Crate cedar_policy
source ·Expand description
§Cedar-Policy
Cedar is a language for defining permissions as policies, which describe who should have access to what. It is also a specification for evaluating those policies. Use Cedar policies to control what each user of your application is permitted to do and what resources they may access.
§Using Cedar
Cedar can be used in your application by depending on the cedar-policy crate.
Just add cedar-policy as a dependency by running
cargo add cedar-policy
§Quick Start
Let’s write a super simple Cedar policy and test it:
permit(principal == User::"alice", action == Action::"view", resource == File::"93");
This policy permits exactly one authorization request, alice is allowed to view file 93.
Any other authorization request will be implicitly denied. Let’s embed this policy in Rust and use the Cedar Authorizer:
use cedar_policy::*;
fn main() {
const POLICY_SRC: &str = r#"
permit(principal == User::"alice", action == Action::"view", resource == File::"93");
"#;
let policy: PolicySet = POLICY_SRC.parse().unwrap();
let action = r#"Action::"view""#.parse().unwrap();
let alice = r#"User::"alice""#.parse().unwrap();
let file = r#"File::"93""#.parse().unwrap();
let request = Request::new(Some(alice), Some(action), Some(file), Context::empty(), None).unwrap();
let entities = Entities::empty();
let authorizer = Authorizer::new();
let answer = authorizer.is_authorized(&request, &policy, &entities);
// Should output `Allow`
println!("{:?}", answer.decision());
let action = r#"Action::"view""#.parse().unwrap();
let bob = r#"User::"bob""#.parse().unwrap();
let file = r#"File::"93""#.parse().unwrap();
let request = Request::new(Some(bob), Some(action), Some(file), Context::empty(), None).unwrap();
let answer = authorizer.is_authorized(&request, &policy, &entities);
// Should output `Deny`
println!("{:?}", answer.decision());
}If you’d like to see more details on what can be expressed as Cedar policies, see the documentation.
Examples of how to use Cedar in an application are contained in the repository cedar-examples. The most full-featured of these is TinyTodo, which is a simple task list management service whose users’ requests, sent as HTTP messages, are authorized by Cedar.
§Documentation
General documentation for Cedar is available at docs.cedarpolicy.com, with source code in the cedar-policy/cedar-docs repository.
Generated documentation for the latest version of the Rust crates can be accessed on docs.rs.
If you’re looking to integrate Cedar into a production system, please be sure the read the security best practices
§Building
To build, simply run cargo build (or cargo build --release).
§What’s New
See CHANGELOG
§Security
See SECURITY
§Contributing
We welcome contributions from the community. Please either file an issue, or see CONTRIBUTING
§License
This project is licensed under the Apache-2.0 License.
Modules§
- Extended functionality for
Entitiesstruct - This module contains all of the standard Cedar extensions.
- Functions for interacting with
cedar_policy, intended to be easier to use in an FFI context than the root-levelcedar_policyinterface - frontendDeprecatedFrontend utilities, see comments in the module itself
Structs§
- Authorizer object, which provides responses to authorization queries
- the Context object for an authorization request
- Diagnostics providing more information on how a
Decisionwas reached - Represents an entity hierarchy, and allows looking up
Entityobjects by Uid. - Entity datatype
- Error when evaluating an entity attribute
- Identifier portion of the
EntityUidtype. - Represents a namespace.
- Represents an entity type name. Consists of a namespace and the type name.
- Unique id for an entity, such as
User::"alice". - An error generated while evaluating an expression
- Expressions to be evaluated
- Multiple parse errors.
- PartialResponse
partial-evalA partially evaluated authorization response. Splits the results into several categories: satisfied, false, and residual for each policy effect. Also tracks all the errors that were encountered during evaluation. - Structure for a
Policy. Includes both static policies and template-linked policies. - Unique ids assigned to policies and templates.
- Represents a set of
Policys - A record of Cedar values
- An authorization request is a tuple
<P, A, R, C>where - RequestBuilder
partial-evalBuilder for aRequest - Authorization response returned from the
Authorizer - “Restricted” expressions are used for attribute values and
context. - Object containing schema information used by the validator.
- Contains all the type information used to construct a
Schemathat can be used to validate a policy. - Sets of Cedar values
- Identifier for a Template slot
- Represents a location in Cedar policy source.
- Policy template datatype
- UnsetSchema
partial-evalA marker type that indicatesSchemais not set for a request - An error generated by the validator when it finds a potential problem in a policy. The error contains a enumeration that specifies the kind of problem, and provides details specific to that kind of problem. The error also records where the problem was encountered.
- Contains the result of policy validation. The result includes the list of issues found by validation and whether validation succeeds or fails. Validation succeeds if there are no fatal errors. There may still be non-fatal warnings present when validation passes.
- Warnings found in Cedar policies
- Validator object, which provides policy validation and typechecking.
Enums§
- Scope constraint on policy actions.
- Errors that can occur during authorization
- Error type for parsing
Contextfrom JSON - Describes in what action context or entity type shape a schema parsing error occurred.
- Decision returned from the
Authorizer - the Effect of a policy
- Error type for errors raised in entities.rs.
- Result of Evaluation
- Enumeration of the possible errors that can occur during evaluation
- Errors when parsing schemas
- Potential errors when adding to a
PolicySet. - Errors that can happen when getting the JSON representation of a policy
- Scope constraint on policy principals.
- Errors that can be encountered when re-evaluating a partial response
- Scope constraint on policy resources.
- Errors encountered during construction of a Validation Schema
- Scope constraint on policy principals for templates.
- Scope constraint on policy resources for templates.
- Errors serializing Schemas to the natural syntax
- Represents the different kinds of type errors and contains information specific to that type error kind.
- Enumeration of the possible diagnostic error that could be found by the verification steps.
- Used to select how a policy will be validated.
- Represents the different kinds of validation warnings and information specific to that warning. Marked as
non_exhaustiveto allow adding additional warnings in the future as a non-breaking change.
Functions§
- Scan a set of policies for potentially confusing/obfuscating text. These checks are also provided through
Validator::validatewhich provides more comprehensive error detection, but this function can be used to check for confusable strings without defining a schema. - Evaluates an expression. If evaluation results in an error (e.g., attempting to access a non-existent Entity or Record, passing the wrong number of arguments to a function etc.), that error is returned as a String