search

cedar-policy / cedar-spec

Definitional implementation of Cedar language and utilities for DRT
https://www.cedarpolicy.com
Apache License 2.0
91 stars 15 forks source link

DRT should use `cedar-policy::is_authorized` and `cedar-policy::validate` #75

Open khieta opened 1 year ago

khieta commented 1 year ago

Category

DRT infrastructure

Describe the feature you'd like to request

The DRT infrastructure currently tests the is_authorized function in cedar-policy-core and the validate function in cedar-policy-validator. I think it would be cleaner to use the APIs available in the public cedar-policy crate instead. This gives a more "end-to-end" feel to our tests and allows us to use the interfaces in cedar-policy/src/frontend for more consistent input/output formats.

Describe the solution you'd like

N/A

Describe alternatives you've considered

N/A

Additional context

No response

Is this something that you'd be interested in working on?

cdisselkoen commented 1 year ago

I think this is a good idea, but pointing out that one difficulty with implementing this issue is that the DRT currently generates (internal) ASTs for policies, which are not exposed from cedar-policy. My opinion is that the best way to proceed would be for DRT to instead generate ESTs and send them into cedar-policy via Policy::from_json().

khieta commented 1 year ago

I agree that generating ESTs would be preferable (I'll make another issue shortly), but that isn't a requirement for this PR (and I've changed the title to reflect this). We could still use internal APIs to convert an AST -> policy, and then use the public APIs for authorization and validation.

khieta commented 1 year ago

Opened #76. @cdisselkoen feel free to edit the issue description to add additional details/motivation.