Merge pull request #84 from strongdm/add-support-for-isEmpty

Add support for isEmpty operator

Author: patjakdev

README.md

@@ -142,6 +142,12 @@ If you're looking to integrate Cedar into a production system, please be sure th
 
 ## Change log
 
+### New features in 1.2.0
+- Support for the .isEmpty() operator.
+
+### New features in 1.1.0
+- Support for entity tags via the .getTag() and .hasTag() operators.
+
 ### New features in 1.0.0
 - AST builder methods for Cedar datetime and duration literals and their extension methods have been added
 - AST builder methods for adding extension function calls with uninterpreted strings

ast/operator.go

@@ -132,6 +132,8 @@ func (lhs Node) ContainsAny(rhs Node) Node {
 	return wrapNode(lhs.Node.ContainsAny(rhs.Node))
 }
 
+func (lhs Node) IsEmpty() Node { return wrapNode(lhs.Node.IsEmpty()) }
+
 func (lhs Node) Access(attr types.String) Node {
 	return wrapNode(lhs.Node.Access(attr))
 }

authorize_test.go

@@ -809,6 +809,17 @@ func TestIsAuthorized(t *testing.T) {
 			Want:      true,
 			DiagErr:   0,
 		},
+		{
+			Name:      "isEmpty",
+			Policy:    `permit(principal, action, resource) when { context.foo.isEmpty() && !context.bar.isEmpty() };`,
+			Entities:  cedar.EntityMap{},
+			Principal: cedar.NewEntityUID("Principal", "1"),
+			Action:    cedar.NewEntityUID("Action", "action"),
+			Resource:  cedar.NewEntityUID("Resource", "resource"),
+			Context:   cedar.NewRecord(cedar.RecordMap{"foo": cedar.NewSet(), "bar": cedar.NewSet(types.Long(1))}),
+			Want:      true,
+			DiagErr:   0,
+		},
 	}
 	for _, tt := range tests {
 		tt := tt

corpus-tests.tar.gz

@@ -87,6 +87,8 @@ func toEval(n ast.IsNode) Evaler {
 		return newContainsAllEval(toEval(v.Left), toEval(v.Right))
 	case ast.NodeTypeContainsAny:
 		return newContainsAnyEval(toEval(v.Left), toEval(v.Right))
+	case ast.NodeTypeIsEmpty:
+		return newIsEmptyEval(toEval(v.Arg))
 	default:
 		panic(fmt.Sprintf("unknown node type %T", v))
 	}

internal/eval/convert.go

@@ -210,6 +210,12 @@ func TestToEval(t *testing.T) {
 			types.True,
 			testutil.OK,
 		},
+		{
+			"isEmpty",
+			ast.Value(types.NewSet(types.Long(42), types.Long(43), types.Long(44))).IsEmpty(),
+			types.False,
+			testutil.OK,
+		},
 		{
 			"ip",
 			ast.ExtensionCall("ip", ast.String("127.0.0.42/16")),

internal/eval/convert_test.go

@@ -713,6 +713,23 @@ func (n *containsAnyEval) Eval(env Env) (types.Value, error) {
 	return types.Boolean(result), nil
 }
 
+// isEmptyEval
+type isEmptyEval struct {
+	lhs Evaler
+}
+
+func newIsEmptyEval(lhs Evaler) Evaler {
+	return &isEmptyEval{lhs: lhs}
+}
+
+func (n *isEmptyEval) Eval(env Env) (types.Value, error) {
+	lhs, err := evalSet(n.lhs, env)
+	if err != nil {
+		return zeroValue(), err
+	}
+	return types.Boolean(lhs.Len() == 0), nil
+}
+
 // recordLiteralEval
 type recordLiteralEval struct {
 	elements map[types.String]Evaler
@@ -1035,6 +1052,7 @@ func (n *isEval) Eval(env Env) (types.Value, error) {
 	return types.Boolean(lhs.Type == n.rhs), nil
 }
 
+// isInEval
 type isInEval struct {
 	lhs Evaler
 	is  types.EntityType

internal/eval/evalers.go

@@ -1298,6 +1298,53 @@ func TestContainsAnyNode(t *testing.T) {
 	})
 }
 
+func TestIsEmptyNode(t *testing.T) {
+	t.Parallel()
+	{
+		tests := []struct {
+			name string
+			lhs  Evaler
+			err  error
+		}{
+			{"LhsError", newErrorEval(errTest), errTest},
+			{"LhsTypeError", newLiteralEval(types.True), ErrType},
+		}
+		for _, tt := range tests {
+			tt := tt
+			t.Run(tt.name, func(t *testing.T) {
+				t.Parallel()
+				n := newIsEmptyEval(tt.lhs)
+				v, err := n.Eval(Env{})
+				testutil.ErrorIs(t, err, tt.err)
+				AssertZeroValue(t, v)
+			})
+		}
+	}
+	{
+		empty := types.Set{}
+		trueOnly := types.NewSet(types.True)
+
+		tests := []struct {
+			name   string
+			lhs    Evaler
+			result bool
+		}{
+			{"emptyEmpty", newLiteralEval(empty), true},
+			{"trueAndOneEmpty", newLiteralEval(trueOnly), false},
+		}
+		for _, tt := range tests {
+			tt := tt
+			t.Run(tt.name, func(t *testing.T) {
+				t.Parallel()
+				n := newIsEmptyEval(tt.lhs)
+				v, err := n.Eval(Env{})
+				testutil.OK(t, err)
+				AssertBoolValue(t, v, tt.result)
+			})
+		}
+	}
+}
+
 func TestRecordLiteralNode(t *testing.T) {
 	t.Parallel()
 	tests := []struct {

internal/eval/evalers_test.go

@@ -269,6 +269,8 @@ func fold(n ast.IsNode) ast.IsNode {
 		return tryFoldBinary(v.BinaryNode, newContainsAllEval, func(b ast.BinaryNode) ast.IsNode { return ast.NodeTypeContainsAll{BinaryNode: b} })
 	case ast.NodeTypeContainsAny:
 		return tryFoldBinary(v.BinaryNode, newContainsAnyEval, func(b ast.BinaryNode) ast.IsNode { return ast.NodeTypeContainsAny{BinaryNode: b} })
+	case ast.NodeTypeIsEmpty:
+		return tryFoldUnary(v.UnaryNode, newIsEmptyEval, func(b ast.UnaryNode) ast.IsNode { return ast.NodeTypeIsEmpty{UnaryNode: b} })
 	default:
 		panic(fmt.Sprintf("unknown node type %T", v))
 	}

internal/eval/fold.go

@@ -453,6 +453,11 @@ func TestFoldPolicy(t *testing.T) {
 			ast.Permit().When(ast.Long(42).ContainsAny(ast.Long(43))),
 			ast.Permit().When(ast.Long(42).ContainsAny(ast.Long(43))),
 		},
+		{
+			"opIsEmpty",
+			ast.Permit().When(ast.Long(42).IsEmpty()),
+			ast.Permit().When(ast.Long(42).IsEmpty()),
+		},
 		{
 			"opAccess",
 			ast.Permit().When(ast.Long(42).Access("key")),