"DeleteList""#.parse().unwrap();
5857 let delete_user: EntityUid = r#"Action::"DeleteUser""#.parse().unwrap();
5858 let create_list: EntityUid = r#"Action::"CreateList""#.parse().unwrap();
5859 let get_list: EntityUid = r#"Action::"GetList""#.parse().unwrap();
5860 let got = schema
5861 .resources_for_action(&delete_list)
5862 .unwrap()
5863 .cloned()
5864 .collect::<Vec<_>>();
5865 assert_eq!(got, vec!["List".parse().unwrap()]);
5866 assert!(got.iter().all(|ety| ety.0.loc().is_some()));
5867 let got = schema
5868 .resources_for_action(&create_list)
5869 .unwrap()
5870 .cloned()
5871 .collect::<Vec<_>>();
5872 assert_eq!(got, vec!["Application".parse().unwrap()]);
5873 assert!(got.iter().all(|ety| ety.0.loc().is_some()));
5874 let got = schema
5875 .resources_for_action(&get_list)
5876 .unwrap()
5877 .cloned()
5878 .collect::<HashSet<_>>();
5879 assert_eq!(
5880 got,
5881 HashSet::from(["List".parse().unwrap(), "CoolList".parse().unwrap()])
5882 );
5883 assert!(got.iter().all(|ety| ety.0.loc().is_some()));
5884 assert!(schema.principals_for_action(&delete_user).is_none());
5885 }
5886
5887 #[test]
5888 fn principal_parents() {
5889 let schema = schema();
5890 let user: EntityTypeName = "User".parse().unwrap();
5891 let parents = schema
5892 .ancestors(&user)
5893 .unwrap()
5894 .cloned()
5895 .collect::<HashSet<_>>();
5896 assert!(parents.iter().all(|ety| ety.0.loc().is_some()));
5897 let expected = HashSet::from(["Team".parse().unwrap(), "Application".parse().unwrap()]);
5898 assert_eq!(parents, expected);
5899 let parents = schema
5900 .ancestors(&"List".parse().unwrap())
5901 .unwrap()
5902 .cloned()
5903 .collect::<HashSet<_>>();
5904 assert!(parents.iter().all(|ety| ety.0.loc().is_some()));
5905 let expected = HashSet::from(["Application".parse().unwrap()]);
5906 assert_eq!(parents, expected);
5907 assert!(schema.ancestors(&"Foo".parse().unwrap()).is_none());
5908 let parents = schema
5909 .ancestors(&"CoolList".parse().unwrap())
5910 .unwrap()
5911 .cloned()
5912 .collect::<HashSet<_>>();
5913 assert!(parents.iter().all(|ety| ety.0.loc().is_some()));
5914 let expected = HashSet::from([]);
5915 assert_eq!(parents, expected);
5916 }
5917
5918 #[test]
5919 fn action_groups() {
5920 let schema = schema();
5921 let groups = schema.action_groups().cloned().collect::<HashSet<_>>();
5922 let expected = ["Read", "Write", "Create"]
5923 .into_iter()
5924 .map(|ty| format!("Action::\"{ty}\"").parse().unwrap())
5925 .collect::<HashSet<EntityUid>>();
5926 #[cfg(feature = "extended-schema")]
5927 assert!(groups.iter().all(|ety| ety.0.loc().is_some()));
5928 assert_eq!(groups, expected);
5929 }
5930
5931 #[test]
5932 fn actions() {
5933 let schema = schema();
5934 let actions = schema.actions().cloned().collect::<HashSet<_>>();
5935 let expected = [
5936 "Read",
5937 "Write",
5938 "Create",
5939 "DeleteList",
5940 "EditShare",
5941 "UpdateList",
5942 "CreateTask",
5943 "UpdateTask",
5944 "DeleteTask",
5945 "GetList",
5946 "GetLists",
5947 "CreateList",
5948 ]
5949 .into_iter()
5950 .map(|ty| format!("Action::\"{ty}\"").parse().unwrap())
