cedar-policy / cedar-go

Apache License 2.0

Convert a policy to JSON representation #13

Open suchiksagar opened 2 months ago

suchiksagar commented 2 months ago

How can I convert the policy to a JSON representation and vice versa? I'm looking to dynamically author a policy and came across this documentation, but I couldn't achieve this through cedar-go. Can someone help me, please?

See this snippet from cedar docs:

Example A “standard” Cedar policy looks like the following:

permit (
    principal == User::"12UA45",
    action == Action::"view",
    resource in Folder::"abc"
) when {
    context.tls_version == "1.3"
};

When you retrieve the JSON representation of this policy, it looks like the following:

{
    "effect": "permit",
    "principal": {
        "op": "==",
        "entity": { "type": "User", "id": "12UA45" }
    },
    "action": {
        "op": "==",
        "entity": { "type": "Action", "id": "view" }
    },
    "resource": {
        "op": "in",
        "entity": { "type": "Folder", "id": "abc" }
    },
    "conditions": [
        {
            "kind": "when",
            "body": {
                "==": {
                    "left": {
                        ".": {
                            "left": {
                                "Var": "context"
                            },
                            "attr": "tls_version"
                        }
                    },
                    "right": {
                        "Literal": "1.3"
                    }
                }
            }
        }
    ]
}

They talk about two functions to convert a policy to/from JSON, which I couldn't figure out in the Go implementation:

You can use the Cedar Policy::to_json() method to convert the specified policy into a JSON document.

You can also use the Policy::from_json() method to convert a JSON document into a new Cedar policy. This gives you another option for programmatically constructing or parsing your policies.

philhassey commented 2 months ago

Hi, thanks for opening this issue. We do have this on our roadmap, but don't have a timeline set.

Cheers -Phil

caiorcferreira commented 1 month ago

This would be an excellent enhancement. I have been exploring this feature to establish basic constraints on policies using tools such as conftest, aiming to prevent users from creating policies that permit everything, for example:

permit(
  principal,
  action,
  resource
)

Is there anything I can do to assist in implementing this feature?
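
The check described in the comment above, as an added example that is not part of the thread or of cedar-go: it reads the Cedar JSON policy format quoted at the top of this issue using only `encoding/json` and flags a `permit` whose principal, action and resource are all unconstrained. It assumes an unconstrained scope clause is serialized as `"op": "All"`; `PermitsEverything` and both sample documents are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// scope mirrors one principal/action/resource clause of the JSON policy format.
type scope struct {
	Op string `json:"op"`
}

// policy holds only the fields this lint needs; condition bodies stay raw.
type policy struct {
	Effect     string            `json:"effect"`
	Principal  scope             `json:"principal"`
	Action     scope             `json:"action"`
	Resource   scope             `json:"resource"`
	Conditions []json.RawMessage `json:"conditions"`
}

// PermitsEverything reports whether doc is a permit policy whose three scope
// clauses are all unconstrained (assumed "op": "All") and which carries no
// when/unless condition, i.e. the JSON form of permit(principal, action, resource).
func PermitsEverything(doc []byte) (bool, error) {
	var p policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return false, fmt.Errorf("parse policy JSON: %w", err)
	}
	for _, s := range []scope{p.Principal, p.Action, p.Resource} {
		if s.Op == "" { // reject documents that are not a complete policy
			return false, fmt.Errorf("scope clause without an op")
		}
	}
	open := p.Principal.Op == "All" && p.Action.Op == "All" && p.Resource.Op == "All"
	return p.Effect == "permit" && open && len(p.Conditions) == 0, nil
}

// Constructed samples: the permit-everything policy and the scoped policy from the issue.
const openPolicy = `{"effect":"permit","principal":{"op":"All"},"action":{"op":"All"},"resource":{"op":"All"},"conditions":[]}`
const scopedPolicy = `{"effect":"permit","principal":{"op":"==","entity":{"type":"User","id":"12UA45"}},"action":{"op":"==","entity":{"type":"Action","id":"view"}},"resource":{"op":"in","entity":{"type":"Folder","id":"abc"}},"conditions":[{"kind":"when","body":{"==":{"left":{".":{"left":{"Var":"context"},"attr":"tls_version"}},"right":{"Literal":"1.3"}}}}]}`

func main() {
	for name, doc := range map[string]string{"open": openPolicy, "scoped": scopedPolicy} {
		bad, err := PermitsEverything([]byte(doc))
		fmt.Println(name, bad, err)
	}
}
```

Any `when`/`unless` clause counts as a constraint here, so a condition that is always true still passes this lint; catching that case requires inspecting the condition body.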

suchiksagar commented 1 month ago

> This would be an excellent enhancement. I have been exploring this feature to establish basic constraints on policies using tools such as conftest, aiming to prevent users from creating policies that permit everything, for example:
>
>     permit(
>       principal,
>       action,
>       resource
>     )
>
> Is there anything I can do to assist in implementing this feature?

@caiorcferreira - I had a similar thought, perhaps we can collaborate or at least give some use cases. I'll try to upload my repo soon to see if it helps. @philhassey - You mind sharing the roadmap please? Been comparing policy libraries and this will help. Thanks!

philhassey commented 1 month ago

The approximate roadmap is:

  1. Add in JSON support
  2. Add in JSON Schema support
  3. Add in partial evaluation
  4. Add in human readable Schema support

If you have ideas as to a Go idiomatic shape for the Go version of the AST (for programmatic building), please share those ideas, as that'll help us figure out what shape we want to use.

I don't have an approximate timeline yet.

suchiksagar commented 1 month ago

> The approximate roadmap is:
>
>   1. Add in JSON support
>   2. Add in JSON Schema support
>   3. Add in partial evaluation
>   4. Add in human readable Schema support
>
> If you have ideas as to a Go idiomatic shape for the Go version of the AST (for programmatic building), please share those ideas, as that'll help us figure out what shape we want to use.
>
> I don't have an approximate timeline yet.

Hi @philhassey,

Regarding 1, I raised a PR to add the feature of 'Convert a JSON-Policy to a cedar Text-Policy' ==> https://github.com/cedar-policy/cedar-go/pull/15 I'll add @philhassey & @caiorcferreira as reviewers, anybody else you suggest?

Thanks!

grsubramanian commented 1 month ago

We are considering using Cedar, and this seems like critical functionality to enable its usage.

Looking forward to this feature. Hopefully, it lands soon.

philhassey commented 1 week ago

We may skip over the current JSON representation and go right to the next version that is being rolled out:

https://github.com/cedar-policy/cedar-docs/pull/109