Level validation Rust implementation (RFC 76) (#1146)

Signed-off-by: Andrew Wells <anmwells@amazon.com>

cedar-policy-validator/Cargo.toml

@@ -45,6 +45,7 @@ arbitrary = ["dep:arbitrary", "cedar-policy-core/arbitrary"]
 
 # Experimental features.
 partial-validate = []
+level-validate = []
 wasm = ["serde-wasm-bindgen", "tsify", "wasm-bindgen"]
 entity-manifest = []
 entity-tags = []

cedar-policy-validator/src/diagnostics.rs

@@ -172,6 +172,12 @@ pub enum ValidationError {
     #[diagnostic(transparent)]
     #[cfg_attr(not(feature = "entity-tags"), allow(dead_code))]
     InternalInvariantViolation(#[from] validation_errors::InternalInvariantViolation),
+    #[cfg(feature = "level-validate")]
+    /// If a entity dereference level was provided, the policies cannot deref
+    /// more than `level` hops away from PARX
+    #[error(transparent)]
+    #[diagnostic(transparent)]
+    EntityDerefLevelViolation(#[from] validation_errors::EntityDerefLevelViolation),
 }
 
 impl ValidationError {

cedar-policy-validator/src/diagnostics/validation_errors.rs

@@ -20,6 +20,7 @@ use miette::Diagnostic;
 use thiserror::Error;
 
 use std::fmt::Display;
+use std::ops::{Add, Neg};
 
 use cedar_policy_core::impl_diagnostic_from_source_loc_opt_field;
 use cedar_policy_core::parser::Loc;
@@ -448,6 +449,82 @@ impl Diagnostic for HierarchyNotRespected {
     }
 }
 
+#[derive(Debug, Clone, Hash, Eq, PartialEq, Error, Copy, Ord, PartialOrd)]
+/// Represents how many entity dereferences can be applied to a node.
+pub struct EntityDerefLevel {
+    /// A negative value `-n` represents `n` too many dereferences
+    pub level: i64,
+}
+
+impl Display for EntityDerefLevel {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::result::Result<(), std::fmt::Error> {
+        write!(f, "{}", self.level)
+    }
+}
+
+impl From<u32> for EntityDerefLevel {
+    fn from(value: u32) -> Self {
+        EntityDerefLevel {
+            level: value as i64,
+        }
+    }
+}
+
+impl Default for EntityDerefLevel {
+    fn default() -> Self {
+        Self { level: 0 }
+    }
+}
+
+impl Add for EntityDerefLevel {
+    type Output = Self;
+
+    fn add(self, rhs: Self) -> Self::Output {
+        EntityDerefLevel {
+            level: self.level + rhs.level,
+        }
+    }
+}
+
+impl Neg for EntityDerefLevel {
+    type Output = Self;
+
+    fn neg(self) -> Self::Output {
+        EntityDerefLevel { level: -self.level }
+    }
+}
+
+impl EntityDerefLevel {
+    /// Decrement the entity deref level
+    pub fn decrement(&self) -> Self {
+        EntityDerefLevel {
+            level: self.level - 1,
+        }
+    }
+}
+
+/// Structure containing details about entity dereference level violation
+#[derive(Debug, Clone, Hash, Eq, PartialEq, Error)]
+#[error("for policy `{policy_id}`, the maximum allowed level {allowed_level} is violated. Actual level is {}", (allowed_level.add(actual_level.neg())))]
+pub struct EntityDerefLevelViolation {
+    /// Source location
+    pub source_loc: Option<Loc>,
+    /// Policy ID where the error occurred
+    pub policy_id: PolicyID,
+    /// The maximum level allowed by the schema
+    pub allowed_level: EntityDerefLevel,
+    /// The actual level this policy uses
+    pub actual_level: EntityDerefLevel,
+}
+
+impl Diagnostic for EntityDerefLevelViolation {
+    impl_diagnostic_from_source_loc_opt_field!(source_loc);
+
+    fn help<'a>(&'a self) -> Option<Box<dyn Display + 'a>> {
+        Some(Box::new(format!("Consider increasing the level")))
+    }
+}
+
 /// The policy uses an empty set literal in a way that is forbidden
 #[derive(Debug, Clone, Hash, Eq, PartialEq, Error)]
 #[error("for policy `{policy_id}`, empty set literals are forbidden in policies")]

cedar-policy-validator/src/entity_manifest.rs

@@ -407,7 +407,7 @@ pub fn compute_entity_manifest(
                     // using static analysis
                     compute_root_trie(&typechecked_expr, policy.id())
                 }
-                PolicyCheck::Irrelevant(_) => {
+                PolicyCheck::Irrelevant(_, _) => {
                     // this policy is irrelevant, so we need no data
                     Ok(RootAccessTrie::new())
                 }