cedar_policy_core::authorizer

Struct PartialResponse

pub struct PartialResponse {
    pub satisfied_permits: HashMap<PolicyID, Arc<Annotations>>,
    pub false_permits: HashMap<PolicyID, (ErrorState, Arc<Annotations>)>,
    pub residual_permits: HashMap<PolicyID, (Arc<Expr>, Arc<Annotations>)>,
    pub satisfied_forbids: HashMap<PolicyID, Arc<Annotations>>,
    pub false_forbids: HashMap<PolicyID, (ErrorState, Arc<Annotations>)>,
    pub residual_forbids: HashMap<PolicyID, (Arc<Expr>, Arc<Annotations>)>,
    pub errors: Vec<AuthorizationError>,
    /* private fields */
}

A partially evaluated authorization response. Splits the results into several categories: satisfied, false, and residual for each policy effect. Also tracks all the errors that were encountered during evaluation. This structure currently has to own all of the PolicyID objects due to the Self::reauthorize method. If PolicySet could borrow its PolicyID/contents then this whole structure could be borrowed.

Fields§

§satisfied_permits: HashMap<PolicyID, Arc<Annotations>>

All of the Effect::Permit policies that were satisfied

§false_permits: HashMap<PolicyID, (ErrorState, Arc<Annotations>)>

All of the Effect::Permit policies that were not satisfied

§residual_permits: HashMap<PolicyID, (Arc<Expr>, Arc<Annotations>)>

All of the Effect::Permit policies that evaluated to a residual

§satisfied_forbids: HashMap<PolicyID, Arc<Annotations>>

All of the Effect::Forbid policies that were satisfied

§false_forbids: HashMap<PolicyID, (ErrorState, Arc<Annotations>)>

All of the Effect::Forbid policies that were not satisfied

§residual_forbids: HashMap<PolicyID, (Arc<Expr>, Arc<Annotations>)>

All of the Effect::Forbid policies that evaluated to a residual

§errors: Vec<AuthorizationError>

All of the policy errors encountered during evaluation

Implementations§

impl PartialResponse

pub fn new(
    true_permits: impl IntoIterator<Item = (PolicyID, Arc<Annotations>)>,
    false_permits: impl IntoIterator<Item = (PolicyID, (ErrorState, Arc<Annotations>))>,
    residual_permits: impl IntoIterator<Item = (PolicyID, (Arc<Expr>, Arc<Annotations>))>,
    true_forbids: impl IntoIterator<Item = (PolicyID, Arc<Annotations>)>,
    false_forbids: impl IntoIterator<Item = (PolicyID, (ErrorState, Arc<Annotations>))>,
    residual_forbids: impl IntoIterator<Item = (PolicyID, (Arc<Expr>, Arc<Annotations>))>,
    errors: impl IntoIterator<Item = AuthorizationError>,
    request: Arc<Request>,
) -> Self

Create a partial response from each of the policy result categories

pub fn concretize(self) -> Response

Convert this response into a concrete evaluation response. All residuals are treated as errors

pub fn decision(&self) -> Option<Decision>

Attempt to reach a partial decision; the presence of residuals may result in returning None, indicating that a decision could not be reached given the unknowns
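
How `decision` and `concretize` can disagree on the same response, as an added model that is not code from cedar-policy-core. It reduces policies to per-category counts and assumes Cedar's forbid-overrides-permit, default-deny semantics with errored policies skipped; `Outcome` and its fields are hypothetical names.

```rust
// Added model (assumption): not the crate's implementation, only its decision rules.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Decision { Allow, Deny }

// Counts of policies per category; the false_* categories never affect the decision.
#[derive(Default, Clone, Copy)]
pub struct Outcome {
    pub satisfied_permits: usize,
    pub residual_permits: usize,
    pub satisfied_forbids: usize,
    pub residual_forbids: usize,
}

impl Outcome {
    /// Partial decision: `None` when an unknown could still flip the result.
    pub fn decision(&self) -> Option<Decision> {
        if self.satisfied_forbids > 0 {
            return Some(Decision::Deny); // a satisfied forbid overrides everything
        }
        if self.satisfied_permits == 0 && self.residual_permits == 0 {
            return Some(Decision::Deny); // no permit can ever apply: default deny
        }
        if self.residual_forbids > 0 {
            return None; // a forbid might still become true
        }
        if self.satisfied_permits > 0 {
            Some(Decision::Allow)
        } else {
            None // only residual permits remain
        }
    }

    /// Assumed concretize model: residuals become errors, and errored policies are skipped.
    pub fn concretize(&self) -> Decision {
        if self.satisfied_forbids == 0 && self.satisfied_permits > 0 {
            Decision::Allow
        } else {
            Decision::Deny
        }
    }
}

fn main() {
    // Constructed case: one permit is satisfied, one forbid still depends on an unknown.
    let o = Outcome { satisfied_permits: 1, residual_forbids: 1, ..Default::default() };
    println!("decision = {:?}, concretize = {:?}", o.decision(), o.concretize());
}
```

Under these assumptions the constructed case gives `None` from `decision` but `Allow` from `concretize`, so an enforcement point should resolve residual forbids (for example with `reauthorize`) before concretizing.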

pub fn definitely_satisfied(&self) -> impl Iterator<Item = Policy> + '_

Returns the set of PolicyIDs that were definitely satisfied – both permits and forbids

pub fn definitely_errored(&self) -> impl Iterator<Item = &PolicyID>

Returns the set of PolicyIDs that encountered errors

pub fn may_be_determining(&self) -> impl Iterator<Item = Policy> + '_

Returns an over-approximation of the set of determining policies.

This is all policies that may be determining for any substitution of the unknowns.

pub fn must_be_determining(&self) -> impl Iterator<Item = Policy> + '_

Returns an under-approximation of the set of determining policies.

This is all policies that must be determining for all possible substitutions of the unknowns.

pub fn nontrivial_residuals(&self) -> impl Iterator<Item = Policy> + '_

Returns the set of non-trivial (meaning more than just true or false) residual expressions

pub fn nontrivial_residual_ids(&self) -> impl Iterator<Item = &PolicyID>

Returns the set of ids of non-trivial (meaning more than just true or false) residual expressions

pub fn nontrival_forbids(&self) -> impl Iterator<Item = Policy> + '_

Returns the set of non-trivial (meaning more than just true or false) residual expressions from Effect::Forbid

pub fn all_residuals(&self) -> impl Iterator<Item = Policy> + '_

Returns every policy residual, including trivial ones

pub fn get(&self, id: &PolicyID) -> Option<Policy>

Return the residual for a given PolicyID, if it exists in the response

pub fn reauthorize(
    &self,
    mapping: &HashMap<SmolStr, Value>,
    auth: &Authorizer,
    es: &Entities,
) -> Result<Self, ReauthorizationError>

Attempt to re-authorize this response given a mapping from unknowns to values

Trait Implementations§

impl Clone for PartialResponse

fn clone(&self) -> PartialResponse

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for PartialResponse

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl From<PartialResponse> for Response

fn from(p: PartialResponse) -> Self

Converts to this type from the input type.