5951 .collect::<HashSet<EntityUid>>();
5952 assert_eq!(actions, expected);
5953 #[cfg(feature = "extended-schema")]
5954 assert!(actions.iter().all(|ety| ety.0.loc().is_some()));
5955 }
5956
5957 #[test]
5958 fn actions_for_principal_and_resource() {
5959 let schema = schema();
5960 let pty: EntityTypeName = "User".parse().unwrap();
5961 let rty: EntityTypeName = "Application".parse().unwrap();
5962 let actions = schema
5963 .actions_for_principal_and_resource(&pty, &rty)
5964 .cloned()
5965 .collect::<HashSet<EntityUid>>();
5966 let expected = ["GetLists", "CreateList"]
5967 .into_iter()
5968 .map(|ty| format!("Action::\"{ty}\"").parse().unwrap())
5969 .collect::<HashSet<EntityUid>>();
5970 assert_eq!(actions, expected);
5971 }
5972
5973 #[test]
5974 fn entities() {
5975 let schema = schema();
5976 let entities = schema.entity_types().cloned().collect::<HashSet<_>>();
5977 let expected = ["List", "Application", "User", "CoolList", "Team"]
5978 .into_iter()
5979 .map(|ty| ty.parse().unwrap())
5980 .collect::<HashSet<EntityTypeName>>();
5981 assert_eq!(entities, expected);
5982 }
5983}
5984
5985#[cfg(test)]
5986mod test_access_namespace {
5987 use super::*;
5988
5989 fn schema() -> Schema {
5990 let src = r#"
5991 namespace Foo {
5992 type Task = {
5993 "id": Long,
5994 "name": String,
5995 "state": String,
5996};
5997
5998type Tasks = Set<Task>;
5999entity List in [Application] = {
6000 "editors": Team,
6001 "name": String,
6002 "owner": User,
6003 "readers": Team,
6004 "tasks": Tasks,
6005};
6006entity Application;
6007entity User in [Team, Application] = {
6008 "joblevel": Long,
6009 "location": String,
6010};
6011
6012entity CoolList;
6013
6014entity Team in [Team, Application];
6015
6016action Read, Write, Create;
6017
6018action DeleteList, EditShare, UpdateList, CreateTask, UpdateTask, DeleteTask in Write appliesTo {
6019 principal: [User],
6020 resource : [List]
6021};
6022
6023action GetList in Read appliesTo {
6024 principal : [User],
6025 resource : [List, CoolList]
6026};
6027
6028action GetLists in Read appliesTo {
6029 principal : [User],
6030 resource : [Application]
6031};
6032
6033action CreateList in Create appliesTo {
6034 principal : [User],
6035 resource : [Application]
6036};
6037 }
6038
6039 "#;
6040
6041 src.parse().unwrap()
6042 }
6043
6044 #[test]
6045 fn principals() {
6046 let schema = schema();
6047 let principals = schema.principals().collect::<HashSet<_>>();
6048 assert_eq!(principals.len(), 1);
6049 let user: EntityTypeName = "Foo::User".parse().unwrap();
6050 assert!(principals.contains(&user));
6051 let principals = schema.principals().collect::<Vec<_>>();
6052 assert!(principals.len() > 1);
6053 assert!(principals.iter().all(|ety| **ety == user));
6054 assert!(principals.iter().all(|ety| ety.0.loc().is_some()));
6055 }
6056
6057 #[test]
6058 fn empty_schema_principals_and_resources() {
6059 let empty: Schema = "".parse().unwrap();
6060 assert!(empty.principals().next().is_none());
6061 assert!(empty.resources().next().is_none());
6062 }
6063
6064 #[test]
6065 fn resources() {
