Struct PolicySet 

pub struct PolicySet { /* private fields */ }

Represents a set of Policys

Implementations

impl PolicySet

pub fn tpe<'a>( &self, request: &'a PartialRequest, entities: &'a PartialEntities, schema: &'a Schema, ) -> Result<TpeResponse<'a>, TpeError>

Available on crate feature tpe only.

Perform type-aware partial evaluation on this PolicySet If successful, the result is a PolicySet containing residual policies ready for re-authorization

This feature is experimental. For more information see https://github.com/cedar-policy/rfcs/blob/main/README.md#experimental-features

pub fn is_authorized_batched( &self, query: &Request, schema: &Schema, loader: &mut dyn EntityLoader, max_iters: u32, ) -> Result<Decision, BatchedEvalError>

Available on crate feature tpe only.

Like Authorizer::is_authorized but uses an EntityLoader to load entities on demand.

Calls loader at most max_iters times, returning early if an authorization result is reached. Otherwise, it iterates max_iters times and returns a partial result.

This feature is experimental. For more information see https://github.com/cedar-policy/rfcs/blob/main/README.md#experimental-features

pub fn query_resource( &self, request: &ResourceQueryRequest, entities: &Entities, schema: &Schema, ) -> Result<impl Iterator<Item = EntityUid>, PermissionQueryError>

Available on crate feature tpe only.

Perform a permission query on the resource

This feature is experimental. For more information see https://github.com/cedar-policy/rfcs/blob/main/README.md#experimental-features

pub fn query_principal( &self, request: &PrincipalQueryRequest, entities: &Entities, schema: &Schema, ) -> Result<impl Iterator<Item = EntityUid>, PermissionQueryError>

Available on crate feature tpe only.

Perform a permission query on the principal

This feature is experimental. For more information see https://github.com/cedar-policy/rfcs/blob/main/README.md#experimental-features

pub fn query_action<'a>( &self, request: &'a ActionQueryRequest, entities: &PartialEntities, ) -> Result<impl Iterator<Item = (&'a EntityUid, Option<Decision>)>, PermissionQueryError>

Available on crate feature tpe only.

Given a ActionQueryRequest (a partial request without a concrete action) enumerate actions in the schema which might be authorized for that request.

Each action is returned with a partial authorization decision. If the action is definitely authorized, then it is Some(Decision::Allow). If we did not reach a concrete authorization decision, then it is None. Actions which are definitely not authorized (i.e., the decision is Some(Decision::Deny)) are not returned by this function. It is also possible that some actions without a concrete authorization decision are never authorized if the residual expressions after partial evaluation are not satisfiable.

If the partial request for a particular action is invalid (e.g., the action does not apply to the type of principal and resource), then that action is not included in the result regardless of whether a request with that action would be authorized.

// Construct a request for a concrete principal and resource, but leaving the context unknown so
// that we can see all actions that might be authorized for some context.
let request = ActionQueryRequest::new(
    PartialEntityUid::from_concrete(r#"User::"alice""#.parse().unwrap()),
    PartialEntityUid::from_concrete(r#"Photo::"vacation.jpg""#.parse().unwrap()),
    None,
    schema,
).unwrap();

// All actions which might be allowed for this principal and resource.
// The exact authorization result may depend on currently unknown
// context and entity data.
let possibly_allowed_actions: Vec<&EntityUid> =
    policies.query_action(&request, &entities)
            .unwrap()
            .map(|(a, _)| a)
            .collect();

// These actions are definitely allowed for this principal and resource.
// These will be allowed for _any_ context.
let allowed_actions: Vec<&EntityUid> =
    policies.query_action(&request, &entities).unwrap()
            .filter(|(_, resp)| resp == &Some(Decision::Allow))
            .map(|(a, _)| a)
            .collect();

This feature is experimental. For more information see https://github.com/cedar-policy/rfcs/blob/main/README.md#experimental-features

impl PolicySet

pub fn from_json_str(src: impl AsRef<str>) -> Result<Self, PolicySetError>

Deserialize the PolicySet from a JSON string

pub fn from_json_value(src: Value) -> Result<Self, PolicySetError>

Deserialize the PolicySet from a JSON value

pub fn from_json_file(r: impl Read) -> Result<Self, PolicySetError>

Deserialize the PolicySet from a JSON reader

pub fn to_json(self) -> Result<Value, PolicySetError>

Serialize the PolicySet as a JSON value

pub fn to_cedar(&self) -> Option<String>

Get the human-readable Cedar syntax representation of this policy set. This function is primarily intended for rendering JSON policies in the human-readable syntax, but it will also return the original policy text (though possibly re-ordering policies within the policy set) when the policy-set contains policies parsed from the human-readable syntax.

This will return None if there are any linked policies in the policy set because they cannot be directly rendered in Cedar syntax. It also cannot record policy ids because these cannot be specified in the Cedar syntax. The policies may be reordered, so parsing the resulting string with PolicySet::from_str is likely to yield different policy id assignments. For these reasons you should prefer serializing as JSON (or protobuf) and only using this function to obtain a representation to display to human users.

This function does not format the policy according to any particular rules. Policy formatting can be done through the Cedar policy CLI or the cedar-policy-formatter crate.

pub fn new() -> Self

Create a fresh empty PolicySet

pub fn from_policies( policies: impl IntoIterator<Item = Policy>, ) -> Result<Self, PolicySetError>

Create a PolicySet from the given policies

pub fn merge( &mut self, other: &Self, rename_duplicates: bool, ) -> Result<HashMap<PolicyId, PolicyId>, PolicySetError>

Merges this PolicySet with another PolicySet. This PolicySet is modified while the other PolicySet remains unchanged.

