cedar_policy

Struct Policy

pub struct Policy { /* private fields */ }

Structure for a Policy. Includes both static policies and template-linked policies.

Implementations

impl Policy

pub fn template_id(&self) -> Option<&PolicyId>

Get the PolicyId of the Template this is linked to. If this is a static policy, this will return None.

Get the values this Template is linked to, expressed as a map from SlotId to EntityUid. If this is a static policy, this will return None.

pub fn effect(&self) -> Effect

Get the Effect (Permit or Forbid) for this instance.

pub fn annotation(&self, key: impl AsRef<str>) -> Option<&str>

Get an annotation value of this template-linked or static policy. If the annotation is present without an explicit value (e.g., @annotation), then this function returns Some(""). It returns None only when the annotation is not present.

pub fn annotations(&self) -> impl Iterator<Item = (&str, &str)>

Iterate through the annotation data of this template-linked or static policy. Annotations that do not have an explicit value (e.g., @annotation) are included in the iterator with the value "".

pub fn id(&self) -> &PolicyId

Get the PolicyId for this template-linked or static policy.

pub fn new_id(&self, id: PolicyId) -> Self

Clone this Policy with a new PolicyId.

pub fn is_static(&self) -> bool

Returns true if this is a static policy, false otherwise.

pub fn principal_constraint(&self) -> PrincipalConstraint

Get the scope constraint on this policy’s principal.

pub fn action_constraint(&self) -> ActionConstraint

Get the scope constraint on this policy’s action.

pub fn resource_constraint(&self) -> ResourceConstraint

Get the scope constraint on this policy’s resource.

pub fn parse(id: Option<PolicyId>, policy_src: impl AsRef<str>) -> Result<Self, ParseErrors>

Parse a single policy. If id is Some, the policy will be given that Policy Id. If id is None, then “policy0” will be used. The behavior around None may change in the future.

This can fail if the policy fails to parse. It can also fail if a template was passed in, as this function only accepts static policies.

pub fn from_json(id: Option<PolicyId>, json: Value) -> Result<Self, PolicyFromJsonError>

Create a Policy from its JSON representation. If id is Some, the policy will be given that Policy Id. If id is None, then “JSON policy” will be used. The behavior around None may change in the future.


use cedar_policy::Policy;

// JSON representation of the policy
let json: serde_json::Value = serde_json::json!({
    "effect": "permit",
    "principal": {
        "op": "==",
        "entity": { "type": "User", "id": "bob" }
    },
    "action": {
        "op": "==",
        "entity": { "type": "Action", "id": "view" }
    },
    "resource": {
        "op": "==",
        "entity": { "type": "Album", "id": "trip" }
    },
    "conditions": [
        {
            "kind": "when",
            "body": {
                ">": {
                    "left": {
                        ".": {
                            "left": { "Var": "principal" },
                            "attr": "age"
                        }
                    },
                    "right": { "Value": 18 }
                }
            }
        }
    ]
});
let json_policy = Policy::from_json(None, json).unwrap();

// The same policy written in Cedar syntax
let src = r#"
  permit(
    principal == User::"bob",
    action == Action::"view",
    resource == Album::"trip"
  )
  when { principal.age > 18 };"#;
let text_policy = Policy::parse(None, src).unwrap();

// Both forms serialize to the same JSON
assert_eq!(json_policy.to_json().unwrap(), text_policy.to_json().unwrap());

pub fn get_valid_request_envs(&self, s: &Schema) -> impl Iterator<Item = RequestEnv>

Get valid RequestEnvs. A RequestEnv is valid when the policy type checks with respect to requests that satisfy it.

pub fn entity_literals(&self) -> Vec<EntityUid>

Get all entity literals occurring in a Policy.

pub fn sub_entity_literals(&self, mapping: BTreeMap<EntityUid, EntityUid>) -> Result<Self, PolicyFromJsonError>

Return a new policy where all occurrences of key EntityUids are replaced by value EntityUid (as a single, non-sequential substitution).
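
What "single, non-sequential substitution" means for a mapping whose values are also keys, as an added example that is not part of the cedar_policy documentation. It models entity UIDs as plain strings and does not call the crate; `substitute_once`, `substitute_sequentially` and the sample values are hypothetical names constructed here.

```rust
use std::collections::BTreeMap;

// Assumption of this example: entity UIDs as plain strings, not cedar_policy::EntityUid.
type Uid = String;

fn uid(s: &str) -> Uid { s.to_string() }

/// Single, non-sequential substitution: each literal is looked up once in the
/// mapping, and a replacement value is never rewritten by another entry.
fn substitute_once(literals: &[Uid], mapping: &BTreeMap<Uid, Uid>) -> Vec<Uid> {
    literals
        .iter()
        .map(|l| mapping.get(l).cloned().unwrap_or_else(|| l.clone()))
        .collect()
}

/// Sequential substitution, for contrast: each entry is applied in key order
/// to the output of the previous entry, so earlier results can be rewritten.
fn substitute_sequentially(literals: &[Uid], mapping: &BTreeMap<Uid, Uid>) -> Vec<Uid> {
    let mut out = literals.to_vec();
    for (from, to) in mapping {
        for l in out.iter_mut() {
            if *l == *from {
                *l = to.clone();
            }
        }
    }
    out
}

/// Constructed sample: the entity literals a policy might contain.
fn sample_literals() -> Vec<Uid> {
    vec![uid(r#"User::"alice""#), uid(r#"User::"bob""#), uid(r#"Album::"trip""#)]
}

/// Constructed mapping that swaps two principals.
fn swap_mapping() -> BTreeMap<Uid, Uid> {
    BTreeMap::from([
        (uid(r#"User::"alice""#), uid(r#"User::"bob""#)),
        (uid(r#"User::"bob""#), uid(r#"User::"alice""#)),
    ])
}

fn main() {
    let (lits, map) = (sample_literals(), swap_mapping());
    println!("single:     {:?}", substitute_once(&lits, &map));
    println!("sequential: {:?}", substitute_sequentially(&lits, &map));
}
```

With the swap mapping, the single substitution exchanges the two users, while the sequential version rewrites both literals to the same user.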

pub fn to_json(&self) -> Result<Value, PolicyToJsonError>

Get the JSON representation of this Policy.

use cedar_policy::Policy;

let src = r#"
 permit(
   principal == User::"bob",
   action == Action::"view",
   resource == Album::"trip"
 )
 when { principal.age > 18 };"#;

let policy = Policy::parse(None, src).unwrap();
println!("{}", policy);
// convert the policy to JSON
let json = policy.to_json().unwrap();
println!("{}", json);
// round trip: JSON -> Policy -> JSON yields the same value
assert_eq!(json, Policy::from_json(None, json.clone()).unwrap().to_json().unwrap());

pub fn unknown_entities(&self) -> HashSet<EntityUid>

Available on crate feature partial-eval only.

Get all the unknown entities from the policy

This feature is experimental. For more information see https://github.com/cedar-policy/rfcs/blob/main/README.md#experimental-features

Trait Implementations

impl Clone for Policy

fn clone(&self) -> Policy

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Policy

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for Policy

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl FromStr for Policy

fn from_str(policy: &str) -> Result<Self, Self::Err>

Create a policy

Important note: Policies have ids, but this interface does not allow them to be set. It will use the default “policy0”, which may cause id conflicts if not handled. Use Policy::parse to set the id when parsing, or Policy::new_id to clone a policy with a new id.

type Err = ParseErrors

The associated error which can be returned from parsing.

impl PartialEq for Policy

fn eq(&self, other: &Self) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Eq for Policy

Auto Trait Implementations

impl Freeze for Policy

impl RefUnwindSafe for Policy

impl Send for Policy

impl Sync for Policy

impl Unpin for Policy

impl UnwindSafe for Policy

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dst: *mut T)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dst.

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Checks if this value is equivalent to the given key.

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Compare self to key and return true if they are equal.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoEither for T

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise.

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T> ToSmolStr for T
where T: Display + ?Sized,

impl<T> ToString for T
where T: Display + ?Sized,

default fn to_string(&self) -> String

Converts the given value to a String.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.