Add Entity Manifests to Cedar (#1102)

Signed-off-by: oflatt <[email protected]>
Co-authored-by: Craig Disselkoen <[email protected]>
Co-authored-by: Kesha Hietala <[email protected]>

Author: 3 people

cedar-policy-core/src/ast/expr.rs

@@ -180,6 +180,30 @@ impl From<PartialValue> for Expr {
     }
 }
 
+impl<T> ExprKind<T> {
+    /// Describe this operator for error messages.
+    pub fn operator_description(self: &ExprKind<T>) -> String {
+        match self {
+            ExprKind::Lit(_) => "literal".to_string(),
+            ExprKind::Var(_) => "variable".to_string(),
+            ExprKind::Slot(_) => "slot".to_string(),
+            ExprKind::Unknown(_) => "unknown".to_string(),
+            ExprKind::If { .. } => "if".to_string(),
+            ExprKind::And { .. } => "&&".to_string(),
+            ExprKind::Or { .. } => "||".to_string(),
+            ExprKind::UnaryApp { op, .. } => op.to_string(),
+            ExprKind::BinaryApp { op, .. } => op.to_string(),
+            ExprKind::ExtensionFunctionApp { fn_name, .. } => fn_name.to_string(),
+            ExprKind::GetAttr { .. } => "get attribute".to_string(),
+            ExprKind::HasAttr { .. } => "has attribute".to_string(),
+            ExprKind::Like { .. } => "like".to_string(),
+            ExprKind::Is { .. } => "is".to_string(),
+            ExprKind::Set(_) => "set".to_string(),
+            ExprKind::Record(_) => "record".to_string(),
+        }
+    }
+}
+
 impl<T> Expr<T> {
     fn new(expr_kind: ExprKind<T>, source_loc: Option<Loc>, data: T) -> Self {
         Self {

cedar-policy-core/src/ast/request.rs

@@ -21,15 +21,15 @@ use crate::evaluator::{EvaluationError, RestrictedEvaluator};
 use crate::extensions::Extensions;
 use crate::parser::Loc;
 use miette::Diagnostic;
-use serde::Serialize;
+use serde::{Deserialize, Serialize};
 use smol_str::SmolStr;
 use std::collections::{BTreeMap, HashMap};
 use std::sync::Arc;
 use thiserror::Error;
 
 use super::{
-    BorrowedRestrictedExpr, EntityUID, Expr, ExprKind, ExpressionConstructionError, PartialValue,
-    RestrictedExpr, Unknown, Value, ValueKind, Var,
+    BorrowedRestrictedExpr, EntityType, EntityUID, Expr, ExprKind, ExpressionConstructionError,
+    PartialValue, RestrictedExpr, Unknown, Value, ValueKind, Var,
 };
 
 /// Represents the request tuple <P, A, R, C> (see the Cedar design doc).
@@ -49,6 +49,18 @@ pub struct Request {
     pub(crate) context: Option<Context>,
 }
 
+/// Represents the principal type, resource type, and action UID.
+#[derive(Debug, Clone, PartialEq, Eq, Hash, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct RequestType {
+    /// Principal type
+    pub principal: EntityType,
+    /// Action type
+    pub action: EntityUID,
+    /// Resource type
+    pub resource: EntityType,
+}
+
 /// An entry in a request for a Entity UID.
 /// It may either be a concrete EUID
 /// or an unknown in the case of partial evaluation
@@ -186,6 +198,19 @@ impl Request {
     pub fn context(&self) -> Option<&Context> {
         self.context.as_ref()
     }
+
+    /// Get the request types that correspond to this request.
+    /// This includes the types of the principal, action, and resource.
+    /// [`RequestType`] is used by the entity manifest.
+    /// The context type is implied by the action's type.
+    /// Returns `None` if the request is not fully concrete.
+    pub fn to_request_type(&self) -> Option<RequestType> {
+        Some(RequestType {
+            principal: self.principal().uid()?.entity_type().clone(),
+            action: self.action().uid()?.clone(),
+            resource: self.resource().uid()?.entity_type().clone(),
+        })
+    }
 }
 
 impl std::fmt::Display for Request {

cedar-policy-validator/Cargo.toml

@@ -47,6 +47,7 @@ arbitrary = ["dep:arbitrary", "cedar-policy-core/arbitrary"]
 # Experimental features.
 partial-validate = []
 wasm = ["serde-wasm-bindgen", "tsify", "wasm-bindgen"]
+entity-manifest = []
 
 [dev-dependencies]
 similar-asserts = "1.5.0"