treetop-core 0.0.17

Core library for Treetop, a Cedar policy engine implementation.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110

use std::collections::HashSet;

use cedar_policy::EntityUid;

use crate::error::PolicyError;
use crate::traits::CedarAtom;
use crate::types::{Action, Principal, Resource, group_entity_uid, user_entity_uid};

#[derive(Debug)]
pub(crate) struct PrincipalQuery {
    pub(crate) uid: EntityUid,
    pub(crate) type_name: String,
    pub(crate) parents: HashSet<EntityUid>,
}

impl PrincipalQuery {
    pub(crate) fn for_user(
        user: &str,
        groups: &[&str],
        namespace: &[&str],
    ) -> Result<Self, PolicyError> {
        let uid = user_entity_uid(user, namespace)?;

        let parents: HashSet<EntityUid> = groups
            .iter()
            .map(|group| group_entity_uid(group, namespace))
            .collect::<Result<_, _>>()?;

        Ok(Self {
            type_name: entity_type_name_from_uid(&uid),
            uid,
            parents,
        })
    }

    pub(crate) fn for_group(group: &str, namespace: &[&str]) -> Result<Self, PolicyError> {
        let uid = group_entity_uid(group, namespace)?;
        let mut parents = HashSet::new();
        // Cedar `in` includes equality for entities.
        parents.insert(uid.clone());

        Ok(Self {
            type_name: entity_type_name_from_uid(&uid),
            uid,
            parents,
        })
    }

    pub(crate) fn from_principal(principal: &Principal) -> Result<Self, PolicyError> {
        let uid = principal.cedar_entity_uid()?;
        let type_name = entity_type_name_from_uid(&uid);

        let parents = match principal {
            Principal::User(user) => user
                .groups()
                .into_iter()
                .map(|group| group.cedar_entity_uid())
                .collect::<Result<HashSet<_>, _>>()?,
            Principal::Group(_) => {
                let mut parents = HashSet::new();
                // Cedar `in` includes equality for entities.
                parents.insert(uid.clone());
                parents
            }
        };

        Ok(Self {
            uid,
            type_name,
            parents,
        })
    }
}

#[derive(Debug)]
pub(crate) struct ResourceQuery {
    pub(crate) uid: EntityUid,
    pub(crate) type_name: String,
}

impl ResourceQuery {
    pub(crate) fn from_resource(resource: &Resource) -> Result<Self, PolicyError> {
        let uid = resource.cedar_entity_uid()?;
        Ok(Self {
            uid,
            type_name: resource.kind().to_string(),
        })
    }
}

#[derive(Debug)]
pub(crate) struct ActionQuery {
    pub(crate) uid: EntityUid,
}

impl ActionQuery {
    pub(crate) fn from_action(action: &Action) -> Result<Self, PolicyError> {
        Ok(Self {
            uid: action.cedar_entity_uid()?,
        })
    }
}

fn entity_type_name_from_uid(uid: &EntityUid) -> String {
    let uid_str = uid.to_string();
    if let Some(idx) = uid_str.rfind("::") {
        return uid_str[..idx].to_string();
    }
    uid_str
}