Conversation
| }) | ||
| } | ||
|
|
||
| fn load_actions_from_schema(entities: Entities, schema: &Option<Schema>) -> Result<Entities> { |
There was a problem hiding this comment.
Removing this function has it will be incorporated into the main cedar library, and we want a very specific error semantics for it
There was a problem hiding this comment.
but I think it's the same change, so we should be able to accept both in either order
| #[should_panic( | ||
| expected = "error occurred while evaluating policy `policy0`: entity `Action::\\\"view\\\"` does not exist" | ||
| )] | ||
| #[should_panic(expected = "Action::\\\"view\\\"` does not have the attribute `readOnly`")] |
There was a problem hiding this comment.
Actually having the entity specifies changes the error message.
There was a problem hiding this comment.
Not surprising. We'll want to make sure yours wins.
There was a problem hiding this comment.
but I think it's the same change, so we should be able to accept both in either order
| EntityJsonParser::new(None, Extensions::all_available(), TCComputation::ComputeNow); | ||
| let e = eparser.from_json_value(json).err().unwrap(); | ||
| let bad_euid: EntityUID = r#"User::"alice""#.parse().unwrap(); | ||
| match e { |
There was a problem hiding this comment.
You can do something nice like
assert_matches(e, Err(EntitiesError::Duplicate(euid)) => {
assert_eq!(bad_euid, euid, r#"Returned euid should be User::"alice""#);
});
for this sort of assertion
|
|
||
| let context = Context::from_json_value(self.context, schema.as_ref().map(|s| (s, &action))) | ||
| let context = serde_json::to_value(self.context) | ||
| .map_err(|e| [format!("Error encoding the context as JSON: {e}")])?; |
There was a problem hiding this comment.
This change should be made to the Context constructor.
There was a problem hiding this comment.
Has to happen here as well, once we deserialize to json the duplicates will already be lost.
There was a problem hiding this comment.
are we serializing here or deserializing here?
There was a problem hiding this comment.
De-serialized to a map so that we can use an annotation to fail on duplicates. Before we pass back to Context constructor we have to serialize back to a json-value. If we want to forbid duplicates in the context contructor itself, than this api can't just take a json value.
cedar-policy/CHANGELOG.md
Outdated
| - The `Response::new()` constructor now expects a `Vec<AuthorizationError>` as its third argument. | ||
| - Implements RFC #19, making validation slightly more strict, but more explainable. | ||
| - Improved formatting for error messages. | ||
| - Standardized on duplicates being errors instead of last-write-wins for parsers. |
There was a problem hiding this comment.
I think we should be slightly more specific -- maybe list the affected APIs?
|
|
||
| let context = Context::from_json_value(self.context, schema.as_ref().map(|s| (s, &action))) | ||
| let context = serde_json::to_value(self.context) | ||
| .map_err(|e| [format!("Error encoding the context as JSON: {e}")])?; |
There was a problem hiding this comment.
are we serializing here or deserializing here?
|
|
aaronjeline
force-pushed
the
bugfix/aaronjeline/358
branch
from
72a9843 to
f3c3457
Compare
Signed-off-by: Craig Disselkoen <cdiss@amazon.com>
5 participants
Description of changes
Moves our parsers to reject duplicate keys, instead of having last-write-wins semantics.
Adds a new dependency on
serde-withIssue #, if available
#358 and #352
Checklist for requesting a review
The change in this PR is (choose one, and delete the other options):
cedar-policy(e.g., changes to the signature of an existing API).I confirm that this PR (choose one, and delete the other options):
I confirm that
cedar-spec(choose one, and delete the other options):Disclaimer
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.