cedar-policy / cedar-go

cedar-go allows arbitrary entity id in Action, but aws rust implementation only supports namespace 'Action' #11

Open erichoffmanstrongdm opened 2 months ago

philhassey commented 2 months ago

Can you go into a bit more detail on this?

How is Something::Action::"example" rejected by Rust?

Is Action::Something::"example" also rejected by Rust?

erichoffmanstrongdm commented 2 months ago

Oh, this is actually all over. There are validators that ensure, for example, that any member of []parents of an action entity is also an action.

But line 721 (action_constraint_contains_only_action_types) in cedar-policy-core/src/parser/cst_to_ast.rs is a pretty big gate.

https://github.com/cedar-policy/cedar/blob/main/cedar-policy-core/src/parser/cst_to_ast.rs#L717

philhassey commented 2 months ago

Can you make that a link, thanks!

erichoffmanstrongdm commented 2 months ago

I have validated that Cedar is perfectly happy to operate on any namespace prefix (including unknown), but requires that Action be the last element in the namespace. This kind of contradicts the notion that namespaces are just unstructured strings that accidentally have colons in them.
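
The rule described in the comment above (any namespace prefix is accepted, but `Action` must be the last element of the type path), as an added Go example that is not part of the thread and is not code from cedar-go or the Rust implementation. `ActionTypePath` is a hypothetical helper and the inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// identRe matches one path element of an entity type (assumed identifier syntax).
var identRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// ActionTypePath (hypothetical helper) splits the type part of an entity UID
// such as Something::Action::"example" into path elements and reports whether
// the last element is "Action". Only the text before the first quote is
// treated as the type, so "::" or "Action" inside the id cannot change the
// result. Escape sequences inside the id are not validated.
func ActionTypePath(uid string) (path []string, isAction bool, err error) {
	q := strings.IndexByte(uid, '"')
	if q < 0 || !strings.HasSuffix(uid[:q], "::") {
		return nil, false, errors.New(`expected Type::"id"`)
	}
	if len(uid) < q+2 || uid[len(uid)-1] != '"' {
		return nil, false, errors.New("unterminated id string")
	}
	path = strings.Split(strings.TrimSuffix(uid[:q], "::"), "::")
	for _, elem := range path {
		if !identRe.MatchString(elem) {
			return nil, false, fmt.Errorf("invalid path element %q", elem)
		}
	}
	return path, path[len(path)-1] == "Action", nil
}

func main() {
	// Constructed inputs, including the two forms asked about in the thread.
	for _, uid := range []string{
		`Action::"example"`,
		`Something::Action::"example"`,
		`Action::Something::"example"`,
		`Something::Action::"Action::x"`,
		`Something::"Action::x"`,
	} {
		path, ok, err := ActionTypePath(uid)
		fmt.Printf("%-32s path=%v action=%v err=%v\n", uid, path, ok, err)
	}
}
```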