feat: implement policy templates

authorize.go

@@ -38,7 +38,7 @@ func (p PolicySet) IsAuthorized(entities types.EntityGetter, req Request) (Decis
 	// - All policy should be run to collect errors
 	// - For permit, all permits must be run to collect annotations
 	// - For forbid, forbids must be run to collect annotations
-	for id, po := range p.policies {
+	for id, po := range p.policies.StaticPolicies {
 		result, err := po.eval.Eval(env)
 		if err != nil {
 			diag.Errors = append(diag.Errors, DiagnosticError{PolicyID: id, Position: po.Position(), Message: err.Error()})

internal/eval/compile.go

@@ -66,9 +66,9 @@ func scopeToNode(varNode ast.NodeTypeVariable, in ast.IsScopeNode) ast.Node {
 	case ast.ScopeTypeAll:
 		return ast.True()
 	case ast.ScopeTypeEq:
-		return ast.NewNode(varNode).Equal(ast.Value(t.Entity))
+		return ast.NewNode(varNode).Equal(ast.Value(entityReferenceToUID(t.Entity)))
 	case ast.ScopeTypeIn:
-		return ast.NewNode(varNode).In(ast.Value(t.Entity))
+		return ast.NewNode(varNode).In(ast.Value(entityReferenceToUID(t.Entity)))
 	case ast.ScopeTypeInSet:
 		vals := make([]types.Value, len(t.Entities))
 		for i, e := range t.Entities {
@@ -79,8 +79,19 @@ func scopeToNode(varNode ast.NodeTypeVariable, in ast.IsScopeNode) ast.Node {
 		return ast.NewNode(varNode).Is(t.Type)
 
 	case ast.ScopeTypeIsIn:
-		return ast.NewNode(varNode).IsIn(t.Type, ast.Value(t.Entity))
+		return ast.NewNode(varNode).IsIn(t.Type, ast.Value(entityReferenceToUID(t.Entity)))
 	default:
 		panic(fmt.Sprintf("unknown scope type %T", t))
 	}
 }
+
+func entityReferenceToUID(ef types.EntityReference) types.EntityUID {
+	switch e := ef.(type) {
+	case types.EntityUID:
+		return e
+	case types.VariableSlot:
+		panic("variable slot cannot be evaluated, you should instantiate a template-linked policy first")
+	default:
+		panic(fmt.Sprintf("unknown entity reference type %T", e))
+	}
+}

internal/eval/partial.go

@@ -139,14 +139,14 @@ func partialScopeEval(env Env, ent types.Value, in ast.IsScopeNode) (evaled bool
 	case ast.ScopeTypeEq:
 		return true, e == t.Entity
 	case ast.ScopeTypeIn:
-		return true, entityInOne(env, e, t.Entity)
+		return true, entityInOne(env, e, entityReferenceToUID(t.Entity))
 	case ast.ScopeTypeInSet:
 		set := mapset.Immutable(t.Entities...)
 		return true, entityInSet(env, e, set)
 	case ast.ScopeTypeIs:
 		return true, e.Type == t.Type
 	case ast.ScopeTypeIsIn:
-		return true, e.Type == t.Type && entityInOne(env, e, t.Entity)
+		return true, e.Type == t.Type && entityInOne(env, e, entityReferenceToUID(t.Entity))
 	default:
 		panic(fmt.Sprintf("unknown scope type %T", t))
 	}

internal/json/json.go

@@ -17,7 +17,8 @@ type policyJSON struct {
 
 // scopeInJSON uses the implicit form of EntityUID JSON serialization to match the Rust SDK
 type scopeInJSON struct {
-	Entity types.ImplicitlyMarshaledEntityUID `json:"entity"`
+	Entity *types.ImplicitlyMarshaledEntityUID `json:"entity,omitempty"`
+	Slot   *string                             `json:"slot,omitempty"`
 }
 
 // scopeJSON uses the implicit form of EntityUID JSON serialization to match the Rust SDK
@@ -27,6 +28,7 @@ type scopeJSON struct {
 	Entities   []types.ImplicitlyMarshaledEntityUID `json:"entities,omitempty"`
 	EntityType string                               `json:"entity_type,omitempty"`
 	In         *scopeInJSON                         `json:"in,omitempty"`
+	Slot       *string                              `json:"slot,omitempty"`
 }
 