The flag rename_duplicates controls the expected behavior when a PolicyId in this and the other PolicySet conflict.

When rename_duplicates is false, conflicting PolicyIds result in a PolicySetError::AlreadyDefined error.

Otherwise, when rename_duplicates is true, conflicting PolicyIds from the other PolicySet are automatically renamed to avoid conflict. This renaming is returned as a Hashmap from the old PolicyId to the renamed PolicyId.

pub fn add(&mut self, policy: Policy) -> Result<(), PolicySetError>

Add an static policy to the PolicySet. To add a template instance, use link instead. This function will return an error (and not modify the PolicySet) if a template-linked policy is passed in.

pub fn remove_static( &mut self, policy_id: PolicyId, ) -> Result<Policy, PolicySetError>

Remove a static Policy from the PolicySet.

This will error if the policy is not a static policy.

pub fn add_template(&mut self, template: Template) -> Result<(), PolicySetError>

Add a Template to the PolicySet

pub fn remove_template( &mut self, template_id: PolicyId, ) -> Result<Template, PolicySetError>

Remove a Template from the PolicySet.

This will error if any policy is linked to the template. This will error if policy_id is not a template.

pub fn get_linked_policies( &self, template_id: PolicyId, ) -> Result<impl Iterator<Item = &PolicyId>, PolicySetError>

Get policies linked to a Template in the PolicySet. If any policy is linked to the template, this will error

pub fn policies(&self) -> impl Iterator<Item = &Policy>

Iterate over all the Policys in the PolicySet.

This will include both static and template-linked policies.

pub fn templates(&self) -> impl Iterator<Item = &Template>

Iterate over the Template’s in the PolicySet.

pub fn template(&self, id: &PolicyId) -> Option<&Template>

Get a Template by its PolicyId

pub fn policy(&self, id: &PolicyId) -> Option<&Policy>

Get a Policy by its PolicyId

pub fn annotation(&self, id: &PolicyId, key: impl AsRef<str>) -> Option<&str>

Extract annotation data from a Policy by its PolicyId and annotation key. If the annotation is present without an explicit value (e.g., @annotation), then this function returns Some(""). It returns None only when the annotation is not present.

pub fn template_annotation( &self, id: &PolicyId, key: impl AsRef<str>, ) -> Option<&str>

Extract annotation data from a Template by its PolicyId and annotation key. If the annotation is present without an explicit value (e.g., @annotation), then this function returns Some(""). It returns None only when the annotation is not present.

pub fn is_empty(&self) -> bool

Returns true iff the PolicySet is empty

pub fn num_of_policies(&self) -> usize

Returns the number of Policys in the PolicySet.

This will include both static and template-linked policies.

pub fn num_of_templates(&self) -> usize

Returns the number of Templates in the PolicySet.

pub fn link( &mut self, template_id: PolicyId, new_id: PolicyId, vals: HashMap<SlotId, EntityUid>, ) -> Result<(), PolicySetError>

Attempt to link a template and add the new template-linked policy to the policy set. If link fails, the PolicySet is not modified. Failure can happen for three reasons

1. The map passed in vals may not match the slots in the template
2. The new_id may conflict w/ a policy that already exists in the set
3. template_id does not correspond to a template. Either the id is not in the policy set, or it is in the policy set but is either a linked or static policy rather than a template

pub fn unknown_entities(&self) -> HashSet<EntityUid>

Available on crate feature partial-eval only.

Get all the unknown entities from the policy set

This feature is experimental. For more information see https://github.com/cedar-policy/rfcs/blob/main/README.md#experimental-features

pub fn unlink(&mut self, policy_id: PolicyId) -> Result<Policy, PolicySetError>

Unlink a template-linked policy from the policy set. Returns the policy that was unlinked.

Trait Implementations

impl Clone for PolicySet

fn clone(&self) -> PolicySet

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for PolicySet

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for PolicySet

fn default() -> PolicySet

Returns the “default value” for a type.

impl Display for PolicySet

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl From<&PolicySet> for PolicySet

Available on crate feature protobufs only.

fn from(v: &PolicySet) -> Self

Converts to this type from the input type.

impl FromStr for PolicySet

fn from_str(policies: &str) -> Result<Self, Self::Err>

Create a policy set from multiple statements.

Policy ids will default to “policy*” with numbers from 0. If you load more policies, do not use the default id, or there will be conflicts.

See Policy for more.

type Err = ParseErrors

The associated error which can be returned from parsing.

impl PartialEq for PolicySet

fn eq(&self, other: &Self) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Protobuf for PolicySet

Available on crate feature protobufs only.

fn encode(&self) -> Vec<u8>

Encode into protobuf format. Returns a freshly-allocated buffer containing binary data.

fn decode(buf: impl Buf) -> Result<Self, DecodeError>

Decode the binary data in buf, producing something of type Self

impl TryFrom<&PolicySet> for PolicySet

Available on crate feature protobufs only.

type Error = PolicySetError

The type returned in the event of a conversion error.

fn try_from(v: &PolicySet) -> Result<Self, Self::Error>

Performs the conversion.

impl Eq for PolicySet