Merge pull request #85 from strongdm/add-support-for-generic-authorize

Add support for generic policy iteration when authorizing a request

Author: patjakdev

.github/workflows/build_and_test.yml

@@ -1,7 +1,4 @@
-# This workflow will build a golang project
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
-
-name: Go
+name: Verify
 
 on:
   push:
@@ -14,15 +11,21 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version: "1.22"
+          go-version-file: 'go.mod'
 
       - name: Build
         run: go build -v ./...
 
       - name: Test
-        run: go test ./...
+        run: go test -coverprofile=coverage.out ./...
+
+      - name: Lint
+        uses: golangci/golangci-lint-action@v7
 
       - name: Fuzz
         run: mkdir -p testdata && go test -fuzz=FuzzParse -fuzztime 60s && go test -fuzz=FuzzTokenize -fuzztime 60s
+
+      - name: Coverage check
+        run: go tool cover -func=coverage.out | sed 's/%$//' | awk '{ if ($3 < 100.0) { printf "Insufficient code coverage for %s\n", $0; failed=1 } } END { exit failed }'

.github/workflows/golangci-lint.yml

@@ -1,3 +1,4 @@
 .idea/
 tmp/
 .DS_Store
+coverage.out

.gitignore

@@ -139,21 +139,31 @@ If you're looking to integrate Cedar into a production system, please be sure th
 - `x/exp` - code in this directory is not subject to the semantic versioning constraints of the rest of the module and breaking changes may be made at any time.
 - Variadics may be added to functions that do not have them to expand the arguments of a function or method.
 - Concrete types may be replaced with compatible interfaces to expand the variety of arguments a function or method can take.
+- Backwards compatibility is maintained for all Go minor versions released within 6 months of a release of cedar-go.
 
 ## Change log
 
-### New features in 1.2.0
+### 1.2.0
+#### New Features
 - Support for the .isEmpty() operator.
+- A new top-level Authorize() function, which allows authorization against a generic policy iterator (`AuthorizationPolicySet`) instead of requiring a PolicySet. Like the EntityGetter interface does for entities, using a generic iterator enables policy to be retrieved from external sources or for policy to be selected dynamically by the iterator implementation without having to clone an entire PolicySet.
+- batch.Authorize() likewise now also accepts an `AuthorizationPolicySet`.
+- First class iterator support for EntityUIDSet, Record, Set, and PolicySet container types.
 
-### New features in 1.1.0
+#### Upgrading from 1.1.0
+- cedar-go now requires Go 1.23
+
+### 1.1.0
+#### New features
 - Support for entity tags via the .getTag() and .hasTag() operators.
 
-### New features in 1.0.0
+### 1.0.0
+### New features
 - AST builder methods for Cedar datetime and duration literals and their extension methods have been added
 - AST builder methods for adding extension function calls with uninterpreted strings
 - Small improvement in evaluation runtime performance for large, shallow entity graphs.
 
-### Upgrading from 0.4.x to 1.0.0
+#### Upgrading from 0.4.x to 1.0.0
 
 - The `Parents` field on `types.Entity` has been changed to an immutable set type with an interface similar to `types.Set`
 - The `UnsafeDecimal()` constructor for the `types.Decimal` type has been removed and replaced with the following safe constructors, which return error on overflow:
@@ -174,12 +184,13 @@ If you're looking to integrate Cedar into a production system, please be sure th
 - `PolicySet.Delete()` has been renamed to `PolicySet.Remove()`
 - `types.Set()` now takes variadic arguments of type `types.Value` instead of a single `[]types.Value` argument
 
-### New features in 0.4.0
+### 0.4.0
+#### New features
 
 - `types.Set` is now implemented as a hash set, turning `Set.Contains()` into an O(1) operation, on average. This mitigates a worst case quadratic runtime for the evaluation of the `containsAny()` operator.
 - For convenience, public types, constructors, and constants from the `types` package are now exported via the `cedar` package as well.
 
-### Upgrading from 0.3.x to 0.4.x
+#### Upgrading from 0.3.x to 0.4.x
 
 - `types.Set` is now an immutable type which must be constructed via `types.NewSet()`
   - To iterate the values, use `Set.Iterate()`, which takes an iterator callback.
@@ -189,29 +200,32 @@ If you're looking to integrate Cedar into a production system, please be sure th
   - To iterate the keys and values, use `Record.Iterate()`, which takes an iterator callback.
   - All implementations of `types.Value` are now safe to copy shallowly, so `Record.DeepClone()` has been removed.
 
