cedar_policy_core

Module ast

Source
Expand description

This module contains the AST datatypes.

Modules§

context_creation_errors
Error subtypes for ContextCreationError
expression_construction_errors
Error subtypes for ExpressionConstructionError
restricted_expr_errors
Error subtypes for RestrictedExpressionError

Structs§

Annotation
Struct which holds the value of a particular annotation
Annotations
Struct which holds the annotations for a policy
AnyId
Like Id, except this specifically can contain Cedar reserved identifiers. (It still can’t contain, for instance, spaces or characters like ‘+’.)
BorrowedLiteralPolicy
A borrowed version of LiteralPolicy exclusively for serialization
BorrowedRestrictedExpr
While RestrictedExpr wraps an owned Expr, BorrowedRestrictedExpr wraps a borrowed Expr, with the same invariants.
ContainsUnknown
The PartialValue is a residual, i.e., contains an unknown
Eid
The Eid type represents the id of an Entity, without the typename. Together with the typename it comprises an EntityUID. For example, in User::"alice", the Eid is alice.
Entity
Entity datatype
EntityAttrEvaluationError
Error type for evaluation errors when evaluating an entity attribute or tag. Contains some extra contextual information and the underlying EvaluationError.
EntityType
Entity type names are just Names, but we have some operations on them specific to entity types.
EntityUID
Unique ID for an entity. These represent entities in the AST.
Expr
Internal AST for expressions used by the policy evaluator. This structure is a wrapper around an ExprKind, which is the expression variant this object contains. It also contains source information about where the expression was written in policy source code, and some generic data which is stored on each node of the AST. Cloning is O(1).
ExprBuilder
Builder for constructing Expr objects annotated with some data (possibly taking default value) and optionally a source_loc.
ExprIterator
This structure implements the iterator used to traverse subexpressions of an expression.
ExprShapeOnly
A new type wrapper around Expr that provides Eq and Hash implementations that ignore any source information or other generic data used to annotate the Expr.
Extension
Cedar extension.
ExtensionFunction
Extension function. These can be called by the given name in Ceder expressions.
Id
Identifiers. Anything in Id should be a valid identifier, this means it does not contain, for instance, spaces or characters like ‘+’; and also is not one of the Cedar reserved identifiers (at time of writing, true | false | if | then | else | in | is | like | has).
Infallible
Wrapper around std::convert::Infallible which also implements miette::Diagnostic
InternalName
Represents the name of an entity type, function, etc. The name may include namespaces. Clone is O(1).
IntoIter
Wraps the BTreeMap into an opaque type so we can change it later if need be
LiteralPolicy
Represents either an static policy or a template linked policy This is the serializable version because it simply refers to the Template by its Id;
Name
A new type which indicates that the contained InternalName does not contain reserved __cedar, as specified by RFC 52. This represents names which are legal for end-users to define, while InternalName represents names which are legal for end-users to reference.
PartialValueSerializedAsExpr
PartialValue, but serialized as a RestrictedExpr.
Pattern
Represent a pattern literal (the RHS of the like operator) Also provides an implementation of the Display trait as well as a wildcard matching method.
Policy
A Policy that contains: a pointer to its template an link ID (unless it’s an static policy) the bound values for slots in the template
PolicyID
A unique identifier for a policy statement
PolicySet
Represents a set of Policys
PrincipalConstraint
Template constraint on principal scope variables
RepresentableExtensionValue
Object container for extension values An extension value must be representable by a RestrictedExpr Specifically, it will be a function call func on args Note that func may not be the constructor. A counterexample is that a datetime is represented by an offset method call. Nevertheless, an invariant is that eval(<func>(<args>)) == value
Request
Represents the request tuple <P, A, R, C> (see the Cedar design doc).
RequestSchemaAllPass
A RequestSchema that does no validation and always reports a passing result
RequestType
Represents the principal type, resource type, and action UID.
ReservedNameError
Error when a reserved name is used where it is not allowed
ResourceConstraint
Template constraint on resource scope variables
RestrictedExpr
A few places in Core use these “restricted expressions” (for lack of a better term) which are in some sense the minimal subset of Expr required to express all possible Values.
RestrictedExprShapeOnly
Like ExprShapeOnly, but for restricted expressions.
Set
Value’s internal representation of a Set
Slot
SlotId plus a source location
SlotId
Identifier for a slot Clone is O(1).
StaticPolicy
Static Policies are policy that do not come from templates. They have the same structure as a template definition, but cannot contain slots
Template
Top level structure for a policy template. Contains both the AST for template, and the list of open slots in the template.
TemplateBody
Policy datatype. This is used for both templates (in which case it contains slots) and static policies (in which case it contains zero slots).
Unknown
Representation of a partial-evaluation Unknown at the AST level
UnreservedId
An Id that is not equal to __cedar, as specified by RFC 52
Value
This describes all the values which could be the dynamic result of evaluating an Expr. Cloning is O(1).

