Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Partial schema validation #79

Merged
merged 7 commits into from
Nov 27, 2023
Merged

Partial schema validation #79

merged 7 commits into from
Nov 27, 2023

Conversation

john-h-kastner-aws
Copy link
Contributor

@john-h-kastner-aws john-h-kastner-aws commented May 25, 2023
edited
Loading

Experimental implementation of partial schema validation as described in cedar-policy/rfcs#8.

The experimental implementation does not include the additionalMemberOfTypes and additionalMemberOf fields discussed in the RFC. I'm not convinced these are neccecary for the feature as a whole to be useful, and they require additional changes inside existing validation code.

I'm marking this ready for review as an experimental feature, so reviewers do not need to review the semantics of partial schema validation. They should be sure to review:

  1. Changes which ensure partial schema validation is in fact experimental, i.e., it's properly placed behind the partial-schema feature.
  2. That the code changes are should not effect the behavior of the strict validator.

@mwhicks1
Copy link
Contributor

Some comments on the writeup:

RequestEnv is now an enumeration which of either the request context as it was previously defined, or RequestEnv::Unknown.

This is a single catchall for handling missing actions, and also missing principals/resources associated with a particular action. Would it be worthwhile to include a specific action in the cross-product, but associated with an unknown principal or resource, in case the listed principalTypes or resourceTypes are incomplete?

An undeclared entity type has an open attributes record, but a declared entity type without an explicitly defined attributes record has a closed attributes record by default. This is a bit weird.

Why is it weird? Seems natural to me: The fact that you are explicitly declaring the entity in your schema, with an empty record, means you are taking a stand on it. If you want it to be open, you have to declare it as open, in the schema.

Same comment about not including a memberOfTypes element -- what you have seems right to me.

mwhicks1
mwhicks1 reviewed May 26, 2023
View reviewed changes
Copy link
Contributor

@mwhicks1 mwhicks1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't review all the testing code, just to get this posted sooner. Will do that on the next review.

john-h-kastner-aws
john-h-kastner-aws commented May 30, 2023
View reviewed changes
Copy link
Contributor Author

@john-h-kastner-aws john-h-kastner-aws left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm making some tweaks to in, so I'll look at the comments there once I'm done with that

mwhicks1
mwhicks1 reviewed May 31, 2023
View reviewed changes
@john-h-kastner-aws john-h-kastner-aws marked this pull request as draft May 31, 2023 16:55
@john-h-kastner-aws john-h-kastner-aws force-pushed the feature/jkastner/partial-schema-validation branch from f630d43 to 369b7c8 Compare June 5, 2023 21:39
@john-h-kastner-aws john-h-kastner-aws force-pushed the feature/jkastner/partial-schema-validation branch 2 times, most recently from 72677fd to 045d0d9 Compare June 13, 2023 14:25
@john-h-kastner-aws john-h-kastner-aws linked an issue Jun 14, 2023 that may be closed by this pull request
Policy validation with partial schema #99
Closed
2 tasks
@john-h-kastner-aws john-h-kastner-aws force-pushed the feature/jkastner/partial-schema-validation branch from 045d0d9 to 97b40ad Compare June 29, 2023 21:27
@john-h-kastner-aws john-h-kastner-aws force-pushed the feature/jkastner/partial-schema-validation branch from b474390 to eb07e44 Compare July 12, 2023 16:08
@john-h-kastner-aws john-h-kastner-aws force-pushed the feature/jkastner/partial-schema-validation branch 7 times, most recently from 2e4f436 to c014e42 Compare November 20, 2023 16:07
@john-h-kastner-aws john-h-kastner-aws force-pushed the feature/jkastner/partial-schema-validation branch from c014e42 to f995527 Compare November 20, 2023 20:00
@john-h-kastner-aws john-h-kastner-aws marked this pull request as ready for review November 20, 2023 22:05
khieta
khieta approved these changes Nov 22, 2023
View reviewed changes
Copy link
Contributor

@khieta khieta left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High-level comment: it would be helpful for review to split this PR into two: one for incidental refactoring and one for changes that need to be behind the partial validation flag.

But overall looks fine, so approving as-is.

cedar-policy-validator/src/rbac.rs
Comment on lines +1829 to +1830
#[test]
fn undeclared_entity_type_partial_schema() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add tests for templates/linked policies too.

cedar-policy-validator/src/schema/action.rs
Comment on lines +31 to +32
/// The type of the context record associated with this action.
pub(crate) context: Type,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also might make sense to move this change to a separate PR.

@john-h-kastner-aws @khieta
Update cedar-policy-core/src/entities/json/schema_types.rs
673f4b1 
Co-authored-by: Kesha Hietala <khieta@amazon.com>
@john-h-kastner-aws john-h-kastner-aws merged commit a9d2ed5 into main Nov 27, 2023
@john-h-kastner-aws john-h-kastner-aws deleted the feature/jkastner/partial-schema-validation branch November 28, 2023 15:11
This was referenced Nov 28, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mwhicks1 mwhicks1 mwhicks1 left review comments

@khieta khieta khieta approved these changes

@shaobo-he-aws shaobo-he-aws shaobo-he-aws approved these changes

Assignees

@john-h-kastner-aws john-h-kastner-aws

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Policy validation with partial schema
5 participants
@john-h-kastner-aws @mwhicks1 @khieta @shaobo-he-aws @anwarmamat