treetop-core 0.0.17

Core library for Treetop, a Cedar policy engine implementation.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85

use cedar_policy::{ActionConstraint, Effect, PrincipalConstraint, ResourceConstraint};

use crate::query::{ActionQuery, PrincipalQuery, ResourceQuery};
use crate::types::{PolicyEffectFilter, PolicyMatchReason};

pub(crate) fn principal_match_reason(
    constraint: PrincipalConstraint,
    principal: &PrincipalQuery,
) -> Option<PolicyMatchReason> {
    match constraint {
        PrincipalConstraint::Eq(uid) if uid == principal.uid => {
            Some(PolicyMatchReason::PrincipalEq)
        }
        PrincipalConstraint::In(uid)
            if uid == principal.uid || principal.parents.contains(&uid) =>
        {
            Some(PolicyMatchReason::PrincipalIn)
        }
        PrincipalConstraint::Any => Some(PolicyMatchReason::PrincipalAny),
        PrincipalConstraint::Is(entity_type) if entity_type.to_string() == principal.type_name => {
            Some(PolicyMatchReason::PrincipalIs)
        }
        PrincipalConstraint::IsIn(entity_type, parent)
            if entity_type.to_string() == principal.type_name
                && (parent == principal.uid || principal.parents.contains(&parent)) =>
        {
            Some(PolicyMatchReason::PrincipalIsIn)
        }
        _ => None,
    }
}

pub(crate) fn resource_match_reason(
    constraint: ResourceConstraint,
    resource: Option<&ResourceQuery>,
) -> Option<Option<PolicyMatchReason>> {
    let Some(resource) = resource else {
        return Some(None);
    };

    match constraint {
        ResourceConstraint::Eq(uid) if uid == resource.uid => {
            Some(Some(PolicyMatchReason::ResourceEq))
        }
        ResourceConstraint::In(uid) if uid == resource.uid => {
            Some(Some(PolicyMatchReason::ResourceIn))
        }
        ResourceConstraint::Any => Some(Some(PolicyMatchReason::ResourceAny)),
        ResourceConstraint::Is(entity_type) if entity_type.to_string() == resource.type_name => {
            Some(Some(PolicyMatchReason::ResourceIs))
        }
        ResourceConstraint::IsIn(entity_type, parent)
            if entity_type.to_string() == resource.type_name && parent == resource.uid =>
        {
            Some(Some(PolicyMatchReason::ResourceIsIn))
        }
        _ => None,
    }
}

pub(crate) fn action_match_reason(
    constraint: ActionConstraint,
    action: Option<&ActionQuery>,
) -> Option<Option<PolicyMatchReason>> {
    let Some(action) = action else {
        return Some(None);
    };

    match constraint {
        ActionConstraint::Eq(uid) if uid == action.uid => Some(Some(PolicyMatchReason::ActionEq)),
        ActionConstraint::In(uids) if uids.contains(&action.uid) => {
            Some(Some(PolicyMatchReason::ActionIn))
        }
        ActionConstraint::Any => Some(Some(PolicyMatchReason::ActionAny)),
        _ => None,
    }
}

pub(crate) fn matches_effect(effect: Effect, filter: PolicyEffectFilter) -> bool {
    match filter {
        PolicyEffectFilter::Any => true,
        PolicyEffectFilter::Permit => effect == Effect::Permit,
        PolicyEffectFilter::Forbid => effect == Effect::Forbid,
    }
}