-### New features in 0.3.2
+### 0.3.2
+#### New features
 
 - An implementation of the `datetime` and `duration` extension types specified in [RFC 80](https://github.com/cedar-policy/rfcs/blob/main/text/0080-datetime-extension.md).
   - Note: While these types have been accepted into the language, they have not yet been formally analyzed in the [specification](https://github.com/cedar-policy/cedar-spec/).
 
-### New features in 0.3.1
+### 0.3.1
+#### New features
 
 - General performance improvements to the evaluator
 - An experimental batch evaluator has been added to `x/exp/batch`
 - Reserved keywords are now rejected in all appropriate places when parsing Cedar text
 - A parsing ambiguity between variables, entity UIDs, and extension functions has been resolved
 
-### Upgrading from 0.2.x to 0.3.x
+#### Upgrading from 0.2.x to 0.3.x
 
 - The JSON marshaling of the Position struct now uses canonical lower-case keys for its fields
 
-### New features in 0.2.0
+### 0.2.0
+#### New features
 
 - A programmatic AST is now available in the `ast` package.
 - Policy sets can be marshaled and unmarshaled from JSON.
 - Policies can also be marshaled to Cedar text.
 
-### Upgrading from 0.1.x to 0.2.x
+#### Upgrading from 0.1.x to 0.2.x
 
 - The Cedar value types have moved from the `cedar` package to the `types` package.
 - The PolicyIDs are now `strings`, previously they were numeric.

README.md

@@ -337,6 +337,11 @@ func TestASTByTable(t *testing.T) {
 			ast.Permit().When(ast.Long(42).ContainsAny(ast.Long(43))),
 			internalast.Permit().When(internalast.Long(42).ContainsAny(internalast.Long(43))),
 		},
+		{
+			"opContainsIsEmpty",
+			ast.Permit().When(ast.Long(42).IsEmpty()),
+			internalast.Permit().When(internalast.Long(42).IsEmpty()),
+		},
 		{
 			"opAccess",
 			ast.Permit().When(ast.Long(42).Access("key")),

ast/ast_test.go

@@ -12,8 +12,9 @@ import (
 func TestPolicy_MarshalJSON(t *testing.T) {
 	t.Parallel()
 
-	p := ast.Permit().PrincipalEq(types.NewEntityUID("Foo::Bar", "Baz"))
-	expected := `{
+	t.Run("roundtrip", func(t *testing.T) {
+		p := ast.Permit().PrincipalEq(types.NewEntityUID("Foo::Bar", "Baz"))
+		expected := `{
 		"effect": "permit",
 		"principal": {
 			"op": "==",
@@ -29,30 +30,45 @@ func TestPolicy_MarshalJSON(t *testing.T) {
 			"op": "All"
 		}
 	}`
-	testutil.JSONMarshalsTo(t, p, expected)
+		testutil.JSONMarshalsTo(t, p, expected)
 
-	var unmarshaled ast.Policy
-	err := unmarshaled.UnmarshalJSON([]byte(expected))
-	testutil.OK(t, err)
-	testutil.Equals(t, &unmarshaled, p)
+		var unmarshaled ast.Policy
+		err := unmarshaled.UnmarshalJSON([]byte(expected))
+		testutil.OK(t, err)
+		testutil.Equals(t, &unmarshaled, p)
+	})
+
+	t.Run("unmarshal error", func(t *testing.T) {
+		var unmarshaled ast.Policy
+		err := unmarshaled.UnmarshalJSON([]byte("[]"))
+		testutil.Error(t, err)
+	})
 }
 
 func TestPolicy_MarshalCedar(t *testing.T) {
 	t.Parallel()
 
-	p := ast.Permit().PrincipalEq(types.NewEntityUID("Foo::Bar", "Baz"))
-	expected := `permit (
+	t.Run("roundtrip", func(t *testing.T) {
+		p := ast.Permit().PrincipalEq(types.NewEntityUID("Foo::Bar", "Baz"))
+		expected := `permit (
     principal == Foo::Bar::"Baz",
     action,
     resource
 );`
 
-	testutil.Equals(t, string(p.MarshalCedar()), expected)
+		testutil.Equals(t, string(p.MarshalCedar()), expected)
+
+		var unmarshaled ast.Policy
+		err := unmarshaled.UnmarshalCedar([]byte(expected))
 