Enums§

ActionConstraint
Constraint for action scope variables. Action variables can be constrained to be in any variable in a list.
BinaryOp
Built-in operators with exactly two arguments
CallStyle
Which “style” is a function call
Context
Context field of a Request
ContextCreationError
Errors while trying to create a Context
Effect
the Effect of a policy
EntityReference
A reference to an EntityUID that may be a Slot
EntityUIDEntry
An entry in a request for a Entity UID. It may either be a concrete EUID or an unknown in the case of partial evaluation
ExprKind
The possible expression variants. This enum should be matched on by code recursively traversing the AST.
ExpressionConstructionError
Errors when constructing an expression
ExtensionOutputValue
The output of an extension call, either a value or an unknown
LinkingError
Errors linking templates
Literal
First-class values which may appear as literals in Expr::Lit.
NotValue
An error that can be thrown converting an expression to a value
PartialValue
Intermediate results of partial evaluation
PartialValueToRestrictedExprError
Errors when converting PartialValue to RestrictedExpr
PartialValueToValueError
Errors encountered when converting PartialValue to Value
PatternElem
Represent an element in a pattern literal (the RHS of the like operation)
PolicySetError
Potential errors when working with PolicySets.
PolicySetGetLinksError
Potential errors when working with PolicySets.
PolicySetPolicyRemovalError
Potential errors when removing policies from a PolicySet.
PolicySetTemplateRemovalError
Potential errors when removing templates from a PolicySet.
PolicySetUnlinkError
Potential errors when unlinking from a PolicySet.
PrincipalOrResource
Subset of AST variables that have the same constraint form
PrincipalOrResourceConstraint
Represents the constraints for principals and resources. Can either not constrain, or constrain via == or in for a single entity literal.
ReificationError
Errors that can happen during policy reification
RestrictedExpressionError
Error when constructing a restricted expression from unrestricted expression
RestrictedExpressionParseError
Errors possible from RestrictedExpr::from_str()
SubstitutionError
Enum for errors encountered during substitution
Type
This represents the runtime type of a Cedar value. Nominal types: two entity types are equal if they have the same Name.
UnaryOp
Built-in operators with exactly one argument
UnexpectedSlotError
Error for unexpected slots
ValueKind
This describes all the values which could be the dynamic result of evaluating an Expr. Cloning is O(1).
Var
AST variables

Statics§

ACTION_ENTITY_TYPE
The entity type that Actions must have

Traits§

BoundedDisplay
Like Display, but optionally truncates embedded sets/records to n elements/pairs, including recursively.
BoundedToString
Like ToString, but optionally truncates embedded sets/records to n elements/pairs, including recursively.
ExtensionValue
Extension value.
InternalExtensionValue
Extensions provide a type implementing ExtensionValue, Eq, and Ord. We automatically implement InternalExtensionValue for that type (with the impl below). Internally, we use dyn InternalExtensionValue instead of dyn ExtensionValue.
RequestSchema
Trait for schemas capable of validating Requests
StaticallyTyped
Trait for everything in Cedar that has a type known statically.

Functions§

split
Collect an iterator of either residuals or values into one of the following a) An iterator over values, if everything evaluated to values b) An iterator over residuals expressions, if anything only evaluated to a residual Order is preserved.

Type Aliases§

BinaryExtensionFunctionObject
Trait object that implements the extension function call accepting exactly 2 arguments
ExtensionFunctionObject
Trait object that implements the extension function call accepting any number of arguments.
InputInteger
The integer type we use when parsing input
Integer
The integer type we use internally
NullaryExtensionFunctionObject
Trait object that implements the extension function call accepting exactly 0 arguments
SlotEnv
Map from Slot Ids to Entity UIDs which fill the slots
TernaryExtensionFunctionObject
Trait object that implements the extension function call accepting exactly 3 arguments
UnaryExtensionFunctionObject
Trait object that implements the extension function call accepting exactly 1 arguments