Issue #52, New cedar-go parser and deprecated older parser.

Signed-off-by: Phil Hunt <phil.hunt@independentid.com>
hexa-org · Sep 26, 2024 · 410201c · 410201c
1 parent c2d1837
commit 410201c
Show file tree

Hide file tree

Showing 19 changed files with 1,652 additions and 1,273 deletions.
diff --git a/cmd/hexa/commands.go b/cmd/hexa/commands.go
@@ -16,7 +16,7 @@ import (
 
     "github.com/alecthomas/kong"
     "github.com/hexa-org/policy-mapper/api/policyprovider"
-    "github.com/hexa-org/policy-mapper/models/formats/awsCedar"
+    "github.com/hexa-org/policy-mapper/models/formats/cedar"
     "github.com/hexa-org/policy-mapper/models/formats/gcpBind"
     "github.com/hexa-org/policy-mapper/pkg/hexapolicy"
     "github.com/hexa-org/policy-mapper/pkg/hexapolicysupport"
@@ -756,18 +756,15 @@ func (m *MapToCmd) Run(cli *CLI) error {
         _ = MarshalJsonNoEscape(bindings, outWriter.GetOutput())
         outWriter.Close()
     case "cedar":
-        cMapper := awsCedar.New(map[string]string{})
+        cMapper := cedar.NewCedarMapper(map[string]string{})
 
-        cedar, err := cMapper.MapPoliciesToCedar(policies)
+        cedarPoliciesString, err := cMapper.MapHexaPolicies(m.File, policies)
         if err != nil {
             return err
         }
 
-        for _, v := range cedar.Policies {
-            policy := v.String()
-            fmt.Println(policy)
-            cli.GetOutputWriter().WriteString(policy, false)
-        }
+        fmt.Println(cedarPoliciesString)
+        cli.GetOutputWriter().WriteString(cedarPoliciesString, false)
         cli.GetOutputWriter().Close()
     }
     return nil
@@ -802,9 +799,12 @@ func (m *MapFromCmd) Run(cli *CLI) error {
         }
 
     case "cedar":
-        cMapper := awsCedar.New(map[string]string{})
-
-        pols, err := cMapper.ParseFile(m.File)
+        cMapper := cedar.NewCedarMapper(map[string]string{})
+        policyBytes, err := os.ReadFile(m.File)
+        if err != nil {
+            return err
+        }
+        pols, err := cMapper.MapCedarPolicyBytes(m.File, policyBytes)
         if err != nil {
             return err
         }

diff --git a/cmd/hexa/hexa_test.go b/cmd/hexa/hexa_test.go
@@ -487,7 +487,8 @@ func (suite *testSuite) Test08_MapFromCmd() {
     command = "map from cedar ../../examples/policyExamples/cedarAlice.txt"
     res, err = suite.executeCommand(command, 0)
     assert.NoError(suite.T(), err, "Should be successful map of cedar")
-    assert.Contains(suite.T(), string(res), "cedar:Photo:")
+    assert.Contains(suite.T(), string(res), "Photo::VacationPhoto94.jpg")
+    assert.Contains(suite.T(), string(res), "\"Rule\": \"resource in Account::\\\"stacey\\\"\"")
 
     command = "map from gcp ../../examples/policyExamples/example_bindings.json"
     res, err = suite.executeCommand(command, 0)

diff --git a/cmd/hexa/main.go b/cmd/hexa/main.go
@@ -17,7 +17,7 @@ import (
     "github.com/hexa-org/policy-mapper/sdk"
 )
 
-const Version string = "0.7.1"
+const Version string = "0.7.2"
 
 type ParserData struct {
     parser *kong.Kong

diff --git a/examples/opa-server/bundleServer/bundles/bundle/hexaPolicy.rego b/examples/opa-server/bundleServer/bundles/bundle/hexaPolicy.rego
@@ -1,11 +1,11 @@
 package hexaPolicy
 
-# Rego Hexa Policy Interpreter v0.7.0
+# Rego Hexa Policy Interpreter v0.7.1
 import rego.v1
 
 import data.bundle.policies
 
-hexa_rego_version := "0.7.0"
+hexa_rego_version := "0.7.1"
 
 policies_evaluated := count(policies)
 
@@ -60,6 +60,22 @@ allow_set contains policy_id if {
 	condition_match(policy, input)
 }
 
+# Returns the list of matching policy names based on current request with no actions
+allow_set contains policy_id if {
+	some policy in policies
+
+	# return id of the policy
+	policy_id := sprintf("%s", [policy.meta.policyId])
+
+	subject_match(policy.subjects, input.subject, input.req)
+
+	not policy.actions
+
+	is_object_match(policy.object, input.req)
+
+	condition_match(policy, input)
+}
+
 scopes contains scope if {
 	some policy in policies
 	policy.meta.policyId in allow_set
@@ -79,6 +95,15 @@ action_rights contains name if {
 	name := sprintf("%s:%s", [policy.meta.policyId, action])
 }
 
+# Returns the list of possible actions where actions is empty
+action_rights contains name if {
+	some policy in policies
+	policy.meta.policyId in allow_set
+
+	count(policy.actions) == 0
+	name := sprintf("%s:*", [policy.meta.policyId])
+}
+
 # Returns whether the current operation is allowed
 allow if {
 	count(allow_set) > 0
@@ -136,7 +161,7 @@ subject_member_match(member, _, req) if {
 
 actions_match(actions, _) if {
 	# no actions is a match
-	not actions
+	count(actions) == 0
 }
 
 actions_match(actions, req) if {
@@ -236,4 +261,6 @@ condition_match(policy, inreq) if {
 }
 
 # Evaluate whether the condition is set to allow
-action_allow(val) if lower(val) == "allow"
+action_allow(val) if {
+    lower(val) == "allow"
+}