-	var unmarshaled ast.Policy
-	err := unmarshaled.UnmarshalCedar([]byte(expected))
+		p.Position = internalast.Position{Offset: 0, Line: 1, Column: 1}
+		testutil.OK(t, err)
+		testutil.Equals(t, &unmarshaled, p)
+	})
 
-	p.Position = internalast.Position{Offset: 0, Line: 1, Column: 1}
-	testutil.OK(t, err)
-	testutil.Equals(t, &unmarshaled, p)
+	t.Run("unmarshal error", func(t *testing.T) {
+		var unmarshaled ast.Policy
+		err := unmarshaled.UnmarshalCedar([]byte("this isn't Cedar"))
+		testutil.Error(t, err)
+	})
 }

ast/policy_test.go

@@ -1,28 +1,21 @@
 package cedar
 
 import (
+	"iter"
+
 	"github.com/cedar-policy/cedar-go/internal/eval"
 	"github.com/cedar-policy/cedar-go/types"
 )
 
-//revive:disable:exported
-
-type Request = types.Request
-type Decision = types.Decision
-type Diagnostic = types.Diagnostic
-type DiagnosticReason = types.DiagnosticReason
-type DiagnosticError = types.DiagnosticError
-
-const (
-	Allow = types.Allow
-	Deny  = types.Deny
-)
-
-//revive:enable:exported
+// AuthorizationPolicySet is an interface which abstracts an iterable set of policies.
+type AuthorizationPolicySet interface {
+	// All returns an iterator over all the policies in the set
+	All() iter.Seq2[PolicyID, *Policy]
+}
 
-// IsAuthorized uses the combination of the PolicySet and Entities to determine
+// Authorize uses the combination of the PolicySet and Entities to determine
 // if the given Request to determine Decision and Diagnostic.
-func (p PolicySet) IsAuthorized(entities types.EntityGetter, req Request) (Decision, Diagnostic) {
+func Authorize(policies AuthorizationPolicySet, entities types.EntityGetter, req Request) (Decision, Diagnostic) {
 	if entities == nil {
 		var zero types.EntityMap
 		entities = zero
@@ -42,7 +35,7 @@ func (p PolicySet) IsAuthorized(entities types.EntityGetter, req Request) (Decis
 	// - All policy should be run to collect errors
 	// - For permit, all permits must be run to collect annotations
 	// - For forbid, forbids must be run to collect annotations
-	for id, po := range p.policies {
+	for id, po := range policies.All() {
 		result, err := po.eval.Eval(env)
 		if err != nil {
 			diag.Errors = append(diag.Errors, DiagnosticError{PolicyID: id, Position: po.Position(), Message: err.Error()})

authorize.go

@@ -835,6 +835,15 @@ func TestIsAuthorized(t *testing.T) {
 			})
 			testutil.Equals(t, len(diag.Errors), tt.DiagErr)
 			testutil.Equals(t, ok, tt.Want)
+
+			ok, diag = cedar.Authorize(ps, tt.Entities, cedar.Request{
+				Principal: tt.Principal,
+				Action:    tt.Action,
+				Resource:  tt.Resource,
+				Context:   tt.Context,
+			})
+			testutil.Equals(t, len(diag.Errors), tt.DiagErr)
+			testutil.Equals(t, ok, tt.Want)
 		})
 	}
 }

authorize_test.go

@@ -1,5 +1,5 @@
 module github.com/cedar-policy/cedar-go
 
-go 1.22
+go 1.23.0
 
-require golang.org/x/exp v0.0.0-20240222234643-814bf88cf225
+require golang.org/x/exp v0.0.0-20220921023135-46d9e7742f1e

go.mod

@@ -1,2 +1,2 @@
-golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 h1:LfspQV/FYTatPTr/3HzIcmiUFH7PGP+OQ6mgDYo3yuQ=
-golang.org/x/exp v0.0.0-20240222234643-814bf88cf225/go.mod h1:CxmFvTBINI24O/j8iY7H1xHzx2i4OsyguNBmN/uPtqc=
+golang.org/x/exp v0.0.0-20220921023135-46d9e7742f1e h1:Ctm9yurWsg7aWwIpH9Bnap/IdSVxixymIb3MhiMEQQA=
+golang.org/x/exp v0.0.0-20220921023135-46d9e7742f1e/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=