├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.yml │ ├── config.yml │ ├── feature_request.yml │ └── internal_improvement.yml ├── PULL_REQUEST_TEMPLATE.md ├── actions │ ├── create_coverage_comment │ │ └── action.yml │ └── create_coverage_reports │ │ └── action.yml ├── dependabot.yml ├── scripts │ ├── check-out-base-from-crates-io.sh │ └── process_coverage.py └── workflows │ ├── build_and_test.yml │ ├── build_downstream_deps.yml │ ├── build_release.yml │ ├── cargo_audit.yml │ ├── ci.yml │ ├── comment_pr.yml │ ├── nightly_build.yml │ └── run_integration_tests_reusable.yml ├── .gitignore ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── Cargo.lock ├── Cargo.toml ├── LICENSE ├── NOTICE ├── README.md ├── SECURITY.md ├── THIRD_PARTY_LICENSES.txt ├── cedar-language-server ├── .gitignore ├── Cargo.toml ├── src │ ├── document.rs │ ├── documentation.rs │ ├── documentation │ │ ├── action.rs │ │ ├── arithmetic.rs │ │ ├── comparison.rs │ │ ├── context.rs │ │ ├── entity.rs │ │ ├── extension.rs │ │ ├── hierarchy.rs │ │ ├── logical.rs │ │ ├── markdown │ │ │ ├── action.md │ │ │ ├── arithmetic │ │ │ │ ├── add.md │ │ │ │ ├── multiply.md │ │ │ │ └── subtract.md │ │ │ ├── comparison │ │ │ │ ├── equals.md │ │ │ │ ├── greater_than.md │ │ │ │ ├── greater_than_or_equals.md │ │ │ │ ├── less_than.md │ │ │ │ ├── less_than_or_equals.md │ │ │ │ ├── like.md │ │ │ │ └── not_equals.md │ │ │ ├── context.md │ │ │ ├── extension │ │ │ │ ├── datetime │ │ │ │ │ ├── datetime.md │ │ │ │ │ ├── duration.md │ │ │ │ │ ├── duration_since.md │ │ │ │ │ ├── offset.md │ │ │ │ │ ├── to_date.md │ │ │ │ │ ├── to_days.md │ │ │ │ │ ├── to_hours.md │ │ │ │ │ ├── to_milliseconds.md │ │ │ │ │ ├── to_minutes.md │ │ │ │ │ ├── to_seconds.md │ │ │ │ │ └── to_time.md │ │ │ │ ├── decimal │ │ │ │ │ ├── decimal.md │ │ │ │ │ ├── greater_than.md │ │ │ │ │ ├── greater_than_or_equal.md │ │ │ │ │ ├── less_than.md │ │ │ │ │ └── less_than_or_equal.md │ │ │ │ └── ip │ │ │ │ │ ├── ip.md │ │ │ │ │ ├── is_in_range.md │ │ │ │ │ ├── is_ipv4.md │ 
│ │ │ │ ├── is_ipv6.md │ │ │ │ │ ├── is_loopback.md │ │ │ │ │ └── is_multicast.md │ │ │ ├── get_tag.md │ │ │ ├── has_tag.md │ │ │ ├── hierarchy │ │ │ │ ├── contains.md │ │ │ │ ├── contains_all.md │ │ │ │ ├── contains_any.md │ │ │ │ ├── has.md │ │ │ │ ├── in.md │ │ │ │ ├── is.md │ │ │ │ ├── is_empty.md │ │ │ │ └── set.md │ │ │ ├── logical │ │ │ │ ├── and.md │ │ │ │ ├── if.md │ │ │ │ ├── not.md │ │ │ │ └── or.md │ │ │ ├── primitive │ │ │ │ ├── bool.md │ │ │ │ ├── long.md │ │ │ │ └── string.md │ │ │ ├── principal.md │ │ │ └── resource.md │ │ ├── primitive.rs │ │ ├── principal.rs │ │ └── resource.rs │ ├── entities.rs │ ├── lib.rs │ ├── lsp.rs │ ├── main.rs │ ├── markdown.rs │ ├── policy.rs │ ├── policy │ │ ├── completion.rs │ │ ├── completion │ │ │ ├── items.rs │ │ │ ├── items │ │ │ │ ├── extension.rs │ │ │ │ ├── operators.rs │ │ │ │ └── var.rs │ │ │ ├── provider.rs │ │ │ ├── provider │ │ │ │ ├── ast.rs │ │ │ │ ├── process.rs │ │ │ │ └── scope.rs │ │ │ └── snippets.rs │ │ ├── definition.rs │ │ ├── definition │ │ │ └── visitor.rs │ │ ├── diagnostics.rs │ │ ├── fold.rs │ │ ├── format.rs │ │ ├── hover.rs │ │ ├── hover │ │ │ └── visitor.rs │ │ ├── loc.rs │ │ ├── quickfix.rs │ │ ├── quickpick.rs │ │ ├── symbols.rs │ │ ├── types.rs │ │ └── types │ │ │ ├── cedar.rs │ │ │ ├── cedar │ │ │ ├── attribute.rs │ │ │ ├── context.rs │ │ │ ├── entity.rs │ │ │ └── method.rs │ │ │ ├── context.rs │ │ │ ├── context │ │ │ ├── attr.rs │ │ │ ├── binary.rs │ │ │ └── is.rs │ │ │ └── get_type.rs │ ├── schema.rs │ ├── schema │ │ ├── completions.rs │ │ ├── definition.rs │ │ ├── diagnostics.rs │ │ ├── fold.rs │ │ └── symbols.rs │ ├── server.rs │ ├── server │ │ └── test.rs │ └── utils.rs └── test-data │ ├── goto_def.cedarschema │ └── policies.cedarschema ├── cedar-policy-cli ├── CHANGELOG.md ├── Cargo.toml ├── README.md ├── sample-data │ ├── README.md │ ├── sandbox_a │ │ ├── README.md │ │ ├── entities.json │ │ ├── policies_1.cedar │ │ ├── policies_1_bad.cedar │ │ ├── policies_2.cedar │ │ ├── 
policies_3.cedar │ │ ├── schema.cedarschema │ │ └── schema.cedarschema.json │ ├── sandbox_b │ │ ├── README.md │ │ ├── context.json │ │ ├── entities.json │ │ ├── policies_4.cedar │ │ ├── policies_5.cedar │ │ ├── policies_5_bad.cedar │ │ ├── policies_6.cedar │ │ ├── schema.cedarschema │ │ └── schema.cedarschema.json │ ├── sandbox_c │ │ ├── README.md │ │ ├── entities.json │ │ ├── policies.cedar │ │ ├── policies_edited.cedar │ │ ├── schema.cedarschema │ │ └── schema.cedarschema.json │ └── tiny_sandboxes │ │ ├── format │ │ ├── README.md │ │ ├── formatted.cedar │ │ └── unformatted.cedar │ │ ├── json-authorize │ │ ├── README.md │ │ ├── entity.json │ │ └── policy.cedar.json │ │ ├── json-check-parse │ │ ├── README.md │ │ ├── policy_mixed_properties.cedar.json │ │ ├── policy_no_matching_properties.cedar.json │ │ ├── policy_set.cedar.json │ │ ├── policy_template.cedar.json │ │ └── static_policy.cedar.json │ │ ├── level-validation │ │ ├── README.md │ │ ├── policy-level-0.cedar │ │ ├── policy-level-1.cedar │ │ ├── policy-level-2.cedar │ │ └── schema.cedarschema │ │ ├── sample1 │ │ ├── README.md │ │ ├── entity.json │ │ ├── policy.cedar │ │ ├── request.json │ │ ├── schema.cedarschema │ │ └── schema.cedarschema.json │ │ ├── sample2 │ │ ├── README.md │ │ ├── entity.json │ │ ├── policy.cedar │ │ ├── request.json │ │ ├── schema.cedarschema │ │ └── schema.cedarschema.json │ │ ├── sample3 │ │ ├── README.md │ │ ├── entity.json │ │ ├── policy.cedar │ │ ├── request.json │ │ ├── schema.cedarschema │ │ └── schema.cedarschema.json │ │ ├── sample4 │ │ ├── README.md │ │ ├── entity.json │ │ ├── policy.cedar │ │ ├── request.json │ │ ├── schema.cedarschema │ │ └── schema.cedarschema.json │ │ ├── sample5 │ │ ├── README.md │ │ ├── entity.json │ │ ├── policy.cedar │ │ ├── request.json │ │ ├── schema.cedarschema │ │ └── schema.cedarschema.json │ │ ├── sample6 │ │ ├── README.md │ │ ├── entity.json │ │ ├── policy.cedar │ │ ├── request.json │ │ ├── schema.cedarschema │ │ └── schema.cedarschema.json │ │ 
├── sample7 │ │ ├── README.md │ │ ├── entity.json │ │ ├── policy.cedar │ │ ├── request.json │ │ ├── schema.cedarschema │ │ └── schema.cedarschema.json │ │ ├── sample8 │ │ ├── README.md │ │ ├── entity.json │ │ ├── policy.cedar │ │ ├── request.json │ │ ├── schema.cedarschema │ │ └── schema.cedarschema.json │ │ ├── sample9 │ │ ├── README.md │ │ ├── entity.json │ │ ├── policy.cedar │ │ ├── policy_bad.cedar │ │ ├── request.json │ │ ├── schema.cedarschema │ │ └── schema.cedarschema.json │ │ ├── translate-policy │ │ ├── README.md │ │ ├── policy.cedar │ │ └── policy.cedar.json │ │ └── translate-schema │ │ ├── README.md │ │ ├── tinytodo.cedarschema │ │ └── tinytodo.cedarschema.json ├── src │ ├── lib.rs │ └── main.rs └── tests │ └── sample.rs ├── cedar-policy-core ├── Cargo.toml ├── README.md ├── build.rs ├── experimental_warning.md └── src │ ├── ast.rs │ ├── ast │ ├── annotation.rs │ ├── entity.rs │ ├── expr.rs │ ├── expr_allows_errors.rs │ ├── expr_iterator.rs │ ├── expr_visitor.rs │ ├── extension.rs │ ├── id.rs │ ├── integer.rs │ ├── literal.rs │ ├── name.rs │ ├── ops.rs │ ├── partial_value.rs │ ├── pattern.rs │ ├── policy.rs │ ├── policy_set.rs │ ├── request.rs │ ├── restricted_expr.rs │ ├── types.rs │ └── value.rs │ ├── authorizer.rs │ ├── authorizer │ ├── err.rs │ └── partial_response.rs │ ├── entities.rs │ ├── entities │ ├── conformance.rs │ ├── conformance │ │ └── err.rs │ ├── err.rs │ ├── json.rs │ └── json │ │ ├── context.rs │ │ ├── entities.rs │ │ ├── err.rs │ │ ├── schema.rs │ │ ├── schema_types.rs │ │ └── value.rs │ ├── error_macros.rs │ ├── est.rs │ ├── est │ ├── annotation.rs │ ├── err.rs │ ├── expr.rs │ ├── policy_set.rs │ └── scope_constraints.rs │ ├── evaluator.rs │ ├── evaluator │ └── err.rs │ ├── expr_builder.rs │ ├── extensions.rs │ ├── extensions │ ├── datetime.rs │ ├── decimal.rs │ ├── ipaddr.rs │ └── partial_evaluation.rs │ ├── from_normalized_str.rs │ ├── fuzzy_match.rs │ ├── jsonvalue.rs │ ├── lib.rs │ ├── parser.rs │ ├── parser │ ├── cst.rs │ ├── 
cst_to_ast.rs │ ├── cst_to_ast │ │ └── to_ref_or_refs.rs │ ├── err.rs │ ├── fmt.rs │ ├── grammar.lalrpop │ ├── loc.rs │ ├── macros.rs │ ├── node.rs │ ├── testfiles │ │ └── policies.cedar │ ├── text_to_cst.rs │ ├── unescape.rs │ └── util.rs │ ├── test_utils.rs │ ├── transitive_closure.rs │ ├── transitive_closure │ └── err.rs │ ├── validator.rs │ └── validator │ ├── README.md │ ├── cedar_schema.rs │ ├── cedar_schema │ ├── ast.rs │ ├── err.rs │ ├── fmt.rs │ ├── grammar.lalrpop │ ├── parser.rs │ ├── test.rs │ ├── testfiles │ │ └── example.cedarschema │ └── to_json_schema.rs │ ├── coreschema.rs │ ├── deprecated_schema_compat.rs │ ├── deprecated_schema_compat │ ├── conversion.rs │ ├── json_schema.rs │ └── test.rs │ ├── diagnostics.rs │ ├── diagnostics │ ├── validation_errors.rs │ └── validation_warnings.rs │ ├── entity_manifest.rs │ ├── entity_manifest │ ├── analysis.rs │ ├── loader.rs │ ├── slicing.rs │ └── type_annotations.rs │ ├── expr_iterator.rs │ ├── extension_schema.rs │ ├── extensions.rs │ ├── extensions │ ├── datetime.rs │ ├── decimal.rs │ ├── ipaddr.rs │ └── partial_evaluation.rs │ ├── json_schema.rs │ ├── level_validate.rs │ ├── partition_nonempty.rs │ ├── rbac.rs │ ├── schema.rs │ ├── schema │ ├── action.rs │ ├── entity_type.rs │ ├── err.rs │ ├── namespace_def.rs │ ├── raw_name.rs │ └── test_579.rs │ ├── str_checks.rs │ ├── typecheck.rs │ ├── typecheck │ ├── test.rs │ ├── test │ │ ├── expr.rs │ │ ├── extensions.rs │ │ ├── namespace.rs │ │ ├── optional_attributes.rs │ │ ├── partial.rs │ │ ├── policy.rs │ │ ├── strict.rs │ │ ├── tags.rs │ │ ├── test_utils.rs │ │ ├── type_annotation.rs │ │ └── unspecified_entity.rs │ └── typecheck_answer.rs │ ├── types.rs │ └── types │ ├── capability.rs │ └── request_env.rs ├── cedar-policy-formatter ├── Cargo.toml ├── README.md ├── src │ ├── lib.rs │ └── pprint │ │ ├── config.rs │ │ ├── doc.rs │ │ ├── fmt.rs │ │ ├── lexer.rs │ │ ├── mod.rs │ │ ├── token.rs │ │ └── utils.rs └── tests │ ├── action_in_set.cedar │ ├── 
annotations.cedar │ ├── arith.cedar │ ├── blank_lines.cedar │ ├── cli-snapshots │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_a__policies_1.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_a__policies_1_bad.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_a__policies_2.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_a__policies_3.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_b__policies_4.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_b__policies_5.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_b__policies_5_bad.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_b__policies_6.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_c__policies.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_c__policies_edited.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__format__formatted.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__format__unformatted.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample1__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample2__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample3__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample4__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample5__policy.cedar.snap │ ├── 
cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample6__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample7__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample8__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample9__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample9__policy_bad.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_a__policies_1.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_a__policies_1_bad.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_a__policies_2.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_a__policies_3.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_b__policies_4.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_b__policies_5.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_b__policies_5_bad.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_b__policies_6.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_c__policies.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_c__policies_edited.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__format__formatted.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__format__unformatted.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__level-validation__policy-level-0.cedar.snap │ ├── 
cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__level-validation__policy-level-1.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__level-validation__policy-level-2.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample1__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample2__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample3__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample4__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample5__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample6__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample7__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample8__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample9__policy.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample9__policy_bad.cedar.snap │ └── cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__translate-policy__policy.cedar.snap │ ├── comment_euid_elems.cedar │ ├── comment_only.cedar │ ├── comment_trailing_whitespace.cedar │ ├── empty.cedar │ ├── empty_list.cedar │ ├── empty_record.cedar │ ├── extended_has.cedar │ ├── index.cedar │ ├── is_policies.cedar │ ├── ite_comment.cedar │ ├── like.cedar │ ├── policies.cedar │ ├── snapshots │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@action_in_set.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@annotations.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@arith.cedar.snap │ ├── 
cedar_policy_formatter__pprint__fmt__tests__format_files@blank_lines.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@comment_euid_elems.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@comment_only.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@comment_trailing_whitespace.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@empty.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@empty_list.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@empty_record.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@extended_has.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@index.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@is_policies.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@ite_comment.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@like.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@policies.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@test.cedar.snap │ ├── cedar_policy_formatter__pprint__fmt__tests__format_files@trivial_forbid.cedar.snap │ └── cedar_policy_formatter__pprint__fmt__tests__format_files@trivial_permit.cedar.snap │ ├── test.cedar │ ├── trivial_forbid.cedar │ └── trivial_permit.cedar ├── cedar-policy ├── CHANGELOG.md ├── Cargo.toml ├── README.md ├── benches │ ├── attr_errors.rs │ ├── cedar_benchmarks.rs │ ├── deeply_nested_est.rs │ ├── entity_attr_errors.rs │ ├── entity_parsing.rs │ └── extension_fn_validation.rs ├── build.rs ├── experimental_warning.md ├── protobuf_schema │ ├── core.proto │ └── validator.proto ├── src │ ├── api.rs │ ├── api │ │ ├── deprecated_schema_compat.rs │ │ ├── err.rs │ │ ├── err │ │ │ ├── validation_errors.rs │ │ │ └── validation_warnings.rs │ │ └── id.rs │ ├── ffi │ │ ├── check_parse.rs │ │ ├── 
convert.rs │ │ ├── format.rs │ │ ├── is_authorized.rs │ │ ├── mod.rs │ │ ├── tests.rs │ │ ├── utils.rs │ │ ├── validate.rs │ │ └── version.rs │ ├── lib.rs │ ├── proto.rs │ ├── proto │ │ ├── api.rs │ │ ├── ast.rs │ │ ├── entities.rs │ │ ├── policy.rs │ │ ├── traits.rs │ │ └── validator.rs │ ├── test.rs │ └── test │ │ ├── prop_test_policy_set.rs │ │ └── test.rs └── tests │ └── public_interface.rs ├── cedar-testing ├── Cargo.toml ├── README.md ├── src │ ├── cedar_test_impl.rs │ ├── integration_testing.rs │ └── lib.rs └── tests │ ├── cedar-policy-cli │ ├── corpus_tests.rs │ ├── decimal.rs │ ├── example_use_cases.rs │ ├── ip.rs │ ├── main.rs │ └── multi.rs │ └── cedar-policy │ ├── corpus_tests.rs │ ├── decimal.rs │ ├── example_use_cases.rs │ ├── ip.rs │ ├── main.rs │ └── multi.rs ├── cedar-wasm ├── .cargo │ └── config.toml ├── .gitignore ├── CHANGELOG.md ├── Cargo.toml ├── README.md ├── build-wasm.sh ├── package.json.patch └── src │ ├── lib.rs │ └── utils.rs ├── clippy.toml ├── deny.toml ├── logo.svg ├── panic_safety.sh ├── scripts ├── normalize_changelogs.sh ├── publish_crates.sh └── static_changelogs │ ├── cedar-policy-cli_CHANGELOG.md │ ├── cedar-policy_CHANGELOG.md │ └── cedar-wasm_CHANGELOG.md └── style_guide.md /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/internal_improvement.yml: -------------------------------------------------------------------------------- 1 | name: Internal improvement 2 | description: Suggest an internal improvement 3 | labels: [pending-triage, internal-improvement] 4 | 5 | body: 6 | - type: markdown 7 | attributes: 8 | value: | 9 | Thanks for taking the time to submit a request! Try to include as much information as you can. 
10 | 11 | - type: textarea 12 | attributes: 13 | label: Describe the improvement you'd like to request 14 | description: | 15 | A clear and concise description of what you want to happen. Please include **any related issues**, documentation, etc. 16 | validations: 17 | required: true 18 | 19 | - type: textarea 20 | attributes: 21 | label: Describe alternatives you've considered 22 | description: | 23 | A clear and concise description of any alternative solutions or features you've considered. 24 | validations: 25 | required: false 26 | 27 | - type: textarea 28 | attributes: 29 | label: Additional context 30 | description: | 31 | Add any other use cases or context about the request here. Please include any prototype/sandbox, workaround, reference implementation, etc. 32 | 33 | - type: checkboxes 34 | attributes: 35 | label: Is this something that you'd be interested in working on? 36 | options: 37 | - label: 👋 I may be able to implement this internal improvement 38 | - label: ⚠️ This feature might incur a breaking change 39 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # To get started with Dependabot version updates, you'll need to specify which 2 | # package ecosystems to update and where the package manifests are located. 
3 | # Please see the documentation for all configuration options: 4 | # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file 5 | 6 | version: 2 7 | updates: 8 | - package-ecosystem: "cargo" 9 | directory: "/" 10 | schedule: 11 | interval: "weekly" 12 | open-pull-requests-limit: 1 13 | # Update all explicitly defined dependencies 14 | allow: 15 | - dependency-type: "all" 16 | # Group all updates into one pull request 17 | groups: 18 | rust-dependencies: 19 | patterns: 20 | - "*" 21 | -------------------------------------------------------------------------------- /.github/scripts/check-out-base-from-crates-io.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -euo pipefail 3 | 4 | cedar_policy_version="$( 5 | cd head && 6 | cargo metadata --format-version 1 | 7 | jq --raw-output '.packages[] | select(.name == "cedar-policy") | .version' 8 | )" 9 | echo "HEAD has cedar-policy at ${cedar_policy_version}" 10 | 11 | tmp_dir="$(mktemp -d)" 12 | function cleanup { 13 | rm -rf "${tmp_dir}" 14 | } 15 | trap cleanup EXIT 16 | 17 | ( 18 | cd "${tmp_dir}" 19 | 20 | cat <Cargo.toml 21 | [package] 22 | name = "cedar-semver-checks" 23 | version = "0.0.0" 24 | edition = "2021" 25 | publish = false 26 | 27 | [dependencies] 28 | cedar-policy = "<=${cedar_policy_version}" 29 | EOF 30 | 31 | mkdir src 32 | touch src/lib.rs 33 | 34 | cargo vendor 35 | ) 36 | 37 | mkdir base 38 | mv "${tmp_dir}/vendor/cedar-policy" base/ 39 | cat <base/Cargo.toml 40 | [workspace] 41 | members = ["cedar-policy"] 42 | EOF 43 | -------------------------------------------------------------------------------- /.github/workflows/build_release.yml: -------------------------------------------------------------------------------- 1 | name: Release 2 | 3 | on: 4 | push: 5 | tags: 6 | - 'v[0-9]+.[0-9]+.[0-9]+' 7 | 8 | jobs: 9 | build_release_binaries: 10 | strategy: 11 | matrix: 12 | 
include: 13 | - os: ubuntu-latest 14 | target: x86_64-unknown-linux-gnu 15 | - os: macos-13 16 | target: x86_64-apple-darwin 17 | - os: macos-latest 18 | target: aarch64-apple-darwin 19 | runs-on: ${{ matrix.os }} 20 | steps: 21 | - uses: actions/checkout@v4 22 | - name: Install Rust toolchain 23 | run: rustup update stable && rustup default stable 24 | - name: Install protobuf (Ubuntu) 25 | if: matrix.os == 'ubuntu-latest' 26 | run: sudo apt-get install protobuf-compiler 27 | - name: Install protobuf (macOS) 28 | if: startsWith(matrix.os, 'macos') 29 | run: brew install protobuf 30 | - name: Build release binaries 31 | run: cargo build --release --all-features 32 | - uses: actions/upload-artifact@v4 33 | with: 34 | name: cedar-${{matrix.target}} 35 | path: ./target/release/cedar 36 | -------------------------------------------------------------------------------- /.github/workflows/cargo_audit.yml: -------------------------------------------------------------------------------- 1 | name: Cargo audit 2 | on: 3 | schedule: 4 | - cron: '0 0 * * *' 5 | jobs: 6 | audit: 7 | runs-on: ubuntu-latest 8 | steps: 9 | - uses: actions/checkout@v1 10 | - uses: actions-rs/audit-check@v1 11 | with: 12 | token: ${{ secrets.GITHUB_TOKEN }} -------------------------------------------------------------------------------- /.github/workflows/comment_pr.yml: -------------------------------------------------------------------------------- 1 | name: Comment on the pull request 2 | permissions: 3 | contents: read 4 | pull-requests: write 5 | actions: read 6 | statuses: read 7 | on: 8 | workflow_run: 9 | workflows: [Cargo Build & Test] 10 | types: 11 | - completed 12 | 13 | jobs: 14 | post_comment: 15 | runs-on: ubuntu-latest 16 | if: github.event.workflow_run.event == 'pull_request' 17 | steps: 18 | - uses: actions/checkout@v4 19 | - name: Download artifacts 20 | shell: bash 21 | run: | 22 | STATUS=$(gh run download $RUN_ID --name coverage_comment && echo "SUCCESS" || echo "FAILURE") 23 | 
echo "STATUS=$STATUS" >> $GITHUB_ENV 24 | env: 25 | RUN_ID: ${{github.event.workflow_run.id }} 26 | GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 27 | - name: Add comment to PR 28 | if: ${{ env.STATUS == 'SUCCESS' }} 29 | shell: bash 30 | run: | 31 | ISSUE_NUMBER=$(cat issue_number.txt) 32 | gh pr comment $ISSUE_NUMBER --body-file markdown.md 33 | env: 34 | GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 35 | -------------------------------------------------------------------------------- /.github/workflows/nightly_build.yml: -------------------------------------------------------------------------------- 1 | name: Nightly build 2 | on: 3 | workflow_dispatch: 4 | schedule: 5 | - cron: '0 0 * * *' 6 | 7 | env: 8 | CARGO_TERM_COLOR: always 9 | jobs: 10 | build_and_test: 11 | uses: ./.github/workflows/build_and_test.yml 12 | with: 13 | collect_coverage: true 14 | retention-days: 2 15 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Don't check in the local metadata file. 2 | .DS_Store 3 | .idea 4 | 5 | # Don't check in the Emacs temp files 6 | *~ 7 | 8 | # Don't check in common editors configs 9 | .vscode 10 | .zed 11 | 12 | # Don't check in test framework files 13 | .attach_pid* 14 | 15 | # Don't check IntelliJ module files 16 | *.iml 17 | 18 | # Don't check cargo build output 19 | target 20 | 21 | # Don't check Cargo.lock 22 | Cargo.lock 23 | 24 | # Generated by `insta` on failing test case. Should run `cargo insta review` 25 | # and then commit `.snap` file 26 | *.snap.new 27 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 
3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /NOTICE: -------------------------------------------------------------------------------- 1 | Copyright Cedar Contributors 2 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # SECURITY.md 2 | 3 | ## Reporting a Vulnerability 4 | 5 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue. 6 | -------------------------------------------------------------------------------- /cedar-language-server/.gitignore: -------------------------------------------------------------------------------- 1 | logs/ 2 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/arithmetic.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | use crate::impl_documentation_from_markdown_file; 18 | 19 | impl_documentation_from_markdown_file!(AddDocumentation, "markdown/arithmetic/add.md"); 20 | impl_documentation_from_markdown_file!(SubtractDocumentation, "markdown/arithmetic/subtract.md"); 21 | impl_documentation_from_markdown_file!(MultiplyDocumentation, "markdown/arithmetic/multiply.md"); 22 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/comparison.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | use crate::impl_documentation_from_markdown_file; 18 | 19 | impl_documentation_from_markdown_file!(EqualsDocumentation, "markdown/comparison/equals.md"); 20 | impl_documentation_from_markdown_file!(NotEqualsDocumentation, "markdown/comparison/not_equals.md"); 21 | impl_documentation_from_markdown_file!(LessThanDocumentation, "markdown/comparison/less_than.md"); 22 | impl_documentation_from_markdown_file!( 23 | LessThanOrEqualsDocumentation, 24 | "markdown/comparison/less_than_or_equals.md" 25 | ); 26 | impl_documentation_from_markdown_file!( 27 | GreaterThanDocumentation, 28 | "markdown/comparison/greater_than.md" 29 | ); 30 | impl_documentation_from_markdown_file!( 31 | GreaterThanOrEqualsDocumentation, 32 | "markdown/comparison/greater_than_or_equals.md" 33 | ); 34 | impl_documentation_from_markdown_file!(LikeDocumentation, "markdown/comparison/like.md"); 35 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/logical.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
*/

use crate::impl_documentation_from_markdown_file;

// One documentation type per logical operator, each backed by the markdown
// file named here (laid out under `src/documentation/markdown/logical/`).
// NOTE(review): the macro is defined elsewhere in the crate; confirm how the
// file path is resolved before adding entries.
impl_documentation_from_markdown_file!(AndDocumentation, "markdown/logical/and.md");
impl_documentation_from_markdown_file!(OrDocumentation, "markdown/logical/or.md");
impl_documentation_from_markdown_file!(NotDocumentation, "markdown/logical/not.md");
impl_documentation_from_markdown_file!(IfDocumentation, "markdown/logical/if.md");
--------------------------------------------------------------------------------
/cedar-language-server/src/documentation/markdown/action.md:
--------------------------------------------------------------------------------
# Action

The action element in a Cedar policy is the action that can be performed on the resource
defined by the resource element.

The action element must be present. If you specify only action without an expression
that constrains its scope, then the policy applies to any action.
--------------------------------------------------------------------------------
/cedar-language-server/src/documentation/markdown/arithmetic/add.md:
--------------------------------------------------------------------------------
# + *(numeric addition)*

## Usage:
```cedar
+
```

Binary operator that adds two long integer values and returns their sum. Both operands
must be long integers or evaluation and validation will result in an error. Addition
operations that result in overflow will fail at evaluation time, but will pass validation.
--------------------------------------------------------------------------------
/cedar-language-server/src/documentation/markdown/arithmetic/multiply.md:
--------------------------------------------------------------------------------
# * *(numeric multiplication)*

## Usage:
```cedar
*
```

Binary operator that multiplies two long integer operands and returns their product.
9 | Both operands must be long integers or evaluation and validation will result in an 10 | error. Multiplication operations that result in overflow will fail at evaluation time, 11 | but will pass validation. 12 | 13 | Note: Cedar does not provide an operator for arithmetic division. 14 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/arithmetic/subtract.md: -------------------------------------------------------------------------------- 1 | # - *(numeric subtraction or negation)* 2 | 3 | ## Usage: 4 | ```cedar 5 | - // binary subtraction 6 | - // unary negation 7 | ``` 8 | 9 | Operator that can function as either binary subtraction or unary negation. As a binary 10 | operator, it subtracts the second long integer from the first. As a unary operator, it 11 | negates a single long integer. Both forms require long integer operands or evaluation 12 | and validation will result in an error. Subtraction operations that result in overflow 13 | (or underflow) will fail at evaluation time, but will pass validation. 14 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/comparison/equals.md: -------------------------------------------------------------------------------- 1 | # == *(equality)* 2 | 3 | ## Usage: 4 | ```cedar 5 | == 6 | ``` 7 | 8 | Binary operator that compares two operands of any type and evaluates to true only if 9 | they are exactly the same type and the same value. 
10 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/comparison/greater_than.md: -------------------------------------------------------------------------------- 1 | # > *(greater than)* 2 | 3 | ## Usage: 4 | ```cedar 5 | > 6 | ``` 7 | 8 | Binary operator that compares two long integer operands and evaluates to true 9 | if the left operand is numerically greater than the right operand. If either 10 | operand is not a long then evaluation (and validation) results in an error. 11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/comparison/greater_than_or_equals.md: -------------------------------------------------------------------------------- 1 | # >= *(greater than or equal)* 2 | 3 | ## Usage: 4 | ```cedar 5 | >= 6 | ``` 7 | 8 | Binary operator that compares two long integer operands and evaluates to true 9 | if the left operand is numerically greater than or equal to the right operand. If either 10 | operand is not a long then evaluation (and validation) results in an error. 11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/comparison/less_than.md: -------------------------------------------------------------------------------- 1 | # < *(less than)* 2 | 3 | ## Usage: 4 | ```cedar 5 | < 6 | ``` 7 | 8 | Binary operator that compares two long integer operands and evaluates to true 9 | if the left operand is numerically less than the right operand. If either 10 | operand is not a long then evaluation (and validation) results in an error. 
11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/comparison/less_than_or_equals.md: -------------------------------------------------------------------------------- 1 | # <= *(less than or equal)* 2 | 3 | ## Usage: 4 | ```cedar 5 | <= 6 | ``` 7 | 8 | Binary operator that compares two long integer operands and evaluates to true 9 | if the left operand is numerically less than or equal to the right operand. If either 10 | operand is not a long then evaluation (and validation) results in an error. 11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/comparison/like.md: -------------------------------------------------------------------------------- 1 | # like *(string matching with wildcard)* 2 | 3 | ## Usage: 4 | ```cedar 5 | like 6 | ``` 7 | 8 | Binary operator that evaluates to true if the string in the left operand matches the pattern string 9 | in the right operand. The pattern string can include one or more asterisks (*) as wildcard characters 10 | that match 0 or more of any character. 11 | 12 | To match a literal asterisk character, use the escaped \* sequence in the pattern string. 13 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/comparison/not_equals.md: -------------------------------------------------------------------------------- 1 | # != *(inequality)* 2 | 3 | ## Usage: 4 | ```cedar 5 | != 6 | ``` 7 | 8 | Binary operator that compares two operands of any type and evaluates to true if the 9 | operands have different values or are of different types. You can use != only in when 10 | and unless clauses. As with the == operator, the validator only accepts policies that 11 | use != on two expressions of (possibly differing) entity type, or the same non-entity type. 
12 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/context.md: -------------------------------------------------------------------------------- 1 | # Context 2 | 3 | The context element in a Cedar policy provides additional information about the 4 | circumstances of the request being evaluated. This includes details such as the 5 | date and time, IP address, authentication methods, or any custom data relevant 6 | to authorization decisions. 7 | 8 | Context attributes are passed at evaluation time and can be referenced in policy conditions. 9 | These attributes are not persisted within Cedar but are provided with each request. 10 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/datetime/datetime.md: -------------------------------------------------------------------------------- 1 | # datetime() *(datetime constructor)* 2 | 3 | ## Usage: 4 | ```cedar 5 | datetime() 6 | ``` 7 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/datetime/duration.md: -------------------------------------------------------------------------------- 1 | # duration() *(duration constructor)* 2 | 3 | ## Usage: 4 | ```cedar 5 | duration() 6 | ``` 7 | 8 | Function that constructs a duration value from a string representing a time period. 9 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/datetime/duration_since.md: -------------------------------------------------------------------------------- 1 | # durationSince() 2 | 3 | ## Usage: 4 | ```cedar 5 | .durationSince() 6 | ``` 7 | 8 | Calculates the duration between two datetime values. 
9 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/datetime/offset.md: -------------------------------------------------------------------------------- 1 | # offset() 2 | 3 | ## Usage: 4 | ```cedar 5 | .offset() 6 | ``` 7 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/datetime/to_date.md: -------------------------------------------------------------------------------- 1 | # toDate() 2 | 3 | ## Usage: 4 | ```cedar 5 | .toDate() 6 | ``` 7 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/datetime/to_days.md: -------------------------------------------------------------------------------- 1 | # toDays() 2 | 3 | ## Usage: 4 | ```cedar 5 | .toDays() 6 | ``` 7 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/datetime/to_hours.md: -------------------------------------------------------------------------------- 1 | # toHours() 2 | 3 | ## Usage: 4 | ```cedar 5 | .toHours() 6 | ``` 7 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/datetime/to_milliseconds.md: -------------------------------------------------------------------------------- 1 | # toMilliseconds() 2 | 3 | ## Usage: 4 | ```cedar 5 | .toMilliseconds() 6 | ``` 7 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/datetime/to_minutes.md: -------------------------------------------------------------------------------- 1 | # toMinutes() 2 | 3 | ## Usage: 4 | ```cedar 5 | .toMinutes() 6 | ``` 7 | 
-------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/datetime/to_seconds.md: -------------------------------------------------------------------------------- 1 | # toSeconds() 2 | 3 | ## Usage: 4 | ```cedar 5 | .toSeconds() 6 | ``` 7 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/datetime/to_time.md: -------------------------------------------------------------------------------- 1 | # toTime() 2 | 3 | ## Usage: 4 | ```cedar 5 | .toTime() 6 | ``` 7 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/decimal/decimal.md: -------------------------------------------------------------------------------- 1 | # decimal() *(parse string and convert to decimal)* 2 | 3 | ## Usage: 4 | ```cedar 5 | decimal() 6 | ``` 7 | 8 | Function that parses the string and tries to convert it to type decimal. If the string doesn't represent 9 | a valid decimal value, it generates an error. 10 | 11 | To be interpreted successfully as a decimal value, the string must contain a decimal separator (.) 12 | and at least one digit before and at least one digit after the separator. There can be no more than 13 | 4 digits after the separator. The value must be within the valid range of the decimal type, from 14 | -922337203685477.5808 to 922337203685477.5807. 
15 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/decimal/greater_than.md: -------------------------------------------------------------------------------- 1 | # greaterThan() *(decimal 'greater than')* 2 | 3 | ## Usage: 4 | ```cedar 5 | .greaterThan() 6 | ``` 7 | 8 | Function that compares two decimal operands and evaluates to true if the left operand is numerically 9 | greater than the right operand. If either operand is not a decimal then evaluation (and validation) 10 | results in an error. 11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/decimal/greater_than_or_equal.md: -------------------------------------------------------------------------------- 1 | # greaterThanOrEqual() *(decimal 'greater than or equal')* 2 | 3 | ## Usage: 4 | ```cedar 5 | .greaterThanOrEqual() 6 | ``` 7 | 8 | Function that compares two decimal operands and evaluates to true if the left operand is numerically 9 | greater than or equal to the right operand. If either operand is not a decimal then evaluation 10 | (and validation) results in an error. 11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/decimal/less_than.md: -------------------------------------------------------------------------------- 1 | # lessThan() *(decimal 'less than')* 2 | 3 | ## Usage: 4 | ```cedar 5 | .lessThan() 6 | ``` 7 | 8 | Function that compares two decimal operands and evaluates to true if the left operand is numerically 9 | less than the right operand. If either operand is not a decimal then evaluation (and validation) 10 | results in an error. 
11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/decimal/less_than_or_equal.md: -------------------------------------------------------------------------------- 1 | # lessThanOrEqual() *(decimal 'less than or equal')* 2 | 3 | ## Usage: 4 | ```cedar 5 | .lessThanOrEqual() 6 | ``` 7 | 8 | Function that compares two decimal operands and evaluates to true if the left operand is numerically 9 | less than or equal to the right operand. If either operand is not a decimal then evaluation 10 | (and validation) results in an error. 11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/ip/ip.md: -------------------------------------------------------------------------------- 1 | # ip() *(parse string and convert to ipaddr)* 2 | 3 | ## Usage: 4 | ```cedar 5 | ip() 6 | ``` 7 | 8 | Function that parses the string and attempts to convert it to type ipaddr. 9 | If the string doesn't represent a valid IP address or range, then the ip() 10 | expression generates an error when evaluated. 11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/ip/is_in_range.md: -------------------------------------------------------------------------------- 1 | # isInRange() *(test for inclusion in IP address range)* 2 | 3 | ## Usage: 4 | ```cedar 5 | .isInRange() 6 | ``` 7 | 8 | Function that evaluates to true if the receiver is an IP address or a range 9 | of addresses that fall completely within the range specified by the operand. 10 | This function evaluates (and validates) to an error if either operand does 11 | not have ipaddr type. 
12 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/ip/is_ipv4.md: -------------------------------------------------------------------------------- 1 | # isIpv4() *(IPv4 address valid test)* 2 | 3 | ## Usage: 4 | ```cedar 5 | .isIpv4() 6 | ``` 7 | 8 | Evaluates to true if the receiver is an IPv4 address; evaluates (and validates) 9 | to an error if the receiver does not have ipaddr type. This function takes no operand. 10 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/ip/is_ipv6.md: -------------------------------------------------------------------------------- 1 | # isIpv6() *(IPv6 address valid test)* 2 | 3 | ## Usage: 4 | ```cedar 5 | .isIpv6() 6 | ``` 7 | 8 | Function that evaluates to true if the receiver is an IPv6 address; 9 | evaluates (and validates) to an error if the receiver does not have ipaddr type. 10 | This function takes no operand. 11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/ip/is_loopback.md: -------------------------------------------------------------------------------- 1 | # isLoopback() *(test for IP loopback address)* 2 | 3 | ## Usage: 4 | ```cedar 5 | .isLoopback() 6 | ``` 7 | 8 | Function that evaluates to true if the receiver is a valid loopback address 9 | for its IP version type; evaluates (and validates) to an error if the receiver 10 | does not have ipaddr type. This function takes no operand. 
11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/extension/ip/is_multicast.md: -------------------------------------------------------------------------------- 1 | # isMulticast() *(test for multicast address)* 2 | 3 | ## Usage: 4 | ```cedar 5 | .isMulticast() 6 | ``` 7 | 8 | Function that evaluates to true if the receiver is a multicast address 9 | for its IP version type; evaluates (and validates) to an error if the receiver 10 | does not have ipaddr type. This function takes no operand. 11 | 12 | ## Examples: 13 | In the examples that follow, those labeled //error both evaluate and validate to an error. 14 | ```cedar 15 | ip("127.0.0.1").isMulticast() //false 16 | ip("ff00::2").isMulticast() //true 17 | context.foo.isMulticast() //error if `context.foo` is not an `ipaddr` 18 | ``` -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/get_tag.md: -------------------------------------------------------------------------------- 1 | # getTag (tag access) 2 | 3 | ## Usage: 4 | ```cedar 5 | .getTag() 6 | ``` 7 | 8 | Method that gets the value of the tag, or errors if the tag is not present. 
9 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/has_tag.md: -------------------------------------------------------------------------------- 1 | # hasTag (tag presence test) 2 | 3 | ## Usage: 4 | ```cedar 5 | .hasTag() 6 | ``` 7 | 8 | Returns `true` if the tag is present and `false` otherwise 9 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/hierarchy/contains.md: -------------------------------------------------------------------------------- 1 | # contains() *(single element set membership test)* 2 | 3 | ## Usage: 4 | ```cedar 5 | .contains() 6 | ``` 7 | 8 | Function that evaluates to true if the operand is a member of the receiver 9 | on the left side of the function. The receiver must be of type Set or 10 | evaluation produces an error. To be accepted by the policy validator, 11 | contains must be called on a receiver that is a Set of some type T, 12 | with an argument that also has type T. 13 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/hierarchy/contains_all.md: -------------------------------------------------------------------------------- 1 | # containsAll() *(all element set membership test)* 2 | 3 | ## Usage: 4 | ```cedar 5 | .containsAll() 6 | ``` 7 | 8 | Function that evaluates to true if every member of the operand set is a member 9 | of the receiver set. Both the receiver and the operand must be of type set or 10 | evaluation results in an error. To be accepted by the validator, the receiver 11 | and argument to containsAll must be homogeneous sets of the same type. 
12 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/hierarchy/contains_any.md: -------------------------------------------------------------------------------- 1 | # containsAny() *(any element set membership test)* 2 | 3 | ## Usage: 4 | ```cedar 5 | .containsAny() 6 | ``` 7 | 8 | Function that evaluates to true if any one or more members of the operand 9 | set is a member of the receiver set. Both the receiver and the operand must 10 | be of type set or evaluation produces an error. To be accepted by the policy 11 | validator, calls to containsAny must be on homogeneous sets of the same type. 12 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/hierarchy/has.md: -------------------------------------------------------------------------------- 1 | # has *(presence of attribute test)* 2 | 3 | ## Usage: 4 | ```cedar 5 | has 6 | has 7 | ``` 8 | 9 | Boolean operator that tests whether an entity or record has a specified attribute or 10 | attribute path defined. It evaluates to true if the attribute exists, false if it 11 | doesn't. Both evaluation and validation will result in an error if the left operand 12 | is not an entity or record type. 13 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/hierarchy/in.md: -------------------------------------------------------------------------------- 1 | # in *(hierarchy membership)* 2 | 3 | ## Usage: 4 | ```cedar 5 | in 6 | ``` 7 | 8 | Binary operator that evaluates to true if the entity in the left operand is a 9 | descendant in the hierarchy under the entity in the right operand. Evaluation 10 | (and validation) produces an error if the first (lhs) operand of in is not an 11 | entity, or the (rhs) is not an entity or a set thereof. 
12 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/hierarchy/is.md: -------------------------------------------------------------------------------- 1 | # is *(entity type test)* 2 | 3 | ## Usage: 4 | ```cedar 5 | is 6 | is in 7 | is in set() 8 | ``` 9 | 10 | Boolean operator that tests whether an entity has a specific type. It evaluates to true 11 | if the left operand is an entity of the specified type, and false if it's an entity of 12 | a different type. Both evaluation and validation will result in an error if the left 13 | operand is not an entity or if the right operand is not a known entity type from the schema. 14 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/hierarchy/is_empty.md: -------------------------------------------------------------------------------- 1 | # isEmpty() *(set emptiness test)* 2 | 3 | ## Syntax: 4 | ```cedar 5 | .isEmpty() 6 | ``` 7 | 8 | Function that evaluates to `true` if the set is empty. 9 | The receiver must be of type set or evaluation produces an error. 10 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/hierarchy/set.md: -------------------------------------------------------------------------------- 1 | # Set Type 2 | 3 | ```cedarschema 4 | Set 5 | ``` 6 | 7 | A collection type that contains elements of type `?`. 8 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/logical/and.md: -------------------------------------------------------------------------------- 1 | # && *(AND)* 2 | 3 | ## Usage: 4 | ```cedar 5 | && 6 | ``` 7 | 8 | Binary operator that performs logical AND between two boolean expressions. It evaluates 9 | to true only if both operands evaluate to true. 
Uses short-circuit evaluation: if the 10 | first operand is false, the second operand is not evaluated. 11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/logical/if.md: -------------------------------------------------------------------------------- 1 | # if *(CONDITIONAL)* 2 | 3 | ## Usage: 4 | ```cedar 5 | if then else 6 | ``` 7 | 8 | Conditional operator that evaluates based on a boolean condition. Returns the 'then' 9 | expression if the condition is true, or the 'else' expression if the condition is 10 | false. The condition must evaluate to a boolean value or an error will occur. 11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/logical/not.md: -------------------------------------------------------------------------------- 1 | # ! *(NOT)* 2 | 3 | ## Usage: 4 | ```cedar 5 | ! 6 | ``` 7 | 8 | Unary operator that inverts the value of a boolean operand: true becomes false, and 9 | false becomes true. If the operand is not a boolean, both evaluation and validation 10 | will result in an error. 11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/logical/or.md: -------------------------------------------------------------------------------- 1 | # || *(OR)* 2 | 3 | ## Usage: 4 | ```cedar 5 | || 6 | ``` 7 | 8 | Binary operator that performs logical OR between two boolean expressions. It evaluates 9 | to true if either operand evaluates to true. Uses short-circuit evaluation: if the 10 | first operand is true, the second operand is not evaluated. 
11 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/primitive/bool.md: -------------------------------------------------------------------------------- 1 | # Boolean 2 | 3 | A value that is either `true` or `false`. 4 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/primitive/long.md: -------------------------------------------------------------------------------- 1 | # long *(integer type)* 2 | 3 | A whole number without decimals that can range from -9223372036854775808 to 9223372036854775807 (64-bit signed integer). 4 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/primitive/string.md: -------------------------------------------------------------------------------- 1 | # string 2 | 3 | A sequence of characters consisting of letters, numbers, or symbols. 4 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/principal.md: -------------------------------------------------------------------------------- 1 | # Principal 2 | 3 | The principal element in a Cedar policy represents a user, service, or other identity 4 | that can make a request to perform an action on a resource in your application. If the 5 | principal making the request matches the principal defined in this policy statement, 6 | then this element matches. 7 | 8 | The principal element must be present. If you specify only principal without an expression 9 | that constrains its scope, then the policy applies to any principal. 
10 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/markdown/resource.md: -------------------------------------------------------------------------------- 1 | # Resource 2 | 3 | The resource element in a Cedar policy is a resource defined by your application that can 4 | be accessed or modified by the specified action. 5 | 6 | The resource element must be present. If you specify only resource without an expression 7 | that constrains its scope, then the policy applies to any resource. 8 | -------------------------------------------------------------------------------- /cedar-language-server/src/documentation/primitive.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
*/

use crate::impl_documentation_from_markdown_file;

// One documentation type per primitive Cedar type, each backed by the markdown
// file named here (laid out under `src/documentation/markdown/primitive/`).
// NOTE(review): the macro is defined elsewhere in the crate; confirm how the
// file path is resolved before adding entries.
impl_documentation_from_markdown_file!(LongDocumentation, "markdown/primitive/long.md");
impl_documentation_from_markdown_file!(StringDocumentation, "markdown/primitive/string.md");
impl_documentation_from_markdown_file!(BoolDocumentation, "markdown/primitive/bool.md");
--------------------------------------------------------------------------------
/cedar-language-server/src/entities.rs:
--------------------------------------------------------------------------------
/*
 * Copyright Cedar Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
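*/

use cedar_policy_core::validator::{CoreSchema, ValidatorSchema};
use cedar_policy_core::{
    entities::{EntityJsonParser, TCComputation},
    extensions::Extensions,
};
use lsp_types::Diagnostic;

use crate::{schema::SchemaInfo, utils::to_lsp_diagnostics};

/// Parses `text` as an entities JSON document and turns any parse or
/// schema-conformance error into LSP diagnostics.
///
/// * `text` — the complete entities JSON buffer as the editor holds it.
/// * `schema_info` — the schema to check the entities against, if one is known.
///
/// Returns `None` when the document parses cleanly, otherwise the diagnostics
/// derived from the parser's error (positioned against `text`).
pub(crate) fn entities_diagnostics(
    text: &str,
    schema_info: Option<SchemaInfo>,
) -> Option<Vec<Diagnostic>> {
    // A schema that fails to convert is dropped by `.ok()`: the entities are
    // then parsed without schema checking, so only structural problems are
    // reported from this path and no diagnostic says the schema was ignored.
    let schema = schema_info.and_then(|s| ValidatorSchema::try_from(&s).ok());
    let schema = schema.as_ref().map(CoreSchema::new);

    // `ComputeNow` asks the parser to compute the entity hierarchy's transitive
    // closure itself rather than trusting the input (per the variant name —
    // confirm against the cedar_policy_core docs).
    let eparser = EntityJsonParser::new(
        schema.as_ref(),
        Extensions::all_available(),
        TCComputation::ComputeNow,
    );
    let Err(error) = eparser.from_json_str(text) else {
        return None;
    };

    Some(to_lsp_diagnostics(&error, text))
}
--------------------------------------------------------------------------------
/cedar-language-server/src/lib.rs:
--------------------------------------------------------------------------------
/*
 * Copyright Cedar Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.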
15 | */ 16 | 17 | #![warn(clippy::pedantic)] 18 | #![allow( 19 | clippy::missing_errors_doc, 20 | clippy::cast_possible_truncation, 21 | clippy::cast_sign_loss, 22 | clippy::cast_possible_wrap 23 | )] 24 | #![cfg_attr(not(feature = "bin"), allow(dead_code, unused_imports))] 25 | 26 | #[cfg(feature = "bin")] 27 | pub mod document; 28 | mod documentation; 29 | mod entities; 30 | mod lsp; 31 | mod markdown; 32 | pub mod policy; 33 | pub mod schema; 34 | #[cfg(feature = "bin")] 35 | pub mod server; 36 | mod utils; 37 | -------------------------------------------------------------------------------- /cedar-language-server/src/lsp.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | pub(crate) fn new_symbol( 18 | name: String, 19 | range: lsp_types::Range, 20 | kind: lsp_types::SymbolKind, 21 | ) -> lsp_types::DocumentSymbol { 22 | lsp_types::DocumentSymbol { 23 | name, 24 | detail: None, 25 | kind, 26 | tags: None, 27 | range, 28 | selection_range: range, 29 | children: None, 30 | #[allow(deprecated)] 31 | deprecated: None, 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /cedar-language-server/src/main.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | use cedar_language_server::server::Backend; 18 | use tower_lsp::{LspService, Server}; 19 | use tracing::info; 20 | 21 | #[tokio::main] 22 | async fn main() { 23 | let appender = tracing_appender::rolling::hourly("./logs", "server.log"); 24 | let (writer, _guard) = tracing_appender::non_blocking(appender); 25 | 26 | tracing_subscriber::fmt().json().with_writer(writer).init(); 27 | info!("Starting server."); 28 | 29 | let (stdin, stdout) = (tokio::io::stdin(), tokio::io::stdout()); 30 | 31 | let (service, socket) = LspService::new(Backend::new); 32 | Server::new(stdin, stdout, socket).serve(service).await; 33 | } 34 | -------------------------------------------------------------------------------- /cedar-language-server/src/policy.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | mod completion; 18 | mod definition; 19 | mod diagnostics; 20 | mod fold; 21 | mod format; 22 | mod hover; 23 | mod loc; 24 | mod quickfix; 25 | mod quickpick; 26 | mod symbols; 27 | mod types; 28 | 29 | pub use completion::*; 30 | pub(crate) use definition::*; 31 | pub use diagnostics::*; 32 | pub(crate) use fold::*; 33 | pub(crate) use format::*; 34 | pub use hover::*; 35 | pub(crate) use loc::*; 36 | pub use quickfix::*; 37 | pub(crate) use quickpick::*; 38 | pub(crate) use symbols::*; 39 | pub use types::*; 40 | -------------------------------------------------------------------------------- /cedar-language-server/src/policy/completion/items.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | mod extension; 18 | mod operators; 19 | mod var; 20 | 21 | pub(crate) use extension::*; 22 | pub(crate) use operators::*; 23 | pub(crate) use var::*; 24 | -------------------------------------------------------------------------------- /cedar-language-server/src/policy/format.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | use cedar_policy_formatter::{policies_str_to_pretty, Config}; 18 | use lsp_types::{Position, Range, TextEdit}; 19 | 20 | /// Formats a Cedar policy according to standard style guidelines. 21 | /// 22 | /// # Returns 23 | /// - `Some(Vec)` with a single edit covering the entire document when successful 24 | /// - `None` if formatting fails due to invalid policy syntax 25 | #[must_use] 26 | pub(crate) fn format_policy(policy: &str) -> Option> { 27 | let lines = policy.lines().count(); 28 | let result = policies_str_to_pretty( 29 | policy, 30 | &Config { 31 | line_width: 80, 32 | indent_width: 4, 33 | }, 34 | ) 35 | .ok()?; 36 | let edit = TextEdit { 37 | range: Range { 38 | start: Position { 39 | line: 0, 40 | character: 0, 41 | }, 42 | end: Position { 43 | line: lines as u32, 44 | character: 0, 45 | }, 46 | }, 47 | new_text: result, 48 | }; 49 | 50 | Some(vec![edit]) 51 | } 52 | -------------------------------------------------------------------------------- /cedar-language-server/test-data/policies.cedarschema: -------------------------------------------------------------------------------- 1 | type PermissionsMap = { 2 | hotelReservations: Set, 3 | propertyReservations: Set, 4 | // With unions, just have reservations: Set 5 | // Do similarly for PaymentDetails, Rates, etc. 
6 | }; 7 | type ComplexType = { 8 | required: Bool, 9 | hotels: Set, 10 | }; 11 | 12 | entity Group { 13 | 14 | }; 15 | 16 | entity User in [Group] { 17 | viewPermissions: PermissionsMap, 18 | memberPermissions: PermissionsMap, 19 | hotelAdminPermissions: Set, 20 | propertyAdminPermissions: Set, 21 | lastName?: String, 22 | property: Property, 23 | }; 24 | entity Property in [Hotel] { 25 | propertyName: String, 26 | }; 27 | entity Hotel in [Hotel] { 28 | hotelName: String, 29 | complex: ComplexType 30 | }; 31 | entity Reservation in [Property] { 32 | reservationName: String 33 | }; 34 | 35 | action propertyManagerActions; 36 | 37 | // ACTIONS: Reservations 38 | action viewReservation, updateReservation, grantAccessReservation in [propertyManagerActions] 39 | appliesTo { 40 | principal: User, 41 | resource: Reservation, 42 | context: { 43 | complex: ComplexType, 44 | location: String 45 | } 46 | }; 47 | 48 | // ACTIONS: Properties (plus, CreateReservation for a Property) 49 | action createReservation, viewProperty, updateProperty, grantAccessProperty in [propertyManagerActions] 50 | appliesTo { 51 | principal: User, 52 | resource: Property, 53 | context: ComplexType 54 | }; 55 | 56 | // ACTIONS: Hotels (plus, CreateProperty for a Hotel) 57 | action createProperty, createHotel, viewHotel, updateHotel, grantAccessHotel in [propertyManagerActions] 58 | appliesTo { 59 | principal: User, 60 | resource: Hotel, 61 | }; 62 | -------------------------------------------------------------------------------- /cedar-policy-cli/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "cedar-policy-cli" 3 | edition.workspace = true 4 | version.workspace = true 5 | rust-version.workspace = true 6 | license.workspace = true 7 | categories.workspace = true 8 | description = "CLI interface for the Cedar Policy language." 
9 | keywords.workspace = true 10 | homepage.workspace = true 11 | repository.workspace = true 12 | 13 | [dependencies] 14 | cedar-policy = { version = "=4.4.0", path = "../cedar-policy" } 15 | cedar-policy-formatter = { version = "=4.4.0", path = "../cedar-policy-formatter" } 16 | clap = { version = "4", features = ["derive", "env"] } 17 | serde = { version = "1.0", features = ["derive"] } 18 | serde_json = "1.0" 19 | miette = { version = "7.6.0", features = ["fancy"] } 20 | thiserror = "2.0" 21 | semver = "1.0.26" 22 | 23 | [features] 24 | default = [] 25 | experimental = ["permissive-validate", "partial-validate", "partial-eval"] 26 | permissive-validate = ["cedar-policy/permissive-validate"] 27 | partial-validate = ["cedar-policy/partial-validate"] 28 | partial-eval = ["cedar-policy/partial-eval"] 29 | 30 | [dev-dependencies] 31 | assert_cmd = "2.0" 32 | tempfile = "3" 33 | glob = "0.3.2" 34 | predicates = "3.1.3" 35 | rstest = "0.25.0" 36 | graphviz-rust = {version = "0.9.5", default-features = false } 37 | 38 | # We override the name of the binary for src/main.rs, which otherwise would be 39 | # cedar-policy-cli (matching the crate name). 40 | [[bin]] 41 | name = "cedar" 42 | path = "src/main.rs" 43 | 44 | [lints] 45 | workspace = true 46 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/README.md: -------------------------------------------------------------------------------- 1 | # Cedar CLI Examples 2 | 3 | This folder contains several examples of using the Cedar CLI. `sandbox_a`, `sandbox_b`, and `sandbox_c` contain a tutorial-style presentation using the example PhotoFlash application described in the [Cedar language guide](https://docs.cedarpolicy.com/overview/scenario.html). `sandbox_a` focuses on RBAC policies, `sandbox_b` focuses on ABAC policies, and `sandbox_c` focuses on templates. 
4 | 5 | `tiny_sandboxes` contains a variety of smaller examples that demonstrate how to use different CLI commands. 6 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_a/policies_1.cedar: -------------------------------------------------------------------------------- 1 | // Everyone in the group UserGroup::"jane_friends" can view this specific photo 2 | @id("jane's friends view-permission policy") 3 | permit ( 4 | principal in UserGroup::"jane_friends", 5 | action == Action::"view", 6 | resource == Photo::"VacationPhoto94.jpg" 7 | ); 8 | 9 | // but Tim is disallowed from viewing the photo 10 | @id("disallow tim policy") 11 | forbid ( 12 | principal == User::"tim", 13 | action, 14 | resource == Photo::"VacationPhoto94.jpg" 15 | ); 16 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_a/policies_1_bad.cedar: -------------------------------------------------------------------------------- 1 | // Everyone in the group UserGroup::"jane_friends" can view this specific photo 2 | @id("jane's friends view-permission policy") 3 | permit ( 4 | principal in UsrGroup::"jane_friends", 5 | action == Action::"view", 6 | resource == Photo::"VacationPhoto94.jpg" 7 | ); 8 | 9 | // but Tim is disallowed from viewing the photo 10 | @id("disallow tim policy") 11 | forbid ( 12 | principal == User::"tim", 13 | action, 14 | resource == Photo::"VacationPhoto94.jpg" 15 | ); 16 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_a/policies_2.cedar: -------------------------------------------------------------------------------- 1 | // Alice can view, edit, or delete any photo in the "jane_vacation" album 2 | @id("alice's access policy") 3 | permit ( 4 | principal == User::"alice", 5 | action in [Action::"view", Action::"edit", Action::"delete"], 6 | resource in Album::"jane_vacation" 7 
| ); 8 | 9 | // Bob can only view things in the "jane_vacation" album 10 | @id("bob's view policy") 11 | permit ( 12 | principal == User::"bob", 13 | action == Action::"view", 14 | resource in Album::"jane_vacation" 15 | ); 16 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_a/policies_3.cedar: -------------------------------------------------------------------------------- 1 | // Everyone can view the photos in the "jane_vacation" album 2 | // (and list the photos in the album) 3 | @id("jane_vacation public") 4 | permit ( 5 | principal, 6 | action in [Action::"view", Action::"listPhotos"], 7 | resource in Album::"jane_vacation" 8 | ); 9 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_a/schema.cedarschema: -------------------------------------------------------------------------------- 1 | entity Video in [Account, Album]; 2 | entity User in [UserGroup]; 3 | entity UserGroup; 4 | entity Administrator; 5 | entity Photo in [Account, Album]; 6 | entity Album in [Account]; 7 | entity Account; 8 | 9 | action listPhotos 10 | appliesTo { principal: [User], resource: [Album, Photo, Video] }; 11 | action view, delete, edit 12 | appliesTo { principal: [User], resource: [Photo, Video, Album] }; 13 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_b/context.json: -------------------------------------------------------------------------------- 1 | { 2 | "source_ip": "ip(\"10.0.1.101\")" 3 | } 4 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_b/policies_4.cedar: -------------------------------------------------------------------------------- 1 | // Only members of the HardwareEngineering department with job level >= 5 can 2 | // view photos in device_prototypes 3 | @id("prototypes access 
policy") 4 | permit ( 5 | principal, 6 | action == Action::"view", 7 | resource in Album::"device_prototypes" 8 | ) 9 | when 10 | { principal.department == "HardwareEngineering" && principal.jobLevel >= 5 }; 11 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_b/policies_5.cedar: -------------------------------------------------------------------------------- 1 | // Alice's friends can view all of her photos 2 | @id("alice's friends view policy") 3 | permit ( 4 | principal in UserGroup::"alice_friends", 5 | action == Action::"view", 6 | resource in Account::"alice" 7 | ); 8 | 9 | // but, as a general rule, anything marked private can only be viewed by the 10 | // account owner 11 | @id("privacy rule") 12 | forbid (principal, action, resource) 13 | when { resource.private } 14 | unless { resource.account has owner && resource.account.owner == principal }; 15 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_b/policies_5_bad.cedar: -------------------------------------------------------------------------------- 1 | // Alice's friends can view all of her photos 2 | @id("alice's friends view policy") 3 | permit ( 4 | principal in UserGroup::"alice_friends", 5 | action == Action::"view", 6 | resource in Account::"alice" 7 | ); 8 | 9 | // but, as a general rule, anything marked private can only be viewed by the 10 | // account owner 11 | @id("privacy rule") 12 | forbid (principal, action, resource) 13 | when { resource.private } 14 | unless { resource.account.owner == principal }; 15 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_b/policies_6.cedar: -------------------------------------------------------------------------------- 1 | // Alice's friends can view all of her photos 2 | @id("alice's friends view policy") 3 | permit ( 4 | principal in 
UserGroup::"alice_friends", 5 | action == Action::"view", 6 | resource in Account::"alice" 7 | ); 8 | 9 | // but forbid all requests coming from this IP range 10 | @id("ip_denylist") 11 | forbid (principal, action, resource) 12 | when { context.source_ip.isInRange(ip("222.222.222.0/24")) }; 13 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_b/schema.cedarschema: -------------------------------------------------------------------------------- 1 | entity Photo in [Account, Album] { 2 | account: Account, 3 | admins: Set, 4 | private: Bool 5 | }; 6 | entity User in [UserGroup] { department: String, jobLevel: Long }; 7 | entity AccountGroup; 8 | entity Administrator; 9 | entity UserGroup; 10 | entity Album in [Account] { account: Account, private: Bool }; 11 | entity Account in [AccountGroup] { owner?: User }; 12 | 13 | action view, delete, edit 14 | appliesTo { 15 | principal: [User], 16 | resource: [Photo, Album], 17 | context: { source_ip: __cedar::ipaddr } 18 | }; 19 | action listPhotos 20 | appliesTo { 21 | principal: [User], 22 | resource: [Album, Photo], 23 | context: { source_ip: __cedar::ipaddr } 24 | }; 25 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_c/entities.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "uid": { "__entity": { "type": "User", "id": "alice"} }, 4 | "attrs": {}, 5 | "parents": [] 6 | }, 7 | { 8 | "uid": { "__entity": { "type": "User", "id": "jane"} }, 9 | "attrs": {}, 10 | "parents": [] 11 | }, 12 | { 13 | "uid": { "__entity": { "type": "User", "id": "bob"} }, 14 | "attrs": { 15 | "department": "research" 16 | }, 17 | "parents": [] 18 | }, 19 | { 20 | "uid": { "__entity": { "type": "Album", "id": "jane"} }, 21 | "attrs": {}, 22 | "parents": [] 23 | }, 24 | { 25 | "uid": { "__entity": { "type": "Photo", "id": "VacationPhoto94.jpg"} }, 26 | 
"attrs": {}, 27 | "parents": [ 28 | { "__entity": { "type": "Album", "id": "jane"} } 29 | ] 30 | }, 31 | { 32 | "uid": { "__entity": { "type": "Photo", "id": "Skyline.jpg"} }, 33 | "attrs": { 34 | "public": true 35 | }, 36 | "parents": [ 37 | { "__entity": { "type": "Album", "id": "jane"} } 38 | ] 39 | } 40 | ] 41 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_c/policies.cedar: -------------------------------------------------------------------------------- 1 | // Template for permitting vacation photo access 2 | @id("AccessVacation") 3 | permit ( 4 | principal in ?principal, 5 | action == Action::"view", 6 | resource == Photo::"VacationPhoto94.jpg" 7 | ); 8 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_c/policies_edited.cedar: -------------------------------------------------------------------------------- 1 | // Template for permitting vacation photo access 2 | @id("AccessVacation") 3 | permit ( 4 | principal in ?principal, 5 | action == Action::"view", 6 | resource == Photo::"VacationPhoto94.jpg" 7 | ) 8 | when { principal has department && principal.department == "research" }; 9 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/sandbox_c/schema.cedarschema: -------------------------------------------------------------------------------- 1 | entity Photo in [Account, Album]; 2 | entity Video in [Account, Album]; 3 | entity Account; 4 | entity Album in [Account]; 5 | entity UserGroup; 6 | entity User in [UserGroup]; 7 | entity Administrator; 8 | 9 | action view, delete, edit 10 | appliesTo { principal: [User], resource: [Photo, Video, Album] }; 11 | action listPhotos 12 | appliesTo { principal: [User], resource: [Album, Photo, Video] }; 13 | -------------------------------------------------------------------------------- 
/cedar-policy-cli/sample-data/tiny_sandboxes/format/README.md: -------------------------------------------------------------------------------- 1 | # format 2 | 3 | This sample is used to verify that the cedar-policy-cli's format command works as expected when writing back to the 4 | file system. 5 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/format/formatted.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal == User::"alice", 3 | action == Action::"update", 4 | resource == Photo::"VacationPhoto94.jpg" 5 | ); 6 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/format/unformatted.cedar: -------------------------------------------------------------------------------- 1 | permit 2 | 3 | ( 4 | principal 5 | == User::"alice", 6 | action == Action::"update" 7 | 8 | , 9 | resource == Photo::"VacationPhoto94.jpg" 10 | ) 11 | 12 | ; -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/json-authorize/README.md: -------------------------------------------------------------------------------- 1 | # JSON formatted policies 2 | 3 | The Cedar policy CLI also supports using policies in the JSON policy format. 4 | See the [Cedar language reference](https://docs.cedarpolicy.com/policies/json-format.html) for a detailed description of this format. 5 | 6 | In general, you can select between the Cedar and JSON formats using `--policy-format`. 
7 | For example, we can use a JSON format policy in an authorization request 8 | 9 | ```bash 10 | cedar authorize --policy-format json \ 11 | --policies policy.cedar.json \ 12 | --entities entity.json \ 13 | --principal 'User::"bob"' \ 14 | --action 'Action::"view"' \ 15 | --resource 'Photo::"VacationPhoto94.jpg"'` 16 | ``` 17 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/json-authorize/entity.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "uid": { "type": "User", "id": "bob"} , 4 | "attrs": { }, 5 | "parents": [] 6 | }, 7 | { 8 | "uid": { "type": "Action", "id": "view"}, 9 | "attrs": {}, 10 | "parents": [] 11 | }, 12 | { 13 | "uid": { "type": "Photo", "id": "VacationPhoto94.jpg"}, 14 | "attrs": { 15 | "owner": {"__entity": {"type": "User", "id": "bob"}} 16 | }, 17 | "parents": [] 18 | } 19 | ] 20 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/json-authorize/policy.cedar.json: -------------------------------------------------------------------------------- 1 | { 2 | "effect": "permit", 3 | "principal": { 4 | "op": "==", 5 | "entity": { "type": "User", "id": "bob" } 6 | }, 7 | "action": { 8 | "op": "in", 9 | "entities": [ 10 | { "type": "Action", "id": "view" }, 11 | { "type": "Action", "id": "edit" } 12 | ] 13 | }, 14 | "resource": { 15 | "op": "All" 16 | }, 17 | "conditions": [ 18 | { 19 | "kind": "when", 20 | "body": { 21 | "==": { 22 | "left": { 23 | ".": { 24 | "left": { 25 | "Var": "resource" 26 | }, 27 | "attr": "owner" 28 | } 29 | }, 30 | "right": { 31 | "Var": "principal" 32 | } 33 | } 34 | } 35 | } 36 | ] 37 | } 38 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/json-check-parse/README.md: 
-------------------------------------------------------------------------------- 1 | # JSON formatted policies 2 | 3 | The Cedar policy CLI also supports using policies in the JSON policy format. 4 | See the [Cedar language reference](https://docs.cedarpolicy.com/policies/json-format.html) for a detailed description of this format. 5 | 6 | In general, you can select between the Cedar and JSON formats using `--policy-format`. 7 | For example, we can check if a JSON format policy parses: 8 | 9 | ```bash 10 | cedar check-parse --policy-format json \ 11 | --policies policy.cedar.json 12 | ``` 13 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/json-check-parse/policy_mixed_properties.cedar.json: -------------------------------------------------------------------------------- 1 | { 2 | "effect": "", 3 | "principal": {}, 4 | "action": {}, 5 | "resource": {}, 6 | "conditions": [], 7 | "staticPolicies": {}, 8 | "templates": {}, 9 | "templateLinks": [] 10 | } -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/json-check-parse/policy_no_matching_properties.cedar.json: -------------------------------------------------------------------------------- 1 | { 2 | "Xeffect": "", 3 | "Xprincipal": {}, 4 | "Xaction": {}, 5 | "Xresource": {}, 6 | "Xconditions": [], 7 | "XstaticPolicies": {}, 8 | "Xtemplates": {}, 9 | "XtemplateLinks": [] 10 | } -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/json-check-parse/policy_set.cedar.json: -------------------------------------------------------------------------------- 1 | { 2 | "staticPolicies": { 3 | "policy0": { 4 | "effect": "permit", 5 | "principal": { 6 | "op": "==", 7 | "entity": { 8 | "type": "User", 9 | "id": "bob" 10 | } 11 | }, 12 | "action": { 13 | "op": "in", 14 | "entities": [ 15 | { 16 | "type": 
"Action", 17 | "id": "view" 18 | }, 19 | { 20 | "type": "Action", 21 | "id": "edit" 22 | } 23 | ] 24 | }, 25 | "resource": { 26 | "op": "All" 27 | }, 28 | "conditions": [ 29 | { 30 | "kind": "when", 31 | "body": { 32 | "==": { 33 | "left": { 34 | ".": { 35 | "left": { 36 | "Var": "resource" 37 | }, 38 | "attr": "owner" 39 | } 40 | }, 41 | "right": { 42 | "Var": "principal" 43 | } 44 | } 45 | } 46 | } 47 | ] 48 | } 49 | }, 50 | "templates": {}, 51 | "templateLinks": [] 52 | } 53 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/json-check-parse/policy_template.cedar.json: -------------------------------------------------------------------------------- 1 | { 2 | "effect": "permit", 3 | "principal": { 4 | "op": "in", 5 | "slot": "?principal" 6 | }, 7 | "action": { 8 | "op": "in", 9 | "entities": [ 10 | { 11 | "type": "Action", 12 | "id": "view" 13 | }, 14 | { 15 | "type": "Action", 16 | "id": "comment" 17 | } 18 | ] 19 | }, 20 | "resource": { 21 | "op": "in", 22 | "slot": "?resource" 23 | }, 24 | "conditions": [ 25 | { 26 | "kind": "unless", 27 | "body": { 28 | "==": { 29 | "left": { 30 | ".": { 31 | "left": { 32 | "Var": "resource" 33 | }, 34 | "attr": "tag" 35 | } 36 | }, 37 | "right": { 38 | "Value": "private" 39 | } 40 | } 41 | } 42 | } 43 | ] 44 | } 45 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/json-check-parse/static_policy.cedar.json: -------------------------------------------------------------------------------- 1 | { 2 | "effect": "permit", 3 | "principal": { 4 | "op": "==", 5 | "entity": { "type": "User", "id": "bob" } 6 | }, 7 | "action": { 8 | "op": "in", 9 | "entities": [ 10 | { "type": "Action", "id": "view" }, 11 | { "type": "Action", "id": "edit" } 12 | ] 13 | }, 14 | "resource": { 15 | "op": "All" 16 | }, 17 | "conditions": [ 18 | { 19 | "kind": "when", 20 | "body": { 21 | "==": { 22 | 
"left": { 23 | ".": { 24 | "left": { 25 | "Var": "resource" 26 | }, 27 | "attr": "owner" 28 | } 29 | }, 30 | "right": { 31 | "Var": "principal" 32 | } 33 | } 34 | } 35 | } 36 | ] 37 | } 38 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/level-validation/policy-level-0.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal == User::"alice", 3 | action == Action::"view", 4 | resource 5 | ) 6 | when { context.token.is_secure }; 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/level-validation/policy-level-1.cedar: -------------------------------------------------------------------------------- 1 | permit (principal, action, resource) 2 | when { principal.jobLevel > 5 }; 3 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/level-validation/policy-level-2.cedar: -------------------------------------------------------------------------------- 1 | @id("attr-access") 2 | permit (principal, action, resource) 3 | when { principal.manager in Group::"admins" }; 4 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/level-validation/schema.cedarschema: -------------------------------------------------------------------------------- 1 | entity User in Group { 2 | jobLevel: Long, 3 | manager: User 4 | }; 5 | entity Group; 6 | entity Document; 7 | 8 | action view appliesTo { 9 | principal: User, 10 | resource: Document, 11 | context: { 12 | token: { 13 | is_secure: Bool 14 | } 15 | } 16 | }; 17 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample1/README.md: 
-------------------------------------------------------------------------------- 1 | 2 | ## sample 1 3 | 4 | ### Authorization 5 | 6 | Can User::alice view Photo:VacationPhoto94.jpg 7 | 8 | Decision: Allow 9 | 10 | ``` 11 | cargo run authorize \ 12 | --policies policy.cedar \ 13 | --entities entity.json \ 14 | --request-json request.json 15 | ``` 16 | or, provide the principal, action, and resources separately 17 | ``` 18 | cargo run authorize \ 19 | --policies policy.cedar \ 20 | --entities entity.json \ 21 | --principal 'User::"alice"' \ 22 | --action 'Action::"view"' \ 23 | --resource 'Photo::"VacationPhoto94.jpg"' 24 | ``` 25 | 26 | ### Validation: 27 | 28 | Is policy.cedar valid based on the schema schema.cedarschema 29 | 30 | ``` 31 | cargo run validate \ 32 | --policies policy.cedar \ 33 | --schema schema.cedarschema 34 | ``` 35 | 36 | 37 | ### Evaluate: 38 | Evaluate a Cedar expression 39 | 40 | ``` 41 | cargo run evaluate \ 42 | --request-json request.json \ 43 | --entities entity.json \ 44 | "principal in UserGroup::\"jane_friends\"" 45 | ``` 46 | ``` 47 | cargo run evaluate \ 48 | --principal 'User::"alice"' \ 49 | --action 'Action::"view"' \ 50 | --resource 'Photo::"VacationPhoto94.jpg"' \ 51 | --entities entity.json \ 52 | "principal in UserGroup::\"jane_friends\"" 53 | ``` 54 | ``` 55 | cargo run evaluate \ 56 | --request-json request.json \ 57 | "[\"a\",true,10].contains(10)" 58 | ``` 59 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample1/entity.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "uid": { "type": "User", "id": "alice"} , 4 | "attrs": { 5 | "age": 18 6 | }, 7 | "parents": [{"type": "UserGroup", "id": "jane_friends"}] 8 | }, 9 | { 10 | "uid": { "type": "UserGroup", "id": "jane_friends" }, 11 | "attrs": {}, 12 | "parents": [] 13 | }, 14 | { 15 | "uid": { "type": "Action", "id": "view"}, 16 | "attrs": {}, 
17 | "parents": [] 18 | }, 19 | { 20 | "uid": { "type": "Photo", "id": "VacationPhoto94.jpg"}, 21 | "attrs": {}, 22 | "parents": [{ "type": "Album", "id": "jane_vacation" }] 23 | }, 24 | { 25 | "uid": { "type": "Album", "id": "jane_vacation" }, 26 | "attrs": {}, 27 | "parents": [] 28 | } 29 | ] 30 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample1/policy.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal == User::"alice", 3 | action == Action::"view", 4 | resource in Album::"jane_vacation" 5 | ); 6 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample1/request.json: -------------------------------------------------------------------------------- 1 | { 2 | "principal":"User::\"alice\"", 3 | "action":"Action::\"view\"", 4 | "resource":"Photo::\"VacationPhoto94.jpg\"", 5 | "context":{ } 6 | } 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample1/schema.cedarschema: -------------------------------------------------------------------------------- 1 | entity User in [UserGroup]; 2 | entity UserGroup; 3 | entity Photo in [Album]; 4 | entity Album in [Album]; 5 | 6 | action view appliesTo { principal: [User], resource: [Photo] }; 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample1/schema.cedarschema.json: -------------------------------------------------------------------------------- 1 | { 2 | "": { 3 | "entityTypes": { 4 | "User": { 5 | "memberOfTypes": [ 6 | "UserGroup" 7 | ] 8 | }, 9 | "UserGroup": { 10 | "memberOfTypes": [] 11 | }, 12 | "Photo": { 13 | "memberOfTypes": [ 14 | "Album" 15 | ] 16 | }, 17 | "Album": { 18 | "memberOfTypes": [ 19 | "Album" 20 | ] 21 | } 22 | }, 23 
| "actions": { 24 | "view": { 25 | "appliesTo": { 26 | "resourceTypes": [ 27 | "Photo" 28 | ], 29 | "principalTypes": [ 30 | "User" 31 | ] 32 | } 33 | } 34 | } 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample2/README.md: -------------------------------------------------------------------------------- 1 | ## sample 2 2 | 3 | ### Authorize 4 | 5 | Can `User::bob` view `Photo:VacationPhoto94.jpg` 6 | 7 | Decision: Allow 8 | 9 | Reason: Bob is the owner of the resource 10 | 11 | ``` 12 | cargo run authorize \ 13 | --policies policy.cedar \ 14 | --entities entity.json \ 15 | --request-json request.json 16 | ``` 17 | 18 | 19 | ### Validation: 20 | 21 | Is policy.cedar valid based on the schema schema.cedarschema 22 | 23 | ``` 24 | cargo run validate \ 25 | --policies policy.cedar \ 26 | --schema schema.cedarschema 27 | ``` 28 | ### Evaluate 29 | 30 | Evaluate a Cedar expression 31 | 32 | ``` 33 | cargo run evaluate \ 34 | --request-json request.json \ 35 | --entities entity.json \ 36 | "resource.owner" 37 | ``` 38 | ``` 39 | cargo run evaluate \ 40 | --principal 'User::"alice"' \ 41 | --action 'Action::"view"' \ 42 | --resource 'Photo::"VacationPhoto94.jpg"' \ 43 | --entities entity.json \ 44 | "resource.owner" 45 | ``` 46 | ``` 47 | cargo run evaluate \ 48 | --request-json request.json \ 49 | "if 10 > 5 then \"good\" else \"bad\"" 50 | ``` 51 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample2/entity.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "uid": {"type":"User", "id":"bob" }, 4 | "attrs": {}, 5 | "parents": [] 6 | }, 7 | { 8 | "uid": {"type":"Action", "id":"view" }, 9 | "attrs": {}, 10 | "parents": [] 11 | }, 12 | { 13 | "uid": { "type":"Action", "id":"edit"} , 14 | "attrs": {}, 15 | "parents": [] 16 | }, 17 | { 18 | "uid": 
{ "type":"Photo", "id":"VacationPhoto94.jpg" }, 19 | "attrs": { 20 | "owner": { "__entity": { "type":"User", "id":"bob"} } 21 | }, 22 | "parents": [{"type":"Album", "id":"jane_vacation"}] 23 | }, 24 | { 25 | "uid": { "__entity": { "type":"Album", "id":"jane_vacation"} }, 26 | "attrs": {}, 27 | "parents": [] 28 | } 29 | ] 30 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample2/policy.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal == User::"bob", 3 | action in [Action::"view", Action::"edit"], 4 | resource 5 | ) 6 | when { resource.owner == principal }; 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample2/request.json: -------------------------------------------------------------------------------- 1 | { 2 | "principal":"User::\"bob\"", 3 | "action":"Action::\"view\"", 4 | "resource":"Photo::\"VacationPhoto94.jpg\"", 5 | "context":{ } 6 | } 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample2/schema.cedarschema: -------------------------------------------------------------------------------- 1 | entity Photo in [Album] { owner: User }; 2 | entity UserGroup; 3 | entity Album in [Album]; 4 | entity User in [UserGroup]; 5 | 6 | action view, edit appliesTo { principal: [User], resource: [Photo] }; 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample2/schema.cedarschema.json: -------------------------------------------------------------------------------- 1 | { 2 | "": { 3 | "entityTypes": { 4 | "User": { 5 | "memberOfTypes": [ 6 | "UserGroup" 7 | ] 8 | }, 9 | "UserGroup": { 10 | "memberOfTypes": [] 11 | }, 12 | "Photo": { 13 | "shape": { 14 | "type": "Record", 15 | 
"attributes": { 16 | "owner": { 17 | "type": "Entity", 18 | "name": "User" 19 | } 20 | } 21 | }, 22 | "memberOfTypes": [ 23 | "Album" 24 | ] 25 | }, 26 | "Album": { 27 | "memberOfTypes": [ 28 | "Album" 29 | ] 30 | } 31 | }, 32 | "actions": { 33 | "view": { 34 | "appliesTo": { 35 | "resourceTypes": [ 36 | "Photo" 37 | ], 38 | "principalTypes": [ 39 | "User" 40 | ] 41 | } 42 | }, 43 | "edit": { 44 | "appliesTo": { 45 | "resourceTypes": [ 46 | "Photo" 47 | ], 48 | "principalTypes": [ 49 | "User" 50 | ] 51 | } 52 | } 53 | } 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample3/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## sample 3 3 | ### Authorize 4 | 5 | 6 | Can User::bob view Photo:VacationPhoto94.jpg 7 | 8 | Decision: Deny 9 | 10 | Reason: Bob can access resources in Album::"jane_vacation", 11 | but Photo::"VacationPhoto94.jpg" does not belong to the album 12 | 13 | 14 | ``` 15 | cargo run authorize \ 16 | --policies policy.cedar \ 17 | --entities entity.json \ 18 | --request-json request.json 19 | ``` 20 | 21 | ### Validation: 22 | 23 | Is policy.cedar valid based on the schema schema.cedarschema 24 | 25 | ``` 26 | cargo run validate \ 27 | --policies policy.cedar \ 28 | --schema schema.cedarschema 29 | ``` 30 | 31 | ### Evaluate 32 | 33 | Evaluate a Cedar expression 34 | ``` 35 | cargo run evaluate \ 36 | --request-json request.json \ 37 | "if 10 > 5 then \"good\" else \"bad\"" 38 | ``` 39 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample3/entity.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "uid": { "type":"User", "id":"bob" }, 4 | "attrs": {}, 5 | "parents": [] 6 | }, 7 | { 8 | "uid": { "type":"Action", "id":"view" }, 9 | "attrs": {}, 10 | "parents": [] 11 | }, 12 | { 
13 | "uid": { "type":"Action", "id":"edit" }, 14 | "attrs": {}, 15 | "parents": [] 16 | }, 17 | { 18 | "uid": { "type":"Photo", "id":"VacationPhoto94.jpg"}, 19 | "attrs": {}, 20 | "parents": [] 21 | 22 | }, 23 | { 24 | "uid": { "type":"Album", "id":"jane_vacation"}, 25 | "attrs": {}, 26 | "parents": [] 27 | } 28 | ] 29 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample3/policy.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal == User::"bob", 3 | action in [Action::"view", Action::"edit"], 4 | resource in Album::"jane_vacation" 5 | ); 6 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample3/request.json: -------------------------------------------------------------------------------- 1 | { 2 | "principal":"User::\"bob\"", 3 | "action":"Action::\"view\"", 4 | "resource":"Photo::\"VacationPhoto94.jpg\"", 5 | "context":{ } 6 | } 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample3/schema.cedarschema: -------------------------------------------------------------------------------- 1 | entity Album in [Album]; 2 | entity User in [UserGroup]; 3 | entity Photo in [Album] { owner: User }; 4 | entity UserGroup; 5 | 6 | action view, edit appliesTo { principal: [User], resource: [Photo] }; 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample3/schema.cedarschema.json: -------------------------------------------------------------------------------- 1 | { 2 | "": { 3 | "entityTypes": { 4 | "User": { 5 | "memberOfTypes": [ 6 | "UserGroup" 7 | ] 8 | }, 9 | "UserGroup": { 10 | "memberOfTypes": [] 11 | }, 12 | "Photo": { 13 | "shape": { 14 | "type": "Record", 15 | "attributes": { 16 | 
"owner": { 17 | "type": "Entity", 18 | "name": "User" 19 | } 20 | } 21 | }, 22 | "memberOfTypes": [ 23 | "Album" 24 | ] 25 | }, 26 | "Album": { 27 | "memberOfTypes": [ 28 | "Album" 29 | ] 30 | } 31 | }, 32 | "actions": { 33 | "view": { 34 | "appliesTo": { 35 | "resourceTypes": [ 36 | "Photo" 37 | ], 38 | "principalTypes": [ 39 | "User" 40 | ] 41 | } 42 | }, 43 | "edit": { 44 | "appliesTo": { 45 | "resourceTypes": [ 46 | "Photo" 47 | ], 48 | "principalTypes": [ 49 | "User" 50 | ] 51 | } 52 | } 53 | } 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample4/README.md: -------------------------------------------------------------------------------- 1 | ## sample 4 2 | 3 | ### Authorize 4 | 5 | Can User::bob view Photo:VacationPhoto94.jpg 6 | 7 | Decision: Allow 8 | 9 | Reason: request action is in the allowed action list 10 | ``` 11 | cargo run authorize \ 12 | --policies policy.cedar \ 13 | --entities entity.json \ 14 | --request-json request.json 15 | ``` 16 | 17 | 18 | 19 | 20 | # Validation 21 | 22 | Is policy.cedar valid based on the schema schema.cedarschema 23 | 24 | ``` 25 | cargo run validate \ 26 | --policies policy.cedar \ 27 | --schema schema.cedarschema 28 | ``` 29 | 30 | ### Evaluate 31 | 32 | Evaluate a Cedar expression 33 | 34 | ``` 35 | cargo run evaluate \ 36 | --request-json request.json \ 37 | --entities entity.json \ 38 | "resource.owner == User::\"bob\"" 39 | ``` 40 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample4/entity.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "uid": { "type":"User", "id":"bob" }, 4 | "attrs": {}, 5 | "parents": [] 6 | }, 7 | { 8 | "uid": { "type":"Action", "id":"view"}, 9 | "attrs": {}, 10 | "parents": [] 11 | }, 12 | { 13 | "uid": { "type":"Action", "id":"edit"}, 14 | "attrs": {}, 15 | 
"parents": [] 16 | }, 17 | { 18 | "uid": { "type":"Photo", "id":"VacationPhoto94.jpg" }, 19 | "attrs": { 20 | "owner": {"__entity":{ "type":"User", "id":"bob"}} 21 | }, 22 | "parents": [] 23 | } 24 | ] 25 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample4/policy.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal == User::"bob", 3 | action == Action::"view", 4 | resource 5 | ) 6 | when { action == Action::"view" }; 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample4/request.json: -------------------------------------------------------------------------------- 1 | { 2 | "principal":"User::\"bob\"", 3 | "action":"Action::\"view\"", 4 | "resource":"Photo::\"VacationPhoto94.jpg\"", 5 | "context":{ } 6 | } 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample4/schema.cedarschema: -------------------------------------------------------------------------------- 1 | entity Photo in [Album] { owner: User }; 2 | entity UserGroup; 3 | entity Album in [Album]; 4 | entity User in [UserGroup]; 5 | 6 | action edit, view appliesTo { principal: [User], resource: [Photo] }; 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample4/schema.cedarschema.json: -------------------------------------------------------------------------------- 1 | { 2 | "": { 3 | "entityTypes": { 4 | "User": { 5 | "memberOfTypes": [ 6 | "UserGroup" 7 | ] 8 | }, 9 | "UserGroup": { 10 | "memberOfTypes": [] 11 | }, 12 | "Photo": { 13 | "shape": { 14 | "type": "Record", 15 | "attributes": { 16 | "owner": { 17 | "type": "Entity", 18 | "name": "User" 19 | } 20 | } 21 | }, 22 | "memberOfTypes": [ 23 | "Album" 24 | ] 25 | }, 
26 | "Album": { 27 | "memberOfTypes": [ 28 | "Album" 29 | ] 30 | } 31 | }, 32 | "actions": { 33 | "view": { 34 | "appliesTo": { 35 | "resourceTypes": [ 36 | "Photo" 37 | ], 38 | "principalTypes": [ 39 | "User" 40 | ] 41 | } 42 | }, 43 | "edit": { 44 | "appliesTo": { 45 | "resourceTypes": [ 46 | "Photo" 47 | ], 48 | "principalTypes": [ 49 | "User" 50 | ] 51 | } 52 | } 53 | } 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample5/README.md: -------------------------------------------------------------------------------- 1 | ## sample 5 2 | 3 | ### Authorize 4 | 5 | Can User::bob view Photo:VacationPhoto94.jpg 6 | 7 | Decision: Allow 8 | 9 | ``` 10 | cargo run authorize \ 11 | --policies policy.cedar \ 12 | --entities entity.json \ 13 | --request-json request.json 14 | ``` 15 | 16 | 17 | ### Validation 18 | 19 | Is `policy.cedar` valid based on the schema `schema.cedarschema` 20 | 21 | ``` 22 | cargo run validate \ 23 | --policies policy.cedar \ 24 | --schema schema.cedarschema 25 | ``` 26 | 27 | ### Evaluate: 28 | 29 | Evaluate a Cedar expression 30 | 31 | ``` 32 | cargo run evaluate \ 33 | --request-json request.json \ 34 | --entities entity.json \ 35 | "principal.addr.isLoopback()" 36 | ``` 37 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample5/entity.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "uid": { "type":"User", "id":"bob" }, 4 | "attrs": { 5 | "addr": { "__extn": { "fn": "ip", "arg": "127.0.0.1" }} 6 | }, 7 | "parents": [] 8 | }, 9 | { 10 | "uid": { "type":"Action", "id":"view" }, 11 | "attrs": {}, 12 | "parents": [] 13 | }, 14 | { 15 | "uid": { "type":"Photo", "id":"VacationPhoto94.jpg"}, 16 | "attrs": { 17 | "owner": { "__entity": { "type":"User", "id":"bob"} } 18 | }, 19 | "parents": [] 20 | } 21 | ] 22 | 
-------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample5/policy.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal == User::"bob", 3 | action == Action::"view", 4 | resource 5 | ) 6 | when 7 | { 8 | principal == resource.owner && 9 | ip("127.0.0.1") == ip("127.0.0.1") && 10 | principal.addr.isLoopback() && 11 | ip("192.168.0.1").isInRange(ip("192.168.0.1/24")) && 12 | [ip("127.0.0.1"), ip("127.0.0.2")].containsAny([principal.addr]) && 13 | principal.addr == ip("127.0.0.1") && 14 | principal.addr.isInRange(ip("127.0.0.1/28")) && 15 | principal.addr.isIpv4() && 16 | ip("224.0.0.0").isMulticast() 17 | }; 18 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample5/request.json: -------------------------------------------------------------------------------- 1 | { 2 | "principal":"User::\"bob\"", 3 | "action":"Action::\"view\"", 4 | "resource":"Photo::\"VacationPhoto94.jpg\"", 5 | "context":{ } 6 | } 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample5/schema.cedarschema: -------------------------------------------------------------------------------- 1 | entity User in [UserGroup] { addr: __cedar::ipaddr }; 2 | entity UserGroup; 3 | entity Photo in [Album] { owner: User }; 4 | entity Album in [Album]; 5 | 6 | action edit, view appliesTo { principal: [User], resource: [Photo] }; 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample6/README.md: -------------------------------------------------------------------------------- 1 | ## sample 6 2 | 3 | ### Authorize 4 | 5 | Can User::"alice" view ScreenTime::"activity" 6 | 7 | Decision: Deny 8 | 9 | Reason: alice's account age is 17, so the policy condition `principal.account.age >= 18` is false and no `permit` policy is satisfied (note that 18 itself would satisfy `>=`) 10 | 11 
| ``` 12 | cargo run authorize \ 13 | --policies policy.cedar \ 14 | --entities entity.json \ 15 | --request-json request.json 16 | ``` 17 | 18 | 19 | ### Validation 20 | 21 | Is policy.cedar valid based on the schema schema.cedarschema 22 | 23 | ``` 24 | cargo run validate \ 25 | --policies policy.cedar \ 26 | --schema schema.cedarschema 27 | ``` 28 | 29 | ### Evaluate 30 | 31 | Evaluate a Cedar expression 32 | 33 | ``` 34 | cargo run evaluate \ 35 | --request-json request.json \ 36 | --entities entity.json \ 37 | "principal.account.age >= 17" 38 | ``` 39 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample6/entity.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "uid": { "type":"User", "id":"alice"}, 4 | "attrs": { 5 | "account": { "__entity": { "type":"Account", "id":"alice"} } 6 | }, 7 | "parents": [{ "type":"UserGroup", "id":"guardians"}] 8 | }, 9 | { 10 | "uid": { "type":"Account", "id":"alice" }, 11 | "attrs": { 12 | "age": 17 13 | }, 14 | "parents": [] 15 | }, 16 | { 17 | "uid": { "type":"UserGroup", "id":"guardians"}, 18 | "attrs": {}, 19 | "parents": [] 20 | }, 21 | { 22 | "uid": { "type":"Action", "id":"view"}, 23 | "attrs": {}, 24 | "parents": [] 25 | }, 26 | { 27 | "uid": { "type":"ScreenTime", "id":"activity" }, 28 | "attrs": {}, 29 | "parents": [] 30 | } 31 | ] 32 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample6/policy.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal in UserGroup::"guardians", 3 | action in [Action::"view"], 4 | resource == ScreenTime::"activity" 5 | ) 6 | when { principal.account.age >= 18 }; 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample6/request.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "principal":"User::\"alice\"", 3 | "action":"Action::\"view\"", 4 | "resource":"ScreenTime::\"activity\"", 5 | "context":{ } 6 | } 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample6/schema.cedarschema: -------------------------------------------------------------------------------- 1 | entity ScreenTime; 2 | entity UserGroup; 3 | entity Album in [Album]; 4 | entity Photo in [Album] { owner: User }; 5 | entity User in [UserGroup] { account: Account }; 6 | entity Account { age: Long }; 7 | 8 | action edit appliesTo { principal: [User], resource: [Photo] }; 9 | action view appliesTo { principal: [User], resource: [Photo, ScreenTime] }; 10 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample7/README.md: -------------------------------------------------------------------------------- 1 | ## sample 7 2 | 3 | ### Authorize 4 | 5 | This example shows how to use sets and records in the request context (Cedar has no list or map types: `role` is a `Set<String>`, `person` and `addr` are records). Be aware that in `policy.cedar` the `&&` operator binds tighter than `||`, so the `when` condition reads as `(context.role.contains("admin") && context.person.age > 17 && context.addr.city == "DC") || context.addr == {city:"DC", street:"main"}` — the second disjunct alone is sufficient to permit the request, regardless of role or age. Parenthesize explicitly if that is not the intended policy. 6 | 7 | Can PhotoFlash::Data::User::"alice" view PhotoFlash::Data::Photo::"VacationPhoto94.jpg" 8 | 9 | Decision: Allow 10 | 11 | ``` 12 | cargo run authorize \ 13 | --policies policy.cedar \ 14 | --entities entity.json \ 15 | --request-json request.json 16 | ``` 17 | 18 | 19 | ### Validation: 20 | 21 | Is policy.cedar valid based on the schema schema.cedarschema 22 | 23 | ``` 24 | cargo run validate \ 25 | --policies policy.cedar \ 26 | --schema schema.cedarschema 27 | ``` 28 | 29 | ### Evaluate 30 | 31 | Evaluate a Cedar expression 32 | 33 | ``` 34 | cargo run evaluate \ 35 | --request-json request.json \ 36 | --entities entity.json \ 37 | "context.role.contains(\"admin\")" 38 | ``` 39 | -------------------------------------------------------------------------------- 
/cedar-policy-cli/sample-data/tiny_sandboxes/sample7/entity.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "uid": { "type":"PhotoFlash::Data::User", "id":"alice" }, 4 | "attrs": {}, 5 | "parents": [{ "type":"PhotoFlash::Data::UserGroup", "id":"jane_friends" }] 6 | }, 7 | { 8 | "uid": { "type":"PhotoFlash::Data::UserGroup", "id":"jane_friends"}, 9 | "attrs": {}, 10 | "parents": [] 11 | }, 12 | { 13 | "uid": { "type":"PhotoFlash::Data::Action", "id":"view" }, 14 | "attrs": {}, 15 | "parents": [] 16 | }, 17 | { 18 | "uid": { "type":"PhotoFlash::Data::Photo", "id":"VacationPhoto94.jpg" }, 19 | "attrs": {}, 20 | "parents": [{ "type":"PhotoFlash::Data::Album", "id":"jane_vacation"}] 21 | }, 22 | { 23 | "uid": { "type":"PhotoFlash::Data::Album", "id":"jane_vacation" }, 24 | "attrs": {}, 25 | "parents": [] 26 | } 27 | ] 28 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample7/policy.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal == PhotoFlash::Data::User::"alice", 3 | action == PhotoFlash::Data::Action::"view", 4 | resource in PhotoFlash::Data::Album::"jane_vacation" 5 | ) 6 | when 7 | { 8 | context.role.contains("admin") && 9 | context.person.age > 17 && 10 | context.addr.city == "DC" || 11 | context.addr == {city:"DC", street:"main"} 12 | }; 13 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample7/request.json: -------------------------------------------------------------------------------- 1 | { 2 | "principal":"PhotoFlash::Data::User::\"alice\"", 3 | "action":"PhotoFlash::Data::Action::\"view\"", 4 | "resource":"PhotoFlash::Data::Photo::\"VacationPhoto94.jpg\"", 5 | "context":{ 6 | "role": ["admin", "user"], 7 | "person": { "name": "Alice", "age": 18 }, 8 | "addr": { "street": "main", 
"city": "DC"} 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample7/schema.cedarschema: -------------------------------------------------------------------------------- 1 | namespace PhotoFlash::Data { 2 | entity Album in [Album]; 3 | entity ScreenTime; 4 | entity User in [UserGroup] { account: Account }; 5 | entity UserGroup; 6 | entity Account { age: Long }; 7 | entity Photo in [Album] { owner: User }; 8 | 9 | action edit appliesTo { principal: [User], resource: [Photo] }; 10 | action view 11 | appliesTo { 12 | principal: [User], 13 | resource: [Photo, ScreenTime], 14 | context: { 15 | addr: { city: String, street: String }, 16 | person: { age: Long, name: String }, 17 | role: Set<String> 18 | } 19 | }; 20 | } 21 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample8/README.md: -------------------------------------------------------------------------------- 1 | ## sample 8 2 | 3 | ### Authorize 4 | 5 | Can User::"bob" view Photo::"VacationPhoto94.jpg" 6 | 7 | Decision: Allow 8 | 9 | ``` 10 | cargo run authorize \ 11 | --policies policy.cedar \ 12 | --entities entity.json \ 13 | --request-json request.json 14 | ``` 15 | 16 | ### Validation: 17 | 18 | Is policy.cedar valid based on the schema schema.cedarschema 19 | 20 | ``` 21 | cargo run validate \ 22 | --policies policy.cedar \ 23 | --schema schema.cedarschema 24 | ``` 25 | 26 | ### Evaluate 27 | 28 | Evaluate a Cedar expression 29 | 30 | ``` 31 | cargo run evaluate \ 32 | --request-json request.json \ 33 | --entities entity.json \ 34 | "principal.score.lessThan(decimal(\"1.2345\"))" 35 | ``` 36 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample8/entity.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "uid": { 
"type":"User", "id":"bob" }, 4 | "attrs": { 5 | "score": { "__extn": { "fn": "decimal", "arg": "0.899" }} 6 | }, 7 | "parents": [] 8 | }, 9 | { 10 | "uid": { "type":"Action", "id":"view" }, 11 | "attrs": {}, 12 | "parents": [] 13 | }, 14 | { 15 | "uid": { "type":"Photo", "id":"VacationPhoto94.jpg" }, 16 | "attrs": { 17 | "owner": { "__entity": { "type":"User", "id":"bob"} } 18 | }, 19 | "parents": [] 20 | } 21 | ] 22 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample8/policy.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal == User::"bob", 3 | action == Action::"view", 4 | resource 5 | ) 6 | when 7 | { 8 | principal == resource.owner && 9 | principal.score.greaterThanOrEqual(decimal("0.75")) 10 | }; 11 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample8/request.json: -------------------------------------------------------------------------------- 1 | { 2 | "principal":"User::\"bob\"", 3 | "action":"Action::\"view\"", 4 | "resource":"Photo::\"VacationPhoto94.jpg\"", 5 | "context":{ } 6 | } 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample8/schema.cedarschema: -------------------------------------------------------------------------------- 1 | entity Album in [Album]; 2 | entity User in [UserGroup] { score: __cedar::decimal }; 3 | entity UserGroup; 4 | entity Photo in [Album] { owner: User }; 5 | 6 | action edit, view appliesTo { principal: [User], resource: [Photo] }; 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample9/README.md: -------------------------------------------------------------------------------- 1 | ## sample 9 2 | 3 | This sample demonstrates using `is` 
operation to write a policy specific to a 4 | particular entity type. 5 | 6 | We want to write a policy allowing the owner of any photo to view that photo. 7 | As a first attempt we could write a policy testing `principal == resource.owner`. 8 | 9 | ```cedar 10 | permit ( 11 | principal, 12 | action == Action::"view", 13 | resource 14 | ) 15 | when { principal == resource.owner }; 16 | ``` 17 | 18 | This doesn't quite work because `Action::"view"` applies to both `Photo` 19 | and `ScreenTime` entities, but only `Photo` entities have an owner. Policy 20 | validation detects this issue before the policy is deployed; at evaluation time, a request for a `ScreenTime` resource would make `resource.owner` raise a missing-attribute error, and Cedar treats a policy whose condition errors as not satisfied, so the flawed policy would silently fail closed (Deny) rather than permit. 21 | 22 | ```console 23 | sample9$ cedar validate --policies policy_bad.cedar --schema schema.cedarschema 24 | Validation Results: 25 | validation error on policy `policy0` at offset 83-97: attribute `owner` for entity type ScreenTime not found 26 | ``` 27 | 28 | We can use the `is` operator to ensure that the policy can only apply to `Photo` entities. 29 | 30 | ```cedar 31 | permit ( 32 | principal, 33 | action == Action::"view", 34 | resource is Photo 35 | ) 36 | when { principal == resource.owner }; 37 | ``` 38 | 39 | ```console 40 | sample9$ cedar validate --policies policy.cedar --schema schema.cedarschema 41 | Validation Passed 42 | ``` 43 | 44 | The policy using `is` will authorize owners to view their photos. We use the 45 | file `request.json` to ask if `User::"Bob"` can view `Photo::"VacationPhoto94.jpg"`. 46 | 47 | ```console 48 | sample9$ cargo run authorize --policies policy.cedar --entities entity.json --request-json request.json 49 | ALLOW 50 | ``` 51 | 52 | This request is allowed because the resource is a photo and `Bob` is the owner of 53 | that photo. 
54 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample9/entity.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "uid": { "type":"Action", "id":"view"}, 4 | "attrs": {}, 5 | "parents": [] 6 | }, 7 | { 8 | "uid": { "type":"User", "id":"Bob"}, 9 | "attrs": {}, 10 | "parents": [] 11 | }, 12 | { 13 | "uid": { "type":"Photo", "id":"VacationPhoto94.jpg" }, 14 | "attrs": { 15 | "owner": { "__entity": { "type":"User", "id":"Bob"} } 16 | }, 17 | "parents": [] 18 | } 19 | ] 20 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample9/policy.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal, 3 | action == Action::"view", 4 | resource is Photo 5 | ) 6 | when { principal == resource.owner }; 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample9/policy_bad.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal, 3 | action == Action::"view", 4 | resource 5 | ) 6 | when { principal == resource.owner }; 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample9/request.json: -------------------------------------------------------------------------------- 1 | { 2 | "principal":"User::\"Bob\"", 3 | "action":"Action::\"view\"", 4 | "resource":"Photo::\"VacationPhoto94.jpg\"", 5 | "context":{ } 6 | } 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample9/schema.cedarschema: -------------------------------------------------------------------------------- 1 | entity User; 2 | entity ScreenTime; 3 | entity Photo { 
owner: User }; 4 | 5 | action edit appliesTo { principal: [User], resource: [Photo] }; 6 | action view appliesTo { principal: [User], resource: [Photo, ScreenTime] }; 7 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/sample9/schema.cedarschema.json: -------------------------------------------------------------------------------- 1 | { 2 | "": { 3 | "entityTypes": { 4 | "User": { }, 5 | "ScreenTime": { 6 | "memberOfTypes": [] 7 | }, 8 | "Photo": { 9 | "shape": { 10 | "type": "Record", 11 | "attributes": { 12 | "owner": { 13 | "type": "Entity", 14 | "name": "User" 15 | } 16 | } 17 | } 18 | } 19 | }, 20 | "actions": { 21 | "view": { 22 | "appliesTo": { 23 | "resourceTypes": [ 24 | "Photo", 25 | "ScreenTime" 26 | ], 27 | "principalTypes": [ 28 | "User" 29 | ] 30 | } 31 | }, 32 | "edit": { 33 | "appliesTo": { 34 | "resourceTypes": [ 35 | "Photo" 36 | ], 37 | "principalTypes": [ 38 | "User" 39 | ] 40 | } 41 | } 42 | } 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/translate-policy/README.md: -------------------------------------------------------------------------------- 1 | # translate-policy 2 | 3 | This sample is used to verify that the cedar-policy-cli's translate-policy 4 | command works as expected when converting from Cedar to JSON format. 
5 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/translate-policy/policy.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal == User::"alice", 3 | action == Action::"update", 4 | resource == Photo::"VacationPhoto94.jpg" 5 | ); 6 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/translate-policy/policy.cedar.json: -------------------------------------------------------------------------------- 1 | {"templates":{},"staticPolicies":{"policy0":{"effect":"permit","principal":{"op":"==","entity":{"type":"User","id":"alice"}},"action":{"op":"==","entity":{"type":"Action","id":"update"}},"resource":{"op":"==","entity":{"type":"Photo","id":"VacationPhoto94.jpg"}},"conditions":[]}},"templateLinks":[]} 2 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/translate-schema/README.md: -------------------------------------------------------------------------------- 1 | # translate-schema 2 | 3 | This sample is used to verify that the cedar-policy-cli's translate-schema 4 | command works as expected when converting between the Cedar and JSON formats. 
5 | -------------------------------------------------------------------------------- /cedar-policy-cli/sample-data/tiny_sandboxes/translate-schema/tinytodo.cedarschema: -------------------------------------------------------------------------------- 1 | type Task = { 2 | "id": Long, 3 | "name": String, 4 | "state": String, 5 | }; 6 | type Tasks = Set; 7 | entity List in [Application] = { 8 | "editors": Team, 9 | "name": String, 10 | "owner": User, 11 | "readers": Team, 12 | "tasks": Tasks, 13 | }; 14 | entity Application; 15 | entity User in [Team, Application] = { 16 | "joblevel": Long, 17 | "location": String, 18 | }; 19 | entity Team in [Team, Application]; 20 | action DeleteList, GetList, UpdateList appliesTo { 21 | principal: [User], 22 | resource: [List] 23 | }; 24 | action CreateList, GetLists appliesTo { 25 | principal: [User], 26 | resource: [Application] 27 | }; 28 | action CreateTask, UpdateTask, DeleteTask appliesTo { 29 | principal: [User], 30 | resource: [List] 31 | }; 32 | action EditShare appliesTo { 33 | principal: [User], 34 | resource: [List] 35 | }; -------------------------------------------------------------------------------- /cedar-policy-core/README.md: -------------------------------------------------------------------------------- 1 | # Cedar Policy Core 2 | 3 | This package contains the Cedar parser and evaluation engine. 4 | 5 | This package exposes low-level and advanced Cedar APIs, e.g., 6 | for interacting with policy ASTs directly. 7 | Anyone simply wanting to use Cedar from a Rust client (e.g., 8 | to make authorization decisions) should use 9 | [`cedar-policy`](../cedar-policy) instead. 10 | 11 | For more information about the Cedar language/project, please take a look 12 | at [cedarpolicy.com](https://www.cedarpolicy.com). 13 | 14 | ## Development 15 | 16 | Build and test this crate independently by running `cargo build` and `cargo test` 17 | from this directory. 
Run these commands from the root directory of this 18 | repository to build and test this package and all other crates in this 19 | repository. This crate is consumed either directly or indirectly by all other 20 | crates in this repository, so a change here may precipitate test failures 21 | elsewhere. 22 | 23 | ## Documentation 24 | 25 | Generated documentation for the latest version can be accessed 26 | [on docs.rs](https://docs.rs/cedar-policy-core). 27 | -------------------------------------------------------------------------------- /cedar-policy-core/build.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | fn main() { 18 | generate_parsers(); 19 | } 20 | 21 | /// Reads parser grammar files (.lalrpop) and generates Rust modules 22 | fn generate_parsers() { 23 | // PANIC SAFETY: panicking inside our build script on a build dependency error is acceptable 24 | #[allow(clippy::expect_used)] 25 | lalrpop::Configuration::new() 26 | .process_dir("src/parser/") 27 | .expect("parser synth"); 28 | 29 | // PANIC SAFETY: panicking inside our build script on a build dependency error is acceptable 30 | #[allow(clippy::expect_used)] 31 | lalrpop::Configuration::new() 32 | .process_dir("src/validator/cedar_schema/") 33 | .expect("parser synth"); 34 | } 35 | -------------------------------------------------------------------------------- /cedar-policy-core/experimental_warning.md: -------------------------------------------------------------------------------- 1 |
2 | This feature is experimental. For more information see https://github.com/cedar-policy/rfcs/blob/main/README.md#experimental-features 3 |
-------------------------------------------------------------------------------- /cedar-policy-core/src/ast.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | //! This module contains the AST datatypes. 18 | 19 | mod expr; 20 | #[cfg(feature = "tolerant-ast")] 21 | pub(crate) mod expr_allows_errors; 22 | pub use expr::*; 23 | mod entity; 24 | pub use entity::*; 25 | mod extension; 26 | pub use extension::*; 27 | mod id; 28 | pub use id::*; 29 | mod integer; 30 | pub use integer::{InputInteger, Integer}; 31 | mod literal; 32 | pub use literal::*; 33 | mod name; 34 | pub use name::*; 35 | mod ops; 36 | pub use ops::*; 37 | mod pattern; 38 | pub use pattern::*; 39 | mod partial_value; 40 | pub use partial_value::*; 41 | mod policy; 42 | pub use policy::*; 43 | mod policy_set; 44 | pub use policy_set::*; 45 | mod request; 46 | pub use request::*; 47 | mod restricted_expr; 48 | pub use restricted_expr::*; 49 | mod types; 50 | pub use types::*; 51 | mod value; 52 | pub use value::*; 53 | mod expr_iterator; 54 | pub use expr_iterator::*; 55 | mod annotation; 56 | pub use annotation::*; 57 | mod expr_visitor; 58 | pub use expr_visitor::*; 59 | -------------------------------------------------------------------------------- /cedar-policy-core/src/ast/integer.rs: 
-------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | //! The integer types we use (both internally and for parsing). 18 | //! By default this is i64, but you may change to some suitable Integer type. 19 | //! If you do change this, some tests for over/underflow will need to change as well. 20 | 21 | /// The integer type we use internally 22 | pub type Integer = i64; 23 | 24 | /// The integer type we use when parsing input 25 | pub type InputInteger = i64; 26 | -------------------------------------------------------------------------------- /cedar-policy-core/src/entities/json.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | //! This module contains functionality for serializing and deserializing Cedar 18 | //! values, entities, Contexts, etc to and from JSON. 19 | 20 | /// Representation of a Cedar value in JSON, and functionality for parsing it. 21 | /// Shared by both entity-attribute and context parsers. 22 | mod value; 23 | pub use value::*; 24 | 25 | /// Parser for `Entities`, with related functionality. 26 | mod entities; 27 | pub use entities::*; 28 | 29 | /// Parser for `Context`, with related functionality. 30 | mod context; 31 | pub use context::*; 32 | 33 | /// the `Schema` trait and related types/traits, used for schema-based parsing. 34 | mod schema; 35 | pub use schema::*; 36 | 37 | /// Types which schema-based parsing expects for Cedar values. 38 | mod schema_types; 39 | pub use schema_types::*; 40 | 41 | /// Error types for JSON serialization and deserialization 42 | pub mod err; 43 | -------------------------------------------------------------------------------- /cedar-policy-core/src/extensions/partial_evaluation.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | #![cfg(feature = "partial-eval")] 17 | 18 | //! 
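//! This module contains the extension for including unknown values
use crate::{
    ast::{CallStyle, Extension, ExtensionFunction, ExtensionOutputValue, Unknown, Value},
    entities::SchemaType,
    evaluator,
};

/// Create a new untyped `Unknown` from the single argument of the
/// `unknown(...)` extension call.
///
/// `v` is the argument value; its string payload becomes the name of the
/// `Unknown`. The `?` propagates the error returned by `get_as_string`
/// (presumably when `v` is not a string), so a bad argument surfaces as an
/// evaluation error rather than a panic.
fn create_new_unknown(v: &Value) -> evaluator::Result<ExtensionOutputValue> {
    Ok(ExtensionOutputValue::Unknown(Unknown::new_untyped(
        v.get_as_string()?.clone(),
    )))
}

/// Construct the `partial_evaluation` extension.
///
/// It registers one function-style function, `unknown`, declared to take a
/// `String` and implemented by `create_new_unknown`; the final argument to
/// `Extension::new` is an empty iterator.
// PANIC SAFETY: all uses of `unwrap` here on parsing extension names are correct names
#[allow(clippy::unwrap_used)]
pub fn extension() -> Extension {
    Extension::new(
        "partial_evaluation".parse().unwrap(),
        vec![ExtensionFunction::partial_eval_unknown(
            "unknown".parse().unwrap(),
            CallStyle::FunctionStyle,
            Box::new(create_new_unknown),
            SchemaType::String,
        )],
        std::iter::empty(),
    )
}
-------------------------------------------------------------------------------- /cedar-policy-core/src/lib.rs: --------------------------------------------------------------------------------
/*
 * Copyright Cedar Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

//! Implementation of the Cedar parser and evaluation engine in Rust.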
18 | #![warn(missing_docs)] 19 | #![cfg_attr(feature = "wasm", allow(non_snake_case))] 20 | 21 | #[macro_use] 22 | extern crate lalrpop_util; 23 | 24 | pub mod ast; 25 | pub mod authorizer; 26 | mod from_normalized_str; 27 | pub use from_normalized_str::*; 28 | pub mod entities; 29 | #[macro_use] 30 | mod error_macros; 31 | pub mod est; 32 | pub mod evaluator; 33 | pub mod expr_builder; 34 | pub mod extensions; 35 | pub mod fuzzy_match; 36 | pub mod jsonvalue; 37 | pub mod parser; 38 | pub mod transitive_closure; 39 | pub mod validator; 40 | 41 | #[cfg(any(test, feature = "test-util"))] 42 | pub mod test_utils; 43 | -------------------------------------------------------------------------------- /cedar-policy-core/src/parser/macros.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /// Macro that returns a `MaybeLoc` value compatible with its compile-time 18 | /// definition. The optional value depends on the flag. 19 | #[macro_export] 20 | macro_rules! 
maybe_loc { 21 | ($flag:ident, $loc:expr) => { 22 | if $flag { 23 | #[cfg(feature = "raw-parsing")] 24 | { 25 | Some(Box::new($loc)) 26 | } 27 | #[cfg(not(feature = "raw-parsing"))] 28 | { 29 | Some($loc) 30 | } 31 | } else { 32 | None 33 | } 34 | }; 35 | } 36 | -------------------------------------------------------------------------------- /cedar-policy-core/src/validator/README.md: -------------------------------------------------------------------------------- 1 | # Cedar Policy Validator 2 | 3 | This submodule contains the validator for Cedar policies. 4 | 5 | This submodule exposes low-level and advanced APIs for Cedar policy validation. 6 | Anyone simply wanting to use Cedar from a Rust client (e.g., to validate that 7 | policies do not contain run time type errors) should use 8 | [`cedar-policy`](../../../cedar-policy) instead. 9 | 10 | ## Documentation 11 | 12 | Generated documentation for the latest version can be accessed 13 | [on docs.rs](https://docs.rs/cedar-policy-core/latest/cedar_policy_core/validator/index.html). 14 | -------------------------------------------------------------------------------- /cedar-policy-core/src/validator/cedar_schema.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | //! 
The Cedar syntax for schemas 18 | 19 | mod ast; 20 | pub use ast::Path; 21 | mod err; 22 | pub mod fmt; 23 | pub mod parser; 24 | pub(crate) mod test; 25 | pub mod to_json_schema; 26 | pub use err::ParseError; 27 | pub use err::{schema_warnings, SchemaWarning}; 28 | -------------------------------------------------------------------------------- /cedar-policy-core/src/validator/cedar_schema/testfiles/example.cedarschema: -------------------------------------------------------------------------------- 1 | entity TopLevel = { 2 | "obj": { 3 | "nestedStr": String 4 | } 5 | }; 6 | 7 | namespace EmptyNs { 8 | } 9 | 10 | namespace Ns { 11 | type Bar = { 12 | "obj": { 13 | "nestedLong": Long, 14 | "nestedObj": { 15 | "nestedStr": String 16 | } 17 | }, 18 | "setWithAnonymousType": Set<{ 19 | "key": String, 20 | "val": String 21 | }> 22 | }; 23 | 24 | entity Resource = { 25 | "bar": Bar 26 | }; 27 | 28 | entity User; 29 | 30 | action "get" appliesTo { 31 | principal: [User], 32 | resource: [Resource], 33 | context: {} 34 | }; 35 | } 36 | -------------------------------------------------------------------------------- /cedar-policy-core/src/validator/deprecated_schema_compat.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
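*/

mod conversion;
mod json_schema;

#[cfg(test)]
mod test;
-------------------------------------------------------------------------------- /cedar-policy-core/src/validator/partition_nonempty.rs: --------------------------------------------------------------------------------
use itertools::Itertools;
use nonempty::NonEmpty;

/// A trait for partitioning a collection of `Result`s into a collection of `Ok` values or a `NonEmpty` of `Err` values.
pub(crate) trait PartitionNonEmpty<T, E> {
    /// Consumes the collection. Returns `Ok(C)` holding every `Ok` payload when
    /// no item is an `Err`; otherwise returns every `Err` payload as a
    /// `NonEmpty<E>` (so the error case is never empty by construction).
    fn partition_nonempty<C>(self) -> std::result::Result<C, NonEmpty<E>>
    where
        C: Default + Extend<T>;
}

impl<T, E, I> PartitionNonEmpty<T, E> for I
where
    I: Iterator<Item = Result<T, E>>,
{
    fn partition_nonempty<C>(self) -> Result<C, NonEmpty<E>>
    where
        C: Default + Extend<T>,
    {
        // itertools' `partition_result` splits the iterator into its `Ok` and
        // `Err` payloads; the `Ok` side collects into the caller-chosen `C`.
        let (oks, errs): (_, Vec<_>) = self.partition_result();

        // `NonEmpty::from_vec` yields `None` for an empty `Vec`, which is the
        // "no errors" case.
        if let Some(errs) = NonEmpty::from_vec(errs) {
            Err(errs)
        } else {
            Ok(oks)
        }
    }
}
-------------------------------------------------------------------------------- /cedar-policy-core/src/validator/typecheck/test.rs: --------------------------------------------------------------------------------
/*
 * Copyright Cedar Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.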
15 | */ 16 | 17 | #![cfg(test)] 18 | // PANIC SAFETY unit tests 19 | #![allow(clippy::panic)] 20 | // PANIC SAFETY unit tests 21 | #![allow(clippy::indexing_slicing)] 22 | #![allow(clippy::cognitive_complexity)] 23 | 24 | pub(crate) mod test_utils; 25 | 26 | mod expr; 27 | mod extensions; 28 | mod namespace; 29 | mod optional_attributes; 30 | #[cfg(feature = "partial-validate")] 31 | mod partial; 32 | mod policy; 33 | mod strict; 34 | mod tags; 35 | mod type_annotation; 36 | mod unspecified_entity; 37 | -------------------------------------------------------------------------------- /cedar-policy-formatter/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "cedar-policy-formatter" 3 | version.workspace = true 4 | edition.workspace = true 5 | rust-version.workspace = true 6 | license.workspace = true 7 | categories.workspace = true 8 | description = "Policy formatter for the Cedar Policy Language." 9 | keywords.workspace = true 10 | homepage.workspace = true 11 | repository.workspace = true 12 | 13 | [dependencies] 14 | cedar-policy-core = { version = "=4.4.0", path = "../cedar-policy-core" } 15 | pretty = "0.12.4" 16 | logos = "0.15.0" 17 | itertools = "0.14" 18 | smol_str = { version = "0.3", features = ["serde"] } 19 | regex = { version= "1.9.1", features = ["unicode"] } 20 | miette = { version = "7.6.0" } 21 | lazy_static = "1.4.0" 22 | 23 | [dev-dependencies] 24 | insta = { version = "1.43.1", features = ["glob"] } 25 | 26 | [lints] 27 | workspace = true 28 | 29 | [features] 30 | tolerant-ast = ["cedar-policy-core/tolerant-ast"] 31 | experimental = ["tolerant-ast"] 32 | -------------------------------------------------------------------------------- /cedar-policy-formatter/src/lib.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may 
not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | //! Formatter for Cedar policies 18 | 19 | mod pprint; 20 | pub use pprint::*; 21 | -------------------------------------------------------------------------------- /cedar-policy-formatter/src/pprint/config.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
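*/

use super::token::WrappedToken;

/// Configuration struct that specifies line width and indentation width
#[derive(Debug, Clone)]
pub struct Config {
    /// Line width, in columns
    pub line_width: usize,
    /// Indentation width, in columns
    pub indent_width: isize,
}

impl Default for Config {
    /// 80-column lines, indented by 2.
    fn default() -> Self {
        Self {
            line_width: 80,
            indent_width: 2,
        }
    }
}

/// State for one formatting pass: the `Config` in use and the tokens to
/// print. `'src` is the lifetime the tokens borrow (presumably the source
/// text being formatted — confirm against `token.rs`).
#[derive(Debug)]
pub struct Context<'a, 'src> {
    pub config: &'a Config,
    pub tokens: Vec<WrappedToken<'src>>,
}
-------------------------------------------------------------------------------- /cedar-policy-formatter/src/pprint/mod.rs: --------------------------------------------------------------------------------
/*
 * Copyright Cedar Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.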
15 | */ 16 | 17 | mod fmt; 18 | pub use fmt::*; 19 | mod config; 20 | pub use config::*; 21 | mod doc; 22 | pub mod lexer; 23 | pub mod token; 24 | mod utils; 25 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/action_in_set.cedar: -------------------------------------------------------------------------------- 1 | permit ( 2 | principal in UserGroup::"abc", 3 | action in [Action::"viewPhoto", Action::"viewComments"], 4 | resource in Album::"one" 5 | ); 6 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/annotations.cedar: -------------------------------------------------------------------------------- 1 | @id("foo") 2 | permit (principal, action, resource); 3 | 4 | @id(" 5 | foo 6 | 7 | bar 8 | ") 9 | permit (principal, action, resource); 10 | 11 | @shadow_mode 12 | permit (principal, action, resource); 13 | 14 | @shadow_mode("") 15 | permit (principal, action, resource); 16 | 17 | @shadow_mode // shadow mode is on 18 | permit (principal, action, resource); 19 | 20 | @shadow_mode("") // shadow mode is also on 21 | permit (principal, action, resource); 22 | 23 | @foo@bar@baz("buz") permit(principal, action, resource); 24 | 25 | // foo 26 | @foo@bar 27 | // baz buz 28 | @baz("buz") 29 | // also biz 30 | @biz 31 | permit (principal, action, resource); 32 | 33 | @//1 34 | //2 35 | shadow_mode//3 36 | //4 37 | permit (principal, action, resource); 38 | 39 | @//5 40 | //6 41 | shadow_mode//7 42 | //8 43 | (//9 44 | //10 45 | ""//11 46 | //12 47 | )//13 48 | //14 49 | permit (principal, action, resource); 50 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/arith.cedar: -------------------------------------------------------------------------------- 1 | permit(principal, action, resource) when { 2 | (principal.widgets + principal.gadgets) < resource.limit 3 | }; 4 | 5 | 
permit(principal, action, resource) when { 6 | (principal.widgets - principal.gadgets) == principal.fidgets 7 | }; 8 | 9 | permit(principal, action, resource) when { 10 | (principal.widgets * 2) < resource.limit 11 | }; 12 | 13 | permit(principal, action, resource) when { 14 | - principal.negative_age > resource.min_age 15 | }; 16 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/blank_lines.cedar: -------------------------------------------------------------------------------- 1 | // Test fix for #862 where blank lines in strings were removed. 2 | 3 | // The output of the formatter should change string or eid content (including 4 | // removing blank lines) because this will change the policy's semantics. It is 5 | // ok to remove blank lines everywhere else. 6 | 7 | permit(principal == User 8 | 9 | :: 10 | 11 | "alice", action, resource 12 | 13 | in Folder::"Name 14 | 15 | 16 | with a newline") when // trailing comment 17 | 18 | { 19 | 20 | context.foo == "string 21 | 22 | with 23 | 24 | newlines and other strange characters🐈👍\" 25 | 26 | // even something that looks like a comment 27 | 28 | " 29 | 30 | // Quotes in comments " 31 | 32 | // shouldn't matter " 33 | 34 | }; 35 | 36 | // A fuzzer-generated policy that wasn't correctly formatter with the original fix 37 | permit( 38 | principal is User in Group::"friends", 39 | action, 40 | resource is Photo in Album::"vacation" 41 | ) when { 42 | (User::"alice" is User) && (User::"alice" in 43 | Group::" 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | friends") 53 | }; -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_a__policies_1.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | 
input_file: cedar-policy-cli/sample-data/sandbox_a/policies_1.cedar 5 | --- 6 | // Everyone in the group UserGroup::"jane_friends" can view this specific photo 7 | @id("jane's friends view-permission policy") 8 | permit ( 9 | principal in UserGroup::"jane_friends", 10 | action == Action::"view", 11 | resource == Photo::"VacationPhoto94.jpg" 12 | ); 13 | 14 | // but Tim is disallowed from viewing the photo 15 | @id("disallow tim policy") 16 | forbid ( 17 | principal == User::"tim", 18 | action, 19 | resource == Photo::"VacationPhoto94.jpg" 20 | ); 21 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_a__policies_1_bad.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_a/policies_1_bad.cedar 5 | --- 6 | // Everyone in the group UserGroup::"jane_friends" can view this specific photo 7 | @id("jane's friends view-permission policy") 8 | permit ( 9 | principal in UsrGroup::"jane_friends", 10 | action == Action::"view", 11 | resource == Photo::"VacationPhoto94.jpg" 12 | ); 13 | 14 | // but Tim is disallowed from viewing the photo 15 | @id("disallow tim policy") 16 | forbid ( 17 | principal == User::"tim", 18 | action, 19 | resource == Photo::"VacationPhoto94.jpg" 20 | ); 21 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_a__policies_2.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_a/policies_2.cedar 5 | --- 6 | 
// Alice can view, edit, or delete any photo in the "jane_vacation" album 7 | @id("alice's access policy") 8 | permit ( 9 | principal == User::"alice", 10 | action in [Action::"view", Action::"edit", Action::"delete"], 11 | resource in Album::"jane_vacation" 12 | ); 13 | 14 | // Bob can only view things in the "jane_vacation" album 15 | @id("bob's view policy") 16 | permit ( 17 | principal == User::"bob", 18 | action == Action::"view", 19 | resource in Album::"jane_vacation" 20 | ); 21 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_a__policies_3.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_a/policies_3.cedar 5 | --- 6 | // Everyone can view the photos in the "jane_vacation" album 7 | // (and list the photos in the album) 8 | @id("jane_vacation public") 9 | permit ( 10 | principal, 11 | action in [Action::"view", Action::"listPhotos"], 12 | resource in Album::"jane_vacation" 13 | ); 14 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_b__policies_4.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_b/policies_4.cedar 5 | --- 6 | // Only members of the HardwareEngineering department with job level >= 5 can 7 | // view photos in device_prototypes 8 | @id("prototypes access policy") 9 | permit ( 10 | principal, 11 | action == Action::"view", 12 | resource in Album::"device_prototypes" 13 | ) 14 | when 15 
| { principal.department == "HardwareEngineering" && principal.jobLevel >= 5 }; 16 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_b__policies_5.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_b/policies_5.cedar 5 | --- 6 | // Alice's friends can view all of her photos 7 | @id("alice's friends view policy") 8 | permit ( 9 | principal in UserGroup::"alice_friends", 10 | action == Action::"view", 11 | resource in Account::"alice" 12 | ); 13 | 14 | // but, as a general rule, anything marked private can only be viewed by the 15 | // account owner 16 | @id("privacy rule") 17 | forbid (principal, action, resource) 18 | when { resource.private } 19 | unless { resource.account has owner && resource.account.owner == principal }; 20 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_b__policies_5_bad.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_b/policies_5_bad.cedar 5 | --- 6 | // Alice's friends can view all of her photos 7 | @id("alice's friends view policy") 8 | permit ( 9 | principal in UserGroup::"alice_friends", 10 | action == Action::"view", 11 | resource in Account::"alice" 12 | ); 13 | 14 | // but, as a general rule, anything marked private can only be viewed by the 15 | // account owner 16 | @id("privacy rule") 17 | forbid (principal, action, resource) 18 | when { resource.private } 19 | unless { 
resource.account.owner == principal }; 20 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_b__policies_6.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_b/policies_6.cedar 5 | --- 6 | // Alice's friends can view all of her photos 7 | @id("alice's friends view policy") 8 | permit ( 9 | principal in UserGroup::"alice_friends", 10 | action == Action::"view", 11 | resource in Account::"alice" 12 | ); 13 | 14 | // but forbid all requests coming from this IP range 15 | @id("ip_denylist") 16 | forbid (principal, action, resource) 17 | when { context.source_ip.isInRange(ip("222.222.222.0/24")) }; 18 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_c__policies.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_c/policies.cedar 5 | --- 6 | // Template for permitting vacation photo access 7 | @id("AccessVacation") 8 | permit ( 9 | principal in ?principal, 10 | action == Action::"view", 11 | resource == Photo::"VacationPhoto94.jpg" 12 | ); 13 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@sandbox_c__policies_edited.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | 
expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_c/policies_edited.cedar 5 | --- 6 | // Template for permitting vacation photo access 7 | @id("AccessVacation") 8 | permit ( 9 | principal in ?principal, 10 | action == Action::"view", 11 | resource == Photo::"VacationPhoto94.jpg" 12 | ) 13 | when { principal has department && principal.department == "research" }; 14 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__format__formatted.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/format/formatted.cedar 5 | --- 6 | permit ( 7 | principal == User::"alice", 8 | action == Action::"update", 9 | resource == Photo::"VacationPhoto94.jpg" 10 | ); 11 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__format__unformatted.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/format/unformatted.cedar 5 | --- 6 | permit ( 7 | principal == User::"alice", 8 | action == Action::"update", 9 | resource == Photo::"VacationPhoto94.jpg" 10 | ); 11 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample1__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: 
cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample1/policy.cedar 5 | --- 6 | permit ( 7 | principal == User::"alice", 8 | action == Action::"view", 9 | resource in Album::"jane_vacation" 10 | ); 11 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample2__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample2/policy.cedar 5 | --- 6 | permit ( 7 | principal == User::"bob", 8 | action in [Action::"view", Action::"edit"], 9 | resource 10 | ) 11 | when { resource.owner == principal }; 12 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample3__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample3/policy.cedar 5 | --- 6 | permit ( 7 | principal == User::"bob", 8 | action in [Action::"view", Action::"edit"], 9 | resource in Album::"jane_vacation" 10 | ); 11 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample4__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: 
cedar-policy-cli/sample-data/tiny_sandboxes/sample4/policy.cedar 5 | --- 6 | permit ( 7 | principal == User::"bob", 8 | action == Action::"view", 9 | resource 10 | ) 11 | when { action == Action::"view" }; 12 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample5__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample5/policy.cedar 5 | --- 6 | permit ( 7 | principal == User::"bob", 8 | action == Action::"view", 9 | resource 10 | ) 11 | when 12 | { 13 | principal == resource.owner && 14 | ip("127.0.0.1") == ip("127.0.0.1") && 15 | principal.addr.isLoopback() && 16 | ip("192.168.0.1").isInRange(ip("192.168.0.1/24")) && 17 | [ip("127.0.0.1"), ip("127.0.0.2")].containsAny([principal.addr]) && 18 | principal.addr == ip("127.0.0.1") && 19 | principal.addr.isInRange(ip("127.0.0.1/28")) && 20 | principal.addr.isIpv4() && 21 | ip("224.0.0.0").isMulticast() 22 | }; 23 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample6__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample6/policy.cedar 5 | --- 6 | permit ( 7 | principal in UserGroup::"guardians", 8 | action in [Action::"view"], 9 | resource == ScreenTime::"activity" 10 | ) 11 | when { principal.account.age >= 18 }; 12 | -------------------------------------------------------------------------------- 
/cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample7__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample7/policy.cedar 5 | --- 6 | permit ( 7 | principal == PhotoFlash::Data::User::"alice", 8 | action == PhotoFlash::Data::Action::"view", 9 | resource in PhotoFlash::Data::Album::"jane_vacation" 10 | ) 11 | when 12 | { 13 | context.role.contains("admin") && 14 | context.person.age > 17 && 15 | context.addr.city == "DC" || 16 | context.addr == {city:"DC", street:"main"} 17 | }; 18 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample8__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample8/policy.cedar 5 | --- 6 | permit ( 7 | principal == User::"bob", 8 | action == Action::"view", 9 | resource 10 | ) 11 | when 12 | { 13 | principal == resource.owner && 14 | principal.score.greaterThanOrEqual(decimal("0.75")) 15 | }; 16 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample9__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample9/policy.cedar 5 | --- 6 | permit ( 7 | principal, 
8 | action == Action::"view", 9 | resource is Photo 10 | ) 11 | when { principal == resource.owner }; 12 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__cli_sample_data_format@tiny_sandboxes__sample9__policy_bad.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample9/policy_bad.cedar 5 | --- 6 | permit ( 7 | principal, 8 | action == Action::"view", 9 | resource 10 | ) 11 | when { principal == resource.owner }; 12 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_a__policies_1.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_a/policies_1.cedar 5 | --- 6 | // Everyone in the group UserGroup::"jane_friends" can view this specific photo 7 | @id("jane's friends view-permission policy") 8 | permit ( 9 | principal in UserGroup::"jane_friends", 10 | action == Action::"view", 11 | resource == Photo::"VacationPhoto94.jpg" 12 | ); 13 | 14 | // but Tim is disallowed from viewing the photo 15 | @id("disallow tim policy") 16 | forbid ( 17 | principal == User::"tim", 18 | action, 19 | resource == Photo::"VacationPhoto94.jpg" 20 | ); 21 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_a__policies_1_bad.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | 
source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_a/policies_1_bad.cedar 5 | --- 6 | // Everyone in the group UserGroup::"jane_friends" can view this specific photo 7 | @id("jane's friends view-permission policy") 8 | permit ( 9 | principal in UsrGroup::"jane_friends", 10 | action == Action::"view", 11 | resource == Photo::"VacationPhoto94.jpg" 12 | ); 13 | 14 | // but Tim is disallowed from viewing the photo 15 | @id("disallow tim policy") 16 | forbid ( 17 | principal == User::"tim", 18 | action, 19 | resource == Photo::"VacationPhoto94.jpg" 20 | ); 21 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_a__policies_2.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_a/policies_2.cedar 5 | --- 6 | // Alice can view, edit, or delete any photo in the "jane_vacation" album 7 | @id("alice's access policy") 8 | permit ( 9 | principal == User::"alice", 10 | action in [Action::"view", Action::"edit", Action::"delete"], 11 | resource in Album::"jane_vacation" 12 | ); 13 | 14 | // Bob can only view things in the "jane_vacation" album 15 | @id("bob's view policy") 16 | permit ( 17 | principal == User::"bob", 18 | action == Action::"view", 19 | resource in Album::"jane_vacation" 20 | ); 21 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_a__policies_3.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | 
input_file: cedar-policy-cli/sample-data/sandbox_a/policies_3.cedar 5 | --- 6 | // Everyone can view the photos in the "jane_vacation" album 7 | // (and list the photos in the album) 8 | @id("jane_vacation public") 9 | permit ( 10 | principal, 11 | action in [Action::"view", Action::"listPhotos"], 12 | resource in Album::"jane_vacation" 13 | ); 14 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_b__policies_4.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_b/policies_4.cedar 5 | --- 6 | // Only members of the HardwareEngineering department with job level >= 5 can 7 | // view photos in device_prototypes 8 | @id("prototypes access policy") 9 | permit ( 10 | principal, 11 | action == Action::"view", 12 | resource in Album::"device_prototypes" 13 | ) 14 | when 15 | { principal.department == "HardwareEngineering" && principal.jobLevel >= 5 }; 16 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_b__policies_5.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_b/policies_5.cedar 5 | --- 6 | // Alice's friends can view all of her photos 7 | @id("alice's friends view policy") 8 | permit ( 9 | principal in UserGroup::"alice_friends", 10 | action == Action::"view", 11 | resource in Account::"alice" 12 | ); 13 | 14 | // but, as a general rule, anything marked private can only be viewed by the 15 | // account owner 16 | @id("privacy 
rule") 17 | forbid (principal, action, resource) 18 | when { resource.private } 19 | unless { resource.account has owner && resource.account.owner == principal }; 20 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_b__policies_5_bad.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_b/policies_5_bad.cedar 5 | --- 6 | // Alice's friends can view all of her photos 7 | @id("alice's friends view policy") 8 | permit ( 9 | principal in UserGroup::"alice_friends", 10 | action == Action::"view", 11 | resource in Account::"alice" 12 | ); 13 | 14 | // but, as a general rule, anything marked private can only be viewed by the 15 | // account owner 16 | @id("privacy rule") 17 | forbid (principal, action, resource) 18 | when { resource.private } 19 | unless { resource.account.owner == principal }; 20 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_b__policies_6.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_b/policies_6.cedar 5 | --- 6 | // Alice's friends can view all of her photos 7 | @id("alice's friends view policy") 8 | permit ( 9 | principal in UserGroup::"alice_friends", 10 | action == Action::"view", 11 | resource in Account::"alice" 12 | ); 13 | 14 | // but forbid all requests coming from this IP range 15 | @id("ip_denylist") 16 | forbid (principal, action, resource) 17 | when { 
context.source_ip.isInRange(ip("222.222.222.0/24")) }; 18 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_c__policies.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_c/policies.cedar 5 | --- 6 | // Template for permitting vacation photo access 7 | @id("AccessVacation") 8 | permit ( 9 | principal in ?principal, 10 | action == Action::"view", 11 | resource == Photo::"VacationPhoto94.jpg" 12 | ); 13 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@sandbox_c__policies_edited.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/sandbox_c/policies_edited.cedar 5 | --- 6 | // Template for permitting vacation photo access 7 | @id("AccessVacation") 8 | permit ( 9 | principal in ?principal, 10 | action == Action::"view", 11 | resource == Photo::"VacationPhoto94.jpg" 12 | ) 13 | when { principal has department && principal.department == "research" }; 14 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__format__formatted.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/format/formatted.cedar 5 | --- 6 | permit ( 7 | 
principal == User::"alice", 8 | action == Action::"update", 9 | resource == Photo::"VacationPhoto94.jpg" 10 | ); 11 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__format__unformatted.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/format/unformatted.cedar 5 | --- 6 | permit ( 7 | principal == User::"alice", 8 | action == Action::"update", 9 | resource == Photo::"VacationPhoto94.jpg" 10 | ); 11 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__level-validation__policy-level-0.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/level-validation/policy-level-0.cedar 5 | --- 6 | permit ( 7 | principal == User::"alice", 8 | action == Action::"view", 9 | resource 10 | ) 11 | when { context.token.is_secure }; 12 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__level-validation__policy-level-1.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/level-validation/policy-level-1.cedar 5 | --- 6 | permit (principal, action, resource) 7 | when { principal.jobLevel > 5 }; 8 | 
-------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__level-validation__policy-level-2.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/level-validation/policy-level-2.cedar 5 | --- 6 | @id("attr-access") 7 | permit (principal, action, resource) 8 | when { principal.manager in Group::"admins" }; 9 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample1__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample1/policy.cedar 5 | --- 6 | permit ( 7 | principal == User::"alice", 8 | action == Action::"view", 9 | resource in Album::"jane_vacation" 10 | ); 11 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample2__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample2/policy.cedar 5 | --- 6 | permit ( 7 | principal == User::"bob", 8 | action in [Action::"view", Action::"edit"], 9 | resource 10 | ) 11 | when { resource.owner == principal }; 12 | -------------------------------------------------------------------------------- 
/cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample3__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample3/policy.cedar 5 | --- 6 | permit ( 7 | principal == User::"bob", 8 | action in [Action::"view", Action::"edit"], 9 | resource in Album::"jane_vacation" 10 | ); 11 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample4__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample4/policy.cedar 5 | --- 6 | permit ( 7 | principal == User::"bob", 8 | action == Action::"view", 9 | resource 10 | ) 11 | when { action == Action::"view" }; 12 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample5__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample5/policy.cedar 5 | --- 6 | permit ( 7 | principal == User::"bob", 8 | action == Action::"view", 9 | resource 10 | ) 11 | when 12 | { 13 | principal == resource.owner && 14 | ip("127.0.0.1") == ip("127.0.0.1") && 15 | principal.addr.isLoopback() && 16 | ip("192.168.0.1").isInRange(ip("192.168.0.1/24")) && 17 | [ip("127.0.0.1"), 
ip("127.0.0.2")].containsAny([principal.addr]) && 18 | principal.addr == ip("127.0.0.1") && 19 | principal.addr.isInRange(ip("127.0.0.1/28")) && 20 | principal.addr.isIpv4() && 21 | ip("224.0.0.0").isMulticast() 22 | }; 23 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample6__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample6/policy.cedar 5 | --- 6 | permit ( 7 | principal in UserGroup::"guardians", 8 | action in [Action::"view"], 9 | resource == ScreenTime::"activity" 10 | ) 11 | when { principal.account.age >= 18 }; 12 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample7__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample7/policy.cedar 5 | --- 6 | permit ( 7 | principal == PhotoFlash::Data::User::"alice", 8 | action == PhotoFlash::Data::Action::"view", 9 | resource in PhotoFlash::Data::Album::"jane_vacation" 10 | ) 11 | when 12 | { 13 | context.role.contains("admin") && 14 | context.person.age > 17 && 15 | context.addr.city == "DC" || 16 | context.addr == {city:"DC", street:"main"} 17 | }; 18 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample8__policy.cedar.snap: 
-------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample8/policy.cedar 5 | --- 6 | permit ( 7 | principal == User::"bob", 8 | action == Action::"view", 9 | resource 10 | ) 11 | when 12 | { 13 | principal == resource.owner && 14 | principal.score.greaterThanOrEqual(decimal("0.75")) 15 | }; 16 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample9__policy.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample9/policy.cedar 5 | --- 6 | permit ( 7 | principal, 8 | action == Action::"view", 9 | resource is Photo 10 | ) 11 | when { principal == resource.owner }; 12 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__sample9__policy_bad.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/sample9/policy_bad.cedar 5 | --- 6 | permit ( 7 | principal, 8 | action == Action::"view", 9 | resource 10 | ) 11 | when { principal == resource.owner }; 12 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/cli-snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@tiny_sandboxes__translate-policy__policy.cedar.snap: 
-------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-cli/sample-data/tiny_sandboxes/translate-policy/policy.cedar 5 | --- 6 | permit ( 7 | principal == User::"alice", 8 | action == Action::"update", 9 | resource == Photo::"VacationPhoto94.jpg" 10 | ); 11 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/comment_euid_elems.cedar: -------------------------------------------------------------------------------- 1 | // Test fix for #787 where comments between euid elements were reorderd. 2 | permit(principal, action, resource == a // 1 3 | // 2 4 | :: 5 | // 3 6 | ""); 7 | 8 | permit(principal, action in 9 | [ 10 | Action // 4 11 | // 5 12 | :: 13 | // 6 14 | "" 15 | ] 16 | , 17 | resource); 18 | 19 | permit(principal, action, resource) when { a // 7 20 | // 8 21 | :: 22 | // 9 23 | ""}; 24 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/comment_only.cedar: -------------------------------------------------------------------------------- 1 | // Comments in an empty file are a valid policy set. 2 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/comment_trailing_whitespace.cedar: -------------------------------------------------------------------------------- 1 | // Tests that trailing spaces are correctly removed at the end of comment lines. 2 | 3 | // ___WARNING___ Some editors will automaticaly trim trailing whitespace, but 4 | // this file expliciclty tests formatter behavior in this case. When making 5 | // changes to this file check that the comments still have trailing whitespace. 
6 | 7 | // There is a space at the end of this line 8 | permit (principal, action, resource); 9 | 10 | // No space here 11 | // But there is one here 12 | permit (principal, action, resource); 13 | 14 | // No space here 15 | // Leading space before this comment 16 | // A tab character here: 17 | permit (principal, action, resource); 18 | 19 | permit (principal, // Trailing comment Space 20 | // Leading comment Space 21 | // Leading comment Space 22 | // Leading comment Space 23 | action, resource); 24 | 25 | // end of file comment with space 26 | // on these lines 27 | 28 | // trailing whitespace on the last line is ignored by insta, so we test that 29 | // case as part of `test_add_trailing_newline` in `fmt.rs` 30 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/empty.cedar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cedar-policy/cedar/3f474ccc89acbaa0a1f7e62add954a66989271a9/cedar-policy-formatter/tests/empty.cedar -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/empty_list.cedar: -------------------------------------------------------------------------------- 1 | permit(principal, action, resource) when { 2 | principal.things == [] 3 | }; 4 | 5 | permit(principal, action, resource) when { 6 | principal.things == [ 7 | // This is empty 8 | ] 9 | }; 10 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/empty_record.cedar: -------------------------------------------------------------------------------- 1 | forbid(principal, action, resource) when { 2 | principal.tags == {} 3 | }; 4 | 5 | forbid(principal, action, resource) when { 6 | principal.tags == { // This 7 | // is 8 | // empty 9 | } 10 | }; 11 | -------------------------------------------------------------------------------- 
/cedar-policy-formatter/tests/extended_has.cedar: -------------------------------------------------------------------------------- 1 | // An example from RFC 2 | permit( 3 | principal is User, 4 | action == Action::"preview", 5 | resource == Movie::"Blockbuster" 6 | ) when { 7 | // extended has 8 | principal has 9 | // contactInfo 10 | contactInfo. 11 | // address 12 | address. 13 | // zip 14 | zip && 15 | // we are safe to access all attributes 16 | principal.contactInfo.address.zip == "90210" 17 | }; 18 | 19 | // Same example without comments 20 | permit( 21 | principal is User, 22 | action == Action::"preview", 23 | resource == Movie::"Blockbuster" 24 | ) when { 25 | principal has 26 | contactInfo. 27 | address. 28 | zip && 29 | principal.contactInfo.address.zip == "90210" 30 | }; 31 | 32 | // Same example with long attributes 33 | permit( 34 | principal is User, 35 | action == Action::"preview", 36 | resource == Movie::"Blockbuster" 37 | ) when { 38 | principal has 39 | contactInfooooooooooooooooooooooooooooooooooooooooooooooo. 40 | addressssssssssssssssssssss. 
41 | zipppppppppppp && 42 | principal.contactInfo.address.zip == "90210" 43 | }; -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/index.cedar: -------------------------------------------------------------------------------- 1 | permit(principal, action, resource) when { 2 | principal["is_admin"] 3 | }; 4 | 5 | permit(principal, action, resource) when { 6 | principal["roles"]["admin"] 7 | }; 8 | 9 | permit(principal, action, resource) when { 10 | principal // principal 11 | ["roles"] // get roles 12 | ["admin"] // get the admin role 13 | }; 14 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/is_policies.cedar: -------------------------------------------------------------------------------- 1 | permit( principal is User, action, resource is Photo) when { User::"alice" is User }; 2 | permit( principal is User in Group::"friends", action, resource is Photo in Album::"vacation") when { User::"alice" is User in Group::"friends" }; 3 | 4 | permit // 0 5 | ( // 1 6 | principal // 2 7 | is // 3 8 | User // 4 9 | , // 5 10 | action // 6 11 | , // 7 12 | resource // 8 13 | is // 9 14 | Photo // 10 15 | ) // 11 16 | when // 12 17 | { // 13 18 | User // 14 19 | :: // 15 20 | "alice" // 16 21 | is // 17 22 | User // 18 23 | } // 19 24 | ; // 20 25 | 26 | permit // 0 27 | ( // 1 28 | principal // 2 29 | is // 3 30 | User // 4 31 | in // 5 32 | Group // 6 33 | :: // 7 34 | "friends" // 8 35 | , // 9 36 | action, // 10 37 | resource // 11 38 | is // 12 39 | Photo // 13 40 | in // 14 41 | Album // 15 42 | :: // 16 43 | "vacation" // 17 44 | ) // 18 45 | when // 19 46 | { // 20 47 | User // 21 48 | :: // 22 49 | "alice" // 23 50 | is // 24 51 | User // 25 52 | in // 26 53 | Group // 27 54 | :: // 28 55 | "friends" // 29 56 | } // 30 57 | ; // 31 58 | 59 | permit (principal, action, resource is List) 60 | when { resource.owner == principal }; 
-------------------------------------------------------------------------------- /cedar-policy-formatter/tests/ite_comment.cedar: -------------------------------------------------------------------------------- 1 | permit(principal, action, resource) when { 2 | // 0 3 | if // 1 4 | true // 2 5 | then // 3 6 | 1 // 4 7 | else // 5 8 | 2 // 6 9 | }; 10 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/like.cedar: -------------------------------------------------------------------------------- 1 | permit(principal, action, resource) when { 2 | resource.path like "/home/*" 3 | }; 4 | 5 | permit(principal, action, resource) when { 6 | resource.path // Checking path 7 | like 8 | // is `home` 9 | "/home/*" 10 | }; 11 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@action_in_set.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/action_in_set.cedar 5 | --- 6 | permit ( 7 | principal in UserGroup::"abc", 8 | action in [Action::"viewPhoto", Action::"viewComments"], 9 | resource in Album::"one" 10 | ); 11 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@annotations.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/annotations.cedar 5 | --- 6 | @id("foo") 7 | permit (principal, action, resource); 8 | 9 | @id(" 10 | foo 11 | 12 | bar 13 | ") 14 | permit (principal, action, resource); 15 | 16 | @shadow_mode 17 | 
permit (principal, action, resource); 18 | 19 | @shadow_mode("") 20 | permit (principal, action, resource); 21 | 22 | @shadow_mode // shadow mode is on 23 | permit (principal, action, resource); 24 | 25 | @shadow_mode("") // shadow mode is also on 26 | permit (principal, action, resource); 27 | 28 | @foo 29 | @bar 30 | @baz("buz") 31 | permit (principal, action, resource); 32 | 33 | // foo 34 | @foo 35 | @bar 36 | // baz buz 37 | @baz("buz") 38 | // also biz 39 | @biz 40 | permit (principal, action, resource); 41 | 42 | @ //1 43 | //2 44 | shadow_mode //3 45 | //4 46 | permit (principal, action, resource); 47 | 48 | @ //5 49 | //6 50 | shadow_mode //7 51 | //8 52 | ( //9 53 | //10 54 | "" //11 55 | //12 56 | ) //13 57 | //14 58 | permit (principal, action, resource); 59 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@arith.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/arith.cedar 5 | --- 6 | permit (principal, action, resource) 7 | when { (principal.widgets + principal.gadgets) < resource.limit }; 8 | 9 | permit (principal, action, resource) 10 | when { (principal.widgets - principal.gadgets) == principal.fidgets }; 11 | 12 | permit (principal, action, resource) 13 | when { (principal.widgets * 2) < resource.limit }; 14 | 15 | permit (principal, action, resource) 16 | when { -principal.negative_age > resource.min_age }; 17 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@blank_lines.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: 
cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/blank_lines.cedar 5 | --- 6 | // Test fix for #862 where blank lines in strings were removed. 7 | // The output of the formatter should change string or eid content (including 8 | // removing blank lines) because this will change the policy's semantics. It is 9 | // ok to remove blank lines everywhere else. 10 | permit ( 11 | principal == User::"alice", 12 | action, 13 | resource in Folder::"Name 14 | 15 | 16 | with a newline" 17 | ) 18 | when // trailing comment 19 | { 20 | context.foo == "string 21 | 22 | with 23 | 24 | newlines and other strange characters🐈👍\" 25 | 26 | // even something that looks like a comment 27 | 28 | " 29 | // Quotes in comments " 30 | // shouldn't matter " 31 | }; 32 | 33 | // A fuzzer-generated policy that wasn't correctly formatter with the original fix 34 | permit ( 35 | principal is User in Group::"friends", 36 | action, 37 | resource is Photo in Album::"vacation" 38 | ) 39 | when 40 | { (User::"alice" is User) && (User::"alice" in Group::" 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | friends") }; 50 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@comment_euid_elems.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/comment_euid_elems.cedar 5 | --- 6 | // Test fix for #787 where comments between euid elements were reorderd. 
7 | permit ( 8 | principal, 9 | action, 10 | resource == 11 | a // 1 12 | // 2 13 | :: 14 | // 3 15 | "" 16 | ); 17 | 18 | permit ( 19 | principal, 20 | action in 21 | [Action // 4 22 | // 5 23 | :: 24 | // 6 25 | ""], 26 | resource 27 | ); 28 | 29 | permit (principal, action, resource) 30 | when 31 | { 32 | a // 7 33 | // 8 34 | :: 35 | // 9 36 | "" 37 | }; 38 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@comment_only.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/comment_only.cedar 5 | --- 6 | // Comments in an empty file are a valid policy set. 7 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@comment_trailing_whitespace.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/comment_trailing_whitespace.cedar 5 | --- 6 | // Tests that trailing spaces are correctly removed at the end of comment lines. 7 | // ___WARNING___ Some editors will automaticaly trim trailing whitespace, but 8 | // this file expliciclty tests formatter behavior in this case. When making 9 | // changes to this file check that the comments still have trailing whitespace. 
10 | // There is a space at the end of this line 11 | permit (principal, action, resource); 12 | 13 | // No space here 14 | // But there is one here 15 | permit (principal, action, resource); 16 | 17 | // No space here 18 | // Leading space before this comment 19 | // A tab character here: 20 | permit (principal, action, resource); 21 | 22 | permit (principal, // Trailing comment Space 23 | // Leading comment Space 24 | // Leading comment Space 25 | // Leading comment Space 26 | action, resource); 27 | // end of file comment with space 28 | // on these lines 29 | // trailing whitespace on the last line is ignored by insta, so we test that 30 | // case as part of `test_add_trailing_newline` in `fmt.rs` 31 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@empty.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/empty.cedar 5 | --- 6 | 7 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@empty_list.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/empty_list.cedar 5 | --- 6 | permit (principal, action, resource) 7 | when { principal.things == [] }; 8 | 9 | permit (principal, action, resource) 10 | when 11 | { 12 | principal.things == [ 13 | // This is empty 14 | ] 15 | }; 16 | -------------------------------------------------------------------------------- 
/cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@empty_record.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/empty_record.cedar 5 | --- 6 | forbid (principal, action, resource) 7 | when { principal.tags == {} }; 8 | 9 | forbid (principal, action, resource) 10 | when 11 | { 12 | principal.tags == { // This 13 | // is 14 | // empty 15 | } 16 | }; 17 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@extended_has.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/extended_has.cedar 5 | --- 6 | // An example from RFC 7 | permit ( 8 | principal is User, 9 | action == Action::"preview", 10 | resource == Movie::"Blockbuster" 11 | ) 12 | when 13 | { 14 | // extended has 15 | principal 16 | has 17 | // contactInfo 18 | contactInfo. 19 | // address 20 | address 21 | . 
22 | // zip 23 | zip && 24 | // we are safe to access all attributes 25 | principal.contactInfo 26 | .address 27 | .zip == "90210" 28 | }; 29 | 30 | // Same example without comments 31 | permit ( 32 | principal is User, 33 | action == Action::"preview", 34 | resource == Movie::"Blockbuster" 35 | ) 36 | when 37 | { 38 | principal has contactInfo.address.zip && 39 | principal.contactInfo.address.zip == "90210" 40 | }; 41 | 42 | // Same example with long attributes 43 | permit ( 44 | principal is User, 45 | action == Action::"preview", 46 | resource == Movie::"Blockbuster" 47 | ) 48 | when 49 | { 50 | principal 51 | has 52 | contactInfooooooooooooooooooooooooooooooooooooooooooooooo.addressssssssssssssssssssss 53 | .zipppppppppppp && 54 | principal.contactInfo.address.zip == "90210" 55 | }; 56 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@index.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/index.cedar 5 | --- 6 | permit (principal, action, resource) 7 | when { principal["is_admin"] }; 8 | 9 | permit (principal, action, resource) 10 | when { principal["roles"]["admin"] }; 11 | 12 | permit (principal, action, resource) 13 | when 14 | { 15 | principal // principal 16 | [ 17 | "roles" 18 | ] // get roles 19 | [ 20 | "admin" 21 | ] // get the admin role 22 | }; 23 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@is_policies.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: 
cedar-policy-formatter/tests/is_policies.cedar 5 | --- 6 | permit ( 7 | principal is User, 8 | action, 9 | resource is Photo 10 | ) 11 | when { User::"alice" is User }; 12 | 13 | permit ( 14 | principal is User in Group::"friends", 15 | action, 16 | resource is Photo in Album::"vacation" 17 | ) 18 | when { User::"alice" is User in Group::"friends" }; 19 | 20 | permit // 0 21 | ( // 1 22 | principal // 2 23 | is // 3 24 | User // 4 25 | , // 5 26 | action // 6 27 | , // 7 28 | resource // 8 29 | is // 9 30 | Photo // 10 31 | ) // 11 32 | when // 12 33 | { // 13 34 | User // 14 35 | :: // 15 36 | "alice" // 16 37 | is // 17 38 | User // 18 39 | } // 19 40 | ; // 20 41 | 42 | permit // 0 43 | ( // 1 44 | principal // 2 45 | is // 3 46 | User // 4 47 | in // 5 48 | Group // 6 49 | :: // 7 50 | "friends" // 8 51 | , // 9 52 | action, // 10 53 | resource // 11 54 | is // 12 55 | Photo // 13 56 | in // 14 57 | Album // 15 58 | :: // 16 59 | "vacation" // 17 60 | ) // 18 61 | when // 19 62 | { // 20 63 | User // 21 64 | :: // 22 65 | "alice" // 23 66 | is // 24 67 | User // 25 68 | in // 26 69 | Group // 27 70 | :: // 28 71 | "friends" // 29 72 | } // 30 73 | ; // 31 74 | 75 | permit ( 76 | principal, 77 | action, 78 | resource is List 79 | ) 80 | when { resource.owner == principal }; 81 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@ite_comment.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/ite_comment.cedar 5 | --- 6 | permit (principal, action, resource) 7 | when 8 | { 9 | // 0 10 | if // 1 11 | true // 2 12 | then // 3 13 | 1 // 4 14 | else // 5 15 | 2 // 6 16 | }; 17 | -------------------------------------------------------------------------------- 
/cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@like.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/like.cedar 5 | --- 6 | permit (principal, action, resource) 7 | when { resource.path like "/home/*" }; 8 | 9 | permit (principal, action, resource) 10 | when 11 | { 12 | resource.path // Checking path 13 | like 14 | // is `home` 15 | "/home/*" 16 | }; 17 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@trivial_forbid.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/trivial_forbid.cedar 5 | --- 6 | forbid (principal, action, resource); 7 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/snapshots/cedar_policy_formatter__pprint__fmt__tests__format_files@trivial_permit.cedar.snap: -------------------------------------------------------------------------------- 1 | --- 2 | source: cedar-policy-formatter/src/pprint/fmt.rs 3 | expression: formatted 4 | input_file: cedar-policy-formatter/tests/trivial_permit.cedar 5 | --- 6 | permit (principal, action, resource); 7 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/trivial_forbid.cedar: -------------------------------------------------------------------------------- 1 | forbid (principal, action, resource); 2 | -------------------------------------------------------------------------------- /cedar-policy-formatter/tests/trivial_permit.cedar: 
--------------------------------------------------------------------------------
1 | permit (principal, action, resource);
2 | 
--------------------------------------------------------------------------------
/cedar-policy/benches/entity_parsing.rs:
--------------------------------------------------------------------------------
// PANIC SAFETY: it's ok for benchmarking code to panic
#![allow(clippy::unwrap_used)]

use std::{hint::black_box, str::FromStr};

use cedar_policy::EntityTypeName;

use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion};

/// Benchmarks `EntityTypeName::from_str` on namespaced type names of
/// increasing length. Each case is labelled with the byte length of its
/// input so timings can be compared across sizes.
fn entity_type_name_parsing(c: &mut Criterion) {
    // Inputs grow from a bare name to a deeply nested namespace path.
    const TYPE_NAMES: [&str; 5] = [
        "foo",
        "foo::bar",
        "foo::bar::bar::bar::bar",
        "foo::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar",
        "foo::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar::bar",
    ];

    let mut grp = c.benchmark_group("EntityTypeName parsing");
    for type_name in TYPE_NAMES.iter() {
        let case_id = BenchmarkId::from_parameter(format!("Type Name size {}", type_name.len()));
        grp.bench_with_input(case_id, type_name, |bencher, input| {
            // `black_box` stops the optimiser from specialising on a constant input.
            bencher.iter(|| EntityTypeName::from_str(black_box(input)).unwrap());
        });
    }
    grp.finish();
}

criterion_group!(benches, entity_type_name_parsing);
criterion_main!(benches);
--------------------------------------------------------------------------------
/cedar-policy/build.rs:
--------------------------------------------------------------------------------
/*
* Copyright Cedar Contributors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

/// Build-script entry point. The only work done here is protobuf code
/// generation, and only when the `protobufs` feature is enabled; without
/// that feature the script does nothing.
fn main() {
    #[cfg(feature = "protobufs")]
    generate_schemas();
}

/// Compiles the `.proto` schema files under `./protobuf_schema` into Rust
/// modules with `prost_build`. The paths are relative to the package root
/// (the working directory cargo gives a build script).
///
/// Panics — failing the build — if `prost_build` cannot compile the schemas.
#[cfg(feature = "protobufs")]
fn generate_schemas() {
    let schema_dir = "./protobuf_schema";
    let protos = [
        "./protobuf_schema/core.proto",
        "./protobuf_schema/validator.proto",
    ];

    // PANIC SAFETY: panics in build.rs are acceptable, they just fail the build
    #[allow(clippy::expect_used)]
    prost_build::compile_protos(&protos, &[schema_dir])
        .expect("failed to compile `.proto` schema files");
}
--------------------------------------------------------------------------------
/cedar-policy/experimental_warning.md:
--------------------------------------------------------------------------------
1 |
2 | This feature is experimental. For more information see https://github.com/cedar-policy/rfcs/blob/main/README.md#experimental-features 3 |
--------------------------------------------------------------------------------
/cedar-policy/src/ffi/mod.rs:
--------------------------------------------------------------------------------
/*
* Copyright Cedar Contributors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

// Each FFI submodule is private; its public items are re-exported from here.
mod is_authorized;
pub use is_authorized::*;
mod utils;
pub use utils::*;
mod validate;
pub use validate::*;
mod check_parse;
pub use check_parse::*;
mod format;
pub use format::*;
mod convert;
pub use convert::*;
mod version;
pub use version::*;
// NOTE(review): not gated on `#[cfg(test)]` here; presumably `tests.rs` carries
// its own `#![cfg(test)]` (as `src/test.rs` does) — confirm.
mod tests;
--------------------------------------------------------------------------------
/cedar-policy/src/ffi/version.rs:
--------------------------------------------------------------------------------
#[cfg(feature = "wasm")]
use wasm_bindgen::prelude::wasm_bindgen;

use crate::api;

/// Returns the Cedar language version as `"<major>.<minor>"`, read from
/// `api::version::get_lang_version`.
#[allow(clippy::module_name_repetitions)]
#[cfg_attr(feature = "wasm", wasm_bindgen(js_name = "getCedarLangVersion"))]
pub fn get_lang_version() -> String {
    let lang = api::version::get_lang_version();
    let (major, minor) = (lang.major, lang.minor);
    format!("{major}.{minor}")
}

/// Returns the Cedar SDK version, read from `api::version::get_sdk_version`
/// and rendered through its `Display` implementation.
// NOTE(review): unlike `get_lang_version`, this function is not exported via
// `wasm_bindgen`; confirm whether that is intentional.
#[allow(clippy::module_name_repetitions)]
pub fn get_sdk_version() -> String {
    api::version::get_sdk_version().to_string()
}
--------------------------------------------------------------------------------
/cedar-policy/src/test.rs:
--------------------------------------------------------------------------------
/*
* Copyright Cedar Contributors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

// Root of the unit-test module tree; the whole file is compiled only under
// `cfg(test)`.
#![cfg(test)]
// PANIC SAFETY unit tests
#![allow(clippy::panic)]
// PANIC SAFETY unit tests
#![allow(clippy::indexing_slicing)]
#![allow(clippy::cognitive_complexity, clippy::too_many_lines)]

mod test;

mod prop_test_policy_set;
--------------------------------------------------------------------------------
/cedar-testing/Cargo.toml:
--------------------------------------------------------------------------------
1 | [package]
2 | name = "cedar-testing"
3 | edition.workspace = true
4 | version.workspace = true
5 | license.workspace = true
6 | publish = false
7 | 
8 | [dependencies]
9 | cedar-policy = { version = "=4.4.0", path = "../cedar-policy" }
10 | cedar-policy-core = { version = "=4.4.0", path = "../cedar-policy-core" }
11 | serde = { version = "1.0", features = ["derive"] }
12 | serde_json = "1.0"
13 | smol_str = { version = "0.3", features = ["serde"] }
14 | miette = { version = "7.6.0", features = ["fancy"] }
15 | 
16 | [features]
17 | default = ["ipaddr", "decimal"]
18 | decimal = ["cedar-policy/decimal"]
19 | ipaddr = ["cedar-policy/ipaddr"]
20 
| integration-testing = [] 21 | entity-manifest = ["cedar-policy/entity-manifest"] 22 | 23 | [dev-dependencies] 24 | assert_cmd = "2.0" 25 | tempfile = "3" 26 | 27 | [lints] 28 | workspace = true 29 | -------------------------------------------------------------------------------- /cedar-testing/README.md: -------------------------------------------------------------------------------- 1 | # Cedar Testing 2 | 3 | This package contains utility code for testing `cedar-policy` and `cedar-policy-cli`. 4 | It is used for running integration tests in CI and by our fuzzing infrastructure in [`cedar-spec`](https://github.com/cedar-policy/cedar-spec). 5 | 6 | ## Running integration tests 7 | 8 | The integration tests are run by default in CI (e.g., as a part of each pull request), but you can also run them locally. 9 | In order to do this, you need to have the [`cedar-integration-tests`](https://github.com/cedar-policy/cedar-integration-tests) repository cloned in the top-level directory (`..`). 10 | Then, run `cargo test --features "integration-testing" -- --include-ignored`. 11 | (Omit `--include-ignored` if you want to skip the corpus tests.) 12 | 13 | ```bash 14 | # starting in the top-level directory (..) 15 | rm -rf cedar-integration-tests 16 | git clone --depth 1 https://github.com/cedar-policy/cedar-integration-tests 17 | cd cedar-integration-tests 18 | tar xzf corpus-tests.tar.gz 19 | cd .. 20 | cargo test --features "integration-testing" -- --include-ignored 21 | ``` 22 | -------------------------------------------------------------------------------- /cedar-testing/src/lib.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 
6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | pub mod cedar_test_impl; 18 | pub mod integration_testing; 19 | -------------------------------------------------------------------------------- /cedar-testing/tests/cedar-policy-cli/decimal.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | //! 
//! Integration tests targeting the decimal extension

use super::perform_integration_test_from_json;
use std::path::Path;

/// Relative path of the directory that holds this suite's JSON test cases.
fn folder() -> &'static Path {
    "tests/decimal".as_ref()
}

/// Runs the JSON-described integration test `tests/decimal/1.json`.
#[test]
fn decimal_1() {
    let case = folder().join("1.json");
    perform_integration_test_from_json(case);
}

/// Runs the JSON-described integration test `tests/decimal/2.json`.
#[test]
fn decimal_2() {
    let case = folder().join("2.json");
    perform_integration_test_from_json(case);
}
-------------------------------------------------------------------------------- /cedar-testing/tests/cedar-policy-cli/ip.rs: --------------------------------------------------------------------------------
/*
 * Copyright Cedar Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

//!
//! Integration tests targeting the ipaddr extension

use super::perform_integration_test_from_json;
use std::path::Path;

/// Relative path of the directory that holds this suite's JSON test cases.
fn folder() -> &'static Path {
    "tests/ip".as_ref()
}

/// Runs the JSON-described integration test `tests/ip/1.json`.
#[test]
fn ip_1() {
    let case = folder().join("1.json");
    perform_integration_test_from_json(case);
}

/// Runs the JSON-described integration test `tests/ip/2.json`.
#[test]
fn ip_2() {
    let case = folder().join("2.json");
    perform_integration_test_from_json(case);
}

/// Runs the JSON-described integration test `tests/ip/3.json`.
#[test]
fn ip_3() {
    let case = folder().join("3.json");
    perform_integration_test_from_json(case);
}
-------------------------------------------------------------------------------- /cedar-testing/tests/cedar-policy-cli/multi.rs: --------------------------------------------------------------------------------
/*
 * Copyright Cedar Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

//!
//! Integration tests which involve interactions between multiple policies

use super::perform_integration_test_from_json;
use std::path::Path;

/// Relative path of the directory that holds this suite's JSON test cases.
fn folder() -> &'static Path {
    "tests/multi".as_ref()
}

/// Runs the JSON-described integration test `tests/multi/1.json`.
#[test]
fn multi_1() {
    let case = folder().join("1.json");
    perform_integration_test_from_json(case);
}

/// Runs the JSON-described integration test `tests/multi/2.json`.
#[test]
fn multi_2() {
    let case = folder().join("2.json");
    perform_integration_test_from_json(case);
}

/// Runs the JSON-described integration test `tests/multi/3.json`.
#[test]
fn multi_3() {
    let case = folder().join("3.json");
    perform_integration_test_from_json(case);
}

/// Runs the JSON-described integration test `tests/multi/4.json`.
#[test]
fn multi_4() {
    let case = folder().join("4.json");
    perform_integration_test_from_json(case);
}

/// Runs the JSON-described integration test `tests/multi/5.json`.
#[test]
fn multi_5() {
    let case = folder().join("5.json");
    perform_integration_test_from_json(case);
}
-------------------------------------------------------------------------------- /cedar-testing/tests/cedar-policy/decimal.rs: --------------------------------------------------------------------------------
/*
 * Copyright Cedar Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

//!
//! Integration tests targeting the decimal extension

use cedar_testing::integration_testing::perform_integration_test_from_json;
use std::path::Path;

/// Relative path of the directory that holds this suite's JSON test cases.
fn folder() -> &'static Path {
    "tests/decimal".as_ref()
}

/// Runs the JSON-described integration test `tests/decimal/1.json`.
#[test]
fn decimal_1() {
    let case = folder().join("1.json");
    perform_integration_test_from_json(case);
}

/// Runs the JSON-described integration test `tests/decimal/2.json`.
#[test]
fn decimal_2() {
    let case = folder().join("2.json");
    perform_integration_test_from_json(case);
}
-------------------------------------------------------------------------------- /cedar-testing/tests/cedar-policy/ip.rs: --------------------------------------------------------------------------------
/*
 * Copyright Cedar Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

//!
//! Integration tests targeting the ipaddr extension

use cedar_testing::integration_testing::perform_integration_test_from_json;
use std::path::Path;

/// Relative path of the directory that holds this suite's JSON test cases.
fn folder() -> &'static Path {
    "tests/ip".as_ref()
}

/// Runs the JSON-described integration test `tests/ip/1.json`.
#[test]
fn ip_1() {
    let case = folder().join("1.json");
    perform_integration_test_from_json(case);
}

/// Runs the JSON-described integration test `tests/ip/2.json`.
#[test]
fn ip_2() {
    let case = folder().join("2.json");
    perform_integration_test_from_json(case);
}

/// Runs the JSON-described integration test `tests/ip/3.json`.
#[test]
fn ip_3() {
    let case = folder().join("3.json");
    perform_integration_test_from_json(case);
}
-------------------------------------------------------------------------------- /cedar-testing/tests/cedar-policy/main.rs: --------------------------------------------------------------------------------
/*
 * Copyright Cedar Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// The whole integration-test binary is compiled only when the crate's
// `integration-testing` feature is enabled (declared in cedar-testing/Cargo.toml),
// so a plain `cargo test` does not pick up these suites.
#![cfg(feature = "integration-testing")]
// PANIC SAFETY tests
#![allow(clippy::expect_used)]
// PANIC SAFETY tests
#![allow(clippy::panic)]

mod corpus_tests;
// The extension-specific suites are gated on the matching extension feature,
// which this crate forwards to `cedar-policy`.
#[cfg(feature = "decimal")]
mod decimal;
mod example_use_cases;
#[cfg(feature = "ipaddr")]
mod ip;
mod multi;
-------------------------------------------------------------------------------- /cedar-testing/tests/cedar-policy/multi.rs: --------------------------------------------------------------------------------
/*
 * Copyright Cedar Contributors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

//!
Integration tests that involve interactions between multiple policies 18 | 19 | use cedar_testing::integration_testing::perform_integration_test_from_json; 20 | use std::path::Path; 21 | 22 | /// Path of the folder containing the JSON tests 23 | fn folder() -> &'static Path { 24 | Path::new("tests/multi") 25 | } 26 | 27 | #[test] 28 | fn multi_1() { 29 | perform_integration_test_from_json(folder().join("1.json")); 30 | } 31 | 32 | #[test] 33 | fn multi_2() { 34 | perform_integration_test_from_json(folder().join("2.json")); 35 | } 36 | 37 | #[test] 38 | fn multi_3() { 39 | perform_integration_test_from_json(folder().join("3.json")); 40 | } 41 | 42 | #[test] 43 | fn multi_4() { 44 | perform_integration_test_from_json(folder().join("4.json")); 45 | } 46 | 47 | #[test] 48 | fn multi_5() { 49 | perform_integration_test_from_json(folder().join("5.json")); 50 | } 51 | -------------------------------------------------------------------------------- /cedar-wasm/.cargo/config.toml: -------------------------------------------------------------------------------- 1 | [profile.release] 2 | overflow-checks = true 3 | # Tell `rustc` to optimize for small code size 4 | opt-level = "s" 5 | -------------------------------------------------------------------------------- /cedar-wasm/.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore wasm build artifacts 2 | node_modules 3 | package-lock.json 4 | package.json 5 | pkg 6 | -------------------------------------------------------------------------------- /cedar-wasm/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | ## Unreleased 4 | 5 | ## 4.4.1 6 | 7 | ## 4.4.0 8 | 9 | ## 4.3.3 10 | 11 | ## 4.3.2 12 | 13 | ## 4.3.1 14 | 15 | ## 4.3.0 16 | 17 | ## 4.2.2 18 | 19 | ## 4.2.1 20 | 21 | ## 4.2.0 22 | 23 | ### Fixed 24 | - Fixed import logic (https://github.com/cedar-policy/cedar/issues/1227 25 | and 
https://github.com/cedar-policy/cedar/issues/1226) 26 | 27 | ## 4.1.0 28 | 29 | ## 4.0.0 30 | 31 | ### Added 32 | 33 | Initial release of the Wasm bindings 34 | 35 | ## 3.2.x 36 | 37 | Initial pre-release of the Wasm bindings 38 | -------------------------------------------------------------------------------- /cedar-wasm/Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "cedar-wasm" 3 | version.workspace = true 4 | edition.workspace = true 5 | rust-version.workspace = true 6 | description = "Wasm bindings and typescript types for Cedar lib" 7 | license.workspace = true 8 | 9 | exclude = ['/build'] 10 | 11 | [dependencies] 12 | cedar-policy = { version = "=4.4.0", path = "../cedar-policy", features = ["wasm"] } 13 | cedar-policy-core = { version = "=4.4.0", path = "../cedar-policy-core", features = ["wasm"] } 14 | cedar-policy-formatter = { version = "=4.4.0", path = "../cedar-policy-formatter" } 15 | 16 | serde = { version = "1.0", features = ["derive", "rc"] } 17 | serde-wasm-bindgen = "0.6" 18 | serde_json = "1.0" 19 | # wasm support 20 | wasm-bindgen = { version = "0.2.97" } 21 | console_error_panic_hook = { version = "0.1.6", optional = true } 22 | tsify = "0.4.5" 23 | 24 | [features] 25 | default = ["console_error_panic_hook"] 26 | 27 | [lib] 28 | crate-type = ["cdylib", "rlib"] 29 | 30 | [dev-dependencies] 31 | wasm-bindgen-test = "0.3.50" 32 | cool_asserts = "2.0" 33 | 34 | [lints] 35 | workspace = true 36 | -------------------------------------------------------------------------------- /cedar-wasm/package.json.patch: -------------------------------------------------------------------------------- 1 | { 2 | "files": [ 3 | "esm/package.json", 4 | "esm/README.md", 5 | "esm/cedar_wasm_bg.wasm", 6 | "esm/cedar_wasm_bg.wasm.d.ts", 7 | "esm/cedar_wasm.js", 8 | "esm/cedar_wasm_bg.js", 9 | "esm/cedar_wasm.d.ts", 10 | "nodejs/package.json", 11 | "nodejs/README.md", 12 | "nodejs/cedar_wasm_bg.wasm", 
13 | "nodejs/cedar_wasm_bg.wasm.d.ts", 14 | "nodejs/cedar_wasm.js", 15 | "nodejs/cedar_wasm.d.ts", 16 | "web/package.json", 17 | "web/README.md", 18 | "web/cedar_wasm_bg.wasm", 19 | "web/cedar_wasm_bg.wasm.d.ts", 20 | "web/cedar_wasm.js", 21 | "web/cedar_wasm.d.ts" 22 | ], 23 | "sideEffects": ["./snippets/*"], 24 | "module": "esm/cedar_wasm.js", 25 | "types": "esm/cedar_wasm.d.ts", 26 | "exports": { 27 | ".": { 28 | "import": "./esm/cedar_wasm.js", 29 | "types": "./esm/cedar_wasm.d.ts" 30 | }, 31 | "./nodejs": { 32 | "require": "./nodejs/cedar_wasm.js", 33 | "import": "./nodejs/cedar_wasm.js", 34 | "types": "./nodejs/cedar_wasm.d.ts" 35 | }, 36 | "./web": { 37 | "import": "./web/cedar_wasm.js", 38 | "types": "./web/cedar_wasm.d.ts" 39 | } 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /cedar-wasm/src/lib.rs: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Cedar Contributors 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * https://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 
15 | */ 16 | 17 | use wasm_bindgen::prelude::*; 18 | mod utils; 19 | 20 | use cedar_policy::ffi; 21 | pub use cedar_policy::ffi::{ 22 | check_parse_context, check_parse_entities, check_parse_policy_set, check_parse_schema, format, 23 | get_lang_version, is_authorized, policy_to_json, policy_to_text, schema_to_json, 24 | schema_to_text, validate, 25 | }; 26 | pub use utils::*; 27 | 28 | #[wasm_bindgen(js_name = "getCedarVersion")] 29 | pub fn get_sdk_version_deprecated() -> String { 30 | get_sdk_version() 31 | } 32 | 33 | #[wasm_bindgen(js_name = "getCedarSDKVersion")] 34 | pub fn get_sdk_version() -> String { 35 | ffi::get_sdk_version() 36 | } 37 | -------------------------------------------------------------------------------- /clippy.toml: -------------------------------------------------------------------------------- 1 | 2 | allow-unwrap-in-tests = true 3 | allow-expect-in-tests = true 4 | -------------------------------------------------------------------------------- /deny.toml: -------------------------------------------------------------------------------- 1 | [licenses] 2 | unlicensed = "deny" 3 | copyleft = "deny" 4 | default = "deny" 5 | unused-allowed-license = "allow" 6 | confidence-threshold = 0.95 7 | allow = [ 8 | "Apache-2.0", 9 | "MIT", 10 | "ISC", 11 | "Unicode-DFS-2016", 12 | "Unicode-3.0", 13 | ] 14 | -------------------------------------------------------------------------------- /scripts/normalize_changelogs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Replace the changelog files with the static changelog files used for release branches. 4 | # Only replace them if the current changelog files are found at their expected locations (the script must be run from the repository root). Otherwise, print an error and take no action. 
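
CEDAR_POLICY_CHANGELOG="cedar-policy/CHANGELOG.md"
CEDAR_POLICY_CLI_CHANGELOG="cedar-policy-cli/CHANGELOG.md"
CEDAR_WASM_CHANGELOG="cedar-wasm/CHANGELOG.md"

STATIC_CEDAR_POLICY_CHANGELOG="scripts/static_changelogs/cedar-policy_CHANGELOG.md"
STATIC_CEDAR_POLICY_CLI_CHANGELOG="scripts/static_changelogs/cedar-policy-cli_CHANGELOG.md"
STATIC_CEDAR_WASM_CHANGELOG="scripts/static_changelogs/cedar-wasm_CHANGELOG.md"

# Both the live changelogs (copy targets) and the static replacements (copy
# sources) must exist before anything is touched; checking only the targets
# lets a `cp` fail part-way and leaves the three files inconsistent while the
# script still reports success.
if [ -f "$CEDAR_POLICY_CHANGELOG" ] && [ -f "$CEDAR_POLICY_CLI_CHANGELOG" ] && [ -f "$CEDAR_WASM_CHANGELOG" ] \
    && [ -f "$STATIC_CEDAR_POLICY_CHANGELOG" ] && [ -f "$STATIC_CEDAR_POLICY_CLI_CHANGELOG" ] && [ -f "$STATIC_CEDAR_WASM_CHANGELOG" ]; then
    # Paths are quoted so word splitting cannot turn one path into several
    # `cp` arguments. Success is reported only when every copy succeeded; a
    # failed copy is a hard error so a release job does not carry on with
    # partially normalized changelogs.
    if cp "$STATIC_CEDAR_POLICY_CHANGELOG" "$CEDAR_POLICY_CHANGELOG" \
        && cp "$STATIC_CEDAR_POLICY_CLI_CHANGELOG" "$CEDAR_POLICY_CLI_CHANGELOG" \
        && cp "$STATIC_CEDAR_WASM_CHANGELOG" "$CEDAR_WASM_CHANGELOG"; then
        echo "Success! The changelog files have been normalized"
    else
        echo "Error: Copying the static changelog files failed; the changelogs may be partially normalized." >&2
        exit 1
    fi
else
    # Missing files are the documented "do nothing" case (exit status 0), so
    # the script stays safe to run on branches that lack changelogs.
    echo "Error: The changelogs files could not be located. No actions taken."
    echo "This script must be run from the root directory. Did you run it from another directory?"
fi
-------------------------------------------------------------------------------- /scripts/publish_crates.sh: --------------------------------------------------------------------------------
#!/bin/bash

# Publishes the Cedar crates to crates.io in the specified order.
#
# The list appears to be in dependency order (each crate after the crates it
# depends on), which crates.io requires because the workspace pins exact
# versions of sibling crates; keep new crates in that order.

CRATES=(
    "cedar-policy-core"
    "cedar-policy-validator"
    "cedar-policy-formatter"
    "cedar-policy"
    "cedar-policy-cli"
)

for crate in "${CRATES[@]}"; do
    echo "Publishing $crate..."
    # Stop at the first failure so a dependent crate is never published
    # against a dependency version that did not make it to the registry.
    if ! cargo publish -p "$crate"; then
        echo "Failed to publish $crate"
        exit 1
    fi
done

echo "All crates published successfully!"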
22 | -------------------------------------------------------------------------------- /scripts/static_changelogs/cedar-policy-cli_CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | The changelog for all the release branches of `cedar-policy-cli` is maintained on 4 | the `main` branch. You can view the most up-to-date changelog 5 | [here](https://github.com/cedar-policy/cedar/blob/main/cedar-policy-cli/CHANGELOG.md). 6 | 7 | -------------------------------------------------------------------------------- /scripts/static_changelogs/cedar-policy_CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | The changelog for all the release branches of `cedar-policy` is maintained on 4 | the `main` branch. You can view the most up-to-date changelog 5 | [here](https://github.com/cedar-policy/cedar/blob/main/cedar-policy/CHANGELOG.md). 6 | 7 | -------------------------------------------------------------------------------- /scripts/static_changelogs/cedar-wasm_CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | The changelog for all the release branches of `cedar-wasm` is maintained on 4 | the `main` branch. You can view the most up-to-date changelog 5 | [here](https://github.com/cedar-policy/cedar/blob/main/cedar-wasm/CHANGELOG.md). 6 | --------------------------------------------------------------------------------