cedar-policy / cedar-go

Apache License 2.0

Policy eval Attribute is Private #3

Open tpaulus opened 6 months ago

tpaulus commented 6 months ago

In order to enforce constraint policies, a policy needs to be "inverted" from a Permit When, to a Forbid Unless. This is currently not possible with the policy AST in cedar-go, as the policy evaluation condition in cedar.Policy is private. This also cannot be done at Parse time, as the evaler of a Policy cannot be instantiated outside of the cedar module.

Ideally, the conditions (when or unless) are exposed as attributes of a cedar.Policy to enable simple policy mutations without needing to resort to string processing, which can be problematic.
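One reason keyword-level rewriting is fragile, as an added example (not code from cedar-go or from this thread): a Cedar policy may carry several `when`/`unless` clauses that must all hold, so swapping the keywords clause by clause does not yield the complement of the original condition. The `Clause` model and the `Satisfied`, `NaiveInvert` and `Gaps` helpers are hypothetical, and the example assumes "inverting" means forbidding every request the original permit would not match.

```go
package main

import "fmt"

// Clause models one condition clause; Cond is its body's value for a request
// (a modelling shortcut: real bodies are Cedar expressions).
type Clause struct {
	Unless bool // false: when { ... }, true: unless { ... }
	Cond   bool
}

// Satisfied: every when body is true and every unless body is false.
func Satisfied(cs []Clause) bool {
	for _, c := range cs {
		if c.Cond == c.Unless {
			return false
		}
	}
	return true
}

// NaiveInvert swaps when<->unless clause by clause, as a keyword rewrite does.
func NaiveInvert(cs []Clause) []Clause {
	out := make([]Clause, len(cs))
	for i, c := range cs {
		out[i] = Clause{Unless: !c.Unless, Cond: c.Cond}
	}
	return out
}

// Gaps counts truth assignments where the original permit is not satisfied
// yet the naively inverted forbid does not fire either.
func Gaps(unless []bool) int {
	gaps := 0
	for mask := 0; mask < 1<<len(unless); mask++ {
		cs := make([]Clause, len(unless))
		for i, u := range unless {
			cs[i] = Clause{Unless: u, Cond: mask&(1<<i) != 0}
		}
		if !Satisfied(cs) && !Satisfied(NaiveInvert(cs)) {
			gaps++
		}
	}
	return gaps
}

func main() {
	fmt.Println(Gaps([]bool{false}), Gaps([]bool{false, false}), Gaps([]bool{false, true}))
}
```

With a single `when` clause the swap is exact; with two clauses, two of the four truth assignments fall outside the original condition without triggering the rewritten forbid.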

philhassey commented 6 months ago

Right now the shape of our AST is not stable yet (which is why it is living inside the x/exp/parser parser package.)

Once we have a stabilized AST shape (likely when we work on supporting partial evaluation), we'll be able to expose the ability to change an AST and recompile it.

We'll leave this issue open and update it once we know more about the timeline for partial evaluation and a stable AST.