6066 let schema = schema();
6067 let resources = schema.resources().cloned().collect::<HashSet<_>>();
6068 let expected: HashSet<EntityTypeName> = HashSet::from([
6069 "Foo::List".parse().unwrap(),
6070 "Foo::Application".parse().unwrap(),
6071 "Foo::CoolList".parse().unwrap(),
6072 ]);
6073 assert_eq!(resources, expected);
6074 assert!(resources.iter().all(|ety| ety.0.loc().is_some()));
6075 }
6076
6077 #[test]
6078 fn principals_for_action() {
6079 let schema = schema();
6080 let delete_list: EntityUid = r#"Foo::Action::"DeleteList""#.parse().unwrap();
6081 let delete_user: EntityUid = r#"Foo::Action::"DeleteUser""#.parse().unwrap();
6082 let got = schema
6083 .principals_for_action(&delete_list)
6084 .unwrap()
6085 .cloned()
6086 .collect::<Vec<_>>();
6087 assert_eq!(got, vec!["Foo::User".parse().unwrap()]);
6088 assert!(schema.principals_for_action(&delete_user).is_none());
6089 }
6090
6091 #[test]
6092 fn resources_for_action() {
6093 let schema = schema();
6094 let delete_list: EntityUid = r#"Foo::Action::"DeleteList""#.parse().unwrap();
6095 let delete_user: EntityUid = r#"Foo::Action::"DeleteUser""#.parse().unwrap();
6096 let create_list: EntityUid = r#"Foo::Action::"CreateList""#.parse().unwrap();
6097 let get_list: EntityUid = r#"Foo::Action::"GetList""#.parse().unwrap();
6098 let got = schema
6099 .resources_for_action(&delete_list)
6100 .unwrap()
6101 .cloned()
6102 .collect::<Vec<_>>();
6103 assert!(got.iter().all(|ety| ety.0.loc().is_some()));
6104
6105 assert_eq!(got, vec!["Foo::List".parse().unwrap()]);
6106 let got = schema
6107 .resources_for_action(&create_list)
6108 .unwrap()
6109 .cloned()
6110 .collect::<Vec<_>>();
6111 assert_eq!(got, vec!["Foo::Application".parse().unwrap()]);
6112 assert!(got.iter().all(|ety| ety.0.loc().is_some()));
6113
6114 let got = schema
6115 .resources_for_action(&get_list)
6116 .unwrap()
6117 .cloned()
6118 .collect::<HashSet<_>>();
6119 assert_eq!(
6120 got,
6121 HashSet::from([
6122 "Foo::List".parse().unwrap(),
6123 "Foo::CoolList".parse().unwrap()
6124 ])
6125 );
6126 assert!(schema.principals_for_action(&delete_user).is_none());
6127 }
6128
6129 #[test]
6130 fn principal_parents() {
6131 let schema = schema();
6132 let user: EntityTypeName = "Foo::User".parse().unwrap();
6133 let parents = schema
6134 .ancestors(&user)
6135 .unwrap()
6136 .cloned()
6137 .collect::<HashSet<_>>();
6138 let expected = HashSet::from([
6139 "Foo::Team".parse().unwrap(),
6140 "Foo::Application".parse().unwrap(),
6141 ]);
6142 assert_eq!(parents, expected);
6143 let parents = schema
6144 .ancestors(&"Foo::List".parse().unwrap())
6145 .unwrap()
6146 .cloned()
6147 .collect::<HashSet<_>>();
6148 let expected = HashSet::from(["Foo::Application".parse().unwrap()]);
6149 assert_eq!(parents, expected);
6150 assert!(schema.ancestors(&"Foo::Foo".parse().unwrap()).is_none());
6151 let parents = schema
6152 .ancestors(&"Foo::CoolList".parse().unwrap())
6153 .unwrap()
6154 .cloned()
6155 .collect::<HashSet<_>>();
6156 let expected = HashSet::from([]);
6157 assert_eq!(parents, expected);
6158 }
6159
6160 #[test]
