Entity Literal Substitution #1233
Conversation
|
There seem to be conflicts with main. |
Signed-off-by: Andrew Wells <anmwells@amazon.com>
Signed-off-by: Andrew Wells <anmwells@amazon.com>
andrewmwells-amazon
force-pushed
the
andrewmwells/entity_lit_sub
branch
2 times, most recently
from
7c39a22
to
2e8bd28
Compare
Signed-off-by: Andrew Wells <anmwells@amazon.com>
Signed-off-by: Andrew Wells <anmwells@amazon.com>
Signed-off-by: Andrew Wells <anmwells@amazon.com>
Signed-off-by: Andrew Wells <anmwells@amazon.com>
andrewmwells-amazon
force-pushed
the
andrewmwells/entity_lit_sub
branch
from
2e8bd28
to
19a21f9
Compare
Signed-off-by: Andrew Wells <anmwells@amazon.com>
| // PANIC SAFETY: This can't fail for a policy that was already constructed | ||
| #[allow(clippy::expect_used)] | ||
| let est = cloned_est | ||
| .sub_entity_literals(&mapping) | ||
| .expect("Internal error, failed to sub entity literals."); |
There was a problem hiding this comment.
help me understand why this expect is safe -- the panic-safety comment notes that the est must be valid; but what if the mapping isn't valid or something?
There was a problem hiding this comment.
I think this particular part will be panic-free because we're substituting EntityUIDs for EntityUIDs. I'm less confident about the construction of the AST.
My original thought was that this method can't ensure a policy that previously passed validation still passes after substitution, so the caller will be responsible for checking that policies are valid. I'm not sure that's the best idea. There are some errors that we could catch e.g., mapping Action::"view" -> User::"Alice". Maybe we should try to catch as many as possible and then the caller still needs to re-validate against their schema?
Another option would be to require that the mapping not change entity types.
There was a problem hiding this comment.
Added test based on this that would have caused the AST check below to panic. Now returning an error type again, but I'm not sure reusing the error type is ideal because I suspect there are only a few ways this substitution could fail (the only one I've found so far is the Action -> User one).
There was a problem hiding this comment.
If we wanted the mapping to not change entity types, it could be an Eid->Eid mapping instead of EntityUID->EntityUID. If this fits the need, this might be a better solution.
There was a problem hiding this comment.
Maybe that's the right call for now? It would work well for the internal use case, but I'm hesitant because I think using the same type for human-readable and UUIDs is an anti-pattern. It requires adding constraints like disallowing some prefix from the human-readable Eid and requiring it for the UUIDs.
Signed-off-by: Andrew Wells <anmwells@amazon.com>
Signed-off-by: Andrew Wells <anmwells@amazon.com>
Description of changes
API for Entity literal substitution.
Issue #, if available
#1120
Checklist for requesting a review
The change in this PR is (choose one, and delete the other options):
cedar-policy(e.g., addition of a new API).I confirm that this PR (choose one, and delete the other options):
I confirm that
cedar-spec(choose one, and delete the other options):I confirm that
docs.cedarpolicy.com(choose one, and delete the other options):