 type conditionJSON struct {

internal/json/json_marshal.go

@@ -15,13 +15,27 @@ func (s *scopeJSON) FromNode(src ast.IsScopeNode) {
 		return
 	case ast.ScopeTypeEq:
 		s.Op = "=="
-		e := types.ImplicitlyMarshaledEntityUID(t.Entity)
-		s.Entity = &e
+		switch ent := t.Entity.(type) {
+		case types.EntityUID:
+			e := types.ImplicitlyMarshaledEntityUID(ent)
+			s.Entity = &e
+		case types.VariableSlot:
+			varName := ent.ID.String()
+			s.Slot = &varName
+		}
+
 		return
 	case ast.ScopeTypeIn:
 		s.Op = "in"
-		e := types.ImplicitlyMarshaledEntityUID(t.Entity)
-		s.Entity = &e
+		switch ent := t.Entity.(type) {
+		case types.EntityUID:
+			e := types.ImplicitlyMarshaledEntityUID(ent)
+			s.Entity = &e
+		case types.VariableSlot:
+			varName := ent.ID.String()
+			s.Slot = &varName
+		}
+
 		return
 	case ast.ScopeTypeInSet:
 		s.Op = "in"
@@ -38,9 +52,19 @@ func (s *scopeJSON) FromNode(src ast.IsScopeNode) {
 	case ast.ScopeTypeIsIn:
 		s.Op = "is"
 		s.EntityType = string(t.Type)
-		s.In = &scopeInJSON{
-			Entity: types.ImplicitlyMarshaledEntityUID(t.Entity),
+		in := &scopeInJSON{}
+
+		switch et := t.Entity.(type) {
+		case types.EntityUID:
+			uid := types.ImplicitlyMarshaledEntityUID(et)
+			in.Entity = &uid
+		case types.VariableSlot:
+			varName := et.ID.String()
+			in.Slot = &varName
 		}
+
+		s.In = in
+
 		return
 	default:
 		panic(fmt.Sprintf("unknown scope type %T", t))

internal/json/json_test.go

@@ -468,6 +468,54 @@ func TestUnmarshalJSON(t *testing.T) {
 			ast.Permit().When(ast.ExtensionCall("ip", ast.String("10.0.0.43")).IsInRange(ast.ExtensionCall("ip", ast.String("10.0.0.42/8")))),
 			testutil.OK,
 		},
+		{
+			"principal template variable",
+			`{"effect":"permit","principal":{"op":"==", "slot": "?principal"},"action":{"op":"All"},"resource":{"op":"All"}}`,
+			ast.Permit().PrincipalEq(types.VariableSlot{ID: types.PrincipalSlot}).AddSlot(types.PrincipalSlot),
+			testutil.OK,
+		},
+		{
+			"principal template variable with in operator",
+			`{"effect":"permit","principal":{"op":"in", "slot": "?principal"},"action":{"op":"All"},"resource":{"op":"All"}}`,
+			ast.Permit().PrincipalIn(types.VariableSlot{ID: types.PrincipalSlot}).AddSlot(types.PrincipalSlot),
+			testutil.OK,
+		},
+		{
+			"principal template variable with is in operator",
+			`{"effect":"permit","principal":{"op":"is", "entity_type": "User", "in": {"slot": "?principal"} },"action":{"op":"All"},"resource":{"op":"All"}}`,
+			ast.Permit().PrincipalIsIn("User", types.VariableSlot{ID: types.PrincipalSlot}).AddSlot(types.PrincipalSlot),
+			testutil.OK,
+		},
+		{
+			"resource template variable",
+			`{"effect":"permit","principal":{"op":"All"},"action":{"op":"All"},"resource":{"op":"==", "slot": "?resource"}}`,
+			ast.Permit().ResourceEq(types.VariableSlot{ID: types.ResourceSlot}).AddSlot(types.ResourceSlot),
+			testutil.OK,
+		},
+		{
+			"resource template variable with in operator",
+			`{"effect":"permit","principal":{"op":"All"},"action":{"op":"All"},"resource":{"op":"in", "slot": "?resource"}}`,
+			ast.Permit().ResourceIn(types.VariableSlot{ID: types.ResourceSlot}).AddSlot(types.ResourceSlot),
+			testutil.OK,
+		},
+		{
+			"resource template variable with is in operator",
+			`{"effect":"permit","principal":{"op":"All"},"action":{"op":"All"},"resource":{"op":"is", "entity_type": "Photo", "in": {"slot": "?resource"} }}`,
+			ast.Permit().ResourceIsIn("Photo", types.VariableSlot{ID: types.ResourceSlot}).AddSlot(types.ResourceSlot),
+			testutil.OK,
+		},
+		{
+			"fail if entity and slot present with equal operator",
+			`{"effect":"permit","principal":{"op":"==", "slot": "?principal", "entity": {"type": "User", "id": "12UA45"}},"action":{"op":"All"},"resource":{"op":"All"}}`,
+			nil,
+			testutil.Error,
+		},
+		{
+			"fail if entity and slot present with in operator",
+			`{"effect":"permit","principal":{"op":"All"},"action":{"op":"All"},"resource":{"op":"in", "slot": "?resource", "entity": {"type": "User", "id": "12UA45"}}}`,
+			nil,
+			testutil.Error,
+		},
 	}
 
