Merge pull request #97 from jaredzhou/expose-partial-functions

expose partial eval functions

Author: philhassey

internal/eval/compile.go

@@ -25,11 +25,11 @@ func (e *BoolEvaler) Eval(env Env) (types.Boolean, error) {
 
 func Compile(p *ast.Policy) BoolEvaler {
 	p = foldPolicy(p)
-	node := policyToNode(p).AsIsNode()
+	node := PolicyToNode(p).AsIsNode()
 	return BoolEvaler{eval: ToEval(node)}
 }
 
-func policyToNode(p *ast.Policy) ast.Node {
+func PolicyToNode(p *ast.Policy) ast.Node {
 	var nodes []ast.Node
 	_, principalAll := p.Principal.(ast.ScopeTypeAll)
 	_, actionAll := p.Action.(ast.ScopeTypeAll)

internal/eval/compile_test.go

@@ -58,6 +58,11 @@ func TestPolicyToNode(t *testing.T) {
 			ast.Permit(),
 			ast.True(),
 		},
+		{
+			"forbid",
+			ast.Forbid(),
+			ast.True(),
+		},
 		{
 			"eqs",
 
@@ -87,7 +92,7 @@ func TestPolicyToNode(t *testing.T) {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
-			out := policyToNode(tt.in)
+			out := PolicyToNode(tt.in)
 			testutil.Equals(t, out, tt.out)
 		})
 	}

internal/eval/partial.go

@@ -508,6 +508,35 @@ func extError(err error) ast.NodeTypeExtensionCall {
 	return ast.NodeTypeExtensionCall{Name: partialErrorName, Args: []ast.IsNode{ast.NodeValue{Value: types.String(err.Error())}}}
 }
 
+// PartialError returns a node that represents a partial error.
+func PartialError(err error) ast.IsNode {
+	return ast.NodeTypeExtensionCall{Name: partialErrorName, Args: []ast.IsNode{ast.NodeValue{Value: types.String(err.Error())}}}
+}
+
+// ToPartialError returns the error if the node is a partial error.
+func ToPartialError(n ast.IsNode) (error, bool) {
+	ec, ok := n.(ast.NodeTypeExtensionCall)
+	if !ok {
+		return nil, false
+	}
+	if ec.Name != partialErrorName {
+		return nil, false
+	}
+	if len(ec.Args) != 1 {
+		return nil, false
+	}
+	evaler := ToEval(ec.Args[0])
+	v, err := evaler.Eval(Env{})
+	if err != nil {
+		return nil, false
+	}
+	strVal, err := ValueToString(v)
+	if err != nil {
+		return nil, false
+	}
+	return errors.New(string(strVal)), true
+}
+
 // partialHasEval
 type partialHasEval struct {
 	object    Evaler

internal/eval/partial_test.go

@@ -1568,3 +1568,29 @@ func TestToVariable(t *testing.T) {
 		})
 	}
 }
+
+func TestToPartialError(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name string
+		in   ast.IsNode
+		out  error
+		ok   bool
+	}{
+		{"ok", PartialError(errors.New("err")), errors.New("err"), true},
+		{"otherexternalcall", ast.NodeTypeExtensionCall{Name: "x", Args: []ast.IsNode{ast.NodeValue{Value: types.String("err")}}}, nil, false},
+		{"multipleargs", ast.NodeTypeExtensionCall{Name: partialErrorName, Args: []ast.IsNode{ast.NodeValue{Value: types.String("err")}, ast.NodeValue{Value: types.String("err2")}}}, nil, false},
+		{"notStringVal", ast.NodeTypeExtensionCall{Name: partialErrorName, Args: []ast.IsNode{ast.NodeValue{Value: types.Long(42)}}}, nil, false},
+		{"evalArgError", ast.NodeTypeExtensionCall{Name: partialErrorName, Args: []ast.IsNode{ast.Long(42).Add(ast.False()).AsIsNode()}}, nil, false},
+		{"othernode", ast.NodeValue{Value: types.String("err")}, nil, false},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			out, ok := ToPartialError(tt.in)
+			testutil.Equals(t, out, tt.out)
+			testutil.Equals(t, ok, tt.ok)
+		})
+	}
+}

x/exp/eval/eval.go

@@ -1,4 +1,4 @@
-// Package eval provides a simple interface for evaluating a policy node in a given environment.
+// Package eval provides a simple interface for evaluating or partially evaluating a policy node in a given environment.
 package eval
 
 import (
@@ -15,3 +15,68 @@ func Eval(n ast.IsNode, env Env) (types.Value, error) {
 	evaler := eval.ToEval(n)
 	return evaler.Eval(env)
 }
+
+// PartialPolicy returns a partially evaluated version of the policy and a boolean indicating if the policy should be kept.
+// (Policies that are determined to evaluate to false are not kept.)
+//
+// it is supposed to use `PartialPolicy` to partially evaluate a policy, and then use `PolicyToNode` to compile the policy to a node.
+// but you can also use `PartialPolicy` directly.
+//
+// All the env parts (PARC) must be specified, but you can
+// specify `Variable` as `Variable("principal")` or `Variable("action")` or `Variable("resource")` or `Variable("context")`.
+// also you can specify part of Context to be a `Variable`, such as `key` in `Context` could be
+// `
+//
+//	context := types.NewRecord(types.RecordMap{
+//			"key": Variable("key"),
+//	})
+//
+// `
+//
+// when the node is kept, it can be one of three kinds:
+// 1. it is a `ValueNode`, and Must be `ast.True()` (e.g. `ast.True()`)
+// 2. it is a `Node` contains `Variable` (e.g. `ast.Permit().When(ast.Context().Access("key").Equal(ast.Long(42)))`)
+// 3. it is a `Node` contains `PartialError` (e.g. `ast.ExtensionCall(partialErrorName, ast.String("type error: expected comparable value, got string"))`)
+//
+// you can use the partial evaluation result `ast.Node` to do any additional work you want
+// for example, you can convert it to an sql query.
+// in which case the variable should be a column name and binary node should be an sql expression.
+func PartialPolicy(env Env, p *ast.Policy) (policy *ast.Policy, keep bool) {
+	return eval.PartialPolicy(env, p)
+}
+
+// PolicyToNode returns a node compiled from a policy.
+func PolicyToNode(p *ast.Policy) ast.Node {
+	return eval.PolicyToNode(p)
+}
+
+// PartialError returns a node that represents a partial error.
+func PartialError(err error) ast.IsNode {
+	return eval.PartialError(err)
+}
+
+// ToPartialError returns the error if the node is a partial error.
+func ToPartialError(n ast.IsNode) (err error, ok bool) {
+	return eval.ToPartialError(n)
+}
+
+// Variable is a variable in the policy.
+func Variable(v types.String) types.Value {
+	return eval.Variable(v)
+}
+
+// ToVariable converts a value to a variable.
+func ToVariable(v types.Value) (types.String, bool) {
+	if ent, ok := v.(types.EntityUID); ok {
+		return eval.ToVariable(ent)
+	}
+	return "", false
+}
+
+// TypeName returns the type name of a value.
+func TypeName(v types.Value) string {
+	return eval.TypeName(v)
+}
+
+// ErrType is the error type for type errors.
+var ErrType = eval.ErrType