Crate cedar_policy_validator

source ·
Expand description

Validator for Cedar policies

Modules§

  • Implements typechecking for Cedar policies. Typechecking is done using the Typechecker struct by calling the typecheck_policy method given a policy.
  • Defines the type structure for typechecking and various utilities for constructing and manipulating types.

Structs§

  • An action type describes a specific action entity. It also describes what kinds of entities it can be used on.
  • Action declarations held in a ValidatorNamespaceDef. Entity types referenced here do not need to be declared in the schema.
  • The apply spec specifies what principals and resources an action can be used with. This specification can either be done through containing to entity types. The fields of this record are optional so that they can be omitted to declare that the apply spec for the principal or resource is undefined, meaning that the action can be applied to any principal or resource. This is different than providing an empty list because the empty list is interpreted as specifying that there are no principals or resources that an action applies to.
  • Struct which carries enough information that it can (efficiently) impl Core’s Schema
  • Entity types describe the relationships in the entity store, including what entities can be members of groups of what types, and what attributes can/should be included on entities of each type.
  • Struct which carries enough information that it can impl Core’s EntityTypeDescription
  • Defines an EntityType where we have not resolved typedefs occurring in the attributes or verified that the parent entity types and entity types occurring in attributes are defined.
  • Entity type declarations held in a ValidatorNamespaceDef. Entity type parents and attributes may reference undeclared entity types.
  • Structure containing details about a function argument validation error.
  • Structure containing details about an incompatible type error.
  • Structure containing details about an invalid action application error.
  • Structure containing details about a multiply defined function error.
  • A SchemaFragment describe the types for a given instance of Cedar. SchemaFragments are composed of Entity Types and Action Types. The schema fragment is split into multiple namespace definitions, eac including a namespace name which is applied to all entity types (and the implicit Action entity type for all actions) in the schema.
  • Represents a location in Cedar policy source.
  • Holds a map from Names of common type definitions to their corresponding Type.
  • The structure for type errors. A type errors knows the expression that triggered the type error, as well as additional information for specific kinds of type errors.
  • Used to describe the type of a record or entity attribute. It contains a the type of the attribute and whether the attribute is required. The type is flattened for serialization, so, in JSON format, this appears as a regular type with one extra property required.
  • Structure containing details about types must match error.
  • Structure containing details about an undefined function error.
  • Structure containing details about an unexpected type error.
  • Structure containing details about an unrecognized action id error.
  • Structure containing details about an unrecognized entity type error.
  • Structure containing details about a missing attribute error.
  • Structure containing details about an unsafe optional attribute error.
  • Structure containing details about an unspecified entity error.
  • An error generated by the validator when it finds a potential problem in a policy. The error contains a enumeration that specifies the kind of problem, and provides details specific to that kind of problem. The error also records where the problem was encountered.
  • Contains the result of policy validation. The result includes the list of of issues found by the validation and whether validation succeeds or fails. Validation succeeds if there are no fatal errors. There are currently no non-fatal warnings, so any issues found will cause validation to fail.
  • Returned by the standalone confusable_string_checker function, which checks a policy set for potentially confusing/obfuscating text.
  • Structure containing the context needed for policy validation. This is currently only the EntityTypes and ActionTypes from a single schema.
  • Contains information about actions used by the validator. The contents of the struct are the same as the schema entity type structure, but the member_of relation is reversed to instead be descendants.
  • Contains entity type information for use by the validator. The contents of the struct are the same as the schema entity type structure, but the member_of relation is reversed to instead be descendants.
  • A single namespace definition from the schema json processed into a form which is closer to that used by the validator. The processing includes detection of some errors, for example, parse errors in entity type names or entity type which are declared multiple times. This does not detect references to undeclared entity types because any entity type may be declared in a different fragment that will only be known about when building the complete ValidatorSchema.
  • Structure containing details about a wrong call style error.
  • Structure containing details about a wrong number of arguments error.

Enums§

Functions§

Type Aliases§