Crate cedar_policy_validator
source ·Expand description
Validator for Cedar policies
Modules§
- Implements typechecking for Cedar policies. Typechecking is done using the
Typechecker
struct by calling thetypecheck_policy
method given a policy. - Defines the type structure for typechecking and various utilities for constructing and manipulating types.
Structs§
- An action type describes a specific action entity. It also describes what kinds of entities it can be used on.
- Action declarations held in a
ValidatorNamespaceDef
. Entity types referenced here do not need to be declared in the schema. - The apply spec specifies what principals and resources an action can be used with. This specification can either be done through containing to entity types. The fields of this record are optional so that they can be omitted to declare that the apply spec for the principal or resource is undefined, meaning that the action can be applied to any principal or resource. This is different than providing an empty list because the empty list is interpreted as specifying that there are no principals or resources that an action applies to.
- Struct which carries enough information that it can (efficiently) impl Core’s
Schema
- Entity types describe the relationships in the entity store, including what entities can be members of groups of what types, and what attributes can/should be included on entities of each type.
- Struct which carries enough information that it can impl Core’s
EntityTypeDescription
- Defines an EntityType where we have not resolved typedefs occurring in the attributes or verified that the parent entity types and entity types occurring in attributes are defined.
- Entity type declarations held in a
ValidatorNamespaceDef
. Entity type parents and attributes may reference undeclared entity types. - Structure containing details about a function argument validation error.
- Structure containing details about an incompatible type error.
- Structure containing details about an invalid action application error.
- Structure containing details about a multiply defined function error.
- A SchemaFragment describe the types for a given instance of Cedar. SchemaFragments are composed of Entity Types and Action Types. The schema fragment is split into multiple namespace definitions, eac including a namespace name which is applied to all entity types (and the implicit
Action
entity type for all actions) in the schema. - Represents a location in Cedar policy source.
- Holds a map from
Name
s of common type definitions to their correspondingType
. - The structure for type errors. A type errors knows the expression that triggered the type error, as well as additional information for specific kinds of type errors.
- Used to describe the type of a record or entity attribute. It contains a the type of the attribute and whether the attribute is required. The type is flattened for serialization, so, in JSON format, this appears as a regular type with one extra property
required
. - Structure containing details about types must match error.
- Structure containing details about an undefined function error.
- Structure containing details about an unexpected type error.
- Structure containing details about an unrecognized action id error.
- Structure containing details about an unrecognized entity type error.
- Structure containing details about a missing attribute error.
- Structure containing details about an unsafe optional attribute error.
- Structure containing details about an unspecified entity error.
- An error generated by the validator when it finds a potential problem in a policy. The error contains a enumeration that specifies the kind of problem, and provides details specific to that kind of problem. The error also records where the problem was encountered.
- Contains the result of policy validation. The result includes the list of of issues found by the validation and whether validation succeeds or fails. Validation succeeds if there are no fatal errors. There are currently no non-fatal warnings, so any issues found will cause validation to fail.
- Returned by the standalone
confusable_string_checker
function, which checks a policy set for potentially confusing/obfuscating text. - Structure containing the context needed for policy validation. This is currently only the
EntityType
s andActionType
s from a single schema. - Contains information about actions used by the validator. The contents of the struct are the same as the schema entity type structure, but the
member_of
relation is reversed to instead bedescendants
. - Contains entity type information for use by the validator. The contents of the struct are the same as the schema entity type structure, but the
member_of
relation is reversed to instead bedescendants
. - A single namespace definition from the schema json processed into a form which is closer to that used by the validator. The processing includes detection of some errors, for example, parse errors in entity type names or entity type which are declared multiple times. This does not detect references to undeclared entity types because any entity type may be declared in a different fragment that will only be known about when building the complete
ValidatorSchema
. - Structure containing details about a wrong call style error.
- Structure containing details about a wrong number of arguments error.
Enums§
- A restricted version of the
Type
enum containing only the types which are exposed to users. - Represents the different kinds of type errors and contains information specific to that type error kind.
- Enumeration of the possible diagnostic error that could be found by the verification steps.
- Used to select how a policy will be validated.
- Represent a type that might be defined in terms of some type definitions which are not necessarily available in the current namespace.
Functions§
- Perform identifier and string safety checks.