6161 fn action_groups() {
6162 let schema = schema();
6163 let groups = schema.action_groups().cloned().collect::<HashSet<_>>();
6164 let expected = ["Read", "Write", "Create"]
6165 .into_iter()
6166 .map(|ty| format!("Foo::Action::\"{ty}\"").parse().unwrap())
6167 .collect::<HashSet<EntityUid>>();
6168 assert_eq!(groups, expected);
6169 }
6170
6171 #[test]
6172 fn actions() {
6173 let schema = schema();
6174 let actions = schema.actions().cloned().collect::<HashSet<_>>();
6175 let expected = [
6176 "Read",
6177 "Write",
6178 "Create",
6179 "DeleteList",
6180 "EditShare",
6181 "UpdateList",
6182 "CreateTask",
6183 "UpdateTask",
6184 "DeleteTask",
6185 "GetList",
6186 "GetLists",
6187 "CreateList",
6188 ]
6189 .into_iter()
6190 .map(|ty| format!("Foo::Action::\"{ty}\"").parse().unwrap())
6191 .collect::<HashSet<EntityUid>>();
6192 assert_eq!(actions, expected);
6193 }
6194
6195 #[test]
6196 fn entities() {
6197 let schema = schema();
6198 let entities = schema.entity_types().cloned().collect::<HashSet<_>>();
6199 let expected = [
6200 "Foo::List",
6201 "Foo::Application",
6202 "Foo::User",
6203 "Foo::CoolList",
6204 "Foo::Team",
6205 ]
6206 .into_iter()
6207 .map(|ty| ty.parse().unwrap())
6208 .collect::<HashSet<EntityTypeName>>();
6209 assert_eq!(entities, expected);
6210 }
6211
6212 #[test]
6213 fn test_request_context() {
6214 let context =
6216 Context::from_json_str(r#"{"testKey": "testValue", "numKey": 42}"#, None).unwrap();
6217
6218 let principal: EntityUid = "User::\"alice\"".parse().unwrap();
6220 let action: EntityUid = "Action::\"view\"".parse().unwrap();
6221 let resource: EntityUid = "Resource::\"doc123\"".parse().unwrap();
6222
6223 let request = Request::new(
6225 principal, action, resource, context, None, )
6227 .unwrap();
6228
6229 let retrieved_context = request.context().expect("Context should be present");
6231
6232 assert!(retrieved_context.get("testKey").is_some());
6234 assert!(retrieved_context.get("numKey").is_some());
6235 assert!(retrieved_context.get("nonexistent").is_none());
6236 }
6237
6238 #[cfg(feature = "extended-schema")]
6239 #[test]
6240 fn namespace_extended() {
6241 let schema = schema();
6242 assert_eq!(schema.0.namespaces().collect::<HashSet<_>>().len(), 2);
6243 let default_namespace = schema
6244 .0
6245 .namespaces()
6246 .filter(|n| n.name == *"__cedar")
6247 .last()
6248 .unwrap();
6249 assert!(default_namespace.name_loc.is_none());
6250 assert!(default_namespace.def_loc.is_none());
6251
6252 let default_namespace = schema
6253 .0
6254 .namespaces()
6255 .filter(|n| n.name == *"Foo")
6256 .last()
6257 .unwrap();
6258 assert!(default_namespace.name_loc.is_some());
6259 assert!(default_namespace.def_loc.is_some());
6260 }
6261}
6262
6263#[cfg(test)]
6264mod test_lossless_empty {
6265 use super::{LosslessPolicy, LosslessTemplate, Policy, PolicyId, Template};
6266 use cedar_policy_core::pst;
6267 use cool_asserts::assert_matches;
6268
6269 #[test]
6270 fn test_lossless_empty_policy() {
6271 const STATIC_POLICY_TEXT: &str = "permit(principal,action,resource);";
