Open independentid opened 2 months ago
I ended up copying the file json.go and changing json.policyJSON to json.PolicyJSON. After that, I was able to do a json.Unmarshal to parse the JSON and then walk through the structs using the Cedar JSON Format docs.
This is working fairly well including for parsing the condition expressions.
My thought is that moving internal/json/json.go to the top level is all that is needed for those that want to walk a tree-like structure. json_marshall.go and json_unmarshall.go don't actually need to be exposed because all they do is translate to/from cedar.Policy, which at present does not expose sub-objects.
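The approach described in the comment above (unmarshal the Cedar JSON policy format, then walk the condition tree), as an added example that is not part of the original thread and is not cedar-go code. It uses only `encoding/json`; `Render`, `Conditions` and `samplePolicy` are hypothetical names, the infix output is an arbitrary choice, and only `Var`, `Value`, `.`, `has` and binary `left`/`right` operators are handled, with every other node returned as an error.

```go
package main
import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample in the Cedar JSON policy format (not taken from the issue).
const samplePolicy = `{"effect":"permit","principal":{"op":"All"},"action":{"op":"All"},"resource":{"op":"All"},
 "conditions":[{"kind":"when","body":{"&&":{"left":{"==":{"left":{".":{"left":{"Var":"resource"},"attr":"tier"}},
  "right":{"Value":"gold"}}},"right":{"has":{"left":{"Var":"context"},"attr":"mfa"}}}}}]}`

// Render walks one expression node (an object with a single operator key) into an infix string.
func Render(raw json.RawMessage) (string, error) {
	var node map[string]json.RawMessage
	_ = json.Unmarshal(raw, &node) // anything but a JSON object leaves node empty
	for op, body := range node {
		var f struct{ Left, Right json.RawMessage; Attr string }
		_ = json.Unmarshal(body, &f) // leaf bodies (string, literal) leave f empty
		switch {
		case len(node) != 1: // malformed node: fall out to the error below
		case op == "Value":
			return string(body), nil // keep the JSON literal, quotes included
		case op == "Var":
			return strings.Trim(string(body), `"`), nil
		case f.Left != nil && f.Attr != "": // "." (attribute access) and "has"
			l, err := Render(f.Left)
			return l + strings.Replace(" "+op+" ", " . ", ".", 1) + f.Attr, err
		case f.Left != nil && f.Right != nil: // binary operators: ==, &&, in, ...
			l, errL := Render(f.Left)
			r, errR := Render(f.Right)
			return "(" + l + " " + op + " " + r + ")", errors.Join(errL, errR)
		}
	}
	return "", fmt.Errorf("unsupported expression: %s", raw)
}

// Conditions renders every when/unless clause of a policy given in the JSON format.
func Conditions(policy string) (out []string, err error) {
	var p struct{ Conditions []struct{ Kind string; Body json.RawMessage } }
	err = json.Unmarshal([]byte(policy), &p)
	for _, c := range p.Conditions {
		s, e := Render(c.Body)
		out, err = append(out, c.Kind+" "+s), errors.Join(err, e)
	}
	return out, err
}

func main() { fmt.Println(Conditions(samplePolicy)) }
```

Rejecting unknown operators instead of skipping them matters when the walker feeds a validator or a translator: a silently dropped clause would change what the policy permits.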
Thanks for filing this issue, @independentid.
We do intend at some point to have a public interface for walking the AST. We wanted to wait until we'd gotten the internal AST into a shape that we felt was maintainable going forward and then release it publicly.
As far as validation goes, we are also planning to add first-class support for that in a similar manner as the Rust SDK.
I'll leave this issue open to track the work of making the AST publicly walkable.
In Cedar 0.1.0 there was a way, albeit through some code marked experimental, to access the parsed Cedar AST structure. This was useful when evaluating whether a policy is valid and what is wrong. It is also useful in translating from other formats (e.g. Hexa IDQL).
The main thing is to gain access to each parser's syntactical tree structure, e.g. Principal, Actions, Object, Conditions, and then be able to drill into the type of relationships expressed. This is particularly critical when parsing condition trees (e.g. converting to JSON Path / SCIM RFC7644 style filter expressions).
One thought was to use the Cedar JSON format, but the negative is it doesn't solve parsing condition expressions.