 	for _, tt := range tests {

internal/json/json_unmarshal.go

@@ -15,28 +15,109 @@ import (
 type isPrincipalResourceScopeNode interface {
 	ast.IsPrincipalScopeNode
 	ast.IsResourceScopeNode
+	Slot() (types.SlotID, bool)
+}
+
+func slotID(id *string) (types.SlotID, error) {
+	sid := *id
+
+	switch sid {
+	case string(types.PrincipalSlot):
+		return types.PrincipalSlot, nil
+	case string(types.ResourceSlot):
+		return types.ResourceSlot, nil
+	default:
+		return "", fmt.Errorf("unknown slot ID: %v", sid)
+	}
+}
+
+func scopeEntityReference(s *scopeJSON) (types.EntityReference, error) {
+	var ref types.EntityReference
+
+	if s.Entity != nil && s.Slot != nil {
+		return nil, fmt.Errorf("both entity and slot are set")
+	}
+
+	if s.Entity == nil && s.Slot == nil {
+		return nil, fmt.Errorf("entity or slot should be set")
+	}
+
+	switch {
+	case s.Slot != nil:
+		id, err := slotID(s.Slot)
+		if err != nil {
+			return nil, err
+		}
+
+		ref = types.VariableSlot{ID: id}
+	case s.Entity != nil:
+		ref = types.EntityUID(*s.Entity)
+	default:
+		return nil, fmt.Errorf("missing entity and slot")
+	}
+
+	return ref, nil
+}
+
+func scopeInEntityReference(s *scopeInJSON) (types.EntityReference, error) {
+	var ref types.EntityReference
+
+	if s.Entity != nil && s.Slot != nil {
+		return nil, fmt.Errorf("both entity and slot are set")
+	}
+
+	if s.Entity == nil && s.Slot == nil {
+		return nil, fmt.Errorf("entity or slot should be set")
+	}
+
+	switch {
+	case s.Slot != nil:
+		id, err := slotID(s.Slot)
+		if err != nil {
+			return nil, err
+		}
+
+		ref = types.VariableSlot{ID: id}
+	case s.Entity != nil:
+		ref = types.EntityUID(*s.Entity)
+	default:
+		return nil, fmt.Errorf("missing entity and slot")
+	}
+
+	return ref, nil
 }
 
 func (s *scopeJSON) ToPrincipalResourceNode() (isPrincipalResourceScopeNode, error) {
 	switch s.Op {
 	case "All":
 		return ast.Scope{}.All(), nil
 	case "==":
-		if s.Entity == nil {
-			return nil, fmt.Errorf("missing entity")
+		ref, err := scopeEntityReference(s)
+		if err != nil {
+			return nil, err
 		}
-		return ast.Scope{}.Eq(types.EntityUID(*s.Entity)), nil
+
+		return ast.Scope{}.Eq(ref), nil
 	case "in":
-		if s.Entity == nil {
-			return nil, fmt.Errorf("missing entity")
+		ref, err := scopeEntityReference(s)
+		if err != nil {
+			return nil, err
 		}
-		return ast.Scope{}.In(types.EntityUID(*s.Entity)), nil
+
+		return ast.Scope{}.In(ref), nil
 	case "is":
 		if s.In == nil {
 			return ast.Scope{}.Is(types.EntityType(s.EntityType)), nil
 		}
-		return ast.Scope{}.IsIn(types.EntityType(s.EntityType), types.EntityUID(s.In.Entity)), nil
+
+		ref, err := scopeInEntityReference(s.In)
+		if err != nil {
+			return nil, err
+		}
+
+		return ast.Scope{}.IsIn(types.EntityType(s.EntityType), ref), nil
 	}
+
 	return nil, fmt.Errorf("unknown op: %v", s.Op)
 }
 
@@ -304,19 +385,40 @@ func (p *Policy) UnmarshalJSON(b []byte) error {
 	for k, v := range j.Annotations {
 		p.unwrap().Annotate(types.Ident(k), types.String(v))
 	}
-	var err error
-	p.Principal, err = j.Principal.ToPrincipalResourceNode()
+
+	principal, err := j.Principal.ToPrincipalResourceNode()
 	if err != nil {
 		return fmt.Errorf("error in principal: %w", err)
 	}
+
+	p.Principal = principal
+	if slot, found := principal.Slot(); found {
+		if slot != types.PrincipalSlot {
+			return fmt.Errorf("variable used in principal slot is not %s", types.PrincipalSlot)
+		}
+
+		p.unwrap().AddSlot(slot)
+	}
+
 	p.Action, err = j.Action.ToActionNode()
 	if err != nil {
 		return fmt.Errorf("error in action: %w", err)
 	}
-	p.Resource, err = j.Resource.ToPrincipalResourceNode()
+
+	resource, err := j.Resource.ToPrincipalResourceNode()
 	if err != nil {
 		return fmt.Errorf("error in resource: %w", err)
 	}
+
+	p.Resource = resource
+	if slot, found := resource.Slot(); found {
+		if slot != types.ResourceSlot {
+			return fmt.Errorf("variable used in resource slot is not %s", types.ResourceSlot)
+		}
+
+		p.unwrap().AddSlot(slot)
+	}
+
 	for _, c := range j.Conditions {
 		n, err := c.Body.ToNode()
 		if err != nil {

internal/json/policy_set.go

@@ -2,6 +2,9 @@ package json
 
 type PolicySet map[string]*Policy
 
+type TemplateSet map[string]*Policy
+
 type PolicySetJSON struct {
-	StaticPolicies PolicySet `json:"staticPolicies"`
+	StaticPolicies PolicySet   `json:"staticPolicies"`
+	Templates      TemplateSet `json:"templates"`
 }