6272 let policy0 = Policy::parse(Some(PolicyId::new("policy0")), STATIC_POLICY_TEXT)
6273 .expect("Failed to parse");
6274 let lossy_policy0 = Policy {
6275 ast: policy0.ast.clone(),
6276 lossless: LosslessPolicy::policy_or_template_text(None::<&str>),
6277 };
6278 assert_eq!(
6280 lossy_policy0.to_cedar(),
6281 Some(String::from(
6282 "permit(\n principal,\n action,\n resource\n);"
6283 ))
6284 );
6285 let lossy_policy0_est = lossy_policy0
6287 .lossless
6288 .est(|| policy0.ast.clone().into())
6289 .unwrap();
6290 assert_eq!(lossy_policy0_est, policy0.ast.into());
6291 }
6292
6293 #[test]
6294 fn test_lossless_empty_template() {
6295 const TEMPLATE_TEXT: &str = "permit(principal == ?principal,action,resource);";
6296 let template0 = Template::parse(Some(PolicyId::new("template0")), TEMPLATE_TEXT)
6297 .expect("Failed to parse");
6298 let lossy_template0 = Template {
6299 ast: template0.ast.clone(),
6300 lossless: LosslessTemplate::from_text(None::<&str>),
6301 };
6302 assert_eq!(
6304 lossy_template0.to_cedar(),
6305 String::from("permit(\n principal == ?principal,\n action,\n resource\n);")
6306 );
6307 let lossy_template0_est = lossy_template0
6309 .lossless
6310 .est(|| template0.ast.clone().into())
6311 .unwrap();
6312 assert_eq!(lossy_template0_est, template0.ast.into());
6313 }
6314
6315 #[test]
6316 fn try_into_pst_empty_policy() {
6317 let p = Policy::parse(
6318 Some(PolicyId::new("p")),
6319 "permit(principal,action,resource);",
6320 )
6321 .expect("parse");
6322 let empty = Policy {
6323 ast: p.ast,
6324 lossless: LosslessPolicy::policy_or_template_text(None::<&str>),
6325 };
6326 assert_matches!(
6327 empty.try_into_pst().unwrap().body(),
6328 pst::Template {
6329 effect: pst::Effect::Permit,
6330 principal: pst::PrincipalConstraint::Any,
6331 resource: pst::ResourceConstraint::Any,
6332 action: pst::ActionConstraint::Any,
6333 ..
6334 },
6335 );
6336 }
6337
6338 #[test]
6339 fn try_into_pst_empty_template() {
6340 let t = Template::parse(
6341 Some(PolicyId::new("t")),
6342 "permit(principal == ?principal,action,resource);",
6343 )
6344 .expect("parse");
6345 let empty = Template {
6346 ast: t.ast,
6347 lossless: LosslessTemplate::from_text(None::<&str>),
6348 };
6349 assert_matches!(
6350 empty.try_into_pst().unwrap(),
6351 pst::Template {
6352 effect: pst::Effect::Permit,
6353 principal: pst::PrincipalConstraint::Eq(pst::EntityOrSlot::Slot(
6354 pst::SlotId::Principal
6355 )),
6356 resource: pst::ResourceConstraint::Any,
6357 action: pst::ActionConstraint::Any,
6358 ..
6359 },
6360 );
6361 }
6362}
6363
6364#[doc = include_str!("../experimental_warning.md")]
6371#[deprecated = "The `entity-manifest` experimental feature and all associated functions are deprecated. Migrate to `PolicySet::is_authorized_batch` for efficient authorization with on-demand entity loading."]
6372#[cfg(feature = "entity-manifest")]
6373pub fn compute_entity_manifest(
6374 validator: &Validator,
6375 pset: &PolicySet,
6376) -> Result<EntityManifest, EntityManifestError> {
6377 entity_manifest::compute_entity_manifest(&validator.0, &pset.ast).map_err(Into::into)
6378}